Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.


Web Security CS-431

HTTP Authentication
– Protect web content from those who don't have a "need to know": require users to authenticate with a userid/password before they are allowed access to certain URLs
– HTTP/1.1 requires that when a user requests a protected resource, the server responds with an authentication request header, WWW-Authenticate, which contains enough pertinent information to carry out a "challenge-response" exchange between the user and the server
– Sequence (Client / Web Server):
  » Client requests a protected resource
  » Server responds with a 401 (not authorized) and a challenge request for the client to authenticate

Client Response
– Well established clients like Firefox, Internet Explorer, … will respond to the challenge request (WWW-Authenticate) by presenting the user with a small pop-up window with data entry fields for
  » userid
  » password
  » a Submit button and a Cancel button
– Entering a valid userid and password posts the data to the server; the server attempts authentication and, if it succeeds, serves the originally requested resource

WWW-Authenticate
– The authentication request received by the browser will look something like:
  WWW-Authenticate = Basic realm="defaultRealm"
– Basic indicates that HTTP Basic authentication is requested
– realm indicates the context of the login; realms hold all of the parts of the security puzzle:
  » Users
  » Groups
  » ACLs (Access Control Lists)
– Basic Authentication
  » userid and password are sent base64 encoded (might as well be plain text)
  » an attacker doesn't even need to decode them: all he has to do is "replay" the blob of information he captured, over and over (this is called a "replay attack")

WWW-Authenticate
– Digest Authentication
  » attempts to overcome the shortcomings of Basic Authentication
  » WWW-Authenticate = Digest realm="defaultRealm" nonce="ServerSpecificString"
  » see RFC 2069 for a description of the nonce; each nonce is different
  » the browser feeds the nonce, together with the userid and password, into a 1-way function (MD5, SHA-1, …) and sends the result to the server; this essentially makes the password good for only one time
– Common browsers don't use Digest Authentication, but an applet could, as an applet has access to all of the Java encryption classes needed to create a Digest
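As an added example (not part of the original slides), the Python below contrasts the two schemes just described: a Basic header decodes to the password with no key at all, while an RFC 2069 Digest response is bound to a server-issued nonce that the server consumes on use, so a captured header fails when replayed. The realm, user name and password are constructed sample values.

```python
import base64
import hashlib
import hmac
import re
import secrets

REALM = "defaultRealm"
USERS = {"alice": "s3cret"}   # constructed sample credential store

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def basic_header(user: str, password: str) -> str:
    # Basic: the credentials are only base64-encoded, not encrypted
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def parse_basic(header: str) -> tuple:
    # Whoever captures this header recovers the password without any key
    return tuple(base64.b64decode(header.split(" ", 1)[1]).decode().split(":", 1))

def digest_response(user, password, method, uri, nonce) -> str:
    # RFC 2069: HA1 = MD5(user:realm:pw), HA2 = MD5(method:uri), MD5(HA1:nonce:HA2)
    ha1 = md5hex(f"{user}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")

def digest_header(user, password, method, uri, nonce) -> str:
    resp = digest_response(user, password, method, uri, nonce)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')

class DigestServer:
    def __init__(self):
        self.live_nonces = set()   # issued by challenge(), not yet consumed

    def challenge(self) -> str:
        nonce = secrets.token_hex(16)   # fresh per WWW-Authenticate challenge
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, method: str, header: str) -> bool:
        f = dict(re.findall(r'(\w+)="([^"]*)"', header))
        if (f.get("realm") != REALM or f.get("nonce") not in self.live_nonces
                or f.get("username") not in USERS):
            return False   # bad realm, unknown user, or unknown/used nonce: a replay fails here
        expected = digest_response(f["username"], USERS[f["username"]], method,
                                   f.get("uri", ""), f["nonce"])
        if not hmac.compare_digest(expected, f.get("response", "")):
            return False
        self.live_nonces.discard(f["nonce"])   # one-time use: consume the nonce
        return True
```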

WWW-Authenticate
– Secure Sockets Layer (SSL)
  » Invented by Netscape and made public domain for everyone's use
  » An additional layer of the TCP/IP stack that sits between the Application and Transport layers; ensures that all application data is encrypted, but TCP/IP headers are not
  » usually run on port 443 (the default HTTPS port)
– Public Key Cryptography
  » the owner of a private key sends a public key to all who want to communicate with him (keys are both prime factors of a large (1024 bit) number). The owner keeps the private key secret and uses it to decrypt information sent to him that has been encrypted with the public key
  » the RSA algorithm is the most notable public-key cipher algorithm
– Digital Certificates
  » issued by a disinterested third party (ex. Verisign)
  » the certificate contains the public key for the specific Web Server and a digital signature of the certifying authority

Back to SSL
– Once a secure session is established, the source requests the destination's certificate (sent in the HTTP header, unencrypted)
– Once the source accepts the authenticity of the certificate, it uses the public key from the certificate to encrypt the generated session key that protects the conversation between source and destination
– The session key is exchanged using an asymmetric cipher (slow); the conversation itself is encrypted using a symmetric cipher (fast). It is done this way to speed up overall communications: strong encryption (slow) is used as little as possible, while weaker encryption is used for most exchanges
– The actual cipher algorithms are negotiated on a per-session basis

Java Cryptographic Packages
Separate packages that are now included as part of the JDK:
– JCE - Java Cryptography Extension
– JSSE - Java Secure Socket Extension
– JAAS - Java Authentication and Authorization Service
– Java GSS-API - Java Generic Security Services API
– Java Certification Path API

JCE
– JCE covers:
  » encryption and decryption: symmetric bulk encryption such as DES, RC2 and IDEA; symmetric stream encryption such as RC4; asymmetric encryption such as RSA; password-based encryption (PBE)
  » key agreement
  » Message Authentication Code (MAC)
– Strong cryptography is the default; unlimited strength is available (depending on export restrictions)

JSSE
– Provides support for communications using SSL (Secure Sockets Layer) and TLS (Transport Layer Security), commonly thought of as HTTPS; part of javax.net
– SSL (and thus HTTPS) permits encrypted traffic to be exchanged between the client and server:
  » After an SSL client initiates a conversation with an SSL server, the server sends an X.509 certificate back to the client for authentication. The client then checks the validity of the certificate. Assuming the server is verified, the client generates a premaster secret, encrypts it with the server's public key from the certificate, and sends the encrypted key back to the server. From this premaster secret, the client and server generate a master key for the session. After some basic handshaking, the encrypted exchange can commence.
– The JSSE library hides these inner workings of the SSL protocol from you

JAAS
– JAAS provides for the authentication of users and the authorization of tasks based upon that authentication
– Previously, anyone authenticated was subject to the same security restrictions. Now you can control which tasks are available to a specific authenticated user
– Requires modification of security policies

Java GSS-API
– Adds Kerberos V5 support to the Java platform
– Kerberos originated at the Massachusetts Institute of Technology (MIT) as project Athena back in …; essentially, a network authentication protocol
  » Defined in RFC 1510 from 1993
  » biggest draw is not having to send passwords over the net
  » offers single sign-on within one domain, if everything within the domain has been Kerberos-enabled
  » support is also provided for single sign-on across different security realms over a network
  » used in conjunction with JAAS: once a user's identity is established, future authentication requests are no longer necessary

Java Certification Path API
– Provides classes for building and validating certificate chains, an important requirement of a Public Key Infrastructure (PKI)
– These certificates provide for the storage of security keys for users. By trusting the issuer of a certificate that holds the keys, and trusting the issuer of the certificate that vouches for the original certificate, you establish chains of trust
– Building and validating certification paths is an important part of many standard security protocols, such as SSL/TLS, Secure/MIME (S/MIME) and IP Security (IPsec)