Web Security: SSL/TLS

Similar documents
Protocol Rollback and Network Security

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 20

ECE458 Winter Web Security. Slides from John Mitchell and Vitaly Shmatikov (Modified by Vijay Ganesh)

Authenticity of Public Keys

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

HTTP. Internet Engineering. Fall Bahador Bakhshi CE & IT Department, Amirkabir University of Technology

Method of control. Lots of ways to architect C&C: Star topology; hierarchical; peer-to-peer Encrypted/stealthy communication.

Network Security Web Security and SSL/TLS. Angelos Keromytis Columbia University

Security Protocols/Standards

Cyber Security Workshop Ethical Web Hacking

Transport Layer Security Protocols

No. Time Source Destination Protocol Info HTTP GET /ethereal-labs/http-ethereal-file1.html HTTP/1.

Browser Security Model

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

T14 SECURITY TESTING: ARE YOU A DEER IN THE HEADLIGHTS? Ryan English SPI Dynamics Inc BIO PRESENTATION. Thursday, May 18, :30PM

Cryptography for Software and Web Developers

Lecture 7: Transport Level Security SSL/TLS. Course Admin

Binding Security Tokens to TLS Channels. A. Langley, Google Inc. D. Balfanz, Google Inc. A. Popov, Microsoft Corp.

Security Engineering Part III Network Security. Security Protocols (I): SSL/TLS

COMP 112 Assignment 1: HTTP Servers

What is Web Security? Motivation

Protocolo HTTP. Web and HTTP. HTTP overview. HTTP overview

reference: HTTP: The Definitive Guide by David Gourley and Brian Totty (O Reilly, 2002)

CS5008: Internet Computing

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

Introduction to Computer Security

Communication Systems SSL

Vulnerabilità dei protocolli SSL/TLS

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

The Top Web Application Attacks: Are you vulnerable?

Network Technologies

Web Security (SSL) Tecniche di Sicurezza dei Sistemi 1

Breaking the Myths of Extended Validation SSL Certificates

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Web Browser and the Internet

Secure development and the SDLC. Presented By Jerry

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

TLS/SSL in distributed systems. Eugen Babinciuc

Web Security. Mahalingam Ramkumar

CSC Network Security

Web Security Considerations

CSC 474 Information Systems Security

Certificates and network security

Criteria for web application security check. Version

Security-Assessment.com White Paper Leveraging XSRF with Apache Web Server Compatibility with older browser feature and Java Applet

Chapter 7 Transport-Level Security

3.2: Transport Layer: SSL/TLS Secure Socket Layer (SSL) Transport Layer Security (TLS) Protocol

sessionx Desarrollo de Aplicaciones en Red Web Applications History (1) Content History (2) History (3)

HTTP Response Splitting

Outline Definition of Webserver HTTP Static is no fun Software SSL. Webserver. in a nutshell. Sebastian Hollizeck. June, the 4 th 2013

Hack Proof Your Webapps

Real-Time Communication Security: SSL/TLS. Guevara Noubir CSU610

Breaking the Security Myths of Extended Validation SSL Certificates

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Computer security Lecture 10. Web security, Mobile security

Practical Invalid Curve Attacks on TLS-ECDH

A Tale of the Weaknesses of Current Client-side XSS Filtering

Network Security Essentials Chapter 5

Secure Socket Layer (SSL) and Trnasport Layer Security (TLS)

Managing and Securing Computer Networks. Guy Leduc. Chapter 4: Securing TCP. connections. connections. Chapter goals: security in practice:

Project #2. CSE 123b Communications Software. HTTP Messages. HTTP Basics. HTTP Request. HTTP Request. Spring Four parts

Web Application Security

Web and Security 1 / 40

Lektion 2: Web als Graph / Web als System

Internet Technologies. World Wide Web (WWW) Proxy Server Network Address Translator (NAT)

HTML5. Eoin Keary CTO BCC Risk Advisory.

Where every interaction matters.

TLS-RSA-PSK. Channel Binding using Transport Layer Security with Pre Shared Keys

SSL: Secure Socket Layer

APPLICATION SECURITY AND ITS IMPORTANCE

THE PROXY SERVER 1 1 PURPOSE 3 2 USAGE EXAMPLES 4 3 STARTING THE PROXY SERVER 5 4 READING THE LOG 6

The Web: some jargon. User agent for Web is called a browser: Web page: Most Web pages consist of: Server for Web is called Web server:

Dawn Song

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

CS 361S - Network Security and Privacy Spring Homework #1

Is Your SSL Website and Mobile App Really Secure?

Java Web Application Security


Web Application Security Assessment and Vulnerability Mitigation Tests

Web application security

Lab Exercise SSL/TLS. Objective. Step 1: Open a Trace. Step 2: Inspect the Trace

SSL BEST PRACTICES OVERVIEW

Using etoken for SSL Web Authentication. SSL V3.0 Overview

Chapter 17. Transport-Level Security

Securing SharePoint Server with Windows Azure Multi- Factor Authentication

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Hypertext for Hyper Techs

Information Security

Web Application Security

CONTENT of this CHAPTER

CS640: Introduction to Computer Networks. Applications FTP: The File Transfer Protocol

Secure HTTP

HTTP Caching & Cache-Busting for Content Publishers

SSL/TLS: The Ugly Truth

HTTP Protocol. Bartosz Walter

Introduction Les failles les plus courantes Les injections SQL. Failles Web. Maxime Arthaud. net7. Jeudi 03 avril 2014.

Ethical Hacking Penetrating Web 2.0 Security

Overview. SSL Cryptography Overview CHAPTER 1

Secure Sockets Layer

Transcription:

CSE 484 / CSE M 584: Computer Security and Privacy Web Security: SSL/TLS Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

SSL/TLS: More Details Secure Sockets Layer and Transport Layer Security protocols Same protocol design, different crypto algorithms De facto standard for Internet security The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications Deployed in every Web browser; also VoIP, payment systems, distributed systems, etc. 4/27/15 CSE 484 / CSE M 584 - Spring 2015 2

TLS Basics TLS consists of two protocols Familiar pattern for key exchange protocols Handshake protocol Use public- key cryptography to establish a shared secret key between the client and the server Record protocol Use the secret key established in the handshake protocol to protect communication between the client and the server 4/27/15 CSE 484 / CSE M 584 - Spring 2015 3

Basic Handshake Protocol ClientHello C Client announces (in plaintext): Protocol version it is running Cryptographic algorithms it supports Fresh, random number S 4/27/15 CSE 484 / CSE M 584 - Spring 2015 4

Basic Handshake Protocol C, version c, suites c, N c ServerHello C Server responds (in plaintext) with: Highest protocol version supported by both the client and the server Strongest cryptographic suite selected from those offered by the client Fresh, random number S 4/27/15 CSE 484 / CSE M 584 - Spring 2015 5

Basic Handshake Protocol C, version c, suites c, N c version s, suite s, N s, ServerKeyExchange C Server sends his public- key certificate containing either his RSA, or his Diffie- Hellman public key (depending on chosen crypto suite) S 4/27/15 CSE 484 / CSE M 584 - Spring 2015 6

Basic Handshake Protocol C, version c, suites c, N c version s, suite s, N s, certificate, ServerHelloDone C ClientKeyExchange The client generates secret key material and sends it to the server encrypted with the server s public key (if using RSA) S 4/27/15 CSE 484 / CSE M 584 - Spring 2015 7

Basic Handshake Protocol C, version c, suites c, N c version s, suite s, N s, certificate, ServerHelloDone C {Secret c } PKs if using RSA C and S share secret key material (secret c ) at this point switch to keys derived from secret c, N c, N s switch to keys derived from secret c, N c, N s S Finished Finished Record of all sent and received handshake messages 4/27/15 CSE 484 / CSE M 584 - Spring 2015 8

Core SSL 3.0 Handshake C, version c =3.0, suites c, N c version s =3.0, suite s, N s, certificate, ServerHelloDone C {Secret c } PKs if using RSA C and S share secret key material (secret c ) at this point switch to keys derived from secret c, N c, N s switch to keys derived from secret c, N c, N s S Finished Finished 4/27/15 CSE 484 / CSE M 584 - Spring 2015 9

Version Rollback Attack C, version c =2.0, suites c, N c Server is fooled into thinking he is communicating with a client who supports only SSL 2.0 Version s =2.0, suite s, N s, certificate, ServerHelloDone C {Secret c } PKs if using RSA S C and S end up communicating using SSL 2.0 (weaker earlier version of the protocol that does not include Finished messages) 4/27/15 CSE 484 / CSE M 584 - Spring 2015 10

Chosen- Protocol Attacks Why do people release new versions of security protocols? Because the old version got broken! New version must be backward- compatible Not everybody upgrades right away Attacker can fool someone into using the old, broken version and exploit known vulnerability Similar: fool victim into using weak crypto algorithms Defense is hard: must authenticate version in early designs Many protocols had version rollback attacks SSL, SSH, GSM (cell phones) 4/27/15 CSE 484 / CSE M 584 - Spring 2015 11

Version Check in SSL 3.0 C, version c =3.0, suites c, N c Embed version number into secret version s =3.0, suite s, N s, certificate for PK s, ServerHelloDone C {version c, secret c } PKs Check that received version is equal to the version in ClientHello S C and S share secret key material secret c at this point switch to key derived from secret c, N c, N s switch to key derived from secret c, N c, N s 4/27/15 CSE 484 / CSE M 584 - Spring 2015 12

CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Basic Web Security Model Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

Browser and Network Browser OS Hardware request reply website Network 4/27/15 CSE 484 / CSE M 584 - Spring 2015 14

HTTP: HyperText Transfer Protocol Used to request and return data Methods: GET, POST, HEAD, Stateless request/response protocol Each request is independent of previous requests Statelessness has a significant impact on design and implementation of applications Evolution HTTP 1.0: simple HTTP 1.1: more complex 4/27/15 CSE 484 / CSE M 584 - Spring 2015 15

HTTP Request Method File HTTP version Headers GET /default.asp HTTP/1.0 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Connection: Keep-Alive If-Modified-Since: Sunday, 17-Apr-96 04:32:58 GMT Blank line Data none for GET 4/27/15 CSE 484 / CSE M 584 - Spring 2015 16

HTTP Response HTTP version Status code Reason phrase Headers HTTP/1.0 200 OK Date: Sun, 21 Apr 1996 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Content-Type: text/html Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Content-Length: 2543 Data <HTML> Some data... blah, blah, blah </HTML> 4/27/15 CSE 484 / CSE M 584 - Spring 2015 17

Websites Storing Info in Browser A cookie is a file created by a website to store information in the browser Browser HTTP Header: Set- cookie: POST login.cgi username and pwd NAME=VALUE ; domain = (who can read) ; expires = (when expires) ; secure = (send only over HTTPS) Server If expires = NULL, this session only Browser GET restricted.html Cookie: NAME=VALUE Server HTTP is a stateless protocol; cookies add state 4/27/15 CSE 484 / CSE M 584 - Spring 2015 18

What Are Cookies Used For? Authentication The cookie proves to the website that the client previously authenticated correctly Personalization Helps the website recognize the user from a previous visit Tracking Follow the user from site to site; learn his/her browsing behavior, preferences, and so on 4/27/15 CSE 484 / CSE M 584 - Spring 2015 19

Goals of Web Security Safely browse the Web A malicious website cannot steal information from or modify legitimate sites or otherwise harm the user even if visited concurrently with a legitimate site - in a separate browser window, tab, or even iframe on the same webpage Support secure Web applications Applications delivered over the Web should have the same security properties we require for standalone applications 4/27/15 CSE 484 / CSE M 584 - Spring 2015 20

All of These Should Be Safe Safe to visit an evil website Safe to visit two pages at the same time Safe delegation 4/27/15 CSE 484 / CSE M 584 - Spring 2015 21

Security Vulnerabilities in 2011 Source: IBM X- Force 4/27/15 CSE 484 / CSE M 584 - Spring 2015 22

Two Sides of Web Security Web browser Responsible for securely confining Web content presented by visited websites Web applications Online merchants, banks, blogs, Google Apps Mix of server- side and client- side code Server- side code written in PHP, Ruby, ASP, JSP runs on the Web server Client- side code written in JavaScript runs in the Web browser Many potential bugs: XSS, XSRF, SQL injection 4/27/15 CSE 484 / CSE M 584 - Spring 2015 23

Where Does the Attacker Live? Browser OS Malware Hardware attacker request Network attacker reply website Web Network attacker 4/27/15 CSE 484 / CSE M 584 - Spring 2015 24

Web Attacker Controls a malicious website (attacker.com) Can even obtain an SSL/TLS certificate for his site User visits attacker.com why? Phishing email, enticing content, search results, placed by an ad network, blind luck Attacker has no other access to user machine! Variation: iframe attacker An iframe with malicious content included in an otherwise honest webpage Syndicated advertising, mashups, etc. 4/27/15 CSE 484 / CSE M 584 - Spring 2015 25

HTML and JavaScript <html> <p> The script on this page adds two numbers <script> var num1, num2, sum num1 = prompt("enter first number") num2 = prompt("enter second number") sum = parseint(num1) + parseint(num2) alert("sum = " + sum) </script> </html> Browser receives content, displays HTML and executes scripts A potentially malicious webpage gets to execute some code on user s machine! 4/27/15 CSE 484 / CSE M 584 - Spring 2015 26

Browser Sandbox Goal: safely execute JavaScript code provided by a website No direct file access, limited access to OS, network, browser data, content that came from other websites Same origin policy Can only access properties of documents and windows from the same domain, protocol, and port 4/27/15 CSE 484 / CSE M 584 - Spring 2015 27

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information