Web Security Solutions - San Jose State University

Web Security
Instructor: Dr. Jerry Gao
San Jose State University
email: [email protected]
URL: http://www.engr.sjsu.edu/gaojerry
Copyright@ Jerry Gao, Ph.D
Topic: Web Security
Web Security
- Introduction to Web Security
- Why Are We Concerned about Security?
- Security Threats to Web-based Systems
- Theft and Fraud on the Internet
- Violations of Data Integrity
- Web Security Issues
- Client Security
- Server Security
- Communication Security
- Application Security
- Network Security
- OS Security
Web Security Solutions
- Network Security Solutions
- Securing Your Web Site
- Security Solution for Data Transactions
- Client Security Solutions
- Server Security Solutions
- Access Control and Authentication
- Security Technology and Products
Threats to E-Commerce
The number one rated concern for both businesses and consumers:
- loss of assets and privacy due to breaches in the security
of commercial transactions and corporate computer systems.
- a single publicized breach can erode confidence in the business, damage the
reputation of the firm, and hurt the e-commerce industry as a whole.
There are two types of threats:
- Internal threats
  Solutions:
  - careful screening of trusted employees
  - access control to company secrets
- External threats: an e-commerce web site opens the door to the public.
  Many malicious users try to break into the system.
Facts:
- 42% of 500 companies reported unauthorized use of their systems.
- 30% of the respondents reported losing upwards of U.S. $100 million
due to security breaches.
Vandalism and Sabotage on the Internet
Web defacing or vandalism
-- Rewriting someone else’s Web page by illegal means.
Fact:
In Sept. of 1996, the CIA Web site (www.odci.gov/cia) was cracked by a group
of Swedish hackers. The vandalized Web page read
“Welcome to the Central Stupidity Agency”. (linked to the Playboy Web site)
Results:
- Vandalizing an organization’s Web page can be extremely damaging to the
organization’s public relations and its public image.
- Vandalizing a financial concern can undermine a company’s business,
reputation and consumer confidence.
Breach of Privacy or Confidentiality
While the electronic age has made communicating arguably easier, it has
made intercepting communications easier for unknown third parties.
Fact:
The White House was embarrassed when hackers managed to intercept and
publish on the Web transcripts of pager messages sent while the President
was visiting Philadelphia in Sept. 1997.
In November of 1996, an error in using an e-commerce product called
SoftCart resulted in consumer credit card numbers collected for purchase
orders being exposed to the Internet at large.
Results:
- Loss of privacy and confidentiality
Theft and Fraud on the Internet
Theft and fraud on the Internet are made possible when people are duped
into trusting a Web site and its operators, with whom no prior relationship
exists.
Fact:
A study by Deloitte & Touche reported that citizens and businesses in the
European Union have lost anywhere from 6 billion to 60 billion European
Currency Units because of fraud over the Internet.
Much of the fraud is a result of criminals setting up a site on the Web that
appears to be a legitimate business, when in fact it is a façade for a criminal
enterprise.
Results:
- Loss of money and assets
Violations of Data Integrity
Data integrity attacks are not often discussed in the context of Internet
sessions, but they are a concern for e-commerce types of transactions.
Violations of data integrity can have financial consequences.
Fact:
In March of 1997, AOL acknowledged that it posted inaccurate stock
information about a particular company, Ezra Weinstein & Co. AOL,
however, blames Standard & Poor (S&P), its stock information provider,
for the bad information.
Conclusion:
- Good data integrity techniques are needed to detect the corruption of data.
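
One way to detect corrupted or altered data in a quote feed like the one in the example above, shown as an added illustration (not part of the original slides). The key, the field names and the sample quote are constructed; the block contrasts an unkeyed digest, which an attacker can recompute, with a keyed HMAC tag.

```python
import hashlib
import hmac
import json

# Constructed demo key; a real feed would provision the key out of band.
FEED_KEY = b"constructed-demo-key"

def canonical(record):
    """Serialize deterministically so sender and receiver hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def plain_digest(record):
    """Unkeyed SHA-256: detects accidental corruption only."""
    return hashlib.sha256(canonical(record)).hexdigest()

def sign(record, key=FEED_KEY):
    """Keyed HMAC-SHA256 tag: cannot be recomputed without the key."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()

def verify(record, tag, key=FEED_KEY):
    """Constant-time check; a missing or malformed record or tag simply fails."""
    if not isinstance(record, dict) or not isinstance(tag, str):
        return False
    return hmac.compare_digest(sign(record, key).encode(), tag.encode())

def check_feed(messages):
    """Split a batch of {'record', 'tag'} messages into accepted and rejected."""
    accepted, rejected = [], []
    for msg in messages:
        ok = verify(msg.get("record"), msg.get("tag"))
        (accepted if ok else rejected).append(msg.get("record"))
    return accepted, rejected

# Constructed sample data: one genuine quote and three damaged variants.
QUOTE = {"symbol": "EXMP", "price": "41.25", "ts": "1997-03-03T16:00:00Z"}
ALTERED = dict(QUOTE, price="4.125")
FEED = [
    {"record": QUOTE, "tag": sign(QUOTE)},               # genuine
    {"record": ALTERED, "tag": sign(QUOTE)},             # altered in transit, old tag
    {"record": ALTERED, "tag": plain_digest(ALTERED)},   # hash recomputed after altering
    {"record": QUOTE},                                   # tag stripped
]

if __name__ == "__main__":
    ok, bad = check_feed(FEED)
    print(f"accepted={len(ok)} rejected={len(bad)}")
    # An unkeyed digest alone would have accepted the third message:
    print("recomputed plain digest matches:", plain_digest(ALTERED) == FEED[2]["tag"])
```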
Denial of Service
Denial of service attacks have been called the ultimate Internet security
nemesis.
A denial of service attack is aimed solely at making service unavailable.
The attacks are particularly difficult to defend against, because they exploit
infrastructural weaknesses or flaws in protocols.
Network Security Issues
The Network Server Vulnerabilities (Table 5.1):
- Deadly defaults -> the default configuration settings for
software installed out of the box.
- Web server flaws
- CGI script flaws
- Networking software vulnerabilities
- Denial-of-service attacks
- Weak authentication
- OS software holes
Methods of attacks:
- Attacks on network software
(web servers, distributed file servers)
- Protocol attacks
- Access the transport communication messages
- Directed attack over the network
(downloaded software, such as Java applets, ActiveX)
Client Security Issues
Two key issues to consider for client security:
- How does the attacker get at the client?
- What does he do once there?
Purposes of attacking a client computer:
- Use of resources
- Destruction of information
- Theft of information
- Use of credentials
Methods of attack on client computers:
- Physical access to the computer.
- Opportunistic introduction of software (Viruses)
- Network security problems
- Directed attack over the Network
- Protocol attacks (such as installation, network connection)
The Client-Side Vulnerabilities
Executable content applications make the Web an exciting and interactive
medium for Internet surfers.
Executable content, also called active content or mobile code, exists in many
forms:
ActiveX, Java applets, and JavaScript
In addition, data files, digital images, and email attachments can be
considered executable content when they are handled by plug-in interpreters in
Web browsers.
These active contents make the client-side vulnerable to security
problems.
The Client-Side Vulnerabilities
The major causes:
(A) Cookies:
- Cookies stored at the client side pose privacy and security
concerns for end users.
- Cookies work in simple applications, but they can be clumsy to
program in server-side applications.
(B) Web browsers:
- Web browsers have permission to read from and write to local
file systems. A malicious browser may corrupt local files through
the HTTP protocol.
(C) JavaScript:
- Unlike the potential security problems with ActiveX controls and
Java applets, the problems with JavaScript tend to be privacy
infringement attacks against end users.
The Client-Side Vulnerabilities
JavaScript problems that cause security problems at the client side:
The most common problems found with JavaScript relate to usage monitoring:
- In 1996, John Robert LoVerso of the Open Group Research Institute
found several bugs in JavaScript that enable malicious Web sites to violate
the privacy and potentially the security of Netscape and IE users.
- Netscape 2.0 and 2.01 allow users to upload a file from a user’s
disk by clicking a button.
- Robert LoVerso wrote a JavaScript program to list the directory of a local
file system.
- Firing off e-mail messages using the Navigator’s mail agent
without the user’s knowledge. This hole was closed off in
Navigator 2.02, but it reappeared in version 3.0.
The Client-Side Vulnerabilities
Java security model - Java Sandbox.
To address security issues, Java provides a security model - Java sandbox.
- The Sandbox prevents untrusted Java applets from accessing
sensitive system resources.
- The term “sandbox” is used by JavaSoft to represent an area in
which a Java applet can play but not escape.
- Java sandbox prevents applets from executing any file
input/output of the local file system.
- Many network operations are prohibited except connection.
Java sandbox is enforced by three technologies:
- the bytecode verifier: performs static checks while downloading
- the applet class loader: loads classes into a client machine
- the security manager: provides dynamic checks during applet
execution
The Client-Side Vulnerabilities
Java security problems - holes in the sandbox
Compared with other forms of active content, such as ActiveX controls,
JavaScript, e-mail attachments, and plug-ins, the Java sandbox provides a very
good security model, but it has been broken on more than one occasion.
The holes in the sandbox have been widely reported in national newspapers,
such as USA Today and the Wall Street Journal.
Please refer to these books for the details of Java security flaws:
“E-Commerce Security” by Anup K. Ghosh
“Java Security: Hostile Applets, Holes, and Antidotes”
Server Security Issues
Two key issues to consider for server security:
- How does the attacker get at the server?
- What does he do once there?
Purposes of attacking a server computer:
- Access to information
- Alteration of information
- Access to security credentials
- Denial of service
Methods of attack on server computers:
- Logging in as an ordinary user
  - guess a password, take over an existing session,
  - inject commands into a session,
  - exploit poorly set security controls.
- Exploiting bugs in applications (input checks)
- Exploiting incorrectly set security controls.
  - file protection, debugging code
Security Design: Issues and Principles
Primary Design Issues:
- Complexity:
  - Software has bugs, and more complex software has more bugs.
  - Complex software is often difficult to configure correctly.
- Configuration and Flexibility:
  - Complex systems are often difficult to configure correctly.
- People: the more people who can access the system,
  the less secure the system will be.
Security Design Principles:
- Keep the security system very simple.
- Limit changes to system configuration.
- Consider new versions carefully.
Security Design: Process
- Create the security policy for an organization, Internet
business, and a web-based system.
- Define and select appropriate security mechanisms
- Design and structure the security solutions for a web-based system in the
aspects of:
network, communications,
computer and system environment
software (OS, database, server, client)
- Implement and configure the security solutions
- Develop feedback, monitoring, and auditing mechanisms
to observe system operations.
- Check, evaluate, and improve the security solutions using the
tracked results.
Security Design Cycle
[Figure: cycle diagram with the stages Define policy, Design Environment Security, Design Application Security, Monitor, Evaluate]
Application Security: Principles
Achieving computer security is difficult, but some general principles apply:
- Limit access to the system
- Use available security tools
- Protect complex systems with simple ones.
- Make sure the system is inside the envelope.
- Record configuration changes.
- Create backups.
- Assure that software is properly installed.
- Use an authentication server
- Create user access control software and mechanisms
Security Solutions
- Cracks in the Foundation
- Securing the Operating System
- Firewall
- Security Solutions to Client Software
- Java Security
- Securing the Data Transactions
- Secured Communication Protocols
- Secure Channels
- Stored-Account Payment Systems
- Stored-Value Payment Systems
- Securing Server Software
- Web Server Security
- Security Solutions for Application Software
Firewall
A firewall consists of hardware, software, or both that isolates a private
network from a public network.
Firewall functions include:
- Packet-level filtering
- Firewalls typically include packet-level (network-level) filters,
which control basic connectivity.
- Application relay
- Firewalls typically implement application protocol relay
functions.
- Audit and logging
- Firewalls create log files of communications activity which are
completely independent of the internal server machines.
- Concentration of security administration
- The firewall serves as a choke point through which all external
communications must pass.
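
A minimal model of packet-level filtering with an independent audit log, as an added example (not part of the original slides). The rule set, addresses, ports and function names are constructed for illustration; it shows first-match evaluation, default deny, and why rule order matters.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action src dst proto ports note")
Packet = namedtuple("Packet", "src dst proto dport")

# Constructed addresses (documentation and private ranges), not from the slides.
ANY = "0.0.0.0/0"
PROXY = "192.0.2.10/32"
LAN = "10.0.0.0/8"

RULES = [
    Rule("allow", ANY, PROXY, "tcp", (80, 80), "public HTTP to proxy"),
    Rule("allow", ANY, PROXY, "tcp", (443, 443), "public HTTPS to proxy"),
    Rule("allow", PROXY, LAN, "tcp", (8080, 8080), "proxy relay to internal server"),
    Rule("deny", ANY, LAN, "any", (0, 65535), "no direct access to the LAN"),
]

def matches(rule, pkt):
    """True when the packet falls inside every field of the rule."""
    lo, hi = rule.ports
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and lo <= pkt.dport <= hi)

def filter_packet(pkt, rules=RULES, audit=None):
    """First matching rule wins; unmatched or malformed packets are denied."""
    try:
        hit = next((r for r in rules if matches(r, pkt)), None)
        reason = hit.note if hit else "default deny"
    except (ValueError, TypeError):
        hit, reason = None, "malformed packet"
    action = hit.action if hit else "deny"
    if audit is not None:  # the firewall keeps its own log of every decision
        audit.append((action, pkt, reason))
    return action

# Constructed sample traffic.
TRAFFIC = [
    Packet("203.0.113.7", "192.0.2.10", "tcp", 80),   # web request to the proxy
    Packet("192.0.2.10", "10.0.0.5", "tcp", 8080),    # proxy relay to the LAN
    Packet("203.0.113.7", "10.0.0.5", "tcp", 23),     # telnet straight to the LAN
    Packet("203.0.113.7", "192.0.2.10", "tcp", 21),   # no rule: default deny
    Packet("not-an-ip", "192.0.2.10", "tcp", 80),     # malformed source address
]

def run(traffic=TRAFFIC, rules=RULES):
    """Filter a batch of packets and return (decisions, audit log)."""
    audit = []
    return [filter_packet(p, rules, audit) for p in traffic], audit

if __name__ == "__main__":
    for action, pkt, reason in run()[1]:
        print(f"{action:5} {pkt.src} -> {pkt.dst}:{pkt.dport}/{pkt.proto} ({reason})")
```

Moving the final deny rule to the top of the list blocks the proxy relay as well, because the first match wins.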
Firewall Example
[Figure: firewall diagram with the labels Internet, screening router (twice), proxy server, internal LAN, network server, and three clients]

Firewall Example
[Figure: firewall diagram with the labels Internet, firewall, client, WWW, CGI, mail, FTP, telnet, News, NOS]
Authentication
- Authentication is the process of establishing identity as an individual, a
function, or a member of a class of individuals.
- Authentication procedures use one or more factors:
- something you know, something you have, or something you are
- A high-security application generally requires a two-factor authentication
process:
Authentication is frequently confused with authorization - an example is an
ordinary house key.
Possession of the key authenticates one as a member of the class of people
authorized to enter the house.
Passwords:
- password choice, password change,
- password used at multiple sites, password storage
- One-time passwords
- Hardware Tokens and Smart Cards
Authentication Over Internet
- Web Authentication:
- Client Authentication:
- Basic authentication
- Digest authentication
- Client certificates
- Server Authentication:
- public key + SSL
- the certification authority
- Web Sessions:
- Basic authentication
- SSL + session keys
- Digest authentication (encryption) for each session
- Using custom URLs and Cookies
http://www.xyz.com/url/path/name/script.cgi?query&string&with&session_ID
http://www.xyz.com/<sessionID>url/path/name
Securing Data Transactions: Solutions
- Securing Channels
- Establish Secure Sessions Using SSL
- Securing Web Sessions Using S-HTTP
- Secure Electronic Transactions
(Stored-Account Payment Systems)
- First Virtual
- CyberCash
- Secure Electronic Transactions (SET)
- Stored-Value Payment Systems
- E-Cash, CyberCoin, Smart Cards, Mondex, Visa Cash, DigiCash
- Securing E-Cash
Securing Channels
Problems:
- The Internet is inherently an insecure channel for sending messages.
A message is sent from one Internet site to another by going through a
number of intermediate sites. Thus, there is no fixed path and no secured
channel for Internet messages.
- Internet messages are essentially exposed to anyone along the path who
cares to read them.
Solution:
- Provide a secure channel between Web clients and Web servers.
- Netscape’s Secure Sockets Layer (SSL).
- Authentication, Key encryption, Digital Signatures.
- Securing Web Sessions Using S-HTTP.
Insecure Internet Channels
[Figure: diagram with the labels Steve, John, Spy, application, TCP, IP, Data Link, Internet]
Insecure Internet Channels
[Figure: protocol stack, listed top to bottom as on the slide]
- Application Protocols (SET, CyberCash, First Virtual)
- S-HTTP, HTTP, S/MIME; Telnet, mail, news, ftp, nntp, nds, others
- Secure Sockets Layer
- Transport Control Protocol
- Internet Protocol
- Data Link Layer
Securing Channels
About Netscape’s SSL:
- SSL is a layered approach to providing a secure channel. It is another protocol on
top of TCP/IP in the network.
- SSL resides underneath the application layer.
Provided functions and capabilities:
- SSL provides secure communications, authentication of the server,
and data integrity of the message packet.
--> authenticating the Web server and/or client
- SSL provides end-to-end encryption of the data that is sent between a Web client and
Web server
--> encrypting the communication channel.
Limitations:
- SSL only provides secure web sessions. It does not provide any security for mail and
file transfer.
- In the future, it may support encryption of other network services, such as
email and FTP.
Securing Channels
SSL uses two different encryption technologies:
- public key (asymmetric encryption) - a different key is used to decrypt a
message than the one used to encrypt the message.
  - Public key: shared with anyone
  - Private key: known to only one person.
  The two keys work together much like a mechanical lock and key.
  --> used to authenticate the server and/or client and to exchange
  a private session key between the Web server & client.
  Advantage: good for a large group of users; scales well.
  Problem: slower than symmetric encryption.
- private key (symmetric encryption)
  --> secures the communications.
  Advantage: faster than asymmetric encryption.
  Problem: a) both parties have to agree on a shared secret key in advance.
  b) it does not scale well to a large community of users.
Securing Channels
Set up an SSL session (messages between the SSL Web Client and the SSL Web Server):
- Client -> Server: Client Hello (encryption suites, challenge string)
- Server -> Client: Server Hello (server certificate, cipher s, connection ID)
- Client -> Server: Client certificate, encrypted master key
- Client -> Server: Client finish, signed connection ID
- Server -> Client: Server verify, signed challenge string
- Server -> Client: Server finish, signed session ID
- Both directions: Application Data over the established session
Side notes in the diagram: Server Response (client auth., session keys)
Securing Web Sessions Using S-HTTP
About S-HTTP (The Secure HyperText Transfer Protocol):
- an extension of HTTP, the protocol that serves up Web pages.
- developed by Enterprise Integration Technologies.
- commercialized by Terisa Systems.
- distributed to the CommerceNet consortium.
Functions and features:
- Provides a secure means for clients to communicate with Web servers.
- Unlike SSL, S-HTTP runs at the application layer, in parallel with HTTP
and other network services.
- Interoperable with nonsecure HTTP services.
- Supports the negotiation of security properties between clients and servers.
- Supports a number of different security technologies:
  - symmetric encryption for data confidentiality.
  - public key encryption for client/server authentication.
  - message digests for data integrity.