cryptography-security ch17-1 chapter 17 – web security 17.1 web security considerations 17.2...
TRANSCRIPT
Cryptography-Security
Ch17-1
Chapter 17 – Web Security
• 17.1 Web Security Considerations
• 17.2 Secure Sockets Layer and Transport Layer Security
Cryptography-Security
Ch17-2
Web Security• Web now widely used by business, government,
individuals• but Internet & Web are vulnerable• have a variety of threats
– integrity– confidentiality– denial of service– authentication
• need added security mechanisms
Cryptography-Security
Ch17-3
Web Security Requirement Threats
Threats Consequences Countermeasures
Integrity
• Modification of user data
• Trojan horse browser
• Memory• Modification
of message traffic in transmit
• Loss of information
• Compromise of machines
• Vulnerability to all other threats
• Cryptographic checksum (hash value)
Cryptography-Security
Ch17-4
Threats (cont.)Threats Consequences Countermea
sures
Confidentiality
• Eavesdropper on the net
• Theft of info from server
• Theft of info from client
• Info about network configuration
• Info about which client talks to server
•Loss of information
•Loss of privacy
•Encryption•Web proxy
Cryptography-Security
Ch17-5
Threats (cont.)
Threats Consequences
Countermeasures
Denial of service (DOS)
• Killing of user threats
• Flooding machine with bogus threats
• Filling up disk or memory
• Isolating machine by DNS attacks
• Disruptive• Annoying• Prevent
user from getting work done
•Hard to prevent
•Traffic control
Cryptography-Security
Ch17-6
Threats (cont.)
Threats Consequences Countermeasures
Authentication
• impersonation of legitimate users
•Data forgery
•Misrepresentation of user
•Belief that false information is valid
•Cryptographic techniques
•Digital signature
Cryptography-Security
Ch17-7
Put security in TCP/IP
Cryptography-Security
Ch17-8
SSL History• SSLv2 (Secure Socket Layer)
– Netscape, 1994
• PCT (Private Communications Technology)– Microsoft, 1995– Compatible with SSLv2
• SSLv3– Netscape, 1996
• TLSv1 (Transport Layer Socket)– ETF, 1998– Minor changes with SSLv3, may be viewed as SSLv3.1
Cryptography-Security
Ch17-9
SSL/TLS in network layers
Cryptography-Security
Ch17-10
SSL/TLS as “secure pipe”
Cryptography-Security
Ch17-11
Security functions• 私密性 (secrecy or privacy) :透過加密能確保資
訊的私密性。即使訊息仍然可能會被第三者攔截,但是他們無法閱讀這些資訊,因為他們沒有鑰匙可以開啟加密的資料 – Asymmetric key exchange: RSA, Diffie-Hellman, etc.– Symmetric encryption: DES, 3DES, RC4, etc.
• 完整性 (message integrity) :藉由 MAC 來確保訊息的完整性。如果在傳輸過程資料遭到竄改, 接 收 者 會 可以從 MAC 檢查出訊息遭到破壞 。– Message Integrity: MD5, SHA-1
Cryptography-Security
Ch17-12
Security functions (cont.)• 認證 (Authentication) :經由數位憑證,確定另一
通訊端的真實身份– Server authentication– Client authentication– X.509: public-key certificate
Cryptography-Security
Ch17-13
Protocols• Handshake Protocol
– authenticate each other– negotiate an encryption algorithm and cryptographic
keys
• Record Protocol– encapsulation of various higher level protocols
Cryptography-Security
Ch17-14
Cryptography-Security
Ch17-15
Steps of SSL
Cryptography-Security
Ch17-16
Cryptography-Security
Ch17-17
Data processing
Cryptography-Security
Ch17-18
What cannot SSL do?• SSL 只保障資料在 Internet 上的安全,一旦資
料到達對方之後,就以明文存在。例如,以SSL 傳送信用卡卡號, server 端可以知道該信用卡卡號– SET 才可以保障 server 端的商家無法得到卡號
• SSL 並不能防止送訊息的一方否認 (denial) 曾經送過某一個訊息。
Cryptography-Security
Ch17-19
How to use SSL• Commend: “httpshttps:www.mvdis.gov.tw”
Cryptography-Security
Ch17-20
Cryptography-Security
Ch17-21
Cryptography-Security
Ch17-22
Cryptography-Security
Ch17-23
Cryptography-Security
Ch17-24
SSL/TLS toolkits• OpenSSL
– http://www.openssl.org