Lecture Network security: Chapter 30 - Dr. Munam Ali Shah


Document information

The topics discussed in this chapter are: Secure Socket Layer (SSL), three SSL-specific protocols that use the SSL Record Protocol, integrating SSL/TLS with HTTP => HTTPS, and HTTPS and SSH. After this chapter you will be able to present an understanding of how web security is achieved through different protocols, and to demonstrate knowledge about SSH, HTTPS, TLS etc.

Network Security
Lecture 30
Presented by: Dr Munam Ali Shah
Part: Internet Security (last lecture of the last Part)

Summary of the Previous Lecture
We had a discussion about the following topics:
■ Email Security
■ Pretty Good Privacy
■ Why PGP is famous
■ PGP Operation
■ Message generation
■ Message reception
■ Internet Mail Architecture
■ Email Threats

Outlines of today's lecture
■ Secure Socket Layer (SSL)
  ● Architecture
  ● Connection
  ● Session
  ● Record Protocol Service
  ● Record Protocol operation
■ Three SSL-specific protocols that use the SSL Record Protocol
  ● SSL Change Cipher Spec Protocol
  ● Alert Protocol
  ● Handshake Protocol
■ Integrating SSL/TLS with HTTP
■ HTTPS and SSH
  ● HTTPS

Objectives
■ You would be able to present an understanding of how web security is achieved through different protocols
■ You would be able to demonstrate knowledge about SSH, HTTPS, TLS etc.

Web Security
■ Web now widely used by business, government, individuals
■ but Internet & Web are vulnerable
■ have a variety of threats
  ● integrity
  ● confidentiality
  ● denial of service
  ● authentication
■ need added security mechanisms

Web Traffic Security Approaches
A number of approaches to providing Web security are possible. The various approaches that have been considered are similar in the services they provide and, to some extent, in the mechanisms that they use, but they differ with respect to their scope of applicability and their relative location within the TCP/IP protocol stack.

SSL (Secure Socket Layer)
■ transport layer security service
■ originally developed by Netscape
■ version designed with public input
■ subsequently became Internet standard known as TLS (Transport Layer Security)
■ uses TCP to provide a reliable end-to-end service
■ SSL has two layers of protocols

SSL Architecture
The SSL Record Protocol provides basic security services to various higher-layer protocols. In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of SSL. Three higher-layer protocols are also defined as part of SSL: the Handshake Protocol, Change Cipher Spec Protocol, and Alert Protocol. These SSL-specific protocols are used in the management of SSL exchanges.

SSL Architecture
■ SSL connection
  ● a transient, peer-to-peer communications link
  ● associated with an SSL session
■ SSL session
  ● an association between client & server
  ● created by the Handshake Protocol
  ● defines a set of cryptographic parameters
  ● may be shared by multiple SSL connections

SSL Record Protocol Services
■ confidentiality
  ● using symmetric encryption with a shared secret key defined by Handshake Protocol
  ● AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
  ● message is compressed ...

Why is HTTPS not used for all web traffic?
■ [diagram: browser, corporate network] solution: browser sends CONNECT domain-name before client-hello (dropped by proxy)
■ Virtual hosting: two sites hosted at same IP address [diagram: client-hello, web server]; solution in ...

The lock UI: help users authenticate site
■ Firefox 3: [screenshots: (no SSL), (SSL)]

The lock UI: help users authenticate site
■ Firefox 3: clicking on bottom lock icon gives [screenshot]

The lock UI: Extended Validation (EV) Certs
■ Harder to obtain than regular certs
■ requires human lawyer at CA to approve cert request
■ Designed for banks and large e-commerce sites
■ Helps block "semantic attacks": www.bankofthevvest.com

A general UI attack: picture-in-picture
[screenshot]

HTTPS
■ HTTPS (HTTP over SSL)
  ● combination of HTTP & SSL/TLS to secure communications between browser & server
  ● documented in RFC2818
  ● no fundamental change using either SSL or TLS
■ use https:// URL rather than http://
  ● and port 443 rather than 80
■ encrypts
  ● URL, document contents, form data, cookies, HTTP headers

HTTPS Use
■ connection initiation
  ● TLS handshake then HTTP request(s)
■ connection closure
  ● have "Connection: close" in HTTP record
  ● TLS level exchange close_notify alerts
  ● can then close TCP connection
  ● must handle TCP close before alert exchange sent or completed

Secure Shell (SSH)
■ protocol for secure network communications
  ● designed to be simple & inexpensive
■ SSH1 provided secure remote logon facility
  ● replace TELNET & other insecure schemes
  ● also has more general client/server capability
■ SSH2 fixes a number of security flaws
■ documented in RFCs 4250 through 4254
■ SSH clients & servers are widely available
■ method of choice for remote login / X tunnels

SSH Protocol Stack
[diagram]

SSH Transport Layer Protocol
■ server authentication occurs at transport layer, based on server/host key pair(s)
  ● server authentication requires clients to know host keys in advance
■ packet exchange
  ● establish TCP connection
  ● can then exchange data: identification string exchange, algorithm negotiation, key exchange, end of key exchange, service request
  ● using specified packet format

SSH User Authentication Protocol
■ authenticates client to server
■ three message types:
  ● SSH_MSG_USERAUTH_REQUEST
  ● SSH_MSG_USERAUTH_FAILURE
  ● SSH_MSG_USERAUTH_SUCCESS
■ authentication methods used
  ● public-key, password, host-based

SSH Connection Protocol
■ runs on SSH Transport Layer Protocol
■ assumes secure authentication connection
■ used for multiple logical channels
  ● SSH communications use separate channels
  ● either side can open with unique id number
  ● flow controlled
  ● have three stages: opening a channel, data transfer, closing a channel
  ● four types: session, x11, forwarded-tcpip, direct-tcpip

SSH Connection Protocol Exchange
[diagram]

Summary
■ Have discussed:
  ● Need for web security
  ● SSL/TLS transport layer security protocols
  ● HTTPS
  ● Secure shell (SSH)

Next lecture topics
■ Our course "Network Security" finishes here
■ We will revise the entire course of network security in the next two lectures, i.e., Lecture 31 and 32

The End
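The HTTPS closure rule above (exchange close_notify alerts, then close TCP, and cope with a TCP close that arrives before the alert) depends on the record and alert layouts that the SSL Record Protocol and Alert Protocol slides only name. The following Python is an added example, not code from the lecture: it frames and parses records (5-byte header of content type, version and length, as in RFC 5246), builds a close_notify alert, and treats a stream that simply stops as a truncated close. Records are shown unencrypted for clarity; in a live session the alert body is encrypted under the negotiated cipher.

```python
import struct
from typing import Iterator, NamedTuple

# Record-layer content types (RFC 5246 section 6.2.1); the SSL Record Protocol uses the same framing.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_CLOSE_NOTIFY = 0      # AlertDescription close_notify (RFC 5246 section 7.2.1)
ALERT_LEVEL_WARNING = 1     # close_notify is sent at warning level

Record = NamedTuple("Record", [("content_type", str), ("version", tuple), ("fragment", bytes)])

def iter_records(stream: bytes) -> Iterator[Record]:
    """Split a raw byte stream into records: 5-byte header followed by `length` fragment bytes."""
    offset = 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype}")
        offset += 5
        fragment = stream[offset:offset + length]
        if len(fragment) != length:
            raise ValueError("truncated record fragment")
        offset += length
        yield Record(CONTENT_TYPES[ctype], (major, minor), fragment)

def build_alert(level: int, description: int, version=(3, 3)) -> bytes:
    """Encode a 2-byte alert body (level, description) inside an alert record; (3, 3) is TLS 1.2."""
    body = bytes([level, description])
    return struct.pack("!BBBH", 21, version[0], version[1], len(body)) + body

def is_close_notify(rec: Record) -> bool:
    """True when the record is an alert whose description is close_notify."""
    return rec.content_type == "alert" and len(rec.fragment) == 2 and rec.fragment[1] == ALERT_CLOSE_NOTIFY

def closure_is_orderly(stream: bytes) -> bool:
    """An orderly HTTPS close ends with close_notify; anything else (including a TCP close
    that cuts a record short) is reported as not orderly, so the reader can treat it as truncation."""
    last = None
    try:
        for rec in iter_records(stream):
            last = rec
    except ValueError:  # TCP closed mid-record: no complete close_notify was received
        return False
    return last is not None and is_close_notify(last)

# Constructed sample stream: one application_data record carrying the start of an HTTP response,
# followed by the server's close_notify alert.
SAMPLE = struct.pack("!BBBH", 23, 3, 3, 12) + b"HTTP/1.1 200" + build_alert(ALERT_LEVEL_WARNING, ALERT_CLOSE_NOTIFY)
```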
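The SSH Transport Layer Protocol slide lists identification string exchange and algorithm negotiation as the first steps after the TCP connection; this added Python (not the lecture's code) parses the RFC 4253 identification string and performs the name-list negotiation carried in SSH_MSG_KEXINIT, choosing the first algorithm on the client's list that the server also supports. The KEXINIT name-lists are constructed samples, and the kex choice omits the extra host-key compatibility check that RFC 4253 also requires.

```python
import re
from typing import Dict, Optional

# Identification string, RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF".
# softwareversion may not contain whitespace or '-', so the regex can split on them safely.
_ID_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>[^\s-]+)(?: (?P<comments>.*))?$")

def parse_identification(line: bytes) -> Dict[str, Optional[str]]:
    """Parse one peer's identification line; reject peers that only speak SSH1."""
    text = line.decode("ascii")
    if not text.endswith("\r\n"):
        raise ValueError("identification string must end with CR LF")
    m = _ID_RE.match(text[:-2])
    if m is None:
        raise ValueError(f"malformed identification string: {text!r}")
    # "1.99" is how a server that supports both SSH1 and SSH2 identifies itself (section 5.1)
    if m["proto"] not in ("2.0", "1.99"):
        raise ValueError(f"unsupported protocol version {m['proto']}")
    return m.groupdict()

def negotiate(client_list: str, server_list: str) -> Optional[str]:
    """RFC 4253 section 7.1: the first name on the client's list that the server also lists."""
    supported = set(server_list.split(","))
    for alg in client_list.split(","):
        if alg in supported:
            return alg
    return None  # no common algorithm: both sides must disconnect

def negotiate_kexinit(client: Dict[str, str], server: Dict[str, str]) -> Dict[str, str]:
    """Negotiate every name-list in SSH_MSG_KEXINIT (simplified: the kex choice skips the
    host-key compatibility check the RFC also requires)."""
    chosen = {}
    for field, client_list in client.items():
        alg = negotiate(client_list, server[field])
        if alg is None:
            raise ValueError(f"no common {field} algorithm; peers must disconnect")
        chosen[field] = alg
    return chosen

# Constructed sample name-lists (client-to-server direction only), each in that side's preference order.
CLIENT_KEXINIT = {
    "kex": "curve25519-sha256,diffie-hellman-group14-sha256", "host_key": "ssh-ed25519,rsa-sha2-256",
    "cipher": "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com", "mac": "hmac-sha2-256", "compression": "none"}
SERVER_KEXINIT = {
    "kex": "diffie-hellman-group14-sha256,curve25519-sha256", "host_key": "rsa-sha2-256,ssh-ed25519",
    "cipher": "aes256-gcm@openssh.com,aes128-ctr", "mac": "hmac-sha2-256,hmac-sha1", "compression": "none"}
```

Note that the client's preference wins even where the server's list is ordered differently, which is why curve25519-sha256 is chosen for kex although the server lists it second.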

Posted: 30/01/2020, 11:43


Table of contents

  • Slide 1

  • Slide 2

  • Summary of the Previous Lecture

  • Outlines of today’s lecture

  • Objectives

  • Web Security

  • Web Traffic Security Approaches

  • SSL (Secure Socket Layer)

  • SSL Architecture

  • SSL Architecture

  • SSL Record Protocol Services

  • SSL Record Protocol Operation

  • SSL Change Cipher Spec Protocol

  • SSL Alert Protocol

  • SSL Handshake Protocol

  • SSL Handshake Protocol

  • TLS (Transport Layer Security)

  • Integrating SSL/TLS with HTTP => HTTPS

  • Why is HTTPS not used for all web traffic?

  • The lock icon: SSL indicator
