Chris’s Top Ten Security Tips
Chris Seary CISSP MVP

Presentation Transcript
Me
  • Securing large enterprise applications
  • Developer
  • ISO 27001 Lead Auditor
10.What is an X509 certificate?

[Diagram, build 1: Message → Encrypt → Jhbsx^8 → Decrypt → Message]

10.What is an X509 certificate?

[Diagram, build 2: Message → Encrypt with Public key → Jhbsx^8 → Decrypt with Private key → Message]

10.What is an X509 certificate?

[Diagram, build 3: as build 2; note: Usually includes encryption of symmetric key!]

10.What is an X509 certificate?

[Diagram: Certificate = Subject name, Serial number, Issuer, Public key, CA signature, Attribute 1, Attribute 2, Attribute 3, …]

10.What is an X509 certificate?

[Diagram: Certificate (fields as above) plus Private key, held together in the Certificate store]

10.What is an X509 certificate?

[Diagram: Certificate (fields as above) plus Private key in the Certificate store. Private key is the essential component!]

10.What is an X509 certificate?
  • Local machine
    • Certificates used by system
      • Demo uses Network Service
  • Current user
    • Logged on user
  • Permissions have to be granted for other users to access private keys
9.What is a PKI?

[Diagram: Jennifer, Brad]

9.What is a PKI?

[Diagram: Brad sends Jennifer Brad’s public key]

9.What is a PKI?

[Diagram: Jennifer encrypts message with Brad’s public key → Kvhdxa 6e6t4g]

9.What is a PKI?

[Diagram: Message sent: Kvhdxa 6e6t4g]

9.What is a PKI?

[Diagram: Brad decrypts with Brad’s private key → Message: Stuff]

9.What is a PKI?

[Diagram, man in the middle attack: Angelina sits between Jennifer and Brad]

9.What is a PKI?

[Diagram, man in the middle attack: Brad sends Brad’s public key; Angelina intercepts it]

9.What is a PKI?

[Diagram, man in the middle attack: Angelina keeps Brad’s public key and passes Angelina’s public key to Jennifer]

9.What is a PKI?

[Diagram, man in the middle attack: Jennifer encrypts message with Angelina’s public key → Gvvwh 336fwd]

9.What is a PKI?

[Diagram, man in the middle attack: Jennifer sends message Gvvwh 336fwd]

9.What is a PKI?

[Diagram, man in the middle attack: Angelina decrypts message with Angelina’s private key → Message: stuff]

9.What is a PKI?

[Diagram, man in the middle attack: Angelina changes message → Message: New]

9.What is a PKI?

[Diagram, man in the middle attack: Angelina encrypts using Brad’s public key → Hjbsxa687 svscv]

9.What is a PKI?

[Diagram, man in the middle attack: Angelina sends message Hjbsxa687 svscv to Brad]

9.What is a PKI?

[Diagram, man in the middle attack: Brad decrypts using his private key → Message: New]

9.What is a PKI?

[Diagram: CA, Jennifer, Brad, Brad’s public key]

9.What is a PKI?

[Diagram: CA digitally signs Brad’s public key]

9.What is a PKI?

[Diagram: CA cert placed in Jennifer’s cert store and in Brad’s cert store; both trust the CA; CA digitally signs Brad’s public key]

9.What is a PKI?

[Diagram: Brad sends Jennifer Brad’s public key]

9.What is a PKI?

[Diagram: Jennifer checks signature on cert against CA cert public key → Definitely Brad!]
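The certificate-field slides in tip 10 and the CA slides above describe the same mechanism from two sides: a certificate carries a subject name, serial number, issuer, public key and CA signature, and the receiver checks that signature against a CA cert already in its store. The block below is an added example in Go's standard library, not code from the slides, covering both: a self-signed CA cert goes into a CertPool (standing in for the cert store), the CA signs Brad's public key, Jennifer verifies Brad's cert, and a cert for "Brad" issued by Angelina's own CA is rejected because nothing in the store vouches for it. The names Demo CA and Angelina CA, the P-256 keys, the one-day validity and the helper names newCert, Describe and VerifyAgainstStore are this example's assumptions.

```go
// Added example (not from the slides): a toy PKI with Go's crypto/x509.
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCert generates a key pair and issues a certificate for its public key.
// With parent == nil the certificate is self-signed (how a root CA cert is made);
// otherwise parentKey, the CA's private key, produces the "CA signature" field.
func newCert(subject string, serial int64, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),             // Serial number
		Subject:               pkix.Name{CommonName: subject}, // Subject name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, key // self-signed: Issuer == Subject
	if parent != nil {
		signer, signerKey = parent, parentKey // Issuer is the CA
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Describe lists the fields from the slide; the private key is not among them.
func Describe(c *x509.Certificate) string {
	return fmt.Sprintf("Subject: %s | Serial: %s | Issuer: %s | Public key: %T | Signature: %s",
		c.Subject.CommonName, c.SerialNumber, c.Issuer.CommonName, c.PublicKey, c.SignatureAlgorithm)
}

// VerifyAgainstStore is Jennifer's check: the signature on cert must chain to a
// CA cert in her store, and the subject must be who she expects.
func VerifyAgainstStore(cert *x509.Certificate, store *x509.CertPool, expected string) error {
	opts := x509.VerifyOptions{Roots: store, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return err
	}
	if cert.Subject.CommonName != expected {
		return fmt.Errorf("certificate is for %q, not %q", cert.Subject.CommonName, expected)
	}
	return nil
}

func main() {
	// The CA's private key is the essential component; only its cert is distributed.
	caCert, caKey, err := newCert("Demo CA", 1, true, nil, nil)
	if err != nil {
		panic(err)
	}
	store := x509.NewCertPool() // Jennifer's cert store: CA cert placed in it
	store.AddCert(caCert)

	bradCert, _, err := newCert("Brad", 2, false, caCert, caKey) // CA signs Brad's public key
	if err != nil {
		panic(err)
	}
	fmt.Println(Describe(bradCert))
	fmt.Println("Brad's cert verified:", VerifyAgainstStore(bradCert, store, "Brad"))

	// Angelina runs her own CA and issues a cert in Brad's name. Her CA is not in
	// Jennifer's store, so the man in the middle is detected.
	rogueCA, rogueKey, err := newCert("Angelina CA", 3, true, nil, nil)
	if err != nil {
		panic(err)
	}
	fake, _, err := newCert("Brad", 4, false, rogueCA, rogueKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("Angelina's cert verified:", VerifyAgainstStore(fake, store, "Brad"))
}
```

The check that defeats Angelina is not the signature alone (her cert is validly signed, by her own CA) but the combination of signature plus a trust store the attacker cannot write to; that is why the slide shows the CA cert being placed in both parties' stores before any message is sent.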

8. Best way to implement cryptography
  • Don’t write your own algorithm
  • Use policy where possible
    • WS-Security
  • Use configuration where possible
    • IIS and SSL
  • Use simple APIs that perform crypto in one step
    • CAPICOM
    • Enterprise libraries
7.How do we store secrets?
  • Encryption!
  • But……
  • How do we store the encryption key?
7.How do we store secrets?
  • DPAPI
    • Get from nugget
6.What’s the one hop problem?
  • I can authenticate to the web server
  • I can’t authenticate to the database on another server

6.What’s the one hop problem?

[Diagram: Username / Password → Web server → SQL]

6.What’s the one hop problem?

[Diagram: Username / Password → Web server → NTLM auth → SQL]

6.What’s the one hop problem?

[Diagram: Digest or AD cert mapping → Web server → SQL]

6.What’s the one hop problem?

[Diagram: Digest or AD cert mapping → Web server → Null session → SQL]

With Digest or certificate mapping the web server does not hold the user’s password, so it cannot re-authenticate as that user on the second hop and the connection to SQL falls back to a null session.

6.What’s the one hop problem? Solution!
  • Protocol transition
    • Kerberos protocol transition

6.What’s the one hop problem? Solution!

[Diagram: Any IIS authentication method (Basic, Certs, Digest) → Web server → SQL]

6.What’s the one hop problem? Solution!

[Diagram: Any IIS authentication method (Basic, Certs, Digest) → Web server → Kerberos auth → SQL]

6.What’s the one hop problem? Solution!
  • Patterns and Practices ‘Web Service Security: Scenarios, Patterns and Implementation Guidance for Web Services Enhancements (WSE) 3.0’
    • From MSDN
4.Validation, validation, validation
  • White list validation
    • Check for what you will allow
  • Regex
    • Many functions available on net
  • Replace bad input
    • Escape characters
  • HTMLEncode output
    • Not a cure, but a patch
  • Negotiate acceptable input with business when gathering requirements
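The slide's ordering matters: white-list validation with an anchored regex rejects bad input up front, and HTML-encoding the output is a last line of defence rather than a cure. The block below is an added example in Go's standard library, not code from the slides; the username pattern, the sample inputs and the names ValidateUsername and RenderGreeting are this example's assumptions.

```go
// Added example (not from the slides): white-list validation on input,
// HTML-encoding on output.
package main

import (
	"errors"
	"fmt"
	"html"
	"regexp"
)

// usernameRE is the white list: it says what is allowed, not what is blocked.
// The anchors ^ and $ are essential; without them the pattern matches any
// string that merely contains three acceptable characters.
var usernameRE = regexp.MustCompile(`^[A-Za-z0-9_.-]{3,32}$`)

var ErrInvalidInput = errors.New("input rejected by white list")

// ValidateUsername returns the input unchanged if it is on the white list.
// Bad input is rejected, not "cleaned": stripping characters from
// "<scr<script>ipt>" leaves "<script>", so replacement is the weaker option.
func ValidateUsername(s string) (string, error) {
	if !usernameRE.MatchString(s) {
		return "", ErrInvalidInput
	}
	return s, nil
}

// RenderGreeting HTML-encodes whatever reaches the output stage. This stops
// script injection in an HTML context (the "patch"), but it does not make bad
// data safe for any other consumer, such as SQL, a file name or LDAP, which
// is why validation is still needed first.
func RenderGreeting(name string) string {
	return "<p>Hello, " + html.EscapeString(name) + "</p>"
}

func main() {
	// Constructed sample inputs: one good, two hostile, one too short.
	inputs := []string{"chris_s", "<script>alert(1)</script>", "bob;DROP TABLE users", "a"}
	for _, in := range inputs {
		if v, err := ValidateUsername(in); err == nil {
			fmt.Println("accepted:", RenderGreeting(v))
		} else {
			fmt.Printf("rejected %q: %v (encoded output would have been %s)\n", in, err, RenderGreeting(in))
		}
	}
}
```

Agreeing the allowed character set with the business during requirements, as the last bullet says, is what makes the white list possible: a name field that must accept apostrophes and accents needs a different pattern from a login name, and that decision cannot be made by the encoder at output time.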
Run down
  • 10. what is an X509 cert?
  • 9.What is a PKI?
  • 8.Best way to implement cryptography
  • 7.How do we store secrets?
  • 6.What’s the one hop problem?
  • 5.ACL, DACL and SACL
  • 4.Validation, validation, validation
  • 3.Warning, Will Robinson!
  • 2.Using SQL