Web Applications Security Cryptography 1


Web Applications Security Cryptography 1 IT College, Andres Käver, 2017-2018, autumn semester Web: http://enos.Itcollege.ee/~akaver/WebSec Skype: akaver Email: akaver@itcollege.ee

Cryptography Cryptography (or crypto) is one of the more advanced topics of information security, and one whose understanding requires the most schooling and experience. There are many approaches to encryption, each with advantages and disadvantages that need to be thoroughly understood by web solution architects and developers. A small mistake in configuration or coding will result in removing most of the protection and rendering the crypto implementation useless.

Cryptography Provides Authentication, Auditing, Confidentiality, Integrity. Some crypto algorithms are more suited to particular tasks, but not to others. Usually a more secure algorithm is much more expensive to run (slower, more CPU/memory usage). Sometimes a combination is used, SSL for example: the initial connection is made with the secure solution, and the actual data transfer is done with the much faster/weaker implementation.

Cryptography - symmetric Symmetric keys share a common secret (password, pass phrase, or key). Data is encrypted and decrypted using the same key. Symmetric algorithms are very fast. Common examples of symmetric algorithms are DES, 3DES and AES. Key exchange is the problem!

Cryptography - asymmetric Aka Public/Private Key crypto. Asymmetric algorithms use two keys: data encrypted with one key can only be decrypted with the other. These inter-dependent keys are generated together. One is labeled the Public key and is distributed freely. The private key must be kept secure.

Cryptography - asymmetric Confidentiality: encrypt data with a user’s public key (which is publicly available); we can then send the data over an insecure network knowing that only the associated private key will be able to decrypt it.

Cryptography - asymmetric Authentication: encrypt data with the private key, so that only the public key can decrypt it. This proves the message’s authenticity, since only the specific private key could have generated the message.

Cryptography - asymmetric A Certificate Authority (CA), whose public certificates are installed with browsers or otherwise commonly available, may also digitally sign public keys or certificates. We can authenticate remote systems or users via a mutual trust of an issuing CA. We trust their ‘root’ certificates, which in turn authenticate the public certificate presented by the server. PGP and SSL are prime examples of systems implementing asymmetric cryptography, using RSA or other algorithms.

Cryptography - hashes Hash functions take some data (and possibly a key or password) and generate a fixed-length hash or checksum that is unique in practice. Since this is a one-way function, it is normally used to provide tamper detection. MD5 and SHA-1 are common hashing algorithms used today. These algorithms are considered weak. Consider using SHA-256 instead.
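Tamper detection on a web cookie, as an added example that is not part of the original slides: an unkeyed SHA-256 digest only catches accidental corruption, whereas a keyed hash (HMAC-SHA256 under a server-side key) lets the server detect any modification of the value. The server key, the cookie format `value.tag` and the sample cookie values are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Server-side secret, generated at start-up so this example runs stand-alone.
# In a real deployment it comes from a key store and is never hard-coded.
SERVER_KEY = secrets.token_bytes(32)


def plain_digest(value: str) -> str:
    """Unkeyed SHA-256. Detects accidental corruption only: whoever alters the
    value can simply recompute the digest, so it gives no protection against
    deliberate tampering."""
    return hashlib.sha256(value.encode()).hexdigest()


def sign(value: str, key: bytes = SERVER_KEY) -> str:
    """Return 'value.tag', where tag = HMAC-SHA256(key, value)."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify(signed: str, key: bytes = SERVER_KEY) -> Optional[str]:
    """Return the value if its tag is valid under key, otherwise None."""
    value, sep, tag = signed.rpartition(".")   # tag is hex, so it contains no '.'
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return value


if __name__ == "__main__":
    cookie = sign("user=alice;role=user")
    print(verify(cookie))                                     # user=alice;role=user
    print(verify(cookie.replace("role=user", "role=admin")))  # None: tag no longer matches
```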

Cryptography – key exchange Key exchange algorithms (such as Diffie-Hellman, used in SSL) allow us to safely exchange encryption keys with an unknown party.
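The Diffie-Hellman exchange with both sides simulated, as an added example not taken from the slides: only the two public values cross the wire, and each party derives the same symmetric key from its own private exponent, which is how SSL moves from the expensive asymmetric handshake to fast symmetric data transfer. The group parameters `P`, `Q`, `G` are a constructed toy group (a real deployment uses a standardised group of 2048 bits or more), and plain Diffie-Hellman does not by itself prove who the peer is; SSL relies on the server's certificate for that.

```python
import hashlib
import secrets

# Toy group constructed for this example so that it runs stand-alone:
# P is a safe prime (P = 2*Q + 1) and G generates the subgroup of order Q.
# Real deployments use standardised groups of 2048 bits or more (e.g. RFC 3526).
P = 23
Q = (P - 1) // 2
G = 4
KEY_LEN = (P.bit_length() + 7) // 8


def valid_public(value: int) -> bool:
    """Reject degenerate or out-of-subgroup values a peer (or a tamperer) might send."""
    return 1 < value < P - 1 and pow(value, Q, P) == 1


class Party:
    """One side of a Diffie-Hellman exchange."""

    def __init__(self, name: str) -> None:
        self.name = name
        # Private exponent: random, kept secret, never transmitted.
        self.private = secrets.randbelow(Q - 1) + 1      # 1 .. Q-1
        # Public value: the only thing this party puts on the insecure network.
        self.public = pow(G, self.private, P)

    def derive_key(self, peer_public: int) -> bytes:
        """Combine the peer's public value with our private exponent, then hash
        the shared secret into a fixed-length symmetric key."""
        if not valid_public(peer_public):
            raise ValueError(f"{self.name}: invalid peer public value")
        shared_secret = pow(peer_public, self.private, P)
        return hashlib.sha256(shared_secret.to_bytes(KEY_LEN, "big")).digest()


def run_exchange() -> tuple:
    """Simulate both sides. Only alice.public and bob.public cross the wire,
    yet both parties end up with the same key."""
    alice, bob = Party("alice"), Party("bob")
    key_a = alice.derive_key(bob.public)
    key_b = bob.derive_key(alice.public)
    return key_a, key_b


if __name__ == "__main__":
    key_a, key_b = run_exchange()
    print("both sides derived the same key:", key_a == key_b)   # True
```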

Cryptography As modern cryptography relies on being computationally expensive to break, specific standards can be set for key sizes that provide assurance that, with today’s technology and understanding, it will take too long to break any given key. Therefore, we need to ensure that both the algorithm and the key size are taken into account when selecting an algorithm. Proprietary encryption algorithms are not to be trusted, as they typically rely on ‘security through obscurity’ and not on sound mathematics.

Cryptography Weak algorithms: MD5 has recently been found less secure than previously thought. While still safe for most applications such as hashes for binaries made available publicly, secure applications should now be migrating away from this algorithm. SHA-0 has been conclusively broken. SHA-1 has been reduced in strength; migrate to SHA-256, which produces a larger digest. DES was once the standard crypto algorithm for encryption; a normal desktop machine can now break it. AES is the current preferred symmetric algorithm.

Cryptography – Key storage Crypto relies on keys to assure a user’s identity, provide confidentiality and integrity as well as non-repudiation. It is vital that the keys are adequately protected. Should a key be compromised, it can no longer be trusted. Any system that has been compromised in any way should have all its cryptographic keys replaced.

Cryptography – tokens Web servers typically deal with large numbers of users. Differentiating between them is often done through cookies or other session identifiers. If these session identifiers use a predictable sequence, an attacker need only generate a value in the sequence in order to present a seemingly valid session token. This can occur at a number of places: at the network level for TCP sequence numbers, or right through to the application layer with cookies used as authenticating tokens. Any deterministic sequence generator is likely to be vulnerable. Use a strong (cryptographically secure) random number generator! Sometimes a hardware solution is needed.
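A server-side session store built on an unpredictable token source, as an added example that is not from the original slides: tokens come from the operating system's cryptographic random number generator rather than a counter or a seeded generator, the store keeps only a hash of each token so a leaked session table yields nothing usable, and a token can be rotated or revoked. The `SessionStore` class, its method names and the user ids are assumptions of this example.

```python
import hashlib
import secrets
from typing import Dict, Optional

TOKEN_BYTES = 32   # 256 bits from the OS CSPRNG: not guessable, not sequential


class SessionStore:
    """Server-side session table keyed by a hash of the token, not the token itself."""

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}   # sha256(token) -> user id

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Storing only the hash means a leaked session table does not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, user_id: str) -> str:
        # secrets.token_urlsafe draws from the OS CSPRNG; random.random() and
        # counters are deterministic and therefore predictable.
        token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[self._fingerprint(token)] = user_id
        return token

    def lookup(self, token: str) -> Optional[str]:
        return self._sessions.get(self._fingerprint(token))

    def revoke(self, token: str) -> None:
        self._sessions.pop(self._fingerprint(token), None)

    def rotate(self, token: str) -> Optional[str]:
        """Issue a fresh token for the same user and invalidate the old one
        (done after login or any privilege change)."""
        user_id = self.lookup(token)
        if user_id is None:
            return None
        self.revoke(token)
        return self.create(user_id)


if __name__ == "__main__":
    store = SessionStore()
    token = store.create("alice")
    print(store.lookup(token))        # alice
    store.revoke(token)
    print(store.lookup(token))        # None
```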

THE END