Cryptography-Security

Ch17-1

Chapter 17 – Web Security

• 17.1 Web Security Considerations

• 17.2 Secure Sockets Layer and Transport Layer Security

Cryptography-Security

Ch17-2

Web Security• Web now widely used by business, government,

individuals• but Internet & Web are vulnerable• have a variety of threats

– integrity– confidentiality– denial of service– authentication

• need added security mechanisms

Cryptography-Security

Ch17-3

Web Security Requirement Threats

Threats Consequences Countermeasures

Integrity

• Modification of user data

• Trojan horse browser

• Memory• Modification

of message traffic in transmit

• Loss of information

• Compromise of machines

• Vulnerability to all other threats

• Cryptographic checksum (hash value)

Cryptography-Security

Ch17-4

Threats (cont.)Threats Consequences Countermea

sures

Confidentiality

• Eavesdropper on the net

• Theft of info from server

• Theft of info from client

• Info about network configuration

• Info about which client talks to server

•Loss of information

•Loss of privacy

•Encryption•Web proxy

Cryptography-Security

Ch17-5

Threats (cont.)

Threats Consequences

Countermeasures

Denial of service (DOS)

• Killing of user threats

• Flooding machine with bogus threats

• Filling up disk or memory

• Isolating machine by DNS attacks

• Disruptive• Annoying• Prevent

user from getting work done

•Hard to prevent

•Traffic control

Cryptography-Security

Ch17-6

Threats (cont.)

Threats Consequences Countermeasures

Authentication

• impersonation of legitimate users

•Data forgery

•Misrepresentation of user

•Belief that false information is valid

•Cryptographic techniques

•Digital signature

Cryptography-Security

Ch17-7

Put security in TCP/IP

Cryptography-Security

Ch17-8

SSL History• SSLv2 (Secure Socket Layer)

– Netscape, 1994

• PCT (Private Communications Technology)– Microsoft, 1995– Compatible with SSLv2

• SSLv3– Netscape, 1996

• TLSv1 (Transport Layer Socket)– ETF, 1998– Minor changes with SSLv3, may be viewed as SSLv3.1

Cryptography-Security

Ch17-9

SSL/TLS in network layers

Cryptography-Security

Ch17-10

SSL/TLS as “secure pipe”

Cryptography-Security

Ch17-11

Security functions• 私密性 (secrecy or privacy) ：透過加密能確保資

訊的私密性。即使訊息仍然可能會被第三者攔截，但是他們無法閱讀這些資訊，因為他們沒有鑰匙可以開啟加密的資料 – Asymmetric key exchange: RSA, Diffie-Hellman, etc.– Symmetric encryption: DES, 3DES, RC4, etc.

• 完整性 (message integrity) ：藉由 MAC 來確保訊息的完整性。如果在傳輸過程資料遭到竄改， 接 收 者 會 可以從 MAC 檢查出訊息遭到破壞 。– Message Integrity: MD5, SHA-1

Cryptography-Security

Ch17-12

Security functions (cont.)• 認證 (Authentication) ：經由數位憑證，確定另一

通訊端的真實身份– Server authentication– Client authentication– X.509: public-key certificate

Cryptography-Security

Ch17-13

Protocols• Handshake Protocol

– authenticate each other– negotiate an encryption algorithm and cryptographic

keys

• Record Protocol– encapsulation of various higher level protocols

Cryptography-Security

Ch17-14

Cryptography-Security

Ch17-15

Steps of SSL

Cryptography-Security

Ch17-16

Cryptography-Security

Ch17-17

Data processing

Cryptography-Security

Ch17-18

What cannot SSL do?• SSL 只保障資料在 Internet 上的安全，一旦資

料到達對方之後，就以明文存在。例如，以SSL 傳送信用卡卡號， server 端可以知道該信用卡卡號– SET 才可以保障 server 端的商家無法得到卡號

• SSL 並不能防止送訊息的一方否認 (denial) 曾經送過某一個訊息。

Cryptography-Security

Ch17-19

How to use SSL• Commend: “httpshttps:www.mvdis.gov.tw”

Cryptography-Security

Ch17-20

Cryptography-Security

Ch17-21

Cryptography-Security

Ch17-22

Cryptography-Security

Ch17-23

Cryptography-Security

Ch17-24

SSL/TLS toolkits• OpenSSL

– http://www.openssl.org