Presentation is loading. Please wait.

Presentation is loading. Please wait.

SEC835 Runtime authentication Secure session management Secure use of cryptomaterials.

Published byNicholas Lambert Modified over 9 years ago

Similar presentations

Presentation on theme: "SEC835 Runtime authentication Secure session management Secure use of cryptomaterials."— Presentation transcript:

1 SEC835 Runtime authentication Secure session management Secure use of cryptomaterials

2 What is a session? A session is a semi-permanent interactive information exchange between two or more communicating devices, or between a computer and user (e.g. login session). A session is set up or established at a certain point in time, and torn down at a later point in time when a user stops communication Session requires a runtime object (one or more) used to sustain communication

3 Session Management Session management is implemented by an Application Protocol Often requires custom solution design and programming Based on underlying secure communication protocols SSL/TLS

4 Session tracking Internet communication is known as “stateless”. That means that the server does not keep track of its clients, and every time the client’s request has been seen as a new client’s one To recognize the returning client, the server must obtain information about preceding communication. Session ID is generated by the server and sent to the client Next time, the client’s browser must supply the session ID, which becomes an identification token for a user. Session ID can be sent thru: URL arguments Hidden form fields Cookies Cookies are more secure than the other two

5 Where to store cookies? Cookies contain confidential data, such as user’s identity or session unique ID Cookies can be stored on the server, or on the client Server-side cookies are expensive, therefore most Internet applications use client-side cookies, however that brings a security concern

6 Session Hijacking Client side cookies must be sent over Internet Vulnerabilities: Unauthorized access to read Can be modified User or Session ID can be stolen from the browser store Cookies can be intercepted and used to implement spoofing or replay attacks

7 Session Hijacking Protection Encryption SSL/TLS protocol Re-authenticate a user during runtime Do not pass session ID in a hidden URL field or URL parameters Session ID must be at least of 128-bit long

8 Session Poisoning Session poisoning may happen when the application has insufficient data input validation that just copies a user’s supplied data into the session variables Use the session variables for different purposes Writes to the arbitrary session variables Session variables got modified, potentially with malicious scripts

9 Session Poisoning Protection Strong data validation Avoid dual use of session variables Use designated session variables

10 Session fixation A session ID (SID) has been purposely generated and the session is open on the target server. An attacker will trick a user to authenticate with the pre-determined (fixed) SID. Now both a user and an attacker are connected to the server with the same session ID. That gives the attacker access to the user’s data

11 Session fixation Both server and client generated SID can be intercepted and misused SID then will be passed to the server with any transport mechanism: URL parameter (query string) or as POST data Hidden fields Cookies

12 Session Fixation Protection This is a web application responsibility!

13 Session Fixation Protection Do not accept session ID from URL string or from GET/POST variables Store session ID in an http cookie and encrypt it Utilize SSL/TLS application protocols Regenerate SID on every request Accept only server generated SID Enforce Logout Time-out old SIDs Verify that additional information is consistent through the session Reject suspicious referees

14 ASP and session fixation ASP does not allow to change SID That makes ASP extremely vulnerable to the session fixation attack At home, look at http://www.owasp.org/index.php/Session_F ixation_Protection for the protection technique http://www.owasp.org/index.php/Session_F ixation_Protection

15 Insecure cryptography The most common problems are: Not encrypting sensitive data Using home grown algorithms Insecure use of strong algorithms Continued use of proven weak algorithms (MD5, SHA-1, RC3, RC4, etc…) Hard coding keys, and storing keys in unprotected stores

16 Strong crypto mechanism Do not create cryptographic algorithms. Only use approved public algorithms such as AES, RSA public key cryptography, and SHA-256 or better for hashing. Do not use weak algorithms, such as MD5 / SHA1. Favor safer alternatives, such as SHA-256 or better. Generate keys offline and store private keys with extreme care. Never transmit private keys over insecure channels Ensure that infrastructure credentials such as database credentials or MQ queue access details are properly secured (via tight file system permissions and controls), or securely encrypted and not easily decrypted by local or remote users Ensure that encrypted data stored on disk is not easy to decrypt. For example, database encryption is worthless if the database connection pool provides unencrypted access.

17 Strong crypto mechanism (cont) Data in rest must be encrypted with the highest possible granularity, relevant to the data’s sensitivity classification. Field encryption will be implemented for highly sensitive data. Data files, folders, or whole-disk encryption can be used to protect data as a batch function. However, if the data contains sensitive items, then field encryption must be implemented prior to using bulk encryption Encryption keys must be protected at the same level or higher as the data.

18 Strong crypto mechanism (cont) All keying materials must be destroyed immediately after use. Encryption keys must not be hardcoded Encryption keys must not be stored in audit logs. An encryption key can be used for one purpose only. Memory protection Allocate two different buffers used for: Plaintext data Encrypted data Erase data traces from the buffers immediately after use.

19 Lab task Work on the reference spreadsheet Cells E3, G3 and A 19 - 23 http://www.owasp.org/index.php/Session_F ixation

Download ppt "SEC835 Runtime authentication Secure session management Secure use of cryptomaterials."

Similar presentations

SEC835 OWASP Top Ten Project.

SEC835 OWASP Top Ten Project.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Attacking Session Management Juliette Lessing

Attacking Session Management Juliette Lessing
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Dr. Sarbari Gupta Electrosoft Services Tel: (703)757-9096 Security Characteristics of Cryptographic.

Dr. Sarbari Gupta Electrosoft Services Tel: (703) Security Characteristics of Cryptographic.
WEB SECURITY. WEB ATTACK TYPES Buffer OverflowsXML InjectionsSession Hijacking Attacks WEB Attack Types.

WEB SECURITY. WEB ATTACK TYPES Buffer OverflowsXML InjectionsSession Hijacking Attacks WEB Attack Types.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Similar presentations

Ads by Google