1 / 31

Secure HTTP

Secure HTTP. Herng-Yow Chen. Outline. When digest authentication is not strong enough? How a more complicated technology secures HTTP transactions from eavesdropping and tampering? Using digital cryptography. HTTPS. https scheme. security icon. HTTPS (cont.). H T T P. Application layer.

rendor
Download Presentation

Secure HTTP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure HTTP Herng-Yow Chen

  2. Outline When digest authentication is not strong enough? How a more complicated technology secures HTTP transactions from eavesdropping and tampering? Using digital cryptography.

  3. HTTPS https scheme security icon

  4. HTTPS (cont.) H T T P Application layer H T T P Application layer SSL or TLS Security layer Transport layer T C P T C P Transport layer Network layer I P I P Network layer Network interfaces Network interfaces Data link layer Data link layer (b) HTTPS (a) HTTP

  5. Digital cryptography Ciphers Keys Symmetric-key cryptosystems Asymmetric-key cryptosystems Public-key cryptography Digital signatures Digital certificates

  6. Plaintext and Ciphertext Plaintext Ciphertext Phhw ph dw wkh slhu dw plgqljkw Meet me at the pier at midnight Encoder Plaintext Meet me at the pier at midnight Decoder

  7. Rotate-by-3 cipher example

  8. Keyed Ciphers (rotate-by-n), using different keys Plaintext Meet me at the pier at midnight (a) Ciphertext Key=1 nffu nf bu uif qjfs bu njeojhiu Rotate(n) encoder Plaintext Meet me at the pier at midnight (b) Ciphertext Key=2 oggv og cv vjg rkgt cv okfpkijv Rotate(n) encoder Plaintext Meet me at the pier at midnight (c) Ciphertext Key=3 phhw ph dw wkh slhu dw plgqlijkw Rotate(n) encoder

  9. Digital Ciphers

  10. Plaintext is encoded with encoding key e Plaintext P C = E (P, e) Key=e Ciphertext C Encoder E

  11. Symmetric-Key Cryptography If d = e Ciphertext C P = D (C, d) Key=d Plaintext P Decoder D Popular symmetric-key cryptography algorithm are DES, Triple-DES, RC2, and RC4.

  12. Key Length and Enumeration Attacks

  13. Public-Key Cryptography Using different keys for encoding and decoding client Plaintext Private key=ds Public key=es Encrypted ciphertext Internet Plaintext server

  14. Public-Key cryptography assigns a single, public encoding key to each host A A kAX ex B D B D kBX kDX ex ex kCX ex C C (a) Symmetric-key cryptography (b) Public-key cryptography

  15. Signatures Are Cryptographic Checksums Plaintext message B A Message digest Message digest Same? E D Signature Message digest Public key=eA Private key=dA

  16. The Guts of a Certificate

  17. X.509 v3 Certificates

  18. Verifying that a signature is real B Message digest Message digest Same? E Signing authority’s public key

  19. HTTPS Overview H T T P Application layer H T T P Application layer SSL or TLS Security layer Transport layer T C P T C P Transport layer Network layer I P I P Network layer Network interfaces Network interfaces Data link layer Data link layer (b) HTTPS (a) HTTP

  20. HTTPS Schemes (a) HTTP request 80 HTTP Server client (b) HTTPS request 443 HTTPS Secure Server client (C) HTTPS over HTTP tunnel 443 8080 HTTPS client Secure Server HTTP tunnel Proxy

  21. Secure Transport Setup

  22. Secure Transport Setup (cont.) (a) Unencrypted HTTP transaction (b) Enencrypted HTTPS transaction

  23. SSL Handshake (simplified)

  24. Server Certificates HTTPS certificates are X.509 certificates with site information Internet client Server Certificate Server

  25. Virtual Hosting and Certificates Certificate name mismatches bring up certificate error dialog boxes

  26. Virtual Hosting and Certificates (cont.)

  27. Tunneling Secure Traffic Through Proxies Corporate firewall proxy Public Internet client client Firewall proxy Security perimeter

  28. Tunneling Secure Traffic Through Proxies (cont.) Proxy cannot proxy an encrypted request proxy.ncnu.edu.tw www.cajun-gifts.com client.ncnu.edu.tw bdfwr73ytr6ouydoiw687eqidfjwvd76weti76fig287hdi9 8r82yr87pfdy72y87193836PDUyqe719eyty3gee98y8787

  29. Reference HTTP Security Web Security, Privacy & Commerce Simson Garfinkel, O’reilly & Associates, Inc. This is one of the best, most readable introductions to web security and the use of SSL/TLS and digital certificates. http://www.ietf.org/rfc/rfc2818.txt RFC 2818, “HTTP Over TLS,” specifies how to implement secure HTTP over Transport Layer Security (TLS), the modern successor to SSL. http://www.ietf.org/rfc/rfc2246.txt RFC 2817, “Upgrading to TLS Within HTTP/1.1,” explains hoe to use the Upgrade mechanism in HTTP/1.1 to initiate TLS over an existing TCP connection. This allows unsecured and secured HTTP traffic to share the same well-known port (in this case, http: at 80 rather than https: at 443). It also enables virtual hosting, so a single HTTP+TLS server can disambiguate traffic intended for several hostnames at a single IP address.

  30. Reference (cont.) SSL and TLS http://ww.ietf.org/rfc/rfc2246.txt RFC 2246, “The TLS Protocol Version 1.0,” specifies Version 1.0 of the TLS protocol (the successor to SSL). TLS provides communications privacy over the Internet. The protocol allows client/server applications to communicate in a way that is designed to prevent eavesdropping, tampering, and message forgery. http://developer.netscape.com/docs/manuals/security/sslin/contents.htm “Introduction to SSL” introduces the Secure Sockets Layer (SSL) protocol. Originally developed by Netscape, SSL has been universally accepted on the World Wide Web for authenticated and encrypted communication between clients and servers. http://www.netscape.com/eng/ssl3/draft302.txt “The SSL Protocol Version 3.0” is Netscape’s 1996 specification for SSL.

  31. Reference (cont.) http://developer.netscape.com/tech/security/ssl/howitworks.html “How SSL Works” is Netscape’s introduction to key cryptography. http://www.openssl.org The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and open source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols, as well as a full-strength, general-purpose cryptography library.

More Related