A Web Framework For Selective Encryption
Transcript of A Web Framework For Selective Encryption
Page 1
A Web Framework For Selective Encryption
Richie Steigerwald
Page 2
Privacy on the Web
Page 3
Session Cookies
Page 4
Session Cookies
Page 5
HTTPS
Page 6
Why HTTPS is slow
Page 7
HTTPS
• HTTPS stands for Hypertext Transfer Protocol over Secure Socket Layer, or HTTP over SSL
• SSL acts like a sub layer under regular HTTP application layering
• HTTPS encrypts an HTTP message prior to transmission and decrypts a message upon arrival.
Application (HTTP)
Security (SSL)
Transport (TCP)
Network (TCP)
Data Link (PPP)
Physical (modem, ADSL, cable)
Page 8
HTTPS
• Authentication
• Integrity
• Privacy
Page 9
Authentication
Integrity
Privacy
Selective Encryption
• Authentication – Encrypt cookies
• Data integrity – Encrypt data checksum
• Data privacy – Encrypt private data
Page 10
Authentication
• For all requests, encrypt:
  – Cookie
  – Secret code
• For all responses, encrypt:
  – Secret code
Page 11
Integrity
• Perform authentication related encryption
• In the response, attach and encrypt checksum with secret code
Don’t read this while I’m presenting! If this is distracting you then I guess my presentation is pretty boring anyway. I actually wrote this presentation this morning. I hope it’s going well. Anyway, here’s something interesting: Apparently some brothel in Borneo (dunno WTF that is) was using a shaved orangutan as a sex slave. I just saw that on reddit. Maybe you’re looking at reddit right now, I don’t blame you.
*(a$TH(0et1?be912zHZ&?
Page 12
Privacy
• Perform authentication related security
• Encrypt the entire request/response
SSL in the 90’s
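The authentication and integrity levels above rest on one idea: the checksum a client verifies must be bound to the per-session secret code, otherwise anyone on the path can rewrite the body and recompute the checksum. The following is an added example, not the framework's own code; it models that binding with HMAC-SHA256 (a standard keyed checksum, swapped in for the slides' "encrypt checksum with secret code") and contrasts it with an unkeyed checksum. The class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets


class Session:
    """Hypothetical server-side session: the secret code shared with one client."""

    def __init__(self) -> None:
        # Fresh random secret code per session (assumed: 32 random bytes).
        self.secret_code = secrets.token_bytes(32)


def plain_checksum(body: bytes) -> str:
    """Unkeyed checksum: anyone can recompute it, so it only catches accidental corruption."""
    return hashlib.sha256(body).hexdigest()


def keyed_checksum(session: Session, body: bytes) -> str:
    """Checksum bound to the session secret; recomputing it requires the secret code."""
    return hmac.new(session.secret_code, body, hashlib.sha256).hexdigest()


def build_plain_response(body: bytes) -> dict:
    """Integrity level done wrong: checksum not bound to the secret code."""
    return {"body": body, "checksum": plain_checksum(body)}


def build_keyed_response(session: Session, body: bytes) -> dict:
    """Integrity level as the deck describes: checksum bound to the secret code."""
    return {"body": body, "checksum": keyed_checksum(session, body)}


def verify_plain(response: dict) -> bool:
    return hmac.compare_digest(plain_checksum(response["body"]), response["checksum"])


def verify_keyed(session: Session, response: dict) -> bool:
    """Client-side check: constant-time compare of the recomputed keyed checksum."""
    expected = keyed_checksum(session, response["body"])
    return hmac.compare_digest(expected, response["checksum"])


def modified_in_transit(response: dict, new_body: bytes) -> dict:
    """Constructed on-path modification: swap the body and recompute the unkeyed checksum.
    The modifier does not hold the session secret, so it can only produce a plain checksum."""
    return {"body": new_body, "checksum": plain_checksum(new_body)}
```

Run with a constructed body such as `b"balance=100"` and a modified body `b"balance=999"`: the unkeyed response still verifies after modification, while the keyed response does not.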
Page 13
Framework Interface
• Developers should only have to specify what level of security to use
• Framework should keep track of sessions and perform checksums automatically
Page 14
Server
• Keep track of sessions – Guarantee it’s the same person
• Checksums
• Encryption
Page 15
Client
• Decrypt and verify secret code
• Decrypt and verify checksum
• Decrypt private data
• Sandbox received code
Page 16
Validation
• Guarantee authenticity with near-HTTP speeds
• Guarantee integrity with speeds faster than HTTPS
Page 17
Performance
• Checksum faster than encryption
Page 18
Problems
• Tradeoff speed vs. privacy
• Encrypting shorter messages makes them easier to crack
Page 19
Questions