Web Security

Web SecurityBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.1Summary of the previous lecturePromoting a web applicationNewsletterAffiliate marketingSearch engine marketingContent managementUsage analysisTechniquesIndicatorsUse behavior analysisBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.2OutlineBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.3Web security overviewSecure transmission of dataUser’s security issuesService provider’s issues1. Web securityWeb client expect web applications to be securepreventing access from untrusted or malicious sources to private data service providers do not misuse their databy exchanging data with third partyBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.41. Web securitySeveral risks exist for service providers as wellprevent access from attackerscredit card number can be stolen data can be accessed and modifiedavailability of service can be reducedcan influence agreements and cause financial lose Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.51. Web securityWe can define security according to notions of users and service providers assecuring the end user’s computer and personal data stored on itsecuring information in transitsecuring the server and data stored on itBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.61. Web securityBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.7Desktop securitySecurity of personal datasecurity of the hostService availabilityNetwork securitySecure communication1. Web securitySecurity aspectsConfidentiality:means communication between a customer and a provider cannot be read by a third partydata encryption can be used Integrity:nobody is able to modify the exchanged informationBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.81. Web securitySecurity aspectsNon-repudiation:originators of messages should not be able to denycustomers ordering books at an online storeAuthentication:the process of verifying the identity of a person or general subject such as another application invoking a service on behalf of a human userusually implemented by login/password mechanismBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.91. Web securitySecurity aspectsAuthorizationis used to infer which privileges authenticated users are grantedAvailabilityguaranteeing the availability of Web applicationsservice downtime typically implies financial lossesBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.101. Web securitySecurity aspectsPrivacyprivacy demands the reliable handling of dataBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.112. Data encryptionBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.12Encryption is a basic technology for enabling secure messagingEncryption :translation of data into a format that is intended to be unreadable by anyone except the intended partychanging the original text to a secret message using mathematical function one-way encryptiontwo-way encryption2. Data encryptionBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.13Decryption: changing the secret message back to its original form2. Data encryptionBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.14Encryption/decryption process:Confidential messageHelloASD12#TYEncryption algorithmPlain textCipher textASD12#TYCipher textDecryption algorithmConfidential messageHelloTransmitted to the userPlain text2. Data encryptionUsed by Julius CaesarCaesar shifted each letter of his messages to his generals three places down in the alphabetSo BURN THE BRIDGE becomesEXUQ WKH EUKFIGA  DB  EC  FD  GE  HF  IG JH  K2. Data encryptionBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.16Cryptographic algorithms:Rely on keys as secret term for ciphering and decipheringWithout key it is computationally impossible to break an algorithmAn algorithm is considered strong if brute force attack is the only possible attack 2. Data encryptionBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.17Symmetric cryptography:Two-way encryption Use the same single key to encrypt and decrypt a messageAlso called private key cryptographyDES and AES are examples of symmetric cryptographic algorithms2. Data encryptionBasharat Mahmood, Department of Computer Science, CIIT,Islamabad, Pakistan.18Symmetric cryptography:Confidential messageHelloASD12#TYEncryption algorithmPlain textCipher textASD12#TYCipher textDecryption algorithmConfidential messageHelloTransmitted to the userPlain textKey 123452. Data encryptionBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.19Asymmetric cryptography:Also known as public key cryptographyUses two keys instead of oneThe public key is known to everyone and can be freely distributedThe private key is known only to the recipient of the messageRSA is an example of asymmetric cryptography2. Data encryptionBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.20Asymmetric cryptography:Confidential messageHelloASD12#TYEncryption algorithmPlain textCipher textASD12#TYCipher textDecryption algorithmConfidential messageHelloTransmitted to the userPlain textReceiver's public Key Receiver's private Key 2. Data encryptionBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.21Hashing algorithms:Hashing is a one-way processconverting a hash back to the original data is difficult or impossibleA hash is a unique “signature” for a set of datathis signature, called a hash or digest, represents the contents2. Data encryptionBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.22Digital signatures:A digital signature is basically a way to ensure that an electronic document is authenticIntegrityNon repudiation2. Data encryptionBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.23Digital signatures creation:sender creates a hash of the messagesender encrypts the message with his/her private keyattach the digital signature with message2. Data encryptionBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.24Digital signatures validation:Receiver decrypts the signature with sender’s public keyReceiver creates the hash of the messageCreated hash is compared with the decrypted message2. Data encryptionBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.25Message(m)Create hashh(m)Encrypt hash with private key sig(m)Attach signature with messagemessage + signatureCreateh(m)Decrypt signaturesig(m)Message is verifiedh(m)=sig(m)alteredyesNoTransmit message + signature3. Data encryption.Basharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.26Cryptography ensuresConfidentialityIntegrityAvailability Authenticity Non-repudiation3. Securing user’s dataBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.27After securely transmitting data user wantsPrivacy providers keep data carefullyprotect data from attackersSecured desktop3. Securing user’s dataBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.28Service providers need to establish trust relationshipcan specify data practices using platform for Privacy Preferences (P3P) standardUser can specify its preferences using P3P-agentP3P-capable browsers inform the user if service provider’s policies conflict with user’s preferences 3. Securing user’s dataBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.29Phishing and Web SpoofingPhishing is the most common attack to retrieve user’s personal informationWeb spoofing denotes mocking the web presence of famous companiessend email to users as representative of some well known companyencourage the user’s to enter their personal information3. Securing user’s dataBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.30Securing the desktopusers’ security can be at-risk through threats like viruses and wormsit is user’s responsibility to tackle with them3. Securing user’s dataBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.31Adware and spywareadware deliver advertising contents spyware monitor users activities and transfer gathered information to remote systemsRemote access/backdoorsprovide remote systems the ability to connect with user’s machinecan obtain personal information, damage files and control user’s machine 3. Securing user’s dataBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.32Viruses can damage files or repeat themselvesdistributed through email or by sharing infected filesWormsRepeat themselvesincrease traffic and consume processing power3. Securing user’s dataBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.33Trojan horsesDamage files but don’t replicateAppears as useful programs but performs other functionalities aims at data theft and destruction or illegitimate access on computational resources4. Service providers issuesBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.34Service provider wants to secure the server from attackersCommon attacks:Cross-site scripting (XSS)Attackers inject script in dynamically created pages and try to find user’s informationSQL-injectionAttackers inject sql commands as an inputSummaryBasharat Mahmood, Department of Computer Science,CIIT,Islamabad, Pakistan.35Web security overviewSecure transmission of dataUser’s security issuesService provider’s issuesReferencesChapter 13, Kappel, G., Proll, B. Reich, S. & Retschitzegger, W. (2006). Web Engineering, Hoboken, NJ: Wiley & SonBasharat Mahmood, COMSATS Institute of Information Technology, Islamabad, Pakistan.36