Security on the World Wide Web
Content
WWW History & architecture
Security issues & WWW
Cryptography principles
Securing the WWW
World Wide Web: general architecture
Network
Organized as a layered model
Number of layers and content of layers differ from network to network
2 important reference models:
• OSI (7 layers)
• TCP/IP (4 layers, used for the Internet)
TCP/IP Reference Model
Application Layer
Transport Layer
Internet Layer
Host-to-Network
TCP/IP Reference Model
• Layered model
• Each layer offers functionality to layer above
• Separation of concerns
TCP/IP Reference Model: Internet Layer
• Inject packets into the network
• Major issue: packet routing
• Defines an official packet format and protocol, named IP
TCP/IP Reference Model: Transport Layer
• To let peer entities on source and destination communicate
• Major issue: packet sequencing, flow control
• 2 protocols: TCP / UDP
TCP/IP Reference Model: Application Layer
• Applications building on layer below
• Examples: telnet, smtp, ftp, DNS, http, …
TCP/IP Reference Model: Host-to-Network
• Largely unspecified
• Host should connect to the network using some protocol so it can send IP packets
TCP/IP Reference Model: protocols
Application Layer
Transport Layer
Internet Layer
Host-to-Network
TCP/IP Reference Model: IP protocol
Keeps track of which version of the protocol the datagram belongs to
Tells how long the header is
Allows the host to tell the subnet what kind of service it wants (different possibilities of reliability and speed)
Both header and data (max. is 65535 bytes)
All fragments of one datagram have the same identification value
Tells where in the current datagram this fragment belongs
Unused bit
DF = Don’t fragment datagram (e.g. destination cannot reconstruct)
MF = More fragments
Counter used to limit packet lifetimes
When the internet layer has assembled a complete datagram, it needs to give it to a transport process (TCP, UDP)
Is useful for detecting errors generated inside a router
Verifies the header only
Address of sender
Address of receiver
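The header fields described on the IP protocol slides, read from raw bytes. This is an added example, not part of the original slides; the field names follow the standard IPv4 header layout, and the sample header and its documentation-range addresses are constructed.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words, complemented."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_ipv4_header(packet: bytes) -> dict:
    if len(packet) < 20:
        raise ValueError("shorter than the minimum 20-byte IPv4 header")
    (ver_ihl, tos, total_length, ident, flags_frag,
     ttl, proto, _stored, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    header_len = ihl * 4                    # header length is counted in 32-bit words
    if version != 4 or ihl < 5 or len(packet) < header_len:
        raise ValueError("not a well-formed IPv4 header")
    return {
        "version": version,
        "header_len": header_len,
        "type_of_service": tos,
        "total_length": total_length,       # header and data together
        "identification": ident,            # shared by all fragments of a datagram
        "df": bool(flags_frag & 0x4000),    # Don't Fragment
        "mf": bool(flags_frag & 0x2000),    # More Fragments
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,                         # counter limiting packet lifetime
        "protocol": {6: "TCP", 17: "UDP"}.get(proto, proto),
        # a valid header (checksum field included) sums to zero
        "checksum_ok": ipv4_checksum(packet[:header_len]) == 0,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }

def build_sample() -> bytes:
    """Constructed 20-byte header: DF set, TTL 64, carrying TCP."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1C46, 0x4000,
                                64, 6, 0, bytes([192, 0, 2, 1]),
                                bytes([198, 51, 100, 7])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

if __name__ == "__main__":
    for name, value in parse_ipv4_header(build_sample()).items():
        print(f"{name:16} {value}")
```

The checksum covers the header only, so changing any header byte in transit (a router decrementing the TTL, for instance) requires the checksum to be recomputed.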
TCP/IP Reference Model: TCP protocol
Both sender and receiver create endpoints (sockets)
Socket number = IP address of host + 16-bit number local to that host (= port)
Position of data in the original data stream
Acknowledges the acceptance of data from the other device
The number of 32-bit words in the TCP header. This indicates where the data begins
6-bit field not used (set to 0)
Six 1-bit flags:
• URG: to indicate if the urgent pointer is in use
• ACK: to indicate that the acknowledgement number is valid
• PSH: request the receiver to deliver the data to the application upon arrival instead of buffering
• RST: used to reset the connection
• SYN: to establish connections
• FIN: to release the connection
Defines the size of the “sliding window.”
Error checking and correction
Some events may cause TCP to stop accumulating data and transmit everything it has for that connection immediately (= urgent data)
Defines the end of the urgent data so that the receiving application knows when it is over
Most important option is the one that allows each host to specify the maximum TCP payload it is willing to accept
TCP/IP Reference Model:
UDP protocol
TCP versus UDP
TCP guarantees a fault-free transportation channel to an application
• Packets that didn’t reach the destination are sent again
• Packets that arrived in the wrong order are reordered
• ...
UDP gives no guarantees
TCP versus UDP (cont.)
TCP is a connection oriented protocol
• First establish a connection
• Use the connection for data transmission
• Release the connection
UDP is a connectionless protocol (UDP packets can be sent immediately)
TCP versus UDP (cont.)
TCP contains flow control
• Both sides of the connection can tell the other party how much data can be sent
• So when the sender sends too much data he will be slowed down by the receiver
TCP/IP Reference Model: HTTP protocol
• HTTP client opens connection to server
• HTTP client sends “request” message
• HTTP server responds
• HTTP server closes connection
TCP/IP Reference Model: HTTP protocol
Header Name | Meaning
Authorization | Send userid/password
Content-Length | How many bytes of data?
Date | Current time/date
From |
Location |
Referer | URL previously visited
User-Agent | Web browser name
TCP/IP Reference Model: sending http packets
[Figure: encapsulation. Application layer: HTTP packet (headers, data). Transport layer: the HTTP packet is carried as the data of a TCP packet (headers, data). Internet layer: the TCP packet is carried as the data of an IP packet (headers, data).]
World Wide Web & security
WWW was not designed with security in mind
Problems:
• eavesdropping
• spoofing
• altering information in transit
• executing malicious code
• …
World Wide Web: motivations for hacking
Students: for fun
Sales representative: make false claims
Businessman: steal competitors’ info
Ex-employee: revenge
Spy: steal military secrets
Stockbroker: deny promise
Client: deny acquisition
…
Security Issues
Confidentiality: secrecy of what is sent
Authentication: identification of who is sending
Integrity: message sent = message received
Nonrepudiation: sender cannot deny sending a message
Security & TCP/IP Reference Model: Host-to-Network
• Physically secure clients and servers
• Secure wires
Security & TCP/IP Reference Model: Internet Layer
• Filter (IP) packets
Security & TCP/IP Reference Model: Transport Layer
• Encrypt entire connection (transparent)
Security & TCP/IP Reference Model: Application Layer
• Explicit cryptography
• Must handle user authentication and nonrepudiation
Cryptography: introduction
What? A collection of techniques to keep information secure
Purpose twofold:
• Encrypt the original, understandable message into a non-understandable message (using an encryption key)
• Ability to decrypt the unreadable message back into its original form (using a decryption key)
Cryptography: basics (1/2)
Cryptography: basics (2/2)
Good encryption/decryption algorithm
Key length crucial
• The longer the key, the more work for the cryptanalyst
• Prevent kid from reading email: 64-bit key
• Governmental information: at least 256 bits needed
Cryptography: basic techniques
Substitution Cipher
Substitute one letter by another
• Caesar cipher: shift letters 3 positions
A -> C, B -> D, C -> E, …
• Generalization: shift letters k positions
• Improvement: monoalphabetic substitution
plain text: a b c d e f g h i j k l m n …
ciphertext: q w e r t y u i o p a s d f …
Disadvantages: statistical attacks, probable word attack
Cryptography: basic techniques
Transposition Cipher
Re-orders the letters, does not disguise them
Key is a word not containing any repeated letters (e.g. MEGABUCK)
Purpose of the key is to number the columns
Plain text is written in rows, ciphertext read out by means of columns
Safer than substitution, but still vulnerable
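The columnar transposition described above with the key MEGABUCK, as an added example that is not part of the original slides. The sample plaintext and the a, b, c, ... padding of the last row are choices made here; the last function shows why the cipher stays vulnerable: the letter frequencies of the plaintext survive unchanged.

```python
import string
from collections import Counter

def column_order(key: str) -> list:
    """Column indices in read-out order: the key letter nearest 'A' goes first."""
    key = key.upper()
    if not key.isalpha() or len(set(key)) != len(key):
        raise ValueError("key must be a word without repeated letters")
    return sorted(range(len(key)), key=lambda i: key[i])

def pad_rows(plaintext: str, width: int) -> str:
    """Keep letters only and fill the last row with a, b, c, ..."""
    text = "".join(c for c in plaintext.lower() if c.isalpha())
    return text + string.ascii_lowercase[:(-len(text)) % width]

def encrypt(plaintext: str, key: str) -> str:
    order = column_order(key)
    text = pad_rows(plaintext, len(key))
    rows = [text[i:i + len(key)] for i in range(0, len(text), len(key))]
    # write in rows, read out column by column in key order
    return "".join(row[col] for col in order for row in rows).upper()

def decrypt(ciphertext: str, key: str) -> str:
    order = column_order(key)
    if len(ciphertext) % len(key):
        raise ValueError("ciphertext length must be a multiple of the key length")
    height = len(ciphertext) // len(key)
    grid = [[""] * len(key) for _ in range(height)]
    for n, col in enumerate(order):          # n-th chunk belongs to column `col`
        for r, ch in enumerate(ciphertext[n * height:(n + 1) * height]):
            grid[r][col] = ch
    return "".join("".join(row) for row in grid).lower()   # padding is not stripped

def same_letter_counts(plaintext: str, key: str) -> bool:
    """True when the ciphertext has exactly the padded plaintext's letter counts."""
    padded = pad_rows(plaintext, len(key))
    return Counter(padded) == Counter(encrypt(plaintext, key).lower())

# Constructed sample message
SAMPLE = "please transfer one million dollars to my swiss bank account six two two"

if __name__ == "__main__":
    ct = encrypt(SAMPLE, "MEGABUCK")
    print(ct)
    print(decrypt(ct, "MEGABUCK"))
    print(same_letter_counts(SAMPLE, "MEGABUCK"))
```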
Cryptography: basic techniques
One-Time Pad
1. Choose a random bit string
2. Convert plaintext into bitstring (e.g. ASCII)
3. Compute exclusive OR of these bitstrings
Potentially unbreakable because each plaintext is a candidate
Disadvantage: key cannot be memorized, amount of data limited, tedious synchronization
Cryptography algorithms: fundamental principles
Redundancy
• To avoid garbage being misinterpreted as a valid message
Freshness
• To avoid resending old messages
Cryptography algorithms: categories
Symmetric key algorithm
• use same key to encrypt and decrypt
Public key algorithm
• one key to encrypt, another to decrypt
Hybrid cryptosystems
• public key algorithm for exchange of (symmetric) session key
Symmetric Key Algorithms
Very fast
Fairly easy to implement
Used for bulk encryption
Two techniques:
• Stream algorithms (encrypt bits of message one at a time)
• Block algorithms (encrypt a number of bits as one unit), often implemented as a network of black boxes each imposing a reversible transformation on the plaintext
Symmetric Key Algorithms: how?
Mutually decide on cryptography algorithm C & D to use
Mutually decide which key K to use
Person A uses key to produce ciphertext from the plaintext (CK(T))
Person B uses key to decrypt ciphertext back into plaintext (DK(CK(T)))
Symmetric Key Algorithms: disadvantages
Key must be exchanged secretly (the problem of key management)
Particular hacks are possible
Symmetric Key Algorithms: Data Encryption Standard
Official U.S. government standard, 1977, ANSI standard in 1981
Encrypts block of 64 bits
Uses 56 bit key
19 distinct stages
No longer safe
Symmetric Key Algorithms: other examples
DESX
• two additional steps
Triple-DES
• DES three times with different keys
IDEA
• 128 bit key
• believed to be strong
• used by PGP
RC2, RC4, RC5
Public Key Algorithms
Use of 2 keys (public key and private key)
Proposed by Diffie and Hellman (Stanford, 1976)
Slow
Difficult to produce encryption algorithm
Few existing algorithms
Public Key Algorithms: RSA
Named after inventors: Rivest, Shamir, Adleman
Based on prime factorization
Widely used
Used primarily for distributing one-time session keys for use with e.g. DES
Public Key Algorithms: other examples
Diffie-Hellman key exchange
ElGamal (based on discrete logarithms)
Digital Signature Standard (DSS)
Hybrid Cryptosystems
Use slow, public key algorithm to exchange key K
Use K as key for a symmetric key algorithm
Combines advantages of both public and private key algorithms
WWW Security
Authentication
Authentication protocols
Technique to verify that the communication partner is who it is supposed to be
E.g. Bob’s process asks the file server to delete the file salaries.txt
• Is it actually Bob’s process? → authentication
• Is Bob authorized to do that? → authorization
Authentication protocols: based on a shared secret key
Suppose Bob and Alice already have a secret key KAB
Based on sending a random number RB (challenge) to the one asking a service
Response going to challenger: KAB(RB)
Known as challenge-response protocols
Authentication protocols: Challenge - Response
Shortened protocol
This is wrong: reflection attack!!!
Authentication protocols: Reflection attack with multiple sessions
Authentication protocols: Challenge – Response
Bob doesn’t send anything before Alice is authenticated!!
Authentication protocols: Challenge – Response
Requirements
• Have initiator prove identity first
• Have initiator and responder use different keys
• Use different challenges
• Avoid unrestricted parallel sessions
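One way a verifier can apply these requirements, as an added example that is not part of the original slides. It swaps the slide's KAB(RB) for an HMAC-SHA256 over the challenge, derives a separate key per direction from the shared key, and allows one open challenge at a time; the class and function names and the peer names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

def direction_key(shared_key: bytes, prover: bytes, verifier: bytes) -> bytes:
    """Derive a separate key for each direction from the shared key."""
    label = b"prover=" + prover + b";verifier=" + verifier
    return hmac.new(shared_key, label, hashlib.sha256).digest()

def response(shared_key: bytes, challenge: bytes,
             prover: bytes, verifier: bytes) -> bytes:
    """Answer to a challenge, valid only in the direction prover -> verifier."""
    key = direction_key(shared_key, prover, verifier)
    return hmac.new(key, challenge, hashlib.sha256).digest()

class Verifier:
    """Issues challenges and checks the answers of one named peer."""

    def __init__(self, shared_key: bytes, me: bytes, peer: bytes, max_open: int = 1):
        self.shared_key, self.me, self.peer = shared_key, me, peer
        self.max_open = max_open
        self.open = set()                    # challenges still waiting for an answer

    def challenge(self) -> bytes:
        if len(self.open) >= self.max_open:  # no unrestricted parallel sessions
            raise RuntimeError("too many unanswered challenges")
        r = secrets.token_bytes(16)          # fresh random challenge
        self.open.add(r)
        return r

    def verify(self, challenge: bytes, answer: bytes) -> bool:
        if challenge not in self.open:       # unknown or already used
            return False
        self.open.discard(challenge)         # one attempt per challenge
        expected = response(self.shared_key, challenge,
                            prover=self.peer, verifier=self.me)
        return hmac.compare_digest(expected, answer)

if __name__ == "__main__":
    key = secrets.token_bytes(32)            # constructed shared key
    bob = Verifier(key, me=b"bob", peer=b"alice")
    r = bob.challenge()
    print(bob.verify(r, response(key, r, prover=b"alice", verifier=b"bob")))
```

An answer that Bob's own side would produce for the same challenge is computed under the other direction's key, so it does not verify when sent back to him.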
Authentication: Digital signatures
To solve the absence of an authorized handwritten signature for legal, financial and other documents
Basically 3 things are needed
• The receiver can verify the claimed identity of the sender
• The sender cannot later repudiate the contents of the message
• The receiver cannot possibly construct the message himself
Authentication: digital signatures
Secret key signatures
One central authority that knows everything and whom everyone trusts → Big Brother
Each user chooses a secret key and carries it by hand to BB’s office
Authentication: digital signatures
Public key signatures
No central authority needed
BB has no access to the messages
Message Digests
Signature methods often couple authentication and secrecy
Cryptography is slow, so it is desirable to be able to send signed plaintexts
De Jonge and Chaum, 1987: authentication scheme that does not require encrypting the entire message
One-way hash function computes a fixed-length bit string from an arbitrarily long piece of plaintext
Hash function is called a message digest
Given MD(P), it is impossible to find P
No 2 messages can be generated that have the same message digest
Authentication: Message Digest: Digital Signature
How?
If intruder changes P in transit, Bob will see this when he computes MD(P) himself
Bob cannot change P since there is no P’ so that MD(P) = MD(P’)
Can also be used in the BB signature protocol
Several message digest functions have been proposed (MD5, SHA, ...)
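Signing only the digest of a plaintext message, as an added example that is not part of the original slides. It assumes SHA-256 (truncated) as MD and textbook RSA without padding on a toy-sized key built from two Mersenne primes, chosen so the example runs with the standard library only; real systems use a vetted library with a padded scheme and a full-size key.

```python
import hashlib

# Toy key pair (assumption for this example): two known Mersenne primes.
P, Q = 2**89 - 1, 2**127 - 1
N, E = P * Q, 65537                        # public key (N, E)
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent, kept by the signer

def md(message: bytes) -> int:
    """Message digest as an integer, truncated to 192 bits so it is below N."""
    return int.from_bytes(hashlib.sha256(message).digest()[:24], "big")

def sign(message: bytes) -> int:
    """Signer applies the private key to MD(P), not to P itself."""
    return pow(md(message), D, N)

def signed_plaintext(message: bytes) -> tuple:
    """What is sent: the readable message plus the signature over its digest."""
    return message, sign(message)

def verify(message: bytes, signature: int) -> bool:
    """Receiver recomputes MD(P) and compares it with the opened signature."""
    return pow(signature, E, N) == md(message)

if __name__ == "__main__":
    msg, sig = signed_plaintext(b"pay 100 to Bob")     # constructed message
    print(verify(msg, sig))                            # unchanged message
    print(verify(b"pay 900 to Bob", sig))              # message altered in transit
```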
WWW Security
Communication
Communication: transport level security
Secure Socket Layer (SSL) standard
SSL creates a secure connection between a client and a server
By convention, URLs that require an SSL connection start with https://
Provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection
SSL (v. 3.0): how?
Comes with 2 strengths: 40-bit and 128-bit session key
Runs above the transport layer (TCP) and below the application layer (http, ...)
2 phases:
• Handshake
• Data transfer
SSL (v. 3.0): how?
Handshake phase
• agree on set of cryptographic algorithms
• establish set of cryptographic keys
• Web Server authenticates browser using certificates
Data transfer
• Client and server communicate using SSL Record Protocol
• SSL Record Protocol defines a message format used to transmit encrypted data
Communication: application level security
SSL does not provide nonrepudiation
In addition to SSL, messages should be digitally signed
WWW Security
Anonymity and Privacy
Anonymity and Privacy: why?
Not to reveal surfing habits
Avoid being subject of targeted spam
Camouflage illegal actions
Anonymity at application level
Browser discloses personal information
• Referring header
• User-Agent header
Cookies
• enable web server to store information on local machine
• ideal for user profiling
Same username/password for different sites
Anonymity at network level
IP address always revealed
Web proxy solution, but only for local observers
WWW Security
Current technologies
Pretty Good Privacy (1/3)
PGP is a tool, not a protocol!
Set of standards for encrypting messages, providing keys and digital signatures
DES, 3DES, CAST, IDEA, ... for symmetric encryption
RSA, DSS or Diffie-Hellman for asymmetric encryption
MD5 or SHA-1 for calculation of digests
Confidentiality, integrity, authentication, nonrepudiation
Pretty Good Privacy (2/3)
PGP is a hybrid cryptosystem
PGP first compresses the plaintext
Then PGP creates a session key (one-time only secret key)
This session key is used in a fast symmetric key algorithm to encrypt the plaintext
Session key is encrypted to the receiver’s public key
Pretty Good Privacy (3/3)
Each user maintains 2 data structures:
• Private key ring contains one or more personal private-public key pairs, so the user can change periodically
• Public key ring contains public keys of the user’s correspondents
Secure Multi Purpose Internet Mail Extensions (S/MIME)
Standard for sending files with binary attachment over the internet
Toolkit for email clients
Based on the RSA encryption method
Competitor for PGP
Confidentiality, integrity, authentication, nonrepudiation
Secure Electronic Transaction (1/2)
Cryptographic protocol for ensuring the security of financial transactions on the Internet
Three parts:
• User has an electronic wallet (digital certificate)
• Merchant also has certificates
• SET payment server (bank)
Secure Electronic Transaction (2/2)
How?
• Encrypted credit card number is sent to merchant
• Merchant digitally signs the payment and forwards it to bank
• Bank decrypts and executes
Advantage: merchants do not see credit card number
WWW Security
(Client side) Mobile Code
(Client side) Mobile Code: introduction
Examples: Java applets, ActiveX, Javascript, VBScripts, …
Dangerous: can potentially do everything the user is allowed to do
Mobile Code: Java applets
JDK 1.1
• applet runs in sandbox
• sandbox model is extremely restrictive
• trades functionality for safety
• limited environment:
No access to file system on client machine
No opening of network connections other than to the host from which the applet came
No execution of programs on client machine
Cannot even find name of user’s home directory (where JVM is located)
Mobile Code: Java applets
JDK 1.2 Security Issues
• uses digital signature
• All code can be subject to a security policy
• Security policy defines a set of permissions
• Runtime system organizes code into individual domains
• Each domain encloses a set of classes with the same set of permissions
• privileges assigned to pieces of code