
A Web Framework For Selective Encryption



Presentation Transcript


  1. A Web Framework For Selective Encryption (Richie Steigerwald)

  2. Privacy on the Web

  3. Session Cookies

  4. Session Cookies

  5. HTTPS

  6. Why HTTPS is slow

  7. HTTPS
     • HTTPS stands for Hypertext Transfer Protocol over Secure Sockets Layer, or HTTP over SSL
     • SSL acts like a sub-layer under the regular HTTP application layer
     • HTTPS encrypts an HTTP message prior to transmission and decrypts the message on arrival

  8. HTTPS
     • Authentication
     • Integrity
     • Privacy

  9. Selective Encryption
     • Authentication: encrypt cookies
     • Data integrity: encrypt the data checksum
     • Data privacy: encrypt private data

  10. Authentication
      • For all requests, encrypt the cookie and the secret code
      • For all responses, encrypt the secret code

  11. Integrity
      • Perform the authentication-related encryption
      • In the response, attach the checksum and encrypt it with the secret code
      Don’t read this while I’m presenting! If this is distracting you then I guess my presentation is pretty boring anyway. I actually wrote this presentation this morning. I hope it’s going well. Anyway, here’s something interesting: Apparently some brothel in Borneo (dunno WTF that is) was using a shaved orangutan as a sex slave. I just saw that on reddit. Maybe you’re looking at reddit right now, I don’t blame you. *(a$TH(0et1? be912zHZ&?

  12. Privacy
      • Perform the authentication-related security
      • Encrypt the entire request/response
      SSL in the 90’s

  13. Framework Interface
      • Developers should only have to specify what level of security to use
      • The framework should keep track of sessions and perform checksums automatically

  14. Server
      • Keep track of sessions
      • Guarantee it’s the same person
      • Checksums
      • Encryption

  15. Client
      • Decrypt and verify the secret code
      • Decrypt and verify the checksum
      • Decrypt private data
      • Sandbox received code
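The three levels on slides 9 to 15 (authentication via the cookie and a secret code, integrity via a checksum protected by the secret code, privacy via encrypting the whole body) as one added Python model. This is example code written for this page, not code from the presentation or its framework. It assumes the "secret code" is a fresh per-request nonce, realises "encrypt the checksum with the secret code" as an HMAC-SHA256 over the session secret, and uses a toy HMAC-keystream XOR for the privacy level; the session table, the `balance=42` body and all class and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# The three levels from the "Selective Encryption" slide; each includes the ones below it.
AUTH, INTEGRITY, PRIVACY = 1, 2, 3


def tag(secret: bytes, *parts: bytes) -> bytes:
    """The deck's "checksum encrypted with the secret code", realised here as an
    HMAC-SHA256 over length-prefixed fields (an assumption, not the deck's own scheme).
    Length prefixes stop an attacker from moving bytes between adjacent fields."""
    mac = hmac.new(secret, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


def keystream_xor(secret: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy cipher for the PRIVACY level: XOR with an HMAC-derived keystream.
    Illustrative only; a real framework would use an AEAD cipher such as AES-GCM."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(secret, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


class Server:
    """Keeps the session table and applies the requested level to each response."""

    def __init__(self) -> None:
        self.sessions: dict = {}            # session cookie -> per-session secret

    def login(self):
        """Assumes the one-time credential exchange already happened (e.g. over HTTPS);
        from here on only the shared session secret is needed."""
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = secrets.token_bytes(32)
        return cookie, self.sessions[cookie]

    def handle(self, request: dict, level: int) -> Optional[dict]:
        secret = self.sessions.get(request["cookie"])
        if secret is None:
            return None                                 # unknown session
        # AUTH: cookie and per-request secret code must carry a tag only the session owner can make
        if not hmac.compare_digest(request["auth"],
                                   tag(secret, request["cookie"].encode(), request["code"])):
            return None
        body = b"balance=42"                            # constructed application data
        if level >= PRIVACY:
            body = keystream_xor(secret, request["code"], body)
        resp = {"code": request["code"], "body": body,
                # echo the secret code under the session secret so the client knows this
                # reply is genuine and belongs to *this* request (not a replayed one)
                "auth": tag(secret, b"response", request["code"])}
        if level >= INTEGRITY:
            # keyed checksum over what is actually sent (encrypt-then-MAC when PRIVACY is on)
            resp["checksum"] = tag(secret, request["code"], body)
        return resp


class Client:
    def __init__(self, cookie: str, secret: bytes) -> None:
        self.cookie, self.secret = cookie, secret

    def request(self) -> dict:
        code = secrets.token_bytes(16)                  # fresh secret code per request
        return {"cookie": self.cookie, "code": code,
                "auth": tag(self.secret, self.cookie.encode(), code)}

    def verify(self, sent: dict, resp: Optional[dict], level: int) -> Optional[bytes]:
        """Mirrors the Client slide: verify secret code, verify checksum, decrypt private data."""
        if resp is None or resp["code"] != sent["code"]:
            return None                                 # not a reply to our request
        if not hmac.compare_digest(resp["auth"], tag(self.secret, b"response", sent["code"])):
            return None                                 # server failed authentication
        body = resp["body"]
        if level >= INTEGRITY and not hmac.compare_digest(
                resp["checksum"], tag(self.secret, sent["code"], body)):
            return None                                 # modified in transit
        if level >= PRIVACY:
            body = keystream_xor(self.secret, sent["code"], body)
        return body


def round_trip(level: int, tamper: bool = False) -> Optional[bytes]:
    """One request/response at the given level; optionally flip a bit of the body in transit."""
    server = Server()
    cookie, secret = server.login()
    client = Client(cookie, secret)
    req = client.request()
    resp = server.handle(req, level)
    if tamper:
        resp["body"] = bytes([resp["body"][0] ^ 0x01]) + resp["body"][1:]
    return client.verify(req, resp, level)


if __name__ == "__main__":
    for lvl, name in ((AUTH, "auth"), (INTEGRITY, "integrity"), (PRIVACY, "privacy")):
        print(name, round_trip(lvl), round_trip(lvl, tamper=True))
```

Running it shows the trade-off the deck is making: at the AUTH level a flipped bit in the body is accepted unnoticed (authentication alone says nothing about the payload), the INTEGRITY level rejects it because the keyed checksum no longer matches, and the PRIVACY level rejects it as well while also hiding the body from anyone without the session secret. Only the checksum computation is needed for the first two levels, which is where the "near-HTTP speeds" on the Validation slide come from.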

  16. Validation
      • Guarantee authenticity at near-HTTP speeds
      • Guarantee integrity at speeds faster than HTTPS

  17. Performance
      • A checksum is faster than encryption

  18. Problems
      • Trade-off: speed vs. privacy
      • Shorter encrypted messages are easier to crack

  19. Questions
