Technical Security Issues in Cloud Computing By: Meiko Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo Lacono Presentation by: Winston Tong 2009 IEEE.

Slides:

Advertisements

Similar presentations

Internet Protocol Security (IP Sec)

Advertisements

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Chapter 17: WEB COMPONENTS

Building web applications on top of encrypted data using Mylar Presented by Tenglu Liang Tai Liu.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

SSL Protocol By Oana Dini. Overview Introduction to SSL SSL Architecture SSL Limitations.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

CSE 486/586, Spring 2014 CSE 486/586 Distributed Systems Security Steve Ko Computer Sciences and Engineering University at Buffalo.

A Public Web Services Security Framework Based on Current and Future Usage Scenarios J.Thelin, Chief Architect PJ.Murray, Product Manager Cape Clear Software.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

Security Prospects through Cloud Computing by Adopting Multiple Clouds Meiko Jensen, Jorg Schwenk Jens-Matthias Bohli, Nils Gruschka Luigi Lo Iacono Presented.

Integration Considerations Greg Thompson April 20 th, 2006 Copyright © 2006, Credentica Inc. All Rights Reserved.

Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.

Environmental Council of States Network Authentication and Authorization Services The Shared Security Component February 28, 2005.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

January 2011 As a precaution, re-check the exam time in early January. Various rooms are used, your room will be on your personal timetable, available.

Making VLAB Secure Javier I. Roman. What is VLAB?  An interdisciplinary consortium dedicated to the development and promotion of the theory of planetary.

WEB SECURITY. WEB ATTACK TYPES Buffer OverflowsXML InjectionsSession Hijacking Attacks WEB Attack Types.

Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.

Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.

Laboratory for Reliable Computing Department of Electrical Engineering National Tsing Hua University Hsinchu, Taiwan Security Processor: A Review Chih-Pin.

Web services security I

Prashanth Kumar Muthoju

Key Management Guidelines. 1. Introduction 2. Glossary of Terms and Acronyms 3. Cryptographic Algorithms, Keys and Other Keying Material 4. Key Management.

CSCI 6962: Server-side Design and Programming

LEVERAGING UICC WITH OPEN MOBILE API FOR SECURE APPLICATIONS AND SERVICES Ran Zhou 1 9/3/2015.

8: Network Security8-1 Security in the layers. 8: Network Security8-2 Secure sockets layer (SSL) r Transport layer security to any TCP- based app using.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

Cloud Computing & Security Issues Prepared by: Hamoud Al-Shammari CS 6910 Summer, 2011 University of Colorado at Colorado Springs Engineering & Applied.

SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.

WS-Security: SOAP Message Security Web-enhanced Information Management (WHIM) Justin R. Wang Professor Kaiser.

Web Services Security Standards Overview for the Non-Specialist Hal Lockhart Office of the CTO BEA Systems.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Web Security : Secure Socket Layer Secure Electronic Transaction.

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Secure Authentication System for Public WLAN Roaming Ana Sanz Merino, Yasuhiko.

1 SSL - Secure Sockets Layer The Internet Engineering Task Force (IETF) standard called Transport Layer Security (TLS) is based on SSL.

Secure Systems Research Group - FAU Patterns for Web Services Security Standards Presented by Keiko Hashizume.

 A Web service is a method of communication between two electronic devices over World Wide Web.

Forward: Preventing XML Signature Wrapping Attacks in Cloud Computing Prepared by: Abdulaziz AlShammari Professor Ramasamy Uthurusamy April10, 2014.

CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.

1 Normal executable Infected executable Sequence of program instructions Entry Original program Entry Jump Replication and payload Viruses.

SECURITY IN CLOUD COMPUTING By Bina Bhaskar Anand Mukundan.

Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication.

Copyright © 2003 Jorgen Thelin / Cape Clear Software 1 A Web Services Security Framework Jorgen Thelin Chief Scientist Cape Clear Software Inc.

Need for Security Control access to servicesControl access to services Ensure confidentialityEnsure confidentiality Guard against attacksGuard against.

Web Services Security Patterns Alex Mackman CM Group Ltd

SSL(HandShake) Protocol By J.STEPHY GRAFF IIM.SC(C.S)

Web Services Security INFOSYS 290, Section 3 Web Services: Concepts, Design and Implementation Adam Blum

Security in OPC Unified Architecture (UA) Dick Oyen IndustrialSysDev, Inc.

SECURITY. Security Threats, Policies, and Mechanisms There are four types of security threats to consider 1. Interception 2 Interruption 3. Modification.

Cryptography CSS 329 Lecture 13:SSL.

Web Security CS-431.

Secure Sockets Layer (SSL)

NAAS 2.0 Features and Enhancements

Kerberos Kerberos is an authentication protocol for trusted hosts on untrusted networks.

Securing the CASP Protocol

Multi-party Authentication in Web Services

Presentation transcript:

Technical Security Issues in Cloud Computing By: Meiko Jensen, Jorg Schwenk, Nils Gruschka, Luigi Lo Lacono Presentation by: Winston Tong 2009 IEEE

Outline 1. Background 2. Cloud Technologies 1. Web Service Security 2. Transport Layer Security 3. Security related Issues 1. Wrapper Attacks 2. Browser Security 3. Metadata Attacks 4. Flooding Attacks

Background  Cloud layers of service  Software as a Service – Provides ready to use applications (Facebook)  Platform as a Service – Tailored hosting environments (Google App Engine)  Infrastructure as a Service – Provides raw resources (CPU, Storage, Memory)  Security concern – User’s data leaves the home protection of the user and provides trust to the foreign cloud.

Cloud Technologies – Web Service Security  Provide integrity, confidentiality and authentication for SOAP messages.  SOAP messages – Organized XML type message  Defines a SOAP header that carries WS-Security extensions.  Defines XML Signature/Encryption application to SOAP messages.  Hybrid Encryption  XML fragment is encrypted with a randomly generated symmetric key.  Key is encrypted with public key of recipient.  Encrypted key is inside security header.

Transport Layer Security  Handshake  Establishes encryption keys and algorithms  Authenticate server and client  Record Layer  Encrypts/decrypts TCP data streams using keys and algorithms from handshake.  Has different options for key agreement, encryption and authentication.  Popular  Certificate authentication of servers  User/Password authentication of clients

Cloud Security Issues – XML Signature  XML Signature Element Wrapping (Wrapping Attack)  Allows an outsider to freely use a victim’s cloud.  Example  Client sends SOAP message asking for “me.jpg” in the message “body”.  Client signature is in SOAP header and points to signed message for “body”.  Attacker can intercept the message and manipulate “body” in such a way that it asks for something else.  The message will still contain the valid signature.  2008, Amazon EC2 services were vulnerable to wrapping attacks.

Cloud Security Issues – XML Signature

Cloud Security Issues – Browser Security  Client usage of the browser as a tool to access his cloud leaves him vulnerable to browser attacks.  In response, Cloud services use Federated Identity Management (FIM) protocols.  Authentication through a third party. (With credentials)  When authenticated, Kerberos tokens are sent to the server.  These tokens are vulnerable.  Browsers unable to issue XML based security tokens itself.  FIM tokens are stored in the browser and are only protected by standard operating procedures.

Cloud integrity and Binding Issues  Clouds use metadata for identification of type of service that users want.  Malware Injection Attacks  Adversary creates his own service module and adds it to the cloud system  The cloud will then unknowingly service a user the malicious module.  Metadata Spoofing  Maliciously reengineering the Web Services’ metadata descriptions  Ex: deleteUser -> setAdminRights  These two attacks are weaker and avoidable

Flooding Attacks  Attacker sending a huge load of nonsense to service  Direct Denial of Service  Cloud wastes its resources on a flooded service.  Indirect Denial of Service  The flooded service affects the availability to other services  Accounting and Accountability  Economic loss from the computational power usage

Conclusion  Favor XML Signature and encryption security in browsers.  Strengthen security capabilities of browsers and Web Service frameworks.  Strengthen TLS to protect the SAML tokens  TLS session binding – the token will be protected by the same channel.  Strong Locked same origin policy – use server key as authentication as opposed to the insecure DNS system.