Web Security. Introduction: Understand applicable laws, legal issues and ethical issues regarding computer crime

Transcription

1 International Journal for Science and Emerging ISSN No. (Online): Technologies with Latest Trends 12(1): 1-6 (2013) ISSN No. (Print): Web Security Amandeep Kang*, Navdeep Kaholn** and Mandeep*** Swami Sarvanand Institute Management & Technology Punjab, India (Received 9 September 2013 Accepted 5 October 2013) Abstract: The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to compromises of various sorts, with a range of threats as shown. These can be described as passive attacks including eavesdropping on network traffic between browser and server and gaining access to information on a Web site that is supposed to be restricted, and active attacks including impersonating another user, altering messages in transit between client and server, and altering information on a Web site. The web needs added security mechanisms to address these threats. Keywords: Web Security Overview, SSL (Secure Socket Layer), SSL Architecture, Difference between an SSL connection and an SSL Session, protocols comprise SSL,SSL Alert Protocol:, The State of Web Security Issues Introduction: This course presents the foundational principles of information and web security in the context of the systems development and security life cycle process. The focus is on both managerial as well as technical aspects. This course covers security principles; security needs, threats, and attacks; legal, ethical and professional issues; security technology including firewalls, VPNs, intrusion detection, access control; cryptography; physical security; security implementation; security maintenance and change management. The course is platform independent and supports the CISSP certification. Course Objectives: at the completion of this course, you will:understand security concepts, security professional roles, and security resources in the context of systems and security development life cycle Understand applicable laws, legal issues and ethical issues regarding computer crime Understand the business need for security, threats, attacks, top ten security vulnerabilities, and secure software development Understand risk management concepts, risk identification and assessment, risk control strategies, quantitative and qualitative risk control practices, risk management and risk control practices Understand information security policies, standards and practices, the information security blueprint Understand the use of firewall and VPN technologies in physical design Understand the use of intrusion detection, access control and other security tools in physical design

2 2 Amandeep Kang*, Navdeep Kaholn** and Mandeep*** Understand cryptography concepts, algorithms, and digital signatures used to protect information Understand the concepts and techniques for establishing physical security Three higher-layer protocols are also defined as part of SSL: the Handshake Protocol, Change Cipher Spec Protocol, and Alert Protocol. These SSL-specific protocols are used in the management of SSL exchanges. Understand how to implement and execute the information security blueprint Understand the information security function within the organization, HR and staffing issues, security credentials, and privacy Understand security maintenance issues, the use of security management models, and the use of digital forensics. SSL (Secure Socket Layer) SSL probably most widely used Web security mechanism. Its implemented at the Transport layer; cf IPSec at Network layer; or various Application layer mechanisms eg. S/MIME & SET (later). SSL is designed to make use of TCP to provide a reliable end-to-end secure service. Netscape originated SSL. Version 3 of the protocol was designed with public review and input from industry and was published as an Internet draft document. Subsequently, the IETF TLS working group was formed to develop a common standard. SSL is not a single protocol but rather two layers of protocol, as shown next. SSL Architecture The SSL Record Protocol provides basic security services to various higher-layer protocols. In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of SSL. Difference between an SSL connection and an SSL Session A Connection is a transport that provides a suitable type of service. For SSL,such connections are peer-to-peer relationships. The connections are transient An SSL session is an association between a client and a server. Sessions are created by the Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. protocols comprise SSL? The protocols that comprise SSL are:ssl Handshake Protocol,SSL Change Cipher Spec Protocol,SSL Alert Protocol,Hypertext Transfer Protocol(HTTP) and SSL Recprd Protocol. The parameters that define an SSL session state A session state is defined by the following parameters:

3 3 Amandeep Kang*, Navdeep Kaholn** and Mandeep*** Session identifier, Peer certificate, Compression method, Cipher spec, Master secret, Is reusable The parameters that define an SSL session connection. A connection state is defined by the following parameters: Server and client random, Server write MACsecret,Client write MACsecret,Server write key, Client write key, Initialization vectors, Sequence numbers. SSL Alert Protocol: conveys SSL-related alerts to peer entity severity:warning or fatal specific alert :fatal unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown compressed & encrypted like all SSL data. SSL Handshake Protocol allows server & client to: authenticate each other,to negotiate encryption & MAC algorithms,to negotiate cryptographic keys to be used,comprises a series of messages in phases,establish Security Capabilities, Server Authentication and Key Exchange Client Authentication and Key Exchange,Finish. TLS (Transport Layer Security IETF standard RFC 2246 similar to SSLv3,with minor differences in record format version number,uses HMAC for MAC a pseudo-random function expands secrets has additional alert codes, some changes in supported ciphers, changes in certificate types & negotiations, changes in crypto computations & padding. Secure Electronic Transactions (SET) SET is an open encryption and security specification designed to protect credit card transactions on the Internet. SETv1 emerged from a call for security standards by MasterCard and Visa in Beginning in 1996, there have been numerous tests of the concept, and by 1998 the first wave of SETcompliant products was available. SET is not itself a payment system, rather it is a set of security protocols and formats that enables users to employ the existing credit card payment infrastructure on an open network, such as the Internet, in a secure fashion, by providing: a secure communications channel among all parties involved in a transaction trust through the use of X.509v3 digital certificates privacy because the information is only available to parties in a transaction when and where necessary. SET Components: Cardholder: purchasers interact with merchants from personal computers over the Internet Merchant: a person or organization that has goods or services to sell to the cardholder

4 4 Amandeep Kang*, Navdeep Kaholn** and Mandeep*** Issuer: a financial institution, such as a bank, that provides the cardholder with the payment card. Acquirer: a financial institution that establishes an account with a merchant and processes payment card authorizations and payments Payment gateway: a function operated by the acquirer or a designated third party that processes merchant payment messages Certification authority (CA): an entity that is trusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment gateways. SET Transaction: -customer opens account -customer receives a certificate -merchants have their own certificates -customer places an order -merchant is verified -order and payment are sent -merchant requests payment authorization -merchant confirms order -merchant provides goods or service -merchant requests payment Dual Signature: The purpose of the SET dual signature is to link two messages that are intended for two different recipients, the order information (OI) for the merchant and the payment information (PI) for the bank. The merchant does not need to know the customer s credit card number, and the bank does not need to know the details of the customer s order, however the two items must be linked in a way that can be used to resolve disputes if necessary. The customer takes the hash (using SHA-1) of the PI and the hash of the OI, concatenates them, and hashes the result. Finally,the customer encrypts the final hash with his or her private signature key, creating the dual signature. This can be summarized as: DS=E(PRc, [H(H(PI) H(OI))]) SET Purchase Request: The purchase request exchange consists of four messages: Initiate Request, Initiate Response, Purchase Request, and Purchase Response. In order to send SET messages to the merchant, the cardholder must have a copy of the certificates of the merchant and the payment gateway. The customer requests the certificates in the Initiate Request message, sent to the merchant. The merchant generates a response and signs it with its private signature key. The cardholder verifies the merchant and gateway certificates by means of their respective CA signatures and then creates the OI and PI. Next, the cardholder prepares the Purchase Request message with Purchase-related information & Order-related information. The Purchase Response message includes a response block that acknowledges the order and references the corresponding transaction number.

5 5 Amandeep Kang*, Navdeep Kaholn** and Mandeep*** The State of Web Security Issues While security vulnerability research can expose technical weaknesses that may be exploited, incident research provides indepth information about the most common targets, motives and attack vectors of modern hackers. And where better to turn for a sense of where we stand today than the Web Hacking Incidents Database (WHID). Analysis of WHID reveals that in 2009 social networks were at the greatest risk, malware and defacement remained the most common outcome of Web attacks, and SQL injection was the most common attack vector. Here s a deeper dive on the findings and what you can do about them. Perhaps not surprisingly, analysis of Web hacking incidents reveals that social network sites such as Twitter and Facebook are becoming premier targets for hackers. One in five incidents (19%) between January and June 2009 targeted social network sites, making them the most commonly attacked market. Many attacks on social networks involve cross-site scripting (XSS) worms. Additionally, insufficient anti-automation controls permit hackers to brute force attack log-in credentials. In one incident, an attacker accessed a Twitter Admin account that had a password reset tool and compromised 33 high-profile accounts, including President Obama s. Web attacks are driven by crime. Most occur because the hacker wants money, not glory. However, in some instances, the attacks are performed by professionals seeking to advance a cause. In 2009, defacement of Web sites was still the number one driver for Web hacking (28%). Defacement includes visible changes and covert changes, such as the planting of malicious code. Criminals exploit Web application vulnerabilities to plant malware that subsequently infects clients who visit the Web site. The hacked sites become the hacker s primary method of distributing viruses, Trojans and root kits. On the other end of the spectrum, ideologists use the Internet to express themselves using Web hacking to deface Web sites. The majority of defacement incidents are of a political nature, targeting political parties, candidates and government departments, typically with a specific message related to a campaign. Web defacements are a serious problem and a critical barometer for estimating exploitable vulnerabilities in Web sites. Defacement statistics are valuable since they are one of the few incidents that are publicly facing and thus cannot be easily swept under the rug. Conclusion: You will need to use more than one technique to secure your Web service. The combination of techniques depends on what your security requirements are. Pay attention to where you deploy the Web service, and make sure that your critical data is protected from the public Internet. Web services, by providing a well-defined interface, can offer quite a bit of data protection by putting the Web service on the public Internet and allowing only the Web service server to get at the data. By locking down the boxes and allowing only authenticated users to access the data, you lock out a number of malicious users.

6 6 Amandeep Kang*, Navdeep Kaholn** and Mandeep*** Of the users you do allow through, you will want to monitor what they are doing and store that data in a log. Even if you allow everyone through, you should include logging mechanisms and design these early in the development process. Adding logging after the fact is error prone and time consuming. References: [1] nternet-protocols.htm [2]technet.microsoft.com/enus/library/cc aspx [3] Article [4] Configuration Reference system.webserver security. [5] _3-1_ip.html -