Web Server Management: Securing Access to Web Servers Jon Warbrick University of Cambridge Computing Service.

Slides:

Advertisements

Similar presentations

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Advertisements

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

Cryptography and Network Security

Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

1 Network Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

COMP043-Cryptology Week 4 – Certs and Sigs. Digital Signatures Digital signatures provide –Integrity –Authenticity and –Non-repudiation How do they work?

Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

Principles of Information Security, 2nd edition1 Cryptography.

Client/Server Computing Model of computing in which very powerful personal computers (clients) are connected in a network with one or more server computers.

Online Security Tuesday April 8, 2003 Maxence Crossley.

Spring 2002CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2003CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Lecture 12 Electronic Business (MGT-485). Recap – Lecture 11 E-Commerce Security Environment Security Threats in E-commerce Technology Solutions.

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Introduction to Secure Sockets Layer (SSL) Protocol Based on:

Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

Authentication of Signaling in VoIP Applications Authors: Srinivasan et al. (MIT Campus of Anna University, India) Source: IJNS review paper Reporter:

Csci5233 computer security & integrity 1 Cryptography: an overview.

CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.

CS453: Introduction to Information Security for E-Commerce Prof. Tom Horton.

Traditional Security Issues Confidentiality –Prevent unauthorized access or reading of information Integrity –Insure that writing or operations are allowed.

Gold Coast Campus School of Information Technology 2003/16216/3112INT Network Security 1Copyright © Griffith University, INT / 3112INT Network.

Encryption protocols Monil Adhikari. What is SSL / TLS? Transport Layer Security protocol, ver 1.0 De facto standard for Internet security “The primary.

Jump to first page Internet Security in Perspective Yong Cao December 2000.

1 Chapter 7 WEB Security. 2 Outline Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction.

Dos and Don’ts of Client Authentication on the Web Kevin Fu, Emil Sit, Kendra Smith, Nick Feamster Presented: Jesus F. Morales.

Privacy and Security Topics From Greenlaw/Hepp, In-line/On-line: Fundamentals of the Internet and the World Wide Web 1 Introduction Known Information Software.

Security By Meenal Mandalia. What is ? stands for Electronic Mail. much the same as a letter, only that it is exchanged in a different.

X509 Web Authentication From the perspective of security or An Introduction to Certificates.

Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke1 Database architecture and security Workshop 4.

SSL: Secure Socket Layer By: Mike Weissert. Overview Definition History & Background SSL Assurances SSL Session Problems Attacks & Defenses.

Network security Presentation AFZAAL AHMAD ABDUL RAZAQ AHMAD SHAKIR MUHAMMD ADNAN WEB SECURITY, THREADS & SSL.

The Secure Sockets Layer (SSL) Protocol

Web Security CS-431.

Cryptography: an overview

Cryptography: an overview

Security Outline Encryption Algorithms Authentication Protocols

Secure Sockets Layer (SSL)

Visit for more Learning Resources

COMP3220 Web Infrastructure COMP6218 Web Architecture

Topic 1: Data, information, knowledge and processing

Originally by Yu Yang and Lilly Wang Modified by T. A. Yang

Information Security message M one-way hash fingerprint f = H(M)

Using SSL – Secure Socket Layer

Public Key Infrastructure

Message Digest Cryptographic checksum One-way function Relevance

Pooja programmer,cse department

Recap unit 2 Review cipher systems, RSA Digital signatures

The Secure Sockets Layer (SSL) Protocol

Cryptography: an overview

Install AD Certificate Services

Transport Layer Security (TLS)

Unit 8 Network Security.

Advanced Computer Networks

Electronic Payment Security Technologies

Cryptography and Network Security

Integrated Security System

Presentation transcript:

Web Server Management: Securing Access to Web Servers Jon Warbrick University of Cambridge Computing Service

Introduction ● Course Outline

Introduction ● Course Outline ● What is HTTPS?

Introduction ● Course Outline ● What is HTTPS?

Introduction ● Course Outline ● What is HTTPS?

What does HTTPS give you? ● Client-server, end-to-end encrypted traffic

What does HTTPS give you? ● Client-server, end-to-end encrypted traffic ● Message Integrity

What does HTTPS give you? ● Client-server, end-to-end encrypted traffic ● Message Integrity ● Authentication of the server

What does HTTPS give you? ● Client-server, end-to-end encrypted traffic ● Message Integrity ● Authentication of the server ● (optional) Authentication of the browser user

A warning about security ● "Security is a process, not a product"

A warning about security ● "Security is a process, not a product" ● TLS protects data in transmission

A warning about security ● "Security is a process, not a product" ● TLS protects data in transmission – What happens after it's received?

A warning about security ● "Security is a process, not a product" ● TLS protects data in transmission – What happens after it's received? –.. or before it's sent?

A warning about security ● "Security is a process, not a product" ● TLS protects data in transmission – What happens after it's received? –.. or before it's sent? – Is the webserver secure from attack?

A warning about security ● "Security is a process, not a product" ● TLS protects data in transmission – What happens after it's received? –.. or before it's sent? – Is the webserver secure from attack? – Is the webserver physically secure?

A warning about security ● "Security is a process, not a product" ● TLS protects data in transmission – What happens after it's received? –.. or before it's sent? – Is the webserver secure from attack? – Is the webserver physically secure? ● Legal requirements (DPA, RIPA)

Politics ● Patents

Politics ● Patents ● Munitions

A Crash Course in Cryptography

● Symmetric ciphers

A Crash Course in Cryptography ● Symmetric ciphers

A Crash Course in Cryptography (2) ● Public-key ciphers

A Crash Course in Cryptography (2) ● Public-key ciphers

A Crash Course in Cryptography (3) ● Key Exchange

A Crash Course in Cryptography (3) ● Key Exchange

A Crash Course in Cryptography (4) ● Message digests

A Crash Course in Cryptography (5) ● Digital signatures

A Crash Course in Cryptography (5) ● Digital signatures

A Crash Course in Cryptography (5) ● Digital signatures

A Crash Course in Cryptography (5) ● Digital signatures

A Crash Course in Cryptography (5) ● Digital signatures

A Crash Course in Cryptography (6) ● Public key certificates

A Crash Course in Cryptography (6) ● Public key certificates ● Certification authorities

A Crash Course in Cryptography (6) ● Public key certificates ● Certification authorities – UCS Certificate scheme

A Crash Course in Cryptography (6) ● Public key certificates ● Certification authorities – UCS Certificate scheme ● PKI

The SSL Process ● Browser contacts server

The SSL Process ● Browser contacts server ● Client & server agree ciphers, protocols, etc.

The SSL Process ● Browser contacts server ● Client & server agree ciphers, protocols, etc. ● Server sends its certificate to the client

The SSL Process ● Browser contacts server ● Client & server agree ciphers, protocols, etc. ● Server sends its certificate to the client ● Client verifies the server's certificate

The SSL Process ● Browser contacts server ● Client & server agree ciphers, protocols, etc. ● Server sends its certificate to the client ● Client verifies the server's certificate ● Client sends a secret using server's public key

The SSL Process (2) ● Client & server create symmetric keys

The SSL Process (2) ● Client & server create symmetric keys ● Client & server switch to the agreed cipher

The SSL Process (2) ● Client & server create symmetric keys ● Client & server switch to the agreed cipher ● Sequence numbers and hashes protect against tampering

The downside of using HTTPS ● No caching of documents

The downside of using HTTPS ● No caching of documents ● Overheads on client and server

The downside of using HTTPS ● No caching of documents ● Overheads on client and server ● Firewalls may not allow HTTPS traffic

The downside of using HTTPS ● No caching of documents ● Overheads on client and server ● Firewalls may not allow HTTPS traffic ● £££ Cost

The downside of using HTTPS ● No caching of documents ● Overheads on client and server ● Firewalls may not allow HTTPS traffic ● £££ Cost ● Search Engines

Creating Keys and Certificates

OpenSSL ● Used by most Unix and some Windows systems

OpenSSL ● Used by most Unix and some Windows systems – Cryptographic library

OpenSSL ● Used by most Unix and some Windows systems – Cryptographic library – Command-line utilities

OpenSSL ● Used by most Unix and some Windows systems – Cryptographic library – Command-line utilities ● Pre-built packages for RedHat, Fedora, SuSE, Debian, Solaris. Windows executables can be found

OpenSSL ● Used by most Unix and some Windows systems – Cryptographic library – Command-line utilities ● Pre-built packages for RedHat, Fedora, SuSE, Debian, Solaris. Windows executables can be found ●... or build your own

OpenSSL ● Used by most Unix and some Windows systems – Cryptographic library – Command-line utilities ● Pre-built packages for RedHat, Fedora, SuSE, Debian, Solaris. Windows executables can be found ●... or build your own ● Command-line arguments confusing

Configuring Apache

Getting or building SSL Apache ● Apache V.1 with mod_ssl (or Apache-SSL)

Getting or building SSL Apache ● Apache V.1 with mod_ssl (or Apache-SSL) ● Apache V.2

Getting or building SSL Apache ● Apache V.1 with mod_ssl (or Apache-SSL) ● Apache V.2 ● RedHat/Debian/Fedora/SuSE have pre-built packages

Getting or building SSL Apache ● Apache V.1 with mod_ssl (or Apache-SSL) ● Apache V.2 ● RedHat/Debian/Fedora/SuSE have pre-built packages ● Pre-compiled Windows available

Getting or building SSL Apache ● Apache V.1 with mod_ssl (or Apache-SSL) ● Apache V.2 ● RedHat/Debian/Fedora/SuSE have pre-built packages ● Pre-compiled Windows available ●... or build your own

Other Issues ● Additional Directives

Other Issues ● Additional Directives ● Proxying HTTPS

Other Issues ● Additional Directives ● Proxying HTTPS ● Extended Validation

Other Issues ● Additional Directives ● Proxying HTTPS ● Extended Validation

Other Issues ● Additional Directives ● Proxying HTTPS ● Extended Validation ● Server Gated Cryptography

Further Material ● courses/using_https/ ●