Online Security
Tuesday April 8, 2003
Maxence Crossley
Outline
How do we authenticate a service?
How do we encrypt a session?
How do we prevent a “replay attack”?
Another Problem: Spoofing
How do we authenticate a service?
Certification Authorities (CAs): VeriSign, SecureNet, Digital Signature Trust
CAs issue, distribute and store certificates: a CA signs a certificate that binds a server's name to its public key, so a client that already trusts the CA can trust the key the server presents
Public Key Cryptography
Server publishes its public key in a certificate issued by a Certification Authority
Client encrypts the message with the server's public key
Server decrypts the message with its private key, which never leaves the server
Source: http://waubonsie.com/security/www.html
Private (Shared Secret) Key Cryptography
Server and client share a single secret key, known only to the two of them
Client encrypts the message with the shared key
Server decrypts the message with the same shared key
Source: http://waubonsie.com/security/www.html
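The two slides above fit together in practice: the public key is used to move a short secret, and the shared key then protects the bulk of the traffic. The Go program below is an added example, not code from the slides or from the waubonsie.com source. It assumes a hypothetical Server type that holds the key pair; the client wraps a fresh 256-bit session key with RSA-OAEP under the server's public key, the server unwraps it with its private key, and both sides then use that key with AES-GCM. All type and function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Server holds the key pair whose public half would be published in the server's certificate.
type Server struct{ key *rsa.PrivateKey }

func NewServer() *Server {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &Server{key: key}
}

// PublicKey is the half the server publishes; the private half never leaves the server.
func (s *Server) PublicKey() *rsa.PublicKey { return &s.key.PublicKey }

// ClientWrapSecret is the public-key step: the client draws a fresh 256-bit session key from
// the CSPRNG and encrypts it with the server's public key (RSA-OAEP, SHA-256).
func ClientWrapSecret(pub *rsa.PublicKey) (secret, wrapped []byte, err error) {
	secret = make([]byte, 32)
	if _, err = rand.Read(secret); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
	return secret, wrapped, err
}

// UnwrapSecret is the matching server step; only the holder of the private key can recover it.
func (s *Server) UnwrapSecret(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.key, wrapped, nil)
}

// SealRecord and OpenRecord are the shared-key step: once both sides hold the same secret,
// bulk data travels under AES-256-GCM with a fresh random nonce prefixed to each record.
func SealRecord(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

func OpenRecord(key, record []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(record) < n {
		return nil, fmt.Errorf("record too short")
	}
	return gcm.Open(nil, record[:n], record[n:], nil) // GCM rejects any modified record
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	srv := NewServer()
	secret, wrapped, _ := ClientWrapSecret(srv.PublicKey())
	serverSecret, _ := srv.UnwrapSecret(wrapped)
	record, _ := SealRecord(secret, []byte("GET /secured-file"))
	plain, err := OpenRecord(serverSecret, record)
	fmt.Printf("server read %q (err=%v); wrapped key is %d bytes\n", plain, err, len(wrapped))
}
```

RSA-OAEP with SHA-256 and a 2048-bit key can carry at most 190 bytes per operation and is far slower than a block cipher, which is why the public key moves a key rather than the file itself. A server holding a different private key cannot unwrap the secret, and a record altered in transit is rejected by GCM instead of being decrypted to garbage.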
How do we encrypt a session? SSL
Client requests a secured file
Server sends its certificate
Client checks that the CA's signature on the certificate is valid, using the CA root certificates it already holds (the CA itself is not contacted), and that the certificate names the server it asked for
Client generates a unique session key, encrypts it with the server's public key and sends it to the server; only the holder of the private key can recover it, and the rest of the session is encrypted with that key
Source: http://waubonsie.com/security/www.html
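What "checks that the signature is valid" amounts to on the client, as an added Go example that is not part of the slides: a hypothetical CA type issues certificates, and VerifyServerCert performs the client's check against a root store the client already holds, covering the two failure modes that matter, a certificate from a CA the client does not trust and a genuine certificate for a different host. The names Example Root CA, Rogue CA, shop.example.com and bank.example.com are made up for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a certification authority: a signing key and its own self-signed root certificate.
type CA struct {
	Cert *x509.Certificate
	key  *rsa.PrivateKey
}

func NewCA(name string) *CA {
	key := newKey()
	tmpl := template(name)
	tmpl.IsCA = true
	tmpl.KeyUsage |= x509.KeyUsageCertSign
	return &CA{Cert: sign(tmpl, tmpl, &key.PublicKey, key), key: key}
}

// Issue signs a certificate binding host to pub; whoever trusts this CA's root can now
// trust that pub belongs to host.
func (ca *CA) Issue(host string, pub *rsa.PublicKey) *x509.Certificate {
	tmpl := template(host)
	tmpl.DNSNames = []string{host}
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return sign(tmpl, ca.Cert, pub, ca.key)
}

// VerifyServerCert is the client side of the "signature is valid" step: the chain is checked
// against roots the client already holds (the CA is never contacted), the validity period is
// checked, and the certificate must name the host the client meant to reach, since otherwise
// any validly issued certificate would be accepted for any site.
func VerifyServerCert(presented *x509.Certificate, trusted []*x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	for _, c := range trusted {
		roots.AddCert(c)
	}
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// NewScenario builds the client's root store and two certificates for the same server key and
// host: one from the trusted CA, one from a CA the client has never heard of.
func NewScenario() (genuine, rogueIssued *x509.Certificate, trusted []*x509.Certificate) {
	trustedCA, rogueCA := NewCA("Example Root CA"), NewCA("Rogue CA") // hypothetical names
	serverKey := newKey()
	genuine = trustedCA.Issue("shop.example.com", &serverKey.PublicKey) // hypothetical host
	rogueIssued = rogueCA.Issue("shop.example.com", &serverKey.PublicKey)
	return genuine, rogueIssued, []*x509.Certificate{trustedCA.Cert}
}

func newKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

func template(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
}

// sign creates and parses a certificate; parent == tmpl yields a self-signed certificate.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func main() {
	genuine, rogueIssued, trusted := NewScenario()
	fmt.Println("genuine certificate:", VerifyServerCert(genuine, trusted, "shop.example.com"))
	fmt.Println("rogue CA:", VerifyServerCert(rogueIssued, trusted, "shop.example.com"))
	fmt.Println("wrong host:", VerifyServerCert(genuine, trusted, "bank.example.com"))
}
```

The root store is the whole basis of trust: a certificate is only as good as the CA in that store that signed it, and a verifier that skips the host-name check accepts any certificate the CA ever issued, for any site.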
How do we encrypt a session? (three diagram slides; the slide content is an image)
Source: http://waubonsie.com/security/www.html
What is a “replay attack”?
When an attacker uses captured authentication tokens to gain access to a user’s account while bypassing normal authentication
Example: sniffing a URL that carries a session ID in it; by replaying that session ID the attacker obtains access to the user’s account
Source: http://www.owasp.org/asac/auth-session/replay.shtml
Countermeasures
Source: http://www.owasp.org/asac/auth-session/replay.shtml
“Generate hard to reverse-engineer Session IDs for authenticated web users (i.e. use strong crypto, MD5 hashes, etc.)”
“Build and require SSL (or other encryption) into the web application so that the authentication token can not be easily sniffed in transit between browser and server; Ensure that all cookies enable the "secure" field (see OWASP's explanation of cookies)”
Countermeasures
Source: http://www.owasp.org/asac/auth-session/replay.shtml
“Provide a logout function that expires all cookies and other authentication tokens”
“Users can choose not to select the "Remember Me" option on web application accounts so that authentication tokens are not persistent after logout”
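The four quoted countermeasures as one server-side session store, added here as a Go example that is not part of the slides or of the OWASP page they quote. The ID is drawn directly from the operating system's CSPRNG (hashing a predictable value with MD5 would not make it unpredictable), the cookie is marked Secure and HttpOnly, logout deletes the server-side record so a captured ID cannot be replayed afterwards, and a login without "remember me" gets a cookie with no MaxAge, which the browser drops when it closes. The Store, session and cookie names and the lifetimes are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"sync"
	"time"
)

// NewSessionID draws 128 bits from the operating system's CSPRNG. That is what a
// "hard to reverse-engineer" ID has to mean: nothing derived from the user name, the time or a
// counter, whether or not it is hashed afterwards.
func NewSessionID() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

type session struct {
	user    string
	expires time.Time
}

// Store is the server-side session table. Keeping the record on the server is what makes logout
// effective: a cookie deleted in one browser may already have been captured elsewhere.
type Store struct {
	mu       sync.Mutex
	sessions map[string]session
	Now      func() time.Time // clock, replaceable for testing expiry
}

func NewStore() *Store { return &Store{sessions: map[string]session{}, Now: time.Now} }

var ErrNoSession = errors.New("no valid session")

// Login creates a session and the cookie that carries it. Secure: the browser sends it only over
// HTTPS, so it cannot be sniffed in transit. HttpOnly: page scripts cannot read it. Without
// "remember me" the cookie gets no MaxAge, so the browser discards it when it is closed.
func (s *Store) Login(user string, rememberMe bool) (*http.Cookie, error) {
	id, err := NewSessionID()
	if err != nil {
		return nil, err
	}
	ttl := 30 * time.Minute
	if rememberMe {
		ttl = 30 * 24 * time.Hour
	}
	s.mu.Lock()
	s.sessions[id] = session{user: user, expires: s.Now().Add(ttl)}
	s.mu.Unlock()
	c := &http.Cookie{Name: "sid", Value: id, Path: "/", Secure: true, HttpOnly: true, SameSite: http.SameSiteLaxMode}
	if rememberMe {
		c.MaxAge = int(ttl / time.Second)
	}
	return c, nil
}

// Authenticate maps a presented session ID back to its user, refusing unknown or expired IDs.
func (s *Store) Authenticate(id string) (string, error) {
	s.mu.Lock()
	defer s.mu.Unlock()
	sess, ok := s.sessions[id]
	if !ok || !s.Now().Before(sess.expires) {
		delete(s.sessions, id)
		return "", ErrNoSession
	}
	return sess.user, nil
}

// Logout removes the server-side record and returns a cookie that tells the browser to drop its
// copy. From now on a replayed ID is refused even if an attacker still holds it.
func (s *Store) Logout(id string) *http.Cookie {
	s.mu.Lock()
	delete(s.sessions, id)
	s.mu.Unlock()
	return &http.Cookie{Name: "sid", Value: "", Path: "/", MaxAge: -1, Secure: true, HttpOnly: true}
}

func main() {
	st := NewStore()
	c, _ := st.Login("alice", false)
	fmt.Println("Set-Cookie:", c.String())
	user, err := st.Authenticate(c.Value)
	fmt.Println("before logout:", user, err)
	st.Logout(c.Value)
	_, err = st.Authenticate(c.Value) // a captured cookie replayed after logout
	fmt.Println("after logout:", err)
}
```

Carrying the ID in a cookie rather than in the URL also keeps it out of proxy logs, browser history and Referer headers, which is where the URL-sniffing case on the previous slide usually starts.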
Another Problem: Spoofing
Web users rely on visual cues when deciding to trust a site: location bar information, SSL icons, SSL warnings, certificate information, response time
These cues can be forged: a malicious page can draw its own imitation of the location bar, lock icon and certificate dialogs inside its content area, so that nothing the user sees proves which server they are talking to
Source: http://www.cs.dartmouth.edu/~pkilab/demos/spoofing/
Spoofing (two demonstration slides; the slide content is an image)
Source: http://www.cs.dartmouth.edu/~pkilab/demos/spoofing/
Countermeasures
Mozilla with SRD (synchronized random dynamic) boundary
Trusted reference window in the lower right corner
Untrusted outer window
Boundary colors chosen at random for each session, so a page cannot predict and imitate them
Source: http://www.cs.dartmouth.edu/~pkilab/demos/countermeasures/