Security: Refer Chapter-10 From Gary P. Schneider
The server sends the page (XHTML) back to the browser and, in a
Set-Cookie header of the same response, stores some data in a cookie
on the user's PC.
On every later request to the domain www.example.com, the browser
sends along all cookies whose domain and path cover that request.
Cookie categories:
1) Time duration:
• Session cookies: exist until the browser session ends; they are
held in memory and discarded when the browser is closed
• Persistent cookies: remain on the client computer until their
expiry date (set with Expires or Max-Age), which may be years away
2) Source:
• First-party cookies: placed by the Web site the user is visiting
• Third-party cookies: placed by a different Web site, e.g. an
advertising server whose content is embedded in the page, which
lets that server recognise the user across many sites
THREAT BY COOKIES
• A cookie itself cannot harm the computer: it holds data, not
executable code. It can, however, support malicious actions on the
system, e.g. when a stolen cookie lets an attacker act as the user.
• A cookie contains whatever the server chose to store: typically a
session identifier, plus values derived from information you gave
the Web site.
• A malicious user who steals a session cookie (e.g. by sniffing it
from an unencrypted connection) can present it to the site and
impersonate the user online without knowing the password.
Avoid This Threat
• The most complete way for Web site visitors to protect themselves
from revealing private information or being tracked by cookies is to
disable cookies entirely (at the cost of losing logins, shopping
carts and other state that sites keep in cookies).
• Most Web browsers have settings that refuse only third-party
cookies, or that let the user review each cookie before it is
accepted; Google Chrome, Microsoft Internet Explorer, Mozilla Firefox
and Opera all provide such cookie management functions.
• Site operators reduce the damage from stolen cookies on their side
by marking session cookies Secure (sent only over HTTPS) and HttpOnly
(not readable by scripts running in the page).
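The cookie mechanics and browser settings described above, as an added example (not from the textbook or these slides): a minimal browser-side cookie jar that parses Set-Cookie headers with the standard library, classifies each cookie as session/persistent and first/third-party, applies the "refuse third-party cookies" setting, and decides which cookies accompany the next request. The host names, cookie names and header values are constructed for the example.

```python
"""Added example: a minimal browser-side cookie jar (constructed data)."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit


def host_of(url: str) -> str:
    return urlsplit(url).hostname.lower()


def domain_matches(host: str, domain: str) -> bool:
    """Cookie domain matching: a cookie for example.com covers example.com
    and every subdomain such as www.example.com."""
    domain = domain.lstrip(".").lower()
    return host == domain or host.endswith("." + domain)


class CookieJar:
    def __init__(self, block_third_party: bool = False):
        self.block_third_party = block_third_party
        self.cookies = []   # one dict per stored cookie

    def receive(self, page_url: str, response_url: str, set_cookie_headers):
        """Store cookies from a response fetched while page_url is shown.
        Returns the names of the cookies that were accepted."""
        page_host, resp_host = host_of(page_url), host_of(response_url)
        accepted = []
        for header in set_cookie_headers:
            parsed = SimpleCookie()
            parsed.load(header)
            for name, m in parsed.items():
                domain = m["domain"] or resp_host
                if not domain_matches(resp_host, domain):
                    continue   # a server may not set cookies for other domains
                third_party = not domain_matches(page_host, domain)
                if third_party and self.block_third_party:
                    continue   # the browser setting that refuses third-party cookies
                self.cookies.append({
                    "name": name, "value": m.value, "domain": domain,
                    "persistent": bool(m["max-age"] or m["expires"]),
                    "third_party": third_party,
                    "secure": bool(m["secure"]), "httponly": bool(m["httponly"]),
                })
                accepted.append(name)
        return accepted

    def cookies_for(self, url: str) -> str:
        """Cookie header for a request to url: every stored cookie whose
        domain covers the host, leaving Secure cookies out of plain http."""
        host, scheme = host_of(url), urlsplit(url).scheme
        chosen = [c for c in self.cookies
                  if domain_matches(host, c["domain"])
                  and (scheme == "https" or not c["secure"])]
        return "; ".join(f'{c["name"]}={c["value"]}' for c in chosen)

    def end_session(self):
        """Closing the browser discards session cookies; persistent ones stay."""
        self.cookies = [c for c in self.cookies if c["persistent"]]


# Constructed sample: the page at www.example.com sets two cookies, and an
# embedded resource from ads.tracker.example tries to set a third.
PAGE = "https://www.example.com/index.html"
FIRST_PARTY_HEADERS = [
    "sid=abc123; Path=/; Secure; HttpOnly",              # session cookie
    "prefs=dark; Domain=example.com; Max-Age=2592000",   # persistent, 30 days
]
THIRD_PARTY_HEADERS = ["track=u42; Domain=.tracker.example; Max-Age=31536000"]


def demo(block_third_party: bool) -> dict:
    jar = CookieJar(block_third_party)
    jar.receive(PAGE, PAGE, FIRST_PARTY_HEADERS)
    jar.receive(PAGE, "https://ads.tracker.example/pixel.gif", THIRD_PARTY_HEADERS)
    result = {
        "stored": [c["name"] for c in jar.cookies],
        "sent_to_example_https": jar.cookies_for("https://www.example.com/cart"),
        "sent_to_example_http": jar.cookies_for("http://www.example.com/cart"),
        "sent_to_tracker": jar.cookies_for("https://ads.tracker.example/pixel.gif"),
    }
    jar.end_session()
    result["after_restart"] = [c["name"] for c in jar.cookies]
    return result


if __name__ == "__main__":
    for setting in (False, True):
        print("block third-party =", setting, demo(setting))
```

With third-party cookies allowed, the tracker's cookie is stored and returned on every later request to ads.tracker.example, whichever site embeds it; with the setting on, it is never stored. The Secure flag keeps the session cookie off plain http requests, which is what stops a sniffer from seeing it.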
Digital Certificates:
• A digital certificate or digital ID is a signed data structure,
sent as an attachment to an e-mail message or presented by a Web
site, that verifies that the sender or Web site is who or what it
claims to be
• It is issued by a Certification Authority (CA) and serves the same
purpose as a driver's licence or a passport: a trusted third party
vouches for the binding between an identity and a public key
A DIGITAL CERTIFICATE INCLUDES SIX MAIN
ELEMENTS:
• Certificate owner's identifying information, such as name,
organization, address, etc.
• Certificate owner’s public encryption key
• Dates between which the certificate is valid
• Serial number of the certificate
• Name of the certificate issuer
• Digital signature of the certificate issuer
Process of obtaining a Certificate
1. Subscriber (sender) generates a public/private key pair and applies
to the CA for a digital certificate, submitting the public key.
2. CA verifies the subscriber's identity and issues a digital
certificate containing the public key, signed with the CA's own
private key.
3. CA publishes the certificate to a public, on-line repository.
4. Subscriber signs a message with the private key and sends the
message (and certificate) to the second party.
5. Receiving party verifies the digital signature with the sender's
public key taken from the certificate, checks the CA's signature and
validity dates on the certificate, and requests the certificate's
status from the CA's public repository.
6. Repository reports the status of the subscriber's certificate
(valid, expired or revoked).
Main Uses:
• Proving the identity of the sender of a transaction
• Non-repudiation: the owner of the certificate cannot deny taking
part in the transaction, since only the holder of the private key
could have produced the signature
• Encryption and checking the integrity of data: the public key in
the certificate lets the receiver encrypt a reply that only the
certificate owner can read, and a signature over the data lets the
receiver detect any change to it
• Single Sign-On: it can be used to validate a user and log them into
various computer systems without a different password for each system
Steganography
• It describes process of hiding information
within another piece of information.
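An added example of the hiding process just described (not from the textbook or these slides): least-significant-bit steganography, where each bit of the secret message replaces the lowest bit of one byte of a cover. The cover here is a constructed byte buffer standing in for raw 8-bit pixel samples; the 4-byte length prefix is an assumption of this example so that the extractor knows where the message ends.

```python
"""Added example: least-significant-bit steganography over raw bytes."""


def fits(cover: bytes, payload: bytes) -> bool:
    """One cover byte is needed per hidden bit, length prefix included."""
    return (len(payload) + 4) * 8 <= len(cover)


def embed(cover: bytes, payload: bytes) -> bytes:
    """Write the length-prefixed payload into the low bit of each cover byte."""
    if not fits(cover, payload):
        raise ValueError("cover too small for payload")
    data = len(payload).to_bytes(4, "big") + payload
    out = bytearray(cover)
    pos = 0
    for byte in data:
        for k in range(8):                        # most significant bit first
            out[pos] = (out[pos] & 0xFE) | ((byte >> (7 - k)) & 1)
            pos += 1
    return bytes(out)


def extract(stego: bytes) -> bytes:
    """Read the low bits back: first the 4-byte length, then the payload."""
    def read(first_bit: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[first_bit + 8 * b + k] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read(0, 4), "big")
    return read(32, length)


def max_change(cover: bytes, stego: bytes) -> int:
    """Largest per-byte difference the embedding introduced."""
    return max(abs(a - b) for a, b in zip(cover, stego))


# Constructed cover: a repeated 0..255 gradient, 1024 bytes, which holds
# up to 124 bytes of message.
COVER = bytes(range(256)) * 4
MESSAGE = b"meet at dawn"


def demo():
    stego = embed(COVER, MESSAGE)
    return extract(stego), max_change(COVER, stego), stego == COVER


if __name__ == "__main__":
    print(demo())
```

No cover byte moves by more than 1, which is why the carrier looks unchanged to a viewer, and also why a defender who suspects steganography compares the carrier against a known original or examines the statistics of the low bits rather than the image itself.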
Physical Security for clients
• A biometric security device: one that uses an element of a person's
biological makeup (fingerprint, iris, face, etc.) to perform the
identification.
Communication Channel Security
• The Internet was designed to provide multiple alternative paths
between two points, not to keep the traffic on them confidential
• A message travelling on the Internet is therefore subject to:
Secrecy threats
Integrity threats
Necessity threats
Secrecy Threats
• Secrecy: prevention of unauthorized information disclosure.
• Privacy: protection of an individual's right to nondisclosure. It
covers business and legal issues, e.g. the handling of e-mail
messages.
• Sniffer programs: record the information that passes through a
computer or router handling Internet traffic; anything sent in clear
text (passwords, cookies, card numbers) can be read off the wire.
• Backdoors (electronic holes): elements of a program that allow a
user to run it without going through the normal authentication
process.
• Data exposure can itself be a security breach: every request tells
the Web server the type of browser being used and the client's IP
address.
Integrity Threats
• Also known as active wiretapping: an unauthorized party alters a
message stream rather than merely reading it
• Examples of integrity violations: altering unprotected banking
transactions; cybervandalism (electronic defacing, where someone
replaces a Web site's regular content with his or her own content)
• Masquerading or spoofing: pretending to be someone you are not,
e.g. DNS spoofing, which makes a legitimate domain name resolve to
the attacker's server
• Amazon.com and eBay have been victims of spoofing
• Phishing expeditions combine spam with spoofing, e.g. e-mail that
pretends to come from PayPal and leads to a copy of its login page
Necessity Threats
• Occur as a delay or denial of service, commonly called
denial-of-service (DoS) attacks
• Example: the Internet Worm of 1988 disabled thousands of computer
systems that were connected to the Internet
Threats to Wireless Networks
• Security of the connection depends on the Wired Equivalent Privacy
(WEP) protocol, i.e. the set of rules for encrypting transmissions
from a wireless device to the wireless access point; WEP's short
keys and reused per-frame encryption values make it breakable in
minutes, so WPA2 or WPA3 should be used instead
• Wireless Access Point (WAP): the device through which wireless
clients join the network (not to be confused with the Wireless
Application Protocol, also abbreviated WAP, a technical standard for
accessing information over mobile wireless networks)
• Attackers called wardrivers drive around looking for unprotected
access points; warchalking is marking the location and details of an
open access point on nearby walls or pavement for others to use
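The slide above makes the connection's security rest on WEP. As an added example (not from the textbook or these slides), the following shows the simplest reason that is thin protection: WEP encrypts every frame with RC4 under IV || secret key, sends the 24-bit IV in clear and appends a CRC-32 integrity check value (ICV), so after at most 2**24 frames an IV, and with it the RC4 keystream, repeats. XORing two frames that share an IV cancels the keystream, and knowing one plaintext exposes the other without the key. The 40-bit key, the IV and the two frames are constructed for the example; RC4 is implemented here rather than imported.

```python
"""Added example: WEP keystream reuse (constructed key, IV and frames)."""
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA then PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                        # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                           # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """WEP's integrity check value: CRC-32 of the payload, little-endian."""
    return zlib.crc32(payload).to_bytes(4, "little")


def wep_encrypt(secret_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body as sent: IV in clear || RC4(IV || key, payload || ICV)."""
    return iv + rc4(iv + secret_key, payload + icv(payload))


def wep_decrypt(secret_key: bytes, frame: bytes) -> bytes:
    """Receiver: strip the IV, decrypt, check the ICV, return the payload."""
    iv, body = frame[:3], frame[3:]
    plain = rc4(iv + secret_key, body)
    payload, tag = plain[:-4], plain[-4:]
    if icv(payload) != tag:
        raise ValueError("ICV mismatch")
    return payload


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # stops at the shorter input


def recover_with_known_plaintext(frame_a: bytes, payload_a: bytes, frame_b: bytes) -> bytes:
    """Attacker's step, needing no key: frame_a's payload is known (e.g. a
    frame whose content the attacker chose), and frame_b reuses its IV."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("attack needs a reused IV")
    keystream = xor(frame_a[3:], payload_a + icv(payload_a))
    recovered = xor(frame_b[3:], keystream)
    if len(recovered) == len(frame_b) - 3:      # whole frame covered
        recovered = recovered[:-4]              # drop the ICV
    return recovered


# Constructed sample: a 40-bit WEP key, one IV used for two frames, and a
# victim frame carrying a clear-text login.
SECRET_KEY = b"\x0b\xad\xc0\xff\xee"
IV = b"\x00\x00\x2a"
VICTIM_PAYLOAD = b"GET /login?user=bob&pass=hunter2 HTTP/1.1"
ATTACKER_PAYLOAD = b"A" * 64      # known text, at least as long as the victim's


def demo() -> bytes:
    victim_frame = wep_encrypt(SECRET_KEY, IV, VICTIM_PAYLOAD)
    attacker_frame = wep_encrypt(SECRET_KEY, IV, ATTACKER_PAYLOAD)   # same IV
    return recover_with_known_plaintext(attacker_frame, ATTACKER_PAYLOAD, victim_frame)


if __name__ == "__main__":
    print(demo())
```

The recovered bytes are the victim's login request, obtained from the two ciphertexts alone. Real WEP cracking tools go further and recover the secret key from many captured frames, but keystream reuse is the property every later attack builds on, and it is why WPA2/WPA3 use a fresh key per session and per-frame counters that cannot repeat.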
ENCRYPTION
• Encryption is the coding of information by using a mathematically
based program and a secret key to produce a string of characters
that is unintelligible to anyone without the key.
• The science that studies encryption is called cryptography, i.e.
secret writing.
• For a sound algorithm, the resistance of an encrypted message to
attack depends on the size (in bits) of the key: each additional bit
doubles the number of keys an attacker must try. A flawed algorithm
can be broken regardless of key size.
• Encryption work is subdivided into three kinds of function:
1. Hash coding
2. Asymmetric encryption
3. Symmetric encryption
Hash Coding
• Calculates a fixed-length numeric hash value from a message of any
length
• Effectively unique: two different messages should not produce the
same hash value, i.e. collisions must be infeasible to find (older
functions such as MD5 no longer meet this, so SHA-2 is used)
• Message integrity: the receiver recomputes the hash and compares it
with the original hash value; any change to the message changes the
hash (to stop an attacker replacing both message and hash, the hash
is signed or keyed)
Asymmetric Encryption / public key encryption
• Uses two different, mathematically related numeric keys
• RSA is the best-known public key cryptosystem
• The public key is freely distributed
• The private key belongs to the key owner and is kept secret
• Sender encrypts using the receiver's public key
• Receiver decrypts using its own private key
• Used the other way round, the same key pair gives digital
signatures: the owner signs with the private key and anyone can
verify with the public key
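One added example, not from the textbook or these slides, serving three passages at once: the six-step "Process of obtaining a Certificate", the hash coding bullets, and the asymmetric encryption bullets above. It is a toy public-key infrastructure in plain Python: textbook RSA over fixed primes signs SHA-256 hashes, a CA issues a certificate carrying the six elements listed earlier and publishes its status in a repository, the subscriber signs a message, and the receiver runs the checks of step 5 (message signature, CA signature, validity dates, repository status) and then encrypts a reply with the certified public key. The Mersenne primes, names, dates and message are assumptions of the example; real systems use large random primes, padded RSA or ECDSA, and X.509 encoding.

```python
"""Added example: a toy PKI (fixed primes, unpadded RSA; demonstration only)."""
import hashlib
import json


def make_key(p: int, q: int, e: int = 65537):
    """Return (public, private) RSA keys from two primes supplied by the caller."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e}, {"n": n, "d": pow(e, -1, phi)}


def digest(data: bytes) -> int:
    """SHA-256 of the data as an integer: the 'hash code' of the message."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private: dict, data: bytes) -> int:
    return pow(digest(data), private["d"], private["n"])


def verify(public: dict, data: bytes, signature: int) -> bool:
    """Recompute the hash; it must equal signature ** e mod n."""
    return pow(signature, public["e"], public["n"]) == digest(data) % public["n"]


def encrypt(public: dict, plaintext: bytes) -> int:
    """Encrypt with the receiver's public key (plaintext must be smaller than n)."""
    return pow(int.from_bytes(plaintext, "big"), public["e"], public["n"])


def decrypt(private: dict, ciphertext: int) -> bytes:
    m = pow(ciphertext, private["d"], private["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def tbs_bytes(cert: dict) -> bytes:
    """Canonical bytes of the 'to be signed' fields (all but the signature)."""
    fields = {k: v for k, v in cert.items() if k != "issuer_signature"}
    return json.dumps(fields, sort_keys=True).encode()


class CertificationAuthority:
    def __init__(self, name: str, p: int, q: int):
        self.name = name
        self.public, self._private = make_key(p, q)
        self.repository = {}          # serial number -> "good" | "revoked"
        self._next_serial = 1

    def issue(self, owner: dict, owner_public: dict, not_before: str, not_after: str):
        # Step 2: identity checking happens out of band; this toy CA only
        # refuses requests that carry no organization name.
        if not owner.get("organization"):
            raise ValueError("identity not verified")
        cert = {"owner": owner,                 # 1. identifying information
                "public_key": owner_public,     # 2. owner's public key
                "not_before": not_before,       # 3. validity dates
                "not_after": not_after,
                "serial": self._next_serial,    # 4. serial number
                "issuer": self.name}            # 5. issuer name
        cert["issuer_signature"] = sign(self._private, tbs_bytes(cert))  # 6.
        self._next_serial += 1
        self.repository[cert["serial"]] = "good"   # step 3: publish
        return cert

    def revoke(self, serial: int):
        self.repository[serial] = "revoked"

    def status(self, serial: int) -> str:           # step 6: report status
        return self.repository.get(serial, "unknown")


def verify_signed_message(ca, cert, message: bytes, signature: int, today: str) -> str:
    """Step 5, the receiver's checks in order; returns 'ok' or the failure."""
    if not verify(cert["public_key"], message, signature):
        return "bad message signature"
    if not verify(ca.public, tbs_bytes(cert), cert["issuer_signature"]):
        return "certificate not signed by CA"
    if not cert["not_before"] <= today <= cert["not_after"]:
        return "certificate expired or not yet valid"
    if ca.status(cert["serial"]) != "good":
        return "certificate " + ca.status(cert["serial"])
    return "ok"


# Known Mersenne primes keep the toy keys deterministic (never do this for
# real keys, which need large random primes).
CA = CertificationAuthority("Example CA", (1 << 1279) - 1, (1 << 2203) - 1)
ALICE_PUBLIC, ALICE_PRIVATE = make_key((1 << 521) - 1, (1 << 607) - 1)   # step 1
ALICE_CERT = CA.issue({"name": "Alice", "organization": "Example Corp"},
                      ALICE_PUBLIC, "2024-01-01", "2025-12-31")


def demo() -> dict:
    msg = b"Transfer 100 to account 42"
    sig = sign(ALICE_PRIVATE, msg)                                        # step 4
    out = {"genuine": verify_signed_message(CA, ALICE_CERT, msg, sig, "2024-06-01"),
           "tampered": verify_signed_message(CA, ALICE_CERT, msg + b"0", sig, "2024-06-01"),
           "expired": verify_signed_message(CA, ALICE_CERT, msg, sig, "2026-01-01")}
    # The certified public key also lets the receiver encrypt a reply.
    out["reply"] = decrypt(ALICE_PRIVATE, encrypt(ALICE_CERT["public_key"], b"confirmed"))
    CA.revoke(ALICE_CERT["serial"])
    out["revoked"] = verify_signed_message(CA, ALICE_CERT, msg, sig, "2024-06-01")
    return out


if __name__ == "__main__":
    print(demo())
```

The "tampered" case is the hash integrity check from the hash coding slide: one changed byte changes the SHA-256 value, so the signature no longer matches. The "revoked" case shows why step 6 exists: the signature and dates on a revoked certificate still verify, and only the repository lookup catches it.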
Pretty Good Privacy (PGP)
• A set of software tools that can use several
different encryption algorithms to perform
public-key encryption
• Individuals can use PGP to encrypt their e-mail
messages to protect them from being read if
they are intercepted on the Internet
Symmetric Encryption / Private Key encryption
• Uses a single numeric key to encode and decode data
• Fast and efficient
• Both parties must first share the key over some secure channel
(the key distribution problem that public key encryption solves)
• If the key is made public, then all messages sent previously using
that key become vulnerable
Data Encryption Standard (DES)
• Private-key encryption system with a fixed 56-bit key
• Its key is now too short: in 1998 a purpose-built machine recovered
a DES key by exhaustive search in days, and faster computers keep
shortening that time, so DES has been withdrawn as a standard
• Triple DES (3DES) applies DES three times with two or three keys
as a stronger version
• Advanced Encryption Standard (AES) uses longer keys (128, 192 or
256 bits) to increase the difficulty of cracking them, and replaced
DES as the standard
ASYMMETRIC SYSTEMS - DISADVANTAGE
• Slower than symmetric encryption, so in practice a message is
encrypted with a symmetric key and only that key is protected with
the receiver's public key
Web Server Security
• One entry point for the attacker is the Web server and its software.
Secure Electronic Transaction (SET) - objectives:
1. Confidentiality of information
2. Integrity of data
3. Cardholder account authentication
4. Merchant authentication
SET Network Architecture (diagram: Seller, Buyer, Bank, Agent)
SET Transactions (diagram)
SET Digital Certificate System
• The authentication system is based on the X.509 digital certificate
framework
• This allows merchants, cardholders and acquirers to verify each
other's identities by exchanging digital certificates.
ORGANISATIONS THAT PROMOTE COMPUTER
SECURITY
• Following the occurrence of the Internet Worm of
1988, a number of organizations were formed to
share information about threats to computer
systems
• These organizations are devoted to the principle that
sharing information about attacks and defences for
those attacks can help everyone create better
computer security
• Some of the organizations began at universities
others were launched by government agencies
CERT
• Computer Emergency Response Team
• In 1988, a group of researchers met to study the Internet Worm attack
soon after it occurred
• They wanted to understand how worms worked and how to prevent
damage from future attacks of this type
• The organization is now operated as part of the federally funded
Software Engineering Institute at Carnegie Mellon University
• Today, CERT responds to thousands of security incidents each year and
provides a wealth of information to help Internet users and companies to
become more knowledgeable about security risks
• CERT posts alerts to inform the Internet community about security
events, and it is regarded as a primary authoritative source for
information about viruses, worms, and other types of attacks
OTHER ORGANIZATIONS
• The SANS (SysAdmin, Audit, Network, Security) Institute includes
members who work in computer security consulting firms and in the
information technology departments of companies
• It operates the SANS Internet Storm Center, a Web site that provides
current information on the location and intensity of computer attacks
throughout the world
• CERIAS (Center for Education and Research in Information Assurance
and Security) is a centre for multidisciplinary research and education
in information security
• The Center for Internet Security is a not-for-profit cooperative
organization that helps reduce the risk of technical failures or
deliberate attacks on computer systems
• A British publication, Infosecurity.com, is available online and
includes articles about all types of online security issues