1. Cryptography-Security Ch17-1 Chapter 17 – Web Security 17.1 Web Security Considerations 17.2 Secure Sockets Layer and Transport Layer Security

2. Cryptography-Security Ch17-2 Web Security Web now widely used by business, government, individuals but Internet & Web are vulnerable have a variety of threats –integrity –confidentiality –denial of service –authentication need added security mechanisms

3. Cryptography-Security Ch17-3 Web Security Requirement Threats ThreatsConsequencesCountermeasure s Integrity Modification of user data Trojan horse browser Memory Modification of message traffic in transmit Loss of information Compromise of machines Vulnerability to all other threats Cryptographic checksum (hash value)

4. Cryptography-Security Ch17-4 Threats (cont.) ThreatsConsequencesCountermea sures Confidentiality Eavesdropper on the net Theft of info from server Theft of info from client Info about network configuration Info about which client talks to server Loss of information Loss of privacy Encryption Web proxy

5. Cryptography-Security Ch17-5 Threats (cont.) ThreatsConsequenc es Countermeasu res Denial of service (DOS) Killing of user threats Flooding machine with bogus threats Filling up disk or memory Isolating machine by DNS attacks Disruptive Annoying Prevent user from getting work done Hard to prevent Traffic control

6. Cryptography-Security Ch17-6 Threats (cont.) ThreatsConsequencesCountermeasu res Authentication impersonation of legitimate users Data forgery Misrepresentation of user Belief that false information is valid Cryptographic techniques Digital signature

7. Cryptography-Security Ch17-7 Put security in TCP/IP

8. Cryptography-Security Ch17-8 SSL History SSLv2 (Secure Socket Layer) –Netscape, 1994 PCT (Private Communications Technology) –Microsoft, 1995 –Compatible with SSLv2 SSLv3 –Netscape, 1996 TLSv1 (Transport Layer Socket) –ETF, 1998 –Minor changes with SSLv3, may be viewed as SSLv3.1

9. Cryptography-Security Ch17-9 SSL/TLS in network layers

10. Cryptography-Security Ch17-10 SSL/TLS as “ secure pipe ”

11. Cryptography-Security Ch17-11 Security functions 私密性 (secrecy or privacy) ： 透過加密能確保資訊 的私密性。即使訊息仍然可能會被第三者攔截，但是 他們無法閱讀這些資訊，因為他們沒有鑰匙可以開啟 加密的資料 –Asymmetric key exchange: RSA, Diffie-Hellman, etc. –Symmetric encryption: DES, 3DES, RC4, etc. 完整性 (message integrity) ： 藉由 MAC 來確保訊息 的完整性。如果在傳輸過程資料遭到竄改， 接 收 者 會 可以從 MAC 檢查出訊息遭到破壞 。 –Message Integrity: MD5, SHA-1

12. Cryptography-Security Ch17-12 Security functions (cont.) 認證 (Authentication) ： 經由數位憑證，確定另一 通訊端的真實身份 –Server authentication –Client authentication –X.509: public-key certificate

13. Cryptography-Security Ch17-13 Protocols Handshake Protocol –authenticate each other –negotiate an encryption algorithm and cryptographic keys Record Protocol –encapsulation of various higher level protocols

14. Cryptography-Security Ch17-14

15. Cryptography-Security Ch17-15 Steps of SSL

16. Cryptography-Security Ch17-16

17. Cryptography-Security Ch17-17 Data processing

18. Cryptography-Security Ch17-18 What cannot SSL do? SSL 只保障資料在 Internet 上的安全，一旦資料 到達對方之後，就以明文存在。例如，以 SSL 傳送信用卡卡號， server 端可以知道該信用卡 卡號 –SET 才可以保障 server 端的商家無法得到卡號 SSL 並不能防止送訊息的一方否認 (denial) 曾經 送過某一個訊息。

19. Cryptography-Security Ch17-19 How to use SSL httpsCommend: “ https:www.mvdis.gov.tw ”

20. Cryptography-Security Ch17-20

21. Cryptography-Security Ch17-21

22. Cryptography-Security Ch17-22

23. Cryptography-Security Ch17-23

24. Cryptography-Security Ch17-24 SSL/TLS toolkits OpenSSL –http://www.openssl.orghttp://www.openssl.org