ISS Lecture 7_8

Speaker notes:
  • In its most basic form, a web application is a straight HTML request: a user instructs a web browser to contact a web server using the HTTP protocol and ask it for a specific HTML document, which the server returns to be displayed by the web browser.
  • Here is the SimpleWebServer object. First we initialize a variable that holds the port number the web server should listen on for connections from clients. Then we initialize a ServerSocket. Socket: the method of directing data to the appropriate application in a TCP/IP network; the combination of the IP address of the station and a port number makes up a socket. Think of it like an electrical socket: a web server and a web client each have a "virtual" power strip with many sockets on it, and a client talks to a server by selecting one of its own sockets and one of the server's sockets and plugging a virtual wire into each end. The run() method has an infinite loop waiting for a connection from a client. The call to ServerSocket.accept() returns a Socket object that corresponds to one unique connection on the server, which the server uses to communicate with that client. Once the connection is established, the client's request is processed.
  • processRequest() takes the client socket as input. It uses this socket to create BufferedReader and OutputStreamWriter objects. Once these communication objects are created, the method attempts to read a line of input from the client using the BufferedReader. We expect this line of input to be an HTTP GET request (as discussed earlier).
  • The StringTokenizer object is used to break up the request into its constituent parts: the command (GET) and the pathname of the file the client would like to download. If the command is a "GET", we call the serveFile() method; otherwise we issue an error. Then we close the connection to the client.
  • The first "if" removes the initial slash at the beginning of the pathname, and the second "if" sets the file to be downloaded to index.html if no other file was specified.
  • Now the method attempts to open the file and read it into the web server's memory. If the FileReader object is unable to open the file and read a byte from it, the method issues a 404 error message.
  • If the file was successfully opened, the method sends the HTTP/1.0 200 OK message and then enters a while loop that reads bytes from the file and appends them to a StringBuffer until the end of the file is reached. Then the StringBuffer is sent to the client.
  • This script takes the entered username and password and places them into a SQL command that selects rows from the users table based on the username and password. If the login is valid, the database returns the user's record; if not, it returns an empty result.
  • This SQL command means: find a row in the table users where the username is admin and the password is somepasswd. The -- starts a SQL comment: everything that follows it is disregarded. The attack was made possible because the programmer didn't filter the apostrophe (') inside the user input fields, which allowed the attacker to break out of the SQL string literal and inject custom SQL.

    1. Information System Security
       Lectures 7 and 8: Web Security
    2. References
       [1] Google Code for Educators: Sample Course Content, Web Security. http://code.google.com/edu/content/submissions/web_secu..
       [2] Network Security: The Complete Reference. R. Bragg, M. Rhodes-Ousley, K. Strassberg. McGraw-Hill Osborne, 2004.
    3. Outline
       1. Web System
       2. Web System Security
       3. Simple Web Server
       4. Web Server Security
       5. Web Browser Security
       6. Web Application Security
       7. Communication Security
    4. 1. Web System
       Generic web application work flow diagram:
    5. Web System
       [Diagram: the Web Browser (HTML forms, Java, Cookies, JavaScript, VBScript, Plug-ins, etc.) sends an http request over http/SSL/TCP/IP to the Web Server; the Web Server passes it to the Web Application (CGI, Java Servlets, ASP, SSI, J2EE, PHP, etc.), which uses Web Server Resources and Applications; the http reply travels back to the browser.]
    6. 2. Web System Security
       1. Web Server Security
       2. Web Browser Security
       3. Web Application Security
       4. Channel Security
    7. 3. Simple Web Server *
       To illustrate what can go wrong if we do not design for security in our web applications from the start, consider a simple web server implemented in Java.
       All this program does is serve documents using HTTP.
       We will walk through the code in the following slides.
       This web server only supports simple HTTP GET requests.
       * Slides 7-17 taken from [1]
    8. Some Preliminaries...
       HTTP (HyperText Transfer Protocol): the communications protocol used to connect to servers on the Web.
       Its primary function is to establish a connection with a Web server and transmit HTML pages to the client browser, or any other files required by an HTTP application.
       HTTP is stateless (i.e., each request/reply pair is independent of every other).
       Addresses of Web sites begin with an http:// prefix.
    9. Some Preliminaries...
       A typical HTTP request that a browser makes to a web server:
           GET / HTTP/1.0
       When the server receives this request for filename / (which means the root document on the web server), it attempts to load index.html. It sends back:
           HTTP/1.0 200 OK
       followed by the document contents.
    10. SimpleWebServer: main()
        /* This method is called when the program is run from the command line. */
        public static void main (String argv[]) throws Exception {
            /* Create a SimpleWebServer object, and run it */
            SimpleWebServer sws = new SimpleWebServer();
            sws.run();
        }
    11. SimpleWebServer Class
        /* imports (not shown on the original slides) */
        import java.io.*;
        import java.net.*;
        import java.util.*;

        public class SimpleWebServer {
            /* Run the HTTP server on this TCP port. */
            private static final int PORT = 8080;

            /* The socket used to process incoming connections from web clients */
            private static ServerSocket dServerSocket;

            public SimpleWebServer () throws Exception {
                dServerSocket = new ServerSocket (PORT);
            }

            public void run() throws Exception {
                while (true) {
                    /* wait for a connection from a client */
                    Socket s = dServerSocket.accept();
                    /* then process the client's request */
                    processRequest(s);
                }
            }
    12. SimpleWebServer: processRequest 1
            /* Reads the HTTP request from the client, and responds with the file
               the user requested or a HTTP error code. */
            public void processRequest(Socket s) throws Exception {
                /* used to read data from the client */
                BufferedReader br =
                    new BufferedReader (new InputStreamReader (s.getInputStream()));
                /* used to write data to the client */
                OutputStreamWriter osw =
                    new OutputStreamWriter (s.getOutputStream());
    13. SimpleWebServer: processRequest 2
                /* read the HTTP request from the client */
                String request = br.readLine();
                String command = null;
                String pathname = null;
                /* parse the HTTP request */
                StringTokenizer st = new StringTokenizer (request, " ");
                command = st.nextToken();
                pathname = st.nextToken();
    14. SimpleWebServer: processRequest 3
                if (command.equals("GET")) {
                    /* if the request is a GET, try to respond with the file
                       the user is requesting */
                    serveFile (osw, pathname);
                }
                else {
                    /* if the request is NOT a GET, return an error saying this
                       server does not implement the requested command */
                    osw.write ("HTTP/1.0 501 Not Implemented\n\n");
                }
                /* close the connection to the client */
                osw.close();
            }
    15. SimpleWebServer: serveFile 1
            public void serveFile (OutputStreamWriter osw, String pathname) throws Exception {
                FileReader fr = null;
                int c = -1;
                StringBuffer sb = new StringBuffer();
                /* remove the initial slash at the beginning of the pathname in the request */
                if (pathname.charAt(0) == '/')
                    pathname = pathname.substring(1);
                /* if there was no filename specified by the client, serve the "index.html" file */
                if (pathname.equals(""))
                    pathname = "index.html";
    16. SimpleWebServer: serveFile 2
                /* try to open file specified by pathname */
                try {
                    fr = new FileReader (pathname);
                    c = fr.read();
                }
                catch (Exception e) {
                    /* if the file is not found, return the appropriate HTTP response code */
                    osw.write ("HTTP/1.0 404 Not Found\n\n");
                    return;
                }
    17. SimpleWebServer: serveFile 3
                /* if the requested file can be successfully opened and read, then return
                   an OK response code and send the contents of the file */
                osw.write ("HTTP/1.0 200 OK\n\n");
                while (c != -1) {
                    sb.append((char)c);
                    c = fr.read();
                }
                osw.write (sb.toString());
            }   /* end of serveFile (closing braces not shown on the original slides) */
        }       /* end of class SimpleWebServer */
    18. SimpleWebServer Vulnerabilities
        Can you identify any security vulnerabilities in SimpleWebServer? Or what can go wrong?
        Yes:
        Denial of Service (DoS):
        – An attacker makes a web server unavailable, but
        – How?
        DoS on SimpleWebServer:
        – Just send a carriage return as the first message instead of a properly formatted GET message...
        – The web server crashes: readLine() returns an empty string, the first st.nextToken() throws a NoSuchElementException, and since processRequest() and run() both declare "throws Exception" nothing catches it, so it unwinds out of main() and the process exits.
        – Service to all subsequent clients is denied until the web server is restarted.
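The crash described on the slide above, and a fix, as an added example in Python (this is not the lecture's Java; it re-implements the parsing the Java slides show). handle_request_vulnerable() mirrors the Java step for step: a bare carriage return makes the second token lookup raise, and the path is opened exactly as the client sent it, which is the directory traversal problem the next section of the deck covers for IIS. handle_request_hardened() answers a malformed request line with 400 instead of raising, accepts only GET, resolves the path under a document root and refuses anything that escapes it; serve() keeps the accept loop alive by catching per-connection errors. make_demo_docroot() builds a constructed directory tree so everything runs without a real site.

```python
"""Added example, not the lecture's code: SimpleWebServer's request handling
re-implemented in Python, the vulnerable form beside a hardened one. Both
take the request line as a string so they run without a socket; serve()
wires the hardened one to a port the way run() does in the Java."""
import os
import socket
import tempfile

CRLF = "\r\n"


def handle_request_vulnerable(request_line, docroot):
    """Step for step what the Java does. An empty line makes the second
    token lookup raise (NoSuchElementException there, IndexError here); a
    closed connection hands over None and raises as well; and the path is
    opened exactly as sent, so "/../secret.txt" leaves the document root."""
    tokens = request_line.split(" ")        # StringTokenizer(request, " ")
    command = tokens[0]                     # st.nextToken()
    pathname = tokens[1]                    # st.nextToken(): raises on ""
    if command != "GET":
        return "HTTP/1.0 501 Not Implemented" + CRLF + CRLF
    if pathname.startswith("/"):            # remove the initial slash
        pathname = pathname[1:]
    if pathname == "":                      # nothing asked for: index.html
        pathname = "index.html"
    try:
        with open(os.path.join(docroot, pathname), "rb") as f:   # unchecked path
            body = f.read()
    except OSError:
        return "HTTP/1.0 404 Not Found" + CRLF + CRLF
    return "HTTP/1.0 200 OK" + CRLF + CRLF + body.decode("latin-1")


def handle_request_hardened(request_line, docroot):
    """A malformed request is a 400 for that client, not an exception for
    the server, and only files that resolve under docroot are opened."""
    if not request_line:                    # None (EOF) or "" (bare CRLF)
        return "HTTP/1.0 400 Bad Request" + CRLF + CRLF
    parts = request_line.split()
    if len(parts) < 2:
        return "HTTP/1.0 400 Bad Request" + CRLF + CRLF
    command, target = parts[0], parts[1]
    if command != "GET":
        return "HTTP/1.0 501 Not Implemented" + CRLF + CRLF
    root = os.path.realpath(docroot)
    try:
        candidate = os.path.realpath(os.path.join(root, target.lstrip("/") or "index.html"))
    except ValueError:                      # e.g. an embedded NUL byte
        return "HTTP/1.0 400 Bad Request" + CRLF + CRLF
    # realpath has collapsed every "..": refuse anything outside the root
    if candidate != root and not candidate.startswith(root + os.sep):
        return "HTTP/1.0 403 Forbidden" + CRLF + CRLF
    if not os.path.isfile(candidate):
        return "HTTP/1.0 404 Not Found" + CRLF + CRLF
    with open(candidate, "rb") as f:
        body = f.read()
    return "HTTP/1.0 200 OK" + CRLF + CRLF + body.decode("latin-1")


def serve(docroot, port=8080):
    """The accept loop of run(), except that one bad client cannot end it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen(5)
        while True:
            conn, _ = srv.accept()
            with conn, conn.makefile("r", encoding="latin-1") as reader:
                try:
                    line = reader.readline().rstrip(CRLF)
                    conn.sendall(handle_request_hardened(line, docroot).encode("latin-1"))
                except Exception as exc:    # log it; keep serving everyone else
                    print("request failed:", exc)


def make_demo_docroot():
    """Constructed fixture: <tmp>/www/index.html inside the root and
    <tmp>/secret.txt one level above it."""
    base = tempfile.mkdtemp()
    www = os.path.join(base, "www")
    os.mkdir(www)
    with open(os.path.join(www, "index.html"), "w") as f:
        f.write("<html><head><title> Hello world </title></head></html>")
    with open(os.path.join(base, "secret.txt"), "w") as f:
        f.write("not for the web")
    return www


if __name__ == "__main__":
    serve(make_demo_docroot())
```

Run it and send a bare CRLF with a raw TCP client: the hardened server answers 400 and the loop continues, whereas the vulnerable handler raises on the same input. Note that neither version URL-decodes the path, exactly like the Java, so the realpath check is the only thing standing between "/../secret.txt" and the file.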
    19. 4. Web Server Security: Overview
        Consider the following HTML code:
            <html>
            <head>
            <title> Hello world </title>
            </head>
            </html>
        Attackers can try 2 strategies to penetrate the web server hosting this HTML code:
        – Exploit web application insecurity
            There is nothing to exploit in this code
        – Hack the web server itself
            See the SimpleWebServer DoS attack
    20. Web Server Security: Goals of server attacks
        1. Web site defacement
           – Corruption of the HTML code.
           – Example: Next slide
        2. Data Corruption
           – Any data on the server can be deleted or modified.
        3. Data Theft
           – e.g., credit card numbers stolen from an e-commerce site.
        4. Denial of service
           – Clients are no longer served.
    21. [Screenshot: web site defacement example, http://www.syria-news.com]
    22. Web Server Security: Types of attacks
        1. Directory traversal
        2. Script permissions
        3. Directory Browsing
        4. Default samples
    23. Web Server Security: Types of attacks
        1. Directory traversal
           – A method for accessing directories other than the allowed ones.
           – In Microsoft's IIS, if the OS (XP) is installed on drive C: and the administrator didn't change the directory name, the default web site directory is c:\inetpub
           – Attackers can read files they are not meant to. For example, if the attacker tries
                 http://www.somesite.com/../autoexec.bat
             then the server may return the content of autoexec.bat.
    24. Web Server Security: Types of attacks
        2. Script permissions
           In order to run server-side applications (e.g., CGI, Perl, etc.), the administrator must grant execute permission to the directory where these applications reside.
           What happens if the admin grants permissions to the wrong directory?
           Example: if the admin grants execute permission to c:\, then what happens if the attacker tries
               http://www.somesite.com/../Windows/system32/cmd.exe%20%2fc%20dir
    25. Web Server Security: Types of attacks
           The web server decodes the request (%20 is a space, %2f a slash) and executes
               ../windows/system32/cmd.exe /c dir
           i.e., it lists all files in the current directory.
           – The attacker can execute commands that delete or modify files on the web server.
        3. Directory Browsing
           If directory browsing is enabled, an attacker can browse that directory and its subdirectories.
           Knowledge of the existence of some file can help an attacker launch an attack.
    26. Web Server Protection
        1. Run the web server service with least privileges.
        2. Install the most recent security patches of the server software.
        3. Install the most recent security patches of the OS.
        4. Secure other network services running on the same machine.
        5. Delete unneeded applications.
        6. Grant script permissions only to an isolated directory containing the scripts in question.
        7. Maintain adequate logs and backups.
        8. Secure your web server using third-party security products: antivirus, firewalls, vulnerability scanners, input validation, etc.
    27. 5. Web browser Security
        Browser sends requests
        – May reveal private information (in forms, cookies)
        – Also sends other information that may be damaging: IP address, OS, browser version/type, etc.
        Browser receives information and code
        – May corrupt hosts by running unsafe code
        – Information may exercise a bug in the browser allowing arbitrary remote code execution.
    28. Web browser Security
        Cookies
        – Cookie mechanism
        Mobile code
        – Java applet
        – JavaScript
        – VBScript
    29. Web browser Security: Cookies
        HTTP is stateless. This causes problems in a lot of transactions that need a concept of a "session":
        – A customer wants to purchase an item online.
        – A customer logs onto their bank to pay bills.
        – Sites like Yahoo allow users to customize their view of the portal.
        – As the user jumps from web page to web page, the server can't keep track of whether it's the same user, or another user requesting the same page.
        – Servers use cookies to keep track of their users.
        A cookie is a small record created by a web site and stored on your computer.
        – Once a cookie is saved on your computer, only the web site that created it can read it (the browser sends it back only to that site).
        – Example: Google's cookie
    30. Web browser Security: Cookies
        Google's PREF cookie as stored by the browser (name, value, domain/path, flags, expiry and creation times):
            PREF
            ID=186f76e084b84d56:TM=1193982844:LM=1193982844:S=O8OM9yhkCkr98Ej_
            google.co.uk/
            1536
            3081004544
            30038711
            2452507808
            29891852
            *
        Problems
        – Cookies maintain a record of your browsing habits and may include any information a web site knows about you
        – Browser attacks could invade your "privacy"
        – Stealing someone's cookies may allow an attacker to impersonate the victim: session hijacking
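The cookie mechanism and the session hijacking point above, as an added example in Python (not from the lecture). parse_cookie_header() splits a Cookie: header the way a server sees it, decode_pref() breaks the slide's PREF value into its fields (treating TM and LM as Unix timestamps is an assumption, made because they decode to a plausible date), and SessionStore is a minimal server-side session table: the cookie is a bearer token, so whoever presents it, victim's browser or attacker, is treated as that user. The session id and the replayed header are constructed here.

```python
"""Added example, not from the lecture: parsing the Cookie header, decoding
the PREF cookie from the slide, and a minimal session table that shows why a
stolen cookie is a stolen login."""
import datetime as dt
import secrets


def parse_cookie_header(header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; the first '=' separates name and value,
    so a value that itself contains '=' (like PREF) survives intact."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def decode_pref(value):
    """PREF is 'ID=...:TM=...:LM=...:S=...'. TM and LM are read as Unix
    timestamps (assumption; the slide's values decode to 2 Nov 2007)."""
    fields = dict(item.split("=", 1) for item in value.split(":"))
    for key in ("TM", "LM"):
        fields[key] = dt.datetime.fromtimestamp(int(fields[key]), dt.timezone.utc)
    return fields


class SessionStore:
    """Server side of the cookie mechanism: session id -> username."""

    def __init__(self):
        self._sessions = {}

    def login(self, username):
        """Issue an unguessable session id; returns the value for Set-Cookie."""
        sid = secrets.token_urlsafe(32)      # unguessable, but not unstealable
        self._sessions[sid] = username
        return "SID=" + sid

    def user_for(self, cookie_header):
        """Whoever presents a valid SID is that user: the server cannot tell
        the victim's browser from an attacker replaying the sniffed cookie."""
        sid = parse_cookie_header(cookie_header).get("SID", "")
        return self._sessions.get(sid)
```

The two calls to user_for() with the same SID, one standing for the victim and one for the attacker, return the same account; nothing in the mechanism itself distinguishes them.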
    31. Web browser Security: Mobile Code
        Mobile code runs on the client's machine.
        It is executable content (e.g., applets).
        Things to do:
        – Protect the machine from downloaded code.
        – Needs protection from content providers.
        Normal users are asked to make security decisions / policies.
        [Diagram: the Web Server delivers Mobile Code (e.g., an applet) to the Web browser, which executes the applet]
    32. 6. Web application Security
        1. SQL injection
        2. Common Gateway Interface
    33. SQL injection
        SQL (Structured Query Language) is a language that communicates with DBs. Example:
            Select * from Users where username ='admin' and password = 'somepasswd'
        – Looks for the user whose username = admin and password = somepasswd
        SQL injection is a technique to inject crafted SQL into user input fields that are part of web forms; it can be used to:
        – bypass a custom login to a web site,
        – log in to a web site, or
        – take over a site
    34. SQL injection: Simple login bypassing
        Consider the following web site's login form:
            ...
            <form action="login.asp" method="post">
              <p> Username: <input type=text name="username" /> </p>
              <p> Password: <input type=password name="password" /> </p>
              <p> <input type=submit name="submit" value="login" /> </p>
            </form>
            ...
        – It's a web page that requests 2 pieces of information from the user, username and password, and submits the information in the fields to login.asp (written in ASP)
    35. SQL injection: Simple login bypassing
        The file login.asp:
            Dim adoConnection
            Set adoConnection = Server.CreateObject("ADODB.Connection")
            ...
            Dim strLoginSQL
            strLoginSQL = "select * from users where username ='" & Request.Form("username") & "' and password ='" & Request.Form("password") & "'"
            Dim adoResult
            Set adoResult = adoConnection.Execute(strLoginSQL)
            If Not adoResult.EOF Then
                ' We are here, all went ok
            Else
                ' Wrong login
            End If
    36. SQL injection: Simple login bypassing
        If the user enters admin as a username and adminpasswd as a password, the following SQL command is constructed:
            Select * from users where username ='admin' and password = 'adminpasswd'
        The username and password are placed inside the SQL string, but without any checks:
        – What happens if an attacker enters  a' or "1"="1" --  as a username and any password?
        – The resulting SQL string is:
            Select * from users where username = 'a' or "1"="1" -- ' and password = 'anypassword'
        – This query returns data because "1"="1" is always true, and the -- comments out the password check
        – The attacker bypasses the login.
    37. SQL injection
        Worse!
        – The attacker can use built-in procedures to read or write files, or to invoke programs on the database computer
        – For example the xp_cmdshell stored procedure invokes shell commands on the server's computer, like dir, copy, rename, etc.
        – From the last example, an attacker can enter any username and
              a' exec master..xp_cmdshell 'del c:\winnt\system32\*.dll'
          as the password. This will cause the database to delete all DLLs in the specified directory.
    38. SQL injection: Solutions
        Filter all input fields for apostrophes to prevent unauthorized logins
        Filter all input fields for SQL commands like insert, select, delete, and exec to prevent server manipulation
        – Filtering is a blacklist and is easy to get wrong; the reliable fix is to use parameterized queries (prepared statements), so that user input is passed as data and is never parsed as part of the SQL statement.
        Limit input field length (which will limit hackers' options), and validate the input length with server-side scripts.
        Place the database on a different computer than the web server.
        – If the database is hacked, it'll be harder to reach the web server.
        Limit the user privileges of the server-side scripts.
        Delete all unneeded extended stored procedures to limit hackers' possibilities.
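The login bypass of slide 36 and the solutions of slide 38, run for real, as an added example in Python against SQLite (this is not the lecture's login.asp). build_query_vulnerable() concatenates exactly as strLoginSQL does; login_vulnerable() executes it and, like the ASP, treats a non-empty result as a successful login; login_parameterised() is the placeholder version; login_apostrophe_filter() is the slide's first suggestion, kept to show that it stops this payload but only by blacklisting. The users table, the admin row and the payload (the single-quote form `a' or '1'='1' -- `) are constructed here.

```python
"""Added example, not the lecture's login.asp: the same login query built by
string concatenation and with placeholders, against a constructed in-memory
SQLite users table, so the bypass on the slides can be reproduced."""
import sqlite3


def make_db():
    """Constructed fixture: one user, admin / somepasswd."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'somepasswd')")
    conn.commit()
    return conn


def build_query_vulnerable(username, password):
    """The strLoginSQL construction: the form fields are spliced into SQL."""
    return ("select * from users where username ='" + username +
            "' and password ='" + password + "'")


def login_vulnerable(conn, username, password):
    """Any row back counts as a login (ASP: If Not adoResult.EOF Then)."""
    row = conn.execute(build_query_vulnerable(username, password)).fetchone()
    return row is not None


def login_parameterised(conn, username, password):
    """The fix: the statement text is fixed and the values travel separately,
    so an apostrophe in the input can never change the statement's syntax."""
    row = conn.execute(
        "select * from users where username = ? and password = ?",
        (username, password)).fetchone()
    return row is not None


def login_apostrophe_filter(conn, username, password):
    """Slide 38's first suggestion: strip apostrophes before concatenating.
    It defeats this payload, but it is a blacklist on one character; keep it
    only as defence in depth behind placeholders."""
    return login_vulnerable(conn, username.replace("'", ""),
                            password.replace("'", ""))


# Constructed payload: closes the string literal, makes the WHERE clause
# always true, and the trailing -- comments out the password check.
BYPASS_USERNAME = "a' or '1'='1' -- "
```

Print build_query_vulnerable(BYPASS_USERNAME, "anypassword") to see the statement the database actually receives: everything from the `--` onwards, including the password comparison, is a comment.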
    39. Common Gateway Interface
        Common Gateway Interface (CGI)
        – a standard interface by which the web server hands a URL or an HTML form submission to an external program and returns that program's output to the client.
        An attacker may exploit bugs in CGI scripts to gain unauthorized access to files on the web server, or even to take control of the host.
        CGI scripts can present security holes in two ways:
        – they may intentionally or unintentionally leak information about the host system that will help hackers break in.
        – Scripts that process user input may be vulnerable to attacks in which the remote user tricks them into executing commands (always remember: "user input is evil").
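The second CGI hole above, a script tricked into executing a command, as an added example in Python (not from the lecture). greet_vulnerable() builds a shell command line from a form field, so a `;` in the field ends the script's command and starts the attacker's; greet_safe() passes the field as one argv element with no shell, so it is printed, never executed. cgi_handler() shows the decoding step a GET-based CGI script goes through on QUERY_STRING. The command is `echo` so the injected command is visible but harmless; the payload is constructed here and a POSIX /bin/sh is assumed.

```python
"""Added example, not from the lecture: a CGI-style 'greet' script that
passes a form field to a shell, beside the safe version."""
import subprocess
from urllib.parse import parse_qs


def greet_vulnerable(name):
    """Command line built from the field and run by /bin/sh: a ';' in the
    field ends our command and the rest is executed as the attacker's."""
    result = subprocess.run("echo Hello " + name, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def greet_safe(name):
    """Argument list, no shell: the field is a single argv element whatever
    characters it contains, so it is printed, not interpreted."""
    result = subprocess.run(["echo", "Hello", name],
                            capture_output=True, text=True)
    return result.stdout


def cgi_handler(query_string, safe=True):
    """What a GET-based CGI script sees: QUERY_STRING, URL-encoded. The
    server (or the script) decodes it before the value reaches the command."""
    name = parse_qs(query_string).get("name", [""])[0]
    return (greet_safe if safe else greet_vulnerable)(name)


# Constructed payload: "x; echo INJECTED", as it would arrive URL-encoded
PAYLOAD = "x; echo INJECTED"
PAYLOAD_QS = "name=x%3B+echo+INJECTED"
```

Replace `echo INJECTED` with any other command to see why the slide calls user input evil; the safe version's output does not change shape no matter what the field contains.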
    40. 7. Communication Security
        Vulnerabilities
        – Tapping or eavesdropping: occurs when a device is placed near or into the cabling.
        – Sniffing: using sniffers (special programs) to eavesdrop on the network traffic.
        – IP spoofing:
            An attacker can place any IP address as the source address of an IP datagram, so it is dangerous to base access control decisions on raw IP addresses alone.
            An attacker may be able to replay, delay, reorder, modify or inject IP datagrams.
        – DNS spoofing: a DNS server is lured into translating names (e.g., www.scs-net.org) into the attacker's IP addresses.
        Communication Protection: SSL
    41. SSL
        Secure Sockets Layer (SSL) was developed (in 1994) by Netscape Corporation to provide security between web client and server.
        SSL is designed to sit under HTTP:
        – HTTP | SSL | TCP
        SSL permits:
        – Authentication of peer entities
        – Exchange of secret keys
        – Use of the exchanged keys to authenticate and encrypt data transmitted between the communicating peer entities.
    42. SSL Architecture
        SSL consists of two sublayers:
        – SSL Record Protocol: provides security services to higher-layer protocols (in particular, HTTP), including the SSL management protocols.
        – SSL management protocols: Handshake, Change Cipher Spec, and Alert Protocols
        [Figure: SSL Architecture]
    43. SSL Record Protocol
        The SSL Record Protocol uses the keys derived from the Handshake Protocol's master key to securely deliver data.
        Provides two security functions:
        – Confidentiality and Message Integrity
        [Figure: Data is split by Fragmentation into fragments; each fragment goes through Compression (optional), MAC, and Encrypt, gets a Record protocol header, and is transmitted in a TCP segment]
    44. SSL Record Protocol
        Protected data: the SSL Record Protocol allows application protocols above SSL to be secured.
        Fragmentation: messages are broken into blocks
        Compression: optional
        – The compression algorithm is not specified
        MAC: computed over the compressed data.
        – The SSL MAC is similar to HMAC
        – The MAC key is derived from the master key.
        Encryption may be stream or block mode.
        – Symmetric encryption is used
        – There is only a limited selection of ciphers and MAC algorithms that are allowed (e.g., DES, 3DES, IDEA, RC4, etc.)
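The Record Protocol pipeline of the two slides above (fragment, optional compress, MAC over the compressed fragment, encrypt, prepend a header), as an added example in Python, not from the lecture. It is a toy: derive_keys() expands a master secret with plain HMAC rather than the SSL 3.0 PRF, and the cipher is a SHA-256 counter-mode keystream standing in for RC4/DES/3DES; the MAC, however, covers the sequence number, content type and length exactly as SSL's does, which is what makes replayed, reordered or modified records fail on receipt. The 16384-byte fragment limit and content type 23 are SSL/TLS's real values; the master secret and message are constructed.

```python
"""Added example, not from the lecture: a toy record layer with the same
pipeline as the SSL Record Protocol (fragment, optional compress, MAC,
encrypt, header). Simplified key expansion and a toy stream cipher stand
in for the real PRF and cipher suites; the structure is what is shown."""
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 16384        # 2^14 bytes, the SSL/TLS record plaintext limit
CT_APPLICATION_DATA = 23    # record content type used for application data
VERSION = (3, 0)            # SSL 3.0 in the record header
TAG_LEN = 32                # HMAC-SHA256 output length


def derive_keys(master_secret):
    """Simplified key expansion (not the SSL 3.0 PRF): one HMAC per purpose."""
    def expand(label):
        return hmac.new(master_secret, label, hashlib.sha256).digest()
    return {"mac_key": expand(b"client write MAC key"),
            "enc_key": expand(b"client write key")}


def _keystream(enc_key, seq, n):
    """Toy stream cipher: SHA-256(key || seq || counter) blocks. The sequence
    number in the input is what keeps the keystream from repeating."""
    out = bytearray()
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(enc_key + struct.pack(">QI", seq, ctr)).digest()
        ctr += 1
    return bytes(out[:n])


def _mac(mac_key, seq, ctype, fragment):
    """As in SSL, the MAC covers sequence number, content type and length as
    well as the data, so replayed, reordered or truncated records fail."""
    header = struct.pack(">QBH", seq, ctype, len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def seal(keys, plaintext, seq=0, compress=False, ctype=CT_APPLICATION_DATA):
    """Application data in, list of protected records out. A real connection
    never restarts seq under the same keys; this demo starts at 0 once."""
    records = []
    for off in range(0, len(plaintext), MAX_FRAGMENT):
        frag = plaintext[off:off + MAX_FRAGMENT]              # 1. fragmentation
        if compress:
            frag = zlib.compress(frag)                        # 2. compression
        body = frag + _mac(keys["mac_key"], seq, ctype, frag) # 3. MAC (then encrypt)
        ks = _keystream(keys["enc_key"], seq, len(body))
        ct = bytes(a ^ b for a, b in zip(body, ks))           # 4. encryption
        records.append(struct.pack(">BBBH", ctype, *VERSION, len(ct)) + ct)  # 5. header
        seq += 1
    return records


def open_record(keys, seq, record, compress=False):
    """Reverse the pipeline for one record; a bad MAC is fatal (SSL would send
    an Alert and close the connection)."""
    ctype, major, minor, length = struct.unpack(">BBBH", record[:5])
    ct = record[5:5 + length]
    if (major, minor) != VERSION or len(ct) != length or length < TAG_LEN:
        raise ValueError("decode_error")
    body = bytes(a ^ b for a, b in zip(ct, _keystream(keys["enc_key"], seq, len(ct))))
    frag, tag = body[:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(tag, _mac(keys["mac_key"], seq, ctype, frag)):
        raise ValueError("bad_record_mac")
    return zlib.decompress(frag) if compress else frag


def receive(keys, records, seq=0, compress=False):
    """Reassemble application data; sequence numbers are tracked by both
    sides, never transmitted."""
    return b"".join(open_record(keys, seq + i, r, compress)
                    for i, r in enumerate(records))
```

Swapping two records, or flipping one ciphertext bit, raises bad_record_mac because the receiver's expected sequence number no longer matches the one folded into the MAC; with compress=True the MAC is computed over the compressed bytes, as the slide states.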
    45. SSL Handshake Protocol
        Used to allow the server and client to
        – authenticate each other using certificates,
        – negotiate encryption and MAC algorithms, and
        – establish the keys used to protect data sent in SSL Records.
        Used before any application data is transmitted.
    46. S-HTTP
        Secure HTTP (S-HTTP) is a superset of HTTP with security support.
        Created in 1994 by Enterprise Integration Technology (EIT)
        Published by the IETF as RFC 2660 (Experimental).
        Allows a message to be encapsulated in various ways (message-oriented).
        Encapsulation for encryption, signing and MAC
        Not widely used (not supported by Internet Explorer or Netscape)
