2) Secure HyperText Transfer Protocol
Emmanuel Benoist
Fall Term 2020/2021
Berner Fachhochschule | Haute école spécialisée bernoise | Berne University of Applied Sciences
Table of Contents
HyperText Transfer Protocol - HTTP
Credentials in HTTP
Need for security
Symmetric and Asymmetric Cryptography
Public Key Infrastructure
SSL and TLS
How to Configure your Web Server
Conclusion: Limitations
References
HyperText Transfer Protocol - HTTP
HyperText Transfer Protocol - HTTP
Request
- From the client (browser) to the server
- Contains a description of the browser (user agent, accept)
- Contains the description of the requested page, or the information being sent
Response
- Only generated as a “response” to a request
- Contains the status of the response (success/fail/partial)
- Contains the document (body)
- Contains meta-information
HTTP Request
Request
    GET http://www.benoist.ch:80/SoftSec/ HTTP/1.1
    Host: www.benoist.ch
    User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; fr; rv:1.9.2.15) Gecko/20110303 Firefox/3.6.15
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: fr-fr,fr-ch;q=0.9,fr;q=0.7,en-us;q=0.6,en;q=0.4,de-de;q=0.3,de-ch;q=0.1
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 115
    Proxy-Connection: keep-alive
HTTP Response
Response
    HTTP/1.1 200 OK
    Date: Wed, 09 Mar 2011 08:29:25 GMT
    Server: Apache/2.2.11 (Unix) DAV/2 mod_ssl/2.2.11 OpenSSL/0.9.8l PHP/5.2.9 mod_perl/2.0.4 Perl/v5.10.0
    X-Powered-By: PHP/5.2.9
    X-Transfer-Encoding: chunked
    Content-Type: text/html
    Content-length: 11527

    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
GET vs. POST
GET
- Primarily for accessing information
- Forms containing a small amount of information
- The content of the form is “URL encoded” inside the URL
- The URL is visible in the browser
- The URL is stored in caches and log files
    GET http://localhost:80/coursWebProgramming/examples/http/forms.php?text1=Hello+World&text2=80 HTTP/1.1
    Host: localhost
    ...
    Proxy-Connection: keep-alive
    Referer: http://localhost/coursWebProgramming/examples/http/forms.php
GET vs. POST (Cont.)
POST
- Primarily for sending information to the server
- Forms containing a large amount of information
- The content is URL encoded in the BODY of the message
    POST http://localhost:80/coursWebProgramming/examples/http/forms.php?text1=Hello+World&text2=80 HTTP/1.1
    Host: localhost
    ...
    Referer: http://localhost/coursWebProgramming/examples/http/forms.php?text1=Hello+World&text2=80
    Content-Type: application/x-www-form-urlencoded
    Content-length: 26

    text1=Hello+World&text2=80
Sending credentials in HTTP
Username / Password
- In a form (GET / POST)
- Using the HTTP authorization scheme (as an HTTP header field, encoded in Base64):
    Authorization: Basic YmllOmJpZQ==
Transferred in clear text
- A GET form writes the username and password directly into the URL bar and into the log files
- POST transfers the information in clear text in the body of the request
- Basic HTTP authorization sends the username and password in each request unencrypted (just encoded in Base64). You can decode (not decrypt) the username and password using:
    echo 'YmllOmJpZQ==' | openssl base64 -d
Credentials in HTTP
Credentials in HTTP
Cookies
- A small piece of information
- Resent inside every request
- Contains a session ID
- Credentials are stored on the server and associated with the session ID
    GET http://localhost:80/coursWebProgramming/examples/phpWeb/session3.php HTTP/1.1
    Host: localhost
    ...
    Referer: http://localhost/coursWebProgramming/examples/phpWeb/session2.php?firstName=Emmanuel
    Cookie: PHPSESSID=105fc85ea2e9884eea1f9bed88e6b70f
Eavesdropping on and tampering with credentials in HTTP
Anybody can listen to or fake any credentials in HTTP
- GET / POST / Cookies are sent unencrypted, in clear text
- Basic authentication is sent unencrypted, only Base64 encoded
- Both can easily be listened to and/or spoofed and/or manipulated by a third party.
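An added example, not from the slides: a small Python scanner that parses a captured, unencrypted HTTP request and reports each of the credential carriers the previous slides describe (Basic Authorization header, form fields in the GET URL or POST body, and the session cookie). The sample request, the field-name list and the function names are constructed for this illustration.

```python
# Added example: flag credentials that an unencrypted HTTP request exposes on the wire.
import base64
from urllib.parse import urlsplit, parse_qs

# Constructed list of form-field names treated as credentials
SENSITIVE_FIELDS = {"user", "username", "login", "password", "passwd", "pwd", "token"}

def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, target, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body

def find_cleartext_credentials(raw: str):
    """Return a list of (carrier, detail) findings for credentials exposed in the request."""
    method, target, headers, body = parse_request(raw)
    findings = []
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        # Base64 is an encoding, not encryption: anyone on the path recovers user:password
        user = base64.b64decode(auth.split(None, 1)[1]).decode("latin-1").split(":", 1)[0]
        findings.append(("basic-auth", f"user={user} sent in a cleartext Basic header"))
    for field in parse_qs(urlsplit(target).query):
        if field.lower() in SENSITIVE_FIELDS:
            findings.append(("url-query", f"{field} in the {method} URL (ends up in logs and caches)"))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for field in parse_qs(body):
            if field.lower() in SENSITIVE_FIELDS:
                findings.append(("post-body", f"{field} in the URL-encoded body"))
    if "cookie" in headers:
        for pair in headers["cookie"].split(";"):
            name = pair.strip().split("=", 1)[0]
            if "sess" in name.lower():
                findings.append(("cookie", f"{name} session identifier is replayable if captured"))
    return findings

# Constructed request reusing the header layout shown in the slides
SAMPLE = ("POST /coursWebProgramming/examples/http/forms.php?user=bie HTTP/1.1\r\n"
          "Host: localhost\r\nAuthorization: Basic YmllOmJpZQ==\r\n"
          "Cookie: PHPSESSID=105fc85ea2e9884eea1f9bed88e6b70f\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
          "text1=Hello+World&password=s3cret")
```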
Need for security
Needs for security
Confidentiality
- Nobody can read the message I send
- Needed for both security and privacy
Authentication of the partner
- Am I really talking with the server I am supposed to?
- Am I really the person I am supposed to be?
Integrity of the message
- Is the message the one that my partner sent?
Symmetric and Asymmetric Cryptography
Symmetric Cryptography
Symmetric cryptography
- Alice and Bob share the same key K (which is secret)
- Alice encrypts the message with K
- Bob decrypts the message with K
- If Charly does not have K, he cannot read the message
Efficiency
- This type of cryptography is very efficient
Problem
- How to exchange the key if you do not meet your correspondent?
- Alice and Bob need a secure channel to exchange the key
Asymmetric Cryptography
Knowledge of keys is asymmetric
- Alice wants to send a message M to Bob
- Alice has access to the public key K_Bpub of Bob
- Bob knows a pair (K_Bpub, K_Bpriv)
Encryption of a message
- Alice encrypts the message using Bob's public key K_Bpub
- Bob decrypts the message using his private key K_Bpriv
Problem
- How can Bob be sure it is Alice who sent the message?
- Charlie may have intercepted the message and replaced it by another one
Signing a message
- Bob wants to be certain the message was sent by Alice
- He wants to check the integrity of the message
Signing of the message
- Alice also has a pair of keys: (K_Apub, K_Apriv)
- Bob knows the public key of Alice, K_Apub
- Alice uses her private key to sign the message sent to Bob
- Bob uses the public key to verify the signature of Alice
- Since Charly does not know the private key, he cannot forge such a message
- Bob is convinced that Alice has sent this message
Combining both: encrypting and signing
- Alice writes a message M
- She creates a signature σ(M) with her private key K_Apriv
- She encrypts both M and σ(M) with Bob's public key K_Bpub
- Bob receives the encrypted message,
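The sign-then-encrypt exchange above, as an added Python illustration that is not part of the slides: Alice signs M with K_Apriv, encrypts both M and σ(M) with K_Bpub, and Bob decrypts with K_Bpriv and checks the signature with K_Apub. It uses textbook RSA with constructed Mersenne-prime keys and no padding, which models the protocol shape only and is not a usable cryptosystem; all function names and key values are assumptions.

```python
# Added illustration of sign-then-encrypt (Alice signs M with K_Apriv, encrypts M and
# sigma(M) under K_Bpub, Bob decrypts and verifies). Textbook RSA with constructed primes
# and no padding: a teaching model of the protocol shape, not a usable cryptosystem.
import hashlib

E = 65537

def make_keypair(p, q):
    """Return (public, private) as ((e, n), (d, n)) for the constructed primes p, q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def h(msg: bytes) -> int:
    # 128-bit digest so the hash-as-integer is always below Alice's signing modulus
    return int.from_bytes(hashlib.blake2b(msg, digest_size=16).digest(), "big")

def sign(msg: bytes, priv) -> int:
    d, n = priv
    return pow(h(msg), d, n)                      # sigma(M) = H(M)^d mod n_A

def verify(msg: bytes, sigma: int, pub) -> bool:
    e, n = pub
    return pow(sigma, e, n) == h(msg)             # H(M) == sigma^e mod n_A

def encrypt_int(x: int, pub) -> int:
    e, n = pub
    assert 0 < x < n, "plaintext must be smaller than the modulus"
    return pow(x, e, n)

def decrypt_int(c: int, priv) -> int:
    d, n = priv
    return pow(c, d, n)

# Constructed keys: Alice's modulus is ~2^150, Bob's ~2^234, so sigma(M) fits under K_Bpub
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

def alice_sends(msg: bytes):
    """Alice: sign with K_Apriv, then encrypt both M and sigma(M) with K_Bpub."""
    sigma = sign(msg, ALICE_PRIV)
    m_int = int.from_bytes(msg, "big")            # M must stay below Bob's modulus
    return encrypt_int(m_int, BOB_PUB), encrypt_int(sigma, BOB_PUB)

def bob_receives(c_msg: int, c_sig: int):
    """Bob: decrypt with K_Bpriv, then check the signature with K_Apub. Returns (M, ok)."""
    m_int, sigma = decrypt_int(c_msg, BOB_PRIV), decrypt_int(c_sig, BOB_PRIV)
    msg = m_int.to_bytes((m_int.bit_length() + 7) // 8, "big")
    return msg, verify(msg, sigma, ALICE_PUB)
```

If Charlie replaces the encrypted message with one he encrypted himself under Bob's public key, Bob still decrypts it, but the signature check against Alice's public key fails.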
Public Key Infrastructure
Public Key Infrastructure
A lot of keys have to be exchanged
- Alice needs the public key of Bob
- Bob needs the public key of Alice
- etc.
How to exchange keys in a secure way?
- Alice and Bob never met each other
- They trust the same third party (called a Certificate Authority - CA)
- They both have received (in a secure way) the public key of the CA
Certificate
- Alice wants to receive Bob's public key
- Bob creates his key pair
- Bob is identified by the CA and gives his name and public key to the CA
- The CA signs a “certificate” containing the following information:
  - Name of the Certificate Authority
  - Name of the owner of the certificate (Bob)
  - Address, ...
  - Public key of Bob
- So if Alice trusts the verification done by the CA, she trusts the public key of Bob.
Problems in real life
- Alice and Bob may not have the same certificate authority: we have a chain of trust (or web of trust)
- The Public Key Infrastructure (PKI) uses a root certificate that anybody trusts.
- You need a way to revoke compromised keys ...
Public Key Infrastructure (simplified)