Cryptography-Security Ch17-1 Chapter 17 – Web Security 17.1 Web Security Considerations 17.2 Secure Sockets Layer and Transport Layer Security.

Cryptography-Security

Ch17-1

Chapter 17 – Web Security

• 17.1 Web Security Considerations

• 17.2 Secure Sockets Layer and Transport Layer Security


Ch17-2

Web Security• Web now widely used by business, government,

individuals• but Internet & Web are vulnerable• have a variety of threats

– integrity– confidentiality– denial of service– authentication

• need added security mechanisms


Ch17-3

Web Security Requirement Threats

Threats Consequences Countermeasures

Integrity

• Modification of user data

• Trojan horse browser

• Memory• Modification

of message traffic in transmit

• Loss of information

• Compromise of machines

• Vulnerability to all other threats

• Cryptographic checksum (hash value)


Ch17-4

Threats (cont.)Threats Consequences Countermea

sures

Confidentiality

• Eavesdropper on the net

• Theft of info from server

• Theft of info from client

• Info about network configuration

• Info about which client talks to server

•Loss of information

•Loss of privacy

•Encryption•Web proxy


Ch17-5

Threats (cont.)

Threats Consequences

Countermeasures

Denial of service (DOS)

• Killing of user threats

• Flooding machine with bogus threats

• Filling up disk or memory

• Isolating machine by DNS attacks

• Disruptive• Annoying• Prevent

user from getting work done

•Hard to prevent

•Traffic control


Ch17-6

Threats (cont.)

Threats Consequences Countermeasures

Authentication

• impersonation of legitimate users

•Data forgery

•Misrepresentation of user

•Belief that false information is valid

•Cryptographic techniques

•Digital signature


Ch17-7

Put security in TCP/IP


Ch17-8

SSL History• SSLv2 (Secure Socket Layer)

– Netscape, 1994

• PCT (Private Communications Technology)– Microsoft, 1995– Compatible with SSLv2

• SSLv3– Netscape, 1996

• TLSv1 (Transport Layer Socket)– ETF, 1998– Minor changes with SSLv3, may be viewed as SSLv3.1


Ch17-9

SSL/TLS in network layers


Ch17-10

SSL/TLS as “secure pipe”


Ch17-11

Security functions• 私密性 (secrecy or privacy) ：透過加密能確保資

訊的私密性。即使訊息仍然可能會被第三者攔截，但是他們無法閱讀這些資訊，因為他們沒有鑰匙可以開啟加密的資料 – Asymmetric key exchange: RSA, Diffie-Hellman, etc.– Symmetric encryption: DES, 3DES, RC4, etc.

• 完整性 (message integrity) ：藉由 MAC 來確保訊息的完整性。如果在傳輸過程資料遭到竄改，接收者會可以從 MAC 檢查出訊息遭到破壞。– Message Integrity: MD5, SHA-1


Ch17-12

Security functions (cont.)• 認證 (Authentication) ：經由數位憑證，確定另一

通訊端的真實身份– Server authentication– Client authentication– X.509: public-key certificate


Ch17-13

Protocols• Handshake Protocol

– authenticate each other– negotiate an encryption algorithm and cryptographic

keys

• Record Protocol– encapsulation of various higher level protocols


Ch17-14


Ch17-15

Steps of SSL


Ch17-16


Ch17-17

Data processing


Ch17-18

What cannot SSL do?• SSL 只保障資料在 Internet 上的安全，一旦資

料到達對方之後，就以明文存在。例如，以SSL 傳送信用卡卡號， server 端可以知道該信用卡卡號– SET 才可以保障 server 端的商家無法得到卡號

• SSL 並不能防止送訊息的一方否認 (denial) 曾經送過某一個訊息。


Ch17-19

How to use SSL• Commend: “httpshttps:www.mvdis.gov.tw”


Ch17-20


Ch17-21


Ch17-22


Ch17-23


Ch17-24

SSL/TLS toolkits• OpenSSL

– http://www.openssl.org

Cryptography-Security Ch17-1 Chapter 17 – Web Security 17.1 Web Security Considerations 17.2 Secure Sockets Layer and Transport Layer Security.

Documents

web security considerations

web security17

secure sockets layer

individualsbut internet

memoryisolating machine

encryption algorithm

network layersssltls

symmetric encryption