ECE-8843 http://www.csc.gatech.edu/copeland/jac/8813-03/ Prof. John A. Copeland john.copeland@ece.gatech.edu 404 894-5177 fax 404 894-0035 Office: GCATT Bldg 579 email or call for office visit, or call Kathy Cheek, 404 894-5696 Chapter 7: 07-WebSec.pdf has PDF copies of slides from Chap. 7 of the text, “Network Security Essentials, Applications and Standards” by William Stallings)
Threats Consequences Countermeasures Integrity • Modification of data • Loss of information • Cryptographic checksums • Trojan horse browser • Compromise of machine • Modification of memory • Vulnerability to all threats • Modification of messages in transit Confidentiality • Eavesdropping on the net • Loss of information • Encryption • Theft of info from server • Loss of privacy • Web Proxies • Theft of data from client • Info about network configuration • Information about which clients talk to server Denial of Service • Killing of user threads • Disruptive • Difficult to prevent • Flooding machine with bogus • Annoying requests • Filling disk or memory • Prevent users from getting work done • Isolating machines by DNS attacks Authentication • Impersonate users • Misrepresentation of user • Cryptographic techniques • Data forgery • Belief that false data is valid
HTTP FTP SMTP S/MIME PGP SET HTTP FTP SMTP SSL or TLS Kerberos SMTP HTTP TCP TCP UDP TCP IP/IPSec IP IP (a) Network Level (b) Transport Level (c) Application Level Figure 7.1 Relative Location of Security Facilities in the TCP/IP Protocol Stack
SSL SSL Change SSL Alert HTTP Handshake Cipher Spec Protocol Protocol Protocol SSL Record Protocol TCP IP Figure 7.2 SSL Protocol Stack
Application Data Fragment Compress Add MAC Encrypt Append SSL Record Header Figure 7.3 SSL Record Protocol Operation
Content Major Minor Compressed Type Version Version Length Plaintext encrypted (optionally compressed) MAC (0, 16, or 20 bytes) Figure 7.4 SSL Record Format
1 byte 1 byte 3 bytes � 0 bytes 1 Type Length Content (a) Change Cipher Spec Protocol (c) Handshake Protocol 1 byte 1 byte � 1 byte OpaqueContent Level Alert (b) Alert Protocol (d) Other Upper-Layer Protocol (e.g., HTTP) Figure 7.5 SSL Record Protocol Payload
Client Server client_hello Establish security capabilities, including protocol version, session ID, cipher suite, compression method, and initial random server_hello numbers. t e i ca e rtif c ser v er_ k e y _ e xc h an g e certi fi c a te_ r equest Server may send certificate, key exchange, and request certificate. Server signals end of hello message phase. d one l o_ e l r _h r ve s e Time ce r tif i ca t e c l ie n t_ k ey_ e xchange Client sends certificate if requested. Client sends key exchange. Client may send certificate verification. c ertifi c at e _ v erif y c han ge _ cip h er_s p ec finished change _ cip h er_sp e c Change cipher suite and finish handshake protocol. fin i shed Note: Shaded transfers are optional or situation-dependent messages that are not always sent. Figure 7.6 Handshake Protocol Action
seed HMAC secret A(1) seed || HMAC HMAC secret secret A(2) seed || HMAC HMAC secret secret A(3 ) • • • seed || HMAC secret • • • length= hash size Figure 7.7 TLS Function P_hash (secret, seed)
Merchant Internet Cardholder Internet Certificate Authority Issuer Payment Network Payment Acquirer Gateway Figure 7.8 Secure Electronic Commerce Components
PI PIMD KR c H Dual POMD Signature || H E OI OIMD H PI� =� Payment Information PIMD� =� PI message digest OI� =� Order Information OIMD� =� OI message digest H� =� Hash function (SHA-1) POMD�=� Payment Order message digest ||� =� Concatenation E� =� Encryption (RSA) KR c � =� Customer's private signature key Figure 7.9 Construction of Dual Signature
Request Message PI E Passed on by merchant to + payment gateway K s Dual Signature + Digital Envelope + OIMD + E PIMD Received + by merchant OI KU b PI� =� Payment Information OI� =� Order Information PIMD�=� PI message digest + OIMD�=� OI message digest Dual Signature E� =� Encryption (RSA for asymmetric; + � �� DES for symmetric) Cardholder K s � =� Temporary symmetric key Certificate KU b � =� Bank's public key-exchange key Figure 7.10 Cardholder Sends Purchase Request
Request Message OI� =� Order Information OIMD� =� OI message digest POMD� =� Payment Order message digest Passed on by merchant to D� =� Decryption (RSA) payment gateway H� =� Hash function (SHA-1) + KU c � =� Customer's public signature key Digital Envelope + POMD PIMD || H + OI H Compare OIMD + Dual Signature D + POMD Cardholder Certificate KU c Figure 7.11 Merchant Verifies Customer Purchase Request
Recommend
More recommend