Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.

Published byMarlene Quinn Modified over 8 years ago

Similar presentations

Presentation on theme: "CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP."— Presentation transcript:

1 CS 4244: Internet Programming Security 1.0

2 Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP

3 Client Identification and Cookies (1) HTTP Headers Client IP address User login Fat URLs Cookies

4 Client Identification and Cookies (2) HTTP Headers From User-Agent Referer Authorization

5 Client Identification and Cookies (3) Early servers used IP address to identify client Problems Identifies computer, not user Dynamic IP addresses Network Address Translation firewalls Use of proxies User login, covered in basic authentication

6 Client Identification and Cookies (4) Fat URLs are URLs that are generated by the server, specific to each user Problems include Ugly URLs Can’t share them Breaks caching Extra server load Escape hatches Not persistent across sessions

7 Client Identification and Cookies (5) Cookies are of two types Session cookies Persistent cookies

8 Basic Authentication (1) Request Challenge HTTP Header: WWW-Authenticate Authorization HTTP Header: Authorization Success HTTP Header: Authentication-Info

9 Basic Authentication (2) Base-64 Encoding is used to encode Username/Password Client sends encoded username/password with Authorization header, separated by : Proxy Authentication is used when a proxy is used instead of the server Proxy headers are used instead of server headers

10 Problems With Basic Authentication 1. Easy to decode username/password (u/p) 2. Even if encoding scheme was complicated, it’s easy for 3 rd party to capture u/p and replay it 3. Social engineering problems 4. No protection against proxies and intermediaries 5. Vulnerable to spoofing by counterfeit servers

11 Digest Authentication Never send password over the network Instead send a digest of the password Popular digest algorithms include MD5 and SHA

12 Secure HTTP Digital Cryptography Ciphers Keys Symmetric-key cryptosystems Asymmetric-key cryptosystems Public-key cryptography Digital signatures Digital certificates

13 Basics of Cryptography Relationship between the plaintext and the ciphertext

14 Monoalphabetic substitution each letter replaced by different letter Given the encryption key, easy to find decryption key Secret-key crypto called symmetric-key crypto Secret-Key Cryptography

15 Public-Key Cryptography All users pick a public key/private key pair publish the public key private key not published Public key is the encryption key private key is the decryption key

16 One-Way Functions Function such that given formula for f(x) easy to evaluate y = f(x) But given y computationally infeasible to find x

17 Digital Signatures Computing a signature block What the receiver gets (b)

18 Digital Certificates Certificates contain information about Name and hostname of website Public key of the website Name of the signing authority Expiration date Validity period Signature from the signing authority...

19 Secure HTTP HTTPS: The details Most popular secure version of HTTP It is widely implemented and available in all major browsers and servers Provides a powerful set of symmetric, asymmetric and certificate-based cryptographic techniques

20 Secure HTTP Instead of sending HTTP messages over unencrypted transport layer, send them over secure transport layer The transport layer is SSL or TSL Steps in using HTTPS Client prefixes request with https Connection is made to port 443 All information is encrypted Binary protocol

21 Secure HTTP Client and Server need to do SSL handshake Exchange protocol version numbers Select a cipher that each side knows Authenticate the identity of each side Generate temporary session keys to encrypt the channel

Download ppt "CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP."

Similar presentations

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.

Presented by Fengmei Zou Date: Feb. 10, 2000 The Secure Sockets Layer (SSL) Protocol.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Cryptographic Security Presented by: Josh Baker October 9 th, 2012 1CS5204 – Operating Systems.

Cryptographic Security Presented by: Josh Baker October 9 th, CS5204 – Operating Systems.
More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.

More on SSL/TLS. Internet security: TLS TLS is one of the more prominent internet security protocols. TLS is one of the more prominent internet security.
Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.

Web Security CS-431. HTTP Authentication Protect web content from those who don’t have a “need to know” Require users to authenticate using a userid/password.
Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.

Http Web Authentication Web authentication is used to verify a users identity before allowing access to certain web pages On web browsers you get a login.
1 Secure HTTP Herng-Yow Chen. 2 Outline When digest authentication is not strong enough? How a more complicated technology secures HTTP transactions from.

1 Secure HTTP Herng-Yow Chen. 2 Outline When digest authentication is not strong enough? How a more complicated technology secures HTTP transactions from.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Principles of Information Security, 2nd edition1 Cryptography.

Principles of Information Security, 2nd edition1 Cryptography.
Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas

Lesson Title: Introduction to Cryptography Dale R. Thompson Computer Science and Computer Engineering Dept. University of Arkansas
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 29 Cryptography and Network.
Security Chapters 14,15. The Security Environment Threats Security goals and threats.

Security Chapters 14,15. The Security Environment Threats Security goals and threats.
Security Chapters 14,15. The Security Environment Threats Security goals and threats.

Security Chapters 14,15. The Security Environment Threats Security goals and threats.
1 Encryption What is EncryptionWhat is Encryption Types of EncryptionTypes of Encryption.

1 Encryption What is EncryptionWhat is Encryption Types of EncryptionTypes of Encryption.
BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.

BY MUKTADIUR RAHMAN MAY 06, 2010 INTERODUCTION TO CRYPTOGRAPHY.
Security Chapter 9 9.1 The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from.

Security Chapter The security environment 9.2 Basics of cryptography 9.3 User authentication 9.4 Attacks from inside the system 9.5 Attacks from.

Similar presentations

Ads by Google