Secure Transactions Chapter 17. The user's machine No control over security of user's machine –Might be in very insecure: library, school, &c. Users disable.

Slides:

Advertisements

Similar presentations

Section 10.1 Identify how Web sites are structured Explain the role of URLs Describe the function of HTTP Section 10.2 Explain how the Web has affected.

Advertisements

Chapter 17: WEB COMPONENTS

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

CP3397 ECommerce.

Cryptography and Network Security

Secure Socket Layer.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Lori Fitterling LI843 SSL Secured Sockets Layer. What is Secure Sockets Layer (SSL)? It is protection of data transferred over the Internet using encryption.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

Securing Network Communication. 2 Security Issues in Communication Privacy  Anyone can see content Integrity  Someone might alter content Authentication.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

15-1 Last time Internet Application Security and Privacy Public-key encryption Integrity.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.

Cryptography and Network Security Chapter 17

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Chapter 8 Web Security.

SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004

DIGITAL CERTIFICATE & SSL PRESENTED BY, SWAPNA ERABATHINI.

CSCI 6962: Server-side Design and Programming

The World-Wide Web. Why we care? How much of your personal info was released to the Internet each time you view a Web page? How much of your personal.

Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.

Secure Socket Layer (SSL)

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Introduction to Secure Sockets Layer (SSL) Protocol Based on:

Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

Encryption and Security Dylan Anderson Michael Huffman Julie Rothacher Dylan Anderson Michael Huffman Julie Rothacher.

18-jan-962. ETH-W4 (ra)1 security on the Web l security l authentication l privacy.

Cryptography and Network Security (CS435) Part Fourteen (Web Security)

Web Security : Secure Socket Layer Secure Electronic Transaction.

Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.

1 SSL - Secure Sockets Layer The Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL.

1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.

COSC 513 Operating Systems Project Presentation: Internet Security Instructor: Dr. Anvari Student: Ying Zhou Spring 2003.

TCP/IP (Transmission Control Protocol / Internet Protocol)

PHP Secure Communications Web Technologies Computing Science Thompson Rivers University.

Chapter 12: How Private are Web Interactions?. Why we care? How much of your personal info was released to the Internet each time you view a Web page?

Web Security Web now widely used by business, government, individuals but Internet & Web are vulnerable have a variety of threats – integrity – confidentiality.

© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.

Secure Socket Layer SSL and TLS. SSL Protocol Peer negotiation for algorithm support Public key encryptionPublic key encryption -based key exchange and.

1 6 Chapter 6 Implementing Security for Electronic Commerce.

Chapter 7 : Web Security Lecture #1-Week 12 Dr.Khalid Dr. Mohannad Information Security CIT 460 Information Security Dr.Khalid Dr. Mohannad 1.

SSL Certificates for Secure Websites

World Wide Web policy.

Cryptography and Network Security

Secure Sockets Layer (SSL)

Using SSL – Secure Socket Layer

Cryptography and Network Security

Cryptography and Network Security

Unit 8 Network Security.

Cryptography and Network Security

Presentation transcript:

Secure Transactions Chapter 17

The user's machine No control over security of user's machine –Might be in very insecure: library, school, &c. Users disable some features: cookies, Java, JavaScript Might not have 128-bit encryption –Until recently 128-bit encryption could not be legally exported from U.S. Might not be dealilng with a browser Store as little information as possible on user's machine (for a variety of reasons) No control over security of user's machine –Might be in very insecure: library, school, &c. Users disable some features: cookies, Java, JavaScript Might not have 128-bit encryption –Until recently 128-bit encryption could not be legally exported from U.S. Might not be dealilng with a browser Store as little information as possible on user's machine (for a variety of reasons)

The Internet The Internet is inherently insecure Your options: Transmit info anyhow Digitally sign to avoid tampering Encrypt to keep private and avoid tampering Find another way to distribute information The Internet is inherently insecure Your options: Transmit info anyhow Digitally sign to avoid tampering Encrypt to keep private and avoid tampering Find another way to distribute information

The Internet "It is difficult to be certain whether the person you are dealing with is who he claims to be." Repudiation : can you prove to a court that someone took part in a transaction? "It is difficult to be certain whether the person you are dealing with is who he claims to be." Repudiation : can you prove to a court that someone took part in a transaction?

The Internet Ways to address privacy and repudiation issues: S ecure S ockets L ayer ( SSL ) –"is readily available and widely used" S ecure H yper T ext T ransfer P rotocol ( S-HTTP ) –"has not really taken off" Ways to address privacy and repudiation issues: S ecure S ockets L ayer ( SSL ) –"is readily available and widely used" S ecure H yper T ext T ransfer P rotocol ( S-HTTP ) –"has not really taken off"

Your system Keep up to date on warnings and patches for third-party software What do your scripts do (or not do)? –Use SSL to protect privacy –Use registered digital certificate –Check user-entered data carefully –Store information securely Keep up to date on warnings and patches for third-party software What do your scripts do (or not do)? –Use SSL to protect privacy –Use registered digital certificate –Check user-entered data carefully –Store information securely

Using SSL Originally designed by Netscape Now is "unofficial standard" for secure communication between browsers and servers Standardized in TLS –Transport Layer Security –Based on SSL –Not yet widely supported Originally designed by Netscape Now is "unofficial standard" for secure communication between browsers and servers Standardized in TLS –Transport Layer Security –Based on SSL –Not yet widely supported

TCP/UDP IP Various HTTPFTPSMTP... Application layer Transport layer Network layer Host to Network layer Network protocol stack

TCP/UDP IP Various... Application layer Transport layer Network layer Host to Network layer SSL Record Protocol SSL layer SSL Hand- shake Protocol HTTP SSL Change Cipher SSL Alert Protocol The SSL layer The SSL layer is transparent: –Same interface as the underlying transport layer Deals with handshaking, encryption, and decryption The SSL layer is transparent: –Same interface as the underlying transport layer Deals with handshaking, encryption, and decryption

SSL handshake Browser Server Browser connects, asks for certificate

SSL handshake Browser Server Browser connects, asks for certificate Server sends certificate Certificate Server distinguished name Server public key Period of validity Issuer distinguished name Issuer Signature Other information CA's public key public private

SSL handshake Browser Server Browser connects, asks for certificate Server sends certificate Browser sends list of cyphers RC4 with 40-bit key DES with 40-bit key DES with 56-bit key

SSL handshake Browser Server Browser connects, asks for certificate Server sends certificate Browser sends list of cyphers Server selects strongest common cypher RC4 with 40-bit key DES with 40-bit key DES with 56-bit key RC4 with 40-bit key RC2 with 40-bit key 3DES with 168-bit key Idea (128 bit key) RC4 with 40-bit key from browser:server supports:

SSL handshake Browser Server Browser connects, asks for certificate Server sends certificate Browser sends list of cyphers Server selects strongest common cypher Browser sends encrypted random number public private

SSL handshake Browser Server Browser connects, asks for certificate Server sends certificate Browser sends list of cyphers Server selects strongest common cypher Browser sends encrypted random numberServer sends plain text random number Why is this sent in plain text?

SSL handshake Browser Server Browser connects, asks for certificate Server sends certificate Browser sends list of cyphers Server selects strongest common cypher Browser sends encrypted random numberServer sends plain text random number Hash random #s to get session key session

Sending data <head> My Page</ti My Page... Packetize Break up the data into manageable packets.

Sending data <head> My Page</ti My Page... Compress Packetize Each packet is (optionally) compressed.

Sending data <head> My Page</ti My Page... Calculate MAC Compress Packetize Use hash to calculate Message Authentication Code for each packet.

Sending data <head> My Page</ti My Page... Calculate MAC Encrypt Compress Packetize The MAC and compressed data are combined and encrypted using the session key. session

Sending data <head> My Page</ti My Page... Calculate MAC Encrypt Compress Packetize TCP header Combine with header and send

Screening user input Use addslashes() before putting data in database. Use stripslashes() when retrieving data. Magic quotes –Add and strip slashes automatically Use addslashes() before putting data in database. Use stripslashes() when retrieving data. Magic quotes –Add and strip slashes automatically

Screening user input escapeshellcmd() –used to pass data to system(), exec() or execute with backticks Avoid executing shell commands wherever possible, especially with user input. strip_tags() remove HTML tags htmlspecialchars() escape HTML chars –e.g., change < to < escapeshellcmd() –used to pass data to system(), exec() or execute with backticks Avoid executing shell commands wherever possible, especially with user input. strip_tags() remove HTML tags htmlspecialchars() escape HTML chars –e.g., change < to <

Providing secure storage "The most dangerous type of data we store is executable content." Don't allow write access to scripts and directories in document tree. Intruder could write malicious script and execute it by loading through the web server. Scripts that are supposed to write files should write outside web tree. "The most dangerous type of data we store is executable content." Don't allow write access to scripts and directories in document tree. Intruder could write malicious script and execute it by loading through the web server. Scripts that are supposed to write files should write outside web tree.

Providing secure storage Encrypting data probably won't help unless key and decrypting software are on a different machine. Intruder who can get to encrypted file can probably also get to key and decrypting software if they are on the same machine. Encrypting data probably won't help unless key and decrypting software are on a different machine. Intruder who can get to encrypted file can probably also get to key and decrypting software if they are on the same machine.

Protect passwords in scripts Scripts with.php will always be interpreted. Scripts with other extensions (like.inc) could be served as is. Limited protection from other users on same server –Don't use same password for login and database. Back up database. –Set group to apache (must be root) and don't allow public read. –CGI is more secure in this respect. Scripts with.php will always be interpreted. Scripts with other extensions (like.inc) could be served as is. Limited protection from other users on same server –Don't use same password for login and database. Back up database. –Set group to apache (must be root) and don't allow public read. –CGI is more secure in this respect.

Why are you storing credit card numbers? One time transactions: Send card number to transaction processor and don't store Periodic charges: –Don't store on web server –Check up-to-date security info –Be paranoid One time transactions: Send card number to transaction processor and don't store Periodic charges: –Don't store on web server –Check up-to-date security info –Be paranoid