Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Applications Security Cryptography 1

Published byAda Lambert Modified over 6 years ago

Similar presentations

Presentation on theme: "Web Applications Security Cryptography 1"— Presentation transcript:

1 Web Applications Security Cryptography 1
IT College, Andres Käver, , autumn semester Web: Skype: akaver

2 Cryptography Cryptography (or crypto) is one of the more advanced topics of information security, and one whose understanding requires the most schooling and experience. There are many approaches to encryption, each with advantages and disadvantages that need to be thoroughly understood by web solution architects and developers. A small mistake in configuration or coding will result in removing most of the protection and rendering the crypto implementation useless.

3 Cryptography Provides
Authentication, Auditing, Confidentiality, Integrity Some crypto algorithms are more suited to particular tasks, but not to others. Usually more secure algorithm is much more expensive to run (slower, more cpu/memory usage) Sometimes combination is used – SSL for example. Initial connection is made with secure solution, actual data transfer is done with much faster/weaker implementation.

4 Cryptography - symmetric
Symmetric keys share a common secret (password, pass phrase, or key). Data is encrypted and decrypted using the same key. Symmetric algorithms are very fast Common examples of symmetric algorithms are DES, 3DES and AES. Key exchange is problem!!!

5 Cryptography - asymmetric
Aka Public/Private Key crypto Asymmetric algorithms use two keys, one to encrypt the data, and either key to decrypt. These inter-dependent keys are generated together. One is labeled the Public key and is distributed freely. The private key must be kept secure.

6 Cryptography - asymmetric
Confidentiality Encrypt data with a user’s public key (which is publicly available), we can send the data over an insecure network knowing that only the associated private key will be able to decrypt the data.

7 Cryptography - asymmetric
Authentication Encrypt data with private key, only public key can decrypt –prove the message’s authenticity, since only specific private key could have generated the message.

8 Cryptography - asymmetric
A Certificate Authority (CA), whose public certificates are installed with browsers or otherwise commonly available, may also digitally sign public keys or certificates. We can authenticate remote systems or users via a mutual trust of an issuing CA. We trust their ‘root’ certificates, which in turn authenticate the public certificate presented by the server. PGP and SSL are prime examples of a systems implementing asymmetric cryptography, using the RSA or other algorithms.

9 Cryptography - hashes Hash functions take some data (and possibly a key or password) and generate a unique hash or checksum. Since this is a one-way function, it is normally used to provide tamper detection. MD5 and SHA-1 are common hashing algorithms used today. These algorithms are considered weak. Consider using SHA-256 instead.

10 Cryptography – key exchange
Key exchange algorithms (such as Diffie-Hellman for SSL). These allow use to safely exchange encryption keys with an unknown party.

11 Cryptography As modern cryptography relies on being computationally expensive to break, specific standards can be set for key sizes that will provide assurance that with today’s technology and understanding, it will take too long to decrypt any given key. Therefore, we need to ensure that both the algorithm and the key size are taken into account when selecting an algorithm. Proprietary encryption algorithms are not to be trusted as they typically rely on ‘security through obscurity’ and not sound mathematics.

12 Cryptography Weak algorithms
MD5 has recently been found less secure than previously thought. While still safe for most applications such as hashes for binaries made available publicly, secure applications should now be migrating away from this algorithm. SHA-0 has been conclusively broken. SHA-1 has been reduced in strength - migrate to SHA-256, which implements a larger key size. DES was once the standard crypto algorithm for encryption; a normal desktop machine can now break it. AES is the current preferred symmetric algorithm.

13 Cryptography – Key storage
Crypto relies on keys to assure a user’s identity, provide confidentiality and integrity as well as non-repudiation. It is vital that the keys are adequately protected. Should a key be compromised, it can no longer be trusted. Any system that has been compromised in any way should have all its cryptographic keys replaced.

14 Cryptography – tokens Web servers typically deal with large numbers of users. Differentiating between them is often done through cookies or other session identifiers. If these session identifiers use a predictable sequence, an attacker need only generate a value in the sequence in order to present a seemingly valid session token. This can occur at a number of places; the network level for TCP sequence numbers, or right through to the application layer with cookies used as authenticating tokens. Any deterministic sequence generator is likely to be vulnerable. Use strong implementation of random number generators! Sometimes hardware solution is needed.

15 THE END

Download ppt "Web Applications Security Cryptography 1"

Similar presentations

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.

Chapter 9: Using and Managing Keys Security+ Guide to Network Security Fundamentals Second Edition.
Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.

Introduction to PKI Seminar What is PKI? Robert Brentrup July 13, 2004.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.

Symmetric Key Distribution Protocol with Hybrid Crypto Systems Tony Nguyen.
Cryptographic Technologies

Cryptographic Technologies
Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.

Introduction to Public Key Infrastructure (PKI) Office of Information Security The University of Texas at Brownsville & Texas Southmost College.
Encryption Methods By: Michael A. Scott 20140508.

Encryption Methods By: Michael A. Scott
Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.

Chapter 8.  Cryptography is the science of keeping information secure in terms of confidentiality and integrity.  Cryptography is also referred to as.
Cryptography 101 Frank Hecker

Cryptography 101 Frank Hecker
CSCI 6962: Server-side Design and Programming

CSCI 6962: Server-side Design and Programming
Chapter 31 Network Security

Chapter 31 Network Security
DNSSEC Cryptography Review Track 2 Workshop July 3, 2010 American Samoa Hervey Allen.

DNSSEC Cryptography Review Track 2 Workshop July 3, 2010 American Samoa Hervey Allen.
.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

.Net Security and Performance -has security slowed down the application By Krishnan Ganesh Madras.

Similar presentations

Ads by Google