Web security pot


Document information

Cryptography and Network Security
Chapter 17
Fourth Edition
by William Stallings
Lecture slides by Lawrie Brown

Chapter 17 – Web Security
Use your mentality
Wake up to reality
— From the song, "I've Got You under My Skin" by Cole Porter

Web Security
  • Web now widely used by business, government, individuals
  • but Internet & Web are vulnerable
  • have a variety of threats
      • integrity
      • confidentiality
      • denial of service
      • authentication
  • need added security mechanisms

SSL (Secure Socket Layer)
  • transport layer security service
  • originally developed by Netscape
  • version 3 designed with public input
  • subsequently became Internet standard known as TLS (Transport Layer Security)
  • uses TCP to provide a reliable end-to-end service
  • SSL has two layers of protocols

Where SSL Fits

SSL Architecture

SSL Architecture
  • SSL connection
      • a transient, peer-to-peer, communications link
      • associated with 1 SSL session
  • SSL session
      • an association between client & server
      • created by the Handshake Protocol
      • define a set of cryptographic parameters
      • may be shared by multiple SSL connections

SSL Record Protocol Services
  • message integrity
      • using a MAC with shared secret key
      • similar to HMAC but with different padding
  • confidentiality
      • using symmetric encryption with a shared secret key defined by Handshake Protocol
      • AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
      • message is compressed before encryption

SSL Record Protocol Operation

SSL Change Cipher Spec Protocol
  • one of 3 SSL specific protocols which use the SSL Record protocol
  • a single message
  • causes pending state to become current
  • hence updating the cipher suite in use

[...]

... MAC algorithms to negotiate cryptographic keys to be used
  • comprises a series of messages in phases
      1. Establish Security Capabilities
      2. Server Authentication and Key Exchange
      3. Client Authentication and Key Exchange
      4. Finish

SSL Handshake Protocol

TLS (Transport Layer Security)
  • IETF standard RFC 2246 similar to SSLv3
  • with minor differences
      • in record format version number
      • uses .
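The SSL Record Protocol Services slide describes the record MAC as "similar to HMAC but with different padding". As an added example (not part of the slides), this Python code computes the SSLv3 record MAC, where the pad bytes are concatenated after the secret, next to standard HMAC over the same input, where the pads are XORed into the key block. The function names, secret, sequence numbers and fragment are constructed for illustration.

```python
import hashlib
import hmac
import struct

# SSLv3 pad lengths: 48 bytes for MD5, 40 bytes for SHA-1.
PAD_LEN = {"md5": 48, "sha1": 40}


def mac_input(seq_num, content_type, fragment):
    """64-bit sequence number, 1-byte type, 2-byte length, then the fragment."""
    return struct.pack(">QBH", seq_num, content_type, len(fragment)) + fragment


def ssl3_mac(alg, secret, seq_num, content_type, fragment):
    """hash(secret || pad_2 || hash(secret || pad_1 || input)), pads concatenated."""
    pad_1 = b"\x36" * PAD_LEN[alg]
    pad_2 = b"\x5c" * PAD_LEN[alg]
    data = mac_input(seq_num, content_type, fragment)
    inner = hashlib.new(alg, secret + pad_1 + data).digest()
    return hashlib.new(alg, secret + pad_2 + inner).digest()


def hmac_same_input(alg, secret, seq_num, content_type, fragment):
    """Standard HMAC over the same bytes: 0x36/0x5c pads are XORed into the key."""
    return hmac.new(secret, mac_input(seq_num, content_type, fragment), alg).digest()


def verify_record(alg, secret, seq_num, content_type, fragment, tag):
    """Receiver side: recompute the MAC and compare in constant time."""
    expected = ssl3_mac(alg, secret, seq_num, content_type, fragment)
    return hmac.compare_digest(expected, tag)


# Constructed sample values (not taken from any real session).
SECRET = bytes(range(20))      # 20-byte MAC write secret for SHA-1
APPLICATION_DATA = 23          # record content type for application data
FRAGMENT = b"GET /index.html HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    tag = ssl3_mac("sha1", SECRET, 0, APPLICATION_DATA, FRAGMENT)
    other = hmac_same_input("sha1", SECRET, 0, APPLICATION_DATA, FRAGMENT)
    print("SSLv3 MAC:", tag.hex())
    print("HMAC-SHA1:", other.hex())
    print("valid:   ", verify_record("sha1", SECRET, 0, APPLICATION_DATA, FRAGMENT, tag))
    print("tampered:", verify_record("sha1", SECRET, 0, APPLICATION_DATA, FRAGMENT + b"x", tag))
    print("replayed:", verify_record("sha1", SECRET, 1, APPLICATION_DATA, FRAGMENT, tag))
```

Because the sequence number is part of the MAC input, a record replayed at a different position in the stream fails verification even though its bytes are unchanged.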

Date posted: 23/03/2014, 00:20


Table of contents

  • Cryptography and Network Security Chapter 17

  • Chapter 17 – Web Security

  • Web Security

  • SSL (Secure Socket Layer)

  • Where SSL Fits

  • SSL Architecture

  • Slide 7

  • SSL Record Protocol Services

  • SSL Record Protocol Operation

  • SSL Change Cipher Spec Protocol

  • SSL Alert Protocol

  • SSL Handshake Protocol

  • Slide 13

  • TLS (Transport Layer Security)
