Web Security. Sandy Kutin, CSPP 532, 8/7/01
Dec 17, 2015
Web security: an overview
Company wants to build a web site:
Online purchasing
Requests for service or support
Viewing data files online
How do we make this process secure?
Confidentiality
Authentication
Usual answer: cryptography
TCP/IP in 60 seconds
Computers communicate via packets, not connections
Packets are directed from machine to machine
Smart nodes, stupid network
Contrasts with phone network
Internet Protocol (IP) controls this movement
Transmission Control Protocol (TCP): reassembles packets at the destination
Could insert cryptography at any layer
(Diagram: layers IP, TCP, Applications)
IPsec
IPsec works at IP level
Transparent to applications
Slows everything down
Some say it’s the future, some say it’s not
If every packet is encrypted: negates performance optimization, firewalls (neither can inspect the payload)
(Diagram: layers IPsec, TCP, Applications)
HaSSLe-free Solution
Secure Sockets Layer (SSL)
Works at TCP level
Developed by Netscape
“Applications” now includes: Handshake, Alert, Cipher Spec Change
Packets encoded by SSL Record Protocol
Implemented in web server, browser
Successor: Transport Layer Security (TLS)
(Diagram: layers IP, TCP, SSL Record, Applications)
LoSSLess Communication
SSL Record Protocol:
1. Fragment data into blocks; can compress
2. Append MAC to each block:
   MAC = H(K | pad2 | H(K | pad1 | info | data))
   H could be MD5 or SHA-1; similar to HMAC
   info includes sequencing, length information
3. Encrypt each block (symmetric)
4. Append header, send fragment
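Step 2 worked through in code, as an added example that is not from the slides: the SSL 3.0 form of the MAC above, with constructed key and data. The pad bytes (0x36, 0x5c) and the layout of info (sequence number, content type, fragment length) are those of SSL 3.0, and the standard HMAC over the same bytes is computed alongside to show why the slide says "similar to HMAC" rather than identical.

```python
import hashlib
import hmac
import struct

# SSL 3.0 padding: pad1 = 0x36 repeated, pad2 = 0x5c repeated; 48 bytes for MD5, 40 for SHA-1.
PAD_LEN = {"md5": 48, "sha1": 40}


def ssl3_mac(key: bytes, seq_num: int, content_type: int, data: bytes, h: str = "sha1") -> bytes:
    """MAC = H(K | pad2 | H(K | pad1 | info | data)); info = 8-byte sequence number,
    1-byte content type (23 = application data), 2-byte fragment length."""
    pad1, pad2 = b"\x36" * PAD_LEN[h], b"\x5c" * PAD_LEN[h]
    info = struct.pack(">QBH", seq_num, content_type, len(data))
    inner = hashlib.new(h, key + pad1 + info + data).digest()
    return hashlib.new(h, key + pad2 + inner).digest()


def verify_record(key, seq_num, content_type, data, mac, h="sha1") -> bool:
    """Receiver recomputes the MAC with its own expected sequence number, so a replayed
    or reordered fragment fails even though its bytes are unchanged."""
    return hmac.compare_digest(ssl3_mac(key, seq_num, content_type, data, h), mac)


def true_hmac(key, seq_num, content_type, data, h="sha1") -> bytes:
    """Standard HMAC over the same bytes, for comparison: HMAC XORs the key with the
    pads instead of concatenating key and pad, so the two constructions give different tags."""
    info = struct.pack(">QBH", seq_num, content_type, len(data))
    return hmac.new(key, info + data, h).digest()
```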
BusineSSLike Handshake
How do we establish a session key?
1. Client says “hello”: version, random number
2. Server says “hello”: same, includes key exchange method, optional certificate
3. Client initiates key exchange (may just generate master, send it using RSA)
4. Both sides compute various keys from master, random numbers in hello messages
5. Confirmation messages
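Step 4 carried through, as an added example rather than code from the slides: SSL 3.0's MD5/SHA-1 expansion of the pre-master secret and both hello randoms into the master secret and the per-direction keys, computed independently by client and server. The RSA transport of the pre-master (step 3) is not modeled, the value is simply shared in memory, and the MAC and cipher key lengths assume a SHA-1 / 128-bit suite.

```python
import hashlib
import os


def _expand(secret: bytes, r1: bytes, r2: bytes, blocks: int) -> bytes:
    """SSL 3.0 expansion: block i = MD5(secret | SHA1(label_i | secret | r1 | r2)),
    with label_i = 'A', 'BB', 'CCC', ... so every 16-byte block differs."""
    out = b""
    for i in range(blocks):
        label = bytes([ord("A") + i]) * (i + 1)
        out += hashlib.md5(secret + hashlib.sha1(label + secret + r1 + r2).digest()).digest()
    return out


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """48-byte master secret from the pre-master and the two hello randoms."""
    return _expand(pre_master, client_random, server_random, 3)


def key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """Key material; SSL 3.0 feeds the randoms in the opposite order for this step."""
    return _expand(master, server_random, client_random, -(-length // 16))[:length]


def session_keys(pre_master, client_random, server_random, mac_len=20, key_len=16):
    """Split the key block into the four per-direction keys (assumed lengths: SHA-1 MAC, 128-bit cipher)."""
    master = master_secret(pre_master, client_random, server_random)
    kb = key_block(master, client_random, server_random, 2 * (mac_len + key_len))
    names = ("client_mac", "server_mac", "client_key", "server_key")
    sizes = (mac_len, mac_len, key_len, key_len)
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = kb[pos:pos + size]
        pos += size
    return keys


def simulate_handshake():
    """Steps 1-4: each side contributes a random, the client picks the pre-master,
    and both sides derive the same keys. Each hello random is 32 bytes, as in SSL 3.0."""
    client_random = os.urandom(32)             # step 1, from the client hello
    server_random = os.urandom(32)             # step 2, from the server hello
    pre_master = b"\x03\x00" + os.urandom(46)  # step 3, client-generated, version prefix 3.0
    client_side = session_keys(pre_master, client_random, server_random)
    server_side = session_keys(pre_master, client_random, server_random)
    return client_side, server_side
```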
HelpleSSLy Hoping
So, does SSL secure our site?
Confidential, authenticated transactions are important, but not the only issue
Threat model: who might attack, and how
Steal customer data (credit cards)
Steal private corporate data
Deface web site
Denial of Service: prevent us from working
SSL has nothing to do with any of these
Trial Separation
How do we keep corporate data secure?
Solution: keep it separate
Only mix information when you have to: use a floppy, or a laptop
Partial solution: restrict web server’s access privileges (e.g., firewall, DMZ)
OK if data flow is mostly to the server
What about credit card numbers?
SET, I project
Secure Electronic Transaction (SET)
MasterCard, Visa
Alice sends Bob order, encrypted card info
Bob forwards card info to MC/Visa
MC/Visa pays Bob
Bob never gets card number
Credit card company never gets order information
Building a Better MouSETrap
OI = order info (includes time), OIMD = H(OI)
PI = payment info (& time), PIMD = H(PI)
Alice signs (OIMD | PIMD) (SHA-1, RSA)
Alice sends Bob OI, ECC(PI), PIMD, sig S
Bob computes OIMD, checks signature S
Bob sends OIMD, ECC(PI), S to MC/Visa
They decrypt, check PI, check signature S
They transfer funds, Bob ships item to Alice
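The dual signature from the two slides above, as an added example that is not SET's own code: Bob verifies S knowing OI and only the digest PIMD, and MC/Visa verifies the same S knowing PI and only the digest OIMD. The RSA key here is a deliberately tiny demonstration key built with a Miller-Rabin primality test (far too small for real use), and the encryption of PI to the card company (ECC(PI)) is left out so the block shows only the signature.

```python
import hashlib
import random


def _probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin test, used only to build the toy RSA key below."""
    if n < 4: return n in (2, 3)
    if n % 2 == 0: return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1): continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1: break
        else:
            return False
    return True


def toy_rsa_keypair(bits: int = 256):
    """Demonstration-only RSA: returns (public (e, n), private (d, n)). Too small for real use."""
    e, half = 65537, bits // 2
    while True:
        p = random.getrandbits(half) | (1 << (half - 1)) | 1
        q = random.getrandbits(half) | (1 << (half - 1)) | 1
        if p != q and _probable_prime(p) and _probable_prime(q) and (p - 1) % e and (q - 1) % e:
            return (e, p * q), (pow(e, -1, (p - 1) * (q - 1)), p * q)


h = lambda data: hashlib.sha1(data).digest()   # H from the slide: SHA-1

def dual_sign(oi: bytes, pi: bytes, priv):
    """Alice: OIMD = H(OI), PIMD = H(PI), S = RSA-sign(H(OIMD | PIMD))."""
    d, n = priv
    oimd, pimd = h(oi), h(pi)
    return oimd, pimd, pow(int.from_bytes(h(oimd + pimd), "big"), d, n)

def _verify(oimd: bytes, pimd: bytes, s: int, pub) -> bool:
    e, n = pub
    return pow(s, e, n) == int.from_bytes(h(oimd + pimd), "big")

def bob_checks(oi: bytes, pimd: bytes, s: int, pub) -> bool:
    """Merchant sees OI in the clear but only the digest of the payment info."""
    return _verify(h(oi), pimd, s, pub)

def bank_checks(pi: bytes, oimd: bytes, s: int, pub) -> bool:
    """MC/Visa sees PI (after decrypting it) but only the digest of the order."""
    return _verify(oimd, h(pi), s, pub)
```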
Improving our MindSET
Think outside the box
Q: How do we store credit card numbers?
A: Store them so we can’t read them
Application-level solutions: harder to implement, but better targeted to problems
Cryptography is only part of the solution
Any system can be broken
Build a threat model, measure costs
Breaking and Entering
Enemy could break in:
Could corrupt data (deface web site)
Could steal data (including passwords)
Could gain control of system
Firewalls help, but there’s always a way in
Keep data separate whenever possible
Educate users about viruses, Trojan horses
Install patches as often as you can
Intruder Alert
Home security: locks stop easy attacks
Better: door, window alarms (as long as they don’t go through the walls)
Even better: motion detectors
Alarms don’t stop anything directly, but they alert the authorities
Fear of alarms forces criminals to hurry, make mistakes
Law and Order
Deterrent to robbery: fear of prosecution
After a crime, police gather fingerprints, DNA, eyewitnesses
Not aimed at stopping crime or recovering goods, but at punishing criminals
Hard to do in computer crime; criminals often minors or foreign nationals
Intrusion Detection
No matter what systems and protocols we use, people will break in if they want
Hard to defend against determined teenagers with nothing else to do
Solution: monitor system, detect intrusions, watch for unusual activity
Honeypots: trap intruders
Gather evidence; maybe prosecute
At the very least, close off the holes
Denial of Service Attacks
One approach: break in, crash the server
Another: flood the server with bad requests
Distributed Denial of Service (DDoS): take over PCs around the country/world, use them to overload a site
Only solution: have hardware routers detect bad packets
Almost impossible; Windows XP may make it worse
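The "monitor system, watch for unusual activity" advice of the Intrusion Detection slide and the flooding described on this one, as an added example not taken from the slides: two detectors run over constructed web server log lines in Common Log Format (addresses from documentation ranges), one flagging a source that bursts requests faster than any browser would, the other flagging a source collecting 404s while poking at pages that do not exist. Window and threshold values are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line: str):
    """Return (source, timestamp, request, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), TS_FMT), m.group(3), int(m.group(4))

def find_floods(lines, window_s: int = 10, threshold: int = 5) -> dict:
    """Sources exceeding `threshold` requests inside any `window_s`-second window
    (lines must be in time order per source). Returns {source: time first flagged}."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        src, ts = rec[0], rec[1]
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop requests outside the window
            q.popleft()
        if len(q) > threshold and src not in flagged:
            flagged[src] = ts
    return flagged

def find_probe_bursts(lines, threshold: int = 3) -> dict:
    """Sources with repeated 403/404 responses: the footprint of someone trying known holes."""
    errors = defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        if rec[3] in (403, 404):
            errors[rec[0]] += 1
    return {src: n for src, n in errors.items() if n >= threshold}

def _line(src, sec, path, status):   # builds one constructed sample line
    return f'{src} - - [07/Aug/2001:12:00:{sec:02d} +0000] "GET {path} HTTP/1.0" {status} 512'

SAMPLE_LOG = (
    [_line("10.0.0.5", s, "/index.html", 200) for s in (0, 15, 40)]          # ordinary browsing
    + [_line("192.0.2.10", s, "/", 200) for s in range(20, 28)]             # 8 requests in 8 s: flood
    + [_line("198.51.100.7", 30 + i, f"/hole{i}", 404) for i in range(4)]  # probing missing pages
)
```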
Here’s looking at you, KiDDoS
In the real world: to attack, you have to put yourself at risk. Not on the Internet.
In the real world: attackers must learn skills. Not on the Internet.
One person discovers a hole, writes a script; now “script kiddies” can use it
Patches don’t work. Attackers will always be ahead of users.
Beta testing doesn’t uncover security holes
Gibson Research Corporation
Steve Gibson’s GRC.com: security
Attacked, repeatedly, by DDoSs. No defense.
“Nothing more than the whim of a 13-year old hacker is required to knock any user, site, or server right off the Internet.”
Solution: Distributed Responsibility
Owners responsible for their machines
ISPs responsible for their routers
Software writers responsible for bugs
EXPensive Problem
Attackers usually spoof source IP addresses, to conceal their location
Easy to do in UNIX (as root)
Not possible in Windows 9x/ME, but possible in Windows 2000/XP
Microsoft says: we’re fixing a bug
Gibson says: there’s no legitimate reason home users would need this feature
Bruce Schneier: Counterpane
Author of “Applied Cryptography”
Feels only monitoring, intrusion detection, active response can do any good
Counterpane.com: corporate security
Solution: Insurance
Insure against damages from attacks
Lower rates for following good practices