SlideShare a Scribd company logo

Design and Analyze Secure Networked Systems - 3

D
Don Kim

Design and Analyze Secure Networked Systems Prof. Edward Chow @ Colorado Univ. Note by waegaein@github.com

Software
1 of 20
Download to read offline
Design and Analyze Secure Networked Systems 3 Prof. Edward Chow @ Colorado Univ. Note by waegaein@github.com
Principle of Least Privileges • Every program and user of the system should operate using the lest set of privileges necessary to complete the job. • Unintentional, unwanted, or improper uses of privileges are less likely to occur. • It limits the damage from error, accident, or break-in. E.g. • User's home directory • drwx------. • Only owner can access. • Sharing documents with read-only permission • -rw-r--r--. • Only owner can write. • Append-only permission for log file • drwxr-sr-x+ • Logs cannot be overwritten. • Plus means extended access control like append-only.
Principle of Adequate Protection • Computer items must be protected only until they lose their value. • PII (Personally Identifiable Information) never lose their values, thus they need to be encrypted in storage and in transmission.
Certificate Signing and Installation 1. Service provider requests server certificate to certificate authority (e.g. Symantec) for signing. 2. Certificate authority hashes the certificate content to generate message digest. (e.g. SHA-256) 3. Certificate authority encrypts the digest using its private key to generate signature. 4. Certificate authority append the signature along with certificate content to form a digital certificate. 5. Certificate authority sends the digital certificate back to the service provider. 6. Service provider installs the digital certificate on its web servers.
Certificate Signing and Installation Service Provider Certificate Authority
Certificate Signing and Installation Service Provider Certificate Authority Requests server certificate
Certificate Signing and Installation Service Provider Certificate Authority Requests server certificate Certificate Content
Certificate Signing and Installation Service Provider Certificate Authority Requests server certificate Certificate Content Message DigestHash e.g. SHA-256
Certificate Signing and Installation Service Provider Certificate Authority Requests server certificate Certificate Content Message DigestHash e.g. SHA-256 Encrypt (private key)
Certificate Signing and Installation Service Provider Certificate Authority Requests server certificate Certificate Content Message DigestHash e.g. SHA-256 Encrypt (private key) Digital Certificate
Certificate Signing and Installation Service Provider Certificate Authority Requests server certificate Certificate Content Message DigestHash e.g. SHA-256 Encrypt (private key) Digital Certificate Return server certificate
Certificate Signing and Installation Service Provider Certificate Authority Requests server certificate Certificate Content Message DigestHash e.g. SHA-256 Encrypt (private key) Digital Certificate Return server certificate Install server certificate
Certificate Verification 1. Browser retrieves digital certificate from web server. 2. Browser extracts signature from the digital certificate. 3. Browser retrieves public key of certificate authority based on issue field in certificate. 4. Browser decrypts the signature to restore the message digest. 5. Meanwhile, the browser hashes certificate content to generate a message digest. 6. If the two digests are identical, the server is verified and good to go. 7. If those are different, it is considered to be altered.
Certificate Verification Browser Service Provider Certificate Authority
Certificate Verification Browser Service Provider Retrieve server certificate Certificate Authority
Certificate Verification Browser Service Provider Retrieve server certificate Certificate Authority
Certificate Verification Browser Service Provider Retrieve server certificate Retrieve public key Certificate Authority Issue field
Certificate Verification Browser Service Provider Retrieve server certificate Retrieve public key Certificate Authority Issue field Decrypt
Certificate Verification Browser Service Provider Retrieve server certificate Retrieve public key Certificate Authority Issue field Decrypt Hash info Hash
Certificate Verification Browser Service Provider Retrieve server certificate Retrieve public key Certificate Authority Issue field Decrypt Hash info Hash = Verified / Altered

Recommended

Cache poisoning
Cache poisoningCache poisoning
Cache poisoningAlexandraLacatus
 
Web Cache Poisoning
Web Cache PoisoningWeb Cache Poisoning
Web Cache PoisoningKuldeepPandya5
 
Http response splitting
Http response splittingHttp response splitting
Http response splittingSharath Unni
 
Simple Principles for Website Security
Simple Principles for Website SecuritySimple Principles for Website Security
Simple Principles for Website SecurityLauren Wood
 
Information Security Systems
Information Security SystemsInformation Security Systems
Information Security SystemsEyad Mhanna
 
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?BeyondTrust
 
Securing PostgreSQL from External Attack
Securing PostgreSQL from External AttackSecuring PostgreSQL from External Attack
Securing PostgreSQL from External AttackAll Things Open
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding GuideGeoffrey Vandiest
 

Recommended

Cache poisoning
Cache poisoningCache poisoning
Cache poisoningAlexandraLacatus
 
Web Cache Poisoning
Web Cache PoisoningWeb Cache Poisoning
Web Cache PoisoningKuldeepPandya5
 
Http response splitting
Http response splittingHttp response splitting
Http response splittingSharath Unni
 
Simple Principles for Website Security
Simple Principles for Website SecuritySimple Principles for Website Security
Simple Principles for Website SecurityLauren Wood
 
Information Security Systems
Information Security SystemsInformation Security Systems
Information Security SystemsEyad Mhanna
 
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?
Eyes Wide Shut: What Do Your Passwords Do When No One is Watching?BeyondTrust
 
Securing PostgreSQL from External Attack
Securing PostgreSQL from External AttackSecuring PostgreSQL from External Attack
Securing PostgreSQL from External AttackAll Things Open
 
Spa Secure Coding Guide
Spa Secure Coding GuideSpa Secure Coding Guide
Spa Secure Coding GuideGeoffrey Vandiest
 
Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web AttacksVivek Sinha Anurag
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacksRoberto Suggi Liverani
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
 
Uses of proxies
Uses of proxiesUses of proxies
Uses of proxiesProxies Rent
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopAjay Choudhary
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationStefan Achtsnit
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Http requesting smuggling
Http requesting smugglingHttp requesting smuggling
Http requesting smugglingApijay Kumar
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...Denis Kolegov
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
Introduction to Web security
Introduction to Web securityIntroduction to Web security
Introduction to Web securityjeyaselvir
 
Group18_Awesome4some:Proxy server.ppt
Group18_Awesome4some:Proxy server.pptGroup18_Awesome4some:Proxy server.ppt
Group18_Awesome4some:Proxy server.pptAnitha Selvan
 
Securing data and preventing data breaches
Securing data and preventing data breachesSecuring data and preventing data breaches
Securing data and preventing data breachesMariaDB plc
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security EcosystemPrabath Siriwardena
 
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE
 
FamilySearch Authentication Options
FamilySearch Authentication OptionsFamilySearch Authentication Options
FamilySearch Authentication OptionsJimmy Zimmerman
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
 
Web security
Web securityWeb security
Web securityMuhammad Usman
 
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkpromediakw
 

More Related Content

What's hot

Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacksRoberto Suggi Liverani
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopAjay Choudhary
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationStefan Achtsnit
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active DirectorySunny Neo
 
Http requesting smuggling
Http requesting smugglingHttp requesting smuggling
Http requesting smugglingApijay Kumar
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation SecurityAman Singh
 
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...Denis Kolegov
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security AttacksSajid Hasan
 
Introduction to Web security
Introduction to Web securityIntroduction to Web security
Introduction to Web securityjeyaselvir
 
Group18_Awesome4some:Proxy server.ppt
Group18_Awesome4some:Proxy server.pptGroup18_Awesome4some:Proxy server.ppt
Group18_Awesome4some:Proxy server.pptAnitha Selvan
 
Securing data and preventing data breaches
Securing data and preventing data breachesSecuring data and preventing data breaches
Securing data and preventing data breachesMariaDB plc
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applicationsNiyas Nazar
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security EcosystemPrabath Siriwardena
 
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE
 
FamilySearch Authentication Options
FamilySearch Authentication OptionsFamilySearch Authentication Options
FamilySearch Authentication OptionsJimmy Zimmerman
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureMongoDB
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]RootedCON
 

What's hot (20)

Presentation on Web Attacks
Presentation on Web AttacksPresentation on Web Attacks
Presentation on Web Attacks
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacks
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
 
Uses of proxies
Uses of proxiesUses of proxies
Uses of proxies
 
BSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming WorkshopBSides SG Practical Red Teaming Workshop
BSides SG Practical Red Teaming Workshop
 
Securing Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based AuthenticationSecuring Single Page Applications with Token Based Authentication
Securing Single Page Applications with Token Based Authentication
 
Attacker's Perspective of Active Directory
Attacker's Perspective of Active DirectoryAttacker's Perspective of Active Directory
Attacker's Perspective of Active Directory
 
Http requesting smuggling
Http requesting smugglingHttp requesting smuggling
Http requesting smuggling
 
Web Exploitation Security
Web Exploitation SecurityWeb Exploitation Security
Web Exploitation Security
 
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...
Non-Invasive Elimination of Logical Access Control Vulnerabilities in Web A...
 
Web Security Attacks
Web Security AttacksWeb Security Attacks
Web Security Attacks
 
Introduction to Web security
Introduction to Web securityIntroduction to Web security
Introduction to Web security
 
Group18_Awesome4some:Proxy server.ppt
Group18_Awesome4some:Proxy server.pptGroup18_Awesome4some:Proxy server.ppt
Group18_Awesome4some:Proxy server.ppt
 
Securing data and preventing data breaches
Securing data and preventing data breachesSecuring data and preventing data breaches
Securing data and preventing data breaches
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
 
Building an API Security Ecosystem
Building an API Security EcosystemBuilding an API Security Ecosystem
Building an API Security Ecosystem
 
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
FIWARE Global Summit - Adding Identity Management, Access Control and API Man...
 
FamilySearch Authentication Options
FamilySearch Authentication OptionsFamilySearch Authentication Options
FamilySearch Authentication Options
 
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More SecureLow Hanging Fruit, Making Your Basic MongoDB Installation More Secure
Low Hanging Fruit, Making Your Basic MongoDB Installation More Secure
 
Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]Carlos García - Pentesting Active Directory [rooted2018]
Carlos García - Pentesting Active Directory [rooted2018]
 

Similar to Design and Analyze Secure Networked Systems - 3

Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkpromediakw
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideHai Nguyen
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificatesStephane Potier
 
Rest API Security
Rest API SecurityRest API Security
Rest API SecurityStormpath
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applicationsArash Ramez
 
presentation2-151203145018-lva1-app6891.pdf
presentation2-151203145018-lva1-app6891.pdfpresentation2-151203145018-lva1-app6891.pdf
presentation2-151203145018-lva1-app6891.pdfGumanSingh10
 
Secure electronic transaction
Secure electronic transactionSecure electronic transaction
Secure electronic transactionNishant Pahad
 
InfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David JohanssonInfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David JohanssonDavid Johansson
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsFelipe Prado
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layerBU
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppFIWARE
 

Similar to Design and Analyze Secure Networked Systems - 3 (20)

Web security
Web securityWeb security
Web security
 
Dr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talkDr. Omar Ali Alibrahim - Ssl talk
Dr. Omar Ali Alibrahim - Ssl talk
 
Sp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guideSp 29 two_factor_auth_guide
Sp 29 two_factor_auth_guide
 
Demystifying OAuth 2.0
Demystifying OAuth 2.0Demystifying OAuth 2.0
Demystifying OAuth 2.0
 
Authentication services
Authentication servicesAuthentication services
Authentication services
 
An introduction to X.509 certificates
An introduction to X.509 certificatesAn introduction to X.509 certificates
An introduction to X.509 certificates
 
Rest API Security
Rest API SecurityRest API Security
Rest API Security
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
 
Anatomy of a Cloud Hack
Anatomy of a Cloud HackAnatomy of a Cloud Hack
Anatomy of a Cloud Hack
 
SSL
SSLSSL
SSL
 
presentation2-151203145018-lva1-app6891.pdf
presentation2-151203145018-lva1-app6891.pdfpresentation2-151203145018-lva1-app6891.pdf
presentation2-151203145018-lva1-app6891.pdf
 
Secure electronic transaction
Secure electronic transactionSecure electronic transaction
Secure electronic transaction
 
InfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David JohanssonInfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David Johansson
 
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systemsDEF CON 24 - workshop - Craig Young - brainwashing embedded systems
DEF CON 24 - workshop - Craig Young - brainwashing embedded systems
 
Secure socket layer
Secure socket layerSecure socket layer
Secure socket layer
 
SSL Everywhere!
SSL Everywhere!SSL Everywhere!
SSL Everywhere!
 
Kafka Security
Kafka SecurityKafka Security
Kafka Security
 
O auth 2
O auth 2O auth 2
O auth 2
 
CRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITYCRYPTOGRAPHY AND NETWORK SECURITY
CRYPTOGRAPHY AND NETWORK SECURITY
 
Adding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your AppAdding Identity Management and Access Control to your App
Adding Identity Management and Access Control to your App
 

More from Don Kim

Clean Code - 5
Clean Code - 5Clean Code - 5
Clean Code - 5Don Kim
 
Clean Code - 4
Clean Code - 4Clean Code - 4
Clean Code - 4Don Kim
 
Clean Code - 3
Clean Code - 3Clean Code - 3
Clean Code - 3Don Kim
 
Clean Code - 2
Clean Code - 2Clean Code - 2
Clean Code - 2Don Kim
 
Clean Code - 1
Clean Code - 1Clean Code - 1
Clean Code - 1Don Kim
 
Design and Analyze Secure Networked Systems - 7
Design and Analyze Secure Networked Systems - 7Design and Analyze Secure Networked Systems - 7
Design and Analyze Secure Networked Systems - 7Don Kim
 
Design and Analyze Secure Networked Systems - 6
Design and Analyze Secure Networked Systems - 6Design and Analyze Secure Networked Systems - 6
Design and Analyze Secure Networked Systems - 6Don Kim
 
Design and Analyze Secure Networked Systems - 5
Design and Analyze Secure Networked Systems - 5Design and Analyze Secure Networked Systems - 5
Design and Analyze Secure Networked Systems - 5Don Kim
 
Design and Analyze Secure Networked Systems - 4
Design and Analyze Secure Networked Systems - 4Design and Analyze Secure Networked Systems - 4
Design and Analyze Secure Networked Systems - 4Don Kim
 
Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2Don Kim
 
Design and Analyze Secure Networked Systems - 1
Design and Analyze Secure Networked Systems - 1Design and Analyze Secure Networked Systems - 1
Design and Analyze Secure Networked Systems - 1Don Kim
 

More from Don Kim (11)

Clean Code - 5
Clean Code - 5Clean Code - 5
Clean Code - 5
 
Clean Code - 4
Clean Code - 4Clean Code - 4
Clean Code - 4
 
Clean Code - 3
Clean Code - 3Clean Code - 3
Clean Code - 3
 
Clean Code - 2
Clean Code - 2Clean Code - 2
Clean Code - 2
 
Clean Code - 1
Clean Code - 1Clean Code - 1
Clean Code - 1
 
Design and Analyze Secure Networked Systems - 7
Design and Analyze Secure Networked Systems - 7Design and Analyze Secure Networked Systems - 7
Design and Analyze Secure Networked Systems - 7
 
Design and Analyze Secure Networked Systems - 6
Design and Analyze Secure Networked Systems - 6Design and Analyze Secure Networked Systems - 6
Design and Analyze Secure Networked Systems - 6
 
Design and Analyze Secure Networked Systems - 5
Design and Analyze Secure Networked Systems - 5Design and Analyze Secure Networked Systems - 5
Design and Analyze Secure Networked Systems - 5
 
Design and Analyze Secure Networked Systems - 4
Design and Analyze Secure Networked Systems - 4Design and Analyze Secure Networked Systems - 4
Design and Analyze Secure Networked Systems - 4
 
Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2Design and Analyze Secure Networked Systems - 2
Design and Analyze Secure Networked Systems - 2
 
Design and Analyze Secure Networked Systems - 1
Design and Analyze Secure Networked Systems - 1Design and Analyze Secure Networked Systems - 1
Design and Analyze Secure Networked Systems - 1
 

Recently uploaded

Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfkalichargn70th171
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsSafe Software
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprisepreethippts
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmSujith Sukumaran
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationPREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationvaddepallysandeep122
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceBrainSell Technologies
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEEVICTOR MAESTRE RAMIREZ
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsChristian Birchler
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样umasea
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalLionel Briand
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Mater
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtimeandrehoraa
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsAhmed Mohamed
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Developmentvyaparkranti
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Angel Borroy López
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odishasmiwainfosol
 

Recently uploaded (20)

Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdfExploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
Exploring Selenium_Appium Frameworks for Seamless Integration with HeadSpin.pdf
 
Powering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data StreamsPowering Real-Time Decisions with Continuous Data Streams
Powering Real-Time Decisions with Continuous Data Streams
 
Odoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 EnterpriseOdoo 14 - eLearning Module In Odoo 14 Enterprise
Odoo 14 - eLearning Module In Odoo 14 Enterprise
 
Intelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalmIntelligent Home Wi-Fi Solutions | ThinkPalm
Intelligent Home Wi-Fi Solutions | ThinkPalm
 
PREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentationPREDICTING RIVER WATER QUALITY ppt presentation
PREDICTING RIVER WATER QUALITY ppt presentation
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
CRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. SalesforceCRM Contender Series: HubSpot vs. Salesforce
CRM Contender Series: HubSpot vs. Salesforce
 
Cloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEECloud Data Center Network Construction - IEEE
Cloud Data Center Network Construction - IEEE
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving CarsSensoDat: Simulation-based Sensor Dataset of Self-driving Cars
SensoDat: Simulation-based Sensor Dataset of Self-driving Cars
 
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
办理学位证(UQ文凭证书)昆士兰大学毕业证成绩单原版一模一样
 
Precise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive GoalPrecise and Complete Requirements? An Elusive Goal
Precise and Complete Requirements? An Elusive Goal
 
Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)Ahmed Motair CV April 2024 (Senior SW Developer)
Ahmed Motair CV April 2024 (Senior SW Developer)
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
SpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at RuntimeSpotFlow: Tracking Method Calls and States at Runtime
SpotFlow: Tracking Method Calls and States at Runtime
 
Unveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML DiagramsUnveiling Design Patterns: A Visual Guide with UML Diagrams
Unveiling Design Patterns: A Visual Guide with UML Diagrams
 
VK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web DevelopmentVK Business Profile - provides IT solutions and Web Development
VK Business Profile - provides IT solutions and Web Development
 
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
Alfresco TTL#157 - Troubleshooting Made Easy: Deciphering Alfresco mTLS Confi...
 
2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva2.pdf Ejercicios de programación competitiva
2.pdf Ejercicios de programación competitiva
 
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company OdishaBalasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
Balasore Best It Company|| Top 10 IT Company || Balasore Software company Odisha
 

Design and Analyze Secure Networked Systems - 3

  • 1. Design and Analyze Secure Networked Systems 3 Prof. Edward Chow @ Colorado Univ. Note by waegaein@github.com
  • 2. Principle of Least Privileges • Every program and user of the system should operate using the lest set of privileges necessary to complete the job. • Unintentional, unwanted, or improper uses of privileges are less likely to occur. • It limits the damage from error, accident, or break-in. E.g. • User's home directory • drwx------. • Only owner can access. • Sharing documents with read-only permission • -rw-r--r--. • Only owner can write. • Append-only permission for log file • drwxr-sr-x+ • Logs cannot be overwritten. • Plus means extended access control like append-only.
  • 3. Principle of Adequate Protection • Computer items must be protected only until they lose their value. • PII (Personally Identifiable Information) never lose their values, thus they need to be encrypted in storage and in transmission.
  • 4. Certificate Signing and Installation 1. Service provider requests server certificate to certificate authority (e.g. Symantec) for signing. 2. Certificate authority hashes the certificate content to generate message digest. (e.g. SHA-256) 3. Certificate authority encrypts the digest using its private key to generate signature. 4. Certificate authority append the signature along with certificate content to form a digital certificate. 5. Certificate authority sends the digital certificate back to the service provider. 6. Service provider installs the digital certificate on its web servers.
  • 5. Certificate Signing and Installation Service Provider Certificate Authority
  • 6. Certificate Signing and Installation Service Provider Certificate Authority Requests server certificate
  • 7. Certificate Signing and Installation Service Provider Certificate Authority Requests server certificate Certificate Content
  • 8. Certificate Signing and Installation Service Provider Certificate Authority Requests server certificate Certificate Content Message DigestHash e.g. SHA-256
  • 9. Certificate Signing and Installation Service Provider Certificate Authority Requests server certificate Certificate Content Message DigestHash e.g. SHA-256 Encrypt (private key)
  • 10. Certificate Signing and Installation Service Provider Certificate Authority Requests server certificate Certificate Content Message DigestHash e.g. SHA-256 Encrypt (private key) Digital Certificate
  • 11. Certificate Signing and Installation Service Provider Certificate Authority Requests server certificate Certificate Content Message DigestHash e.g. SHA-256 Encrypt (private key) Digital Certificate Return server certificate
  • 12. Certificate Signing and Installation Service Provider Certificate Authority Requests server certificate Certificate Content Message DigestHash e.g. SHA-256 Encrypt (private key) Digital Certificate Return server certificate Install server certificate
  • 13. Certificate Verification 1. Browser retrieves digital certificate from web server. 2. Browser extracts signature from the digital certificate. 3. Browser retrieves public key of certificate authority based on issue field in certificate. 4. Browser decrypts the signature to restore the message digest. 5. Meanwhile, the browser hashes certificate content to generate a message digest. 6. If the two digests are identical, the server is verified and good to go. 7. If those are different, it is considered to be altered.
  • 14. Certificate Verification Browser Service Provider Certificate Authority
  • 15. Certificate Verification Browser Service Provider Retrieve server certificate Certificate Authority
  • 16. Certificate Verification Browser Service Provider Retrieve server certificate Certificate Authority
  • 17. Certificate Verification Browser Service Provider Retrieve server certificate Retrieve public key Certificate Authority Issue field
  • 18. Certificate Verification Browser Service Provider Retrieve server certificate Retrieve public key Certificate Authority Issue field Decrypt
  • 19. Certificate Verification Browser Service Provider Retrieve server certificate Retrieve public key Certificate Authority Issue field Decrypt Hash info Hash
  • 20. Certificate Verification Browser Service Provider Retrieve server certificate Retrieve public key Certificate Authority Issue field Decrypt Hash info Hash = Verified / Altered