Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Applications Security Cryptography 1

Similar presentations


Presentation on theme: "Web Applications Security Cryptography 1"— Presentation transcript:

1 Web Applications Security Cryptography 1
IT College, Andres Käver, , autumn semester Web: Skype: akaver

2 Cryptography Cryptography (or crypto) is one of the more advanced topics of information security, and one whose understanding requires the most schooling and experience. There are many approaches to encryption, each with advantages and disadvantages that need to be thoroughly understood by web solution architects and developers. A small mistake in configuration or coding will result in removing most of the protection and rendering the crypto implementation useless.

3 Cryptography Provides
Authentication, Auditing, Confidentiality, Integrity Some crypto algorithms are more suited to particular tasks, but not to others. Usually more secure algorithm is much more expensive to run (slower, more cpu/memory usage) Sometimes combination is used – SSL for example. Initial connection is made with secure solution, actual data transfer is done with much faster/weaker implementation.

4 Cryptography - symmetric
Symmetric keys share a common secret (password, pass phrase, or key). Data is encrypted and decrypted using the same key. Symmetric algorithms are very fast Common examples of symmetric algorithms are DES, 3DES and AES. Key exchange is problem!!!

5 Cryptography - asymmetric
Aka Public/Private Key crypto Asymmetric algorithms use two keys, one to encrypt the data, and either key to decrypt. These inter-dependent keys are generated together. One is labeled the Public key and is distributed freely. The private key must be kept secure.

6 Cryptography - asymmetric
Confidentiality Encrypt data with a user’s public key (which is publicly available), we can send the data over an insecure network knowing that only the associated private key will be able to decrypt the data.

7 Cryptography - asymmetric
Authentication Encrypt data with private key, only public key can decrypt –prove the message’s authenticity, since only specific private key could have generated the message.

8 Cryptography - asymmetric
A Certificate Authority (CA), whose public certificates are installed with browsers or otherwise commonly available, may also digitally sign public keys or certificates. We can authenticate remote systems or users via a mutual trust of an issuing CA. We trust their ‘root’ certificates, which in turn authenticate the public certificate presented by the server. PGP and SSL are prime examples of a systems implementing asymmetric cryptography, using the RSA or other algorithms.

9 Cryptography - hashes Hash functions take some data (and possibly a key or password) and generate a unique hash or checksum. Since this is a one-way function, it is normally used to provide tamper detection. MD5 and SHA-1 are common hashing algorithms used today. These algorithms are considered weak. Consider using SHA-256 instead.

10 Cryptography – key exchange
Key exchange algorithms (such as Diffie-Hellman for SSL). These allow use to safely exchange encryption keys with an unknown party.

11 Cryptography As modern cryptography relies on being computationally expensive to break, specific standards can be set for key sizes that will provide assurance that with today’s technology and understanding, it will take too long to decrypt any given key. Therefore, we need to ensure that both the algorithm and the key size are taken into account when selecting an algorithm. Proprietary encryption algorithms are not to be trusted as they typically rely on ‘security through obscurity’ and not sound mathematics.

12 Cryptography Weak algorithms
MD5 has recently been found less secure than previously thought. While still safe for most applications such as hashes for binaries made available publicly, secure applications should now be migrating away from this algorithm. SHA-0 has been conclusively broken. SHA-1 has been reduced in strength - migrate to SHA-256, which implements a larger key size. DES was once the standard crypto algorithm for encryption; a normal desktop machine can now break it. AES is the current preferred symmetric algorithm.

13 Cryptography – Key storage
Crypto relies on keys to assure a user’s identity, provide confidentiality and integrity as well as non-repudiation. It is vital that the keys are adequately protected. Should a key be compromised, it can no longer be trusted. Any system that has been compromised in any way should have all its cryptographic keys replaced.

14 Cryptography – tokens Web servers typically deal with large numbers of users. Differentiating between them is often done through cookies or other session identifiers. If these session identifiers use a predictable sequence, an attacker need only generate a value in the sequence in order to present a seemingly valid session token. This can occur at a number of places; the network level for TCP sequence numbers, or right through to the application layer with cookies used as authenticating tokens. Any deterministic sequence generator is likely to be vulnerable. Use strong implementation of random number generators! Sometimes hardware solution is needed.

15 THE END


Download ppt "Web Applications Security Cryptography 1"

Similar presentations


Ads by Google