Jennifer. Brad's public. key. Angelina. Man in the middl - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Jennifer. Brad's public. key. Angelina. Man in the middl


1
Chris's Top Ten Security Tips
  • Chris Seary
  • CISSP
  • MVP

2
Me
  • Securing large enterprise applications
  • Developer
  • ISO 27001 Lead Auditor

3
10. What is an X.509 certificate?
4
10. What is an X.509 certificate?
Diagram: Message → Encrypt → Jhbsx8 → Decrypt → Message
5
10. What is an X.509 certificate?
Diagram: Message → Encrypt (public key) → Jhbsx8 → Decrypt (private key) → Message
6
10. What is an X.509 certificate?
Diagram: Message → Encrypt (public key) → Jhbsx8 → Decrypt (private key) → Message
Usually includes encryption of a symmetric key!
7
10. What is an X.509 certificate?
8
10. What is an X.509 certificate?
Diagram: Private key; Certificate store
9
10. What is an X.509 certificate?
Diagram: Private key; Certificate store
Private key is the essential component!
10
10. What is an X.509 certificate?
  • Local machine
    • Certificates used by the system
    • Demo uses Network Service
  • Current user
    • Logged-on user
    • Permissions have to be granted for other users to
      access private keys

11
9. What is a PKI?
12
9. What is a PKI?
Diagram: Jennifer; Brad
13
9. What is a PKI?
Diagram: Brad's public key is sent to Jennifer
14
9. What is a PKI?
Diagram: Jennifer encrypts message with Brad's public key → Kvhdxa 6e6t4g
15
9. What is a PKI?
Diagram: Message sent (Kvhdxa 6e6t4g) from Jennifer to Brad
16
9. What is a PKI?
Diagram: Brad decrypts with Brad's private key → "Message Stuff"
17
9. What is a PKI?
Man in the middle attack
Diagram: Jennifer; Angelina in the middle; Brad
18
9. What is a PKI?
Man in the middle attack
Diagram: Brad's public key is sent, with Angelina in the path
19
9. What is a PKI?
Man in the middle attack
Diagram: Angelina keeps Brad's public key and passes Angelina's public key to Jennifer
20
9. What is a PKI?
Man in the middle attack
Diagram: Jennifer encrypts message with Angelina's public key → Gvvwh 336fwd
21
9. What is a PKI?
Man in the middle attack
Diagram: Jennifer sends message (Gvvwh 336fwd); Angelina receives it
22
9. What is a PKI?
Man in the middle attack
Diagram: Angelina decrypts message with Angelina's private key → "Message stuff"
23
9. What is a PKI?
Man in the middle attack
Diagram: Angelina changes message → "Message New"
24
9. What is a PKI?
Man in the middle attack
Diagram: Angelina encrypts using Brad's public key → Hjbsxa687 svscv
25
9. What is a PKI?
Man in the middle attack
Diagram: Angelina sends message (Hjbsxa687 svscv) to Brad
26
9. What is a PKI?
Man in the middle attack
Diagram: Brad decrypts using his private key → "Message New"
27
9. What is a PKI?
Diagram: CA; Jennifer; Brad; Brad's public key
28
9. What is a PKI?
Diagram: CA digitally signs Brad's public key
29
9. What is a PKI?
Diagram: CA digitally signs Brad's public key; Jennifer and Brad each trust the CA (CA cert placed in cert store)
30
9. What is a PKI?
Diagram: Brad's signed public key is sent to Jennifer
31
9. What is a PKI?
Diagram: Jennifer checks the signature on the cert against the CA cert's public key → Definitely Brad!
32
8. Best way to implement cryptography
  • Don't write your own algorithm
  • Use policy where possible
    • WS-Security
  • Use configuration where possible
    • IIS and SSL
  • Use simple APIs that perform crypto in one step
    • CAPICOM
    • Enterprise libraries

33
7. How do we store secrets?
  • Encryption!
  • But
  • How do we store the encryption key?

34
7. How do we store secrets?
  • DPAPI
  • Get from nugget

35
6. What's the one-hop problem?
  • I can authenticate to the web server
  • I can't authenticate to the database on another
    server

36
6. What's the one-hop problem?
Diagram: Web server → SQL
37
6. What's the one-hop problem?
Diagram: Username/password → Web server → SQL
38
6. What's the one-hop problem?
Diagram: Username/password → Web server → NTLM auth → SQL
39
6. What's the one-hop problem?
Diagram: Digest / AD cert mapping → Web server → SQL
40
6. What's the one-hop problem?
Diagram: Digest / AD cert mapping → Web server → Null session → SQL
41
6. What's the one-hop problem?
Diagram: Digest / AD cert mapping → Web server → Null session → SQL
42
6. What's the one-hop problem? Solution!
  • Protocol transition
  • Kerberos
  • Protocol transition

43
6. What's the one-hop problem? Solution!
Diagram: Any IIS authentication method (Basic, certs, Digest) → Web server → SQL
44
6. What's the one-hop problem? Solution!
Diagram: Any IIS authentication method (Basic, certs, Digest) → Web server → Kerberos auth → SQL
45
6. What's the one-hop problem? Solution!
  • Patterns and Practices Web Service Security
    Scenarios, Patterns and Implementation Guidance
    for Web Services Enhancements (WSE) 3.0
  • From MSDN

46
5. ACL, DACL and SACL: wossat?
47
4. Validation, validation, validation
  • CICO
  • Crap In Crap Out

48
4. Validation, validation, validation
  • White-list validation
    • Check for what you will allow
    • Regex
    • Many functions available on the net
  • Replace bad input
    • Escape characters
    • HTMLEncode output
    • Not a cure, but a patch
  • Negotiate acceptable input with the business when
    gathering requirements

49
3. Warning, Will Robinson!
50
2. Using SQL
51
Run down
  • 10. What is an X.509 cert?
  • 9. What is a PKI?
  • 8. Best way to implement cryptography
  • 7. How do we store secrets?
  • 6. What's the one-hop problem?
  • 5. ACL, DACL and SACL
  • 4. Validation, validation, validation
  • 3. Warning, Will Robinson!
  • 2. Using SQL

52
1. Don't develop as admin!