1 / 16

Online Security

Online Security. Tuesday April 8, 2003 Maxence Crossley. Outline. How do we authenticate a service? How do we encrypt a session? How do we prevent a “replay attack”? Another Problem: Spoofing. How do we authenticate a session?. Certification Authorities (CAs) VeriSign SecureNet

rosine
Télécharger la présentation

Online Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Online Security Tuesday April 8, 2003 Maxence Crossley

  2. Outline • How do we authenticate a service? • How do we encrypt a session? • How do we prevent a “replay attack”? • Another Problem: Spoofing

  3. How do we authenticate a session? • Certification Authorities (CAs) • VeriSign • SecureNet • Digital Signature Trust • Distribute and store certificates

  4. Public Key Cryptography • Server publishes public key with Certification Agency • Client encrypts message with public key • Server decrypts message with private key Source: http://waubonsie.com/security/www.html

  5. Private Key Cryptography • Server and Client share a secret and private key • Client encrypts message with private key • Server decrypts message with private key Source: http://waubonsie.com/security/www.html

  6. How do we encrypt a session? SSL • Client requests a secured file • Server sends its certificate • Client checks with CA that the signature is valid • Client generates a unique session key and sends it to server Source: http://waubonsie.com/security/www.html

  7. How do we encrypt a session? Source: http://waubonsie.com/security/www.html

  8. How do we encrypt a session? Source: http://waubonsie.com/security/www.html

  9. How do we encrypt a session? Source: http://waubonsie.com/security/www.html

  10. What is a “replay attack”? • When an attacker uses captured authentication tokens to gain access to a user’s account while bypassing normal authentication • Sniffing a URL that has a session ID in it • Attacker can obtain access to users account Source: http://www.owasp.org/asac/auth-session/replay.shtml

  11. Countermeasures • “Generate hard to reverse-engineer Session IDs for authenticated web users (i.e. use strong crypto, MD5 hashes, etc.)” • “Build and require SSL (or other encryption) into the web application so that the authentication token can not be easily sniffed in transit between browser and server; Ensure that all cookies enable the "secure" field (see OWASP's explanation of cookies)” Source: http://www.owasp.org/asac/auth-session/replay.shtml

  12. Countermeasure • “Provide a logout function that expires all cookies and other authentication tokens” • “Users can choose not to select the "Remember Me" option on web application accounts so that authentication tokens are not persistent after logout” Source: http://www.owasp.org/asac/auth-session/replay.shtml

  13. Another Problem: Spoofing • Web users rely on visual clues when deciding to trust a site • Location bar information • SSL icons • SSL warnings • Certificate information • Response time • These cues can be forged Source: http://www.cs.dartmouth.edu/~pkilab/demos/spoofing/

  14. Spoofing Source: http://www.cs.dartmouth.edu/~pkilab/demos/spoofing/

  15. Spoofing Source: http://www.cs.dartmouth.edu/~pkilab/demos/spoofing/

  16. Countermeasures • Mozilla with SRD (synchronized random dynamic) Boundary • Trusted Reference Window in lower right corner • Untrusted Outer Window • Colors chosen at random Source: http://www.cs.dartmouth.edu/~pkilab/demos/countermeasures/

More Related