Security in Web Scenario

May 30, 2018

Vivek Kushwaha
  • 8/14/2019 Security in Web Scenario

    1/22

    Security in web scenario

    Contents:

    What Do We Mean By Security?
    The Foundations of Security
    General Types of Attacks
    Network Threats
    Web traffic security approaches
    IP Security (IPSec)
    Secure Socket Layer
    Kerberos
    Pretty Good Privacy
    Secure Electronic Transaction
    Host Threats

    What Do We Mean By Security?

    Security is fundamentally about protecting assets. Assets may be tangible items, such as a Web page or your customer database, or they may be less tangible, such as your company's reputation.

    The Foundations of Security

    General Types of Attacks

    Active Attacks
      2. Masquerade
      3. Replay
      4. Modification of messages
      5. Denial of service

    Passive Attacks
      7. Release of message contents
      8. Traffic Analysis

    Release of message contents

    [Figure: Bob sends a message to Alice over the Internet; Darth reads the contents of the message from Bob to Alice.]

    Traffic Analysis

    [Figure: Bob sends messages to Alice over the Internet; Darth observes the pattern of messages from Bob to Alice.]


    Replay

    [Figure: Bob sends a message to Alice over the Internet; Darth captures the message from Bob to Alice and later replays the message to Alice.]

    Modification of messages

    [Figure: Bob sends a message to Alice over the Internet; Darth modifies the message from Bob to Alice.]

    Denial of service

    [Figure: Bob uses a server over the Internet; Darth disrupts the services provided by the server.]

    Network Threats

    Information gathering
    Sniffing
    Spoofing
    Session hijacking
    Denial of service

    Web traffic security approaches

    Network Level (security inside IP):
      HTTP FTP SMTP
      TCP
      IP/IPSec

    Transport Level (security between TCP and the applications):
      HTTP FTP SMTP
      SSL or TLS
      TCP
      IP

    Application Level (security built into each application):
      S/MIME PGP SET
      Kerberos SMTP HTTP
      UDP TCP
      IP

    IP Security (IPSec)

    IPSec Document Overview:
      Architecture
      ESP Protocol
      AH Protocol
      Encryption algorithm
      Authentication algorithm
      DOI (Domain of Interpretation)
      Key Management

    Secure Socket Layer

    SSL Protocol Stack:
      SSL Handshake Protocol | SSL Change Cipher Spec Protocol | SSL Alert Protocol | HTTP
      SSL Record Protocol
      TCP
      IP

    Kerberos

    [Figure: Kerberos exchanges between the client, the Authentication Server (AS), the Ticket-granting server (TGS) and the application server.]

    Once per user logon session: the client requests a ticket-granting ticket; the AS returns Ticket + Session key.
    Once per type of service: the client requests a service-granting ticket; the TGS returns Ticket + Session key.
    Once per service session: the client requests the service; the server provides a server authenticator.
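The three exchanges on the slide, as an added example that is not part of the original deck: an Authentication Server and Ticket-Granting Server (folded into one KDC object), a service that checks the ticket and the client's authenticator, and the client side of each step. The sealing primitive is a constructed stand-in (SHA-256 keystream plus an HMAC tag) for the Kerberos encryption type, chosen only so the block runs with the standard library; the principal names, the 8-hour and 1-hour lifetimes, the 300-second clock-skew window and the "timestamp + 1" server authenticator are my assumptions. The service keeps a replay cache of accepted authenticators, which is what stops the replay attack shown on slide 10.

```python
import hashlib
import hmac
import json
import os
import time

CLOCK_SKEW = 300  # seconds an authenticator timestamp may differ from the verifier's clock (assumed)

def seal(key, obj):
    # Constructed authenticated encryption: SHA-256 counter keystream XOR plus an HMAC tag.
    # Stand-in for the Kerberos encryption type so the example needs only the standard library.
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def fresh(ts, now=None):
    return abs((now or time.time()) - ts) <= CLOCK_SKEW

class KDC:
    """Authentication Server (AS) and Ticket-Granting Server (TGS) of the slide, in one object."""
    def __init__(self, user_keys, service_keys):
        self.user_keys, self.service_keys = user_keys, service_keys
        self.tgs_key = os.urandom(32)  # only the TGS can open ticket-granting tickets

    def as_exchange(self, user):
        # Once per user logon session: reply sealed under the user's long-term key,
        # containing the TGS session key and a TGT that only the TGS can read.
        session = os.urandom(16).hex()
        tgt = seal(self.tgs_key, {"user": user, "key": session, "expires": time.time() + 8 * 3600})
        return seal(self.user_keys[user], {"key": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_blob, authenticator, service):
        # Once per type of service: TGT + authenticator in, service ticket + session key out.
        tgt = unseal(self.tgs_key, tgt_blob)
        auth = unseal(bytes.fromhex(tgt["key"]), authenticator)
        if auth["user"] != tgt["user"] or not fresh(auth["ts"]) or time.time() > tgt["expires"]:
            raise ValueError("TGS rejected the request")
        svc_session = os.urandom(16).hex()
        ticket = seal(self.service_keys[service],
                      {"user": tgt["user"], "key": svc_session, "expires": time.time() + 3600})
        return seal(bytes.fromhex(tgt["key"]), {"key": svc_session, "ticket": ticket.hex()})

class Service:
    def __init__(self, key):
        self.key, self.seen = key, set()  # seen: replay cache of accepted authenticators

    def accept(self, ticket_blob, authenticator):
        # Once per service session: open the ticket, check the authenticator, and answer with
        # the server authenticator (timestamp + 1) so the client knows the server holds the key.
        ticket = unseal(self.key, ticket_blob)
        session = bytes.fromhex(ticket["key"])
        auth = unseal(session, authenticator)
        stamp = (auth["user"], auth["ts"])
        if auth["user"] != ticket["user"] or not fresh(auth["ts"]) or time.time() > ticket["expires"]:
            raise ValueError("service rejected the ticket or authenticator")
        if stamp in self.seen:
            raise ValueError("replayed authenticator")  # the replay attack of slide 10
        self.seen.add(stamp)
        return seal(session, {"ts": auth["ts"] + 1})

def make_authenticator(user, session_key):
    return seal(session_key, {"user": user, "ts": time.time()})

def demo():
    # Constructed principals: one user whose key derives from a password, one service.
    user_key = hashlib.sha256(b"alice-password").digest()
    svc_key = os.urandom(32)
    kdc, fileserver = KDC({"alice": user_key}, {"fileserver": svc_key}), Service(svc_key)

    as_reply = unseal(user_key, kdc.as_exchange("alice"))                      # logon
    tgt_key, tgt = bytes.fromhex(as_reply["key"]), bytes.fromhex(as_reply["tgt"])
    tgs_reply = unseal(tgt_key, kdc.tgs_exchange(tgt, make_authenticator("alice", tgt_key), "fileserver"))
    svc_session, ticket = bytes.fromhex(tgs_reply["key"]), bytes.fromhex(tgs_reply["ticket"])
    auth = make_authenticator("alice", svc_session)
    server_auth = unseal(svc_session, fileserver.accept(ticket, auth))         # service session
    mutual_ok = server_auth["ts"] == unseal(svc_session, auth)["ts"] + 1
    try:
        fileserver.accept(ticket, auth)  # Darth replays the captured authenticator
        replay_blocked = False
    except ValueError:
        replay_blocked = True
    return mutual_ok, replay_blocked

if __name__ == "__main__":
    print(demo())  # (True, True): mutual authentication succeeded, replay rejected
```

Note that the user's long-term key is used exactly once, to open the AS reply; every later step uses a short-lived session key, which is the point of the two-ticket design.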

    Pretty Good Privacy

    Transmission of PGP Messages

    X = file
    Signature required? If yes: generate signature, X = Signature || X
    Compress: X = Z(X)
    Confidentiality required? If yes: encrypt key and X, X = E(Pub, Ks) || E(Ks, X)
    Convert to radix 64: X = R64[X]

    Reception of PGP Messages

    Convert from radix 64: X = R64^-1[X]
    Confidentiality required? If yes: decrypt key and X, Ks = D(PRb, E(Pub, Ks)); X = D(Ks, E(Ks, X))
    Decompress: X = Z^-1(X)
    Signature required? If yes: strip signature from X, verify signature
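The transmission and reception flows of slides 18 and 19 carried through in Python, as an added example that is not part of the original deck. The public-key and symmetric primitives are constructed stand-ins chosen so the block runs with only the standard library: textbook RSA over Mersenne-prime moduli with no padding (the key pairs SENDER_* and RECIP_* are mine), a SHA-224 digest for signing, a SHA-256 counter keystream for E(Ks, X), zlib for Z, and base64 for R64. None of these are PGP's actual algorithms or packet formats; the fixed 32-byte SLOT framing for the signature and the encrypted session key is also an assumption. The flag arguments reproduce the two "Required?" decisions on the slides, and the receiver reverses the steps in the opposite order.

```python
import base64
import hashlib
import os
import zlib

# Toy RSA key pairs built from Mersenne primes (constructed for this example only; textbook
# RSA without padding is not secure and merely stands in for PGP's public-key operations).
def make_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+
    return (n, e), (n, d)              # (public key, private key)

SENDER_PUB, SENDER_PRIV = make_keypair((1 << 107) - 1, (1 << 127) - 1)  # n is about 2^234
RECIP_PUB, RECIP_PRIV = make_keypair((1 << 89) - 1, (1 << 61) - 1)      # n is about 2^150
SLOT = 32  # fixed byte width framing the signature and the encrypted session key (assumed)

def sign(priv, data):
    # PGP signs a hash of the message; SHA-224 keeps the digest below the toy modulus.
    h = int.from_bytes(hashlib.sha224(data).digest(), "big")
    return pow(h, priv[1], priv[0]).to_bytes(SLOT, "big")

def verify(pub, data, sig):
    h = int.from_bytes(hashlib.sha224(data).digest(), "big")
    return pow(int.from_bytes(sig, "big"), pub[1], pub[0]) == h

def stream_xor(ks, data):
    # Constructed stand-in for PGP's symmetric cipher: SHA-256 counter keystream XOR.
    # The same call encrypts and decrypts.
    keystream = b"".join(hashlib.sha256(ks + i.to_bytes(4, "big")).digest()
                         for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, keystream))

def pgp_transmit(x, sender_priv, recip_pub, signature_required=True, confidentiality_required=True):
    # Slide 18: Signature || X  ->  Z(X)  ->  E(Pub, Ks) || E(Ks, X)  ->  R64[X]
    if signature_required:
        x = sign(sender_priv, x) + x
    x = zlib.compress(x)
    if confidentiality_required:
        ks = os.urandom(16)  # one-time session key Ks, sent under the recipient's public key
        e_ks = pow(int.from_bytes(ks, "big"), recip_pub[1], recip_pub[0]).to_bytes(SLOT, "big")
        x = e_ks + stream_xor(ks, x)
    return base64.b64encode(x)

def pgp_receive(r64, recip_priv, sender_pub, signature_required=True, confidentiality_required=True):
    # Slide 19: undo each step in reverse order; the signature is checked last, on the plaintext.
    x = base64.b64decode(r64)
    if confidentiality_required:
        e_ks, x = x[:SLOT], x[SLOT:]
        ks = pow(int.from_bytes(e_ks, "big"), recip_priv[1], recip_priv[0]).to_bytes(16, "big")
        x = stream_xor(ks, x)
    x = zlib.decompress(x)
    if signature_required:
        sig, x = x[:SLOT], x[SLOT:]
        if not verify(sender_pub, x, sig):
            raise ValueError("signature verification failed")
    return x

if __name__ == "__main__":
    wire = pgp_transmit(b"hello alice", SENDER_PRIV, RECIP_PUB)
    print(wire[:40] + b"...")                           # radix-64 text safe for e-mail
    print(pgp_receive(wire, RECIP_PRIV, SENDER_PUB))   # b'hello alice'
```

The ordering matters: signing before compression lets the signature be verified on the original file, and compressing before encryption is what makes the compression useful, since ciphertext does not compress.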

    Secure Electronic Transaction

    [Figure: SET participants. The Cardholder and the Merchant communicate over the Internet; the Merchant talks to the Payment gateway, which connects over the Payment network to the Acquirer and the Issuer; a Certificate authority issues certificates to the participants.]

    Host Threats

    Viruses, Trojan horses, and worms
    Footprinting
    Profiling
    Password cracking
    Denial of service
    Arbitrary code execution
    Unauthorized access

    Thank You