1 Securing Internet Sessions with Sorbet Fred Long, Robert Seacord, Scott A. Hissam, John Robert August, 1999 Software Engineering Institute Carnegie Mellon.

Slides:



Advertisements
Similar presentations
Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Advertisements

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography and Network Security
Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.
SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Grid Security Infrastructure Tutorial Von Welch Distributed Systems Laboratory U. Of Chicago and Argonne National Laboratory.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Mar 19, 2002Mårten Trolin1 This lecture On the assignment Certificates and key management SSL/TLS –Introduction –Phases –Commands.
6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
LAB#2 JAVA SECURITY OVERVIEW Prepared by: I.Raniah Alghamdi.
Cryptography and Network Security Chapter 17
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by the U.S. Department of Defense © 2000 by Carnegie Mellon.
Web Site Security Representation and Management of Data on the Web.
Chapter 8 Web Security.
Security on the Internet Jan Damsgaard Dept. of Informatics Copenhagen Business School
Cryptography 101 Frank Hecker
Digital Certificates. What is a Digital Certificate? A digital certificate is the equivalent of your business card in the e-commerce world. It says who.
SSH Secure Login Connections over the Internet
CSCI 6962: Server-side Design and Programming
How HTTPS Works J. David Giese. Hyper Text Transfer Protocol BrowserHTTP Server GET / HTTP/1.1 HOST: edge-effect.github.io HEADERS BODY HTTP/ OK.
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.
Chapter 14 Encryption: A Matter Of Trust. Awad –Electronic Commerce 2/e © 2004 Pearson Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
ECE509 Cyber Security : Concept, Theory, and Practice Cryptography Spring 2014.
Krerk Piromsopa. Network Security Krerk Piromsopa. Department of Computer Engineering. Chulalongkorn University.
Cryptography Encryption/Decryption Franci Tajnik CISA Franci Tajnik.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Introduction to Secure Sockets Layer (SSL) Protocol Based on:
Chapter 23 Internet Authentication Applications Kerberos Overview Initially developed at MIT Software utility available in both the public domain and.
© Oxford University Press 2011 DISTRIBUTED COMPUTING Sunita Mahajan Sunita Mahajan, Principal, Institute of Computer Science, MET League of Colleges, Mumbai.
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Web Security : Secure Socket Layer Secure Electronic Transaction.
1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.
Internet Security. 2 PGP is a security technology which allows us to send that is authenticated and/or encrypted. Authentication confirms the identity.
Cryptography (2) University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
Encryption. What is Encryption? Encryption is the process of converting plain text into cipher text, with the goal of making the text unreadable.
Security in Skype Prepared by Prithula Dhungel. Security in Skype2 The Skype Service P2P based VoIP software Founded by the founders of Kazaa Can be downloaded.
Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED.
ELECTROINC COMMERCE TOOLS Chapter 6. Outline 6.0 Introduction 6.1 PUBLIC KEY INFRASTRUCTURE (PKI) AND CERTIFICATE AUTHORITIES (CAs) TRUST
Secure Systems Research Group - FAU SW Development methodology using patterns and model checking 8/13/2009 Maha B Abbey PhD Candidate.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
1 Session 4 Module 6: Digital signatures. Digital Signatures / Session4 / 2 of 18 Module 4, 5 - Review (1)  Java 2 security model provides a consistent.
Encryption and Security Tools for IA Management Nick Hornick COSC 481 Spring 2007.
The Secure Sockets Layer (SSL) Protocol
Cryptography and Network Security
Secure Sockets Layer (SSL)
Cryptography and Network Security
The Secure Sockets Layer (SSL) Protocol
Electronic Payment Security Technologies
Cryptography and Network Security
Presentation transcript:

1 Securing Internet Sessions with Sorbet Fred Long, Robert Seacord, Scott A. Hissam, John Robert August, 1999 Software Engineering Institute Carnegie Mellon University Pittsburgh, PA Sponsored by the U.S. Department of Defense © 1999 by Carnegie Mellon University Carnegie Mellon University Software Engineering Institute

2 Carnegie Mellon University Software Engineering Institute Agenda Introduction Public key encryption background A particular problem The Sorbet solution Comparisons with other methods Summary Conclusions

3 Carnegie Mellon University Software Engineering Institute Introduction More and more organizations are using intranets, or even the Internet, as the communications media for important data These media are inherently insecure Mechanisms must be built on top of the underlying facilities to secure these connections

4 Carnegie Mellon University Software Engineering Institute Public Key Encryption Background Public key encryption clearly solves the confidentiality problem Signing a message with a signature encrypted with ones private key solves the identification problem Passing encrypted signatures can be used to grant authorization Attaching an encrypted, signed digest of an object allows one to check its integrity

5 Carnegie Mellon University Software Engineering Institute A Particular Problem An SEI client wanted a non-COTS solution restrictions on existing COTS solutions licensing issues performance issues Hence, we developed Sorbet Secure ORB Enterprise Transactions pure Java lightweight deployable as an orblet, servlet, or application

6 Carnegie Mellon University Software Engineering Institute The Sorbet Solution Sorbet was to provide: secure sessions lightweight transactions for transferring large blobs of information client-side authentication comparable performance to SSL Developed for CORBA uses interceptors to separate security policy from the application code

7 Carnegie Mellon University Software Engineering Institute Elements of Sorbet Solution Credentials (a.k.a. certificates) are co-located with client Seed for randomizer is generated by server One-sided authentication Secure association is not point-to-point, but is rather client to “system”

8 Carnegie Mellon University Software Engineering Institute Sorbet Example Keystore Client Target Service Basically there are four components Keystore (K) Client (C) Security Service (SS) Target Service (T) And three steps need to occur (1) obtain client Credentials from keystore (2) client authentication & set up secure association (3) secure session operation Basically there are four components Keystore (K) Client (C) Security Service (SS) Target Service (T) And three steps need to occur (1) obtain client Credentials from keystore (2) client authentication & set up secure association (3) secure session operation Now the details... Security Service

9 Carnegie Mellon University Software Engineering Institute Client Obtaining Credentials Encrypted Keystore - Java keystore - Netscape Communicator db Client-side Interceptor Alias & password 1 1. Client installs security interceptor on the client side, passing “alias” and “password” 2. Security interceptor using, Java classes, gets credentials associated with alias it was installed with credentials retrieved from Keystore 2 Java classes 4. Security interceptor using, Java classes, gets corresponding private key private key retrieved from Keystore 4 5. Java classes constitute private key materials from underlying Keystore C priv 5 3. Java classes (package Credentials) constitutes credentials from underlying Keystore C cred read & decrypt 3 local storage

10 Carnegie Mellon University Software Engineering Institute Client Authentication Client Client-side interceptor Security Service C cred 1 SS challenge 2 3 C response = SIGN Cpriv (SS challenge ) 4 C response 5 VERIFY(C cred, C response ) 6 Session Object Create Session Object 7 SS IOR 8 Set SS IOR as ORB Principal 9 10 E Cpub (SS randomseed )

11 Carnegie Mellon University Software Engineering Institute Target Service Server-side interceptor Secure Session Operation Client Client-side interceptor Security Service Session Object Session Object Session Object IIOP Header & data (w/ principal) + next random # 1 Extract random number & principal (a.k.a. IOR) 2 Verify correct next random # w/ associated Session Object 3 method call 5 Return method results as normal IIOP Reply 6 4 Incr to next random # & compare

12 Carnegie Mellon University Software Engineering Institute Data Transfer Rate vs. IIOP Packet Size Unsecured data transfer has the best performance

13 Carnegie Mellon University Software Engineering Institute Data Transfer Rate vs. IIOP Packet Size SSL performance degrades significantly as the size of the IIOP message increases

14 Carnegie Mellon University Software Engineering Institute Data Transfer Rate vs. IIOP Packet Size Sorbet has the poorest performance at the 0.5k data packet size

15 Carnegie Mellon University Software Engineering Institute Data Transfer Rate vs. IIOP Packet Size At larger packet sizes, Sorbet competes closely with SSL without encryption

16 Carnegie Mellon University Software Engineering Institute Summary Unsecured data transfer has the best performance SSL performance degrades significantly as the size of the IIOP message increases Sorbet has the poorest performance at the 0.5k data packet size At larger packet sizes, Sorbet competes closely with SSL without encryption

17 Carnegie Mellon University Software Engineering Institute Conclusions “In most cases, SSL is a better choice than a custom security model such as Sorbet because SSL is a standard solution that can be more readily approved for use in large organizations.” Sorbet advantages as compared to commercial SSL solutions does not require native libraries more control over security policy Custom solutions such as Sorbet may be used when COTS solutions prove inadequate due to performance, functionality, or other failures.

18 Carnegie Mellon University Software Engineering Institute Acronyms CORBACommon Object Request Broker Architecture COTSCommercial Off The Shelf DCOMDistributed Component Object Model IIOP Internet Inter-ORB Protocol IOR Interoperable Object Reference ORBObject Request Broker RMIRemote Method Invocation Sorbet Secure ORB Enterprise Transactions SSL Secure Socket Layer

19 Carnegie Mellon University Software Engineering Institute For More Information... Fred Robert Scott John World Wide Webhttp:// Telephone412 / U.S. mailCustomer Relations Software Engineering Institute Carnegie Mellon Pittsburgh, PA

20 Carnegie Mellon University Software Engineering Institute Encryption Types symmetric, or single key (secret) -secret key encrypts and decrypts messages -DES (Data Encryption Standard) asymmetric, or key-pair (public/private) -public key encrypts, private key decrypts (and vice versa) -RSA (Ron Rivest, Adi Shamir, and Leonard Adleman)

21 Carnegie Mellon University Software Engineering Institute Encryption involves scrambling a message: encrypted message Secret Message In traditional encryption methods, the encryption and decryption keys are the same (symmetric key cryptography)

22 Carnegie Mellon University Software Engineering Institute Public Key Encryption (asymmetric key cryptography) involves two different keys, a public and a private key: Private Key James T. Private’s Public Key Public Domain Private Domain James T. Private Secret Message John Q. Public Only the holder of the private key can read the encrypted message plain text encrypted message Secret Message plain text