web security summer term 2012
play

Web Security, Summer Term 2012 Secure HyperText Transfer Protocol - PowerPoint PPT Presentation

Nov 17, 2022 •226 likes •486 views

IIG University of Freiburg Web Security, Summer Term 2012 Secure HyperText Transfer Protocol Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 1 Table of Contents Attacks using HTTP

  1. IIG University of Freiburg Web Security, Summer Term 2012 Secure HyperText Transfer Protocol Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 1

  2. Table of Contents Attacks using HTTP � Where do we Need Security? Symetric and Asymetric Cryptography � Signing a message Public Key Infrastructure � Efficiency of Cryptography SSL and TLS � Presentation of phases Properties of a TLS connextion How to Configure your Web Server � Create a HTTPS server Host Multiple Servers on One Machine Double Side Authentication Apache Configuration Limitations � References � Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 2

  3. Attacks Using HTTP ◮ HTTP is transfered Cleartext over the internet • Request / Response sent unencrypted ◮ Eavesdropping • Any attacker can read everything transfering on the Internet. • Includes GET and POST parameters • For instance Username / Password or Session Cookie ◮ Message Modification • Message can be manipulated • Request : add some tracking information • Response: modify the page. Examples: ◮ Add some Javascript for sending information to a third party ◮ Change the action of a form (to redirect the user to a physhing site) ◮ . . . Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 3

  4. Needs for security ◮ Confidentiality • Nobody can read the message I send • For both Security and Privacy ◮ Authentication of the partner • Am I realy talking with the server I am supposed to? • Am I realy the person I am supposed to be? ◮ Integrity of the Message • Is the message the one that my partner sent? Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 4

  5. Symetric Cryptography ◮ Symetric Cryptography • Alice and Bob share the same Key K (which is secret) • Alice encrypts the message with K • Bob decrypts the message with K • If Charly doesn’t have K , he can not read the message ◮ Efficiency • This type of crypto is very efficient ◮ Problem • How to exchange the key if you do not meet your correspondant • Alice and Bob need a secure chanel to exchange the key Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 5

  6. Asymetric Cryptography ◮ Knowledge of Keys is Asymetric • Alice wants to send a message M to Bob • Alice has access to the public key K Bpub of Bob • Bob knows a pair ( K Bpub , K Bpriv ) ◮ Encryption of a message • Alice encrypts the message using Bob’s Public key K Bpub • Bob decrypts the message using his private key K Bpriv ◮ Problem • How can Bob be sure it is Alice who sent the message? • Charlie may have intercepted the message and replaced by another one Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 6

  7. Signing a message ◮ Bob wants to be certain the message was sent by Alice • He wants to check the integrity of the message ◮ Signing of the message • Alice also has a pair of keys:( K Apub , K Apriv ) • Bob knows the public key of Alice K Apub • Alice uses her private key to sign the message sent to Bob • Bob uses the public key to verify the signature of Alice • Since Charly does not know the private key, he can not forge such a message • Bob is convinced that Alice has sent this message ◮ Combining both : encrypting and signing • Alice writes a message M • She creates a signature σ ( M ) with her private key K Apriv • She encrypts both M and σ ( M ) with Bob’s public key K Bpub • Bob receives the encrypted message, Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 7

  8. Public Key Infrastructure ◮ A lot of keys have to be exchanged • Alice needs the public key of Bob • Bob needs the public key of Alice • etc. ◮ How to exchange keys in a secure way? • Alice and Bod never met eachother • They trust the same third party (called Certificate Authority - CA) • They both have received (in a secure way) the public key of the CA Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 8

  9. Certificate ◮ Alice wants to receive Bob’s public key • Bob creates his key pair • Bob is identified by CA and gives his Name and public key to the CA • CA signes a “certificate” containing the following information ◮ Name of the Certificate Authority ◮ Name of the owner of the certificate (Bob) ◮ Address, . . . ◮ Public key of Bob ◮ So if Alice trusts the verification of CA, she trusts the public key of Bob. ◮ Problems in real life • Alice and Bob may not have the same certificate authority: We have a chain of trust (or web of trust) • The Public Key Infrastructure PKI uses a Root Certificate who anybody trusts. • You need a way to revoke compromised keys • . . . Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 9

  10. Public Key Infrastructure (simplified) Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 10

  11. Efficiency of Cryptography ◮ Public Key Cryptography • Very useful between unknown persons • Requires long keys • Is too slow • Can not be used for big transfer ◮ Symetric Key Cryptography • Reserved for people that know each other • Can be much more efficient • Should be used to transfer large data ◮ Solution • Use the two systems • First “Hand Shaking” using a public key • Then (once we know each other) use a symetric key algorithm Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 11

  12. SSL and TLS ◮ TCP/IP socket can be read and modified • TCP/IP does not contain any security mechanism • Idea: we trust the others ◮ SSL and TLS • Create a socket that can neither be read nor modified • “Tuneling” ◮ Content is protected from its origin to its destination • Content is encrypted and signed • Protocol prevents any modification Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 12

  13. Tunnel Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 13

  14. Three Phases of TLS 1. Peer negotiation for algorithm support • For key Exchange: RSA, Difie-Hellman, DSA, SRP, PSK • For symetric ciphers: RC4, Triple DES, AES or Camellia • For crypto hash function (Message authentication codes - MAC): HMAC-MD5 or HMAC-SHA 2. Key exchange and authentication • Exchange of Certificate(s) (normally X.509, draft for OpenPGP) • Verification of the certificate(s) (can ask the CA if it is still valid) • Exchange of a new secret key for symetric encryption 3. Symmetric cipher encryption and message authentication • Symetric encryption is faster Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 14

  15. Advantages of TLS ◮ Eavesdropping • The data transfered on the net are crypted. It is not possible to read it. ◮ Data Modification • Since consitancy of data is checked using MAC hash functions, content can not be modified ◮ Man in the middle attack • The client is certain to be faced with the server possessing the certificate. Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 15

  16. Problems with HTTPS / TLS-SSL ◮ Relies on the PKI infrastructure • Revocation of Certificates have to be tested • Certificate Authorities have to be known (and trusted) • X.509 relies on a Root certificate, should not be protected ◮ Man in the Middle attack • Possible: the user is warned and clicks the button OK ◮ Interception / Modification • Much more complicated than with HTTP Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 16

  17. Create your own HTTPS server ◮ Create a Certificate (Standard X.509) Contains • Identity and Address of the subject • Validity (not before, not after) • Public Key Information (algorithm and key) ◮ Let a CA sign your certificate You add the following information in your certificate • Identity and Address of the issuer of the certificate • Signature (algorithm and fingerprint) ◮ Configure the port 443 of your server • Update the configuration of your server such that it listens to this port using HTTPS. Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 17

  18. Sample Certificate Certificate: Data: Version: 1 (0x0) Serial Number: 7829 (0x1e95) Signature Algorithm: md5WithRSAEncryption Issuer: C=ZA, ST=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Server CA/emailAddress=server-certs@thawte.com Validity Not Before: Jul 9 16:04:02 1998 GMT Not After : Jul 9 16:04:02 1999 GMT Subject: C=US, ST=Maryland, L=Pasadena, O=Brent Baccala, OU=FreeSoft, CN=www.freesoft.org/emailAddress=baccala@freesoft.org Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b4:31:98:0a:c4:bc:62:c1:88:aa:dc:b0:c8:bb: 33:35:19:d5:0c:64:b9:3d:41:b2:96:fc:f3:31:e1: ... d2:75:6b:c1:ea:9e:5c:5c:ea:7d:c1:a1:10:bc:b8: e8:35:1c:9e:27:52:7e:41:8f Exponent: 65537 (0x10001) Signature Algorithm: md5WithRSAEncryption 93:5f:8f:5f:c5:af:bf:0a:ab:a5:6d:fb:24:5f:b6:59:5d:9d: 92:2e:4a:1b:8b:ac:7d:99:17:5d:cd:19:f6:ad:ef:63:2f:92: ... 8f:0e:fc:ba:1f:34:e9:96:6e:6c:cf:f2:ef:9b:bf:de:b5:22: 68:9f Web Security, Summer Term 2012 3 Secure HyperText Transfer Protocol 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist

Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist

IIG University of Freiburg Web Security, Summer Term 2012 Brocken Authentication and Session Management Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 7 Broken Authentication and Session Management 1 Table of Contents

641 views • 24 slides
Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

IIG University of Freiburg Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 5 Cross Site Scripting 1 Table of Contents Presentation: Inject Javascript in a Page

506 views • 26 slides
Web Security, Summer Term 2012 HyperText Transfer Protocol - HTTP Dr. E. Benoist Sommer Semester

Web Security, Summer Term 2012 HyperText Transfer Protocol - HTTP Dr. E. Benoist Sommer Semester

IIG University of Freiburg Web Security, Summer Term 2012 HyperText Transfer Protocol - HTTP Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 2 HyperText Transfer Protocol - HTTP 1 Table of Contents Principles Request

675 views • 35 slides
Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist

Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist

IIG University of Freiburg Web Security, Summer Term 2012 Information Leakage and Improper Error Handling Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 1 Table of Contents

240 views • 12 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
Short term Foreign Exchange: England Summer 2012 BACK IN CALIFORNIA British Slang vs. American

Short term Foreign Exchange: England Summer 2012 BACK IN CALIFORNIA British Slang vs. American

Short term Foreign Exchange: England Summer 2012 BACK IN CALIFORNIA British Slang vs. American Lingo Chips Crisps French Fries Chips Trash Can Rubish Bin Backpack Rucksack Bathroom/Restroom Toilet/Lou Soccer Football Cleats Boots Bus

449 views • 16 slides
Summer 2012 August 6, 2012 CSE 332 Data Abstractions, Summer 2012 1 *ominous music* THE FINAL

Summer 2012 August 6, 2012 CSE 332 Data Abstractions, Summer 2012 1 *ominous music* THE FINAL

CSE 332 Data Abstractions: Data Races and Memory, Reordering, Deadlock, Readers/Writer Locks, and Condition Variables (oh my!) Kate Deibel Summer 2012 August 6, 2012 CSE 332 Data Abstractions, Summer 2012 1 *ominous music* THE FINAL EXAM

826 views • 80 slides
Algorithms of Scientific Computing Discrete Cosine Transform (DCT) Michael Bader Summer Term

Algorithms of Scientific Computing Discrete Cosine Transform (DCT) Michael Bader Summer Term

Technische Universit at M unchen Algorithms of Scientific Computing Discrete Cosine Transform (DCT) Michael Bader Summer Term 2012 Michael Bader: Algorithms of Scientific Computing Discrete Cosine Transform (DCT), Summer Term 2012 1

233 views • 19 slides
Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer

Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer

Binary-Level Software Security Gang Tan Department of CSE, Lehigh University For Joint Summer Schools on Cryptography and Principles of Software Security @ Penn State; Jun 1st, 2012 High-Level Languages for Safety/Security 2 Java, C#,

1.54k views • 98 slides
Codsall Middle School Year 5 Autumn Term Spring Term Summer Term Story Openers Persuasive

Codsall Middle School Year 5 Autumn Term Spring Term Summer Term Story Openers Persuasive

Codsall Middle School Year 5 Autumn Term Spring Term Summer Term Story Openers Persuasive writing Amazon Diary; (advertising, debates, Reading and writing letters to persuade); instructions. A range of poetry texts The Lightning Thief

193 views • 16 slides
Kate Deibel Summer 2012 July 16, 2012 CSE 332 Data Abstractions, Summer 2012 1 Where We Are

Kate Deibel Summer 2012 July 16, 2012 CSE 332 Data Abstractions, Summer 2012 1 Where We Are

CSE 332 Data Abstractions: Sorting It All Out Kate Deibel Summer 2012 July 16, 2012 CSE 332 Data Abstractions, Summer 2012 1 Where We Are We have covered stacks, queues, priority queues, and dictionaries Emphasis on providing one

1.09k views • 83 slides
Security Summer 2013 Cornell University 1 Today How does the OS provide security?

Security Summer 2013 Cornell University 1 Today How does the OS provide security?

CS 4410 Operating Systems Security Summer 2013 Cornell University 1 Today How does the OS provide security? Secure System Security Violations Security Measures Threats User Authentication Protection 2 Secure

381 views • 14 slides
Summer 2012 In Site Summer 2012 By Kevin Greene, Inga Hall, Nicola Ellis, Laura Ludlow & Lee

Summer 2012 In Site Summer 2012 By Kevin Greene, Inga Hall, Nicola Ellis, Laura Ludlow & Lee

Summer 2012 In Site Summer 2012 By Kevin Greene, Inga Hall, Nicola Ellis, Laura Ludlow & Lee Forsyth Construction and Engineering Welcome to the Summer 2012 edition of In Site. This edition covers the following topics: NEC3 issues for

220 views • 9 slides
Summer 2012 CFPC Approved Project Review CFPC Approved Summer 2012 Projects Facilities

Summer 2012 CFPC Approved Project Review CFPC Approved Summer 2012 Projects Facilities

University Facilities Management September 14, 2012 Summer 2012 CFPC Approved Project Review CFPC Approved Summer 2012 Projects Facilities Management worked hard over the summer refreshing and repairing campus facilities and grounds in

447 views • 13 slides
Security Summer 2016 Cornell University 1 Today Security policies Enforcement

Security Summer 2016 Cornell University 1 Today Security policies Enforcement

CS 4410 Operating Systems Security Summer 2016 Cornell University 1 Today Security policies Enforcement Authenticating people Passwords 2 Security policy Security policies prescribe what must be done and what must not be

431 views • 13 slides
Welcome List of Providers (LoP) Keeping you up to date meeting July 2019 Funding Summer Term

Welcome List of Providers (LoP) Keeping you up to date meeting July 2019 Funding Summer Term

Welcome List of Providers (LoP) Keeping you up to date meeting July 2019 Funding Summer Term 2019 Summer Term Additional Headcount Task payments will be made by 19 July. We will let you know via the Broadcast alerts as usual when

577 views • 24 slides
GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA +

GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA +

create your own exercise Berkay Kozan, Jan Krol Group 202 GUESS THE CORRECT LOG CT INSIGHTS 1 2 3 4 5 Content TLS + Vulnerabilities CA + Black Tulip How Certificate Transparency Works SCT delivering methods Merkle

729 views • 55 slides
Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction

Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction

Certificates Noah Zani, Tim Strasser, Andrs Baumeler Overview Motivation Introduction Public Key Infrastructure (PKI) Economic Aspects Motivation Need for secure, trusted communication Growing certificate market

777 views • 49 slides
Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631

Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631

CUNSHENG DING Computer Security HKUST, Hong Kong Computer Security Cunsheng Ding, HKUST COMP4631 CUNSHENG DING Computer Security HKUST, Hong Kong Lecture 11: Public-Key Infrastructure Main Topics of this Lecture 1. Digital

433 views • 25 slides
Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano

Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano

Verifying the SET Protocol G Bella & L C Paulson Cambridge F Massacci Siena P Tramontano Rome Inductive Protocol Verification Define systems operational semantics Include honest parties and an attacker Model each

465 views • 22 slides
Encrypt ALL the things with LetsEncrypt Created by : Justin W. Flory Solomon Rubin

Encrypt ALL the things with LetsEncrypt Created by : Justin W. Flory Solomon Rubin

Encrypt ALL the things with LetsEncrypt Created by : Justin W. Flory Solomon Rubin License : CC-BY-SA 4.0 Introduction What is TLS and why do I need it? TLS stands for Transport Layer Security Difference between https and

360 views • 23 slides
Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute

Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute

ITS335 Web Security Browsing Applications Web Security HTTPS Certificates Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2 February 2014 its335y13s2l09,

446 views • 31 slides
CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San

CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San

CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San Francisco http://www.cs.usfca.edu/~keldefrawy/teaching /spring2018/cs683/cs683_main.htm (https://goo.gl/t396Fw) 1 Le Lect cture 14 14 Public Key

857 views • 47 slides
CSCI E-170 October 17, 2005 L04: Public Key Cryptography 1 Todays Outline 1. LJ Nonsense

CSCI E-170 October 17, 2005 L04: Public Key Cryptography 1 Todays Outline 1. LJ Nonsense

CSCI E-170 October 17, 2005 L04: Public Key Cryptography 1 Todays Outline 1. LJ Nonsense 2. HW2 - Graded and returned. 3. HW3 - How are things going? 4. Review of L03 (hash functions & ciphers) 5. Public Key Cryptography 6.

757 views • 43 slides

More recommend