Chapter 6 Application and Web Security

08 Marks
Dheeraj S. Sadawarte
Content
- Application hardening
- Application patches
- Web servers
- Active Directory
- Web security threats
- Web traffic security approaches
- Secure Socket Layer
- Transport Layer Security
- Secure Electronic Transaction
31-Aug-15
Dheeraj S. Sadawarte
dheerajsadawarte.blogspot.in
2
Application Hardening
- Application hardening is securing an application against local and Internet-based attacks.
- We can remove functions of the application that we do not need.
- Most applications have buffer overflow problems in legitimate user input fields.
- So patching the application is the only way to secure it from such attacks.
Application Patches
Hotfixes
- Hotfixes are usually small sections of code designed to fix a specific problem.
Patches
- Patches are usually collections of fixes; they are likely to be much larger and are usually released on a periodic basis.
Upgrades
Web Servers
- Data is stored in the form of HTML pages.
- Clients access it through a client-side application program such as a web browser.
- Communication between the web server and the browser is done using the HTTP protocol.
- Provides content and functionality to remote users.
Active Directory
- Allows a single login to access multiple applications, data sources and systems, with advanced encryption capabilities like Kerberos and PKI.
- Contains information about network objects like domains, servers, workstations, printers, groups and users.
- Every object is placed into a domain, where it can be used to control which user may access which object.
Active Directory
- Every domain has its own security policies, administrative control, privileges and relationships with other domains.
- A hierarchical structure of domains is known as a forest.
- Microsoft uses the Lightweight Directory Access Protocol (LDAP) to update and query Active Directory.
Web Security
- The Web is now widely used by business, government and individuals
- But the Internet & Web are vulnerable
- Have a variety of threats
  - Integrity
  - Confidentiality
  - Denial of service
  - Authentication
- Need added security mechanisms
Web Traffic Security Approaches
SSL (Secure Socket Layer)
- Transport layer security service
- Originally developed by Netscape
- Version 3 designed with public input
- Subsequently became an Internet standard known as TLS (Transport Layer Security)
- Uses TCP to provide a reliable end-to-end service
- SSL has two layers of protocols
SSL (Secure Socket Layer)
- Lower layer is the SSL Record Protocol
  - provides basic security services to various higher-layer protocols
- Three higher-layer protocols:
  - Handshake Protocol,
  - Change Cipher Spec Protocol, and
  - Alert Protocol
31-Aug-15
Dheeraj S. Sadawarte
dheerajsadawarte.blogspot.in
12
SSL Architecture
[Figure: SSL Architecture, protocol stack encapsulation. The L5 (application) data receives an SSL header (SH); each lower layer then prepends its own header (H4 to the L4 data, H3 to the L3 data, H2 at the link layer) before the bits (01011011) are transmitted.]
SSL Architecture
- SSL connection
  - A transport that provides a suitable type of service
  - A transient, peer-to-peer communications link
  - Associated with one SSL session
- SSL session
  - An association between client & server
  - Created by the Handshake Protocol
  - Defines a set of cryptographic parameters, which may be shared by multiple SSL connections
A session state is defined by the following parameters:
- Peer certificate: an X.509v3 certificate of the peer.
- Compression method: the algorithm used to compress data.
- Cipher spec: the data encryption algorithm and the hash algorithm.
- Master secret: a 48-byte secret shared between the client and server.
- Is resumable: a flag indicating whether the session can be used to initiate new connections.
A connection state is defined by the following parameters:
- Server and client random: byte sequences chosen by the server and the client.
- Server write MAC secret: the secret key used in MAC operations on data sent by the server.
- Client write MAC secret: the secret key used in MAC operations on data sent by the client.
- Server write key: the symmetric encryption key for data encrypted by the server and decrypted by the client.
- Client write key: the symmetric encryption key for data encrypted by the client and decrypted by the server.
- Initialization vectors (IV): an IV is maintained for each key.
- Sequence numbers
SSL Record Protocol Services
- Confidentiality
  - Using symmetric encryption with a shared secret key defined by the Handshake Protocol
  - AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
  - Message is compressed before encryption
- Message integrity
  - Using a MAC with a shared secret key
  - Similar to HMAC but with different padding
SSL Record Protocol Operation
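As an added example (not code from the slides), the sender and receiver sides of the SSLv3 record layer in Python: fragmentation into 16 KiB records, the SSLv3 keyed-hash MAC with its concatenated padding (the "different padding" noted above), RC4-128 encryption from the cipher list, and the 5-byte record header. Null compression, a SHA-1 MAC and the constructed keys in the usage are assumptions.

```python
import hashlib
import hmac
import struct
MAX_FRAGMENT = 2 ** 14      # the record layer fragments data into blocks of at most 16 KiB
SSL3_VERSION = b"\x03\x00"  # version field in the record header: major 3, minor 0
APPLICATION_DATA = 23       # content type for application data records

def ssl3_mac(secret: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    # SSLv3 MAC with SHA-1: hash(secret || pad_2 || hash(secret || pad_1 || seq || type || len || fragment)).
    # The secret is concatenated with 40 pad bytes (0x36 / 0x5c); HMAC instead XORs the key with the pads.
    pad1, pad2 = b"\x36" * 40, b"\x5c" * 40
    header = struct.pack(">QBH", seq, ctype, len(fragment))  # 64-bit sequence number, type, length
    inner = hashlib.sha1(secret + pad1 + header + fragment).digest()
    return hashlib.sha1(secret + pad2 + inner).digest()
def rc4_keystream(key: bytes):
    # RC4-128 keystream generator; one stream runs across all records of a connection.
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]
def xor_stream(ks, data: bytes) -> bytes:
    return bytes(b ^ next(ks) for b in data)
def build_records(plaintext: bytes, mac_secret: bytes, write_key: bytes) -> list:
    # Sender: fragment -> (null) compress -> append MAC -> encrypt -> prepend 5-byte header.
    ks, records = rc4_keystream(write_key), []
    for seq, off in enumerate(range(0, len(plaintext), MAX_FRAGMENT)):
        frag = plaintext[off:off + MAX_FRAGMENT]
        body = xor_stream(ks, frag + ssl3_mac(mac_secret, seq, APPLICATION_DATA, frag))
        records.append(bytes([APPLICATION_DATA]) + SSL3_VERSION + struct.pack(">H", len(body)) + body)
    return records
def read_records(records: list, mac_secret: bytes, write_key: bytes) -> bytes:
    # Receiver: check header, decrypt, verify MAC in constant time, reassemble the fragments.
    ks, out = rc4_keystream(write_key), b""
    for seq, rec in enumerate(records):
        ctype, length = rec[0], struct.unpack(">H", rec[3:5])[0]
        if rec[1:3] != SSL3_VERSION or len(rec) != 5 + length:
            raise ValueError("malformed record")
        plain = xor_stream(ks, rec[5:])
        frag, mac = plain[:-20], plain[-20:]
        if not hmac.compare_digest(mac, ssl3_mac(mac_secret, seq, ctype, frag)):
            raise ValueError("bad record mac")  # the fatal alert the Alert Protocol would send
        out += frag
    return out
```

Because the sequence number is part of the MAC input, a replayed or reordered record fails verification even though its ciphertext is intact.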
SSL Change Cipher Spec Protocol
- One of the 3 SSL-specific protocols which use the SSL Record Protocol
- A single message
- Causes the pending state to become current
- Hence updating the cipher suite in use
SSL Alert Protocol
- Conveys SSL-related alerts to the peer entity
- Severity
  - Warning or fatal
- Specific alert
  - Fatal: unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter
  - Warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
- Compressed & encrypted like all SSL data
SSL Handshake Protocol
- Allows server & client to:
  - Authenticate each other
  - Negotiate encryption & MAC algorithms
  - Negotiate the cryptographic keys to be used
- Comprises a series of messages in phases:
  1. Establish Security Capabilities
  2. Server Authentication and Key Exchange
  3. Client Authentication and Key Exchange
  4. Finish
SSL Handshake Protocol
TLS (Transport Layer Security)
- IETF standard RFC 2246, similar to SSLv3
- Ensures privacy between communicating applications
- With minor differences:
  - In record format version number
  - Uses HMAC for MAC
  - Has additional alert codes
  - Some changes in supported ciphers
  - Changes in certificate types & negotiations
  - Changes in crypto computations & padding
- TLS Record Protocol
  - Provides connection security with an encryption method such as DES.
- TLS Handshake Protocol
  - Allows server and client to authenticate each other.
- Message Authentication Code
  HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]
- Pseudorandom function
- Alert codes
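An added example, not part of the original slides: the HMAC formula above implemented directly (K+ is the key zero-padded to the hash block size) and cross-checked against Python's hmac module, plus the TLS 1.0 record MAC that applies it over the sequence number and record header, which is where TLS differs from the SSLv3 keyed hash. The version bytes 0x0301, the SHA-1 choice for the record MAC and the sample keys are assumptions.

```python
import hashlib
import hmac
import struct

IPAD, OPAD = 0x36, 0x5C  # the two pad constants from the HMAC definition

def hmac_from_formula(key: bytes, message: bytes, h=hashlib.sha256) -> bytes:
    # HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]], with b = block size of H in bytes.
    b = h().block_size
    if len(key) > b:
        key = h(key).digest()            # keys longer than one block are hashed down first
    k_plus = key.ljust(b, b"\x00")       # K+: the key zero-padded on the right to b bytes
    inner = h(bytes(x ^ IPAD for x in k_plus) + message).digest()
    return h(bytes(x ^ OPAD for x in k_plus) + inner).digest()

def matches_stdlib(key: bytes, message: bytes) -> bool:
    # Cross-check the hand-written formula against the standard library implementation.
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_from_formula(key, message), expected)

def tls_record_mac(mac_secret: bytes, seq: int, ctype: int, fragment: bytes,
                   version: bytes = b"\x03\x01") -> bytes:
    # TLS 1.0 (RFC 2246) record MAC: HMAC over seq_num || type || version || length || fragment.
    # The sequence number binds each record to its position, so replayed records fail the check.
    header = struct.pack(">QB2sH", seq, ctype, version, len(fragment))
    return hmac_from_formula(mac_secret, header + fragment, hashlib.sha1)

def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    # Receiver-side check; compare_digest does not leak where the first mismatching byte is.
    return hmac.compare_digest(hmac_from_formula(key, message), tag)
```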
Secure Electronic Transaction
- SET is an open encryption and security specification that is designed to protect credit card transactions on the Internet.
- SET is not a payment system but a set of security protocols and formats that enables users to employ the credit card specification on the Internet.
- It provides three services:
  - It provides a secure communication channel for all parties.
  - It provides authentication by using X.509v3 digital certificates.
  - It ensures privacy, because the information is only available to parties when it is required.
SET Overview
- Provide confidentiality of payment and ordering information
- Ensure the integrity of all transmitted data
- Provide authentication that a cardholder is a legitimate user of a credit card account
- Provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution
SET Overview
- Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction
- Create a protocol that neither depends on transport security mechanisms nor prevents their use
- Facilitate and encourage interoperability among software and network providers
SET Participants
- Cardholder: an authorized holder of a payment card that has been issued by an issuer.
- Merchant: a person or organization that has goods and services to sell to the cardholder.
- Issuer: a financial institution, such as a bank, that provides the cardholder with the payment card.
SET Participants
- Acquirer: a financial institution that establishes an account with a merchant and processes payment card authorizations and payments.
- Certification Authority (CA): an entity that is trusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment gateways.