Security In Web Scenario

  • Uploaded by: Vivek Kushwaha
  • May 2020

Contents:

  • What Do We Mean By Security?
  • The Foundations of Security
  • General Types of Attacks
  • Network Threats
  • Web traffic security approaches
  • IP Security (IPSec)
  • Secure Socket Layer
  • Kerberos
  • Pretty Good Privacy
  • Secure Electronic Transaction
  • Host Threats

What Do We Mean By Security?

Security is fundamentally about protecting assets. Assets may be tangible items, such as a Web page or your customer database, or they may be less tangible, such as your company's reputation.

The Foundations of Security

  • Attacks
  • Threats
  • Vulnerabilities

General Types of Attacks

  • Active Attacks
      • Masquerade
      • Replay
      • Modification of messages
      • Denial of service
  • Passive Attacks
      • Release of message contents
      • Traffic Analysis

Release of message contents

Read contents of message from Bob to Alice.

[Figure: Darth, Bob and Alice connected through the Internet]

Traffic Analysis

Observe the pattern of messages from Bob to Alice.

[Figure: Darth, Bob and Alice connected through the Internet]

Masquerade

Message from Darth that appears to be from Bob.

[Figure: Darth, Bob and Alice connected through the Internet]

Replay

Capture message from Bob to Alice; later replay message to Alice.

[Figure: Darth, Bob and Alice connected through the Internet]

Modification of messages

Darth modifies message from Bob to Alice.

[Figure: Darth, Bob and Alice connected through the Internet]

Denial of service

Darth disrupts services provided by server.

[Figure: Darth, Bob and Server connected through the Internet]

Network Threats

  • Information gathering
  • Sniffing
  • Spoofing
  • Session hijacking
  • Denial of service

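Web traffic security approaches

[Figure: three protocol stacks, layers listed from top to bottom]

  • Network Level: HTTP, FTP, SMTP / TCP / IP/IPSec
  • Transport Level: HTTP, FTP, SMTP / SSL or TLS / TCP / IP
  • Application Level: Kerberos, S/MIME, PGP, SET / SMTP, HTTP / UDP, TCP / IP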

IP Security (IPSec)

[Figure: IPSec Document Overview, with boxes for Architecture, ESP Protocol, AH Protocol, Encryption algorithm, Authentication algorithm, DOI and Key Management]

Secure Socket Layer

[Figure: SSL Protocol Stack. Top layer: SSL Handshake Protocol, SSL Change Cipher Spec Protocol, SSL Alert Protocol, HTTP. Below: SSL Record Protocol, then TCP, then IP]

Kerberos

[Figure: Kerberos exchanges with the Authentication Server (AS) and the Ticket-granting server (TGS)]

  • Once per user logon session: request ticket-granting ticket from the Authentication Server (AS); receive ticket + session key.
  • Once per type of service: request service-granting ticket from the Ticket-granting server (TGS); receive ticket + session key.
  • Once per service session: request service; provide server authenticator.

Pretty Good Privacy

Transmission of PGP Messages

  1. X ← file
  2. Signature required? If yes, generate signature: X ← Signature || X
  3. Compress: X ← Z(X)
  4. Confidentiality required? If yes, encrypt key, X: X ← E(PUb, Ks) || E(Ks, X)
  5. Convert to radix 64: X ← R64[X]

Reception of PGP Messages

  1. Convert from radix 64: X ← R64⁻¹[X]
  2. Confidentiality required? If yes, decrypt key, X: Ks ← D(PRb, E(PUb, Ks)); X ← D(Ks, E(Ks, X))
  3. Decompress: X ← Z⁻¹(X)
  4. Signature required? If yes, strip signature from X and verify signature.

Secure Electronic Transaction

[Figure: SET participants: Cardholder, Merchant, Certificate authority, Issuer, Acquirer and Payment gateway, connected through the Internet and the Payment Network]

Host Threats

  • Viruses, Trojan horses, and worms
  • Footprinting
  • Profiling
  • Password cracking
  • Denial of service
  • Arbitrary code execution
  • Unauthorized access

Thank You
