PPT ON WEB SECURITY BY MONODIP SINGHA ROY
Transcript of PPT ON WEB SECURITY BY MONODIP SINGHA ROY
![Page 1: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/1.jpg)
WEB SECURITY (SECURE SOCKET LAYER)
MONODIP SINGHA ROY, M.TECH, Dr. B.C. ROY ENGINEERING COLLEGE
![Page 2: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/2.jpg)
Contents
◦WEB SECURITY
◦WEB SECURITY TERMINOLOGY
◦SSL (SECURE SOCKET LAYER)
◦SSL ARCHITECTURE
◦TLS (TRANSPORT LAYER SECURITY)
◦PROS AND CONS OF SSL/TLS
◦SUMMARY
![Page 3: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/3.jpg)
WEB SECURITY
Almost everything in today's world relies on computers and the internet.
◦Communications (emails, phones)
◦Transportation (car engine systems, airplane navigation systems)
◦Medicine (medical records, equipment)
◦Shopping (online stores, online payments)
◦Entertainment (digital cable)
![Page 4: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/4.jpg)
What is WEB SECURITY?
Web security, also known as "cyber security", involves protecting information by protecting against, preventing and responding to attacks.
![Page 5: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/5.jpg)
WEB SECURITY: TERMINOLOGY
HACKERS: People who strive to exploit weaknesses in software and computers for their own gain.
VIRUSES: Infect your computer before you can actually do anything about it.
WORMS: Propagate without user intervention.
TROJAN: Software that claims to do one thing while in fact doing something else in the background.
![Page 6: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/6.jpg)
WEB SECURITY: TERMINOLOGY
RANSOMWARE:
◦A form of Trojan that has existed since 1989, also known as the 'PC CYBORG' Trojan.
◦It affects the user's computer by encrypting the user's personal files.
◦The victim is then contacted and offered the decryption key in exchange for cash.
![Page 7: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/7.jpg)
WEB SECURITY: TERMINOLOGY
KEYLOGGERS:
◦Software that monitors user activity such as the keys typed on the keyboard.
◦Keyloggers can: record keystrokes on keyboards; record mouse movement and clicks; record menus that are invoked; take screenshots of the desktop at predefined intervals.
![Page 8: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/8.jpg)
Web Security
The Web is now widely used by business, government and individuals, but the Internet and the Web are vulnerable and face a variety of threats:
◦integrity
◦confidentiality
◦denial of service
◦authentication
Added security mechanisms are needed.
![Page 9: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/9.jpg)
What is SSL?
SSL (Secure Socket Layer) provides a secure transport connection between applications (e.g., a web server and a browser).
◦SSL was developed by Netscape.
◦It uses TCP to provide a reliable end-to-end service.
◦SSL has two layers of protocols.
◦SSL v3.0 was specified in an Internet Draft (1996); it evolved into RFC 2246 and was renamed TLS (Transport Layer Security).
◦TLS can be viewed as SSL v3.1.
![Page 10: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/10.jpg)
SSL Architecture
![Page 11: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/11.jpg)
SSL Components
SSL HANDSHAKE PROTOCOL
• Negotiation of security algorithms and parameters.
• Key exchange.
• Server authentication and optionally client authentication.
SSL RECORD PROTOCOL
• Fragmentation.
• Compression.
• Encryption.
• Message authentication and integrity protection.
SSL ALERT PROTOCOL
• Error messages (fatal alerts and warnings).
SSL CHANGE CIPHER SPEC PROTOCOL
• A single message that indicates the end of the SSL handshake.
![Page 12: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/12.jpg)
Sessions and Connections
An SSL session is a connection between client and server. Sessions are stateful; the session state includes the security algorithms and parameters. A session may include multiple secure connections between the same server and client. Connections of the same session share the session state. Sessions are used to avoid the expensive negotiation of new security parameters for each connection.
![Page 13: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/13.jpg)
Session States
Session state:
◦Session identifier: an arbitrary byte sequence chosen by the server to identify the session.
◦Peer certificate: may be null.
◦Compression method.
◦Cipher spec: bulk data encryption algorithm and MAC algorithm (e.g. DES, MD5).
◦Master key: a 48-byte secret key shared between client and server.
◦Resumable: a flag indicating whether the session can be used to initiate new connections.
![Page 14: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/14.jpg)
Connection States
Connection state:
◦Server and client random: random byte sequences chosen by the server and the client for each new connection.
◦Server write MAC secret: secret key used in MAC operations on data sent by the server.
◦Client write MAC secret: secret key used in MAC operations on data sent by the client.
◦Server write key: secret encryption key for data encrypted by the server.
◦Client write key: secret encryption key for data encrypted by the client.
![Page 15: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/15.jpg)
How do states change?
◦Operating state: the state currently in use.
◦Pending state: the state to be used next.
◦Operating state ← Pending state: at the transmission and reception of the Change Cipher Spec message.
◦The sending part of the pending state is copied into the sending part of the operating state when Change Cipher Spec is transmitted.
◦The receiving part of the pending state is copied into the receiving part of the operating state when Change Cipher Spec is received.
(Diagram: Party A and Party B each send a Change Cipher Spec message.)
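The state swap described on this slide, as an added example that is not part of the original deck: a small model of one endpoint's operating and pending connection states, where sending Change Cipher Spec switches only the write half and receiving it switches only the read half (class and field names are illustrative).

```python
# Added example (not from the slides): a minimal model of an SSL/TLS
# endpoint's operating (current) and pending connection states, and of
# how a Change Cipher Spec message moves one half of the pending state
# into the operating state. Field names here are illustrative.
from dataclasses import dataclass, field, replace
from typing import Optional


@dataclass
class HalfState:
    """One direction of a connection state: the write (send) or read (receive) half."""
    cipher: str = "NULL"             # bulk cipher; "NULL" before the handshake completes
    mac_alg: str = "NULL"            # MAC algorithm
    key: Optional[bytes] = None      # write key for this direction
    mac_secret: Optional[bytes] = None
    seq_num: int = 0                 # record sequence number, reset when the cipher changes


@dataclass
class ConnectionState:
    """Operating and pending states, each split into a write half and a read half."""
    current_write: HalfState = field(default_factory=HalfState)
    current_read: HalfState = field(default_factory=HalfState)
    pending_write: HalfState = field(default_factory=HalfState)
    pending_read: HalfState = field(default_factory=HalfState)

    def negotiate(self, cipher: str, mac_alg: str, write_key: bytes, read_key: bytes,
                  write_mac: bytes, read_mac: bytes) -> None:
        """Handshake results land in the pending state only; the wire is unchanged so far."""
        self.pending_write = HalfState(cipher, mac_alg, write_key, write_mac, 0)
        self.pending_read = HalfState(cipher, mac_alg, read_key, read_mac, 0)

    def send_change_cipher_spec(self) -> None:
        """Transmitting Change Cipher Spec: the sending half of pending becomes operating."""
        self.current_write = replace(self.pending_write, seq_num=0)

    def receive_change_cipher_spec(self) -> None:
        """Receiving Change Cipher Spec: the receiving half of pending becomes operating."""
        self.current_read = replace(self.pending_read, seq_num=0)


def demo() -> ConnectionState:
    """Walk one endpoint through the swap; the two halves switch at different moments."""
    st = ConnectionState()
    st.negotiate("AES-128-CBC", "HMAC-SHA1", b"w" * 16, b"r" * 16, b"wm" * 10, b"rm" * 10)
    st.send_change_cipher_spec()               # we now protect what we send...
    assert st.current_read.cipher == "NULL"    # ...but still read plaintext until the peer's CCS
    st.receive_change_cipher_spec()
    return st
```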
![Page 16: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/16.jpg)
SSL session
◦an association between client and server
◦created by the Handshake Protocol
◦defines a set of cryptographic parameters
◦may be shared by multiple SSL connections
SSL connection
◦a transient, peer-to-peer communications link
◦associated with one SSL session
![Page 17: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/17.jpg)
SSL Handshake Protocol
The Handshake Protocol is used to exchange all the information required by both sides for the exchange of the actual application data over Transport Layer Security.
![Page 18: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/18.jpg)
SSL Record Protocol
Confidentiality:
◦using symmetric encryption with a shared secret key defined by the Handshake Protocol
◦IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
◦the message is compressed before encryption
Message integrity:
◦using a MAC with a shared secret key
◦similar to HMAC but with different padding
![Page 19: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/19.jpg)
SSL Change Cipher Spec Protocol
◦one of the 3 SSL-specific protocols which use the SSL Record Protocol
◦a single message
◦causes the pending state to become current, hence updating the cipher suite in use.
![Page 20: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/20.jpg)
SSL Alert Protocol
◦conveys SSL-related alerts to the peer entity
◦severity: warning or fatal
◦specific alerts: unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter, close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
◦compressed and encrypted like all SSL data
![Page 21: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/21.jpg)
What is TLS?
An Internet Engineering Task Force standard, RFC 2246, similar to SSLv3 with minor differences:
◦in the record format version number
◦uses HMAC for the MAC
◦has optional alert codes
◦some changes in supported ciphers
◦changes in the use of certificate negotiation
◦changes in the use of padding
![Page 22: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/22.jpg)
Changes from SSLv3 to TLS
◦Fortezza removed
◦Additional alerts added
◦Modification of hash calculation
◦Protocol version 3.1 in client hello and server hello
![Page 23: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/23.jpg)
TLS: Privacy
◦Encrypt the message so it cannot be read
◦Use conventional cryptography with a shared key
◦DES, 3DES
◦RC2, RC4
◦IDEA
(Diagram: A's message travels as unreadable ciphertext and is recovered as the message at B.)
![Page 24: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/24.jpg)
TLS: Key Exchange
◦Need a secure method to exchange the key
◦Use public key encryption for this
◦Choices are RSA and Diffie-Hellman
![Page 25: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/25.jpg)
TLS: Integrity
Compute a fixed-length message authentication code (MAC):
◦includes a hash of the message
◦includes a shared secret key
◦includes a sequence number
◦transmit the MAC with the message
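The record-layer steps from the SSL Record Protocol slide (fragmentation, then a MAC under a shared secret) and the MAC inputs listed on this slide, as an added example that is not from the original deck: it builds the TLS 1.0 record MAC of RFC 2246 (HMAC over sequence number, content type, version, length and fragment) and shows the receiver rejecting a replayed, reordered or tampered record. The MAC secret and application data are constructed; compression and encryption are omitted.

```python
# Added example (not from the slides): the TLS 1.0 record-layer MAC as
# RFC 2246 defines it, over fragmented application data. The MAC key and
# data below are constructed; encryption (applied after the MAC) is omitted.
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14      # TLS plaintext record limit (16 KiB)
APPLICATION_DATA = 23       # ContentType value for application data
TLS1_0 = b"\x03\x01"        # protocol version 3.1, i.e. TLS 1.0


def fragment(data: bytes, limit: int = MAX_FRAGMENT) -> list:
    """Record protocol step 1: split application data into record-sized fragments."""
    return [data[i:i + limit] for i in range(0, len(data), limit)] or [b""]


def record_mac(mac_secret: bytes, seq_num: int, ctype: int, frag: bytes) -> bytes:
    """HMAC-SHA1 over seq_num || type || version || length || fragment (RFC 2246 6.2.3.1).

    The 64-bit sequence number is never sent; both sides count records themselves,
    which is what lets the receiver notice replayed or reordered records.
    """
    header = struct.pack("!QB2sH", seq_num, ctype, TLS1_0, len(frag))
    return hmac.new(mac_secret, header + frag, hashlib.sha1).digest()


def protect(mac_secret: bytes, data: bytes, first_seq: int = 0) -> list:
    """Sender side: a list of (fragment, mac) records; seq_num advances per record."""
    return [(frag, record_mac(mac_secret, first_seq + i, APPLICATION_DATA, frag))
            for i, frag in enumerate(fragment(data))]


def verify(mac_secret: bytes, records: list, expected_seq: int = 0) -> bytes:
    """Receiver side: reassemble, rejecting any record whose MAC does not match."""
    out = bytearray()
    for frag, mac in records:
        # Recompute under the receiver's own counter; a replayed or reordered
        # record was MACed under a different seq_num and fails here.
        expected = record_mac(mac_secret, expected_seq, APPLICATION_DATA, frag)
        if not hmac.compare_digest(expected, mac):
            raise ValueError("bad record mac at sequence number %d" % expected_seq)
        out += frag
        expected_seq += 1
    return bytes(out)
```

A failed check here corresponds to the "bad record MAC" alert listed on the SSL Alert Protocol slide, which in a real stack is fatal for the connection.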
![Page 26: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/26.jpg)
TLS: Authentication
◦Verify the identities of the participants
◦Client authentication is optional
◦A certificate is used to associate an identity with a public key and other attributes
(Diagram: certificates exchanged between A and B.)
![Page 27: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/27.jpg)
TLS: HTTP Application
◦HTTP is the most common TLS application: https://
◦Requires a TLS-capable web server
◦Requires a TLS-capable web browser
◦Netscape Navigator
◦Internet Explorer
◦Cryptozilla
![Page 28: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/28.jpg)
Implementation of SSL/TLS
SSL and TLS have been widely implemented:
◦Open source software projects (OpenSSL, NSS and GnuTLS)
◦Microsoft Windows: part of its Secure Channel
◦Browsers: Apple Safari, Internet Explorer, Mozilla Firefox
![Page 29: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/29.jpg)
Pros & Cons of SSL/TLS
Pros:
◦Customers will trust your website: many visitors are now savvy enough to recognize when a web page is encrypted and protected by SSL.
◦Avoid disputes due to credit/debit card fraud: visitors who use their credit/debit card information on unprotected servers face identity theft.
![Page 30: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/30.jpg)
Cons:
◦Regular renewal: just like a website domain and hosting plan, SSL certificates also expire after a short period of time, usually one to five years.
◦Complex installation: SSL is very difficult to install on websites for those who are unfamiliar with website development.
![Page 31: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/31.jpg)
Application of SSL/TLS
On top of the transport layer protocols:
◦primarily with TCP
◦Datagram Transport Layer Security (DTLS) for UDP
Encapsulating the application protocols:
◦HTTP: securing WWW traffic
◦FTP, SMTP, etc.
![Page 32: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/32.jpg)
SUMMARY
SSL/TLS address the need for security in internet communications:
◦Privacy: conventional encryption
◦Integrity: message authentication codes
◦Authentication: X.509 certificates
SSL is in use today with web browsers and servers.
![Page 33: PPT ON WEB SECURITY BY MONODIP SINGHA ROY](https://reader035.fdocuments.in/reader035/viewer/2022081801/588921081a28ab77528b54a1/html5/thumbnails/33.jpg)
Thank You