1 Secure HTTP Herng-Yow Chen

2 Outline When is digest authentication not strong enough? How does a more complicated technology secure HTTP transactions from eavesdropping and tampering? Using digital cryptography.

3 HTTPS (figure: the https scheme in the URL and the browser's security icon)

4 HTTPS (cont.) (figure: protocol stacks) (a) HTTP: Application layer HTTP / Transport layer TCP / Network layer IP / Data link layer network interfaces. (b) HTTPS: Application layer HTTP / Security layer SSL or TLS / Transport layer TCP / Network layer IP / Data link layer network interfaces.

5 Digital cryptography Ciphers Keys Symmetric-key cryptosystems Asymmetric-key cryptosystems Public-key cryptography Digital signatures Digital certificates

6 Plaintext and Ciphertext (figure) Plaintext "Meet me at the pier at midnight" -> Encoder -> Ciphertext "Phhw ph dw wkh slhu dw plgqljkw" -> Decoder -> Plaintext "Meet me at the pier at midnight"

7 Rotate-by-3 cipher example Plain alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ Cipher alphabet: DEFGHIJKLMNOPQRSTUVWXYZABC Plaintext: MEET ME AT THE PIER AT MIDNIGHT Ciphertext: PHHW PH DW WKH SLHU DW PLGQLJKW

8 Keyed Ciphers (rotate-by-n), using different keys (figure: the same plaintext "Meet me at the pier at midnight" fed through the Rotate(n) encoder with three keys) (a) Key=1: nffu nf bu uif qjfs bu njeojhiu (b) Key=2: oggv og cv vjg rkgt cv okfpkijv (c) Key=3: phhw ph dw wkh slhu dw plgqljkw

9 Digital Ciphers

10 Plaintext is encoded with encoding key e (figure) Plaintext P -> Encoder E (Key = e) -> Ciphertext C; C = E(P, e)

11 Symmetric-Key Cryptography (figure) Ciphertext C -> Decoder D (Key = d) -> Plaintext P; P = D(C, d). The cipher is symmetric-key if d = e. Popular symmetric-key cryptography algorithms are DES, Triple-DES, RC2, and RC4.

12 Key Length and Enumeration Attacks (time to enumerate the whole key space at a given attack budget)
Attack cost       40-bit key   56-bit key   64-bit key   80-bit key     128-bit key
$100,000          2 secs       35 hours     1 year       70,000 years   10^19 years
$1,000,000        200 msecs    3.5 hours    37 days      7,000 years    10^18 years
$10,000,000       20 msecs     21 mins      4 days       700 years      10^17 years
$100,000,000      2 msecs      2 mins       9 hours      70 years       10^16 years
$1,000,000,000    200 usecs    13 secs      1 hour       7 years        10^15 years
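
The rotate-by-n cipher of slides 6 to 8, written out as the E(P, e) / D(C, d) pair of slides 10 and 11 with d = e, together with the enumeration attack that slide 12 costs out. This is an added example, not code from the slides; with only 26 possible keys the whole key space is searched instantly, which is exactly why key length matters.

```python
# Rotate-by-n ("Caesar") cipher as a keyed symmetric cipher, plus a key
# enumeration attack: try every key and keep the ones that yield a known word.


def rotate(text: str, key: int) -> str:
    """Shift every letter forward by `key` places; other characters pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + key) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encode(plaintext: str, e: int) -> str:
    """C = E(P, e): encode the plaintext with encoding key e."""
    return rotate(plaintext, e)


def decode(ciphertext: str, d: int) -> str:
    """P = D(C, d): for this symmetric cipher d == e, applied backwards."""
    return rotate(ciphertext, -d)


def enumerate_keys(ciphertext: str, crib: str) -> list[int]:
    """Brute force: every key whose decoding contains the crib (a word the attacker expects)."""
    return [k for k in range(26) if crib in decode(ciphertext, k).lower()]


if __name__ == "__main__":
    plaintext = "Meet me at the pier at midnight"   # the slides' message
    for key in (1, 2, 3):
        print(f"Key={key}: {encode(plaintext, key)}")
    ciphertext = encode(plaintext, 3)
    print("Keys recovered by enumeration:", enumerate_keys(ciphertext, "midnight"))
```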

13 Public-Key Cryptography (figure) Using different keys for encoding and decoding: the client encodes its plaintext with the server's public key es and sends the encrypted ciphertext across the Internet; the server decodes it back to plaintext with its private key ds.

14 Public-Key cryptography assigns a single, public encoding key to each host (figure) (a) Symmetric-key cryptography: hosts A, B, C and D each need their own shared secret key with X (kAX, kBX, kCX, kDX). (b) Public-key cryptography: every host sends to X with the same public encoding key ex.

15 Signatures Are Cryptographic Checksums (figure) A computes the message digest of the plaintext message and decodes it with private key dA (D) to produce the signature. B computes the message digest of the received message, encodes the signature with A's public key eA (E), and compares the two digests: Same?

16 The Guts of a Certificate

17 X.509 v3 Certificates

18 Verifying that a signature is real (figure) B encodes the certificate's signature with the signing authority's public key (E), recomputes the message digest of the certificate contents, and compares the two: Same?
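
The sign-then-verify flow of slides 15 and 18 carried through with a toy textbook-RSA key pair: A hashes the message and transforms the digest with private key dA, B reverses that with public key eA and compares digests. This is an added, constructed demonstration (tiny primes, truncated digest, no padding), not code from the slides and not a secure signature scheme; real deployments use 2048-bit-plus RSA with PSS or PKCS#1 v1.5 padding, or ECDSA.

```python
# Toy RSA signature: "decode" the digest with the private key, "encode" the
# signature with the public key, and check the digests match (slides 15/18).
import hashlib

# Constructed toy primes (both prime, n ~ 10^12); far too small for real use.
P_PRIME = 1_000_003
Q_PRIME = 1_000_033
N = P_PRIME * Q_PRIME
PHI = (P_PRIME - 1) * (Q_PRIME - 1)
E_PUBLIC = 65537                      # A's public key eA
D_PRIVATE = pow(E_PUBLIC, -1, PHI)    # A's private key dA (modular inverse, Python 3.8+)


def message_digest(message: bytes) -> int:
    """Hash the message; truncate to 32 bits only so the digest fits below the toy n."""
    full = hashlib.sha256(message).digest()
    return int.from_bytes(full[:4], "big")


def sign(message: bytes, d: int = D_PRIVATE) -> int:
    """A: signature = digest^d mod n, which only the holder of dA can compute."""
    return pow(message_digest(message), d, N)


def verify(message: bytes, signature: int, e: int = E_PUBLIC) -> bool:
    """B: recover the digest with eA and compare it with a freshly computed digest."""
    return pow(signature, e, N) == message_digest(message)


if __name__ == "__main__":
    msg = b"Meet me at the pier at midnight"
    sig = sign(msg)
    print("genuine message verifies:", verify(msg, sig))
    print("tampered message verifies:", verify(b"Meet me at the pier at noon", sig))
```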

19 HTTPS Overview (figure: the same protocol-stack diagram as slide 4; HTTPS inserts an SSL or TLS security layer between the HTTP application layer and the TCP transport layer)

20 HTTPS Schemes (figure) (a) HTTP request: client to server on port 80. (b) HTTPS request: client to secure server on port 443. (c) HTTPS over HTTP tunnel: client to proxy on port 8080, the proxy tunnels the HTTPS traffic on to the secure server on port 443.

21 Secure Transport Setup

22 Secure Transport Setup (cont.) (a) Unencrypted HTTP transaction (b) Encrypted HTTPS transaction

23 SSL Handshake (simplified)

24 Server Certificates (figure: the client obtains the server certificate from the server over the Internet) Certificate serial number: 35:DE:F4:CF. Certificate expiration date: Wed, Sep 17, 2003. Site's organization name: Joe's Hardware Online. Site's DNS hostname: www.joes-hardware.com. Site's public key. Certificate issuer name: RSA Data Security. Certificate issuer signature: John Doe. HTTPS certificates are X.509 certificates with site information.

25 Virtual Hosting and Certificates Certificate name mismatches bring up certificate error dialog boxes
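
The name check behind the mismatch dialog of slide 25, as an added example that is not part of the slides: the browser compares the hostname it requested with the DNS names in the certificate (slide 24 carries www.joes-hardware.com), so one certificate only covers the hosts it lists. The wildcard handling assumed here (a single '*' as the whole leftmost label, matching exactly one label) follows RFC 6125 section 6.4.3; the certificate names are constructed for the example.

```python
# Certificate hostname matching: exact names and single-label wildcards only.


def name_matches(cert_name: str, requested_host: str) -> bool:
    """True if one certificate name (possibly a wildcard) covers the requested host."""
    cert_name = cert_name.lower().rstrip(".")
    requested_host = requested_host.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == requested_host
    pattern_labels = cert_name.split(".")
    host_labels = requested_host.split(".")
    # Accept only a single '*' forming the whole leftmost label, with at least two
    # fixed labels after it, so "*.com" or "a.*.b" never match anything.
    if cert_name.count("*") != 1 or pattern_labels[0] != "*" or len(pattern_labels) < 3:
        return False
    # '*' stands for exactly one label: "*.joes-hardware.com" covers neither
    # "a.b.joes-hardware.com" nor the bare "joes-hardware.com".
    if len(host_labels) != len(pattern_labels) or host_labels[0] == "":
        return False
    return host_labels[1:] == pattern_labels[1:]


def certificate_covers(cert_names: list[str], requested_host: str) -> bool:
    """Check every DNS name the certificate carries; any match avoids the error dialog."""
    return any(name_matches(name, requested_host) for name in cert_names)


if __name__ == "__main__":
    names = ["www.joes-hardware.com"]            # the slide 24 certificate's hostname
    for host in ("www.joes-hardware.com", "joes-hardware.com", "shop.joes-hardware.com"):
        print(host, "->", "ok" if certificate_covers(names, host) else "name mismatch dialog")
```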

26 Virtual Hosting and Certificates (cont.)

27 Tunneling Secure Traffic Through Proxies (figure) client inside the security perimeter -> corporate firewall proxy -> public Internet

28 Tunneling Secure Traffic Through Proxies (cont.) (figure) client.ncnu.edu.tw sends an encrypted request through proxy.ncnu.edu.tw; the proxy sees only unreadable ciphertext. Proxy cannot proxy an encrypted request.
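
The tunnel of slide 20(c) and slides 27 and 28 at the wire level, as an added example that is not part of the slides: because the proxy cannot read an encrypted request, the client first asks it in cleartext for a raw TCP tunnel with CONNECT; only after a 2xx reply does the TLS handshake run end to end inside that tunnel, and the proxy relays bytes it cannot interpret. The proxy reply and the TLS bytes below are constructed, not captured from a real proxy.

```python
# HTTP CONNECT tunnel setup for HTTPS through a proxy: build the request the
# proxy can read, and parse the reply that tells the client the tunnel is open.


def build_connect_request(host: str, port: int = 443) -> bytes:
    """The only cleartext the proxy ever sees: destination host:port plus headers."""
    return (
        f"CONNECT {host}:{port} HTTP/1.1\r\n"
        f"Host: {host}:{port}\r\n"
        "\r\n"
    ).encode("ascii")


def parse_connect_response(data: bytes) -> tuple[int, str, bytes]:
    """Split the proxy's reply into (status, reason, bytes after the blank line).

    On success the trailing bytes already belong to the tunnel (the start of the
    TLS handshake), so they are returned untouched rather than parsed as HTTP.
    """
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response: no end of headers yet")
    status_line = head.split(b"\r\n", 1)[0].decode("ascii", "replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"bad proxy status line: {status_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return int(parts[1]), reason, rest


def tunnel_established(data: bytes) -> bool:
    """Only a 2xx means the proxy is now blindly relaying bytes in both directions."""
    status, _, _ = parse_connect_response(data)
    return 200 <= status < 300


if __name__ == "__main__":
    print(build_connect_request("www.joes-hardware.com").decode())
    # Constructed proxy reply followed by the first bytes of a TLS record.
    reply = b"HTTP/1.1 200 Connection established\r\n\r\n\x16\x03\x01"
    print("tunnel open:", tunnel_established(reply))
```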

29 Reference HTTP Security Web Security, Privacy & Commerce, Simson Garfinkel, O'Reilly & Associates, Inc. This is one of the best, most readable introductions to web security and the use of SSL/TLS and digital certificates. RFC 2818, "HTTP Over TLS," specifies how to implement secure HTTP over Transport Layer Security (TLS), the modern successor to SSL. RFC 2817, "Upgrading to TLS Within HTTP/1.1," explains how to use the Upgrade mechanism in HTTP/1.1 to initiate TLS over an existing TCP connection. This allows unsecured and secured HTTP traffic to share the same well-known port (in this case, http: at 80 rather than https: at 443). It also enables virtual hosting, so a single HTTP+TLS server can disambiguate traffic intended for several hostnames at a single IP address.

30 Reference (cont.) SSL and TLS RFC 2246, "The TLS Protocol Version 1.0," specifies Version 1.0 of the TLS protocol (the successor to SSL). TLS provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. /sslin/contents.htm "Introduction to SSL" introduces the Secure Sockets Layer (SSL) protocol. Originally developed by Netscape, SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers. "The SSL Protocol Version 3.0" is Netscape's 1996 specification for SSL.

31 Reference (cont.) sl/howitworks.html "How SSL Works" is Netscape's introduction to key cryptography. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general-purpose cryptography library.