Security Technologies for the World Wide Web

For quite a long time, computer security was a rather narrow field of study that was populated mainly by theoretical computer scientists, electrical engineers, and applied mathematicians. With the proliferation of open systems in general, and of the Internet and the World Wide Web (WWW) in particular, this situation has changed fundamentally. Today, computer and network practitioners are equally interested in computer security, since they require technologies and solutions that can be used to secure applications related to electronic commerce. Against this background, the field of computer security has become very broad and includes many topics of interest. The aim of this series is to publish state-of-the-art, high standard technical books on topics related to computer security. Further information about the series can be found on the WWW at the following URL: http://WWW.esecurity.ch/serieseditor.html

Also, if you’d like to contribute to the series by writing a book about a topic related to computer security, feel free to contact either the Commissioning Editor or the Series Editor at Artech House.

Recent Titles in the Artech House Computer Security Series
Rolf Oppliger, Series Editor

Computer Forensics and Privacy, Michael A. Caloyannides
Demystifying the IPsec Puzzle, Sheila Frankel
Developing Secure Distributed Systems with CORBA, Ulrich Lang and Rudolf Schreiner
Implementing Electronic Card Payment Systems, Cristian Radu
Implementing Security for ATM Networks, Thomas Tarman and Edward Witzke
Information Hiding Techniques for Steganography and Digital Watermarking, Stefan Katzenbeisser and Fabien A. P. Petitcolas, editors
Internet and Intranet Security, Second Edition, Rolf Oppliger
Non-repudiation in Electronic Commerce, Jianying Zhou
Secure Messaging with PGP and S/MIME, Rolf Oppliger
Security Fundamentals for E-Commerce, Vesna Hassler
Security Technologies for the World Wide Web, Second Edition, Rolf Oppliger

For a listing of recent titles in the Artech House Computing Library, turn to the back of this book.

Security Technologies for the World Wide Web
Second Edition
Rolf Oppliger
Artech House
Boston * London

Library of Congress Cataloging-in-Publication Data
Oppliger, Rolf.
Security technologies for the World Wide Web/Rolf Oppliger.—2nd ed.
p. cm. — (Artech House computer security library)
Includes bibliographical references and index.
ISBN 1-58053-348-5 (alk. paper)
1. Computer security. 2. World Wide Web (Information retrieval system)—Security measures
I. Title II. Series.
QA76.9.A.25 O67 2002
005.8—dc21 2002032665

British Library Cataloguing in Publication Data
Oppliger, Rolf
Security technologies for the World Wide Web.—2nd ed.— (Artech House computer security library)
1. World Wide Web—Security measures
I. Title
005.8
ISBN 1-58053-348-5

Cover design by Christine Stone

© 2003 ARTECH HOUSE, INC.
685 Canton Street
Norwood, MA 02062

Many screen shots in this book are copyright 2002 Microsoft Corporation (USA) or Opera Software ASA (Norway). All rights reserved. These pages may not be reprinted or copied without express written permission of Microsoft or Opera Software. Microsoft Corporation and Opera Software ASA have not authorized, sponsored, endorsed, or approved this publication and are not responsible for its content. Microsoft and the Microsoft corporate logos are trademarks and trade names of Microsoft Corporation. Similarly, Opera and Opera Software logos are trademarks and trade names of Opera Software ASA.
All other product names and logos are trademarks of their respective owners.

All rights reserved. Printed and bound in the United States of America. No part of this book may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording, or by any information storage and retrieval system, without permission in writing from the publisher.

All terms mentioned in this book that are known to be trademarks or service marks have been appropriately capitalized. Artech House cannot attest to the accuracy of this information. Use of a term in this book should not be regarded as affecting the validity of any trademark or service mark.

International Standard Book Number: 1-58053-348-5
Library of Congress Catalog Card Number: 2002032665
10 9 8 7 6 5 4 3 2 1

To my daughter, Lara

Contents

Preface
  References
Acknowledgments

1 Introduction
  1.1 Internet
  1.2 WWW
  1.3 Vulnerabilities, threats, and countermeasures
  1.4 Generic security model
    1.4.1 Security policy
    1.4.2 Host security
    1.4.3 Network security
    1.4.4 Organizational security
    1.4.5 Legal security
  References

2 HTTP Security
  2.1 HTTP
  2.2 User authentication, authorization, and access control
  2.3 Basic authentication
  2.4 Digest access authentication
  2.5 Certificate-based authentication
  2.6 Server configuration
    2.6.1 Configuring HTTP basic authentication
    2.6.2 Configuring HTTP digest access authentication
  2.7 Conclusions
  References

3 Proxy Servers and Firewalls
  3.1 Introduction
  3.2 Static packet filtering
  3.3 Dynamic packet filtering or stateful inspection
  3.4 Circuit-level gateways
  3.5 Application-level gateways
  3.6 Firewall configurations
    3.6.1 Dual-homed firewall
    3.6.2 Screened host firewall
    3.6.3 Screened subnet firewall
  3.7 Network address translation
  3.8 Configuring the browser
  3.9 Conclusions
  References

4 Cryptographic Techniques
  4.1 Introduction
  4.2 Cryptographic hash functions
  4.3 Secret key cryptography
    4.3.1 DES
    4.3.2 Triple-DES
    4.3.3 IDEA
    4.3.4 SAFER
    4.3.5 Blowfish
    4.3.6 CAST-128
    4.3.7 RC2, RC4, RC5, and RC6
    4.3.8 AES
  4.4 Public key cryptography
    4.4.1 RSA
    4.4.2 Diffie-Hellman
    4.4.3 ElGamal
    4.4.4 DSS
    4.4.5 ECC
  4.5 Digital envelopes
  4.6 Protection of cryptographic keys
  4.7 Generation of pseudorandom bit sequences
  4.8 Legal issues
    4.8.1 Patent claims
    4.8.2 Regulations
    4.8.3 Electronic and digital signature legislation
  4.9 Notation
  References

5 Internet Security Protocols
  5.1 Introduction
  5.2 Network access layer security protocols
    5.2.1 Layer 2 Forwarding Protocol
    5.2.2 Point-to-Point Tunneling Protocol
    5.2.3 Layer 2 Tunneling Protocol
    5.2.4 Virtual private networking
  5.3 Internet layer security protocols
    5.3.1 IP security architecture
    5.3.2 IPsec protocols
    5.3.3 IKE Protocol
    5.3.4 Implementations
  5.4 Transport layer security protocols
  5.5 Application layer security protocols
    5.5.1 Security-enhanced application protocols

[...]

... provide this type of information

2 The acronym CERT stands for Computer Emergency Response Team.

The reader of Security Technologies for the World Wide Web, Second Edition gets an overview of all major topics that are relevant for the WWW and its security properties. As such, the book is intended for anyone who is concerned about security on the Web, is in charge of security for a network, or manages...
relevant for Web security. Unfortunately, and due to the dynamic nature of the field, it has become necessary to update the book and come up with a second edition after only a relatively short period of time. There are many new terms and buzzwords that need to be explained and put into perspective. Consequently, Security Technologies for the World Wide Web, Second Edition elaborates on some well-known security...

Internet Security Glossary was published as informational RFC 2828 (or FYI 36, respectively) [9]. This document can be used as a reference for anyone working in the field.5 However, Security Technologies for the World Wide Web,

5 There are many other glossaries available on the Internet. Examples include a glossary compiled by Networks Associates, Inc. at http://www.pgp.com/glossary/default.asp and another...

as, for example, the WWW. First and foremost, there must be a security policy that formalizes the proper and improper use of the (networked or distributed) system, the possible threats against it, as well as countermeasures that must be employed to protect assets from these threats. Most importantly, the security policy is to specify the goals that should be achieved. For...

generic security model for computer networks and distributed systems takes into account the following five aspects:

1. Security policy;
2. Host security;
3. Network security;
4. Organizational security;
5. Legal security.

These aspects are illustrated in Figure 1.1 and further addressed in the remaining part of this chapter. Whereas the rest of this book focuses exclusively on network security, the other aspects...

that uses the WWW as a platform for providing information. It can be used for lectures, courses, and tutorials. It can also be used for self-study or serve as a handy reference for Web professionals. Further information can also be found in other books on WWW security. Among these books, I particularly recommend [4–6].3 There are also some books that focus entirely on one specific cryptographic security...

instead. More precisely, the various chapters outlined above address zero, one, or even more than one of the abovementioned classes of security issues. There has been a long tradition in the computer and network security literature of providing various kinds of checklists. Again, Security Technologies for the World Wide Web, Second Edition breaks with this tradition, mainly because security is more than...

(i.e., the Secure Sockets Layer or Transport Layer Security protocol) that is widely deployed on the WWW [7, 8]. These books are recommended reading but are more narrow in scope than Security Technologies for the World Wide Web. Finally, there is also a frequently asked questions (FAQ) document available on the Web.4 While it is not intended that this book be read linearly from front to back, the material...

particular, Security Technologies for the World Wide Web, Second Edition has been organized in 15 chapters, summarized as follows:

• In Chapter 2, we elaborate on the security features of the Hypertext Transfer Protocol (HTTP). Most importantly, we address the user authentication and authorization schemes provided by HTTP and some implementations thereof.
• In Chapter 3, we explain and address the implications...

at the end of each chapter. This is also true for the various RFC documents that are relevant for WWW security.6 At the end of the book, an About the Author section is included to tell you a little bit about me. Finally, there is an Index to help you find particular terms. Some authors make a clear distinction between client-side security, server-side security, and document security, and structure their