Online Security Tuesday April 8, 2003 Maxence Crossley.

Post on 19-Dec-2015


Online Security

Tuesday April 8, 2003

Maxence Crossley

Outline

How do we authenticate a service?
How do we encrypt a session?
How do we prevent a "replay attack"?
Another Problem: Spoofing

How do we authenticate a service?

Certification Authorities (CAs): VeriSign, SecureNet, Digital Signature Trust

CAs sign, distribute and store certificates

Public Key Cryptography

Server publishes its public key in a certificate signed by a Certification Authority
Client encrypts a message with the server's public key
Server decrypts the message with its private key; nobody without the private key can read it
In SSL the "message" encrypted this way is the session key, not the page content (see the SSL slide)

Source: http://waubonsie.com/security/www.html


Private Key Cryptography

Server and client share one secret (private) key
Client encrypts the message with the shared key
Server decrypts the message with the same shared key
Fast, but both sides must already hold the key; SSL uses public key cryptography to deliver it

Source: http://waubonsie.com/security/www.html


How do we encrypt a session? SSL

Client requests a secured file
Server sends its certificate
Client checks that the CA's signature on the certificate is valid, using the CA public key the browser already holds (no round trip to the CA is needed for this step)
Client generates a unique session key and sends it to the server, encrypted under the server's public key; from then on both sides encrypt the session with that shared key

Source: http://waubonsie.com/security/www.html
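The four steps above carried through end to end, as an added example written for this page (stdlib Python; not code from the presentation or from the cited waubonsie.com source). The CA, the server and the client are simulated in one process and the host name www.example.com is made up. Textbook RSA with 512-bit toy keys and no padding, plus an HMAC-based stream cipher, stand in for the real primitives so the file runs with no dependencies; neither is secure and neither is what SSL actually uses. What it shows beyond the slide: the client verifies the CA signature locally against a CA key it already trusts, checks that the certified name is the host it asked for, and uses the public key only to wrap the session key, after which both sides hold the same symmetric key.

```python
import hashlib
import hmac
import json
import secrets

# --- toy RSA: textbook, unpadded, 512-bit keys; illustration only ---
def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    e = 65537                                  # returns ((n, e), (n, d))
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)

def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")

# --- the CA binds a host name to a public key with its signature ---
def cert_bytes(subject, pub):
    return json.dumps({"subject": subject, "n": pub[0], "e": pub[1]}, sort_keys=True).encode()

def issue_cert(ca_priv, subject, pub):
    return {"subject": subject, "pub": pub, "sig": rsa_sign(ca_priv, cert_bytes(subject, pub))}

def verify_cert(ca_pub, cert, hostname):
    """Client side: signature valid under the CA key the client already
    trusts (no round trip to the CA) AND the certified name is the host asked for."""
    return cert["subject"] == hostname and rsa_verify(
        ca_pub, cert_bytes(cert["subject"], cert["pub"]), cert["sig"])

# --- symmetric ("private key") part: one shared session key on both sides ---
def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def sym_encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def sym_decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("MAC check failed: message altered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def handshake(ca_pub, server_cert, server_priv, hostname):
    """Steps 2-4 of the slide; returns the key each side ends up holding."""
    if not verify_cert(ca_pub, server_cert, hostname):
        raise ValueError("certificate rejected")
    session_key = secrets.token_bytes(32)                        # client
    n, e = server_cert["pub"]
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)     # what goes on the wire
    n, d = server_priv
    return session_key, pow(wrapped, d, n).to_bytes(32, "big")   # server unwraps

def demo():
    ca_pub, ca_priv = rsa_keygen()
    srv_pub, srv_priv = rsa_keygen()
    cert = issue_cert(ca_priv, "www.example.com", srv_pub)      # made-up host name
    client_key, server_key = handshake(ca_pub, cert, srv_priv, "www.example.com")
    blob = sym_encrypt(client_key, b"GET /secure/file.html")    # step 1, now encrypted
    return client_key == server_key, sym_decrypt(server_key, blob)
```

Two failure modes worth trying by hand: a certificate for www.example.com signed by some other key pair fails verify_cert even though the server key inside it is genuine, because the client trusts only the pinned CA key; and flipping one byte of a ciphertext makes sym_decrypt raise instead of returning garbage, which is the property a session cipher needs on top of confidentiality.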


What is a "replay attack"?

When an attacker uses captured authentication tokens to gain access to a user's account while bypassing normal authentication

Example: sniffing a URL that has a session ID in it; the attacker can then obtain access to the user's account

Source: http://www.owasp.org/asac/auth-session/replay.shtml

Countermeasures

Source: http://www.owasp.org/asac/auth-session/replay.shtml

"Generate hard to reverse-engineer Session IDs for authenticated web users (i.e. use strong crypto, MD5 hashes, etc.)"

"Build and require SSL (or other encryption) into the web application so that the authentication token can not be easily sniffed in transit between browser and server; Ensure that all cookies enable the "secure" field (see OWASP's explanation of cookies)"

"Provide a logout function that expires all cookies and other authentication tokens"

"Users can choose not to select the "Remember Me" option on web application accounts so that authentication tokens are not persistent after logout"
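The session-ID countermeasures quoted above, as an added example written for this page (stdlib Python; not code from OWASP or from the presentation). It contrasts an ID built as the MD5 of a predictable counter, which an attacker can brute-force from a single sniffed value, with an ID drawn from the OS random generator; it keeps sessions server-side so that logout really revokes the token rather than just deleting the browser's copy; and it emits the Set-Cookie line with the "secure" flag (and HttpOnly). The class name SessionStore, the cookie name SID and the 30-minute lifetime are assumptions. One caveat on the quote: hashing with MD5 is not what makes an ID hard to guess; only the randomness of the input does, and the choice of hash function matters little.

```python
import hashlib
import secrets
import time
from http.cookies import SimpleCookie

def weak_session_id(counter):
    """Anti-pattern: looks random, but is MD5 of a predictable counter."""
    return hashlib.md5(str(counter).encode()).hexdigest()

def guess_weak_id(target, limit):
    """What an attacker does with one sniffed weak ID: enumerate the counter."""
    for c in range(limit):
        if weak_session_id(c) == target:
            return c
    return None

class SessionStore:
    """Server-side table of live sessions. IDs are 256-bit random strings; only
    their SHA-256 is stored, so a leaked table does not hand out replayable tokens."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}            # sha256(sid) -> (user, expires_at)

    @staticmethod
    def _key(sid):
        return hashlib.sha256(sid.encode()).hexdigest()

    def create(self, user, now=None):
        sid = secrets.token_urlsafe(32)       # 256 bits from the OS CSPRNG
        now = time.time() if now is None else now
        self._sessions[self._key(sid)] = (user, now + self.ttl)
        return sid

    def lookup(self, sid, now=None):
        """User for a presented ID, or None if unknown, expired or logged out.
        A captured ID replayed after logout or expiry ends up here as None."""
        now = time.time() if now is None else now
        entry = self._sessions.get(self._key(sid))
        if entry is None:
            return None
        user, expires_at = entry
        if now >= expires_at:
            self._sessions.pop(self._key(sid), None)
            return None
        return user

    def logout(self, sid):
        """The logout the slide asks for: the token stops working server-side,
        whatever copies exist in caches, logs or an attacker's capture."""
        self._sessions.pop(self._key(sid), None)

def set_cookie_header(sid):
    """Set-Cookie with the 'secure' flag: the browser never sends it over plain
    HTTP, so it cannot be sniffed there. HttpOnly keeps page scripts away from it."""
    c = SimpleCookie()
    c["SID"] = sid
    c["SID"]["secure"] = True
    c["SID"]["httponly"] = True
    c["SID"]["path"] = "/"
    return c.output(header="Set-Cookie:")

def logout_header():
    """Expire the cookie in the browser as well; SessionStore.logout is what
    actually ends the session."""
    c = SimpleCookie()
    c["SID"] = ""
    c["SID"]["path"] = "/"
    c["SID"]["max-age"] = 0
    return c.output(header="Set-Cookie:")
```

Note that until logout or expiry a sniffed ID is indistinguishable from the real one on the server side, which is why the SSL transport and the secure flag matter: the store can only limit the window in which a replay works, not detect it.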

Another Problem: Spoofing

Web users rely on visual cues when deciding to trust a site:
Location bar information
SSL icons
SSL warnings
Certificate information
Response time

These cues can be forged

Source: http://www.cs.dartmouth.edu/~pkilab/demos/spoofing/


Countermeasures

Mozilla with SRD (synchronized random dynamic) boundary, from the Dartmouth PKI lab

Trusted reference window in the lower right corner, drawn by the browser itself

Untrusted outer window: everything a web page is able to draw

Window border colours are chosen at random and change in step with the reference window; a page that paints its own fake location bar or SSL icon cannot know or match the current colour, so a mismatch tells the user the cue is forged

Source: http://www.cs.dartmouth.edu/~pkilab/demos/countermeasures/