
COMP2322 Networks in Organisations Richard Henson University of Worcester April 2016.


Slide 3: Week 8: Network Services for Secure Web Pages

Objectives:
- Explain how HTTPS/SSL/TLS fits into the OSI seven layer model
- Take the necessary steps to implement an SSL system on a www server that uses EAP/TLS
- Apply PKI principles to produce a workable for protecting web pages at the client end

Slide 4: Secure Sockets Layer (SSL) and Secure HTTP

- Summary of SSL:
  - devised by Netscape
  - very successful
  - works with HTTP-S to only display the web page in a secure environment
  - never been cracked
  - further developed by IETF
- But how does it all fit together?

Slide 5: Back to the TCP/IP model

- Zoom in on TCP and the upper layers…

[Diagram: Level 7: TELNET, FTP, SMTP, HTTP, http-s. Level 5: session layer protocols, e.g. Unix “sockets”, SSL. Level 4: TCP/TLS.]

Slide 6: Secure HTTP (https) and the session layer

- All application layer protocols communicate with the TCP layer through unique TCP ports and (optional) session layer logon
- Security can also be imposed, therefore, by authenticating at the “logon” layer
  - e.g. using Kerberos authentication
  - username/password is required before data can pass the session layer and be displayed by the browser

Slide 7: Secure Sockets and the Session Layer

- In the early days of Unix, someone devised the concept of a “socket”:
  - a protocol between application and transport layers that TCP could plug in to with the help of a TCP port
  - network authentication could be handled by the “socket”
- The concept continued, and was assimilated into the session layer
- When Windows interfaced with TCP/IP for the first time, the term WINSOCK was introduced

Slide 8: The trouble with HTTP

- General Internet principle of “anyone can go anywhere”
- On a Windows system with www access:
  - TCP can link to HTTP through “Winsock”
  - session layer authentication not invoked
  - HTML data transferred directly to the presentation and application layers for display
- Problem:
  - the data is visible to anyone else on the Internet who may have access to that machine and the data path to it!

Slide 9: Secure HTTP and the user authentication problem

- Makes use of the potential for requiring authentication at the session layer
- SSL protocol can require a username/password combination before data passes through the socket from transport layer to application layer

[Diagram: application layer above transport layer, with “authentication required” between them]

Slide 10: Computer Authentication

- SSL is able to use the PKI (remember that?)
- When a user first attempts to communicate with a web server over a secure connection:
  - that server will present the web browser with authentication data
  - presented as a server certificate (remember those?)
    - verifies that the server is who and what it claims to be
- Works both ways…
  - protocol: EAP/TLS
  - server may in return request client authentication via username/password

Slide 11: SSL and Encryption

- Authenticating the user & server only helps when the data is at its source or destination
  - data also needs to be protected in transit…
- SSL working at level 5/6 also ensures that it is:
  - encrypted before being sent
  - decrypted upon receipt and prior to processing for display

Slide 12: Confidentiality & Integrity

- Encryption of SSL responses can be
  - either Standard 40 bit RSA
    - difficult to break confidentiality
  - or Secure 128 bit RSA
    - virtually impossible to “crack”
- Guarantee that the data will not be modified in transit by a third party
  - integrity therefore also maintained

Slide 13: Is an SSL Digital Certificate Really Necessary?

- Yes:
  - for sites involved in e-commerce and therefore involving digital payment with authentication
  - any other business transaction in which authentication is important
- No:
  - if an administrator simply wants to ensure that data being transmitted and received by the server is private and cannot be snooped by anyone eavesdropping on the connection
  - in such cases, a self-signed certificate is sufficient

Slide 14: The Web of Trust (PGP)

- Based on individual trust networks built up between individuals
- Possible to “self sign” a digital certificate
  - if someone trusts you, a self-signature may be all they need
  - OpenPGP identity certificates are designed to be self-signed

Slide 15: Verisign Trust System

- Web of Trust
  - OK for academics (“good” people?)
  - but “bad” people can also do business…
- Verisign system developed by Internet/Business experts
  - intention: people could trust strangers in web-based business transactions
  - financial institutions provide the “trust”

Slide 16: General Tips on Running SSL

- Secure websites…
  - designed to be as efficient as is securely possible
    - problem: encryption/decryption is computationally expensive from a performance standpoint
  - not strictly necessary to run an entire Web application over SSL
    - customary for a developer to decide which pages require a secure connection and which do not
    - and create secure and non-secure folder structures for the respective web pages

Slide 17: Installing a Server Certificate on Windows Servers that will support https

- https://www.youtube.com/watch?v=GDVvcyPqMk0

Slide 18: When to use SSL

- Whenever web pages require a secure connection with the server, e.g.:
  - login pages
  - personal information pages
  - shopping cart checkouts
  - any pages where credit card information could possibly be transmitted

Slide 19: Running HTTPS

- A client-server service that runs on the Web server (like http, smtp, and ftp)
  - uniquely designed so it will not run on a server without an installed and active server certificate
- Once the service has been set up, https will require users to establish an encrypted channel with the server
  - i.e. https:// rather than http://
- Until the user does use https they will get an error, rather than the pop-up that precedes the secure web page

Slide 20: Running HTTPS

- Use of encryption can interfere with access to data… (i.e. availability)
  - an encrypted channel running https requires that the user's Web browser and the Web server BOTH support the same encryption scheme
- For example:
  - IF an IIS Web Server is set to use default secure communication settings
  - THEN the client Web browser must support a session key strength of 40 bits, or greater
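The two sides of the negotiation described on slides 10 and 20, as an added example that is not part of the lecture: a server context in Python's standard ssl module that leaves no room for weak session keys or pre-TLS protocol versions, and a browser-like client context that insists on a verified server certificate. The 128-bit floor is a policy choice made for this example.

```python
import ssl

# Added example, not from the lecture: server-side TLS policy plus the
# client-side certificate checks. No certificate file is needed to inspect it.
MIN_STRENGTH_BITS = 128   # policy floor chosen for this example


def harden_server_context(certfile=None, keyfile=None):
    """Build the SSLContext an HTTPS server would hand to its listening socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # A client that only speaks SSLv3/TLS 1.0/1.1 gets a handshake failure
    # instead of a downgraded, weaker session.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: forward-secret ECDHE key exchange with AEAD
    # ciphers only; anonymous, null and export-grade suites are excluded.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!EXPORT")
    if certfile:   # the installed server certificate from slides 10 and 17
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def weak_ciphers(ctx):
    """Names of enabled ciphers whose key strength is below the policy floor."""
    return [c["name"] for c in ctx.get_ciphers()
            if c["strength_bits"] < MIN_STRENGTH_BITS]


def enabled_protocols(ctx):
    """Protocol versions the enabled ciphers belong to, e.g. {'TLSv1.2', 'TLSv1.3'}."""
    return {c["protocol"] for c in ctx.get_ciphers()}


def client_context():
    """A browser-like client: require a certificate and check it names the host."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def client_verifies_server(ctx):
    """True when the context rejects an unverifiable or misnamed server certificate."""
    return bool(ctx.check_hostname) and ctx.verify_mode == ssl.CERT_REQUIRED
```

With these two contexts a 40-bit session can never be agreed: the server offers no such suite and the client refuses anything older than TLS 1.2.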

Slide 21: Accessing a Web Page using HTTPS

- If the client is to request a page that needs SSL:
  - in the HTML code that will call that page, prefix the address with https:// instead of http://
    - the system will do the rest…
- Any pages which absolutely require a secure connection need to:
  - check the protocol type associated with the page request
  - take appropriate action if https: is not specified
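The “check the protocol type and take appropriate action” step from slide 21, as an added example that is not part of the lecture: a WSGI-style decision function that lets non-secure folders through over http, redirects secure folders reached over http, and only trusts a proxy's X-Forwarded-Proto header when told the proxy is ours. The folder prefixes and host name are constructed for the demo.

```python
from urllib.parse import urlunsplit

# Added example, not from the lecture. The secure folder prefixes mirror the
# "secure and non-secure folder structures" idea from slide 16.
SECURE_PREFIXES = ("/login", "/account", "/checkout")   # constructed
HSTS = ("Strict-Transport-Security", "max-age=31536000")


def request_scheme(environ, trust_proxy=False):
    """Scheme the browser actually used. Behind a TLS-terminating proxy the
    application sees plain http, so the proxy's X-Forwarded-Proto header is
    consulted, but only when explicitly trusted: any client can send it."""
    if trust_proxy:
        forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
        if forwarded:
            return forwarded.split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http").lower()


def enforce_https(environ, trust_proxy=False):
    """Return ("allow", extra_headers) or ("redirect", location) for one request."""
    path = environ.get("PATH_INFO", "/")
    if not path.startswith(SECURE_PREFIXES):
        return ("allow", [])          # non-secure folder: http is acceptable
    if request_scheme(environ, trust_proxy) == "https":
        # Already secure; ask the browser to keep using https for this host.
        return ("allow", [HSTS])
    # Reached over http: send the browser to the same URL over https. This only
    # protects later requests; anything already sent in this one travelled in
    # clear, which is why the link itself should carry https:// (slide 21).
    # In production, check HTTP_HOST against the site's known host names.
    location = urlunsplit(("https", environ["HTTP_HOST"], path,
                           environ.get("QUERY_STRING", ""), ""))
    return ("redirect", location)
```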

Slide 22: Has a Web Page been delivered securely using SSL?

1. (depending on browser settings)
   - pop-up appears…
   - informs the client that they are entering a secure client-server connection
   - must be acknowledged to continue
2. Web page displayed:
   - https:// will appear before the URL
   - “lock” symbol appears on the bottom left of the screen

Slide 23: How secure are your mobile apps?

- Possible vulnerabilities (exploit poor programming):
  - MITM attack (capture of code en route)
    - much easier on wireless networks
  - SQL injection
    - unprotected data windows
    - needs input validation controls
  - DOS & DDOS
    - exploitations that invoke ping

Slide 24: More Vulnerabilities…

- Cross-site Scripting
  - cunning method of capturing data by creating a false website
  - website looks identical to original…
    - traffic diverted to IP address of website clone
    - users feed personal data etc. into HTML or web forms and that personal data is stolen
- Buffer overflow
  - poor programming technique allows secure data to be written to an open area of memory where it can be easily extracted

Slide 25: CWE Top 25 faults (1)

| Rank | ID | Name |
| 1 | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
| 2 | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') |
| 3 | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| 4 | CWE-352 | Cross-Site Request Forgery (CSRF) |
| 5 | CWE-285 | Improper Access Control (Authorization) |
| 6 | CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
| 7 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| 8 | CWE-434 | Unrestricted Upload of File with Dangerous Type |
| 9 | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') |
| 10 | CWE-311 | Missing Encryption of Sensitive Data |
| 11 | CWE-798 | Use of Hard-coded Credentials |
| 12 | CWE-805 | Buffer Access with Incorrect Length Value |
| 13 | CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') |

Source: [TSI/2012/183] © Copyright 2003-2012

Slide 26: CWE Top 25 faults (2)

| Rank | ID | Name |
| 14 | CWE-129 | Improper Validation of Array Index |
| 15 | CWE-754 | Improper Check for Unusual or Exceptional Conditions |
| 16 | CWE-209 | Information Exposure Through an Error Message |
| 17 | CWE-190 | Integer Overflow or Wraparound |
| 18 | CWE-131 | Incorrect Calculation of Buffer Size |
| 19 | CWE-306 | Missing Authentication for Critical Function |
| 20 | CWE-494 | Download of Code Without Integrity Check |
| 21 | CWE-732 | Incorrect Permission Assignment for Critical Resource |
| 22 | CWE-770 | Allocation of Resources Without Limits or Throttling |
| 23 | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
| 24 | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
| 25 | CWE-362 | Race Condition |

Slide 27: Hot off the Press…

- This is reality, 5/4/2016 (i.e. today!):
  - http://www.computing.co.uk/ctg/news/2453442/websites-vulnerable-to-tls-certificate-man-in-the-middle-attacks

Slide 28: Thanks for Listening

