Network Security
CIT 602
Lec 2
Dr. Ahmed Alwakeel
Assistant Professor
College of Computers and Information Technology
University of Tabuk
aalwakeel@ut.edu.sa
WEB SECURITY CONSIDERATIONS
Virtually all businesses, most government agencies, and many
individuals now have Web sites.
The number of individuals and companies with Internet access
is expanding rapidly and all of these have graphical Web
browsers.
As a result, businesses are enthusiastic about setting up
facilities on the Web for electronic commerce.
But the reality is that the Internet and the Web are extremely
vulnerable to compromises of various sorts.
Dr. Anas Bushnag 2
WEB SECURITY CONSIDERATIONS
As businesses wake up to this reality, the demand for secure
Web services grows.
We begin with a discussion of the general requirements for
Web security and then focus on three standardized schemes
that are becoming increasingly important as part of Web
commerce and that focus on security at the transport layer:
SSL/TLS, HTTPS, and SSH.
WEB SECURITY CONSIDERATIONS
The Internet is two-way.
The Web is vulnerable to attacks on the Web servers over the
Internet.
The Web is increasingly serving as a highly visible outlet for
corporate and product information and as the platform for
business transactions.
Reputations can be damaged and money can be lost if the
Web servers are subverted.
WEB SECURITY CONSIDERATIONS
Although Web browsers are very easy to use, Web servers are
relatively easy to configure and manage, and Web content is
increasingly easy to develop, the underlying software is
extraordinarily complex.
This complex software may hide many potential security flaws.
Once the Web server is subverted, an attacker may be able to
gain access to data.
Users are common clients for Web-based services. Such users
are not necessarily aware of the security risks that exist and do
not have the tools or knowledge to take effective
countermeasures.
Web Security Threats
One way to group these threats is in terms of passive and
active attacks.
Passive attacks include eavesdropping on network traffic
between browser and server and gaining access to information
on a Web site that is supposed to be restricted.
Active attacks include impersonating another user, altering
messages in transit between client and server, and altering
information on a Web site.
Web Security Threats
Another way to classify Web security threats is in terms of the
location of the threat: Web server, Web browser, and network
traffic between browser and server.
Web Traffic Security Approaches
A number of approaches to providing Web security are
possible.
One way to provide Web security is to use IP security (IPsec).
The advantage of using IPsec is that it is transparent to end
users and applications and provides a general-purpose
solution. Furthermore, IPsec includes a filtering capability so
that only selected traffic need incur the overhead of IPsec
processing.
Web Traffic Security Approaches
Another relatively general-purpose solution is to implement
security just above TCP.
The foremost example of this approach is the Secure Sockets
Layer (SSL) and the follow-on Internet standard known as
Transport Layer Security (TLS).
At this level, there are two implementation choices. For full
generality, SSL (or TLS) could be provided as part of the
underlying protocol suite and therefore be transparent to
applications.
Web Traffic Security Approaches
Alternatively, SSL can be embedded in specific packages. For
example, Netscape and Microsoft Explorer browsers come
equipped with SSL, and most Web servers have implemented
the protocol.
Application-specific security services are embedded within the
particular application.
The advantage of this approach is that the service can be
tailored to the specific needs of a given application.
SECURE SOCKET LAYER
SSL is designed to make use of TCP to provide a reliable end-to-end secure service.
SSL is not a single protocol but rather two layers of protocols.
SECURE SOCKET LAYER
The SSL Record Protocol provides basic security services to various higher-layer protocols.
In particular, the Hypertext Transfer Protocol (HTTP), which
provides the transfer service for Web client/server interaction,
can operate on top of SSL.
Three higher-layer protocols are defined as part of SSL: the Handshake Protocol, the Change Cipher Spec Protocol, and the Alert Protocol. These SSL-specific protocols are used in the management of SSL exchanges.
SECURE SOCKET LAYER
Two important SSL concepts are the SSL session and the SSL
connection, which are defined in the specification as follows:
Connection:
1. A connection is a transport (in the OSI layering model
definition) that provides a suitable type of service.
2. For SSL, such connections are peer-to-peer relationships.
3. The connections are transient. Every connection is associated
with one session.
SECURE SOCKET LAYER
Session:
An SSL session is an association between a client and a
server.
Sessions are created by the Handshake Protocol.
Sessions define a set of cryptographic security parameters
which can be shared among multiple connections.
Sessions are used to avoid the expensive negotiation of new
security parameters for each connection.
SECURE SOCKET LAYER
Between any pair of parties (applications such as HTTP on
client and server), there may be multiple secure connections.
There are a number of states associated with each session.
Once a session is established, there is a current operating state
for both read and write (i.e., receive and send).
In addition, during the Handshake Protocol, pending read and
write states are created.
Upon successful conclusion of the Handshake Protocol, the
pending states become the current states.
SSL Record Protocol
The SSL Record Protocol provides two services for SSL
connections:
Confidentiality: The Handshake Protocol defines a shared
secret key that is used for conventional encryption of SSL
payloads.
Message Integrity: The Handshake Protocol also defines a
shared secret key that is used to form a message authentication
code (MAC).
SSL Record Protocol
The Record Protocol takes an application message to be
transmitted, fragments the data into manageable blocks,
optionally compresses the data, applies a MAC, encrypts, adds
a header, and transmits the resulting unit in a TCP segment.
Received data are decrypted, verified, decompressed, and
reassembled before being delivered to higher-level users.
SSL Record Protocol
The first step is fragmentation. Each upper-layer message is fragmented into blocks of 2^14 bytes or less.
Next, compression is optionally applied.
Compression must be lossless.
The next step in processing is to compute a message
authentication code over the compressed data. For this
purpose, a shared secret key is used.
SSL Record Protocol
Next, the compressed message plus the MAC are encrypted
using symmetric encryption.
Encryption may not increase the content length by more than
1024 bytes.
The following encryption algorithms are permitted:
SSL Record Protocol
For stream encryption, the compressed message plus the MAC
are encrypted.
Note that the MAC is computed before encryption takes place
and that the MAC is then encrypted along with the plaintext or
compressed plaintext.
For block encryption, padding may be added after the MAC
prior to encryption. The padding is in the form of a number of
padding bytes followed by a one-byte indication of the length of
the padding.
SSL Record Protocol
The total amount of padding is the smallest amount such that
the total size of the data to be encrypted (plaintext plus MAC
plus padding) is a multiple of the cipher’s block length.
An example is a plaintext (or compressed text if compression is
used) of 58 bytes, with a MAC of 20 bytes (using SHA-1), that is
encrypted using a block length of 8 bytes (e.g., DES). With the
padding-length byte, this yields a total of 79 bytes. To make the
total an integer multiple of 8, one byte of padding is added.
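The record-processing steps described on these slides (fragmentation, MAC over the fragment, block-cipher padding, and the record header) as an added Python example; this is not code from the lecture or from any SSL library. It assumes HMAC-SHA1 as a stand-in for the SSL 3.0 MAC (same 20-byte tag size as the slides' example), a constructed shared key, and leaves the cipher step itself to a real crypto library; the header layout used is the standard SSL one (content type, major and minor version, 16-bit length).

```python
import hashlib
import hmac
import struct

# Limits stated on the slides: fragments of 2^14 bytes or less, and the
# MAC/padding/encryption stage may grow a fragment by at most 1024 bytes.
MAX_FRAGMENT = 2 ** 14
MAX_EXPANSION = 1024

# Constructed sample key; in SSL it would be derived by the Handshake Protocol.
MAC_KEY = b"constructed-shared-mac-secret"

# Standard SSL record header: content type (1 byte), major version, minor
# version, then the 16-bit length of the body that follows.
CONTENT_APPLICATION_DATA = 23


def fragment(message: bytes, limit: int = MAX_FRAGMENT) -> list:
    """Step 1: split an upper-layer message into blocks of at most `limit` bytes."""
    if not message:
        return [b""]
    return [message[i:i + limit] for i in range(0, len(message), limit)]


def compute_mac(key: bytes, data: bytes) -> bytes:
    """Step 3: MAC over the (optionally compressed) fragment with the shared key.
    Stand-in: HMAC-SHA1 (20-byte tag); SSL 3.0's own MAC construction differs."""
    return hmac.new(key, data, hashlib.sha1).digest()


def ssl_pad(data: bytes, block_len: int) -> bytes:
    """Step 4 (block ciphers): append the smallest run of padding bytes, then a
    one-byte padding length, so the total is a multiple of the block length."""
    pad_len = (block_len - (len(data) + 1) % block_len) % block_len
    # SSL 3.0 leaves the padding byte values unspecified; zeros are used here.
    return data + bytes(pad_len) + bytes([pad_len])


def ssl_unpad(data: bytes, block_len: int) -> bytes:
    """Receiver side: strip padding, rejecting malformed lengths."""
    if not data or len(data) % block_len != 0:
        raise ValueError("length is not a multiple of the block length")
    pad_len = data[-1]
    if pad_len + 1 > len(data):
        raise ValueError("padding length exceeds record")
    return data[:-(pad_len + 1)]


def build_record(fragment_data: bytes, block_len: int, key: bytes = MAC_KEY) -> bytes:
    """Sender: MAC, pad, check the expansion limit, prepend the header.
    Encryption of the padded body would sit between padding and the header."""
    body = ssl_pad(fragment_data + compute_mac(key, fragment_data), block_len)
    if len(body) - len(fragment_data) > MAX_EXPANSION:
        raise ValueError("record expansion exceeds 1024 bytes")
    header = struct.pack("!BBBH", CONTENT_APPLICATION_DATA, 3, 0, len(body))
    return header + body


def open_record(record: bytes, block_len: int, key: bytes = MAC_KEY) -> bytes:
    """Receiver: parse the header, unpad, split off the MAC and verify it.
    Returns the fragment, or raises ValueError on any tampering."""
    if len(record) < 5:
        raise ValueError("truncated header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    unpadded = ssl_unpad(body, block_len)
    if len(unpadded) < 20:
        raise ValueError("record too short to hold a MAC")
    data, mac = unpadded[:-20], unpadded[-20:]
    # Constant-time comparison; a plain == would leak timing information.
    if not hmac.compare_digest(mac, compute_mac(key, data)):
        raise ValueError("MAC verification failed")
    return data


def worked_example() -> tuple:
    """The slides' case: 58-byte plaintext, 20-byte MAC, 8-byte cipher blocks.
    Returns (padded body length, value of the padding-length byte)."""
    body = ssl_pad(b"A" * 58 + b"M" * 20, 8)
    return len(body), body[-1]


if __name__ == "__main__":
    print(worked_example())  # 58 + 20 + 1 padding byte + 1 length byte -> (80, 1)
    rec = build_record(b"GET / HTTP/1.0\r\n", 8)
    print(open_record(rec, 8))
```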
SSL Record Protocol
The final step of SSL Record Protocol processing is to prepare
a header consisting of the following fields: