Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security & Privacy on the WWW Briefing for CS4173.

Published byShannon Kelley Modified over 9 years ago

Similar presentations

Presentation on theme: "Security & Privacy on the WWW Briefing for CS4173."— Presentation transcript:

1 Security & Privacy on the WWW Briefing for CS4173

2 Topic Outline 1.Information Security Relationship to safety Definition of important terms Where breaches can occur Web techniques Components of security Firewalls, and Encryption Secure Socket Layer (SSL) & HTTPS 2.Privacy Definition Reasons for concern Rôles Web Techniques: P3P

3 Information Security ‘[The] protection of information systems against unauthorized access to or modification of information, whether in storage, processing or transit, and against the denial of service to authorized users, including those measures necessary to detect, document, and counter such threats.’ – Alliance for Telecommunications Industry Solutions (ATIS) Network Performance, Reliability, and Quality of Service Subcommittee http://www.atis.org/tg2k/_information_systems_security.html

4 Security Issues in a Nutshell Based on a diagram by Kurose & Ross secure sender secure receiver network channel data & control messages data AB T

5 What can ‘the intruder’ do?   eavesdrop: intercept messages  insert messages into connection  impersonate: can fake (spoof) source address in packet (or any field in packet)  hijack: ‘take over’ ongoing connection by removing sender or receiver, inserting himself in place  denial of service: prevent service from being used by others (e.g., by overloading resources) secure sender secure receiverAB T

6 Where Can Security Be Breached? Where Can Security ‘Leak’?   Client Channel  Server 

7 Where Can Security Be Breached? Where Can Security ‘Leak’?  Client Channel Server Software Network

8 Where Can Security Be Breached? Where Can Security ‘Leak’?  Client Channel Server  Software  Network 

9 Where Security. Can Be Breached

10 Where Security Can Be Breached  Client Channel Server  Software  Network   User

11 Network Transmission Local Software  In The Network  Human  User Agent Client Server Web server Users Client-sideServer-side

12 Where Security Can Be Breached  Client Channel Server  Software  Network   User

13  User/password – shoulder surfing  Trojan horses  Password breaking (various strategies)  Denial of service attacks – flood the server with requests  Packet sniffing on net (wire tap, wireless recon.)  Spoofing websites  Dumpster diving – garbage search How many categories/classes of security invasions/breaches can students find? (#1)

14 How many categories/classes of security invasions/breaches can students find? (#2)  Hacking user IDs and passwords  Denial of service/access  Physical invasion of a data centre  Social Engineering – exploit human good nature to get info you should not have  Internet Packet Sniffing  Taking advantage of known frailties in systems  Domain Hijacking – impersonating another legitimate domain  Buffer Overflows  Viruses  Attacks by employees

15 Components of Security Diagram by Konstantin Beznosov

16 Important Concepts (1 of 2)  Confidentiality: only sender, intended receiver should “understand” message contents  sender encrypts message  receiver decrypts message Authentication: sender and receiver want to confirm identity of each other Trust: sender and receiver must have confidence in system and its maintainers

17 Important Concepts (2 of 2)  Message Integrity / Data Protection: sender and receiver want to ensure message not altered (in transit, or afterwards) at least without detection Access and Availability: services must be available to users (through the system) and users must be able to use the system Access Control / Authorization: only specific people (or agents) can use the system

18 Technologies & Techniques

19 IT Security Basics  Avoidance – preventing a security breach  Using a firewall system to frontend your intranet (or LAN) to the Internet  Minimization – early warning signals and action plans so as to reduce exposure  Attempted to access secure directories  Recovery - regular backups should be made and recovery periodically tested

20 IT Security Basics  Software, particularly low layer components such as the operating system and DBMS, should be kept to recent patch levels  Access from dial-in lines should be limited and if possible call-back systems can be used

21 IT Security Basics  Passwords (and potentially User Ids) should be forced to change periodically  Passwords should be difficult to guess  Try to create passwords such as: To Be or Not To Be  2bon2b  Databases should be secured in terms of access rights to data (usually by individual or group)

22 Physical Security  Large mainframe systems have always had adequate physical security  The transition from LAN to WAN to Internet has caused new interest in these methods  Physical security means locked doors and security personnel  Options are to host on a secure ISP/ASP (InternetHosting.com)InternetHosting.com

23 Secure sockets layer (SSL)   transport layer security to any TCP-based app using SSL services.  used between Web browsers, servers for e-commerce (shttp).  security services:  server authentication  data encryption  client authentication (optional)  server authentication:  SSL-enabled browser includes public keys for trusted CAs.  Browser requests server certificate, issued by trusted CA.  Browser uses CA’s public key to extract server’s public key from certificate.  check your browser’s security menu to see its trusted CAs.

24 SSL (continued)  Encrypted SSL session:  Browser generates symmetric session key, encrypts it with server’s public key, sends encrypted key to server.  Using private key, server decrypts session key.  Browser, server know session key  All data sent into TCP socket (by client or server) encrypted with session key.  SSL: basis of IETF Transport Layer Security (TLS).  SSL can be used for non-Web applications, e.g., IMAP.  Client authentication can be done with client certificates.

25 Using a Firewall  A firewall server or router acts as an electronic security cop  No machine other than firewall is directly accessible from Internet  May also function as a “proxy” server allowing intranet systems to access only portions of the Internet  Internet security methods are focused at the firewall reducing cost and admin overhead

26 Security through HTTPS Browser Client 1 Server A HTTP TCP/IP HTTP Server App. Server Fire Wall Server Server C Server B

27 Cryptography  Cryptography or ciphering is an ancient method of encoding a message — only a receiver with a key can decipher the content  A single (symmetric) secret key is used to encrypt and decrypt  Requires the communication of the key between sender and receiver!  Basis of nuclear war-head command and control security

28 Public Key Cryptography  In 1976 Diffie & Hellman at Stanford U. developed public-key cryptography  Asymmetric:  Private key – kept secret by owner  Public key – distributed freely to all who wish to send  Generated by computer algorithm, so a mathematical relation exists between them... however...  It is computationally difficult to determine the private key from the public key, even with knowledge of the encryption algorithm

29 Public Key Cryptography  The keys come in the form of tightly coupled pairs which anyone can generate using methods such as RSA, SHA-1, DSA (RSA is most common)  Javascript demo: http://shop-js.sourceforge.net/crypto2.htm http://shop-js.sourceforge.net/crypto2.htm  There is only one public key corresponding to any one private key and vice versa  Sender encodes data using public key of receiver  Receiver decodes data using unique private key, no one else can do the same  This ensures integrity of the data

30 Authentication  How can you be sure that the person sending the encrypted data is who they say they are  This requires some method of authenticating the identity of the sender  The solution is for the sender to “sign” the data using his/her private key – the data is encrypted using the sender’s private key  The receiver validates (decrypts the data) the “signature” using the sender’s public key  This will work as long as receiver can be sure the sender’s public key belongs to the sender and not an imposter … enter PKI

31 Integrity and Authentication  Example: Consider a merchant wants to send a secure message to a customer:  Merchant encrypts message using customer’s public key  Merchant then signs message by encrypting with their private key  Customer decrypts using the merchants public key to prove authenticity of sender  Customer decrypts using their private key to ensure integrity of message

32 PKI — Public Key Infrastructure  Integrates PK cryptography with digital certificates and certificate authorities (CA)  Digital certificate = issued by a CA, includes user name, public key, serial number, expiration date, signature of trusted CA (message encrypted by CA’s private key)  Receipt of a valid certificate is proof of identity – can be checked at CAs sight  www.verisign.com is major player www.verisign.com

33 Security and HTTPS  Certificate is an entity’s public key plus other identification (name, CA signature)  SSL – Secure Socket Layer  Lies between TCP/IP and HTTP and performs encryption  HTTPS is the HTTP protocol that employs SSL – it uses a separate server port (default = 443)

34 Security through HTTPS Browser Database Server Client 1 Server A URL HTTP TCP/IP HTTP Server App. Server index.html Bank Server Dedicated prog.jsp HTTPS port = 80 port = 443

35 SSL – Secure Socket Layer 1.Client makes HTTPS connection to server 2.Server sends back SSL version and certificate 3.Client checks if certificate from CA 4.Client creates session “premaster secret”, encrypts it and sends it to server and creates “master secret” 5.Server uses its private key to decrypt “premaster secret” and create the same “master secret” 6.The master secret is used by both to create session keys for encryption and decryption

36 SET — Secure Electronic Transfer  Developed by Visa & Mastercard  Designed to protect E-Comm transactions  SET uses digital certificates to authenticate customer, merchant and financial institution  Merchants must have digital certificate and special SET software  Customers must have digital certificate and SET e-Wallet software

37 Major Architectural Components of the Web Internet Browser Database Server Client 1 Server A Server B Bank Server URL HTTP TCP/IP Browser Client 2 HTTP Server App. Server index.html BankServer prog.jsp

38 Consider Your Rôle  Surfer  Information provider  Shopper  Seller  Game player  …

39 Consider Network Rôles  Client  Server  Browser  Web Server  User  Interpreting browser display  Issuing commands

40 Privacy

41 UN Declaration of Human Rights Article 12 No one shall be subjected to arbitrary interference with his privacy, …. Everyone has the right to the protection of the law against such interference ….

42 Source: Privacy International's PHR2004-Overview of Privacy (13/11/2004 version)  Robert Ellis Smith, editor of the Privacy Journal, defined privacy as "the desire by each of us for physical space where we can be free of interruption, intrusion, embarrassment, or accountability and the attempt to control the time and manner of disclosures of personal information about ourselves."[6]  According to Edward Bloustein, privacy is an interest of the human personality. It protects the inviolate personality, the individual's independence, dignity and integrity.[7]  According to Ruth Gavison, there are three elements in privacy: secrecy, anonymity and solitude. It is a state which can be lost, whether through the choice of the person in that state or through the action of another person.[8]

43 * Source: W3C P3P Project webpage, 10 March 2006 P3P *  The Platform for Privacy Preferences Project  W3C standard  Expected to enable simple, automated ways for WWW users to gain more control over the use of personal information  A high-level data interchange language (like PICS codes for filtering and Common Content leases)  Not a whole solution, only an infrastructure

44 * Source: W3C P3P Project webpage, 10 March 2006 P3P: How *  ‘P3P-enabled browsers can “read” this snapshot automatically and compare it to the consumer's own set of privacy preferences.’  ‘P3P enhances user control by putting privacy policies where users can find them, in a form users can understand, and, most importantly, enables users to act on what they see.’

45 P3P Resources  www.w3.org/P3P/ www.w3.org/P3P/

46 The End

Download ppt "Security & Privacy on the WWW Briefing for CS4173."

Similar presentations

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.

Chapter 10 Encryption: A Matter of Trust. Awad –Electronic Commerce 1/e © 2002 Prentice Hall 2 OBJECTIVES What is Encryption? Basic Cryptographic Algorithm.
CP3397 ECommerce.

CP3397 ECommerce.
Cryptography and Network Security

Cryptography and Network Security
Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.

Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.

SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.

By: Mr Hashem Alaidaros MIS 326 Lecture 6 Title: E-Business Security.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:

1 Pertemuan 12 Authentication, Encryption, Digital Payments, and Digital Money Matakuliah: M0284/Teknologi & Infrastruktur E-Business Tahun: 2005 Versi:
Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.

Encryption and Firewalls Chapter 7. Learning Objectives Understand the role encryption plays in firewall architecture Know how digital certificates work.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)

6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)
Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.

Security and Authentication Daniel L. Silver, Ph.D. Acadia & Dalhousie Univs.
Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.
Security & Privacy on the WWW Briefing for CS3172.

Security & Privacy on the WWW Briefing for CS3172.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

K. Salah 1 Chapter 31 Security in the Internet. K. Salah 2 Figure 31.5 Position of TLS Transport Layer Security (TLS) was designed to provide security.

Similar presentations

Ads by Google