8/14/2019 Security in Web Scenario
Security in Web Scenario
Contents:
What Do We Mean By Security?
The Foundations of Security
General Types of Attacks
Network Threats
Web traffic security approaches
IP Security (IPSec)
Secure Socket Layer
Kerberos
Pretty Good Privacy
Secure Electronic Transaction
Host Threats
What Do We Mean By Security?
Security is fundamentally about protecting assets. Assets may be tangible items, such as a Web page or your customer database, or they may be less tangible, such as your company's reputation.
The Foundations of Security
General Types of Attacks
Active Attacks
  Masquerade
  Replay
  Modification of messages
  Denial of service
Passive Attacks
  Release of message contents
  Traffic Analysis
[Figure: Release of message contents. Bob sends a message to Alice over the Internet; Darth reads the contents of the message from Bob to Alice.]
[Figure: Traffic Analysis. Bob sends messages to Alice over the Internet; Darth observes the pattern of messages from Bob to Alice.]
[Figure: Replay. Bob sends a message to Alice over the Internet; Darth captures the message from Bob to Alice and later replays the message to Alice.]
[Figure: Modification of messages. Bob sends a message to Alice over the Internet; Darth modifies the message from Bob to Alice.]
[Figure: Denial of service. Bob uses a server over the Internet; Darth disrupts the services provided by the server.]
Network Threats
Information gathering
Sniffing
Spoofing
Session hijacking
Denial of service
Web traffic security approaches
Three places in the protocol stack where security can be applied (each stack listed top to bottom):
Network Level:     HTTP FTP SMTP / TCP / IP/IPSec
Transport Level:   HTTP FTP SMTP / SSL or TLS / TCP / IP
Application Level: S/MIME PGP SET / Kerberos SMTP HTTP / UDP TCP / IP
IP Security (IPSec)
IPSec Document Overview:
Architecture
ESP Protocol
AH Protocol
Encryption algorithm
Authentication algorithm
DOI (Domain of Interpretation)
Key Management
Secure Socket Layer
SSL Protocol Stack (top to bottom):
SSL Handshake Protocol | SSL Change Cipher Spec Protocol | SSL Alert Protocol | HTTP
SSL Record Protocol
TCP
IP
Kerberos
Participants: client, Authentication Server (AS), Ticket-granting server (TGS), server.
Once per user logon session: the client requests a ticket-granting ticket from the AS; the AS returns Ticket + Session key.
Once per type of service: the client requests a service-granting ticket from the TGS; the TGS returns Ticket + Session key.
Once per service session: the client requests the service from the server; the server provides a server authenticator.
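The three exchanges above, as an added example that is not part of these slides: a Python simulation in which tickets and authenticators are sealed with a SHA-256 counter-mode keystream plus an HMAC tag (a stand-in for Kerberos' real AES encryption types), the principal keys are constructed, and the names as_exchange, tgs_exchange and client_session are this example's own.

```python
import hashlib, hmac, json, os, time
KEYS = {"alice": b"alice-key", "krbtgt": b"tgs-key", "http/web": b"web-service-key"}  # constructed long-term keys

def keystream_xor(key, nonce, data):
    # Stand-in for Kerberos' AES encryption types: SHA-256 in counter mode as a keystream.
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    """Encrypt-then-MAC a JSON message: the shape of a ticket or an authenticator."""
    nonce = os.urandom(16)
    ct = keystream_xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(keystream_xor(key, nonce, ct))

def check_authenticator(ticket, auth):
    # Authenticator must name the ticket's client and be fresh (300 s skew); ticket must be unexpired.
    return auth["client"] == ticket["client"] and abs(time.time() - auth["ts"]) < 300 and ticket["exp"] > time.time()

def as_exchange(user):
    """Once per user logon session: AS returns a ticket-granting ticket plus a session key."""
    sk = os.urandom(16).hex()
    tgt = seal(KEYS["krbtgt"], {"client": user, "sk": sk, "exp": time.time() + 8 * 3600})
    return seal(KEYS[user], {"sk": sk, "tgt": tgt.hex()})  # only the user's key opens this reply

def tgs_exchange(tgt_blob, auth_blob, service):
    """Once per type of service: TGS returns a service-granting ticket plus a service session key."""
    tgt = unseal(KEYS["krbtgt"], tgt_blob)
    if not check_authenticator(tgt, unseal(bytes.fromhex(tgt["sk"]), auth_blob)):
        raise PermissionError("TGS rejected the authenticator")
    ssk = os.urandom(16).hex()
    ticket = seal(KEYS[service], {"client": tgt["client"], "sk": ssk, "exp": tgt["exp"]})
    return seal(bytes.fromhex(tgt["sk"]), {"sk": ssk, "ticket": ticket.hex()})

def client_session(user, service):
    """Drive all three exchanges; True when the server accepts the service session."""
    reply = unseal(KEYS[user], as_exchange(user))
    sk = bytes.fromhex(reply["sk"])
    auth = seal(sk, {"client": user, "ts": time.time()})
    grant = unseal(sk, tgs_exchange(bytes.fromhex(reply["tgt"]), auth, service))
    ssk = bytes.fromhex(grant["sk"])
    # Once per service session: server opens the ticket with its own key, then checks the authenticator.
    ticket = unseal(KEYS[service], bytes.fromhex(grant["ticket"]))
    return check_authenticator(ticket, unseal(ssk, seal(ssk, {"client": user, "ts": time.time()})))
```

Note that the client never learns the TGS or service long-term keys: it only ever sees the session keys delivered under its own key, which is what lets tickets be relayed opaquely.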
Pretty Good Privacy
Transmission of PGP Messages (X = file):
Signature required? If yes: generate signature, X <- Signature || X
Compress: X <- Z(X)
Confidentiality required? If yes: encrypt key and X, X <- E(PUb, Ks) || E(Ks, X)
Convert to radix 64: X <- R64[X]
Reception of PGP Messages:
Convert from radix 64: X <- R64^-1[X]
Confidentiality required? If yes: decrypt key and X, Ks <- D(PRb, E(PUb, Ks)); X <- D(Ks, E(Ks, X))
Decompress: X <- Z^-1(X)
Signature required? If yes: strip signature from X and verify signature
Secure Electronic Transaction
[Figure: SET participants: Cardholder, Merchant, Certificate authority, Issuer, Acquirer, Payment gateway; networks: Internet, Payment network.]
Host Threats
Viruses, Trojan horses, and worms
Footprinting
Profiling
Password cracking
Denial of service
Arbitrary code execution
Unauthorized access
Thank You