
Web Security. Qiang Yang, Simon Fraser University, 6/3/2015. Thanks: Francis Lau (HKU)


Slide 3: Overview
- Basics of Security
- Web Server Security
- Secure Applications using Java Servlets
- Certificates, PKI and SSL

Slide 4: Security Concepts: Authentication
- Authentication: verifying the identities of the parties involved
- Typical: user name and password
- Authentication applies to both client and server
  - Client: wants to know it is talking to the true server, not an imposter
  - Server: wants to know the client is a true client, not an imposter
- Problems with the user name and password method?

Slide 5: Confidentiality
- Confidentiality: only the parties involved can understand the communication
- Example: ensure no one else can intercept the transmission of credit-card numbers
- Relies heavily on cryptography
- But it also needs controls over the keys

Slide 6: Integrity
- The content of the communication is not altered during transmission
- The alteration can be intentional or unintentional
- Need a mechanism to check whether any character has been changed
- This, again, can be accomplished through cryptography

Slide 7: HTTP Authentication
- Basic Authentication in HTTP: user name and password
- Transmission loophole: the credentials are only Base64-encoded in the HTTP header, not encrypted
- Built into most web servers
- Apache: in the httpd.conf file:

    AuthType Basic
    AuthName "CMPT470.com"
    # This user file should be put under the .../Apache/ directory
    AuthUserFile passwordfile.txt
    require valid-user
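To make the "loophole" on this slide concrete, here is an added example (not from the slides) that decodes the Basic credentials carried in a constructed HTTP request and flags the request when it was not sent over TLS; the request text, realm and account are made up for the illustration.

```python
import base64
import binascii

# Constructed example request (not a real capture): a browser sending
# HTTP Basic credentials for the realm configured in httpd.conf above.
CAPTURED_REQUEST = (
    "GET /private/index.html HTTP/1.1\r\n"
    "Host: cmpt470.com\r\n"
    "Authorization: Basic Y21wdDQ3MDpwYXNzd29yZDEyMw==\r\n"
    "\r\n"
)

def basic_credentials(raw_request: str):
    """Return (user, password) from an HTTP Basic Authorization header,
    or None if the request carries no usable Basic credentials.

    Basic auth only Base64-encodes "user:password"; anyone who can read the
    unencrypted header (e.g. on a shared LAN) recovers both values directly.
    """
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "authorization":
            continue
        scheme, _, token = value.strip().partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(token, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return None
        # RFC 7617: the user-id may not contain ':', so split on the first one
        user, _, password = decoded.partition(":")
        return user, password
    return None

def basic_auth_exposed(raw_request: str, over_tls: bool) -> bool:
    """True when Basic credentials travel without TLS protecting the header."""
    return basic_credentials(raw_request) is not None and not over_tls
```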

Slide 8: Form-based Custom Authentication
- Use an HTML form to implement a custom authentication method
- The servlet LoginHandler can then access the user/password parameters and maintain session control for the current session:
  - First, it checks the user name and password
  - Then, it sets a new session for the user
  - Finally, it redirects the user to the target URL

Slide 9: Servlet-Based Authentication (diagram)
- Loginform.html submits to Login_servlet, which consults the user accounts database
- Valid user: go to the applications
- Invalid user: login fails
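An added example (not the slides' servlet) of the three steps from slides 8 and 9 in Python rather than Java: check the credentials against a constructed account store, issue a fresh session in place of the pre-login one, and return the redirect. The account store, session table and the 100,000-iteration PBKDF2 setting are assumptions for the illustration.

```python
import hashlib
import hmac
import os
import secrets

def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted, iterated hash so the stored value is not the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed stand-in for the "user accounts database": name -> (salt, hash)
_SALT = os.urandom(16)
USER_ACCOUNTS = {"alice": (_SALT, _hash_password("correct horse", _SALT))}

# Constructed server-side session table: session id -> session data
SESSIONS = {}

def check_credentials(username: str, password: str) -> bool:
    """Step 1: verify the submitted user name and password.

    The hash is computed even for unknown users and compared in constant
    time, so response timing does not reveal which user names exist.
    """
    salt, stored = USER_ACCOUNTS.get(username, (b"\x00" * 16, b"\x00" * 32))
    match = hmac.compare_digest(_hash_password(password, salt), stored)
    return match and username in USER_ACCOUNTS

def login_handler(username, password, old_session_id, target_url):
    """Steps 2 and 3: set a new session for the user, then redirect.

    Returns (status, location, session_id). On success the pre-login
    session id is discarded and a fresh one issued, so an id handed out
    before authentication never becomes an authenticated session.
    """
    if not check_credentials(username, password):
        return "401 Unauthorized", "/loginform.html", None
    SESSIONS.pop(old_session_id, None)      # drop the anonymous session
    new_id = secrets.token_urlsafe(32)      # unguessable session id
    SESSIONS[new_id] = {"user": username}
    return "302 Found", target_url, new_id
```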

Slide 10: Potential Problems
- Access control via password is susceptible to eavesdropping; confidentiality is not guaranteed
- Wiretapping is especially easy in a LAN environment
- The potential confidentiality and integrity problems are not solved
- Need encryption-based methods for:
  - Confidentiality
  - Integrity
  - An advanced level of authenticity: you are who you say you are

Slide 11: Private Key Algorithm
- The original message is called the plaintext (or cleartext), and the scrambled message the ciphertext
- A key (a large number) is needed to scramble a message
- A private key algorithm (also called a symmetric key algorithm) uses a private key that is known (only) to the sender and the receiver:

    E = encrypt(K, M)

  where M is the plaintext, E is the encrypted message, and K is the private key

Slide 12: Private Key Algorithm (cont'd)
- Decryption is the inverse of encryption: M = decrypt(K, encrypt(K, M))
- The disadvantage of private key algorithms is that the key must be kept secret by both parties to avoid compromising security
- However, the key needs to be transmitted over the Internet, and someone may intercept it in transmission!
- Private key algorithms include the Data Encryption Standard (DES) (used by Kerberos) and IDEA (used by PGP).

Slide 13: Public Key System
- Also known as an asymmetric key system: each user is assigned a pair of keys, one public and one private
- Encrypt with one key, decrypt with the other
- The encryption process is as follows:

    M = decrypt(privK, encrypt(pubK, M))

  where privK and pubK are the recipient's private key and public key, respectively
- Thus a sender encrypts the message using the receiver's public key, which is publicly known; the receiver uses his/her private key to decrypt the message
- Solves the confidentiality problem: the communication is encrypted

Slide 14: Digital Signature
- Question: if cmpt470.com sends out a message, how do we know the message didn't come from an imposter?
- A public key system can be used to implement a digital signature (i.e., to authenticate the sender) in the following manner: let privK be the private key of cmpt470.com, known only to the real cmpt470.com; then, on receiving M,

    M = decrypt(pubK, encrypt(privK, M))

- The recipient can be certain of the authenticity of the sender because the latter is supposed to be the only person in possession of the private key

Slide 15: Public Key System (cont'd)
- Two levels of encryption can be used to guarantee that a message is both authentic and private:

    E = encrypt(pubK2, encrypt(privK1, M))
    M = decrypt(pubK1, decrypt(privK2, E))

- Public key algorithms include RSA and Diffie-Hellman; Verisign.com (a certificate authority, see slide 16)
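The four formulas on slides 13 to 15 worked through in an added example (not code from the slides): textbook RSA with tiny, constructed primes, where the same modular exponentiation serves as encrypt and decrypt, so each key undoes the other. This is for illustration only: real RSA uses large keys and padding, and the key sizes, primes and messages here are assumptions.

```python
from math import gcd

def make_keypair(p: int, q: int, e: int = 65537):
    """Return (public key (e, n), private key (d, n)) from primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def encrypt(key, m: int) -> int:
    """encrypt(K, M): K may be either half of a pair, because RSA treats
    e and d symmetrically; that is what lets one key undo the other."""
    exp, n = key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, exp, n)

def decrypt(key, c: int) -> int:
    """decrypt(K, E) is the same exponentiation with the other key."""
    return encrypt(key, c)

def seal(sender_priv, receiver_pub, m: int) -> int:
    """Slide 15: E = encrypt(pubK2, encrypt(privK1, M)): sign, then encrypt.
    The signed value is below the sender's modulus, so it must also fit
    under the receiver's modulus for the outer encryption."""
    if sender_priv[1] > receiver_pub[1]:
        raise ValueError("sender modulus must not exceed receiver modulus")
    return encrypt(receiver_pub, encrypt(sender_priv, m))

def unseal(receiver_priv, sender_pub, e: int) -> int:
    """Slide 15: M = decrypt(pubK1, decrypt(privK2, E)): decrypt, then verify."""
    return decrypt(sender_pub, decrypt(receiver_priv, e))
```

Altering a ciphertext (E) yields a different value after the signature check, which is how the recipient notices tampering.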

Slide 16: Digital Certificates
- Final authentication problem: how do we know cmpt470.com is for real?
- Answer: we need a trusted authority to do the background work and certify the public key of cmpt470.com
- Example: verisign.com
- Verisign calls its digital certificates Verisign Server IDs
- Vendors can obtain/purchase a Server ID and signed public key from Verisign.com

Slide 17: (figure) Excerpted from a Verisign.com whitepaper

Slide 18: Secure Sockets Layer: SSL
- The above scenario has been implemented in many web servers
- To initiate, the client accesses a secure site using the HTTPS (HTTP + SSL) protocol, as shown above
- SSL 2.0 only has server authentication
- SSL 3.0 also has client authentication
- Secure web servers listen on port 443 by default

Slide 19: SSL
- SSL is used to encrypt the data between browser and server
- De facto standard for secure communication on the Web
- SSL support is built into both Netscape (NS) and Internet Explorer (IE)
- Requires the web server to install a digital certificate, obtained through verisign.com, Netscape, etc.
- Data encryption and decryption are completely transparent to servlet developers: no additional Java coding is required
- All that is needed is for the web server to support SSL!

