
DIG 4104c – Web Design Workshop J Michael Moshell Web Security Lecture 8

DIG 4104c – Web Design Workshop J Michael Moshell Web Security Lecture 8. Web Security - on the Fly. Objectives of today's lecture: 1) Introduce most common threats 2) Discuss Necessary Architectural Concepts 3) Introduce threat methods and responses 4) Provide ideas and directions







  1. DIG 4104c – Web Design Workshop. J Michael Moshell. Web Security, Lecture 8

  2. Web Security - on the Fly
  Objectives of today's lecture:
  • 1) Introduce most common threats
  • 2) Discuss necessary architectural concepts
  • 3) Introduce threat methods and responses
  • 4) Provide ideas and directions for further exploration

  3. Common Threats
  * Theft of proprietary data: credit card numbers; personal data (e.g. the South Carolina Social Security Number fiasco)
  * Zombification of your computer: becoming part of a botnet
  * Vandalization or destruction of your site
  * Denial of service attacks

  4. Architecture of the Internet
  Concepts that must be mastered:
  * Application Layer
  * Transport Layer
  * Internet Layer
  * Link Layer
  * Port
  * Firewall
  * Virtual Private Network
  * TLS (Transport Layer Security), daughter of SSL (Secure Sockets Layer)
  * Cookies

  5. Essential Architecture (top layer to bottom)
  Application: has the metadata needed for the purpose
  Transport: reliable, receipted
  Internet: unreliable, multipath
  Link: Ethernet, ATM, wireless
  (below): actual wires & electrons

  6. Baseline: Internet Protocol
  • An IP address consists of 4 bytes, e.g. 200.240.82.114 = 32 bits; so, 2^32 options (about 10^10 or 10 billion)
  • Not NEARLY enough, now that every sprinkler head on every golf course ... needs one.

  7. Baseline: Internet Protocol
  • An IP address consists of 4 bytes, e.g. 200.240.82.114 = 32 bits; so, 2^32 options (about 10^10 or 10 billion)
  • Not NEARLY enough, now that every sprinkler head on every golf course ... needs one.
  • IPv6 uses 128 bits (16 bytes), which should be enough for a while...
  • 2001:0db8:85a3:0042:1000:8a2e:0370:7334

  8. Baseline: Internet Protocol
  An IP packet includes (among other junk):
  • Version (v4 or v6)
  • Number of bytes in the packet
  • Time To Live
  • Protocol (TCP, etc.)

  9. Baseline: Internet Protocol
  An IP packet includes (among other junk):
  • Version (v4 or v6)
  • Number of bytes in the packet
  • Time To Live
  • Protocol (TCP, etc.)
  • Source IP address
  • Destination address
  • Header checksum
  • The data

  10. Baseline: Internet Protocol
  An IP packet includes (among other junk):
  • Version (v4 or v6)
  • Number of bytes in the packet
  • Time To Live -- rhymes with "liver"
  • TTL: How many hops may it pass before it dies?
  • At every hop, TTL is decremented by 1.
  • When it hits 0, nobody forwards the packet.

  11. Baseline: Internet Protocol How does IP traffic flow? Each router has a strategy for forwarding packets it receives. If an output channel is slow, routers use alternate routes

  12. Baseline: Internet Protocol
  Analogy: It's the year 1700 ... no U.S. Post.
  I mail a letter from Edinburgh to Brooklyn:
  someone takes it to London;
  someone else takes it to Boston;
  a rider takes it to Brooklyn.

  13. Delivery is unreliable Maybe the next letter goes via New Haven or Philadelphia Maybe it gets lost or delayed along the way. How could you build a RELIABLE (though slow) system on an UNRELIABLE basis?

  14. Receipts and Sequences
  Solution:
  (1) serial-number your letters
  (2) require receipts (return letters: "I got it")
  (3) if no receipt after 1 month, re-send
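As an added example (not part of the lecture), here is the slide's three-rule scheme in Python: letters carry serial numbers, the receiver returns a receipt for each one, and anything without a receipt after a timeout is re-sent. The route, its loss rate and its timing are constructed for the simulation; this is a toy model of what TCP does on top of IP, not TCP itself.

```python
import random


class UnreliableRoute:
    """Constructed stand-in for the Internet layer: a letter may be lost, and
    delivery takes a variable number of ticks, so letters can arrive out of order."""

    def __init__(self, seed, loss_rate=0.3):
        self.rng = random.Random(seed)
        self.loss_rate = loss_rate
        self.in_transit = []            # (arrival_tick, letter)

    def send(self, letter, now):
        if self.rng.random() < self.loss_rate:
            return                      # lost somewhere between London and Boston
        self.in_transit.append((now + self.rng.randint(1, 3), letter))

    def arrivals(self, now):
        ready = [m for t, m in self.in_transit if t <= now]
        self.in_transit = [(t, m) for t, m in self.in_transit if t > now]
        return ready


def transmit(letters, seed=7, timeout=4, max_ticks=1000):
    """Reliable delivery over the unreliable route using the slide's three rules:
    (1) serial-number every letter, (2) the receiver returns a receipt for each,
    (3) anything without a receipt after `timeout` ticks is re-sent.
    Returns (letters as reassembled by the receiver, letters sent, duplicates seen)."""
    outbound, receipts = UnreliableRoute(seed), UnreliableRoute(seed + 1)
    pending = {seq: (text, None) for seq, text in enumerate(letters)}   # seq -> (text, last_sent)
    mailbox, duplicates, sends = {}, 0, 0
    now = 0
    while pending and now < max_ticks:
        # Sender: (re)send every letter that has no receipt yet and is due.
        for seq, (text, last_sent) in list(pending.items()):
            if last_sent is None or now - last_sent >= timeout:
                outbound.send((seq, text), now)
                pending[seq] = (text, now)
                sends += 1
        # Receiver: file each letter under its serial number. A re-sent copy is
        # recognised as a duplicate, and a receipt goes back for every copy.
        for seq, text in outbound.arrivals(now):
            if seq in mailbox:
                duplicates += 1
            mailbox[seq] = text
            receipts.send(seq, now)
        # Sender: a receipt retires the letter.
        for seq in receipts.arrivals(now):
            pending.pop(seq, None)
        now += 1
    # The serial numbers let the receiver restore the original order.
    return [mailbox[seq] for seq in sorted(mailbox)], sends, duplicates


if __name__ == "__main__":
    got, sent, dups = transmit(["Dear", "Brooklyn,", "greetings", "from", "Edinburgh"])
    print(" ".join(got), "| letters sent:", sent, "| duplicates:", dups)
```

Because the timeout is shorter than the worst-case round trip, some letters are re-sent before their receipt can arrive; the serial numbers are what let the receiver discard those duplicates instead of reading the message twice.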

  15. Baseline: Internet Protocol
  An IP packet includes (among other junk):
  • Version (v4 or v6)
  • Number of bytes in the packet
  • Time To Live
  • Protocol (TCP, etc.)
  • Source IP address
  • Destination address
  • Header checksum -- << wazzat?
  • The data

  16. Baseline: Internet Protocol
  Header checksum -- << wazzat?
  All of the info except the 'data' is guarded by a checksum. If the header is corrupted, the recipient (at any stage along the way) can detect it.
  Why is there no DATA checksum? That is an option for the next layer to implement.

  17. Domain Name Service
  136.224.108.14 is hard to use. (And ... note: 332.14.22.11 is INCORRECT. Why?)
  People like symbolic info: 'youtube.com'. So a worldwide network of Domain Name Servers (DNS) provides a lookup service. It's hierarchical.
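Added example, not code from the lecture, pulling together what slides 10, 15, 16 and 17 describe, in Python with only the standard library: a dotted-quad parser that rejects 332.14.22.11 (a field that does not fit in one byte), the RFC 791 header checksum over a constructed 20-byte IPv4 header built with the lecture's two example addresses, detection of a corrupted header, and one router's step of decrementing TTL and recomputing the checksum. The header layout is the real IPv4 one; the addresses are the slides' examples, the payload length is made up.

```python
import struct


def parse_ipv4(text):
    """Dotted quad to 4 bytes. Each field is one byte, so 332.14.22.11 is rejected."""
    fields = text.split(".")
    if len(fields) != 4:
        raise ValueError(f"{text!r}: expected 4 fields")
    for f in fields:
        if not f.isdigit() or int(f) > 255:
            raise ValueError(f"{text!r}: field {f!r} does not fit in one byte (0-255)")
    return bytes(int(f) for f in fields)


def is_valid_ipv4(text):
    try:
        parse_ipv4(text)
        return True
    except ValueError:
        return False


def ip_checksum(header):
    """RFC 791 header checksum: one's-complement sum of the 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                        # fold the carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_header(src, dst, ttl, protocol=6, payload_len=0):
    """Minimal 20-byte IPv4 header (no options); protocol 6 = TCP."""
    fields = struct.pack("!BBHHHBBH4s4s",
                         (4 << 4) | 5,        # version 4, header length 5 words
                         0,                   # type of service
                         20 + payload_len,    # total length (number of bytes in the packet)
                         0, 0,                # identification, flags/fragment offset
                         ttl, protocol,
                         0,                   # checksum placeholder
                         parse_ipv4(src), parse_ipv4(dst))
    return fields[:10] + struct.pack("!H", ip_checksum(fields)) + fields[12:]


def header_intact(header):
    """A correct header sums to 0xFFFF, so the complement of the sum is 0.
    Only the header is covered: a corrupted payload would pass this check."""
    return ip_checksum(header) == 0


def forward(header):
    """One router's work: verify, decrement TTL, re-checksum. None means dropped."""
    if not header_intact(header):
        return None                           # corrupted header: discard it
    ttl = header[8]
    if ttl <= 1:
        return None                           # TTL would hit 0: nobody forwards it
    h = bytearray(header)
    h[8] = ttl - 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    return bytes(h)


def hops_before_drop(header):
    """How many routers forward the packet before its TTL runs out."""
    hops = 0
    while (header := forward(header)) is not None:
        hops += 1
    return hops


if __name__ == "__main__":
    h = build_header("200.240.82.114", "136.224.108.14", ttl=3, payload_len=40)
    print("header ok:", header_intact(h), "| hops before drop:", hops_before_drop(h))
    print("332.14.22.11 valid?", is_valid_ipv4("332.14.22.11"))
```

A single flipped bit anywhere in the header changes the one's-complement sum, so `header_intact` catches it; that the payload is not covered is exactly why TCP carries its own checksum one layer up.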

  18. Domain Name Service
  To find an IP for the host name in a given URL:
  1) Your ISP looks in its own DNS tables.
  2) If it cannot find it, it asks its upstream DNS.
  3) This continues, back to the Top Level Domain (like .com).
  When you register or modify a domain name (frogwarticecream.com), the registrar must distribute this to ALL the DNS systems in the world (at some level...).

  19. Transmission Control Protocol
  Here's a simplified picture:
  IP Header | IP Data
  where IP Data = TCP Header (with sequence and checksum controls) | TCP data | TCP Footer controls

  20. Application Layer: HTTP
  MANY IP packets are usually necessary to transmit ONE TCP message.
  IP Header | IP Data = [ TCP Header (with sequence and checksum controls) | TCP data | TCP Footer controls ]

  21. Application Layer: HTTP
  HTTP, in turn, is carried inside the TCP message (spread across many IP packets):
  IP Header | IP Data = [ TCP Header (with sequence and checksum controls) | TCP data = [ HTTP information ] | TCP Footer controls ]

  22. What is a PORT?
  Originating with Unix: A message arrives at an Operating System. What to do with it?
  Front end software:
  - recognizes and processes the IP
  - extracts the TCP, assembles it, requests retransmits as necessary until complete
  - examines the TCP packet for the port number
  - passes the TCP data to the associated application

  23. Well-Known Ports
  20: FTP Data Transfer
  22: Secure Shell (SSH)
  23: Telnet (unencrypted)
  25: SMTP (Simple Mail Transfer Protocol)
  53: DNS
  80: HTTP
  118 or 156: SQL
  443: HTTPS
  And ... there are MANY others: http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

  24. What happens when ...?
  A TCP packet arrives requesting service from a port? The OS runs the associated code and attempts to deal with the TCP data contents.
  HOWever ... every OS is different, and many of those ports are watched by risky, failure-prone software.
  512: Remote Process Execution
  514: Remote Shell, etc.

  25. What is a Firewall?
  A system resource that can MANAGE port access:
  * completely CLOSING unused ports
  * admitting only TRUSTED users to some ports
  * permitting only some actions on some ports
  * monitoring all port access and logging it
  The only thing more important than good virus control is a good firewall, well managed.
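An added example (not the lecture's code) of the firewall duties on slide 25 as a small rule engine in Python: a port no rule opens is closed by default deny, port 22 is admitted only from a constructed "trusted admin" network, the risky ports from slide 24 and unencrypted Telnet are explicitly closed, and every decision is logged. The rule format, the policy and the addresses are all constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    action: str                    # "allow" or "deny"
    port: Optional[int] = None     # None matches any port
    source: str = "0.0.0.0/0"      # who may reach it; default: anyone
    why: str = ""                  # recorded in the log with each decision


@dataclass
class Firewall:
    rules: List[Rule]
    log: List[str] = field(default_factory=list)

    def admit(self, src_ip, dst_port):
        """First matching rule wins. A port that no rule opens is closed (default deny)."""
        for r in self.rules:
            if r.port is not None and r.port != dst_port:
                continue
            if ip_address(src_ip) not in ip_network(r.source):
                continue
            self.log.append(f"{r.action.upper():5} {src_ip} -> port {dst_port} ({r.why})")
            return r.action == "allow"
        self.log.append(f"DENY  {src_ip} -> port {dst_port} (no rule opens this port)")
        return False


def web_server_policy():
    """Constructed policy for a web server: open what the public needs, admit
    administrators only from a trusted network, close the risky legacy ports."""
    return Firewall([
        Rule("allow", 80, why="HTTP for everyone"),
        Rule("allow", 443, why="HTTPS for everyone"),
        Rule("allow", 22, "10.0.0.0/8", why="SSH only from the trusted admin network"),
        Rule("deny", 23, why="Telnet is unencrypted: keep closed"),
        Rule("deny", 512, why="remote process execution: keep closed"),
        Rule("deny", 514, why="remote shell: keep closed"),
    ])


if __name__ == "__main__":
    fw = web_server_policy()
    for src, port in [("203.0.113.5", 443), ("203.0.113.5", 22), ("10.1.2.3", 22), ("10.1.2.3", 514)]:
        fw.admit(src, port)
    print("\n".join(fw.log))
```

The explicit `deny` rules are redundant with the default deny, but they document the decision and give the log a reason, which is what you want when reviewing why a connection attempt was refused.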

  26. Where are Firewalls?
  Lots of places.
  [Diagram: Your PC, Your DSL Router and the Web Server each sit behind a Firewall; on the server, the Prog (Apache Web Server, PHP resource) receives the traffic.]

  27. Where are Firewalls?
  Lots of places. Each may choose to block a given port.
  [Diagram: as slide 26: Your PC, Your DSL Router and the Web Server each behind a Firewall; Prog (Apache Web Server, PHP resource) on the server.]

  28. The Great Chinese Firewall
  Last summer, in Beijing, HTTPS quit working!
  [Diagram: as slide 26, with an additional Firewall in the path between Your DSL Router and the Web Server, and port 443 (HTTPS) marked at the Apache Web Server.]

  29. VPN to the Rescue!
  Using an innocuous port, the VPN 'tunnels' through the firewalls.
  [Diagram: Your PC → Your DSL Router → Firewall, carrying HTTP on port 80 → VPN endpoint at Purdue University (its own firewall) → Firewall → Prog, reached as HTTPS on port 443.]

  30. VPN: Secure?
  VPN can use its own encryption, not relying on HTTPS.
  [Diagram: as slide 29: Your PC → Your DSL Router → Firewall (HTTP 80) → VPN at Purdue University → Firewall → Prog (HTTPS 443).]

  31. VPN: Why does China Allow?
  (1) It's hard to stop; (2) They may not want to.
  [Diagram: as slide 29: Your PC → Your DSL Router → Firewall (HTTP 80) → VPN at Purdue University → Firewall → Prog (HTTPS 443).]

  32. Encryption and SSL: Key Concepts
  • The RSA Public Key Encryption System. Key idea: "Trapdoor function": Easy in, difficult out.
  [Diagram: Data → Encryption → Bob's Mailbox. Anybody can encrypt and send a message to Bob.]

  33. Encryption and TLS/SSL: Key Concepts
  • The RSA Public Key Encryption System. Key idea 1: "Trapdoor function": Easy in, difficult out.
  [Diagram: Data → Encryption → Bob's Mailbox → Decryption. Only Bob has the key to his mailbox.]

  34. Encryption and SSL: Key Concepts
  • The RSA Public Key Encryption System. Key idea 2: "Symmetry": two keys are created, Key 1 and Key 2.
  • If you ENCRYPT with Key 1, you can DECRYPT with Key 2.
  • If you ENCRYPT with Key 2, you can DECRYPT with Key 1.
  • How does it work? You don't want to know the math... It involves prime numbers and factorization.

  35. Encryption and SSL: Key Concepts
  Bob wants private data from Alice.
  Bob creates a key pair (two big, special numbers).
  Bob posts one (the public key) on his website.
  Bob keeps the private key in a secret place.
  [Diagram: Bob in Boston holds the Private Key; the Public Key is posted; Alice in Atlanta.]

  36. Encryption and SSL: Key Concepts
  Bob wants private data from Alice.
  Bob creates a key pair (two big, special numbers).
  Bob posts one (the public key) on his website.
  Bob keeps the private key in a secret place.
  Alice grabs a copy of the public key.
  [Diagram: Bob in Boston holds the Private Key; the posted Public Key is copied by Alice in Atlanta.]

  37. Encryption and SSL: Key Concepts
  • Alice uses the public key, encrypts data ('plaintext'), and sends it to Bob. Chris the Criminal grabs a copy as it goes by.
  [Diagram: Alice in Atlanta: plaintext + public key → encrypted message → Bob in Boston. Chris the crook, holding only the public key, attempts to decipher ?? and gets garbage.]

  38. Encryption and SSL: Key Concepts
  • Bob uses the private key to recover Alice's plaintext.
  [Diagram: Alice in Atlanta: plaintext + public key → encrypted message → Bob in Boston: private key → decipher → plaintext. Chris the Crook is left with the encrypted copy.]

  39. SSL and the Internet
  • Uses a public key encryption technique to exchange keys with your browser. (PKE is too slow for all of the traffic.)
  • Relies on a "Chain of Authority" to verify that security certificates (public keys) actually belong to who they say.

  40. Chain of Authority
  • How does it work?
  • My business has a security certificate.
  • You don't trust it, so you check with its issuing authority (Thawte, Inc.)
  • Who is Thawte? Check with THEIR issuing authority … back to a trusted source.
  • Your browser has a list of trusted authorities.
  • (The police-verification story.)
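Added example covering slides 32 through 40 (not code from the lecture): a textbook RSA toy with tiny primes so the two key ideas are visible (the trapdoor, and that the two keys undo each other), Alice's message to Bob with Chris only able to recover garbage from the public key, and a miniature chain of authority in which Bob's certificate is signed by "Thawte, Inc.", whose own certificate is signed by a root the browser already trusts. The primes, the names and the certificate format are constructed; real TLS uses keys of 2048 bits or more, randomized padding and X.509 certificates, none of which is modelled here.

```python
import hashlib
from math import gcd


def make_keypair(p, q, e=7):
    """Key idea 2: two keys that undo each other. Returns (public, private), each as (exponent, n).
    Toy primes only; real keys are thousands of bits."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime to (p-1)(q-1)"
    d = pow(e, -1, phi)                   # modular inverse (Python 3.8+)
    return (e, n), (d, n)


def apply_key(key, m):
    """Key idea 1, the trapdoor: raising to the key's exponent mod n is easy;
    undoing it without the other key means factoring n."""
    exp, n = key
    return pow(m, exp, n)


def encrypt_text(public, text):
    """One byte per block (needs n > 255). Anybody holding the public key can do this."""
    return [apply_key(public, b) for b in text.encode()]


def decrypt_text(key, blocks):
    """With the matching private key the bytes come back; with the wrong key the
    results are not even bytes, so they are folded mod 256 to show the garbage."""
    return bytes(apply_key(key, c) % 256 for c in blocks).decode("latin-1")


def fingerprint(cert, n):
    """Hash of the signed fields (subject, public key, issuer), reduced below the signer's n."""
    data = "|".join(str(cert[k]) for k in ("subject", "public", "issuer")).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def issue_cert(subject, subject_public, issuer, issuer_private):
    """The issuing authority vouches for 'this public key belongs to subject' by signing it
    with its private key (encrypt-with-private, check-with-public)."""
    cert = {"subject": subject, "public": subject_public, "issuer": issuer}
    cert["signature"] = apply_key(issuer_private, fingerprint(cert, issuer_private[1]))
    return cert


def verify_chain(chain, trusted_roots):
    """Walk from the site's certificate back to an authority the browser already trusts.
    chain[i+1] must be the certificate of the authority that issued chain[i]."""
    for i, cert in enumerate(chain):
        if cert["issuer"] in trusted_roots:
            issuer_key = trusted_roots[cert["issuer"]]
        elif i + 1 < len(chain) and chain[i + 1]["subject"] == cert["issuer"]:
            issuer_key = chain[i + 1]["public"]
        else:
            return False                  # never reaches a trusted source
        if apply_key(issuer_key, cert["signature"]) != fingerprint(cert, issuer_key[1]):
            return False                  # the authority's signature does not check out
        if cert["issuer"] in trusted_roots:
            return True
    return False


def demo():
    root_pub, root_priv = make_keypair(131, 137)       # authority built into the browser
    thawte_pub, thawte_priv = make_keypair(101, 103)   # intermediate issuing authority
    bob_pub, bob_priv = make_keypair(61, 53)           # Bob's own pair; n = 3233
    chris_pub, chris_priv = make_keypair(137, 139)     # Chris's pair, trusted by nobody
    trusted = {"Trusted Root CA": root_pub}
    thawte_cert = issue_cert("Thawte, Inc.", thawte_pub, "Trusted Root CA", root_priv)
    bob_cert = issue_cert("bob.example", bob_pub, "Thawte, Inc.", thawte_priv)
    chris_cert = issue_cert("bob.example", chris_pub, "Chris the Crook CA", chris_priv)
    ciphertext = encrypt_text(bob_pub, "meet at noon")  # Alice's message
    return {
        "bob_reads": decrypt_text(bob_priv, ciphertext),
        "chris_reads": decrypt_text(bob_pub, ciphertext),   # only key Chris has
        "symmetry": apply_key(bob_pub, apply_key(bob_priv, 42)),
        "chain_ok": verify_chain([bob_cert, thawte_cert], trusted),
        "impostor_rejected": not verify_chain([chris_cert], trusted),
        "unknown_root_rejected": not verify_chain([bob_cert], {}),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

Chris's self-issued certificate claims to be bob.example and is internally consistent, yet it fails because its issuer is not in the trust list and nothing in the chain leads there; that is the "check with THEIR issuing authority ... back to a trusted source" step of slide 40 in code.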

  41. Cookies
  HTTP is STATELESS ("fire and forget"). Your browser would remember nothing about a session ... until cookies came along.
  Commonly stored info includes:
  * logged-in state
  * passwords for frequently visited sites
  * and most importantly, the Session ID cookie

  42. Cookies and Sessions
  A cookie contains:
  = Name
  = Value
  * Expiration time (GMT)
  * Path the cookie is good for
  * Domain the cookie is good for
  * Security requirement & HttpOnly
  Items marked * are optional. If not specified, default values are used.

  43. Cookies and Sessions
  A cookie contains:
  = Name
  = Value
  * Expiration time (GMT)
  * Path the cookie is good for (default: the requested object's path)
  * Domain (default: the requested domain)
  * Security requirement (if present, send only over https)
  * HttpOnly (i.e. do not allow JavaScript access)

  44. Cookies and Privacy An analogy: A hobo visitor to your house makes a mark on your front gate, to remind himself (and others) about you: ("This home gives out food.") ("Bad dog")

  45. Cookies and Privacy
  Normally, a browser will only release a cookie to the site (domain) that originally SET it. But if, when setting the cookie, the setter specifies somebody ELSE as the setter, this is a 3rd party cookie. You can set your browser to reject 3rd party cookies.
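An added Python example (not from the lecture) of the cookie rules on slides 42 to 45: parsing a Set-Cookie header and filling in the defaults slide 43 lists, deciding whether the browser would send the cookie back with a given request (domain, path, and the Secure requirement), whether JavaScript can read it (HttpOnly), and refusing a Domain attribute that names somebody ELSE, as slide 45 describes. The header values and host names are constructed; the matching rules follow RFC 6265.

```python
from urllib.parse import urlsplit


def default_path(request_path):
    """Default Path: the request path with its last segment removed (RFC 6265 default-path)."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def parse_set_cookie(header, set_by_url):
    """Turn a Set-Cookie header into a dict, filling in the defaults from the request that set it."""
    req = urlsplit(set_by_url)
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "expires": None,
              "path": default_path(req.path), "domain": req.hostname.lower(),
              "host_only": True,            # no Domain attribute: only the setting host gets it back
              "secure": False, "httponly": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "expires":
            cookie["expires"] = val
        elif key == "path" and val.startswith("/"):
            cookie["path"] = val
        elif key == "domain" and val:
            cookie["domain"] = val.lstrip(".").lower()
            cookie["host_only"] = False
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
    return cookie


def domain_matches(host, domain):
    return host == domain or host.endswith("." + domain)


def setter_allowed(cookie, set_by_url):
    """A Domain attribute may only name the setting host or one of its parents.
    Naming somebody ELSE is the third-party case from slide 45, and is refused."""
    host = urlsplit(set_by_url).hostname.lower()
    return cookie["host_only"] or domain_matches(host, cookie["domain"])


def browser_sends(cookie, request_url):
    """Would the browser attach this cookie to a request for request_url?"""
    req = urlsplit(request_url)
    host = req.hostname.lower()
    if cookie["host_only"]:
        if host != cookie["domain"]:
            return False
    elif not domain_matches(host, cookie["domain"]):
        return False
    path = req.path or "/"
    if not (path == cookie["path"] or path.startswith(cookie["path"].rstrip("/") + "/")):
        return False
    if cookie["secure"] and req.scheme != "https":
        return False                      # Secure: never sent over plain http
    return True


def script_can_read(cookie):
    """HttpOnly keeps the cookie out of document.cookie, so a script injected into
    the page cannot read the session ID."""
    return not cookie["httponly"]


if __name__ == "__main__":
    sess = parse_set_cookie("SESSIONID=abc123; Path=/; Secure; HttpOnly",
                            "https://shop.example.com/login")
    print(sess)
    print("sent over https:", browser_sends(sess, "https://shop.example.com/cart"))
    print("sent over http: ", browser_sends(sess, "http://shop.example.com/cart"))
    print("script can read:", script_can_read(sess))
```

For a session ID cookie the combination `Secure; HttpOnly` is the one to look for: the first keeps it off unencrypted connections, the second keeps it away from page scripts, and both are free to set.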

  46.–50. Cookies in the Browser
  [Screenshots of the browser's cookie viewer; these five slides carry no transcript text.]
