Network Security Lecture Notes PDF

Document Details

Uploaded by PreeminentPrairieDog

Hofstra University

2006

Tags

network security web security internet security computer science

Summary

These lecture notes cover network security, specifically web security. They detail topics like HTTP fundamentals, HTML fundamentals, famous web attacks, and security considerations. The notes also discuss web traffic security approaches, SSL origins, and the cryptography involved in TLS.

Full Transcript

NETWORK SECURITY Web Security 04/24/06 HOFSTRA UNIVERSITY – NETWORK SECURITY COURSE, CSC290A

HTTP FUNDAMENTALS
- RFC 1945 – HTTP 1.0
- RFC 2616 – HTTP 1.1
- RFC 2396 – URL/URI syntax
- www.w3.org – World Wide Web Consortium (W3C); check this site regularly

HTTP FUNDAMENTALS
- Traditional client/server model
- Server listens on port 80
- A glorified FTP server: HTTP transmits resources rather than files
- Uniform Resource Locator (URL) – a subset of URI

HTTP FUNDAMENTALS
A request line has three parts, separated by spaces: a method name, the local path of the requested resource, and the version of HTTP being used.

GET /path/to/file/index.html HTTP/1.0

Other methods: HEAD and POST

HTML FUNDAMENTALS
Rendered output of the slide's sample HTML page:
An important heading
A slightly less important heading
This is the first paragraph.
This is the second paragraph.
This is a really interesting topic!

FAMOUS WEB ATTACKS
“These cyber assaults have caused millions of Internet users to be denied services. At this time we are not aware of the motives behind these attacks. But they appear to be intended to disrupt legitimate electronic commerce.” – Janet Reno, in response to a series of DoS attacks in early 2000.

FAMOUS WEB ATTACKS
The Royal Canadian Mounted Police have charged a teenage computer hacker in one of the February cyber attacks that crippled several popular Web sites. The suspect is a 15-year-old boy known online by the nickname "Mafiaboy". – FOX News, 4/19/2000

FAMOUS WEB ATTACKS
A 17-year-old New Hampshire computer junkie known as "Coolio" may be charged in a handful of vandalism incidents at private and government Web sites, according to U.S. federal law enforcement sources. Coolio hacked into and defaced three Web sites: D.A.R.E., an anti-drug organization; Internet security company RSA Security; and the U.S. government's Chemical Weapons Convention site. – FBI

WEB SECURITY CONSIDERATIONS
- The Internet is two-way: unlike traditional publishing, a web site is exposed to attacks from its readers
- High visibility: public image, reputation, copyrights
- Complex software: the protocol is simple, but the client and server applications are complex
- Vulnerability point: a compromised web server can be a launch pad for further attacks into the organisation

WEB SECURITY THREATS
(Table of threats on this slide; not reproduced in the transcript.)

WEB TRAFFIC SECURITY APPROACHES
- Classify security threats by location: web server, web browser and network traffic
- We’re concerned with traffic
- IPsec
- Secure Sockets Layer (SSL)
- Transport Layer Security (TLS)
- Secure Electronic Transaction (SET)

WEB SECURITY APPROACHES
Where the security mechanism sits in the stack:
- Network level (IPsec): transparent to end users and applications
- Transport level (SSL/TLS): sits just above TCP
- Application level (SET): embedded in specific application packages

SSL ORIGINS
- Originated by Netscape
- Competed with S-HTTP
- Version 3 became an Internet draft
- TLS (Transport Layer Security) is an attempt to develop a common standard
- SSLv3.1 = TLS (TLS 1.0 carries version number 3.1 in its protocol header)

WHAT IS SSL / TLS?
- Transport Layer Security protocol, ver 1.0
  - De facto standard for Internet security
  - “The primary goal of the TLS protocol is to provide privacy and data integrity between two communicating applications” (RFC 2246)
  - In practice, used to protect information transmitted between browsers and Web servers
- Based on Secure Sockets Layer protocol, ver 3.0
  - Same protocol design, different algorithms
- Deployed in nearly every web browser

HISTORY OF THE PROTOCOL
- SSL 1.0
  - Internal Netscape design, early 1994?
  - Lost in the mists of time
- SSL 2.0
  - Published by Netscape, November 1994
  - Several problems (next slide)
- SSL 3.0
  - Designed by Netscape and Paul Kocher, November 1996
- TLS 1.0
  - RFC 2246, January 1999

TLS BASICS
TLS consists of two protocols:
- Handshake protocol
  - Uses public-key cryptography to establish a shared secret key between the client and the server
- Record protocol
  - Uses the secret key established in the handshake protocol to protect communication between the client and the server
We will focus on the handshake protocol.

TLS HANDSHAKE PROTOCOL
- Two parties: client and server
- Negotiate the version of the protocol and the set of cryptographic algorithms to be used
  - Interoperability between different implementations of the protocol
- Authenticate server and client (each optional in the protocol; in practice the server is authenticated and the client usually is not)
  - Use digital certificates to learn each other’s public keys and verify each other’s identity
- Use public keys to establish a shared secret

HANDSHAKE PROTOCOL STRUCTURE
Messages in square brackets are optional.
C -> S: ClientHello
        (version, crypto choices offered, client nonce)
S -> C: ServerHello, [Certificate], [ServerKeyExchange], [CertificateRequest], ServerHelloDone
        (version, crypto choice, server nonce, signed certificate containing server’s public key Ks)
C -> S: [Certificate], ClientKeyExchange, [CertificateVerify]
        (secret key K encrypted with server’s key Ks)
C -> S: switch to negotiated cipher; Finished
        (hash of the sequence of handshake messages)
S -> C: switch to negotiated cipher; Finished
        (hash of the sequence of handshake messages)

SSL/TLS CRYPTOGRAPHY SUMMARY
- Public-key encryption
  - Key chosen secretly (handshake protocol)
  - Key material sent encrypted with the server’s public key
- Symmetric encryption
  - Shared (secret) key encryption of data packets
- Signature-based authentication
  - Client can check the signed server certificate
  - And vice versa, in principle
- Hash for integrity
  - Client and server check the hash of the sequence of handshake messages
  - MAC used in data packets (record protocol)
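The request-line rule under HTTP FUNDAMENTALS above (three space-separated fields: method, local path, version) is simple enough to parse strictly, and a server-side parser is where the first security checks belong. The following is an added example, not code from the lecture notes: it accepts only the three methods the slide names and the two versions the cited RFCs define, rejects control characters and extra fields, and resolves "." and ".." segments (including their percent-encoded forms) so that a path can never climb above the document root. The traversal check and the token regex are the editor's additions; the sample request lines in the comments are constructed.

```python
"""Strict HTTP request-line parser (added illustration, not from the slides)."""
import re
from typing import NamedTuple
from urllib.parse import unquote

METHODS = {"GET", "HEAD", "POST"}                    # the methods the slide names
VERSIONS = {"HTTP/1.0", "HTTP/1.1"}                  # RFC 1945 / RFC 2616
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")  # RFC 2616 token characters


class RequestLine(NamedTuple):
    method: str
    path: str        # normalized and confined below "/"
    version: str


def _normalize_path(raw: str) -> str:
    """Percent-decode and resolve "." / ".." segments; refuse any path that
    tries to climb above the document root (the classic traversal attack).
    The query string, if any, is dropped: it is not part of the resource path."""
    if not raw.startswith("/"):
        raise ValueError("path must be absolute")
    path = raw.split("?", 1)[0]
    segments = []
    for seg in unquote(path).split("/")[1:]:
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise ValueError("path escapes document root")
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def parse_request_line(line: bytes) -> RequestLine:
    """Parse e.g. b'GET /path/to/file/index.html HTTP/1.0\\r\\n' (constructed
    sample) into its three parts, raising ValueError for anything malformed."""
    try:
        text = line.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ValueError("request line must be ASCII") from exc
    if text.endswith("\r\n"):
        text = text[:-2]
    if any(ord(c) < 0x20 or c == "\x7f" for c in text):
        raise ValueError("control character in request line")
    parts = text.split(" ")
    if len(parts) != 3:
        raise ValueError("request line needs exactly three space-separated fields")
    method, raw_path, version = parts
    if not _TOKEN.match(method):
        raise ValueError("malformed method token")
    if method not in METHODS:
        raise ValueError(f"unsupported method {method}")
    if version not in VERSIONS:
        raise ValueError(f"unsupported version {version}")
    return RequestLine(method, _normalize_path(raw_path), version)
```

Rejecting rather than repairing is deliberate: a request line with two spaces between fields, a bare LF, or a method the server does not implement is either a broken client or a probe, and both are better answered with an error than with a guess at what was meant.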
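The HANDSHAKE PROTOCOL STRUCTURE and SSL/TLS CRYPTOGRAPHY SUMMARY slides above describe the RSA-based handshake as a sequence of messages plus the cryptography each one uses; the code below plays that sequence through end to end, with both sides' view of the transcript. It is an added example, not code from the lecture notes or from any TLS implementation: freshly generated textbook RSA keys (too small to be secure) stand in for the CA and for the server's certified key, HMAC-SHA256 stands in for the TLS PRF, and the message strings, the hypothetical host name www.example.com and the ciphersuite labels are constructed for the demo. It demonstrates the point the Finished message exists for: if an attacker in the middle rewrites the ciphersuite list in ClientHello (a downgrade attempt), both sides still derive the same keys, because the nonces and premaster secret are untouched, yet the Finished hashes disagree and the tampering is caught.

```python
"""Toy walk-through of the RSA handshake and crypto summary from the slides
above. Added example, not code from the lecture notes or any TLS library:
freshly generated textbook RSA keys stand in for the CA and the server's
certified key, HMAC-SHA256 stands in for the TLS PRF. Illustration only."""
import hashlib
import hmac
import secrets

def _is_probable_prime(n, rounds=16):
    """Miller-Rabin, adequate for demo-sized primes."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    """Return (n, e, d); 512-bit n is toy-sized but carries a 32-byte secret."""
    e = 65537
    while True:
        p, q = _prime(bits // 2), _prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return p * q, e, pow(e, -1, phi)

def make_cert(ca_key, subject, server_pub):
    """CA signs (subject, public key): a stand-in for an X.509 certificate."""
    n_ca, _, d_ca = ca_key
    body = subject + b"|" + repr(server_pub).encode()
    return body, pow(int.from_bytes(hashlib.sha256(body).digest(), "big"), d_ca, n_ca)

def verify_cert(ca_pub, cert):
    """Client checks the CA signature before trusting the key inside."""
    n_ca, e_ca = ca_pub
    body, sig = cert
    return pow(sig, e_ca, n_ca) == int.from_bytes(hashlib.sha256(body).digest(), "big")

def derive_keys(premaster, client_nonce, server_nonce):
    """Master secret and session keys from the premaster secret plus both nonces."""
    master = hmac.new(premaster, b"master secret" + client_nonce + server_nonce, hashlib.sha256).digest()
    return {k: hmac.new(master, k, hashlib.sha256).digest()
            for k in (b"client write", b"server write", b"finished")}

def finished(key, label, transcript):
    """Finished = MAC over the hash of every handshake message seen so far."""
    return hmac.new(key, label + hashlib.sha256(b"".join(transcript)).digest(), hashlib.sha256).digest()

def run_handshake(ca_pub, server_key, server_cert, tamper_suites=False):
    """The exchange on the handshake slide. With tamper_suites=True an attacker
    rewrites the offered ciphersuites in ClientHello on the way to the server."""
    n, e, d = server_key
    seen_by_client, seen_by_server = [], []
    # C -> S: ClientHello = version, offered suites, client nonce
    client_nonce = secrets.token_bytes(32)
    offered = b"RSA-AES-SHA,RSA-3DES-SHA"  # constructed labels, not real suite names
    client_hello = b"ClientHello|3.1|" + offered + b"|" + client_nonce
    seen_by_client.append(client_hello)
    seen_by_server.append(client_hello.replace(offered, b"RSA-NULL-MD5") if tamper_suites else client_hello)
    # S -> C: ServerHello (version, chosen suite, server nonce), Certificate, ServerHelloDone
    server_nonce = secrets.token_bytes(32)
    for msg in (b"ServerHello|3.1|RSA-AES-SHA|" + server_nonce, server_cert[0], b"ServerHelloDone"):
        seen_by_client.append(msg)
        seen_by_server.append(msg)
    if not verify_cert(ca_pub, server_cert):
        raise ValueError("server certificate does not verify under the trusted CA")
    # C -> S: ClientKeyExchange = premaster secret K encrypted with server public key Ks
    premaster = secrets.token_bytes(32)
    cke = pow(int.from_bytes(premaster, "big"), e, n).to_bytes(64, "big")
    seen_by_client.append(cke)
    seen_by_server.append(cke)
    server_premaster = pow(int.from_bytes(cke, "big"), d, n).to_bytes(32, "big")
    # both switch to the negotiated cipher; Finished covers the whole transcript
    client_keys = derive_keys(premaster, client_nonce, server_nonce)
    server_keys = derive_keys(server_premaster, client_nonce, server_nonce)
    client_fin = finished(client_keys[b"finished"], b"client finished", seen_by_client)
    server_expects = finished(server_keys[b"finished"], b"client finished", seen_by_server)
    return {"keys_agree": client_keys == server_keys,
            "finished_ok": hmac.compare_digest(client_fin, server_expects)}
```

Run it as `ca = rsa_keygen(); server = rsa_keygen(); cert = make_cert(ca, b"www.example.com", (server[0], server[1])); run_handshake((ca[0], ca[1]), server, cert)` and then again with `tamper_suites=True`; the first call reports both keys and Finished agreeing, the second reports the keys still agreeing but Finished failing. A certificate signed by a CA the client does not trust makes `run_handshake` raise before any key material is sent, which is the ordering the slide's "client can check signed server certificate" step implies. Unpadded RSA, a home-made PRF and 512-bit keys are acceptable only because nothing here leaves the process; a real implementation uses the library's certificate verification and key exchange.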
