Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Security Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 1.

Published byBathsheba Grant Modified over 9 years ago

Similar presentations

Presentation on theme: "Web Security Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 1."— Presentation transcript:

1 Web Security Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 1

2 Summary of the previous lecture Promoting a web application – Newsletter – Affiliate marketing – Search engine marketing Content management Usage analysis – Techniques – Indicators – Use behavior analysis Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 2

3 Outline Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 3 Web security overview Secure transmission of data User’s security issues Service provider’s issues

4 1. Web security Web client expect web applications to be secure – preventing access from untrusted or malicious sources to private data – service providers do not misuse their data by exchanging data with third party Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 4

5 1. Web security… Several risks exist for service providers as well – prevent access from attackers credit card number can be stolen data can be accessed and modified – availability of service can be reduced can influence agreements and cause financial lose Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 5

6 1. Web security… We can define security according to notions of users and service providers as – securing the end user’s computer and personal data stored on it – securing information in transit – securing the server and data stored on it Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 6

7 1. Web security… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 7 Desktop security Security of personal data security of the host Service availability Network security Secure communication

8 1. Web security… Security aspects Confidentiality: – means communication between a customer and a provider cannot be read by a third party data encryption can be used Integrity: – nobody is able to modify the exchanged information Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 8

9 1. Web security… Security aspects Non-repudiation: – originators of messages should not be able to deny customers ordering books at an online store Authentication: – the process of verifying the identity of a person or general subject such as another application invoking a service on behalf of a human user – usually implemented by login/password mechanism Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 9

10 1. Web security… Security aspects Authorization – is used to infer which privileges authenticated users are granted Availability – guaranteeing the availability of Web applications service downtime typically implies financial losses Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 10

11 1. Web security… Security aspects Privacy – privacy demands the reliable handling of data Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 11

12 2. Data encryption Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 12 Encryption is a basic technology for enabling secure messaging Encryption : – translation of data into a format that is intended to be unreadable by anyone except the intended party – changing the original text to a secret message using mathematical function one-way encryption two-way encryption

13 2. Data encryption… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 13 Decryption: – changing the secret message back to its original form

14 2. Data encryption… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 14 Encryption/decryption process: Confidential message Hello ASD12#TY Encryption algorithm Plain text Cipher text ASD12#TY Cipher text Decryption algorithm Confidential message Hello Transmitt ed to the user Plain text

15 2. Data encryption… Used by Julius Caesar Caesar shifted each letter of his messages to his generals three places down in the alphabet So BURN THE BRIDGE becomes EXUQ WKH EUKFIG A  D B  E C  F D  G E  H F  I G  J H  K

16 2. Data encryption… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 16 Cryptographic algorithms: Rely on keys as secret term for ciphering and deciphering Without key it is computationally impossible to break an algorithm An algorithm is considered strong if brute force attack is the only possible attack

17 2. Data encryption… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 17 Symmetric cryptography: Two-way encryption Use the same single key to encrypt and decrypt a message Also called private key cryptography – DES and AES are examples of symmetric cryptographic algorithms

18 2. Data encryption… Basharat Mahmood, Department of Computer Science, CIIT,Islamabad, Pakistan. 18 Symmetric cryptography: Confidential message Hello ASD12#TY Encryption algorithm Plain text Cipher text ASD12#TY Cipher text Decryption algorithm Confidential message Hello Transmitt ed to the user Plain text Key 12345

19 2. Data encryption… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 19 Asymmetric cryptography: Also known as public key cryptography Uses two keys instead of one – The public key is known to everyone and can be freely distributed – The private key is known only to the recipient of the message RSA is an example of asymmetric cryptography

20 2. Data encryption… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 20 Asymmetric cryptography: Confidential message Hello ASD12#TY Encryption algorithm Plain text Cipher text ASD12#TY Cipher text Decryption algorithm Confidential message Hello Transmitt ed to the user Plain text Receiver's public Key Receiver's private Key

21 2. Data encryption… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 21 Hashing algorithms: Hashing is a one-way process – converting a hash back to the original data is difficult or impossible A hash is a unique “signature” for a set of data – this signature, called a hash or digest, represents the contents

22 2. Data encryption… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 22 Digital signatures: A digital signature is basically a way to ensure that an electronic document is authentic – Integrity – Non repudiation

23 2. Data encryption… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 23 Digital signatures creation: sender creates a hash of the message sender encrypts the message with his/her private key attach the digital signature with message

24 2. Data encryption… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 24 Digital signatures validation: Receiver decrypts the signature with sender’s public key Receiver creates the hash of the message Created hash is compared with the decrypted message

25 2. Data encryption… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 25 Message (m) Create hash h(m) Encrypt hash with private key sig(m) Attach signature with message message + signature Create h(m) Decrypt signature sig(m) Message is verified h(m)=sig(m) altered yes No Transmit message + signature

26 3. Data encryption…. Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 26 Cryptography ensures Confidentiality Integrity Availability Authenticity Non-repudiation

27 3. Securing user’s data Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 27 After securely transmitting data user wants Privacy – providers keep data carefully – protect data from attackers Secured desktop

28 3. Securing user’s data… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 28 Service providers need to establish trust relationship – can specify data practices using platform for Privacy Preferences (P3P) standard User can specify its preferences using P3P- agent P3P-capable browsers inform the user if service provider’s policies conflict with user’s preferences

29 3. Securing user’s data… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 29 Phishing and Web Spoofing Phishing is the most common attack to retrieve user’s personal information Web spoofing denotes mocking the web presence of famous companies – send email to users as representative of some well known company – encourage the user’s to enter their personal information

30 3. Securing user’s data… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 30 Securing the desktop users’ security can be at-risk through threats like viruses and worms – it is user’s responsibility to tackle with them

31 3. Securing user’s data… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 31 Adware and spyware – adware deliver advertising contents – spyware monitor users activities and transfer gathered information to remote systems Remote access/backdoors provide remote systems the ability to connect with user’s machine – can obtain personal information, damage files and control user’s machine

32 3. Securing user’s data… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 32 Viruses can damage files or repeat themselves – distributed through email or by sharing infected files Worms Repeat themselves – increase traffic and consume processing power

33 3. Securing user’s data… Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 33 Trojan horses Damage files but don’t replicate Appears as useful programs but performs other functionalities – aims at data theft and destruction or illegitimate access on computational resources

34 4. Service providers issues Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 34 Service provider wants to secure the server from attackers Common attacks: Cross-site scripting (XSS) Attackers inject script in dynamically created pages and try to find user’s information SQL-injection Attackers inject sql commands as an input

35 Summary Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 35 Web security overview Secure transmission of data User’s security issues Service provider’s issues

36 References Chapter 13, Kappel, G., Proll, B. Reich, S. & Retschitzegger, W. (2006). Web Engineering, Hoboken, NJ: Wiley & Son Basharat Mahmood, COMSATS Institute of Information Technology, Islamabad, Pakistan. 36

Download ppt "Web Security Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan. 1."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.

By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Cryptography The science of writing in secret code.

Cryptography The science of writing in secret code.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 9: Planning and Managing Certificate Services.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Cryptographic Technologies

Cryptographic Technologies
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.

E- Business Digital Signature Varna Free University Prof. Teodora Bakardjieva.
Encryption Methods By: Michael A. Scott 20140508.

Encryption Methods By: Michael A. Scott
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Encryption is a way to transform a message so that only the sender and recipient can read, see or understand it. The mechanism is based on the use of.

Encryption is a way to transform a message so that only the sender and recipient can read, see or understand it. The mechanism is based on the use of.
Digital Signature Xiaoyan Guo/102587 Xiaohang Luo/104446.

Digital Signature Xiaoyan Guo/ Xiaohang Luo/
Controller of Certifying Authorities PKI Technology - Role of CCA Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications.

Controller of Certifying Authorities PKI Technology - Role of CCA Assistant Controller (Technology) Controller of Certifying Authorities Ministry of Communications.

Similar presentations

Ads by Google