CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.

Slides:

Advertisements

Similar presentations

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Advertisements

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

Cryptographic Security Presented by: Josh Baker October 9 th, CS5204 – Operating Systems.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

1 Secure HTTP Herng-Yow Chen. 2 Outline When digest authentication is not strong enough? How a more complicated technology secures HTTP transactions from.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Principles of Information Security, 2nd edition1 Cryptography.

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.

Security Chapters 14,15. The Security Environment Threats Security goals and threats.

Security Chapters 14,15. The Security Environment Threats Security goals and threats.

1 Encryption What is EncryptionWhat is Encryption Types of EncryptionTypes of Encryption.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

Security Chapter The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from.

Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.

EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.

Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Chapter Extension 23 SSL/TLS and //https © 2008 Pearson Prentice Hall, Experiencing MIS, David Kroenke.

Introduction to Cryptography

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

1 Fluency with Information Technology Lawrence Snyder Chapter 17 Privacy & Digital Security Encryption.

Chapter 31 Network Security

31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

INE1020: Introduction to Internet Engineering 6: Privacy and Security Issues1 Lecture 9: E-commerce & Business r E-Commerce r Security Issues m Secure.

How HTTPS Works J. David Giese. Hyper Text Transfer Protocol BrowserHTTP Server GET / HTTP/1.1 HOST: edge-effect.github.io HEADERS BODY HTTP/ OK.

Network Security. An Introduction to Cryptography The encryption model (for a symmetric-key cipher).

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

Web Services Security. Introduction Developing standards for Web Services security – XML Key Management Specification (XKMS) – XML Signature – XML Encryption.

Digital Certificates Made Easy Sam Lutgring Director of Informational Technology Services Calhoun Intermediate School District.

Secure Socket Layer (SSL)

Linux Networking and Security Chapter 8 Making Data Secure.

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

Learning Aid Type Text Page 206 MGS GROUP C Svitlana Panasik.

Material being covered 3/9 Remainder of Text Chapter 6 (Q5, 6) Text Chapter 6A Material Posted 3/9 Midterm Information Introduction to Text Chapter 7.

Dr. L. Christofi1 Local & Metropolitan Area Networks ACOE322 Lecture 8 Network Security.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Introduction to Secure Sockets Layer (SSL) Protocol Based on:

E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.

©The McGraw-Hill Companies, Inc., 2000© Adapted for use at JMU by Mohamed Aboutabl, 2003Mohamed Aboutabl1 1 Chapter 29 Internet Security.

David Evans CS200: Computer Science University of Virginia Computer Science Class 36: Public-Key Cryptography If you want.

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

4 th lecture.  Message to be encrypted: HELLO  Key: XMCKL H E L L O message 7 (H) 4 (E) 11 (L) 11 (L) 14 (O) message + 23 (X) 12 (M) 2 (C) 10 (K) 11.

Digital Envelopes, Secure Socket Layer and Digital Certificates By: Anthony and James.

1 Securing Data and Communication. 2 Module - Securing Data and Communication ♦ Overview Data and communication over public networks like Internet can.

Internet-security.ppt-1 ( ) 2000 © Maximilian Riegel Maximilian Riegel Kommunikationsnetz Franken e.V. Internet Security Putting together the.

Encryption. What is Encryption? Encryption is the process of converting plain text into cipher text, with the goal of making the text unreadable.

Tanenbaum & Van Steen, Distributed Systems: Principles and Paradigms, 2e, (c) 2007 Prentice-Hall, Inc. All rights reserved DISTRIBUTED.

Chapter 8 – Network Security Two main topics Cryptographic algorithms and mechanisms Firewalls Chapter may be hard to understand if you don’t have some.

31.1 Chapter 31 Network Security Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

TCP/IP Protocol Suite 1 Chapter 30 Security Credit: most slides from Forouzan, TCP/IP protocol suit.

Pertemuan #10 Secure HTTP (HTTPS) Kuliah Pengaman Jaringan.

Public Key Encryption, Secure WWW Transactions & Digital Signatures.

Intro to Cryptography Lesson Introduction

INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.

Secure Socket Layer SSL and TLS. SSL Protocol Peer negotiation for algorithm support Public key encryptionPublic key encryption -based key exchange and.

CRYPTOGRAPHY Cryptography is art or science of transforming intelligible message to unintelligible and again transforming that message back to the original.

The Secure Sockets Layer (SSL) Protocol

Secure Sockets Layer (SSL)

The Secure Sockets Layer (SSL) Protocol

Unit 8 Network Security.

Presentation transcript:

CS 4244: Internet Programming Security 1.0

Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP

Client Identification and Cookies (1) HTTP Headers Client IP address User login Fat URLs Cookies

Client Identification and Cookies (2) HTTP Headers From User-Agent Referer Authorization

Client Identification and Cookies (3) Early servers used IP address to identify client Problems Identifies computer, not user Dynamic IP addresses Network Address Translation firewalls Use of proxies User login, covered in basic authentication

Client Identification and Cookies (4) Fat URLs are URLs that are generated by the server, specific to each user Problems include Ugly URLs Can’t share them Breaks caching Extra server load Escape hatches Not persistent across sessions

Client Identification and Cookies (5) Cookies are of two types Session cookies Persistent cookies

Basic Authentication (1) Request Challenge HTTP Header: WWW-Authenticate Authorization HTTP Header: Authorization Success HTTP Header: Authentication-Info

Basic Authentication (2) Base-64 Encoding is used to encode Username/Password Client sends encoded username/password with Authorization header, separated by : Proxy Authentication is used when a proxy is used instead of the server Proxy headers are used instead of server headers

Problems With Basic Authentication 1. Easy to decode username/password (u/p) 2. Even if encoding scheme was complicated, it’s easy for 3 rd party to capture u/p and replay it 3. Social engineering problems 4. No protection against proxies and intermediaries 5. Vulnerable to spoofing by counterfeit servers

Digest Authentication Never send password over the network Instead send a digest of the password Popular digest algorithms include MD5 and SHA

Secure HTTP Digital Cryptography Ciphers Keys Symmetric-key cryptosystems Asymmetric-key cryptosystems Public-key cryptography Digital signatures Digital certificates

Basics of Cryptography Relationship between the plaintext and the ciphertext

Monoalphabetic substitution each letter replaced by different letter Given the encryption key, easy to find decryption key Secret-key crypto called symmetric-key crypto Secret-Key Cryptography

Public-Key Cryptography All users pick a public key/private key pair publish the public key private key not published Public key is the encryption key private key is the decryption key

One-Way Functions Function such that given formula for f(x) easy to evaluate y = f(x) But given y computationally infeasible to find x

Digital Signatures Computing a signature block What the receiver gets (b)

Digital Certificates Certificates contain information about Name and hostname of website Public key of the website Name of the signing authority Expiration date Validity period Signature from the signing authority...

Secure HTTP HTTPS: The details Most popular secure version of HTTP It is widely implemented and available in all major browsers and servers Provides a powerful set of symmetric, asymmetric and certificate-based cryptographic techniques

Secure HTTP Instead of sending HTTP messages over unencrypted transport layer, send them over secure transport layer The transport layer is SSL or TSL Steps in using HTTPS Client prefixes request with https Connection is made to port 443 All information is encrypted Binary protocol

Secure HTTP Client and Server need to do SSL handshake Exchange protocol version numbers Select a cipher that each side knows Authenticate the identity of each side Generate temporary session keys to encrypt the channel