User and Security Management. Security Management in Web Applications.

Slides:



Advertisements
Similar presentations
CP3397 ECommerce.
Advertisements

Grid Computing, B. Wilkinson, 20045a.1 Security Continued.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Cryptography and Network Security
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.
Web Application Security SSE USTC Qing Ding. Agenda General security issues Web-tier security requirements and schemes HTTP basic authentication based.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)
Electronic Transaction Security (E-Commerce)
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
WEB2P security Java web application security Dr Jim Briggs.
Apr 22, 2003Mårten Trolin1 Agenda Course high-lights – Symmetric and asymmetric cryptography – Digital signatures and MACs – Certificates – Protocols Interactive.
EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Crawling The Web. Motivation By crawling the Web, data is retrieved from the Web and stored in local repositories Most common example: search engines,
Web Site Security Representation and Management of Data on the Web.
Session and Security Management. HTTP Cookies Cookies Cookies are a general mechanism that server-side applications can use to both store and retrieve.
Web Application Security Representation and Management of Data on the Web.
SSL Technology Overview and Troubleshooting Tips.
CSCI 6962: Server-side Design and Programming
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Session 11: Security with ASP.NET
SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.
Implementing ISA Server Publishing. Introduction What Are Web Publishing Rules? ISA Server uses Web publishing rules to make Web sites on protected networks.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
SE-2840 Dr. Mark L. Hornick1 Web Application Security.
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.
Types of Electronic Infection
Digital Envelopes, Secure Socket Layer and Digital Certificates By: Anthony and James.
1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.
SE-2840 Dr. Mark L. Hornick1 Web Application Security.
Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.
1 Security Protocols in the Internet Source: Chapter 31 Data Communications & Networking Forouzan Third Edition.
Chapter 8 – Network Security Two main topics Cryptographic algorithms and mechanisms Firewalls Chapter may be hard to understand if you don’t have some.
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.
PHP Secure Communications Web Technologies Computing Science Thompson Rivers University.
© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.
Slide 1 Web Application Security ©SoftMoore Consulting.
Mar 28, 2003Mårten Trolin1 This lecture Certificates and key management Non-interactive protocols –PGP SSL/TLS –Introduction –Phases –Commands.
Securing Web Applications Lesson 4B / Slide 1 of 34 J2EE Web Components Pre-assessment Questions 1. Identify the correct return type returned by the doStartTag()
Security Management in Web Applications. We all know this page...
1 E-cash Model Ecash Bank Client Wallet Merchant Software stores coins makes payments accepts payments Goods, Receipt Pay coins sells items accepts payments.
CS520 Web Programming Declarative Security (I) Chengyu Sun California State University, Los Angeles.
Cryptographic Hash Function. A hash function H accepts a variable-length block of data as input and produces a fixed-size hash value h = H(M). The principal.
The Secure Sockets Layer (SSL) Protocol
TOPIC: HTTPS (Security protocol)
PHP Secure Communications
Secure Sockets Layer (SSL)
Using SSL – Secure Socket Layer
The Secure Sockets Layer (SSL) Protocol
Advanced Computer Networks
Cryptography and Network Security
PHP Secure Communications
Presentation transcript:

User and Security Management

Security Management in Web Applications

DBI 2007 HUJI-CS We all know this page...

DBI 2007 HUJI-CS Would we want all to know this page?

DBI 2007 HUJI-CS Problem Formulation Want to restrict access to certain Web pages Must answer the following questions –Which pages should be restricted? –Who should access restricted pages? –How should users be authenticated? –Should authentication data be encrypted?

DBI 2007 HUJI-CS Authentication Methods Several authentication methods are used: Declarative Security –HTTP-level mechanisms Basic authentication scheme Digest access authentication scheme –Server-level mechanisms Programmatic Security

DBI 2007 HUJI-CS HTTP Basic Mechanism In the basic authentication scheme of HTTP, the user's name and password need to be sent with each request for a protected resource When the server gets a request for a protected resource, it checks whether that request has the HTTP header Authorization: Basic username:password If the name and password are accepted by the server (i.e., are those of a user that has the privilege to get the page), then the requested page is returned

DBI 2007 HUJI-CS HTTP Basic Mechanism If the request does not have the authorization header or the name and password are not accepted, then the server replies with 401 (unauthorized) An 401 response can have the header WWW-Authenticate: Basic realm="realm-name" That is, "in order to get this resource, you will have to authenticate using the basic method" –Tell the user to supply authentication for pages in realm-name

DBI 2007 HUJI-CS Realm B Realm A /a/A.html /a/B.jsp /b/C.css /b/D.xml E.xsl GET E.xsl OK + Content F.xml Declarative Security: BASIC

DBI 2007 HUJI-CS Realm B Realm A /a/A.html /a/B.jsp /b/C.css /b/D.xml E.xsl GET /a/B.jsp Basic realm="A" F.xml Declarative Security: BASIC

DBI 2007 HUJI-CS Declarative Security: BASIC Realm B Realm A /a/A.html /a/B.jsp /b/C.css /b/D.xml E.xsl GET /a/B.jsp + user:pass OK + Content F.xml

DBI 2007 HUJI-CS Declarative Security: BASIC Realm B Realm A /a/A.html /a/B.jsp /b/C.css /b/D.xml E.xsl GET /a/A.html + user:pass OK + Content F.xml

DBI 2007 HUJI-CS Browser Cooperation Throughout the session, the browser stores the user-name and password and automatically sends the authorization header in either one of the following cases: –The requested resource is under the directory of the originally authenticated resource –The browser received 401 from the Web server and the WWW-Authenticate header has the same realm as the previous protected resource

DBI 2007 HUJI-CS Digest Access Scheme The most serious security flaw in the basic scheme is that the name and password are sent unencrypted, and hence everyone on the network path can read it If an attacker snoops a request with basic authentication, she can access to the whole protection space of the resource The digest access authentication scheme solves many of the flaws of the basic schemes, such as the one above

DBI 2007 HUJI-CS Digest Operation Like the basic, the digest scheme requires that authentication data is sent with each request for a protected resource However, passwords are not sent in clear text The idea is to use a one-way hash, such as MD5 A one-way hash H is a mapping of strings that has the following properties: –It is "easy" to compute H(x), given the input x –It is "hard" to compute x, given the mapping H(x)

DBI 2007 HUJI-CS Digest Operation (cont) In the digest scheme, instead of sending the password x in clear text, the client sends H(y) y is the concatenation of the user name, the password, an opaque generated by the server, the request URI, and more (why is the opaque needed?) A server that gets digested authentication data repeats the same encryption process and compares its output with the given H(y) More details can be found in RFC 2617

DBI 2007 HUJI-CS Server-Level Authentication A Web server can use its own authentication mechanisms rather than those of HTTP Typically, server-level mechanisms act as follows –The server requires authentication by redirecting the client to a special HTML form –If authentication succeeds, then the server stores the username in the corresponding session object Note that the browser and the HTTP headers are oblivious to server-level authentication

DBI 2007 HUJI-CS Programmatic Security In declarative security, a page is either accessible to a user or is not But what if we wanted a page to include some data that will only be shown to privileged users? –E.g., the grades of the user In programmatic security, we enhance security checks in dynamic pages (e.g., JSP) Using this approach, an application can generate different contents for different users

DBI 2007 HUJI-CS Declarative-Security: Pros & Cons Advantage: Application programs (i.e., JSP and Servlets) do not have to do anything special Advantage: Security holes due to bugs are less probable Disadvantage: Server-specific process Disadvantage: All or nothing security –users can or cannot see the page –sometimes, what we really want is for the page content to be dependent on the user

Authentication Management in Tomcat

DBI 2007 HUJI-CS Declarative Security in Tomcat To apply declarative security in Tomcat: –Define roles and users A user has a username and a password –Define the restricted pages and the roles that can access them –Define the authentication method that is used in the Web application

DBI 2007 HUJI-CS Defining Users and Roles 1.Create a database that stores users and roles A table that stores usernames and passwords A table that stores usernames and roles 2.Tell Tomcat how to access your tables in the file TOMCAT_BASE/conf/server.xml 3.Users and roles can be dynamically added to the database

DBI 2007 HUJI-CS An Example create table users ( username varchar(30) not null primary key, pass varchar(30) not null ); create table users_roles ( username varchar(30) not null, role varchar(30) not null, primary key (username,role), foreign key (username) references users(username) );

DBI 2007 HUJI-CS In server.xml <Realm className="org.apache.catalina.realm.JDBCRealm" driverName="org.postgresql.Driver" connectionURL= "jdbc:postgresql://dbserver/public?user=snoopy" userTable="users" userNameCol="username" userCredCol="pass" userRoleTable="users_roles" roleNameCol="role"/>

DBI 2007 HUJI-CS [more roles...] <user username="snoopy" password="snoopass" roles="members"/> [more users...] Static Users and Roles You can alternatively define a static set of users and roles in $CATALINA_BASE/conf/tomcat-users.xml

DBI 2007 HUJI-CS Tomcat Manager The default resource of users is the file tomcat- users If you use database users, then you need to add a manager for Tomcat to your tables –Otherwise, you (and Eclipse) will not be able to log into the manager application A manager is a user that belongs to the role "manager"

DBI 2007 HUJI-CS restricted one /restricted1/* restricted two /restricted2/* Defining Restrictions in web.xml

DBI 2007 HUJI-CS members... members Defining Restrictions in web.xml

DBI 2007 HUJI-CS BASIC Authentication in Tomcat Add to the application's web.xml the login method (BASIC) and your chosen realm name BASIC Members

DBI 2007 HUJI-CS FORM-Based Authentication in Tomcat Tomcat provides a built-in form-based authentication In the first request to a restricted page, the server forwards the request to a login page Using the form in the login page, the user submits its login and password to a special URL of the server which is automatically handled by Tomcat. If authentication is successful, the special URL stores the information in the session object and forwards the requerst the the restricted page originally requested (how does Tomcat know which page this is?) On subsequent requests for restricted pages, the server checks the session to see if it contains suitable authentication, and if so the requested page is returned (instead of forwarding to the login page)

DBI 2007 HUJI-CS Add to web.xml FORM /admin/login.html /admin/login-error.html

DBI 2007 HUJI-CS Log In Log in for accessing this resource. Login: Password: <input type="password" name="j_password"/> myApp/admin/login.html Create A Login Page

DBI 2007 HUJI-CS Login Failure Wrong username and password! Create an Error Page myApp/admin/login-error.html

SSL Connections

DBI 2007 HUJI-CS Security on the Internet The Internet is used to transmit sensitive data from clients to servers and vice-versa –User passwords –Credit card numbers –Private client data on remote servers (e.g., Banks) However, data packets are read by several computers on the way from the client to the server (and vice-versa) –Routers, proxies, etc.

DBI 2007 HUJI-CS Security on the Internet (cont) For secure communication, the following should be provided: –Only the server can read the client requests –Only the client can read the server's responses –Only the client can send requests on behalf of itself –Only the server can send responses on behalf of itself In short, no one should be able to interfere in the interaction, either by reading the transferred data or by impersonating one of the sides

DBI 2007 HUJI-CS Symmetric and Asymmetric Keys Data can be encrypted and decrypted using keys, which are simply large numbers Symmetric keys: the same key is used for both encoding and decoding of the message Asymmetric keys: one key is used to encode the message, and another is used to decode it It is considered practically impossible to decode a message without knowing the decoding key

DBI 2007 HUJI-CS The RSA Cryptography System RSA was developed in 1977 by Ron Rivest, Adi Shamir and Leonard Adleman It is the based on the asymmetric key mechanism: –Each participant has a private key and a public key –The public key is known to all and the private key is kept in secret within its owner –Asymmetric keys: the public key is the encoding key and the private key is the decoding key

DBI 2007 HUJI-CS Secure Connection: A Naive Approach Consider the following protocol: –Server and Client send their public keys to each other –Data is encrypted using the public key of the receiver What is wrong with this protocol? –Encryption methods (public keys) are known to everyone - everyone can impersonate the participants –A participant cannot tell whether its received key was indeed sent by the other participant

DBI 2007 HUJI-CS SSL Connections The SSL (Secure Socket Layer) protocol is used to manage security of message transmission on the Internet Data encryption and decryption is based on symmetric and asymmetric keys The HTTPS (HTTP over SSL) protocol is actually the HTTP protocol above SSL transportation

DBI 2007 HUJI-CSTCP/IP SSL SSL in the Network Layers HTTP Protocols

DBI 2007 HUJI-CS The SSL Handshake Server hello + SSL settings Client SSL Settings + Certificate Is this a good certificate? 1. Client gets the Server's certificate

DBI 2007 HUJI-CS The SSL Handshake Server Client 2. Client creates a master secret and shares it with the server

DBI 2007 HUJI-CS The SSL Handshake Server Client 3. Client and server create symmetric session keys from the master secret

DBI 2007 HUJI-CS The SSL Handshake Server Client Data is transferred using the session keys (Http Response) (Http Request)

DBI 2007 HUJI-CS SSL Certificates To assure that the replier of the first request is the server, the server sends a certificate The certificate contains both the server's name and its public key The certificate is issued by a Certificate Authority (CA), which is known to the client in advance –For example: VeriSign, Thawte, RSA Secure Server, etc. CA signs the certificate using a digital signature, which the client can verify using a method similar to the private-public key method

DBI 2007 HUJI-CS Issuer's Name Public Key Serial Number Validity Period Server's Name The Server's Certificate Issuer's Digital Signature

DBI 2007 HUJI-CS An Example: The Certificate of bankleumi.co.il

DBI 2007 HUJI-CS Authentication via SSL If the server needs to assure the client's identity, the first interaction after the SSL handshake will typically be a client authentication Client authentication is done using the regular (e.g., HTTP) authentication mechanisms What is the difference, though?

DBI 2007 HUJI-CS SSL in Tomcat 6.0 To use SSL connections in Tomcat 6.0, we need to do the following: –Acquire a certificate –Enable the HTTPS service that listens to a designated port –Declare the pages that require SSL connections

DBI 2007 HUJI-CS Generating a Certificate Acquiring a certificate from a known CA costs money Instead, we will generate our own certificate Naturally, the browser will not recognize the CA as a known one and will therefore alert the user

DBI 2007 HUJI-CS Generating a Certificate (cont) From the command line, type the following: keytool -genkey -alias tomcat -keyalg RSA -keystore keyfile

DBI 2007 HUJI-CS

HUJI-CS Enable the HTTPS Service Add the following to $CATALINA_BASE/conf/server.xml under the Service "catalina": Declare the redirection port for the HTTP Connector: <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS" keystoreFile="keyfile" keystorePass="keypass"/> server.xml

DBI 2007 HUJI-CS Declare Secured Pages In the application's web.xml, add the following element under the security constraint for which you want SSL to be used CONFIDENTIAL web.xml