Chapter 2 Web Security

Web security techniques include HTTP authentication, which requires users to authenticate with a username and password before accessing protected URLs. HTTPS provides more secure communication than HTTP by using SSL/TLS encryption. Common web security threats can be mitigated using techniques like firewalls, encryption, and authentication.

Web Security

Chapter 2

Lecturer: Eng. Dheeg Hajji Hassan
Master of Arts in Project Planning and Management,
MBA in Health Care Management,
MBA in Accounting and Finance,
(Double Bachelor Degree), Writer
Manager, Workplace Professional Training Institute (WPTI)

©Copyright© Eng. Dheeg Hajji Hassan (MBA in HCM, MBA in ACC) ©2024
Outline

Threats to LANs & Wireless LANs

Wireless LAN Security Techniques

Web security

Summary

Web Security

HTTP Authentication

Protect web content from those who don’t have a “need to know”

Require users to authenticate using a userid/password before
they are allowed access to certain URLs

HTTP/1.1 requires that when a user makes a request for a
protected resource the server responds with an authentication
request header

WWW-Authenticate

contains enough pertinent information to carry out a “challenge-response”
session between the user and the server

Client -> Web Server: client requests a protected resource

Web Server -> Client: server responds with a 401 (not authorized) and a challenge request (WWW-Authenticate) for the client to authenticate
Compare (3 Minutes)

HTTP vs. HTTPS: compare the two in terms of

Reasons

Objectives

Functions
Client Response

Well established clients like Firefox, Internet Explorer, etc. will
respond to the challenge request (WWW-Authenticate) by
presenting the user with a small pop-up window with data entry
fields for

userid

password

a Submit button and a Cancel button

Entering a valid userid and password posts the data to the
server; the server attempts authentication and, if the user is
authenticated, serves the originally requested resource.
WWW-Authenticate


The authentication request received by the browser will look
something like:

WWW-Authenticate: Basic realm="defaultRealm"

Basic indicates the HTTP Basic authentication is requested

realm indicates the context of the login

realms hold all of the parts of security puzzle

Users

Groups

ACLs (Access Control Lists)

Basic Authentication

userid and password are sent Base64 encoded (might as well be
plain text)

an attacker doesn't even need to decode it; all he has to do is "replay"
the blob of information he captured over and over (this is called a
"replay attack")
WWW-Authenticate


Digest Authentication

attempts to overcome the shortcomings of Basic Authentication

WWW-Authenticate: Digest realm="defaultRealm" nonce="ServerSpecificString"

see RFC 2069 for a description of the nonce; each nonce is different

the nonce is used in the browser in a 1-way function (MD5, SHA-1, ...) to
encode the userid and password for the server; this function essentially
makes the password good for only one time

Common browsers don't use Digest Authentication, but an applet could,
as an applet has access to all of the Java encryption classes needed to
create a Digest.
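The two schemes above side by side, as an added example that is not part of the slides: decoding a Basic credential shows that Base64 hides nothing, and a small RFC 2069 Digest verifier shows why a captured Digest response cannot be replayed once the server issues a new nonce. The realm is the slides' "defaultRealm"; the user account is a constructed sample.

```python
import base64
import hashlib
import secrets

REALM = "defaultRealm"
USERS = {"alice": "s3cret"}   # constructed sample account, not from the slides


def parse_basic(authorization_value):
    """Decode 'Basic <base64>'. Base64 is an encoding, not encryption: whoever
    captures this header value recovers the userid and password without a key."""
    scheme, _, blob = authorization_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    userid, _, password = base64.b64decode(blob).decode().partition(":")
    return userid, password


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(userid, password, method, uri, nonce, realm=REALM):
    """RFC 2069 response = MD5(HA1:nonce:HA2), HA1 = MD5(userid:realm:password),
    HA2 = MD5(method:uri). The nonce ties the response to one challenge."""
    ha1 = _md5(f"{userid}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    """Issues a fresh nonce per challenge and accepts a response only if it was
    computed over the nonce currently outstanding."""

    def __init__(self):
        self.nonce = None

    def challenge(self):
        self.nonce = secrets.token_hex(16)
        return f'Digest realm="{REALM}" nonce="{self.nonce}"'

    def verify(self, userid, method, uri, nonce, response):
        password = USERS.get(userid)
        if password is None or nonce != self.nonce:
            return False                   # unknown user, or stale/foreign nonce
        expected = digest_response(userid, password, method, uri, nonce)
        return secrets.compare_digest(expected, response)


def replay_is_rejected():
    """A captured Digest response is useless once the server issues a new nonce."""
    server = DigestServer()
    nonce = server.challenge().split('nonce="')[1].rstrip('"')
    resp = digest_response("alice", "s3cret", "GET", "/secret", nonce)
    first = server.verify("alice", "GET", "/secret", nonce, resp)
    server.challenge()                     # next request: new nonce
    replayed = server.verify("alice", "GET", "/secret", nonce, resp)
    return first and not replayed
```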
Secure Sockets Layer (SSL)

Invented by Netscape and made public domain for everyone’s use

An additional layer to the TCP/IP stack that sits between the
Application and Transport layers

ensures that all application data is encrypted but TCP/IP headers are
not

usually run on port 443 (default HTTPS port)

Public Key Cryptography

owner of a private key sends a public key to all who want to
communicate with him (keys are both prime factors of a large (1024
bit) number). Owner keeps the private key secret and uses it to
decrypt information sent to him that has been encrypted with the
public-key

RSA algorithm is most notable public-key cipher algorithm

Digital Certificates

issued by a disinterested third party (ex. Verisign)

the Certificate contains the public-key for the specific Web Server
and a digital signature of the certifying authority
5 Minutes Question

Why do we need Web Security?
Back to SSL

Once a secure session is established the source requests the
destination's certificate (sent in the HTTP header, unencrypted)

once the source accepts the authenticity of the certificate it uses
the public-key from the certificate to encrypt the generated
session key for protecting the conversation between the source
and destination.

Session is encrypted using a symmetric cipher (slow)

conversation is encrypted using an asymmetric cipher (fast)

it's done this way to speed up overall communications: strong
encryption (slow) is used as little as possible, while weaker
encryption is used for most exchanges

actual cipher algorithms are negotiated on a per-session basis
Java Cryptographic Packages

Separate packages that are now included as part of
1. JDK (Java developer kit)
2. JCE - Java Cryptography classes
3. JSSE - Java Secure Sockets Extension
4. JAAS - Java Authentication and Authorization Services
5. Java GSS API - Java Generic Security Services API
(Application Programming Interface)
6. SSL: Secure Sockets Layers
7. Java Certification Path API

JCE (Java Cryptography Extension)


JCE covers

encryption and decryption

symmetric bulk encryption, such as DES, RC2, and IDEA

Symmetric stream encryption, such as RC4

Asymmetric encryption, such as RSA

Password-based encryption (PBE)

key agreement

Message Authentication Code (MAC)

Strong Cryptography is the default

unlimited is available (depending on export restrictions)

JSSE(Java Secure Sockets Extension)

Provides support for communications using SSL (Secure
Sockets Layer) and TLS (Transport Layer Security)

commonly thought of as HTTPS

part of javax.net

SSL (and thus HTTPS) permits encrypted traffic to be
exchanged between the client and server.

After an SSL client initiates a conversation with an SSL server, the server
sends an X.509 certificate back to the client for authentication. The client
then checks the validity of the certificate. Assuming the server is verified,
the client generates a premaster secret key, encrypts it with the server's
public key from the certificate, and sends the encrypted key back to the
server. From this premaster key, the client and server generate a master
key for the session. After some basic handshaking, the encrypted exchange
can commence.

The JSSE library hides these inner workings of the SSL protocol
from you.
JAAS (Java Authentication and Authorization Services)

JAAS provides for the authentication of users and the
authorization of tasks based upon that authentication

Previously, anyone authenticated had access to the same
security restrictions. Now, you can control what tasks are
available for a specific authenticated user

requires modification of security policies

Java GSS-API


adds Kerberos V5 support to the Java platform.

Kerberos originated at the Massachusetts Institute of
Technology (MIT) as project Athena back in 1987.

Essentially, a network authentication protocol.

Defined in RFC 1510 from 1993

biggest draw is not having to send passwords over the net.

offers single sign-on within one domain -- if everything within the
domain has been Kerberos-enabled.

support is also provided for single sign-on across different security
realms over a network.

Used in conjunction with JAAS, once a user's identity is
established, future authentication requests are no longer
necessary.
Java Certification Path API

Certification Path API provides classes for building and
validating certificate chains, an important requirement of a
Public Key Infrastructure (PKI).

These certificates provide for the storage of security keys for
users. By trusting the issuer of a certificate that holds the keys,
and trusting the issuer of the certificate that trusts the original
certificate, you establish chains of trust

Building and validating certification paths is an important part of
many standard security protocols, such as SSL/TLS,
Secure/MIME (S/MIME), and IP Security (IPsec).

5 Minutes Question

What Java Cryptographic Packages are very important to it?
Fundamental Premise

Security cannot be considered in
isolation and to be effective must
consider the entire system

That is, network and LAN security must
be:

Consistent with other security mechanisms

E.g. application, data, hardware, and physical

Supportive of other security mechanisms

What are common tools/applications used in web security?

Web Vulnerability Scanning Tools

1. Burp Suite. A powerful tool for network protection
2. Nikto. One of the best open-source vulnerability scanner management tools
3. Paros Proxy. Java-based web proxy; Paros Proxy includes several useful tools for running security tests
4. NMap
5. Nessus Professional
6. Nexpose
5 Minutes Question

What will happen to the organization if it does not use Web Security?

Threats
LAN Threats

Network Traffic must be protected in three respects:

Protecting Integrity

Protecting Secrecy

Protecting Availability

3 Minutes Question

What do we mean by network traffic?
Specific LAN Threats

Availability

Worms/Virus DoS

Errant applications creating lots of
traffic/malformed traffic

Authentication

Spying devices on LAN

For example, a contractor connecting to LAN

Secrecy

Sniffers being connected to the LAN to collect
passwords, etc.

Authentication
Current State of LAN
Authentication

Usually none!

If in the building can plug in to the LAN

Can cause severe problems:

Using LAN for illegal purposes
(company/person may be liable)

Can more easily compromise servers

For example, send spam from your mail servers

Wireless LANs are bringing the issue out into the open
Authentication services

802.1X – IEEE standard for LAN authentication

Can use PKI certificate-based authentication

Kerberos (closed environment)

Single login (once per session)

To multiple servers/domains

‘Ticket’ for each server

X.509 (open environment)

Based on public key infrastructure

Used in SSL, IPSEC, S/MIME, SET…

One-way, two-way or three-way authentication

Kerberos

Kerberos: the network authentication protocol.

Kerberos is a network authentication protocol. It is designed to provide strong
authentication for client/server applications by using secret-key
X.509 Authentication

Notation: A and B are the two parties, Ta/Tb are timestamps, Ra/Rb are nonces, Kab is the session key, EkpubX(...) is encryption under X's public key and sgnX is X's signature over the bracketed token.

One-way authentication
A -> B: [Ta, Ra, B, EkpubB(Kab)] sgnA

Two-way authentication
A -> B: [Ta, Ra, B, EkpubB(Kab)] sgnA
B -> A: [Tb, Rb, A, Ra, EkpubA(Kab)] sgnB

Three-way authentication
A -> B: [Ta, Ra, B, EkpubB(Kab)] sgnA
B -> A: [Tb, Rb, A, Ra, EkpubA(Kab)] sgnB
A -> B: [Rb] sgnA
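The three-way exchange above as a receiver-side simulation, added here and not taken from the slides: it builds each token with the slide's fields and shows the checks the receiver performs (signature, intended recipient, timestamp freshness, echoed nonce). The signature is a stand-in: an HMAC key plays the role of each party's private key, and EkpubX(Kab) is only a labelled field, not real public-key encryption.

```python
import hashlib
import hmac
import json
import os
import time

# Stand-ins for the slide's primitives (constructed, not from the slides): an HMAC
# key plays the role of each party's private signing key (sgnA / sgnB), and
# EkpubX(Kab) is represented by a labelled field rather than public-key encryption.
SIGNING_KEYS = {"A": b"A-private-key", "B": b"B-private-key"}
MAX_SKEW = 60  # seconds a timestamp Ta/Tb may differ from the receiver's clock


def sign(party, fields):
    body = json.dumps(fields, sort_keys=True).encode()
    return {"fields": fields, "sgn": hmac.new(SIGNING_KEYS[party], body, hashlib.sha256).hexdigest()}


def verify_sig(party, token):
    body = json.dumps(token["fields"], sort_keys=True).encode()
    expected = hmac.new(SIGNING_KEYS[party], body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token["sgn"])


def make_token(sender, receiver, nonce, kab, echo=None, now=None):
    """[T, R, receiver, EkpubReceiver(Kab)] sgnSender; the reply also echoes Ra."""
    fields = {"T": time.time() if now is None else now, "R": nonce, "to": receiver,
              "E_kab": {"for": receiver, "key": kab}}
    if echo is not None:
        fields["echo"] = echo
    return sign(sender, fields)


def check_token(sender, me, token, expected_echo=None, now=None):
    """Receiver-side checks: signature, intended recipient, fresh timestamp, echoed nonce."""
    f = token["fields"]
    now = time.time() if now is None else now
    if not verify_sig(sender, token):
        return "bad signature"
    if f["to"] != me:
        return "not addressed to me"
    if abs(now - f["T"]) > MAX_SKEW:
        return "stale timestamp"
    if expected_echo is not None and f.get("echo") != expected_echo:
        return "nonce mismatch"
    return "ok"


def three_way():
    """Run the three messages of the slide and return each receiver's verdict."""
    ra, rb = os.urandom(8).hex(), os.urandom(8).hex()
    t1 = make_token("A", "B", ra, "Kab-from-A")            # A -> B
    v1 = check_token("A", "B", t1)
    t2 = make_token("B", "A", rb, "Kab-from-B", echo=ra)   # B -> A, echoes Ra
    v2 = check_token("B", "A", t2, expected_echo=ra)
    t3 = sign("A", {"R": rb})                              # A -> B: [Rb] sgnA
    v3 = "ok" if verify_sig("A", t3) and t3["fields"]["R"] == rb else "nonce mismatch"
    return v1, v2, v3
```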

IEEE 802.1X Terminology
(IEEE: Institute of Electrical and Electronics Engineers)

Roles: Supplicant, Authenticator, Authentication Server

Ports on the authenticator: Uncontrolled port, Controlled port

802.1X
• created to control access to any 802 LAN
• used as a transport for Extensible Authentication Protocol (EAP, RFC 2284)
802.1X Model

Parties: STA (supplicant), AP (authenticator), Authentication Server

STA <-> AP: Associate
AP -> STA: EAP Identity Request
STA -> AP -> Authentication Server: EAP Identity Response
Authentication Server -> AP -> STA: EAP Auth Request
STA -> AP -> Authentication Server: EAP Auth Response
Authentication Server -> AP -> STA: EAP-Success

Legend: authentication traffic (until EAP-Success); port status: normal data (after EAP-Success)
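The port behaviour behind the model above, as an added simulation that is not from the slides: the authenticator relays EAP frames through its uncontrolled port to the authentication server, and opens the controlled port for normal data only after EAP-Success. The authentication server and the credential check are constructed stand-ins for any real EAP method.

```python
class Authenticator:
    """Constructed model of the 802.1X authenticator (AP): the uncontrolled port only
    relays EAP(OL) frames to the authentication server; the controlled port carries
    normal data only once the supplicant has been authenticated."""

    def __init__(self, auth_server):
        self.auth_server = auth_server   # callable: EAP message -> EAP reply
        self.authorized = False          # controlled-port status
        self.log = []

    def receive(self, frame):
        """frame: {'kind': 'EAPOL', 'eap': {...}} or {'kind': 'DATA', 'payload': ...}."""
        if frame["kind"] == "EAPOL":
            reply = self.auth_server(frame["eap"])   # relayed via the uncontrolled port
            if reply["code"] == "Success":
                self.authorized = True               # EAP-Success opens the controlled port
            self.log.append(("relay", reply["code"]))
            return reply
        if self.authorized:
            self.log.append(("forward", frame["payload"]))
            return {"code": "Forwarded"}
        self.log.append(("drop", frame["payload"]))  # data before authentication is dropped
        return {"code": "Dropped"}


def simple_auth_server(credentials):
    """Toy authentication server (stand-in for a real EAP method): Identity Response
    gets an Auth Request; a correct Auth Response gets EAP-Success, else Failure."""
    def handle(eap):
        if eap["type"] == "Identity":
            return {"code": "Request", "type": "Auth"}
        if eap["type"] == "Auth" and credentials.get(eap["identity"]) == eap["proof"]:
            return {"code": "Success"}
        return {"code": "Failure"}
    return handle


def run_exchange(proof):
    """Replay the slide's sequence for supplicant 'sta1' (constructed credentials)."""
    ap = Authenticator(simple_auth_server({"sta1": "good-proof"}))
    data = {"kind": "DATA", "payload": "GET / HTTP/1.1"}
    before = ap.receive(data)["code"]                 # no EAP yet: dropped
    ap.receive({"kind": "EAPOL", "eap": {"type": "Identity", "identity": "sta1"}})
    result = ap.receive({"kind": "EAPOL", "eap": {"type": "Auth", "identity": "sta1",
                                                  "proof": proof}})["code"]
    after = ap.receive(data)["code"]
    return before, result, after
```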
Wireless LAN Security

Introduction

802.11 standard specifies the operating
parameters of wireless local area networks
(WLAN)

History: 802.11, b, a, g, i

Minimal security in early versions

Original architecture not well suited for
modern security needs

802.11i attempts to address security issues
with WLANs

802.11b

Wired Equivalent Privacy (WEP)

Confidentiality

Encryption

40-bit keys (increased to 104-bit by WEP2)

Based on RC4 algorithm

Access Control

Shared key authentication + Encryption

Data Integrity

Integrity checksum computed for all messages

802.11b

Vulnerabilities in WEP

Poorly implemented encryption

Key reuse, small keys, no keyed MIC

Weak authentication

No key management

No interception detection

802.11b

Successful attacks on 802.11b

Key recovery - AirSnort

Man-in-the-middle

Denial of service

Authentication forging

Known plaintext

Known ciphertext

802.11i

Security Specifications

Improved Encryption

CCMP (AES), TKIP, WRAP

2-way authentication

Key management

Ad-hoc network support

Improved security architecture

802.11i Authentication

[Figure] Source: Cam-Winget, Moore, Stanley and Walker

802.11 Encryption

[Figure] Source: Cam-Winget, Moore, Stanley and Walker
802.11i – Potential Weaknesses


Hardware requirements

Hardware upgrade needed for AES support

Strength of TKIP and WRAP questionable in the long term

Authentication server needed for 2-way
authentication

Complexity

The more complex a system is, the more likely it
may contain an undetected backdoor

Patchwork nature of “fixing” 802.11b

No Control over WLAN?

Often you want to connect to a wireless LAN
over which you have no control

Options:

If you can, connect securely (WPA2, 802.11i, etc.)

If unsecured, connect to your secure systems
securely:

VPN – Virtual Private Network

SSL connections to secure systems

Be careful not to expose passwords

Watch for direct attacks on untrusted networks

WLAN Security - Going Forward


802.11i appears to be a significant improvement
over 802.11b from a security standpoint

Vendors are nervous about implementing 802.11i
protocols due to how quickly WEP was
compromised after its release

Only time will tell how effective 802.11i actually
will be

Wireless networks will not be completely secure
until the standards that specify them are
designed from the beginning with security in
mind

Summary

Wireless LAN Security is not
independent of the greater network
security and system security

Threats to the Wireless LAN are largely
in terms of being available and in
providing a means to attack systems on
the network

That is, not many folks attack routers (yet)

Test yourself

3 marks

© Copyright © Eng. Dheeg Hajji Hassan(MPPM, MBA

NAME:
ID:

1. Web Security is based on:-


a. Person

b. System

c. Browsers

d. A and B
2. Web Security saves

a. Data

b. People

c. Organization

d. All of them

3. Network Security Reduces

a. Fraud

b. Data sustainability

c. Date Preferences

d. Misleading the Managers

4. SSL is short for

a. Secure Secret Layer

b. Secure System Layer

c. Secure Science Layer

d. Secure Socket Layer

5. Java Cryptographic Packages include

a. JMD

b. JDK

c. JSM

d. All of them
6. Functions of JAVA cryptography include

a. Constant data

b. Consistency of data

c. Concise Data

d. All of them
7. Authentication protocols include

a. Digest Authentication

b. Digital Authentication

c. SML

d. A and B
8. Web security protects your

a. Network and connection

b. Network and data from breaches

c. Network and data management

d. Network and system demonstration
9. Kerberos is

a. Used for computers and servers

b. Used for computers and system of the organization

c. Used for computers and data management

d. Used for organization and equipment

10. JDK is short for

a. JAVA Developer Kit

b. JAVA Developer Knowledge

c. JAVA Design Kit
Discussion

How secure are websites in Somaliland? What are they vulnerable to? How do
they protect their data? Do they use safe protocols? What do you recommend
for them to control their website security?
Practical Section

AAA - Authentication with TACACS+ and RADIUS server

ACL

ASA Firewall: Inside, DMZ and Outside