PHP Secure Communications

Slides:



Advertisements
Similar presentations
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Advertisements

SECURE SITES. A SECURE CONNECTION TERMS Secure Sockets Layer (SSL) An older Internet protocol that allows for data transmission between server and client.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
>> PHP: Access Control & Security. Authentication: Source Authentication Source Hard-coded File-Based The username and password is available inside the.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
03 December 2003 Public Key Infrastructure and Authentication Mark Norman DCOCE Oxford University Computing Services.
CSCI 6962: Server-side Design and Programming
CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.
Session 11: Security with ASP.NET
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.
Website Security ISYS 475. Authentication Authentication is the process that determines the identity of a user.
Class 8Intro to Databases Authentication and Security Note: What we discuss in class today covers moderate to low security. Before you involve yourself.
SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.
© FPT SOFTWARE – TRAINING MATERIAL – Internal use 04e-BM/NS/HDCV/FSOFT v2/3 Securing a Microsoft ASP.NET Web Application.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Cryptography, Authentication and Digital Signatures
Web Security : Secure Socket Layer Secure Electronic Transaction.
Types of Electronic Infection
Nic Shulver, Introduction to Sessions in PHP Sessions What is a session? Example Software Software Organisation The login HTML.
Digital Envelopes, Secure Socket Layer and Digital Certificates By: Anthony and James.
Chapter 6: Authentications. Training Course, CS, NCTU 2 Overview  Getting Username and Password  Verifying Username and Password  Keeping The Verification.
Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.
Data Encryption using SSL Topic 5, Chapter 15 Network Programming Kansas State University at Salina.
SEC835 Runtime authentication Secure session management Secure use of cryptomaterials.
Public Key Encryption.
Web Database Programming Week 7 Session Management & Authentication.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.
31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
PHP-based Authentication
PHP Secure Communications Web Technologies Computing Science Thompson Rivers University.
By Sandeep Gadi 12/20/  Design choices for securing a system affect performance, scalability and usability. There is usually a tradeoff between.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
Secure Socket Layer SSL and TLS. SSL Protocol Peer negotiation for algorithm support Public key encryptionPublic key encryption -based key exchange and.
1-way String Encryption Rainbows (a.k.a. Spectrums) Public Private Key Encryption HTTPS Encryption.
SSL: Secure Socket Layer By: Mike Weissert. Overview Definition History & Background SSL Assurances SSL Session Problems Attacks & Defenses.
1 Internet data security (HTTPS and SSL) Ruiwu Chen.
Why Does The Site Need an SSL Certification?. Security should always be a high concern for your website, but do you need an SSL certificate? A secure.
Secure HTTP (HTTPS) Pat Morin COMP 2405.
The Secure Sockets Layer (SSL) Protocol
TOPIC: HTTPS (Security protocol)
Web Security CS-431.
Setting and Upload Products
Data Virtualization Tutorial… SSL with CIS Web Data Sources
SSL Certificates for Secure Websites
Encryption 1-way String Encryption Rainbows (a.k.a. Spectrums)
Cryptography and Network Security
PAYMENT GATEWAY Presented by SHUJA ASHRAF SHAH ENROLL: 4471
Secure Sockets Layer (SSL)
Information Security message M one-way hash fingerprint f = H(M)
Chapter 8 Building the Transaction Database
Web Services Security.
How to Check if a site's connection is secure ?
E-Commerce Security.
Information Security message M one-way hash fingerprint f = H(M)
Using SSL – Secure Socket Layer
Web Systems Development (CSC-215)
PHP: Security issues FdSc Module 109 Server side scripting and
Cryptography and Network Security
Information Security message M one-way hash fingerprint f = H(M)
The Secure Sockets Layer (SSL) Protocol
Transport Layer Security (TLS)
PHP Forms and Databases.
Electronic Payment Security Technologies
PHP Secure Communications
Presentation transcript:

PHP Secure Communications Web Technologies Group Computing Science Thompson Rivers University

Unit Topics How to create a secure connection How to use a secure connection; how to authenticate a server How to use user authentication How to work with encrypted data Secure Comm

1. How to Use a Secure Connection An introduction to secure connections How SSL authentication works How to get a digital secure certificate for your web server How to request a secure connection How to enforce the user to use a secure connection Secure Comm

An introduction to secure connections 1. An introduction to secure connections [Q] Is it safe to use HTTP to send a credit card number? [Q] What is the solution, then? A secure connection. But a secure connection is much slower than regular HTTP connections. You usually use secure connections only when your application passes sensitive data. [Q] How to use a secure connection then? [Q] How to trust web servers? How to trust users? There are two types of authentication. [Q] What are they? User authentication and server authentication Secure Comm

How SSL authentication works – how to authenticate a server HTTPS Advanced Skills

Secure connection protocols With a regular HTTP connection, all data is sent as unencrypted plain text. [Q] What does this mean? Can a hacker read my credit card number? With a secure connection, all data is encrypted with a secrete key before it is transferred between the client and server. Secure connection protocols SSL (Secure Sockets Layer) – older TLS (Transport Layer Security) – newer; successor of SSL The URL for a secure connection starts with HTTPS instead of HTTP. Secure Comm

[Q] What information is included in a certificate? Before a secure connection is established, the server uses SSL server authentication to authenticate itself. It does this by providing a digital secure certificate to the browser. [Q] What information is included in a certificate? Name of the server Name of the issuer Expiration date … [Q] How to trust a certificate? Digitally signed, i.e., encrypted by using the issuer's private key, so that nobody can change. Only the issuer's public key can be used to decrypt the certificate. And the issuer should be trustworthy. Secure Comm

1. Before a secure connection is established, the server uses SSL server authentication to authenticate itself. It does this by providing a digital secure certificate to the browser. [Q] How to trust a certificate? By default, browsers accept digital secure certificates that come from trusted sources. [Q] ??? However, if the browser does not recognize the certificate as coming from a trusted source, it informs the user and lets the user view the certificate. Then the user decides. Can you try with eBay? Advanced Skills

How to get a digital secure certificate for your web server 1. How to get a digital secure certificate for your web server [Q] From where? Trustworthy CA (Certificate Authority), and RA (Registration Authority) www.verisign.com www.thawte.com www.geotrust.com www.instantssl.com www.entrust.com SSL strength 40-bit, 56-bit 128-bit 256-bit [Q] What does this mean? Secure Comm

How to request a secure connection [Q] How? 1. How to request a secure connection [Q] How? Once you establish a secure connection, you can use relative URLs (i.e., relative paths) to continue using the secure connection. [Q] Is it true? Secure Comm

How to redirect to a secure connection 1. Topics How to redirect to a secure connection [Q] If you want to make sure that a page is always viewed over a secure connection, what do you have to do? If you want to make sure that a page is always viewed over a secure connection, you can include code at the top of the page that redirects the page to a secure connection. [Q] What does this mean? How? If the user requests the page over a regular connection, the web server redirects the request to the same page but over a secure connection. [Q] How? You need to know whether the user uses http or https. <?php if (!isset($_SERVER['HTTPS'])) { $url = 'https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']; // start with /... header("Location: " . $url); // Redirect - 302 exit; // should be before any output } // ?> Secure Comm

2. How to Use User Authentication Three types of user authentication How to store and validate a password How to use form-based authentication How to use basic authentication Secure Comm

Three types of user authentication [Q] How to make only authorized users access some pages? You need to begin by determining whether a client is who and what it claims to be. This process is known as User Authentication. [Q] Any good idea? Username and password Secure Comm

Three types of user authentication 2. Three types of user authentication Form-based authentication a login form By default, no encryption Basic authentication – causes the browser to display a dialog box that gets the username and password. Digest authentication Encrypts the username and password before sending them [Q] Which one looks like the best? [Q] No encryption used in 1) and 2) ? Secure Comm

How to store and validate a password For most types of authentication, you store the usernames and passwords in a database. [Q] Encrypted passwords, or unencrypted passwords? A hash function accepts a variable-size string and returns a fixed-size string known as the hash value. [Q] Always the same hash value for the same input? [Q] Is a hash function reversible? Password Encrypted password Database Secure Comm

// [Q] How to add a username and password into a database? function add_user($username, $password) { global $db; // [Q] global? $hashed_password = sha1($password); // SHA-1 hash ft $query = "insert into Users (username, password) values ('$username', '$hashed_password')"; mysqli_query($db, $query); } // [Q] How to validate ? Secure Comm

function is_valid_user($username, $password) { global $db; // [Q] How to validate ? function is_valid_user($username, $password) { global $db; $hashed_password = sha1($password); // ? $query = "select * from users where username = '$username' and password = '$hashed_password'"; $result = mysqli_query($db, $query); $valid = (mysqli_num_rows($result) == 1); return $valid; } Secure Comm

2. SHA1 uses only 40 bits, and this algorithm is broken. You will need to use a stronger hash function. // SHA256 hash($algorithm, $string_to_hash) // MD5, SHA256, ... // example $hashed_password = hash(SHA256, $password); // Not 'SHA…' Secure Comm

How to use form-based authentication After the user authentication, you will need to move to a protected page. It is also a good idea to use a session. [Q] What if the user does not use https? Advanced Skills

[Q] Can you make an algorithm for the controller, index.php? 2. After the user authentication, you will need to move to a protected page. It is also a good idea to use a session. [Q] Can you make an algorithm for the controller, index.php? Start session; Include necessary functions (model); Get the action, such as SignIn, to perform; If the user isn’t signed in, then $action = ‘SignIn' to force the user to sign in; Switch(action) ‘SignIn': Validate the username and password; Create session; …: ‘SignOut': Destroy session; Secure Comm

How to use basic authentication PHP script can enforce the browser to ask the user to enter username and password. [Q] Why do we need this? [Q] How? Advanced Skills

The $_SERVER array 2. Topics PHP_AUTH_USER Returns the username from the dialog box or a NULL PHP_AUTH_PW Returns the password from the dialog box <?php // require_once('model/database.php'); // require_once('model/admin_db.php'); $username = $_SERVER['PHP_AUTH_USER'] $password = $_SERVER['PHP_AUTH_PW']; if (!isset($username) || !is_valid_user($username, $password)) { header('WWW-Authenticate: Basic realm = "My Realm"'); header('HTTP/1.0 401 Unauthorized'); exit(); } ?> Secure Comm

3. How to Work with Encrypted Data [Q] Can we use SHA for encryption/decryption? How to encrypt and decrypt data A class for storing encrypted data – We will revisit class later. Secure Comm

Do you need to store encrypted data in a db? How to encrypt and decrypt data MCRYPT_RIJNDAEL_128 The Rijndael cipher with a 128 bit key size. MCRYPT_RIJNDAEL_192 MCRYPT_RIJNDAEL_256 There are a lot of cipher algorithms. MCRYPT_MODE_CBC CBC (Cypher Block Chaining) mode There are also other modes. mcrypt_get_iv_size($cipher, $mode) Gets the size of initialization vector (iv) used by the cipher algorithm. mcrypt_create_iv($ivs) creates the initialization vector for the specified size. mcrypt_encrypt($cipher, $key, $data, $mode, $iv) mcrypt_decrypt($cipher, $key, $data, $mode, $iv) base64_encode($data) to help the data survive going through transport layers; binary to text encoding base64_decode($data) Secure Comm

3. // Both sides $cipher = MCRYPT_RIJNDAEL_128; $mode = MCRYPT_MODE_CBC; // cipher block chaining $key = sha1('secretPassword', true); // true => raw_output; ??? // how to use SHA256 instead? // Sender $credit_card_no = '4111 1111 1111 1111'; $ivs = mcrypt_get_iv_size($cipher, $mode); $iv = mcrypt_create_iv($ivs); $data = mcrypt_encrypt($cipher, $key, $credit_card_no, $mode, $iv); $data = base64_encode($data); // to help the data survive going // through transport layers echo 'Encrypted data: ' . $data . '<br>'; // transmit $data through the Internet // Receiver $data = base64_decode($data); $credit_card_no = mcrypt_decrypt($cipher, $key, $data, $mode, $iv); echo 'Decrypted data: ' . $credit_card_no . '<br>'; Secure Comm

A class for storing encrypted data – crypt.php class Crypt { private $key, $ivs, $iv, $cipher, $mode; public function __construct() { $this->cipher = MCRYPT_RIJNAEL_128; $this->mode = MCRYPT_MODE_CBC; $this->ivs = mcrypt_get_iv_size($this->cipher, $this->mode); $this->iv = mcrypt_create_iv($this-ivs); $this->key = sha1('secreteKey', true); } public function encrypt($data) { ...; // [Q] What do you have to do here? public function decrypt($data) { ?> Secure Comm

3. Topics Secure Comm require 'crypt.php'; $credit_card_no = '4111111111111111'; // [Q] How to create an object of Crypt? $crypt = new Crypt(); // encrypt the data $data = $crypt->encrypt($credit_card_no); $data = $crypt->encode($data); // decrypt the data $data = $crypt->decode($data); $data = $crypt->decrypt($data); Secure Comm

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.