1
Secure HTTP
Herng-Yow Chen
2
Outline
When is digest authentication not strong enough?
How does a more complicated technology secure HTTP transactions from eavesdropping and tampering?
Using digital cryptography.
3
HTTPS
https scheme
security icon
4
HTTPS (cont.)
Figure: protocol stack comparison.
(a) HTTP: HTTP (application layer) over TCP (transport layer) over IP (network layer) over network interfaces (data link layer).
(b) HTTPS: HTTP (application layer) over a security layer, SSL or TLS, over TCP (transport layer) over IP (network layer) over network interfaces (data link layer).
5
Digital cryptography
Ciphers
Keys
Symmetric-key cryptosystems
Asymmetric-key cryptosystems
Public-key cryptography
Digital signatures
Digital certificates
6
Plaintext and Ciphertext
Figure: the plaintext "Meet me at the pier at midnight" goes through an encoder and comes out as the ciphertext "Phhw ph dw wkh slhu dw plgqljkw"; a decoder turns the ciphertext back into the plaintext.
7
Rotate-by-3 cipher example
Plaintext alphabet:  ABCDEFGHIJKLMNOPQRSTUVWXYZ
Cipher alphabet:     DEFGHIJKLMNOPQRSTUVWXYZABC
Plaintext:   MEET ME AT THE PIER AT MIDNIGHT
Ciphertext:  PHHW PH DW WKH SLHU DW PLGQLJKW
8
Keyed Ciphers (rotate-by-n), using different keys
The same Rotate(n) encoder applied to the plaintext "Meet me at the pier at midnight" with three different keys:
(a) Key=1: nffu nf bu uif qjfs bu njeojhiu
(b) Key=2: oggv og cv vjg rkgt cv okfpkijv
(c) Key=3: phhw ph dw wkh slhu dw plgqljkw
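The rotate-by-n cipher above, written out as an added example (not code from the slides): an encoder E(P, e), a decoder D(C, d) with d = e, and the enumeration attack the next slides talk about, which for a 26-key keyspace is just trying every key and looking for a readable result. The crib word "the" used by recover_key is a constructed assumption for the demo.

```python
def rotate_encode(plaintext: str, key: int) -> str:
    """Rotate(n) encoder E(P, e): shift every ASCII letter forward by `key`
    positions, wrapping around the alphabet; case and non-letters pass through."""
    out = []
    for ch in plaintext:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + key) % 26))
        else:
            out.append(ch)
    return "".join(out)


def rotate_decode(ciphertext: str, key: int) -> str:
    """Decoder D(C, d) for the symmetric case d = e: rotating back by the
    same key undoes the encoding."""
    return rotate_encode(ciphertext, -key)


def enumerate_keys(ciphertext: str) -> dict:
    """Enumeration attack: the keyspace has only 26 members, so every
    candidate plaintext can be produced at once."""
    return {k: rotate_decode(ciphertext, k) for k in range(26)}


def recover_key(ciphertext: str, crib: str = "the"):
    """Pick the key whose candidate plaintext contains an expected word (the
    crib, a constructed assumption here); None if no candidate does."""
    for key, candidate in enumerate_keys(ciphertext).items():
        if crib in candidate.lower().split():
            return key
    return None


if __name__ == "__main__":
    message = "Meet me at the pier at midnight"
    for key in (1, 2, 3):
        print(key, rotate_encode(message, key))
    print("recovered key:", recover_key(rotate_encode(message, 3)))
```

The point of enumerate_keys is the contrast with the key-length table that follows: a keyspace of 26 is exhausted in microseconds, and nothing about the cipher's mechanism helps if the keyspace is that small.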
9
Digital Ciphers
10
Plaintext P is encoded with encoding key e by encoder E to produce ciphertext C:
C = E(P, e)
11
Symmetric-Key Cryptography
Ciphertext C is decoded with decoding key d by decoder D to recover plaintext P:
P = D(C, d)
In a symmetric-key cryptosystem the same key is used on both sides: d = e.
Popular symmetric-key cryptography algorithms are DES, Triple-DES, RC2, and RC4.
12
Key Length and Enumeration Attacks
Attack cost      40-bit key   56-bit key   64-bit key   80-bit key     128-bit key
$100,000         2 secs       35 hours     1 year       70,000 years   10^19 years
$1,000,000       200 msecs    3.5 hours    37 days      7,000 years    10^18 years
$10,000,000      20 msecs     21 mins      4 days       700 years      10^17 years
$100,000,000     2 msecs      2 mins       9 hours      70 years       10^16 years
$1,000,000,000   200 usecs    13 secs      1 hour       7 years        10^15 years
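The table above follows one rule: every extra key bit doubles the work of an exhaustive search, and every tenfold increase in attacker budget cuts the time tenfold. The added example below (not from the slides) reproduces the table from that rule, using the top-left cell (a $100,000 attacker exhausting a 40-bit keyspace in 2 seconds) as the calibration point, and adds the question a defender actually asks: how many key bits are needed to hold out against a given budget for a given number of years. The linear budget-to-rate scaling is an assumption read off the table.

```python
import math
from typing import Dict, Iterable

SECONDS_PER_YEAR = 365 * 24 * 3600

# Calibration point taken from the slide's table (constructed assumption:
# budget buys a linearly proportional key-testing rate, as the rows suggest).
CALIBRATION_BUDGET = 100_000
CALIBRATION_BITS = 40
CALIBRATION_SECONDS = 2.0


def keys_per_second(budget: float) -> float:
    """Key-testing rate an attacker with `budget` dollars can buy."""
    return (2 ** CALIBRATION_BITS / CALIBRATION_SECONDS) * (budget / CALIBRATION_BUDGET)


def exhaustive_search_seconds(key_bits: int, budget: float) -> float:
    """Time to try every key: 2**key_bits keys at the attacker's rate."""
    return 2 ** key_bits / keys_per_second(budget)


def bits_needed(budget: float, years: float) -> int:
    """Smallest key length whose exhaustive search takes at least `years`
    for an attacker with this budget (the defender's sizing question)."""
    return math.ceil(math.log2(keys_per_second(budget) * years * SECONDS_PER_YEAR))


def human_duration(seconds: float) -> str:
    """Format seconds in the largest unit that fits, like the slide does."""
    units = [("years", SECONDS_PER_YEAR), ("days", 86_400), ("hours", 3_600),
             ("mins", 60), ("secs", 1), ("msecs", 1e-3), ("usecs", 1e-6)]
    for name, size in units:
        if seconds >= size:
            value = seconds / size
            if value >= 1e6:
                return f"{value:.0e} {name}"
            if value >= 100:
                return f"{value:,.0f} {name}"
            return f"{value:.2g} {name}"
    return f"{seconds:.2g} secs"


def attack_table(budgets: Iterable[float], bit_lengths: Iterable[int]) -> Dict[float, Dict[int, str]]:
    """Rebuild the slide's table: budget -> key length -> formatted duration."""
    bit_lengths = list(bit_lengths)
    return {b: {k: human_duration(exhaustive_search_seconds(k, b)) for k in bit_lengths}
            for b in budgets}


if __name__ == "__main__":
    for budget, row in attack_table([1e5, 1e6, 1e7, 1e8, 1e9], [40, 56, 64, 80, 128]).items():
        print(f"${budget:,.0f}", row)
    print("bits needed to resist $1e9 for 1000 years:", bits_needed(1e9, 1000))
```

Running it reproduces the slide's rows to within rounding (the slide's "35 hours" for a 56-bit key is 2^16 times 2 seconds, about 36 hours) and shows why the 128-bit column is the only one that stays out of reach at every budget.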
13
Public-Key Cryptography
Using different keys for encoding and decoding.
Figure: the client encodes its plaintext with the server's public key es and sends the encrypted ciphertext across the Internet; the server decodes it back to plaintext with its private key ds.
14
Public-key cryptography assigns a single, public encoding key to each host.
Figure: (a) Symmetric-key cryptography: to talk to host X, each of the hosts A, B, C, and D needs its own secret key shared with X (kAX, kBX, kCX, kDX). (b) Public-key cryptography: A, B, C, and D all encode for X with the one public key eX.
15
Signatures Are Cryptographic Checksums
Figure: A computes a message digest of the plaintext message and runs the digest through decoder D with A's private key dA; the result is the signature, sent along with the message. B recomputes the message digest from the received message, runs the signature through encoder E with A's public key eA to recover the digest A signed, and checks whether the two digests are the same.
16
The Guts of a Certificate
17
X.509 v3 Certificates
18
Verifying that a signature is real
Figure: B runs the certificate's signature through encoder E with the signing authority's public key to recover the digest the authority signed, recomputes the message digest of the certificate contents, and checks whether the two are the same.
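The signing and verifying pictures above (slides 15 and 18), carried through in code as an added example that is not part of the lecture: the signer hashes the message, applies the private key to the digest, and the verifier applies the public key to the signature and compares with a freshly computed digest. The key pair is a constructed toy RSA key built from two Mersenne primes so the numbers fit on a screen; it shows the mechanism in the figure, not a production signature scheme.

```python
import hashlib

# Constructed toy RSA key pair (NOT a real-world key size). The factors are
# the Mersenne primes 2^107-1 and 2^127-1, so N is about 234 bits: wide enough
# that a 224-bit SHA-224 digest is a valid RSA input, small enough to read.
# Real certificates use moduli of 2048 bits or more.
P = 2**107 - 1
Q = 2**127 - 1
N = P * Q
E = 65537                              # public key eA (given to everyone)
D = pow(E, -1, (P - 1) * (Q - 1))      # private key dA (kept by A); Python 3.8+


def message_digest(message: bytes) -> int:
    """The 'cryptographic checksum' step: a fixed-size digest of the message."""
    return int.from_bytes(hashlib.sha224(message).digest(), "big")


def sign(message: bytes, private_key: int = D) -> int:
    """A's side of the figure: the signature is the digest run through the
    private-key operation."""
    return pow(message_digest(message), private_key, N)


def verify(message: bytes, signature: int, public_key: int = E) -> bool:
    """B's side: run the signature through the public-key operation to get
    the digest A signed, recompute the digest of what was received, compare."""
    if not 0 < signature < N:
        return False
    return pow(signature, public_key, N) == message_digest(message)


if __name__ == "__main__":
    msg = b"Meet me at the pier at midnight"
    sig = sign(msg)
    print("genuine message verifies:", verify(msg, sig))
    print("tampered message verifies:", verify(b"Meet me at the pier at noon", sig))
```

Two things the figure leaves implicit are visible here: any change to the message changes the digest, so the comparison fails, and only the holder of dA can produce a value that survives the public-key step. Real signature schemes (RSA PKCS#1 v1.5 or PSS, as used in X.509 certificates) add padding to the digest before the private-key operation; the bare operation above is shown only to mirror the slide.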
19
HTTPS Overview
Figure: the same protocol stack comparison as on slide 4: (a) HTTP runs directly over TCP/IP; (b) HTTPS inserts a security layer (SSL or TLS) between HTTP and TCP.
20
HTTPS Schemes
(a) HTTP: the client sends an HTTP request to the server on port 80.
(b) HTTPS: the client sends an HTTPS request to the secure server on port 443.
(c) HTTPS over an HTTP tunnel: the client sends the HTTPS traffic to a proxy on port 8080, which tunnels it through to the secure server on port 443.
21
Secure Transport Setup
22
Secure Transport Setup (cont.)
(a) Unencrypted HTTP transaction; (b) Encrypted HTTPS transaction
23
SSL Handshake (simplified)
24
Server Certificates
Figure: the server sends its server certificate to the client across the Internet. Fields shown:
Certificate serial number: 35:DE:F4:CF
Certificate expiration date: Wed, Sep 17, 2003
Site's organization name: Joe's Hardware Online
Site's DNS hostname: www.joes-hardware.com
Site's public key
Certificate issuer name: RSA Data Security
Certificate issuer signature: John Doe
HTTPS certificates are X.509 certificates with site information.
25
Virtual Hosting and Certificates
Certificate name mismatches bring up certificate error dialog boxes.
26
Virtual Hosting and Certificates (cont.)
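The checks behind the "certificate error dialog boxes" mentioned above, as an added example that is not part of the lecture: a browser compares the hostname it was asked for against the name(s) in the certificate and checks the expiration date. The certificate record below is constructed from the fields on the server-certificate slide (it is a plain dictionary, not a parsed X.509 object), the two clock values are constructed, and the wildcard rule (a `*` may stand only for the whole leftmost label) follows common browser practice.

```python
from datetime import datetime, timezone
from typing import Any, Dict, List

# Constructed sample record mirroring the fields shown on the slide.
SAMPLE_CERT: Dict[str, Any] = {
    "serial": "35:DE:F4:CF",
    "not_after": datetime(2003, 9, 17, tzinfo=timezone.utc),
    "organization": "Joe's Hardware Online",
    "hostnames": ["www.joes-hardware.com"],   # name(s) the issuer vouched for
    "issuer": "RSA Data Security",
}
# Constructed clock values for the demonstration.
BEFORE_EXPIRY = datetime(2003, 1, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2004, 1, 1, tzinfo=timezone.utc)


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match, or a wildcard that replaces only the
    whole leftmost label: *.example.com covers shop.example.com but not
    example.com, a.b.example.com, or a bare *.com."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    suffix = pattern[2:].split(".")
    labels = hostname.split(".")
    return len(suffix) >= 2 and len(labels) == len(suffix) + 1 and labels[1:] == suffix


def certificate_problems(cert: Dict[str, Any], requested_host: str, now: datetime) -> List[str]:
    """Reasons a browser would raise the error dialog; an empty list means accept.
    A virtual host served under a name the certificate does not list shows
    up here as a name mismatch even though the certificate itself is valid."""
    problems = []
    if not any(hostname_matches(p, requested_host) for p in cert["hostnames"]):
        problems.append(
            f"name mismatch: certificate is for {', '.join(cert['hostnames'])}, "
            f"request was for {requested_host}")
    if now > cert["not_after"]:
        problems.append(f"expired on {cert['not_after'].date()}")
    return problems


if __name__ == "__main__":
    print(certificate_problems(SAMPLE_CERT, "www.joes-hardware.com", BEFORE_EXPIRY))
    print(certificate_problems(SAMPLE_CERT, "joes-hardware.com", BEFORE_EXPIRY))
    print(certificate_problems(SAMPLE_CERT, "www.joes-hardware.com", AFTER_EXPIRY))
```

The second call is the virtual-hosting case: the certificate is genuine and unexpired, but the name the user typed is not one it was issued for, so the client must refuse rather than guess.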
27
Tunneling Secure Traffic Through Proxies
Figure: clients inside the corporate security perimeter reach the public Internet only through the corporate firewall proxy.
28
Tunneling Secure Traffic Through Proxies (cont.)
Figure: client.ncnu.edu.tw sends its HTTPS traffic, which to the proxy is just an unreadable stream of encrypted bytes, through proxy.ncnu.edu.tw toward www.cajun-gifts.com.
Proxy cannot proxy an encrypted request.
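Because the proxy cannot read the encrypted request, HTTPS through a proxy uses the HTTP tunnel of scheme (c) on slide 20: the client first sends a plaintext CONNECT request naming only the destination host and port, the proxy answers with a status line, and only after a 2xx answer does the client start the SSL/TLS handshake through the opened tunnel. The added example below (not from the lecture) builds and parses both sides of that exchange; the hostnames are the ones on the slide, the byte strings are constructed, and no network is used.

```python
from typing import Optional, Tuple


def build_connect_request(host: str, port: int, proxy_authorization: Optional[str] = None) -> bytes:
    """Client -> proxy: ask for a raw TCP tunnel to host:port. This request
    line is the only thing the proxy ever sees in the clear."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if proxy_authorization:
        lines.append(f"Proxy-Authorization: {proxy_authorization}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def connect_target(request: bytes) -> Tuple[str, int]:
    """Proxy side: extract the destination from the CONNECT line. Everything
    that follows the tunnel being opened is opaque ciphertext to the proxy."""
    request_line = request.split(b"\r\n", 1)[0].decode("ascii")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/"):
        raise ValueError(f"not a CONNECT request: {request_line!r}")
    host, _, port = parts[1].rpartition(":")
    if not host or not port.isdigit():
        raise ValueError(f"malformed authority: {parts[1]!r}")
    return host, int(port)


def parse_connect_response(data: bytes) -> Tuple[int, bytes]:
    """Proxy -> client: parse the status line and hand back any bytes that
    arrived after the blank line; those already belong to the tunnel (the
    start of the TLS handshake), not to HTTP, and must not be discarded."""
    head, sep, leftover = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response (end of headers not seen yet)")
    parts = head.split(b"\r\n", 1)[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {head[:40]!r}")
    return int(parts[1]), leftover


def tunnel_established(data: bytes) -> bool:
    """Only a 2xx reply opens the tunnel; on 407, 403 or anything else the
    client must not start a TLS handshake on this connection."""
    status, _ = parse_connect_response(data)
    return 200 <= status < 300


if __name__ == "__main__":
    req = build_connect_request("www.cajun-gifts.com", 443)
    print(req)
    print("proxy sees only:", connect_target(req))
    reply = b"HTTP/1.1 200 Connection established\r\n\r\n\x16\x03\x01"
    print("tunnel open:", tunnel_established(reply), "leftover for TLS:", parse_connect_response(reply)[1])
```

The leftover-bytes handling is the detail most home-grown clients get wrong: a proxy may send the first TLS record in the same packet as its status line, and a client that reads the response with a plain "read until blank line and drop the rest" loses the start of the handshake.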
29
Reference
HTTP Security
Web Security, Privacy & Commerce, Simson Garfinkel, O’Reilly & Associates, Inc. This is one of the best, most readable introductions to web security and the use of SSL/TLS and digital certificates.
http://www.ietf.org/rfc/rfc2818.txt RFC 2818, “HTTP Over TLS,” specifies how to implement secure HTTP over Transport Layer Security (TLS), the modern successor to SSL.
http://www.ietf.org/rfc/rfc2817.txt RFC 2817, “Upgrading to TLS Within HTTP/1.1,” explains how to use the Upgrade mechanism in HTTP/1.1 to initiate TLS over an existing TCP connection. This allows unsecured and secured HTTP traffic to share the same well-known port (in this case, http: at 80 rather than https: at 443). It also enables virtual hosting, so a single HTTP+TLS server can disambiguate traffic intended for several hostnames at a single IP address.
30
Reference (cont.)
SSL and TLS
http://www.ietf.org/rfc/rfc2246.txt RFC 2246, “The TLS Protocol Version 1.0,” specifies Version 1.0 of the TLS protocol (the successor to SSL). TLS provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery.
http://developer.netscape.com/docs/manuals/security/sslin/contents.htm “Introduction to SSL” introduces the Secure Sockets Layer (SSL) protocol. Originally developed by Netscape, SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers.
http://www.netscape.com/eng/ssl3/draft302.txt “The SSL Protocol Version 3.0” is Netscape’s 1996 specification for SSL.
31
Reference (cont.)
http://developer.netscape.com/tech/security/ssl/howitworks.html
“How SSL Works” is Netscape’s introduction to key cryptography.
http://www.openssl.org The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general-purpose cryptography library.