WebSecurity.ppt 138KB Jun 23 2011 09:33:02 AM

Web Security
CS-431

HTTP Authentication

• Protect web content from those who don't have a "need to know"
• Require users to authenticate using a userid/password before they are
  allowed access to certain URLs
• HTTP/1.1 requires that when a user makes a request for a protected
  resource the server responds with an authentication request header
  – WWW-Authenticate
    » contains enough pertinent information to carry out a "challenge-response"
      session between the user and the server

   Client                                              Web Server
     |  ---- Client requests a protected resource ---->   |
     |                                                    |
     |  <--- Server responds with a 401 (not authorized)  |
     |       and a challenge request for the client       |
     |       to authenticate ---------------------------  |
     |                                                    |
     |  ---- Client response ------------------------->   |


• Well-established clients like Firefox, Internet Explorer, … will respond to
  the challenge request (WWW-Authenticate) by presenting the user with a
  small pop-up window with data entry fields for
  – userid
  – password
  – a Submit button and a Cancel button
• Entering a valid userid and password will post the data to the server; the
  server will attempt authentication and, if authenticated, will serve the
  originally requested resource.


WWW-Authenticate

• The authentication request received by the browser will look
  something like:
  – WWW-Authenticate: Basic realm="defaultRealm"
• Basic indicates that HTTP Basic authentication is requested
• realm indicates the context of the login
  – realms hold all of the parts of the security puzzle
    » Users
    » Groups
    » ACLs (Access Control Lists)
• Basic Authentication
  – userid and password are sent base64 encoded (might as well be plain
    text)
  – the hacker doesn't even need to decode it; all he has to do is "replay" the
    blob of information he stole, over and over (this is called a "replay attack")
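The server side of the exchange on these slides, as an added example that is not part of the original deck: the JDK's built-in com.sun.net.httpserver classes answer an unauthenticated request with a 401 and a WWW-Authenticate: Basic realm="defaultRealm" challenge, then decode the browser's Authorization header and hand the userid and password to checkCredentials. The user name, password, port and path are constructed for the demo. Because Basic sends the credentials in the clear, a server like this is only acceptable behind SSL, which the later slides cover.

```java
import com.sun.net.httpserver.BasicAuthenticator;
import com.sun.net.httpserver.HttpContext;
import com.sun.net.httpserver.HttpServer;

import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Map;

/**
 * Minimal server that protects /protected with HTTP Basic authentication.
 * Unauthenticated requests get a 401 with
 *   WWW-Authenticate: Basic realm="defaultRealm"
 * which is the challenge the slides describe; the browser then shows its
 * userid/password pop-up and retries with an Authorization header.
 */
public class BasicAuthServer {

    // Constructed demo credentials. A real deployment looks these up in a
    // store of salted password hashes, never in source code.
    private static final Map<String, String> USERS = Map.of("alice", "correct horse");

    public static void main(String[] args) throws Exception {
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 8080), 0);

        HttpContext ctx = server.createContext("/protected", exchange -> {
            // Only reached once BasicAuthenticator has accepted the credentials.
            String user = exchange.getPrincipal().getUsername();
            byte[] body = ("hello, " + user + "\n").getBytes(StandardCharsets.UTF_8);
            exchange.sendResponseHeaders(200, body.length);
            try (OutputStream os = exchange.getResponseBody()) {
                os.write(body);
            }
        });

        // The realm string is what the browser displays in its login pop-up.
        ctx.setAuthenticator(new BasicAuthenticator("defaultRealm") {
            @Override
            public boolean checkCredentials(String username, String password) {
                String expected = USERS.get(username);
                if (expected == null) {
                    return false;
                }
                // Constant-time comparison so response timing does not leak how
                // many leading characters of the password were right.
                return MessageDigest.isEqual(
                        expected.getBytes(StandardCharsets.UTF_8),
                        password.getBytes(StandardCharsets.UTF_8));
            }
        });

        server.start();
        System.out.println("Listening on http://127.0.0.1:8080/protected");
    }
}
```

Run it and fetch the page with `curl -v -u alice:'correct horse' http://127.0.0.1:8080/protected`; the same request without `-u` shows the 401 and the WWW-Authenticate challenge header in the verbose output.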

WWW-Authenticate

• Digest Authentication
  – attempts to overcome the shortcomings of Basic Authentication
  – WWW-Authenticate: Digest realm="defaultRealm" nonce="ServerSpecificString"
  – see RFC 2069 for a description of the nonce; each nonce is different
  – the nonce is used in the browser in a one-way function (MD5, SHA-1, …) to encode
    the userid and password for the server; this function essentially makes the
    password good for only one time
• Common browsers don't use Digest Authentication, but an applet could, as an
  applet has access to all of the Java encryption classes needed to create a
  Digest.
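How the nonce makes the password "good for only one time", as an added example that is not part of the original deck: both sides of an RFC 2069 Digest exchange in one Java file, with the server retiring each nonce after its first use so that a captured response fails when it is replayed. The user "alice", her password and the realm are constructed demo values, and the server stores only MD5(user:realm:password), never the clear password. decodeBasic() is included for contrast with the previous slide's point that Basic is merely base64.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;

/**
 * RFC 2069 style Digest Authentication, both sides:
 *   response = MD5( MD5(user:realm:password) : nonce : MD5(method:uri) )
 * The server issues a fresh random nonce per challenge and removes it once a
 * response has been checked, so replaying the same response is rejected.
 */
public class DigestAuthDemo {

    static final String REALM = "defaultRealm";   // realm from the slides

    static String md5Hex(String s) {
        try {
            byte[] d = MessageDigest.getInstance("MD5").digest(s.getBytes(StandardCharsets.UTF_8));
            StringBuilder sb = new StringBuilder();
            for (byte b : d) sb.append(String.format("%02x", b));
            return sb.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);   // MD5 is always present in the JDK
        }
    }

    /** Client side: compute the Digest response for one challenge. */
    static String digestResponse(String user, String password, String nonce, String method, String uri) {
        String ha1 = md5Hex(user + ":" + REALM + ":" + password);
        String ha2 = md5Hex(method + ":" + uri);
        return md5Hex(ha1 + ":" + nonce + ":" + ha2);
    }

    /** Server side: nonce issuance and one-time verification. */
    static class DigestServer {
        private final SecureRandom rng = new SecureRandom();
        private final Set<String> outstanding = new HashSet<>();   // issued, not yet used
        // Constructed demo store: the server keeps HA1, never the clear password.
        private final String aliceHa1 = md5Hex("alice:" + REALM + ":correct horse");

        String challenge() {
            byte[] raw = new byte[16];
            rng.nextBytes(raw);
            String nonce = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
            outstanding.add(nonce);
            return "Digest realm=\"" + REALM + "\" nonce=\"" + nonce + "\"";
        }

        boolean verify(String user, String nonce, String method, String uri, String response) {
            if (!"alice".equals(user)) return false;
            // remove() is the replay guard: a nonce is good for exactly one response.
            if (!outstanding.remove(nonce)) return false;
            String expected = md5Hex(aliceHa1 + ":" + nonce + ":" + md5Hex(method + ":" + uri));
            return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                         response.getBytes(StandardCharsets.UTF_8));
        }
    }

    /** Basic, by contrast, is reversible with no secret at all. */
    static String decodeBasic(String authorizationHeader) {
        String b64 = authorizationHeader.substring("Basic ".length());
        return new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        DigestServer server = new DigestServer();
        String hdr = server.challenge();
        String nonce = hdr.replaceAll(".*nonce=\"([^\"]+)\".*", "$1");

        String resp = digestResponse("alice", "correct horse", nonce, "GET", "/protected");
        System.out.println("first use accepted: " + server.verify("alice", nonce, "GET", "/protected", resp));
        System.out.println("replay    accepted: " + server.verify("alice", nonce, "GET", "/protected", resp));

        // Constructed header for alice:correct horse
        System.out.println("Basic decodes to: " + decodeBasic("Basic YWxpY2U6Y29ycmVjdCBob3JzZQ=="));
    }
}
```

The first verify call succeeds and the second, identical one fails because the nonce has already been consumed. RFC 2617 later added a client nonce and nonce count (qop=auth) on top of this scheme; the RFC 2069 form shown here is the one the slide's nonce description corresponds to.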

Secure Sockets Layer (SSL)

• Invented by Netscape and made public domain for everyone's use
• An additional layer to the TCP/IP stack that sits between the Application
  and Transport layers
  – ensures that all application data is encrypted but TCP/IP headers are not
  – usually run on port 443 (default HTTPS port)



Public Key Cryptography

• The owner of a private key sends a public key to all who want to communicate
  with him (keys are both prime factors of a large (1024-bit) number).
  The owner keeps the private key secret and uses it to decrypt information
  sent to him that has been encrypted with the public key
• The RSA algorithm is the most notable public-key cipher algorithm




Digital Certificates

• issued by a disinterested third party (ex. Verisign)
• the Certificate contains the public key for the specific Web Server and a
  digital signature of the certifying authority

back to SSL

• Once a secure session is established the source requests the destination's
  certificate (sent in the HTTP header (unencrypted))
• once the source accepts the authenticity of the certificate it uses the
  public key from the certificate to encrypt the generated session key for
  protecting the conversation between the source and destination.
• the session key is exchanged using an asymmetric cipher (slow)
• the conversation is encrypted using a symmetric cipher (fast)
• it's done this way to speed up overall communications: strong encryption
  (slow) is used as little as possible while weaker encryption is used for most
  exchanges
• actual cipher algorithms are negotiated on a per-session basis
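The asymmetric-then-symmetric pattern this slide describes, as an added example that is not part of the original deck, written with the JCE classes covered later in the deck: RSA-OAEP wraps a freshly generated AES session key so that only the holder of the private key can recover it, and AES-GCM then carries the conversation. The class names, the 2048-bit RSA size and the sample request line are choices for the demo; certificate verification and TLS's premaster-to-master key derivation are deliberately left out so the shape stays visible.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.Arrays;

/**
 * Hybrid encryption as in the SSL slides: the slow asymmetric cipher (RSA)
 * protects only the small session key; the fast symmetric cipher (AES)
 * protects the actual traffic.
 */
public class HybridSessionDemo {

    /** Destination: owns the RSA key pair whose public half would sit in its certificate. */
    static class Destination {
        final KeyPair keyPair;

        Destination() throws Exception {
            KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
            kpg.initialize(2048);
            keyPair = kpg.generateKeyPair();
        }

        /** Recover the session key the source encrypted under our public key. */
        SecretKey unwrapSessionKey(byte[] wrapped) throws Exception {
            Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
            rsa.init(Cipher.UNWRAP_MODE, keyPair.getPrivate());
            return (SecretKey) rsa.unwrap(wrapped, "AES", Cipher.SECRET_KEY);
        }
    }

    /** Source: generate a session key and wrap it with the destination's public key. */
    static SecretKey newSessionKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        return kg.generateKey();
    }

    static byte[] wrapSessionKey(SecretKey session, PublicKey destinationPublic) throws Exception {
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.WRAP_MODE, destinationPublic);
        return rsa.wrap(session);   // the only asymmetric operation in the session
    }

    /** Bulk traffic: AES-GCM with the 12-byte nonce prepended to the ciphertext. */
    static byte[] seal(SecretKey k, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, k, new GCMParameterSpec(128, nonce));
        byte[] ct = aes.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    static byte[] open(SecretKey k, byte[] sealed) throws Exception {
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, k, new GCMParameterSpec(128, sealed, 0, 12));
        // GCM authenticates as well as decrypts: a modified record throws AEADBadTagException.
        return aes.doFinal(sealed, 12, sealed.length - 12);
    }

    public static void main(String[] args) throws Exception {
        Destination dest = new Destination();

        // Source side: one RSA operation moves the session key across.
        SecretKey session = newSessionKey();
        byte[] wrapped = wrapSessionKey(session, dest.keyPair.getPublic());

        // Destination side recovers the same key; from here on everything is AES.
        SecretKey recovered = dest.unwrapSessionKey(wrapped);
        System.out.println("session keys match: "
                + Arrays.equals(session.getEncoded(), recovered.getEncoded()));

        byte[] sealed = seal(session, "GET /protected HTTP/1.1".getBytes(StandardCharsets.UTF_8));
        System.out.println("destination reads: " + new String(open(recovered, sealed), StandardCharsets.UTF_8));
    }
}
```

The wrapped key is 256 bytes for a 2048-bit RSA key regardless of traffic volume, which is the whole point the slide makes: the expensive cipher runs once, and every byte of the conversation goes through AES.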

Java Cryptographic Packages

• Separate packages that are now included as part of the JDK
  – JCE - Java Cryptography classes
  – JSSE - Java Secure Sockets Extension
  – JAAS - Java Authentication and Authorization Services
  – Java GSS-API - Java Generic Security Services API
  – Java Certification Path API

JCE

• JCE covers
  – encryption and decryption
    » symmetric bulk encryption, such as DES, RC2, and IDEA
    » symmetric stream encryption, such as RC4
    » asymmetric encryption, such as RSA
    » password-based encryption (PBE)
  – key agreement
  – Message Authentication Code (MAC)
• Strong cryptography is the default
  – unlimited is available (depending on export restrictions)
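Two of the JCE areas on this slide, PBE and MAC, as an added example that is not part of the original deck, combined the way they usually are in practice: PBKDF2 stretches a password into a fixed-size key, and HMAC-SHA256 uses that key to authenticate a message, so a tampered message fails verification. The algorithm names are standard JCE names; the iteration count, the sample password and the two messages are constructed for the demo.

```java
import javax.crypto.Mac;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;

/**
 * Password-based key derivation (PBE) feeding a Message Authentication Code (MAC).
 */
public class PbeMacDemo {

    static final int ITERATIONS = 210_000;   // assumption: a modern cost; tune to your hardware
    static final int KEY_BITS = 256;

    /** PBE: turn a low-entropy password plus a random salt into a key. */
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();   // don't leave the password lying around in memory
        }
    }

    /** MAC: HMAC-SHA256 over the message under the derived key. */
    static byte[] mac(byte[] key, byte[] message) throws Exception {
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(key, "HmacSHA256"));
        return hmac.doFinal(message);
    }

    /** Verify with a constant-time comparison; Arrays.equals would leak timing. */
    static boolean verify(byte[] key, byte[] message, byte[] tag) throws Exception {
        return MessageDigest.isEqual(mac(key, message), tag);
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);   // stored alongside the data; not secret
        byte[] key = deriveKey("correct horse".toCharArray(), salt);

        byte[] msg = "amount=100&to=alice".getBytes(StandardCharsets.UTF_8);
        byte[] tag = mac(key, msg);

        byte[] tampered = "amount=900&to=alice".getBytes(StandardCharsets.UTF_8);
        System.out.println("genuine verifies:  " + verify(key, msg, tag));
        System.out.println("tampered verifies: " + verify(key, tampered, tag));
    }
}
```

The salt and iteration count must be stored with the protected data so the same key can be re-derived later; only the password stays secret.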

JSSE

• Provides support for communications using SSL (Secure Sockets Layer)
  and TLS (Transport Layer Security)
  – commonly thought of as HTTPS
• part of javax.net
• SSL (and thus HTTPS) permits encrypted traffic to be exchanged
  between the client and server.
  – After an SSL client initiates a conversation with an SSL server, the server sends an
    X.509 certificate back to the client for authentication. The client then checks the
    validity of the certificate. Assuming the server is verified, the client generates a
    premaster secret key, encrypts it with the server's public key from the certificate,
    and sends the encrypted key back to the server. From this premaster key, the client
    and server generate a master key for the session. After some basic handshaking,
    the encrypted exchange can commence.
• The JSSE library hides these inner workings of the SSL protocol from
  you.
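JSSE hiding the handshake described above, as an added example that is not part of the original deck: a client opens an SSLSocket to a host given on the command line, restricts the protocol to TLS 1.2/1.3, turns on HTTPS endpoint identification, and reads back the negotiated protocol, cipher suite and the peer certificate's subject and issuer. Host and port are command-line inputs (the default host is a placeholder). The caveat worth knowing: the default trust manager validates the certificate chain, but a raw SSLSocket does not check that the certificate's name matches the host unless setEndpointIdentificationAlgorithm is set, so without that line a valid certificate for any other site would be accepted.

```java
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.security.cert.X509Certificate;

/**
 * Client side of the JSSE exchange on the slide. Everything the slide lists
 * (certificate sent, validity checked, premaster secret exchanged, keys
 * derived) happens inside startHandshake(); the application only decides
 * which protocols to allow and insists the certificate name matches the host.
 */
public class TlsClientCheck {

    /** Connects, handshakes, prints session details and returns the cipher suite. */
    static String connectAndInspect(String host, int port) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();

        // createSocket(host, port) records the host name, which the endpoint
        // identification check below compares against the certificate.
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            SSLParameters params = socket.getSSLParameters();
            params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});   // no SSLv3 / TLS 1.0 / 1.1
            // The default trust manager validates the chain; this line adds the
            // hostname check, which a raw SSLSocket does NOT perform by default.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);

            // Throws SSLHandshakeException on an untrusted or mismatched certificate.
            socket.startHandshake();

            SSLSession session = socket.getSession();
            X509Certificate leaf = (X509Certificate) session.getPeerCertificates()[0];
            System.out.println("protocol: " + session.getProtocol());
            System.out.println("cipher:   " + session.getCipherSuite());
            System.out.println("subject:  " + leaf.getSubjectX500Principal());
            System.out.println("issuer:   " + leaf.getIssuerX500Principal());
            return session.getCipherSuite();
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.org";   // placeholder; pass any HTTPS host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        connectAndInspect(host, port);
    }
}
```

Point it at a host whose certificate does not match the name you connected with and startHandshake() fails, which is the check the slide's "client then checks the validity of the certificate" depends on in practice.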

JAAS

• JAAS provides for the authentication of users and the authorization of
  tasks based upon that authentication
• Previously, anyone authenticated had access to the same security
  restrictions. Now, you can control what tasks are available for a specific
  authenticated user
• requires modification of security policies

Java GSS-API

• adds Kerberos V5 support to the Java platform.
• Kerberos originated at the Massachusetts Institute of Technology
  (MIT) as Project Athena back in 1987.
• Essentially, a network authentication protocol.
  – Defined in RFC 1510 from 1993
  – biggest draw is not having to send passwords over the net.
  – offers single sign-on within one domain -- if everything within the domain
    has been Kerberos-enabled.
  – support is also provided for single sign-on across different security realms
    over a network.
  – Used in conjunction with JAAS: once a user's identity is established,
    future authentication requests are no longer necessary.

Java Certification Path API

• The Certification Path API provides classes for building and validating
  certificate chains, an important requirement of a Public Key Infrastructure
  (PKI).
• These certificates provide for the storage of security keys for users. By
  trusting the issuer of a certificate that holds the keys, and trusting the
  issuer of the certificate that trusts the original certificate, you establish
  chains of trust
• Building and validating certification paths is an important part of many
  standard security protocols, such as SSL/TLS, Secure/MIME (S/MIME), and
  IP Security (IPsec).
