secure client applications
play

Secure Client Applications HTTPS Secure Email Networking - PowerPoint PPT Presentation

Jan 11, 2023 •120 likes •389 views

Networking Secure apps Aims Crypto Basics Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 26 June 2014

  1. Networking Secure apps Aims Crypto Basics Secure Client Applications HTTPS Secure Email Networking Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 26 June 2014 Common/Reports/secure-client-apps.tex, r900 1/26

  2. Networking Acronyms and Abbreviations Secure apps CA Certificate Authority (same as TA) Aims HTTP HyperText Transfer Protocol Crypto Basics HTTPS HTTP over SSL HTTPS PGP Pretty Good Privacy Secure Email PR Private key PU Public key SSL Secure Sockets Layer (same as TLS) TA Trusted Authority (same as CA) TCP Transmission Control Protocol TLS Transport Layer Security (same as SSL) 2/26

  3. Networking Contents Secure apps Aims Crypto Basics Aims HTTPS Secure Email Cryptography Basics HTTPS and Digital Certificates Secure Email 3/26

  4. Networking Workshop Aims Secure apps ◮ Understand security limitations of common Internet Aims applications Crypto Basics ◮ Increase awareness of ”extensions” of Internet HTTPS applications that increase security Secure Email ◮ Learn about techniques for enhancing your communication secrecy and privacy 4/26

  5. Networking Applications and Extensions Secure apps Web Browsing Aims Crypto Basics ◮ Secrecy: HTTPS and certificates, HTTPS Everywhere HTTPS ◮ Privacy: AdBlock Plus, Ghostery, FoxyProxy, Hola . . . Secure Email ◮ Safety: NoScript, . . . Email ◮ Signatures and Secrecy: OpenPGP, Enigmail, Thunderbird File Encryption ◮ File: ◮ Disk: TrueCrypt, BitLocker 5/26

  6. Networking Contents Secure apps Aims Crypto Basics Aims HTTPS Secure Email Cryptography Basics HTTPS and Digital Certificates Secure Email 6/26

  7. Networking Cryptography Secure apps Symmetric Key Cryptography Aims Crypto Basics ◮ Source: Encrypt message with secret key K HTTPS ◮ Destination: must also know K ; decrypts data with K Secure Email ◮ Pro: Fast for large amounts of data ◮ Con: Requires K to be securely exchanged in advance Public Key Cryptography ◮ Each node has a (public, private) key pair, ( PU a , PR a ) ◮ Encrypt a message with one key in pair, can only be decrypted with other key in key pair ◮ Pro: Does not require exchange of secrets ◮ Con: Slow for large amounts of data 7/26

  8. Networking Public Key Cryptography Secure apps Public Key Cryptography for Confidentiality Aims Crypto Basics ◮ Source: Encrypt message with public key, PU dst of HTTPS destination Secure Email ◮ Destination: decrypts data with PR dst ◮ Only destination can decrypt it Public Key Cryptography for Signatures ◮ Source: Encrypt message with own private key, PR src ◮ Destination: decrypts data with PU src ◮ Only source could have sent it 8/26

  9. Networking Contents Secure apps Aims Crypto Basics Aims HTTPS Secure Email Cryptography Basics HTTPS and Digital Certificates Secure Email 9/26

  10. Networking HTTP and HTTPS Secure apps HTTP Aims Crypto Basics ◮ Send request to web server; returns the web page HTTPS ◮ Malicious use can intercept/modify data Secure Email HTTPS ◮ Establish secure SSL/TLS connection between browser and server; then use HTTP ◮ Data is encrypted; interception/modification not possible ◮ But . . . 10/26

  11. Networking HTTP: Interception is Easy Secure apps Aims Crypto Basics HTTPS Secure Email 11/26

  12. Networking HTTPS: Data is Encrypted Secure apps Aims Crypto Basics HTTPS Secure Email ◮ Public key cryptography used to exchange a secret key ◮ Data encrypted with secret key 12/26

  13. Networking HTTPS: Man-in-the-Middle Attack Secure apps Aims Crypto Basics HTTPS Secure Email 13/26

  14. Networking HTTPS Encryption Secure apps ◮ To encrypt data, browser and server must exchange a Aims secret key Crypto Basics ◮ But cannot send secret key, unencrypted, across HTTPS Internet Secure Email ◮ Use public-key cryptography for secret key exchange ◮ Server has (public, private) keypair ◮ Encrypt with one, can only decrypt with the other in pair ◮ Server sends its public key to browser, then used to encrypt secret key 14/26

  15. Networking HTTPS: Challenge is Public Key Distribution Secure apps Aims Crypto Basics HTTPS Secure Email ◮ How does browser know received public key is that of the server? 15/26

  16. Networking HTTPS: Challenge is Public Key Distribution Secure apps Aims Crypto Basics HTTPS Secure Email ◮ How does browser know received public key is that of the server? 16/26

  17. Networking HTTPS: Trusted Authority Signs Key Secure apps Aims Crypto Basics HTTPS Secure Email ◮ Trusted Authority: Another entity trusted by the browser and server ◮ Trusted Authority “signs” public key of server ◮ Browser “verifies” received public key using TA’s public key 17/26

  18. Networking HTTPS: Trusted Authority Signs Key Secure apps Aims Crypto Basics HTTPS Secure Email ◮ If malicious node modifies signed public key of server, the verification at browser will detect it ◮ A public key signed by someone else is called a digital certificate 18/26

  19. Networking Digital Certificates in Practice Secure apps How does a server obtain a certificate? Aims Crypto Basics ◮ Prove identity to CA by: HTTPS ◮ Domain validation Secure Email ◮ Extended validation ◮ Free and commercial services How does browser obtain CA certificate? ◮ Pre-loaded into browsers ◮ Hierarchy of certificates is supported What if CA certificate is not in browser? ◮ Browsers commonly present warning to user 19/26

  20. Networking Security Issues with Digital Certificates Secure apps ◮ Identity verification of server (owners) Aims ◮ Security of CA private key Crypto Basics ◮ Pre-loaded certificates by browser publisher HTTPS Secure Email ◮ Response when invalid certificate received ◮ Algorithms used in certificates should be strong 20/26

  21. Networking Contents Secure apps Aims Crypto Basics Aims HTTPS Secure Email Cryptography Basics HTTPS and Digital Certificates Secure Email 21/26

  22. Networking Secure Email Secure apps ◮ Email messages originally only text with pre-defined Aims headers (To, From Subject, CC, . . . ) Crypto Basics ◮ Multipurpose Internet Mail Extensions (MIME) allows HTTPS for different message and header formats: different Secure Email character sets, attachments, new headers ◮ Secure email requirements: 1. Authentication: receiver can confirm the actual sender, and that content is not modified 2. Confidentiality: only sender/receiver can read the contents ◮ Two common ways to implement secure email: 1. S/MIME 2. OpenPGP ◮ Both use similar approach: sender signs message with private key, encrypts message with symmetric key encryption using a secret key, and encrypts the secret key using recipients public key 22/26

  23. Networking OpenPGP Secure apps ◮ Pretty Good Privacy (PGP) developed by Phil Aims Zimmerman in 1991 Crypto Basics ◮ IETF standardised as OpenPGP HTTPS ◮ One of first and most widely used applications of Secure Email public-key cryptography ◮ Implementations: ◮ Original by Zimmerman: Symantec ◮ GNU Privacy Guard (GPG) ◮ Many email clients (either direct or through plugins, e.g. Enigmail, GPG4Win) ◮ OpenPGP vs S/MIME: ◮ OpenPGP: public keys distributed informally: phone, websites, email ◮ S/MIME: public keys distrubuted as X.509 digital certificates 23/26

  24. Networking PGP Operation: Concept Secure apps Aims Crypto Basics HTTPS Secure Email Credit:xaedes & jfreax & Acdx, Wikimedia Commons, CC Attribution-Share Alike 3.0 24/26

  25. Networking PGP Operation: Message Generation at A Secure apps Aims Crypto Basics HTTPS Secure Email Credit: Figure 18.5 in Stallings, Cryptography and Network Security , 5th Ed., Pearson 2011 25/26

  26. Networking PGP Operation: Message Reception at B Secure apps Aims Crypto Basics HTTPS Secure Email Credit: Figure 18.6 in Stallings, Cryptography and Network Security , 5th Ed., Pearson 2011 26/26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Secure Web Applications with AWA Stphane Carrez FOSDEM 2019 What is a Web Application

Secure Web Applications with AWA Stphane Carrez FOSDEM 2019 What is a Web Application

Secure Web Applications with AWA Stphane Carrez FOSDEM 2019 What is a Web Application Client server program with browser as client Examples: Gmail, Dropbox, Netflix, Zoho,... Server Server Database Client Front Back Browser End

1.09k views • 34 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Many acting parties on a site

867 views • 62 slides
Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side

CSE 127: Computer Security Modern client-side defenses Deian Stefan Today How can we build flexible and secure client-side web applications (from vulnerable/untrusted components) Modern web sites are complicated Modern web sites are

709 views • 57 slides
Secure Communication in Client-Server Android Apps With a bias towards mobile banking

Secure Communication in Client-Server Android Apps With a bias towards mobile banking

Secure Communication in Client-Server Android Apps With a bias towards mobile banking applications. AFRICA HACKON CONFERENCE, 2016. Convergent Security. whoami Masters Candidate Ethical Hacker Web Developer Jazz fan

599 views • 20 slides
and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure

CS 1655 / Spring 2010 Secure Data Management and Web Applications 06 Secure Coding Alexandros Labrinidis University of Pittsburgh Secure Coding From: Secure Coding: Principles and Practices by Mark G. Graff & Kenneth R. Van Wyk

753 views • 17 slides
Network Applications Network Applications There are many network applications Network

Network Applications Network Applications There are many network applications Network

Network Applications Network Applications There are many network applications Network applications involve the cooperation Client Server Programming Client Server Programming of processes running on different hosts connected by a

323 views • 7 slides
Client Server Programming Client Server Programming Srinidhi Varadarajan Network Applications

Client Server Programming Client Server Programming Srinidhi Varadarajan Network Applications

Client Server Programming Client Server Programming Srinidhi Varadarajan Network Applications Network Applications There are many network applications Network applications involve the cooperation of processes running on different hosts

613 views • 40 slides
THIALFI A Client Notification Service for Internet-Scale Applications Authors: Atul Adya, Gregory

THIALFI A Client Notification Service for Internet-Scale Applications Authors: Atul Adya, Gregory

THIALFI A Client Notification Service for Internet-Scale Applications Authors: Atul Adya, Gregory Cooper, Daniel Myers, Michael Piatek Google, Inc. Karol Nienatowski Problem Ensuring the freshness of client data for applications that rely

616 views • 39 slides
Ext xtranet 24/7 Client Access Benefits ..secure 24/7 web access to live matters or data

Ext xtranet 24/7 Client Access Benefits ..secure 24/7 web access to live matters or data

Ext xtranet 24/7 Client Access Benefits ..secure 24/7 web access to live matters or data rooms giving current progress and financial updates Information Management ..facilities for buyers/investors/managers to view relevant

2.34k views • 12 slides
1 HTTP Client-server paradigm Typical network app has two application pieces: client and server

1 HTTP Client-server paradigm Typical network app has two application pieces: client and server

Network Applications Drive Network Design Important to remember that network applications are the reason we care about 3: Application Protocols: building a network infrastructure HTTP and DNS Applications range from text based command

504 views • 14 slides
Practical Secure Two-Party Computation and Applications Lecture 3: Tools and Applications

Practical Secure Two-Party Computation and Applications Lecture 3: Tools and Applications

Practical Secure Two-Party Computation and Applications Lecture 3: Tools and Applications Estonian Winter School in Computer Science 2016 Overview of this lecture Part 2: ABY Part 3: GSHADE Special Purpose Protocols Generic Protocols

819 views • 52 slides
MACAO: A Maliciously-Secure and Client-Efficient Active ORAM Framework Thang Hoang , Jorge

MACAO: A Maliciously-Secure and Client-Efficient Active ORAM Framework Thang Hoang , Jorge

NDSS Symposium 2020 MACAO: A Maliciously-Secure and Client-Efficient Active ORAM Framework Thang Hoang , Jorge Guajardo , Attila A. Yavuz CSE, University of South Florida hoangm@mail.usf.edu, attilaayavuz@usf.edu Robert Bosch

517 views • 23 slides
Applications & Client/Server computing link Example client/server systems and

Applications & Client/Server computing link Example client/server systems and

COMP 431 Application-Layer Protocols Internet Services & Protocols Outline application application transport The architecture of distributed systems network Applications & Client/Server computing link Example

204 views • 17 slides
Multi-Threaded Servers December 6, 2007 1 Client-Server Communication Client Client Client

Multi-Threaded Servers December 6, 2007 1 Client-Server Communication Client Client Client

Multi-Threaded Servers December 6, 2007 1 Client-Server Communication Client Client Client Client Client Client Client Client Client Google Client Client Client Client Client Client Many clients; 1 server Server starts and then

333 views • 6 slides
CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis

CSE392/ISE331 Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application Popular attacks Cross-site

266 views • 15 slides
TLS/SSL TLS/SSL aims to provide a secure channel Username and Server Bob Client Alice password

TLS/SSL TLS/SSL aims to provide a secure channel Username and Server Bob Client Alice password

TLS/SSL TLS/SSL aims to provide a secure channel Username and Server Bob Client Alice password are sent over TLS/SSL M A M B M 0 M 0 A B Credit-card number is sent over TLS/SSL Adversary Privacy: Adversary does not learn anything about M A

54 views • 4 slides
Pretty Good Privacy Privacy Enhancing Technologies Leonardo A. Martucci CC-BY-4.0 Part 2:

Pretty Good Privacy Privacy Enhancing Technologies Leonardo A. Martucci CC-BY-4.0 Part 2:

Pretty Good Privacy Privacy Enhancing Technologies Leonardo A. Martucci CC-BY-4.0 Part 2: Secure Communications Why do we need secure communications? PGP We are here! TLS and Let's Encrypt Secure messaging Pretty Good Privacy

468 views • 21 slides
Security and Authorization Ramakrishnan & Gehrke, Chapter 21 320302 Databases & Web

Security and Authorization Ramakrishnan & Gehrke, Chapter 21 320302 Databases & Web

Security and Authorization Ramakrishnan & Gehrke, Chapter 21 320302 Databases & Web Applications (P . Baumann) Motivation Secrecy: Users should not be able to see things they are not supposed to Ex: student cant see other

766 views • 21 slides
Algorithmics Spring Semester 2020 Prof. Dr. Matthias Krause 2020/02/20, 16:22 University of

Algorithmics Spring Semester 2020 Prof. Dr. Matthias Krause 2020/02/20, 16:22 University of

Algorithmics Spring Semester 2020 Prof. Dr. Matthias Krause 2020/02/20, 16:22 University of Mannheim Prerequisites Classification into the Overall Context of Business Informatics Process Management in Business and Society: Identifying

1.34k views • 97 slides
Mostafa afa Z. Ali mzali@just.edu.jo 1-1 Root Privileges Most Linux systems include an

Mostafa afa Z. Ali mzali@just.edu.jo 1-1 Root Privileges Most Linux systems include an

Fall 2009 Lecture 4 Operating Systems: Configuration & Use CIS345 Introduction to UBUNTU LINUX Mostafa afa Z. Ali mzali@just.edu.jo 1-1 Root Privileges Most Linux systems include an account for a user named root (Superuser) who has

1.32k views • 62 slides
Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France

Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France

Format Oracles on OpenPGP Format Oracles on OpenPGP F. Maury J.-R. Reinhard O. Levillain H. Gilbert ANSSI, France CT-RSA April 22, 2015 Maury et al. | ANSSI | CT-RSA 2015 1 / 19 Format Oracles on OpenPGP | Introduction Contribution We

1.05k views • 28 slides
The DigiNotar crisis from incident response to crisis coordination Aart Jochem NCSC-NL FIRST

The DigiNotar crisis from incident response to crisis coordination Aart Jochem NCSC-NL FIRST

The DigiNotar crisis from incident response to crisis coordination Aart Jochem NCSC-NL FIRST Conference Malta - 18 June 2012 Wave 1 Wave 1 Early nineties: Phil Zimmerman releases PGP Photo Phill Zimmerman Pretty Good Privacy Early

649 views • 31 slides
Crypto Wars 2.0 Abertay Hackers Michael Jack mikey$ whoami Michael Jack 2 nd Year

Crypto Wars 2.0 Abertay Hackers Michael Jack mikey$ whoami Michael Jack 2 nd Year

Crypto Wars 2.0 Abertay Hackers Michael Jack mikey$ whoami Michael Jack 2 nd Year Ethical Hacking @MikeyJck BSc @ Abertay Member Abertay Ethical mikeyjck.io Hacking Society I <3 Cryptography Whats all this then?

953 views • 37 slides
Security Protocols Key Establishment, Chapter 13 of Understanding Cryptography by Paar

Security Protocols Key Establishment, Chapter 13 of Understanding Cryptography by Paar

References Introduction to Cryptography Security Protocols Key Establishment, Chapter 13 of Understanding Cryptography by Paar & Pelzl Wide Mouth Frog Protocol from Wikipedia Jim Royer

281 views • 9 slides

More recommend