
1 Secure Transactions Chapter 17

2 The user's machine
No control over security of user's machine
–Might be in a very insecure place: library, school, &c.
Users disable some features: cookies, Java, JavaScript
Might not have 128-bit encryption
–Until recently 128-bit encryption could not be legally exported from U.S.
Might not be dealing with a browser
Store as little information as possible on user's machine (for a variety of reasons)

3 The Internet
The Internet is inherently insecure
Your options:
–Transmit info anyhow
–Digitally sign to avoid tampering
–Encrypt to keep private and avoid tampering
–Find another way to distribute information

4 The Internet
"It is difficult to be certain whether the person you are dealing with is who he claims to be."
Repudiation: can you prove to a court that someone took part in a transaction?

5 The Internet
Ways to address privacy and repudiation issues:
Secure Sockets Layer (SSL)
–"is readily available and widely used"
Secure HyperText Transfer Protocol (S-HTTP)
–"has not really taken off"

6 Your system
Keep up to date on warnings and patches for third-party software
What do your scripts do (or not do)?
–Use SSL to protect privacy
–Use registered digital certificate
–Check user-entered data carefully
–Store information securely

7 Using SSL
Originally designed by Netscape
Now is "unofficial standard" for secure communication between browsers and servers
Standardized in TLS
–Transport Layer Security
–Based on SSL
–Not yet widely supported

8 Network protocol stack (figure)
Application layer: HTTP, FTP, SMTP, ...
Transport layer: TCP/UDP
Network layer: IP
Host to Network layer: Various

9 The SSL layer (figure: the SSL layer sits between the application layer and the transport layer)
Application layer: HTTP, ...
SSL layer: SSL Handshake Protocol, SSL Change Cipher, SSL Alert Protocol, SSL Record Protocol
Transport layer: TCP/UDP
Network layer: IP
Host to Network layer: Various
The SSL layer is transparent:
–Same interface as the underlying transport layer
Deals with handshaking, encryption, and decryption

10-16 SSL handshake (Browser and Server; the exchange is built up one step per slide over slides 10 to 16)
Browser connects, asks for certificate
Server sends certificate
–Certificate contains: server distinguished name, server public key, period of validity, issuer distinguished name, issuer signature, other information
–The issuer signature is checked with the CA's public key (figure shows the CA's public/private key pair)
Browser sends list of cyphers
–From browser: RC4 with 40-bit key, DES with 40-bit key, DES with 56-bit key
Server selects strongest common cypher
–Server supports: RC4 with 40-bit key, RC2 with 40-bit key, 3DES with 168-bit key, IDEA (128-bit key)
–Selected: RC4 with 40-bit key
Browser sends encrypted random number (figure: 4238195996, encrypted with the server's public key; the server's public/private key pair is shown)
Server sends plain text random number (figure: 8435043532)
–Why is this sent in plain text?
Hash random #s to get session key
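An added example (not code from the slides or from any SSL implementation) that walks through the negotiation on slides 12 to 16 with the slides' own cipher lists and random numbers: the server picks the strongest cipher both sides share, and both sides hash the two random numbers into one session key. The cipher names, the key-length parser, and the use of SHA-256 as the hash are assumptions for illustration; real SSL key derivation and the public-key encryption of the browser's random are not modelled.

```python
import hashlib

# Cipher lists as named on slides 12 and 13 (constructed from the slide text).
BROWSER_CIPHERS = ["RC4 with 40-bit key", "DES with 40-bit key", "DES with 56-bit key"]
SERVER_CIPHERS = ["RC4 with 40-bit key", "RC2 with 40-bit key",
                  "3DES with 168-bit key", "IDEA with 128-bit key"]


def key_bits(cipher):
    """Parse the key length out of a slide-style cipher name: '3DES with 168-bit key' -> 168."""
    return int(cipher.split(" with ")[1].split("-bit")[0])


def select_cipher(offered, supported):
    """Server side of slide 13: the strongest cipher the browser offered that the server
    also supports. Returns None when there is no common cipher (the handshake then fails).
    Note that the browser's weak list caps the result even though the server has 3DES."""
    common = [c for c in offered if c in supported]
    return max(common, key=key_bits) if common else None


def session_key(browser_random, server_random):
    """Slide 16: both sides hash the two random numbers into the same session key.
    SHA-256 over the decimal strings is an assumption; SSL's own derivation differs.
    The key is only secret because the browser's random was sent encrypted (slide 14);
    the server's random (slide 15) can travel in plain text."""
    material = f"{browser_random}:{server_random}".encode()
    return hashlib.sha256(material).hexdigest()


def handshake(offered, supported, browser_random, server_random):
    """Negotiate a cipher and derive the session key; returns (cipher, key)."""
    cipher = select_cipher(offered, supported)
    if cipher is None:
        raise ValueError("no common cipher: handshake fails")
    return cipher, session_key(browser_random, server_random)


if __name__ == "__main__":
    # Random numbers taken from the figures on slides 14 and 15.
    print(handshake(BROWSER_CIPHERS, SERVER_CIPHERS, 4238195996, 8435043532))
```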

17-21 Sending data (figure: an HTML page, "<head>...My Page...", passing through each step; built up one step per slide over slides 17 to 21)
Packetize: break up the data into manageable packets.
Compress: each packet is (optionally) compressed.
Calculate MAC: use hash to calculate Message Authentication Code for each packet.
Encrypt: the MAC and compressed data are combined and encrypted using the session key.
Combine with TCP header and send.
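An added example (not the slides' code or any SSL library) of the record pipeline on slides 17 to 21 in both directions: packetize, compress, MAC, encrypt, prepend a header, and on receipt undo each step with the MAC verified before anything is decompressed. The SHA-256 counter-mode keystream is an illustrative stand-in for RC4/DES, and the separate MAC and encryption keys are an assumption (real SSL derives both from the session key); the 16 KB fragment limit and 0x17 application-data type are taken from the SSL record format.

```python
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 16384  # SSL record payloads are at most 16 KB
MAC_LEN = 32          # HMAC-SHA256 output size used for the toy MAC below


def packetize(data, size=MAX_FRAGMENT):
    """Slide 17: break the data into manageable packets."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def keystream(key, seq, length):
    """Toy stream cipher (SHA-256 in counter mode); illustrative only, not SSL's cipher."""
    blocks = (hashlib.sha256(key + struct.pack(">QQ", seq, i)).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def protect_record(fragment, mac_key, enc_key, seq):
    """Slides 18-21: compress, MAC over (sequence number + compressed data), encrypt, add header."""
    compressed = zlib.compress(fragment)
    mac = hmac.new(mac_key, struct.pack(">Q", seq) + compressed, hashlib.sha256).digest()
    body = compressed + mac
    ciphertext = xor(body, keystream(enc_key, seq, len(body)))
    return struct.pack(">BH", 0x17, len(ciphertext)) + ciphertext  # 0x17 = application data


def open_record(record, mac_key, enc_key, seq):
    """Receiver: strip header, decrypt, verify the MAC, and only then decompress."""
    _ctype, length = struct.unpack(">BH", record[:3])
    if len(record) < 3 + length:
        raise ValueError("truncated record")
    body = xor(record[3:3 + length], keystream(enc_key, seq, length))
    compressed, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, struct.pack(">Q", seq) + compressed, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("bad MAC: record was altered, replayed or reordered")
    return zlib.decompress(compressed)


def send(data, mac_key, enc_key):
    return [protect_record(f, mac_key, enc_key, i) for i, f in enumerate(packetize(data))]


def receive(records, mac_key, enc_key):
    return b"".join(open_record(r, mac_key, enc_key, i) for i, r in enumerate(records))
```

Because the sequence number is part of the MAC input and the keystream, a reordered or replayed record fails verification just like a modified one.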

22 Screening user input
Use addslashes() before putting data in database.
Use stripslashes() when retrieving data.
Magic quotes
–Add and strip slashes automatically

23 Screening user input
escapeshellcmd()
–used to pass data to system(), exec() or execute with backticks
Avoid executing shell commands wherever possible, especially with user input.
strip_tags() removes HTML tags
htmlspecialchars() escapes HTML chars
–e.g., change < to &lt;

24 Providing secure storage
"The most dangerous type of data we store is executable content."
Don't allow write access to scripts and directories in document tree.
–Intruder could write malicious script and execute it by loading through the web server.
Scripts that are supposed to write files should write outside web tree.

25 Providing secure storage
Encrypting data probably won't help unless key and decrypting software are on a different machine.
–Intruder who can get to encrypted file can probably also get to key and decrypting software if they are on the same machine.

26 Protect passwords in scripts
Scripts with .php will always be interpreted.
Scripts with other extensions (like .inc) could be served as is.
Limited protection from other users on same server
–Don't use same password for login and database. Back up database.
–Set group to apache (must be root) and don't allow public read.
–CGI is more secure in this respect.

27 Why are you storing credit card numbers?
One time transactions: send card number to transaction processor and don't store
Periodic charges:
–Don't store on web server
–Check up-to-date security info
–Be paranoid
