Online Security Tuesday April 8, 2003 Maxence Crossley.


1 Online Security Tuesday April 8, 2003 Maxence Crossley

2 Outline
  - How do we authenticate a service?
  - How do we encrypt a session?
  - How do we prevent a “replay attack”?
  - Another Problem: Spoofing

3 How do we authenticate a session?
  - Certification Authorities (CAs)
    - VeriSign
    - SecureNet
    - Digital Signature Trust
  - Distribute and store certificates

4 Public Key Cryptography
  - Server publishes public key with Certification Agency
  - Client encrypts message with public key
  - Server decrypts message with private key
  Source: http://waubonsie.com/security/www.html

5 Private Key Cryptography
  - Server and Client share a secret and private key
  - Client encrypts message with private key
  - Server decrypts message with private key
  Source: http://waubonsie.com/security/www.html

6 How do we encrypt a session? SSL
  - Client requests a secured file
  - Server sends its certificate
  - Client checks with CA that the signature is valid
  - Client generates a unique session key and sends it to server
  Source: http://waubonsie.com/security/www.html

7-9 How do we encrypt a session? (diagram slides; images not in transcript)
  Source: http://waubonsie.com/security/www.html

10 What is a “replay attack”?
  - When an attacker uses captured authentication tokens to gain access to a user’s account while bypassing normal authentication
  - Sniffing a URL that has a session ID in it
  - Attacker can obtain access to the user’s account
  Source: http://www.owasp.org/asac/auth-session/replay.shtml

11 Countermeasures
  Source: http://www.owasp.org/asac/auth-session/replay.shtml
  - “Generate hard to reverse-engineer Session IDs for authenticated web users (i.e. use strong crypto, MD5 hashes, etc.)”
  - “Build and require SSL (or other encryption) into the web application so that the authentication token can not be easily sniffed in transit between browser and server; Ensure that all cookies enable the "secure" field (see OWASP's explanation of cookies)”

12 Countermeasure
  Source: http://www.owasp.org/asac/auth-session/replay.shtml
  - “Provide a logout function that expires all cookies and other authentication tokens”
  - “Users can choose not to select the "Remember Me" option on web application accounts so that authentication tokens are not persistent after logout”
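As an added example (not from the slides or the OWASP page they quote), the replay countermeasures of slides 11 and 12 in Python: a server-side session table that issues session IDs from the OS CSPRNG (the secrets module, used here in place of the MD5 hashes the quote mentions), a Set-Cookie line carrying the "secure" field (plus HttpOnly, an addition beyond the slides), and a logout that expires the token so a captured copy is rejected afterwards. SessionStore, the cookie name SESSIONID and the timestamps are assumptions made for the example.

```python
import secrets
import time

SESSION_ID_BYTES = 32  # 256 bits from the OS CSPRNG: not guessable, nothing to reverse-engineer


class SessionStore:
    """Server-side table of live sessions (hypothetical): opaque ID -> (user, expiry)."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._sessions = {}

    def login(self, username, now=None):
        """Issue a fresh, random session ID for a user who just authenticated."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = (username, now + self.ttl)
        return sid

    def authenticate(self, sid, now=None):
        """Return the user owning `sid`, or None if the ID is unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        username, expiry = entry
        if now >= expiry:
            del self._sessions[sid]  # idle sessions die even without an explicit logout
            return None
        return username

    def logout(self, sid):
        """Expire the token server-side; a sniffed copy is useless from here on."""
        self._sessions.pop(sid, None)


def session_cookie_header(sid, max_age):
    """Set-Cookie sent only over TLS (Secure) and hidden from page scripts (HttpOnly)."""
    return f"Set-Cookie: SESSIONID={sid}; Max-Age={max_age}; Path=/; Secure; HttpOnly"


def replay_after_logout():
    """Constructed scenario: a captured token works while the session lives, not after logout."""
    store = SessionStore(ttl_seconds=600)
    sid = store.login("alice", now=1000.0)
    captured = sid  # constructed: the attacker recorded this ID in transit
    during = store.authenticate(captured, now=1010.0)  # "alice": replay succeeds
    store.logout(sid)
    after = store.authenticate(captured, now=1020.0)  # None: replay rejected
    return during, after
```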

13 Another Problem: Spoofing
  - Web users rely on visual cues when deciding to trust a site
    - Location bar information
    - SSL icons
    - SSL warnings
    - Certificate information
    - Response time
  - These cues can be forged
  Source: http://www.cs.dartmouth.edu/~pkilab/demos/spoofing/

14-15 Spoofing (demo slides; images not in transcript)
  Source: http://www.cs.dartmouth.edu/~pkilab/demos/spoofing/

16 Countermeasures
  - Mozilla with SRD (synchronized random dynamic) Boundary
    - Trusted Reference Window in lower right corner
    - Untrusted Outer Window
    - Colors chosen at random
  Source: http://www.cs.dartmouth.edu/~pkilab/demos/countermeasures/
