Online Security Tuesday April 8, 2003 Maxence Crossley.

Outline
- How do we authenticate a service?
- How do we encrypt a session?
- How do we prevent a “replay attack”?
- Another Problem: Spoofing

How do we authenticate a session?
- Certification Authorities (CAs)
  - VeriSign
  - SecureNet
  - Digital Signature Trust
- Distribute and store certificates

Public Key Cryptography
- Server publishes public key with Certification Agency
- Client encrypts message with public key
- Server decrypts message with private key
Source:

Private Key Cryptography
- Server and Client share a secret and private key
- Client encrypts message with private key
- Server decrypts message with private key
Source:

How do we encrypt a session? SSL
- Client requests a secured file
- Server sends its certificate
- Client checks with CA that the signature is valid
- Client generates a unique session key and sends it to server
Source:

How do we encrypt a session? [three diagram slides; the images are not part of the transcript]
Source:

What is a “replay attack”?
- When an attacker uses captured authentication tokens to gain access to a user’s account while bypassing normal authentication
- Sniffing a URL that has a session ID in it
- Attacker can obtain access to the user’s account
Source:

Countermeasures
- “Generate hard to reverse-engineer Session IDs for authenticated web users (i.e. use strong crypto, MD5 hashes, etc.)”
- “Build and require SSL (or other encryption) into the web application so that the authentication token can not be easily sniffed in transit between browser and server; Ensure that all cookies enable the "secure" field (see OWASP's explanation of cookies)”
Source:

Countermeasures
- “Provide a logout function that expires all cookies and other authentication tokens”
- “Users can choose not to select the "Remember Me" option on web application accounts so that authentication tokens are not persistent after logout”
Source:
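The session-ID countermeasures quoted above, carried into code as an added example (not from the slides or from OWASP): an in-memory session store that issues unguessable IDs from the OS random source (swapped in for the MD5 hashes the quote mentions), marks the cookie Secure and HttpOnly, keeps it non-persistent unless "Remember Me" is chosen, and invalidates the ID on logout so a sniffed copy cannot be replayed. The cookie name, SESSION_TTL and the store itself are assumptions.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 30 * 60  # idle lifetime of a session in seconds (assumed value)

class SessionStore:  # in-memory table: session id -> (user, expiry); constructed for this example
    def __init__(self):
        self._sessions = {}

    def login(self, user, now=None):
        """Issue a fresh, unguessable id: 256 bits from the OS CSPRNG, not a counter or a hash of user data."""
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, now + SESSION_TTL)
        return sid

    def authenticate(self, sid, now=None):
        """Map a presented id back to its user; None if unknown, expired or logged out."""
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            del self._sessions[sid]  # stale token: drop it so it cannot be replayed later
            return None
        return user

    def logout(self, sid):
        """Expire the token server-side, so a sniffed copy is useless afterwards."""
        self._sessions.pop(sid, None)

def session_cookie(sid, remember_me=False):
    """Set-Cookie value: the id travels only over HTTPS and is hidden from page scripts."""
    c = SimpleCookie()
    c["SESSIONID"] = sid
    c["SESSIONID"]["secure"] = True    # the "secure" field from the OWASP advice
    c["SESSIONID"]["httponly"] = True
    if remember_me:                    # persistent only when the user asks for it
        c["SESSIONID"]["max-age"] = SESSION_TTL
    return c["SESSIONID"].OutputString()

def logout_cookie():
    """Set-Cookie value that makes the browser discard the session cookie."""
    c = SimpleCookie()
    c["SESSIONID"] = ""
    c["SESSIONID"]["max-age"] = 0
    return c["SESSIONID"].OutputString()
```

A replayed ID is rejected by `authenticate` as soon as `logout` has run or the TTL has passed, regardless of whether the browser honoured the expiring cookie.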

Another Problem: Spoofing
- Web users rely on visual cues when deciding to trust a site
  - Location bar information
  - SSL icons
  - SSL warnings
  - Certificate information
  - Response time
- These cues can be forged
Source:

Spoofing [two screenshot slides; the images are not part of the transcript]
Source:

Countermeasures
- Mozilla with SRD (synchronized random dynamic) Boundary
  - Trusted Reference Window in lower right corner
  - Untrusted Outer Window
  - Colors chosen at random
Source: