
Iss letcure 7_8

Date post: 19-May-2015
Upload: ali-habeeb
Information System Security, Lectures 7 and 8: Web Security
Transcript
Page 1: Iss letcure 7_8

Information System Security

Lectures 7 and 8

Web Security

Page 2: Iss letcure 7_8

References

[1] Google Code for Educator: Sample Course Content, Web Security.

http://code.google.com/edu/content/submissions/web_security/listing..

[2] Network security, The complete Reference. R. Bragg, M. Rhodes-Ousley, K. Strassberg. McGraw-Hill Osborne, 2004.

Page 3: Iss letcure 7_8

Outline

1. Web System

2. Web System Security

3. Simple Web Server

4. Web Server Security

5. Web Browser Security

6. Web Application Security

7. Communication Security

Page 4: Iss letcure 7_8

1. Web System

Generic web application work flow diagram:

Page 5: Iss letcure 7_8

Web System

[Diagram: the Web Browser (HTML forms, Java, Cookies, JavaScript, VBScript, Plug-ins, etc.) sends an http request to the Web Server and receives an http reply over http/SSL/TCP/IP. Behind the Web Server are the Web Application (CGI, Java Servlets, ASP, SSI, J2EE, PHP, etc.), the Web Server Resources, and Applications.]

Page 6: Iss letcure 7_8

2. Web System Security

1. Web Server Security

2. Web Browser Security

3. Web Application Security

4. Channel Security

Page 7: Iss letcure 7_8

3. Simple Web Server*

To illustrate what can go wrong if we do not design for security in our web applications from the start, consider a simple web server implemented in Java.

All this program does is serve documents using HTTP.

We will walk through the code in the following slides.

This web server only supports simple HTTP GET requests.

* Slides 7-17 taken from [1]

Page 8: Iss letcure 7_8

Some Preliminaries…

HTTP (HyperText Transfer Protocol): The communications protocol used to connect to servers on the Web.

Its primary function is to establish a connection with a Web server and transmit HTML pages to the client browser or any other files required by an HTTP application.

HTTP is stateless (ie, request/reply).

Addresses of Web sites begin with an http:// prefix.

Page 9: Iss letcure 7_8

Some Preliminaries…

A typical HTTP request that a browser makes to a web server:

    GET / HTTP/1.0

When the server receives this request for filename / (which means the root document on the web server), it attempts to load index.html. It sends back:

    HTTP/1.0 200 OK

followed by the document contents.

Page 10: Iss letcure 7_8

SimpleWebServer: main()

    /* This method is called when the program is run from the
       command line. */
    public static void main (String argv[]) throws Exception {
        /* Create a SimpleWebServer object, and run it */
        SimpleWebServer sws = new SimpleWebServer();
        sws.run();
    }

Page 11: Iss letcure 7_8

SimpleWebServer Class

    /* imports needed by the code on these slides */
    import java.io.*;
    import java.net.*;
    import java.util.*;

    public class SimpleWebServer {
        /* Run the HTTP server on this TCP port. */
        private static final int PORT = 8080;

        /* The socket used to process incoming connections
           from web clients */
        private static ServerSocket dServerSocket;

        public SimpleWebServer () throws Exception {
            dServerSocket = new ServerSocket (PORT);
        }

        public void run() throws Exception {
            while (true) {
                /* wait for a connection from a client */
                Socket s = dServerSocket.accept();
                /* then process the client's request */
                processRequest(s);
            }
        }

Page 12: Iss letcure 7_8

SimpleWebServer: processRequest 1

    /* Reads the HTTP request from the client, and
       responds with the file the user requested or
       a HTTP error code. */
    public void processRequest(Socket s) throws Exception {
        /* used to read data from the client */
        BufferedReader br =
            new BufferedReader (new InputStreamReader (s.getInputStream()));

        /* used to write data to the client */
        OutputStreamWriter osw =
            new OutputStreamWriter (s.getOutputStream());

Page 13: Iss letcure 7_8

SimpleWebServer: processRequest 2

        /* read the HTTP request from the client */
        String request = br.readLine();
        String command = null;
        String pathname = null;

        /* parse the HTTP request */
        StringTokenizer st =
            new StringTokenizer (request, " ");

        command = st.nextToken();
        pathname = st.nextToken();

Page 14: Iss letcure 7_8

SimpleWebServer: processRequest 3

        if (command.equals("GET")) {
            /* if the request is a GET
               try to respond with the file
               the user is requesting */
            serveFile (osw, pathname);
        }
        else {
            /* if the request is a NOT a GET,
               return an error saying this server
               does not implement the requested command */
            osw.write ("HTTP/1.0 501 Not Implemented\n\n");
        }
        /* close the connection to the client */
        osw.close();
    }

Page 15: Iss letcure 7_8

SimpleWebServer: serveFile 1

    public void serveFile (OutputStreamWriter osw,
                           String pathname) throws Exception {
        FileReader fr = null;
        int c = -1;
        StringBuffer sb = new StringBuffer();

        /* remove the initial slash at the beginning
           of the pathname in the request */
        if (pathname.charAt(0) == '/')
            pathname = pathname.substring(1);

        /* if there was no filename specified by the
           client, serve the "index.html" file */
        if (pathname.equals(""))
            pathname = "index.html";

Page 16: Iss letcure 7_8

SimpleWebServer: serveFile 2

        /* try to open file specified by pathname */
        try {
            fr = new FileReader (pathname);
            c = fr.read();
        }
        catch (Exception e) {
            /* if the file is not found, return the
               appropriate HTTP response code */
            osw.write ("HTTP/1.0 404 Not Found\n\n");
            return;
        }

Page 17: Iss letcure 7_8

SimpleWebServer: serveFile 3

        /* if the requested file can be
           successfully opened and read, then return
           an OK response code and send the contents
           of the file */
        osw.write ("HTTP/1.0 200 OK\n\n");
        while (c != -1) {
            sb.append((char)c);
            c = fr.read();
        }
        osw.write (sb.toString());
    }

Page 18: Iss letcure 7_8

SimpleWebServer Vulnerabilities

Can you identify any security vulnerabilities in SimpleWebServer? Or what can go wrong?

Yes: Denial of Service (DoS):
– An attacker makes a web server unavailable. But how?

DoS on SimpleWebServer:
– Just send a carriage return as the first message instead of a properly formatted GET message…
– The web server crashes
– Service to all subsequent clients is denied until the web server is restarted
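The crash described above, and a request handler that survives it, as an added example that is not part of the original slides. It is a Python model of processRequest() and run(); the function names, the length limit and the sample requests are assumptions made for illustration.

```python
# Added example: a Python model of SimpleWebServer's request handling.
# Function names and the sample requests are constructed for illustration.

MAX_REQUEST_LINE = 1024  # assumed limit; the original server has none


def naive_process(request_line):
    """Mirrors processRequest(): tokenise on spaces with no validation."""
    tokens = request_line.split()
    command, pathname = tokens[0], tokens[1]  # IndexError on a blank line
    if command == "GET":
        return "HTTP/1.0 200 OK"
    return "HTTP/1.0 501 Not Implemented"


def naive_server(requests):
    """Mirrors run(): an exception in one request ends the accept loop."""
    served = []
    try:
        for line in requests:
            served.append(naive_process(line))
    except Exception:
        return served, True   # the server is down; later clients get nothing
    return served, False


def hardened_process(request_line):
    """Validate the request line before using any part of it."""
    line = request_line.rstrip("\r\n")
    if len(line) > MAX_REQUEST_LINE:
        return "HTTP/1.0 400 Bad Request"
    tokens = line.split(" ")
    if len(tokens) not in (2, 3) or not tokens[1].startswith("/"):
        return "HTTP/1.0 400 Bad Request"
    if tokens[0] != "GET":
        return "HTTP/1.0 501 Not Implemented"
    return "HTTP/1.0 200 OK"


def hardened_server(requests):
    """Contain failures per connection so one bad client cannot stop the loop."""
    responses = []
    for line in requests:
        try:
            responses.append(hardened_process(line))
        except Exception:
            responses.append("HTTP/1.0 500 Internal Server Error")
    return responses


# Constructed input: a valid request, a bare carriage return, two more clients.
SAMPLE_REQUESTS = ["GET / HTTP/1.0", "\r", "GET /index.html HTTP/1.0",
                   "POST /form HTTP/1.0"]

if __name__ == "__main__":
    print(naive_server(SAMPLE_REQUESTS))
    print(hardened_server(SAMPLE_REQUESTS))
```

In the Java code the same two measures apply: check the token count before calling nextToken(), and catch exceptions around processRequest(s) inside the while loop in run().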

Page 19: Iss letcure 7_8

4. Web Server Security: Overview

Consider the following HTML code:

    <html>
    <head>
    <title> Hello world </title>
    </head>
    </html>

Attackers can try 2 strategies to penetrate the web server hosting this HTML code:
– Exploit web application insecurity
   There is no exploit in this code
– Hacking the web server itself
   See the SimpleWebServer: DoS attack

Page 20: Iss letcure 7_8

Web Server Security: Goals of server attacks

1. Web site defacement
– Corruption of the HTML code.
– Example: Next slide

2. Data Corruption
– Any data on the server can be deleted or modified.

3. Data Theft
– eg, credit card number stolen from ecommerce site.

4. Denial of service
– Clients are no longer served.

Page 21: Iss letcure 7_8


http://www.syria-news.com

Page 22: Iss letcure 7_8

Web Server Security: Types of attacks

1. Directory traversal

2. Script permissions

3. Directory Browsing

4. Default samples

Page 23: Iss letcure 7_8

Web Server Security: Types of attacks

1. Directory traversal
– Is a method for accessing directories other than the allowed ones.
– In Microsoft’s IIS, if the OS XP is installed on drive c: and the administrator didn’t change the directory name, the default web site directory is c:\inetpub
– Attackers can read files they are not meant to. For example:
   If the attacker tries http://www.somesite.com/../autoexec.bat then the server may return the content of autoexec.bat.
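A check that confines requests to the document root, as an added example that is not part of the original slides. naive_resolve models the path handling of serveFile() shown earlier; safe_resolve, the temporary directory layout and the file names are assumptions made for illustration.

```python
# Added example: path handling modelled on serveFile(), with a confined variant.
import os
import tempfile
from urllib.parse import unquote


def naive_resolve(doc_root, url_path):
    """Mirrors serveFile(): strip the leading slash, default to index.html,
    then open whatever path results."""
    name = url_path[1:] if url_path.startswith("/") else url_path
    if name == "":
        name = "index.html"
    return os.path.normpath(os.path.join(doc_root, name))


def safe_resolve(doc_root, url_path):
    """Return the real path of the requested file, or None if the request
    does not name a regular file inside doc_root."""
    root = os.path.realpath(doc_root)
    # decode %xx escapes first so an encoded ".." is checked like a plain one
    name = unquote(url_path).lstrip("/") or "index.html"
    if "\x00" in name:
        return None
    # realpath collapses ".." and follows symlinks before the comparison
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo():
    """Build a constructed document root with one file outside it."""
    with tempfile.TemporaryDirectory() as base:
        base = os.path.realpath(base)
        root = os.path.join(base, "www")
        os.mkdir(root)
        with open(os.path.join(root, "index.html"), "w") as f:
            f.write("<html></html>")
        outside = os.path.join(base, "autoexec.bat")
        with open(outside, "w") as f:
            f.write("constructed file outside the web root")
        return {
            "naive_escapes": naive_resolve(root, "/../autoexec.bat") == outside,
            "safe_index": safe_resolve(root, "/") == os.path.join(root, "index.html"),
            "safe_dotdot": safe_resolve(root, "/../autoexec.bat"),
            "safe_encoded": safe_resolve(root, "/%2e%2e/autoexec.bat"),
            "safe_missing": safe_resolve(root, "/nope.html"),
        }


if __name__ == "__main__":
    print(demo())
```

The comparison is made on the resolved path, not on the request string, so it does not depend on spotting every spelling of "..".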

Page 24: Iss letcure 7_8

Web Server Security: Types of attacks

2. Script permissions
   In order to run server-side applications (eg, CGI, Perl, etc.), the administrator must grant executable permission to the directory where these applications reside.

   What happens if the admin grants permissions to the wrong directory?

   Example: if the admin grants executable permission to c: then what happens if the attacker tries http://www.somesite.com/../Windows/system32/cmd.exe%20%2fc%20dir

Page 25: Iss letcure 7_8

Web Server Security: Types of attacks

   The web server parses the request and executes

       ../windows/system32/cmd.exe /c dir

   ie, listing all files in the current directory.

– Attacker can execute commands that delete or modify files on the web server.

3. Directory Browsing
   If directory browsing is enabled, an attacker can browse that directory and its subdirectories.

   Knowledge of the existence of some file can help an attacker launch an attack.

Page 26: Iss letcure 7_8

Web Server Protection

1. Run web server service with least privileges.

2. Install most recent security patches of server software.

3. Install most recent security patches of OS.

4. Secure other network services running on the same machine.

5. Delete unneeded applications.

6. Grant script permissions only to isolated directory containing the scripts in question.

7. Maintain adequate logs and backups.

8. Secure your web server using third-party security products: antiviruses, firewalls, vulnerability scanners, input validation, etc.

Page 27: Iss letcure 7_8

5. Web browser Security

Browser sends requests
– May reveal private information (in forms, cookies)
– Also sends other information that may be damaging: IP address, OS, browser version/type, etc.

Browser receives information, code
– May corrupt hosts by running unsafe code
– Information may exercise a bug in the browser allowing arbitrary remote code execution.

Page 28: Iss letcure 7_8

Web browser Security

Cookies
– Cookie mechanism

Mobile code
– Java applet
– JavaScript
– VBScript

Page 29: Iss letcure 7_8

Web browser Security: Cookies

HTTP is stateless. This causes problems in a lot of transactions that need a concept of a “session”:
– A customer wants to purchase an item online.
– A customer logs onto their bank to pay bills.
– Sites like Yahoo allow users to customize their view of the portal.
– As the user jumps from web page to web page, the server can’t keep track of whether it’s the same user, or another user requesting the same page.
– Servers use cookies to keep track of their users.

A cookie is a file created by an Internet site to store information on your computer.
– Once a cookie is saved on your computer, only the Web site that created the cookie can read it.
– Example: Google’s cookie

Page 30: Iss letcure 7_8

Web browser Security: Cookies

PREF

ID=186f76e084b84d56:TM=1193982844:LM=1193982844:S=O8OM9yhkCkr98Ej_ google.co.uk/1536 //3081004544 // 30038711 //2452507808 // 29891852*

Problems– Cookies maintain record of your browsing habits

May include any information a web site knows about you

– Browser attacks could invade your “privacy”

– Stealing someone’s cookies may allow attacker to impersonate the victim:

Session hijacking

Page 31: Iss letcure 7_8

Web browser Security: Mobile Code

Mobile code runs on clients’ machine.
It’s an executable content (eg, applets).
Things to do:
– Protect machine from downloaded code.
– Needs protection from content providers.

Normal users are asked to make security decisions/policies.

[Diagram: the Web Server sends Mobile Code (eg, applet) to the Web browser, which executes the applet.]

Page 32: Iss letcure 7_8

6. Web application Security

1. SQL injection

2. Common Gateway Interface

Page 33: Iss letcure 7_8

SQL injection

SQL (Structured Query Language) is a language that communicates with DBs. Example:
– Select * from Users where username ='admin' and password = 'somepasswd'
– Looks for user whose username = admin and password = somepasswd

SQL injection is a technique to inject crafted SQL into user input fields that are a part of web forms. It can be used to:
– bypass custom login to a web site,
– log in to a web site, or
– take over a site

Page 34: Iss letcure 7_8

SQL injection: Simple login bypassing

Consider the following web site’s login form:

    …
    <form action="login.asp" method="post">
    <p> Username: <input type=text name="username" /> </p>
    <p> Password: <input type=password name="password" /> </p>
    <p> <input type=submit name="submit" value="login" /> </p>
    </form>
    …

– It’s a web page that requests 2 pieces of information from the user, username and password, and it submits the information in the fields to login.asp (written in ASP).

Page 35: Iss letcure 7_8

SQL injection: Simple login bypassing

The file login.asp:

    Dim adoConnection
    Set adoConnection = Server.CreateObject("ADODB.Connection")
    …
    Dim strLoginSQL
    ' The form fields are concatenated into the SQL string as received
    strLoginSQL = "select * from users where username = '" & Request.Form("username") & "' and password = '" & Request.Form("password") & "'"
    Dim adoResult
    Set adoResult = adoConnection.Execute(strLoginSQL)
    If Not adoResult.EOF Then
        ' We are here: all went ok
    Else
        ' Wrong login
    End If

Page 36: Iss letcure 7_8

SQL injection: Simple login bypassing

If the user enters admin as a username and adminpasswd as a password, the following SQL command is constructed:

    Select * from users where username ='admin' and password = 'adminpasswd'

The username and password are placed inside the SQL string, but without any checks:
– What happens if an attacker enters 'a' or "1"="1" as a username and any password?
– The resulting SQL string is:

    Select * from users where username = 'a' or "1"="1" -- ' and password = 'anypassword'

– This code will return data because "1"="1"
– The attacker bypasses the login.

Page 37: Iss letcure 7_8

SQL injection

Worse!
– The attacker can use built-in procedures to read or write files, or to invoke programs in the database computer.
– For example the xp_cmdshell stored procedure invokes shell commands on the server’s computer like dir, copy, rename, etc.
– From the last example, a hacker can enter some username as a username and a'exec master..xp_cmdshell 'del c:\winnt\system32\*.dll' as a password.

This will cause the database to delete all DLLs in the specified directory.

Page 38: Iss letcure 7_8

SQL injection: Solutions

Filter all input fields for apostrophes to prevent unauthorized logins.

Filter all input fields for SQL commands like insert, select, delete, and exec to prevent server manipulation.

Limit input field length (which will limit hackers’ options), and validate the input length with server-side scripts.

Place the database on a different computer than the web server.
– If the database is hacked, it’ll be harder to reach the web server.

Limit the user privileges of the server-side scripts.

Delete all unneeded extended stored procedures to limit hackers’ possibilities.
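The login query from login.asp rebuilt with string concatenation and with bound parameters, as an added example that is not part of the original slides. Bound parameters are a technique the slides do not list; the sqlite3 database, the table contents and the function names are assumptions made for illustration.

```python
# Added example: the login.asp query rebuilt in Python with sqlite3.
import sqlite3


def make_db():
    """Constructed in-memory users table. Passwords are plaintext only to
    mirror the page's query; a real table stores password hashes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("admin", "adminpasswd"), ("O'Brien", "pw")])
    return db


def build_login_sql(username, password):
    """Same string concatenation as strLoginSQL in login.asp."""
    return ("select * from users where username = '" + username +
            "' and password = '" + password + "'")


def vulnerable_login(db, username, password):
    """Executes the concatenated string, so input can change the query."""
    return db.execute(build_login_sql(username, password)).fetchone() is not None


def safe_login(db, username, password):
    """Bound parameters: values travel separately from the SQL text, so
    quotes and comment markers in the input are only data."""
    row = db.execute(
        "select 1 from users where username = ? and password = ?",
        (username, password)).fetchone()
    return row is not None


def legit_name_breaks_concatenation(db):
    """An apostrophe in an honest username is a syntax error when concatenated,
    which is why filtering apostrophes also rejects legitimate users."""
    try:
        vulnerable_login(db, "O'Brien", "pw")
    except sqlite3.OperationalError:
        return True
    return False


# Constructed input in the shape discussed on the slides. SQLite reads double
# quotes as identifiers, so the tautology is written with single quotes here.
TAUTOLOGY = "a' or '1'='1' --"

if __name__ == "__main__":
    db = make_db()
    print(build_login_sql(TAUTOLOGY, "anypassword"))
    print("concatenated:", vulnerable_login(db, TAUTOLOGY, "anypassword"))
    print("parameterised:", safe_login(db, TAUTOLOGY, "anypassword"))
```

ADO offers the same mechanism for the ASP code through ADODB.Command objects with parameters.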

Page 39: Iss letcure 7_8

Common Gateway Interface

Common Gateway Interface (CGI)
– meta-language for translating URLs or HTML forms into executable programs.

An attacker may exploit bugs in CGI scripts to gain unauthorized access to files on the web server, or even to take control of the host.

CGI scripts can present security holes in two ways:
– They may intentionally or unintentionally leak information about the host system that will help hackers break in.
– Scripts that process user input may be vulnerable to attacks in which the remote user tricks them into executing commands (always remember: “user input is evil”).

Page 40: Iss letcure 7_8

7. Communication Security

Vulnerabilities
– Tapping or eavesdropping: occurs when a device is placed near or into the cabling.
– Sniffing: using sniffers (special programs) in order to eavesdrop on the network traffic.
– IP spoofing:
   An attacker can place any IP address as the source address of an IP datagram, so it can be dangerous to base access control decisions on raw IP addresses alone.
   An attacker may be able to replay, delay, reorder, modify or inject IP datagrams.
– DNS spoofing: a DNS server is lured to translate names (eg, www.scs-net.org) into attackers’ IP addresses.

Communication Protection: SSL

Page 41: Iss letcure 7_8

SSL

Secure Sockets Layer (SSL) was developed (in 1994) by Netscape Corporation to provide security between web client and server.

SSL is designed to be under HTTP:
– HTTP | SSL | TCP

SSL permits:
– Authentication of peer entities
– Exchange of secret keys
– Use of exchanged keys to authenticate and encrypt transmitted data between communicating peer entities.

Page 42: Iss letcure 7_8

SSL Architecture

SSL consists of two sublayers:
– SSL Record Protocol: provides security services to higher-layer protocols (in particular, HTTP) including SSL management protocols.
– SSL Management protocols: Handshake, Cipher Change, and Alert Protocols

[Figure: SSL Architecture]

Page 43: Iss letcure 7_8

SSL Record Protocol

The SSL Record Protocol uses the keys derived from the Handshake Protocol’s master key to securely deliver data.

Provides two security functions:
– Confidentiality and Message Integrity

[Diagram: Data is split by Fragmentation into fragments; each fragment goes through Compression (optional), a MAC is added, the result is passed to Encrypt, and a Record protocol Header is prepended. The record is then to be transmitted in a TCP segment.]

Page 44: Iss letcure 7_8

SSL Record Protocol

Protected data: SSL Record protocol allows application protocols above SSL to be secured.

Fragmentation: messages are broken into blocks.

Compression: optional
– Compression algorithm is not specified

MAC: computed over compressed data.
– SSL MAC is similar to HMAC
– MAC key is derived from the master key.

Encryption may be stream or block mode.
– Symmetric encryption is used
– There is only a limited selection of ciphers and MAC algorithms that are allowed (eg, DES, 3DES, IDEA, RC4, etc)

Page 45: Iss letcure 7_8

SSL Handshake Protocol

Used to allow the server and client to
– authenticate each other using certificates,
– negotiate encryption and MAC algorithms, and
– establish keys to be used to protect data sent in SSL Record.

Used before any application data is transmitted.

Page 46: Iss letcure 7_8

S-HTTP

Secure HTTP (S-HTTP) is a superset of HTTP with security support.

Created in 1994 by Enterprise Integration Technology (EIT)

Adopted by IETF as RFC 2660.

Allows message to be encapsulated in various ways (message-oriented).

Encapsulation for encryption, signing and MAC

Not widely used (not supported by Internet Explorer or Netscape)

