Users and security · Encryption • Two-way encryption – Allows data to be encrypted and...
Transcript of Users and security · Encryption • Two-way encryption – Allows data to be encrypted and...
![Page 1: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/1.jpg)
Users and security • Authentication
– Making sure a user is who they say they are – ...on every request!
• Authorization – Making sure a user can only get to information they are
supposed to see – Making sure a user can only perform actions they are
supposed to
![Page 2: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/2.jpg)
Authentication • Username/password combination
– Most basic level of authentication 1. Get username/password from user 2. Verify against username/password stored in database
– Security concerns • Passwords stolen from database • Passwords intercepted in transit • Passwords sent to a rogue server • Password strength • Social engineering
![Page 3: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/3.jpg)
Database-level security • The obvious stuff
– Deny everything, allow what is necessary • Isolate, firewall
• Storing passwords (and other confidential information) – Don’t unless you have to! – Hash the password and store that instead
• One-way, cannot recover original • No one can get the actual passwords from the db
– For verification, hash the incoming password and compare to the stored hash
![Page 4: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/4.jpg)
Hashing • Vulnerable to brute-force attacks
– Attacker gets the hash – Attacker guesses passwords and hashes them until one
matches – Not as hard as it sounds
• Faster hardware, weak passwords, lookup tables
• MD5, SHA1 – Commonly available, out of date
• Public tables exist to crack any MD5 hash for passwords up to 8 characters
• SHA256, SHA521, BLOWFISH – Much better options, designed to run slowly
• But still can be brute-forced
![Page 5: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/5.jpg)
Hashing with salts • Make brute-force less efficient, leverage complexity
– Longer passwords – Slower hashing algorithms – Larger space of possible hashes
• Salting – Concatenate a random string to each password before
hashing – Store the random string (not secret) with the hash – Defeats look-up tables that pre-calculate hashes
![Page 6: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/6.jpg)
Example Hash $2a$10$KssILxWNR6k62B7yiX0GAe2Q7wwHlrzhF3LqtVvpyvHZf0MwvNfVu
• Bcrypt MCF format: – $<type>$<cost>$<salt><hash> – Type identifies the algorithm:
• 1 = md5 • 2, 2a, 2y = blowfish variants
– Cost is the number of iterations to run (making it slower) – Salt is 22 characters, hash is 31
![Page 7: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/7.jpg)
Encryption • Two-way encryption
– Allows data to be encrypted and decrypted – AES is the standard
• Implemented in MySQL and in PHP (Mcrypt)
– Relies on a secure key
• If the key is compromised, all encrypted data can be decrypted! – Again, only use if recovery is absolutely necessary (credit
cards, soc sec #s, etc)
![Page 8: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/8.jpg)
Use tested code • Don’t roll your own security code!
– Too easy to make errors – Especially with complex systems like AES
• Use an established library – Already well tested – Verified by people who actually understand the math – PHPass – MySQL AES_ENCRYPT/AES_DECRYPT
![Page 9: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/9.jpg)
Network-level security • What’s going over the wire?
– Data from client to server • Passwords, for instance
– Data back from server to client • URL query strings • Hidden form fields
– Data from web app to database? • Where does encryption happen?
![Page 10: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/10.jpg)
Encrypted network traffic • Everything on the internet wires is public!
– Too many points of failure to control – You must encrypt any private data
• A secret message for you:
BDB FKHHVH
![Page 11: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/11.jpg)
Encrypted network traffic • Everything on the internet wires is public!
– Too many points of failure to control – You must encrypt any private data
• Encrypting a conversation requires a priori information – You must have a trusted, private conversation first
• Solution: asymmetric encryption
![Page 12: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/12.jpg)
Asymmetric encryption • Public key/private key
– Public key is given out to everyone – Private key is kept secret
• To send a private message: – Encrypt with the public key – Can only be decrypted with the private key – Message is private
• To receive a message: – Encrypted with private key – Can be decrypted by anyone with the public key – Verifies that it was sent by the private key holder
![Page 13: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/13.jpg)
How does it work? • Math competition!
![Page 14: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/14.jpg)
How does it work? • Math competition!
– 71 and 37 are prime numbers – What is 71 * 37?
![Page 15: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/15.jpg)
How does it work? • Math competition!
– 158987 is the product of two prime numbers – What are those prime numbers?
![Page 16: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/16.jpg)
How does it work? • Math competition!
– 158987 is the product of two prime numbers – What are those prime numbers?
• (919 and 173)
![Page 17: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/17.jpg)
How does it work? • Based on a problem that is:
– Very hard to solve in one direction – Easy to solve in the other direction
• Factoring prime numbers – Find the largest prime factors of 293492849128492911
• Very hard to solve, a lot of guessing and checking
– But given the factors, easy to generate the original number
![Page 18: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/18.jpg)
Public-key encryption • This map is my public key
(everyone can see) • To send me a secret
number: – Draw out that map
![Page 19: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/19.jpg)
Public-key encryption • This map is my public key
(everyone can see) • To send me a secret
number: – Draw out that map – Put numbers on each corner
(can be negative) that add up to the number you chose
3 2
8
4
1
9
2
6
4
-4
![Page 20: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/20.jpg)
Public-key encryption • This map is my public key
(everyone can see) • To send me a secret
number: – Draw out that map – Put numbers on each corner
(can be negative) that add up to the number you chose
– For each corner, add the number on that corner to the numbers on all connected corners
– Tell me those totals only
3 2
8
4
1
9 14
15
14
2
6
4
-4
![Page 21: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/21.jpg)
Public-key encryption • This map is my private key
![Page 22: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/22.jpg)
Public-key encryption • This map is my private key • Marked intersections
– Indicate nodes that separate the graph
– The sum of those nodes is the original number
![Page 23: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/23.jpg)
Public-key encryption • This map is my private key • Marked intersections
– Indicate nodes that separate the graph
– The sum of those nodes is the original number
– Finding the separating intersections on a map with 100 nodes is a hard problem
– Factoring primes is harder
![Page 24: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/24.jpg)
Encrypted network traffic • Transport Layer Security (TLS)
– Encryption of HTTP traffic – Used to be called SSL – Pretty universally supported
• Starting a private (encrypted) conversation 1. Get the public key of the server 2. Encrypt a message with the public key and send
• Typically parameters for further encryption
3. Only the server can decrypt it!
![Page 25: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/25.jpg)
Encrypted network traffic • Transport Layer Security (TLS)
– Encryption of HTTP traffic – Used to be called SSL – Pretty universally supported
• Starting a private (encrypted) conversation 1. Get the public key of the server 2. Encrypt a message with the public key and send
• Typically parameters for further encryption
3. Only the server can decrypt it! (See any problems?)
![Page 26: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/26.jpg)
Encrypted Network Traffic • Anyone can claim to be the server
– Man-in-the-middle attack – Send you bogus public key
• Solution? – Certificate authorities
• Ask CA to verify public key actually belongs to server
![Page 27: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/27.jpg)
Encrypted Network Traffic • Anyone can claim to be the server
– Man-in-the-middle attack – Send you bogus public key
• Solution? – Certificate authorities
• Known reliable source • Ask CA to verify public key actually belongs to server (See any problems?)
![Page 28: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/28.jpg)
Encrypted Network Traffic • Anyone can claim to be the server
– Man-in-the-middle attack – Send you bogus public key
• Solution? – Certificate authorities
• Known reliable source • Ask CA to verify public key actually belongs to server (See any problems?) • Man-in-the-middle attack • Send you bogus verification • Solution?
![Page 29: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/29.jpg)
Encrypted Network Traffic • Anyone can claim to be the server
– Man-in-the-middle attack – Send you bogus public key
• Solution? – Certificate authorities
• Known reliable source • Ask CA to verify public key actually belongs to server (See any problems?) • Man-in-the-middle attack • Send you bogus verification • Solution?
– Web browser has public key for known CAs a priori
![Page 30: Users and security · Encryption • Two-way encryption – Allows data to be encrypted and decrypted – AES is the standard • Implemented in MySQL and in PHP (Mcrypt) – Relies](https://reader034.fdocuments.us/reader034/viewer/2022050313/5f759f19347cf3713b4a066e/html5/thumbnails/30.jpg)
Back to authentication • Security concerns
– Passwords stolen from database – Passwords intercepted in transit – Passwords sent to a rogue server
• Certificate Authorities
– Password strength – Social engineering
• Session IDs – Login credentials not resent with every request – Encryption to prevent session hijacking – Rotating session IDs