1
Web Security (I)
CS 6262 Spring 04
2
How the Web Works - HTTP
  • Hypertext transfer protocol (HTTP).
  • Clients request documents (or scripts) through a
    URL.
  • Server responds with documents.
  • Stateless protocol: requests are independent.

3
How the Web Works - Other Elements
  • Hypertext markup language (HTML).
  • Other application-specific documents.
      • E.g., MIME, graphics, video/audio, PostScript,
        Java applets, etc.
  • Browsers.
      • Display HTML documents and embedded graphics.
      • Run Java programs.
      • Start helper applications.
      • ...

4
Web Vulnerabilities
  • http://www.w3.org/Security/Faq
  • Revealing private information on the server
  • Interception of client information
  • Execution of unauthorized programs
  • Denial of service
  • ...

5
Web Vulnerabilities - cgi-bin
  • cgi-bin, server-side includes
  • Risky if arbitrary arguments are allowed
  • The web server program should run under a
    particular UID (e.g., www, nobody)

6
Web Security
  • Authentication
      • Basic (username, password)
        Can be used along with a cookie
      • Digest
  • Access control via addresses
  • Multi-layered
      • S-HTTP (secure HTTP), just for HTTP
        Proposed by CommerceNet, pretty much dead
      • SSL (TLS), generic for TCP
        https: HTTP over SSL
      • IPSec

7
HTTP Authentication - Basic
  • Client doesn't know which authentication method
    the server requires
  • Client attempts access (GET, PUT, ...) normally
  • Server returns
      • 401 Unauthorized
      • Realm: the protection space
  • Client tries again with (user:password)
  • Passwords are sent in the clear
  • Repeated for each access

8
From Basic Authentication to Forms and Cookies
  • Not all sites use basic authentication
  • Many instead ask the user to type a
    username/password into an HTML form
  • The server looks up the user and sends back a cookie
  • The browser (client) resends the cookie on
    subsequent requests

9
HTTP Access Control - Digest
  • Server sends WWW-Authenticate parameters
      • Realm
      • Domain
      • Nonce, new for each 401 response
        E.g., H(client-IP:timestamp:server-secret)
      • Algorithm
        E.g., MD5

10
HTTP Access Control - Digest
  • Client sends Authorization response
      • Same nonce
      • H(A1), where A1 = user:realm:password, hashed
        together with other information
  • Stealing H(A1)
      • Only good for that realm
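The Basic and Digest exchanges of slides 7, 9 and 10 worked through in code. This is an added example, not material from the slides: the server secret, realm, user entry and client IP are constructed values, and the response formula is the RFC 2069 form of Digest (no qop), which matches the slide's description of H(A1) hashed with the nonce and other information.

```python
import base64, hashlib, hmac, time

# Constructed values for this example, not from the slides.
SERVER_SECRET = b"constructed-server-secret"
REALM = "cs6262"
# Server stores only H(A1) = MD5(user:realm:password), never the password.
USER_DB = {"alice": hashlib.md5(b"alice:cs6262:correct horse").hexdigest()}

def basic_credentials(header):
    """Basic (slide 7): header is base64(user:password); anyone who reads
    the request recovers the password."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password

def make_nonce(client_ip, timestamp):
    """Slide 9 nonce: H(client-IP:timestamp:server-secret). The timestamp
    travels in the clear so the server can recompute the nonce statelessly;
    the secret stops clients from minting their own."""
    data = f"{client_ip}:{timestamp}:".encode() + SERVER_SECRET
    return f"{timestamp}:{hashlib.md5(data).hexdigest()}"

def issue_challenge(client_ip):
    """Parameters the server sends with its 401 (realm, nonce, algorithm)."""
    nonce = make_nonce(client_ip, str(int(time.time())))
    return {"realm": REALM, "nonce": nonce, "algorithm": "MD5"}

def nonce_is_valid(nonce, client_ip, max_age=60):
    ts = nonce.partition(":")[0]
    if not ts.isdigit() or not hmac.compare_digest(nonce, make_nonce(client_ip, ts)):
        return False                      # forged, or issued to another client IP
    return time.time() - int(ts) < max_age  # stale nonces are refused

def digest_response(ha1, method, uri, nonce):
    """response = MD5(H(A1):nonce:H(A2)), H(A2) = MD5(method:uri) (RFC 2069 form, no qop)."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()

def client_response(user, password, realm, method, uri, nonce):
    """Client side: derive H(A1) from the typed password, then the response."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()
    return digest_response(ha1, method, uri, nonce)

def verify_digest(user, realm, method, uri, nonce, response, client_ip):
    """Server side: recompute from stored H(A1); H(A1) is useless outside REALM."""
    if realm != REALM or user not in USER_DB or not nonce_is_valid(nonce, client_ip):
        return False
    return hmac.compare_digest(digest_response(USER_DB[user], method, uri, nonce), response)
```

The server never needs the clear password, and a response captured on the wire is tied to one nonce, one client IP and one request URI, which is what separates this from Basic.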

11
Web Server Access Configuration
  • http://hoohoo.ncsa.uiuc.edu/docs/tutorials/user.html
  • .htaccess: per-directory configuration
  • Global configuration file: access.conf

12
SSL Overview
  • For any TCP protocol: HTTP (https://, port 443),
    NNTP, telnet, etc.
  • Secure byte stream.
  • Optional (but common) public-key server
    authentication.
  • Optional client authentication.
  • Hash: combined MD5 and SHA.
  • Encryption optional.
  • Now TLS (IETF WG).

13
SSL Architecture
  • Two layers
      • SSL record protocol provides basic security
        services
      • 3 higher-layer protocols:
        handshake, change cipher spec, alert
  • Connection
      • A transport with some service, associated with a
        session
  • Session
      • Created by handshake; defines cryptographic
        security parameters for multiple connections

14
Session and Connection
  • Session parameters
      • ID, peer certificate, compression method, cipher
        spec, master secret, is resumable.
  • Connection parameters
      • Server and client random, server write MAC
        secret, client write MAC secret, server write
        key, client write key, IV, sequence number.

15
SSL Record Protocol
  • 2 services
      • Confidentiality, message integrity
  • Layered protocol
      • Fragment application data into blocks
      • Compress data
      • Apply message authentication code (MAC) h(s, m)
        for message m and secret s
      • Encrypt with client (cw) or server (sw) write key
      • Transmit over TCP
  • Specify content type for higher protocols

16
Handshake Protocol
  • Establish security capabilities
      • Protocol version, session ID, cipher suite,
        compression method, IV
  • Server authentication and key exchange
      • Send certificate, key exchange, request client
        certificate
  • Client authentication and key exchange
      • Send certificate, key exchange, certificate
        verification
  • Finish

17
Cryptographic Computations
  • Master secret creation.
      • A pre-master secret is exchanged first
        (RSA, or Diffie-Hellman).
      • Both sides compute the master secret from the
        pre-master secret.
  • Generation of cryptographic parameters.
      • Client/server write MAC secrets, client/server
        write keys, client/server write IVs are generated
        from the master secret.

18
Cryptographic Computations - Details (1)
  • Client generates a 48-byte pre-master secret s_p
  • Master secret
      s_m = MD5(s_p || SHA('A'   || s_p || r_c || r_s))
         || MD5(s_p || SHA('BB'  || s_p || r_c || r_s))
         || MD5(s_p || SHA('CCC' || s_p || r_c || r_s))
  • where r_c, r_s = client, server random and ||
    denotes concatenation

19
Cryptographic Computations - Details (2)
  • Session keys: same construction as above, but with
    the master secret in place of s_p, generating a byte
    stream from which the following are cut out
      • Client, server MAC secret
      • Client, server write key
      • Client, server IV
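The derivation of slides 18 and 19 carried through in code, as an added example rather than anything from the slides: the 'A', 'BB', 'CCC' expansion, the 48-byte master secret, and the key block cut into MAC secrets, write keys and IVs. The pre-master secret and randoms are constructed inputs, and the MAC/key/IV lengths chosen in main() are assumptions for a SHA-1 MAC with a 3DES key and IV.

```python
import hashlib

def ssl3_expand(secret, seed, num_blocks):
    """Expansion from slides 18-19: block i is
    MD5(secret || SHA(label_i || secret || seed)) with label_i = 'A', 'BB',
    'CCC', ...; the 16-byte MD5 outputs are concatenated into a byte stream."""
    stream = b""
    for i in range(1, num_blocks + 1):
        label = bytes([ord("A") + i - 1]) * i     # 'A', 'BB', 'CCC', 'DDDD', ...
        inner = hashlib.sha1(label + secret + seed).digest()
        stream += hashlib.md5(secret + inner).digest()
    return stream

def master_secret(pre_master, client_random, server_random):
    """s_m = MD5(s_p||SHA('A'||s_p||r_c||r_s)) || ...'BB'... || ...'CCC'... (48 bytes)."""
    if len(pre_master) != 48:
        raise ValueError("SSL 3.0 pre-master secret is 48 bytes")
    return ssl3_expand(pre_master, client_random + server_random, 3)

def key_block(master, client_random, server_random, mac_len, key_len, iv_len):
    """Slide 19: the same expansion with s_m in place of s_p, then the stream is
    cut into client/server MAC secrets, write keys and IVs, in that order.
    RFC 6101 section 6.2.2 seeds this step with server random first, then
    client random; the slide's 'same as above' glosses over that swap."""
    need = 2 * (mac_len + key_len + iv_len)
    stream = ssl3_expand(master, server_random + client_random, -(-need // 16))
    layout = [("client_mac", mac_len), ("server_mac", mac_len),
              ("client_key", key_len), ("server_key", key_len),
              ("client_iv", iv_len), ("server_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = stream[pos:pos + size]
        pos += size
    return keys

if __name__ == "__main__":
    # Constructed inputs, not values from a real handshake
    s_p = bytes(range(48))
    r_c, r_s = b"\x01" * 32, b"\x02" * 32
    s_m = master_secret(s_p, r_c, r_s)
    print("master secret", s_m.hex())
    for name, value in key_block(s_m, r_c, r_s, 20, 24, 8).items():
        print(f"{name:10s} {value.hex()}")
```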