An Overview of Security Issues in the Web
José KAHAN OBLATT, W3C/INRIA
EMGnet meeting, INRIA Rhône-Alpes, 19 December 1998

Presentation transcript:

Slide 1: Title slide. An Overview of Security Issues in the Web, José KAHAN OBLATT, W3C/INRIA, 19 December 1998

Slide 2: Disclaimer
The following slides represent the author's personal opinion and not necessarily that of the W3C or of INRIA.

Slide 3: Outline
- Architecture
- Web security problems
- Security measures
- Conclusion

Slide 4: Architecture of the Web
- Hypertext information model (linking of documents)
- Client/server consultation protocol
[Diagram: a user performs a transaction over the Internet with a server that holds the documents]

Slide 5: Security problems: confidentiality
- Unauthorized release of information
[Diagram: user and server exchanging over the Internet, with a pirate observing the exchange]

Slide 6: Security problems: integrity
- Unauthorized modification of information
[Diagram: user and server exchanging over the Internet, with a pirate altering the exchange]

Slide 7: Security measures
- Access control: authentication, authorization
- Firewalls
- Encryption

Slide 8: Encryption: principles
- Mathematical transformation of a message
- Provides: document confidentiality, document integrity, server authentication, client authentication
[Diagram: plaintext "Hello" -> Encrypt (encryption key) -> ciphertext -> Decrypt (decryption key) -> plaintext "Hello"]

Slide 9: Encryption: mechanisms
- Symmetric (secret key) cryptography: the same key is used for encryption and decryption
- Asymmetric (public key) cryptography: different keys are used for encryption and decryption
- Supported by commercial browsers: SSL, TLS
- BUT: legal problems in some countries

Slide 10: Access control model
[Diagram: reference monitor. A user sends a request (an operation on resources, or nodes) to the guard; the guard consults the security database and either authorizes or denies the request; the security administrator updates the security database.]

Slide 11: Access control: authentication
- Verifying the identity of a user
[Diagram: the user presents an identity and a proof of identity, which are checked against the security database]

Slide 12: Web authentication mechanisms

Slide 13: Access control: authorization
- Verifying the access rights of a user
[Diagram: the authenticated identity and its proof of identity are checked against the security database to decide on the requested access]

Slide 14: Web authorization mechanisms
- Access control lists (ACL)
- Roles, groups: simple user administration
- Capabilities: exchange of access control information in the request
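The reference monitor of slide 10 together with the mechanisms of slides 11, 13 and 14, as an added example that is not part of the original presentation: a guard authenticates each request against a security database, then authorizes it either from an ACL expanded through group membership or from a signed capability carried in the request itself. The security database, the users, the HMAC-signed token format and the server secret are constructed assumptions for the example.

```python
import hmac, hashlib, json

def _pw_hash(salt, password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()

# Constructed security database (hypothetical): credentials, group membership,
# and one ACL per resource mapping operation -> principals (users or @groups).
SECURITY_DB = {
    "users": {
        "alice": {"salt": b"s1", "pw": _pw_hash(b"s1", "correct horse"), "groups": {"editors"}},
        "bob":   {"salt": b"s2", "pw": _pw_hash(b"s2", "hunter2"), "groups": {"readers"}},
    },
    "acl": {"/docs/report.html": {"read": {"@readers", "@editors"}, "write": {"@editors"}}},
}
CAP_KEY = b"constructed-server-secret"  # server key that signs capabilities (assumed)

def authenticate(identity, proof):
    # Slide 11: identity + proof of identity are checked against the security database.
    rec = SECURITY_DB["users"].get(identity)
    if rec is None or not hmac.compare_digest(rec["pw"], _pw_hash(rec["salt"], proof)):
        return None
    return identity

def authorize_acl(identity, resource, operation):
    # Slide 14, ACL with roles/groups: the user or one of its groups must be listed.
    allowed = SECURITY_DB["acl"].get(resource, {}).get(operation, set())
    groups = {"@" + g for g in SECURITY_DB["users"][identity]["groups"]}
    return identity in allowed or bool(groups & allowed)

def issue_capability(resource, operation):
    # Slide 14, capability: a signed right that the client later carries in its request.
    body = json.dumps({"res": resource, "op": operation}, sort_keys=True)
    return body + "." + hmac.new(CAP_KEY, body.encode(), hashlib.sha256).hexdigest()

def authorize_capability(token, resource, operation):
    # The guard verifies the signature, then that the token covers exactly this access.
    body, _, tag = token.rpartition(".")
    if not hmac.compare_digest(tag, hmac.new(CAP_KEY, body.encode(), hashlib.sha256).hexdigest()):
        return False
    return json.loads(body) == {"res": resource, "op": operation}

def reference_monitor(request):
    # Slide 10: every request passes through the guard; the default answer is deny.
    user = authenticate(request["identity"], request["proof"])
    if user is None:
        return "deny"
    if "capability" in request:
        ok = authorize_capability(request["capability"], request["resource"], request["operation"])
    else:
        ok = authorize_acl(user, request["resource"], request["operation"])
    return "authorize" if ok else "deny"
```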

Slide 15: Personal experience
- Existing security mechanisms can solve most of the problems of confidentiality and integrity
- Difficult part: defining a security policy (a set of rules describing the behavior of users in a system)
- Choice of security mechanisms: performance versus simple user administration
- User education is important

Slide 16: Some security issues in EMGnet
- Encryption of data exchanges?
- Which authentication mechanism?
- Distribution or centralization of the security database?
- Set of access rights?
- ACLs, capabilities, or both?
- User administration!
- Tip: reuse existing technology when possible