Internet & Web Security

    Presentation Transcript
    1. Internet & Web Security

    2. References & Resources • Lincoln Stein, Web Security: A Step-by-Step Reference Guide • Larry J. Hughes, Jr., Internet Security Techniques

    3. What is web security? • Three parts of web security • Three points of view • Risks

    4. Three components of web security • Browser • Server • Connection between the two (i.e., the Internet!)

    5. Three points of view • User’s • Webmaster’s • Both parties’

    6. User’s point of view • Remote server’s ownership known and true • No viruses or other damaging documents / sw • Remote server respects user’s privacy • Doesn’t obtain / record / distribute private info

    7. Webmaster’s point of view • User won’t try to break in / alter contents • User won’t try to gain access to documents s/he’s not privy to • User won’t try to crash the server • User’s ID (if provided!) is true

    8. Both parties’ point of view • Network connection free of eavesdropping • Info between browser and server delivered intact, free from tampering

    9. Three (interdependent) parts • Document confidentiality • Client-side security • Server-side security

    10. Document confidentiality • Protect private information from • Eavesdropping • Fraudulent identities • Mostly via cryptography

    11. Client-side security • Protect user’s privacy and system’s integrity • Virus protection • Limit amount of info browser transmits (without user’s consent) • Protect organization’s confidential information / network integrity • From Web browsing activities

    12. Server-side security • Protect server from • Break-ins • Site vandalism • Denial-of-service attacks • Mostly firewalls and OS security measures

    13. Risks • Risks that affect both client and server • Risks to the end user • Risks to the web site

    14. Risks that affect both client and server • Eavesdropping • “Packet sniffers” (more …) • Fraud

    15. Network snooping (sniffing) ... • Abuse of network debugging tools ... • Network interface into promiscuous mode ... • Solution: encrypt

    16. Abuse of network debugging tools ... • E.g., Network General's Expert Sniffer • etherfind (SunOS) • tcpdump (free on Internet) • Sniffer FAQ • comp.security, news.answers • ftp://ftp.iss.net/pub/faq/sniff • http://www.iss.net/iss/sniff.html

    17. Network interface into promiscuous mode ... • Report all packets to sniffer • Display / record • Analyze • Remote also possible

    18. Fraud • Authenticate • Individuals, organizations • Transactions • Documents • Solution: digital signatures, certification authorities

    19. Risks to the end user • Active content • Privacy infringement

    20. Active content • Browsers download and run SW without notice • Java applets • ActiveX controls • Plug-ins • Helper app’s • JavaScript • Malicious (not many) / buggy (???)

    21. Privacy infringement • Site-collected data on visitors • Server log (time, date, IP addr., document, referrer URL) • Proxy servers log (every site visited) • Cookies • User-provided data • Solutions: e.g., “stealth browser”

    22. Risks to the web site • Webjacking • Server and LAN break-ins • Denial-of-service attacks

    23. Webjacking • Break in & modify contents • Happens(ed) a lot • How? • Exploit holes in • OS, Web server, buggy SW • CGI scripts

    24. Server and LAN break-ins • Various attacks at different protocol layers (OSI, more …) • Defense: firewall

    25. Denial-of-service attacks • Cause server to crash / hang / “crawl” • OS, server, CGI scripts, Web site services • No real defenses • Place limits on resources used by server / other sw • Close known holes

    26. Part I: Document confidentiality • Basic cryptography • SSL, SET, and Digital Payment Systems

    27. Basic cryptography • How cryptography works • Symmetric cryptography • Public key cryptography • Online Resources • Printed Resources

    28. How cryptography works • Plaintext • Ciphertext • Cryptographic algorithm • Key • [Diagram labels: Plaintext, Encryption, Ciphertext, Decryption, Key, Algorithm]

    29. Simple cryptosystem ... • Caesar Cipher • Simple substitution cipher • ROT-13 • half alphabet ==> 2 x ==> plaintext

    30. Keys cryptosystems … • keys and keyspace ... • secret-key and public-key ... • key management ... • strength of key systems ...

    31. Keys and keyspace … • ROT: key is N • Brute force: 25 values of N • IDEA in PGP: 2^128 numeric keys • 1 billion keys / sec ==> >10,781,000,000,000,000,000,000 years
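The keyspace contrast on slide 31, as an added example that is not part of the original slides: all 25 ROT-N keys are tried and the plaintext is recognised by counting common English words, then the exhaustive-search time for a larger keyspace is computed. The sample sentence, the word list and the function names are constructed for this illustration.

```python
import string

COMMON = {"the", "and", "is", "of", "to", "at", "in", "we"}  # tiny constructed word list

def rot(text, n):
    """Shift each ASCII letter n places (ROT-N); other characters pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + n) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def brute_force(ciphertext):
    """Try the 25 non-trivial keys; keep the one yielding the most common words."""
    def score(n):
        words = rot(ciphertext, -n).lower().split()
        return sum(w.strip(string.punctuation) in COMMON for w in words)
    best = max(range(1, 26), key=score)
    return best, rot(ciphertext, -best)

def years_to_exhaust(key_bits, keys_per_second=10**9):
    """Years needed to try every key of a 2**key_bits keyspace at the given rate."""
    return 2**key_bits / keys_per_second / (365.25 * 24 * 3600)

SECRET = "Meet at the bridge and bring the key to the server room"  # constructed sample

if __name__ == "__main__":
    key, plaintext = brute_force(rot(SECRET, 7))
    print(f"recovered key N={key}: {plaintext}")
    print(f"56-bit keys at 1e9 keys/s:  {years_to_exhaust(56):.2f} years")
    print(f"128-bit keys at 1e9 keys/s: {years_to_exhaust(128):.3e} years")
```
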

    32. Symmetric cryptography • DES • Triple DES, DESX, GDES, RDES • RC2, RC4, RC5 • IDEA • Blowfish • [Diagram labels: Sender, Plaintext, Encryption, Key, Ciphertext, Decryption, Plaintext, Recipient]

    33. DES • Data Encryption Standard • US NIST (‘70s) • 56-bit key • Good then • Not enough now (cracked June 1997) • Discrete blocks of 64 bits • Often w/ CBC (cipher block chaining) • Each block’s encr. depends on contents of previous

    34. Triple DES, DESX, GDES, RDES • Variants on DES: decrease risk of brute-force guessing • Triple-DES • 1. W/ Key 1 • 2. W/ Key 2 • 3. W/ Key 1 • ==> Effective key length ~168 bits

    35. RC2, RC4, RC5 • Proprietary (RSA Data Security, Inc.) • Variable length keys (up to 2,048 bits) • Outside US: 40-bit versions of RC2 & RC4 • ==> Web browsers & servers

    36. IDEA • Int’l Data Encryption Algorithm • Patented (AscomTech AG) • Popular in Europe • 128-bit key ==> more secure than DES • (One of) at heart of PGP • (Other is RSA)

    37. Blowfish • Unpatented (Bruce Schneier) • In many commercial & freeware • Var-length key (up to 448 bits)

    38. Symmetric not fit for Internet • Spontaneous comm ==> can’t exchange keys • Multiway comm ==> key secrecy compromised

    39. Public key cryptography • Two-in-one • Cryptography • Digital signatures

    40. Public key cryptography • Asymmetric • [Diagram labels: Senders, Plaintext, Encryption, Recipient’s public key, Ciphertext, Decryption, Recipient’s secret key, Plaintext, Recipient]

    41. Digital signatures • But, problem ... • [Diagram labels: Sender, Plaintext, Encryption, Sender’s secret key, Digital signature, Decryption, Sender’s public key, “=?” comparison, Authenticated Plaintext, Recipient]

    42. Problem ... • Can cut & paste from older • Solutions • A --> B: random “challenge” phrase • B --> A: sign w/ secret key, return • A: decrypts w/ B’s public key, compare to original • Or, message digest functions

    43. Combining cryptography and digital signature • [Diagram labels: Sender, Sender’s secret key, Sender’s public key, Recipient, Recipient’s secret key, Recipient’s public key, Signature text (“challenge”), Message text, Digital signature, Ciphertext, “=?” comparison, Authenticated Message]

    44. Message digest functions & message integrity • One-way hashes • Digital fingerprint for original message • Sender ... • Recipient

    45. Sender • 1. Run message through digest function • 2. Sign hash with secret key • 3. Send signed hash & original message to recipient

    46. Recipient • Decrypt hash w/ sender’s public key • Compare with result of running message through digest function • Match ==> verified integrity • In SSL (later): Message Authenticity Check (MAC) • MAC = digest(secret + digest(secret - message))
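The sender and recipient steps of slides 45 and 46, together with the challenge phrase of slide 42, as an added example that is not part of the original slides. Assumptions: a constructed toy RSA key without padding (far too small for real use), SHA-256 in place of the MD5/SHA digests the slides list, and a challenge that is signed together with the message; all function names are made up for this illustration.

```python
import hashlib
import secrets

# Constructed toy RSA key built from two Mersenne primes (assumption for this
# example only; textbook RSA without padding, far too small for real use).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                              # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))      # sender's secret exponent

def digest(message: bytes) -> int:
    """One-way hash, reduced so it fits under the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes) -> int:
    """Sender steps 1-2: hash the message, sign the hash with the secret key."""
    return pow(digest(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Recipient: recover the hash with the public key, compare with own digest."""
    return pow(signature, E, N) == digest(message)

def new_challenge() -> bytes:
    """A's random challenge phrase (fixed 16-byte length)."""
    return secrets.token_bytes(16)

def respond(challenge: bytes, message: bytes) -> int:
    """B signs A's challenge together with the message."""
    return sign(challenge + message)

def accept(challenge: bytes, message: bytes, signature: int) -> bool:
    """A checks the signature against the challenge it issued for this exchange."""
    return verify(challenge + message, signature)

if __name__ == "__main__":
    msg = b"pay 100 to account 42"     # constructed sample message
    sig = sign(msg)
    print("intact message verifies:  ", verify(msg, sig))
    print("tampered message verifies:", verify(b"pay 900 to account 42", sig))
    c1, c2 = new_challenge(), new_challenge()
    old = respond(c1, msg)
    print("fresh response accepted:  ", accept(c1, msg, old))
    print("old response replayed:    ", accept(c2, msg, old))
```
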

    47. Message digest functions • MD4 (Rivest, MIT) • 128-bit hashes • Weaknesses ==> • MD5 (Rivest) • Most widely used • SHA: Secure Hash Algorithm (NIST) • 160-bit hash

    48. Digital envelopes • Public key encryption SLOWER than symmetric ==> Hybrid • 1. Random secret key (“session key”; discard when done) • 2. Encrypt message w/ session key & symmetric alg. • 3. Encrypt session key w/ recipient’s public key (==> “digital envelope”) • 4. Send encrypted message + digital envelope

    49. Digital envelopes • [Diagram labels: Sender, Message plaintext, Session key, Recipient’s public key, Ciphertext, Recipient’s secret key, Session key, Message plaintext, Recipient]
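The digital-envelope procedure of slides 48 and 49, as an added example that is not part of the original slides. Assumptions: a constructed toy RSA key without padding stands in for the recipient's key pair, and a SHA-256 counter keystream stands in for the symmetric algorithm (the slides name DES, RC4, IDEA and others); function names are made up for this illustration.

```python
import hashlib
import secrets

# Constructed toy RSA key for the recipient (assumption for this example only;
# textbook RSA without padding, far too small for real use).
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                              # recipient's public modulus
D = pow(E, -1, (P - 1) * (Q - 1))      # recipient's secret exponent

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR data with a SHA-256 counter keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(message: bytes):
    """Sender: steps 1-4 of the hybrid scheme."""
    session_key = secrets.token_bytes(16)                  # 1. random session key
    ciphertext = keystream_xor(session_key, message)       # 2. symmetric encryption
    envelope = pow(int.from_bytes(session_key, "big"), E, N)  # 3. wrap the key
    return ciphertext, envelope                            # 4. send both

def open_envelope(ciphertext: bytes, envelope: int) -> bytes:
    """Recipient: unwrap the session key with the secret key, then decrypt."""
    session_key = pow(envelope, D, N).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)

if __name__ == "__main__":
    msg = b"Quarterly figures attached; do not forward outside the team."  # constructed
    ct, env = seal(msg)
    print("ciphertext:", ct.hex()[:32], "...")
    print("envelope:  ", hex(env)[:32], "...")
    print("recovered: ", open_envelope(ct, env))
```
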

    50. Certifying authorities & public key infrastructure • Large public-key database • ==> management? Trusted third party • Certifying authorities (CA)