Internet & Web Security

Presentation Transcript

  1. Internet & Web Security

  2. References & Resources • Lincoln Stein, Web Security: A Step-by-Step Reference Guide • Larry J. Hughes, Jr., Internet Security Techniques

  3. What is web security? • Three parts of web security • Three points of view • Risks

  4. Three components of web security • Browser • Server • Connection between the two (i.e., the Internet!)

  5. Three points of view • User’s • Webmaster’s • Both parties’

  6. User’s point of view • Remote server’s ownership known and true • No viruses or other damaging documents / sw • Remote server respects user’s privacy • Doesn’t obtain / record / distribute private info

  7. Webmaster’s point of view • User won’t try to break in / alter contents • User won’t try to gain access to documents s/he’s not privy to • User won’t try to crash the server • User’s ID (if provided!) is true

  8. Both parties’ point of view • Network connection free of eavesdropping • Info between browser and server delivered intact, free from tampering

  9. Three (interdependent) parts • Document confidentiality • Client-side security • Server-side security

  10. Document confidentiality • Protect private information from • Eavesdropping • Fraudulent identities • Mostly via cryptography

  11. Client-side security • Protect user’s privacy and system’s integrity • Virus protection • Limit amount of info browser transmits (without user’s consent) • Protect organization’s confidential information / network integrity • From Web browsing activities

  12. Server-side security • Protect server from • Break-ins • Site vandalism • Denial-of-service attacks • Mostly firewalls and OS security measures

  13. Risks • Risks that affect both client and server • Risks to the end user • Risks to the web site

  14. Risks that affect both client and server • Eavesdropping • “Packet sniffers” (more …) • Fraud

  15. Network snooping (sniffing) ... • Abuse of network debugging tools ... • Network interface into promiscuous mode ... • Solution: encrypt

  16. Abuse of network debugging tools ... • E.g., Network General's Expert Sniffer • etherfind (SunOS) • tcpdump (free on Internet) • Sniffer FAQ • comp.security, news.answers • ftp://ftp.iss.net/pub/faq/sniff • http://www.iss.net/iss/sniff.html

  17. Network interface into promiscuous mode ... • Report all packets to sniffer • Display / record • Analyze • Remote also possible

  18. Fraud • Authenticate • Individuals, organizations • Transactions • Documents • Solution: digital signatures, certification authorities

  19. Risks to the end user • Active content • Privacy infringement

  20. Active content • Browsers download and run SW without notice • Java applets • ActiveX controls • Plug-ins • Helper app’s • JavaScript • Malicious (not many) / buggy (???)

  21. Privacy infringement • Site-collected data on visitors • Server log (time, date, IP addr., document, referrer URL) • Proxy servers log (every site visited) • Cookies • User-provided data • Solutions: e.g., “stealth browser”

  22. Risks to the web site • Webjacking • Server and LAN break-ins • Denial-of-service attacks

  23. Webjacking • Break in & modify contents • Happens(ed) a lot • How? • Exploit holes in • OS, Web server, buggy SW • CGI scripts

  24. Server and LAN break-ins • Various attacks at different protocol layers (OSI, more …) • Defense: firewall

  25. Denial-of-service attacks • Cause server to crash / hang / “crawl” • OS, server, CGI scripts, Web site services • No real defenses • Place limits on resources used by server / other sw • Close known holes

  26. Part I: Document confidentiality • Basic cryptography • SSL, SET, and Digital Payment Systems

  27. Basic cryptography • How cryptography works • Symmetric cryptography • Public key cryptography • Online Resources • Printed Resources

  28. How cryptography works • Plaintext • Ciphertext • Cryptographic algorithm • Key • [Diagram labels: Plaintext, Encryption, Key, Algorithm, Ciphertext, Decryption]

  29. Simple cryptosystem ... • Caesar Cipher • Simple substitution cipher • ROT-13 • half alphabet ==> 2 x ==> plaintext

  30. Keys cryptosystems … • keys and keyspace ... • secret-key and public-key ... • key management ... • strength of key systems ...

  31. Keys and keyspace … • ROT: key is N • Brute force: 25 values of N • IDEA in PGP: 2^128 numeric keys • 1 billion keys / sec ==> >10,781,000,000,000,000,000,000 years
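
The keyspace comparison on this slide, as an added example that is not part of the original presentation: an exhaustive search over the 25 ROT-N keys, and the time needed to exhaust a k-bit keyspace at the slide's rate of 1 billion keys per second. The word list, sample sentence and function names are constructed for illustration.

```python
import string

# Constructed word list used to recognise a plausible English plaintext.
COMMON = {"the", "and", "at", "is", "to", "of", "meet", "dawn", "gate"}

def rot(text, n):
    """Shift each ASCII letter n places, preserving case; leave the rest alone."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + n) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)

def brute_force_rot(ciphertext):
    """Try all 25 non-trivial keys; return (key, plaintext) with the most known words."""
    strip_punct = str.maketrans("", "", string.punctuation)

    def score(candidate):
        return sum(w in COMMON for w in candidate.lower().translate(strip_punct).split())

    best = max(range(1, 26), key=lambda n: score(rot(ciphertext, 26 - n)))
    return best, rot(ciphertext, 26 - best)

def years_to_exhaust(key_bits, keys_per_second=1e9):
    """Years needed to try every key of the given length at a fixed rate."""
    seconds = 2 ** key_bits / keys_per_second
    return seconds / (365.25 * 24 * 3600)

if __name__ == "__main__":
    ct = rot("Meet at the gate at dawn.", 7)      # constructed sample message
    print(ct, "->", brute_force_rot(ct))
    print(f"128-bit keyspace: {years_to_exhaust(128):.4e} years")
```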

  32. Symmetric cryptography • DES • Triple DES, DESX, GDES, RDES • RC2, RC4, RC5 • IDEA • Blowfish • [Diagram labels: Sender, Plaintext, Encryption, Key, Ciphertext, Decryption, Plaintext, Recipient]

  33. DES • Data Encryption Standard • US NIST (‘70s) • 56-bit key • Good then • Not enough now (cracked June 1997) • Discrete blocks of 64 bits • Often w/ CBC (cipher block chaining) • Each block’s encr. depends on contents of previous

  34. Triple DES, DESX, GDES, RDES • Variants on DES: decrease risk of brute-force guessing • Triple-DES • 1. W/ Key 1 • 2. W/ Key 2 • 3. W/ Key 1 • ==> Effective key length ~168 bits

  35. RC2, RC4, RC5 • Proprietary (RSA Data Security, Inc.) • Variable length keys (up to 2,048 bits) • Outside US: 40-bit versions of RC2 & RC4 • ==> Web browsers & servers

  36. IDEA • Int’l Data Encryption Algorithm • Patented (AscomTech AG) • Popular in Europe • 128-bit key ==> more secure than DES • (One of) at heart of PGP • (Other is RSA)

  37. Blowfish • Unpatented (Bruce Schneier) • In many commercial & freeware • Var-length key (up to 448 bits)

  38. Symmetric not fit for Internet • Spontaneous comm ==> can’t exchange keys • Multiway comm ==> key secrecy compromised

  39. Public key cryptography • Two-in-one • Cryptography • Digital signatures

  40. Public key cryptography • Asymmetric • [Diagram labels: Senders, Plaintext, Encryption, Recipient’s public key, Ciphertext, Decryption, Recipient’s secret key, Plaintext, Recipient]

  41. Digital signatures • But, problem ... • [Diagram labels: Sender, Plaintext, Encryption, Sender’s secret key, Digital signature, Decryption, Sender’s public key, =?, Authenticated Plaintext, Recipient]

  42. Combining cryptography and digital signature • [Diagram labels: Sender, Message text, Signature text, Sender’s secret key, Digital signature, Recipient’s public key, Ciphertext, Recipient’s secret key, Sender’s public key, =?, Authenticated Message, Recipient]

  43. Problem ... • Can cut & paste from older • Solutions • A --> B: random “challenge” phrase • B --> A: sign w/ secret key, return • A: decrypts w/ B’s public key, compare to original • Or, message digest functions

  44. Message digest functions & message integrity • One-way hashes • Digital fingerprint for original message • Sender ... • Recipient

  45. Sender • 1. Run message through digest function • 2. Sign hash with secret key • 3. Send signed hash & original message to recipient

  46. Recipient • Decrypt hash w/ sender’s public key • Compare with result of running message through digest function • Match ==> verified integrity • In SSL (later): Message Authenticity Check (MAC) • MAC = digest(secret + digest(secret - message))
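
The sender and recipient steps above, together with the random-challenge fix from slide 43, as an added example that is not part of the original presentation. It assumes textbook (unpadded) RSA over a constructed toy key and uses SHA-256 in place of the MD5/SHA digests the slides name; all function names are illustrative.

```python
import hashlib
import secrets

# Toy sender key built from two Mersenne primes (constructed and trivially
# factorable; for illustration only). E is the public exponent.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                                # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))        # sender's secret exponent

def digest(message):
    """One-way hash of the message, as an integer smaller than N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message):
    """Sender steps 1-2: hash the message, then sign the hash with the secret key."""
    return pow(digest(message), D, N)

def verify(message, signature):
    """Recipient: recover the hash with the public key, compare to a fresh digest."""
    return pow(signature, E, N) == digest(message)

def new_challenge():
    """A --> B: a random challenge phrase, never reused."""
    return secrets.token_bytes(16)

def respond(challenge):
    """B --> A: sign the challenge with the secret key and return it."""
    return sign(challenge)

def check_response(challenge, response):
    """A: check the response against the challenge it just issued."""
    return verify(challenge, response)

if __name__ == "__main__":
    msg = b"Pay 100 to Alice"            # constructed sample message
    sig = sign(msg)
    print("intact:  ", verify(msg, sig))
    print("tampered:", verify(b"Pay 900 to Alice", sig))
    old, new = new_challenge(), new_challenge()
    print("replayed old response accepted:", check_response(new, respond(old)))
```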

  47. Message digest functions • MD4 (Rivest, MIT) • 128-bit hashes • Weaknesses ==> • MD5 (Rivest) • Most widely used • SHA: Secure Hash Algorithm (NIST) • 160-bit hash

  48. Digital envelopes • Public key encryption SLOWER than symmetric ==> Hybrid • 1. Random secret key (“session key”; discard when done) • 2. Encrypt message w/ session key & symmetric alg. • Encrypt session key w/ recipient’s public key (==> “digital envelope”) • Send encrypted message + digital envelope

  49. Digital envelopes • [Diagram labels: Sender, Message plaintext, Session key, Recipient’s public key, Ciphertext, Recipient’s secret key, Session key, Message plaintext, Recipient]
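
The digital envelope steps from slide 48, as an added example that is not part of the original presentation. It assumes a constructed toy RSA key for the recipient and a SHA-256 keystream XOR standing in for the symmetric algorithm (not one of the ciphers listed in slide 32); function names are illustrative.

```python
import hashlib
import secrets

# Toy recipient key (constructed, trivially factorable; illustration only).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # recipient's secret exponent

def keystream_xor(key, data):
    """Stand-in symmetric cipher: XOR data with SHA-256(key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[i:i + 32], pad))
    return bytes(out)

def seal(message):
    """Sender: returns (encrypted message, digital envelope)."""
    session_key = secrets.token_bytes(16)                     # 1. random session key
    ciphertext = keystream_xor(session_key, message)          # 2. symmetric encryption
    envelope = pow(int.from_bytes(session_key, "big"), E, N)  # wrap key w/ public key
    return ciphertext, envelope

def open_envelope(ciphertext, envelope):
    """Recipient: unwrap the session key with the secret key, then decrypt."""
    session_key = pow(envelope, D, N).to_bytes(16, "big")
    return keystream_xor(session_key, ciphertext)

if __name__ == "__main__":
    message = b"Quarterly figures attached. " * 4             # constructed sample
    ct, env = seal(message)
    print(len(message), "byte message,", env.bit_length(), "bit envelope")
    print("round trip ok:", open_envelope(ct, env) == message)
```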

  50. Certifying authorities & public key infrastructure • Large public-key database • ==> management? Trusted third party • Certifying authorities (CA)