How to create secure web sites

Similar documents
Chapter 21 How to create secure web sites

Authentication CHAPTER 17

Configure Settings and Customize Notifications on FindIT Network Probe

Table of Contents. Single Sign On 1

Tyler Identity User Account Management New World ERP Foundation

You can also set the expiration time of the cookie in another way. It may be easier than using seconds.

User authentication, passwords

ITS331 IT Laboratory I: (Laboratory #11) Session Handling

Chapters 10 & 11 PHP AND MYSQL

Using SSL to Secure Client/Server Connections

How to Configure Authentication and Access Control (AAA)

How to use PHP with a MySQL database

How to use SQL to create a database

Database Systems Fundamentals

Security Guide. Configuration of Permissions

PHP: Cookies, Sessions, Databases. CS174. Chris Pollett. Sep 24, 2008.

Introduction to relational databases and MySQL

Contents. SSL-Based Services: HTTPS and FTPS 2. Generating A Certificate 2. Creating A Self-Signed Certificate 3. Obtaining A Signed Certificate 4

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

AppGate 11.0 RELEASE NOTES

ConnectUPS-X / -BD /-E How to use and install SSL, SSH

BROWSER-BASED SUPPORT CONSOLE USER S GUIDE. 31 January 2017

Installation Manual on Intra SSL Service (PC Check)

How to code control statements

User Directories. Overview, Pros and Cons

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

AppScaler SSO Active Directory Guide

D9.2.2 AD FS via SAML2

Configuring the CSS for Device Management

esignlive SAML Administrator's Guide Product Release: 6.5 Date: July 05, 2018 esignlive 8200 Decarie Blvd, Suite 300 Montreal, Quebec H4P 2P5

CS November 2018

Ciphermail Gateway PDF Encryption Setup Guide

Oracle SQL. murach s. and PL/SQL TRAINING & REFERENCE. (Chapter 2)

Manual for configuring VPN in Windows 7

UCS Manager Communication Services

Architecture. Steven M. Bellovin October 31,

Module 3 MySQL Database. Database Management System

Security and Authentication

Security in Confirmit Software - Individual User Settings

HP Instant Support Enterprise Edition (ISEE) Security overview

The Cisco HCM-F Administrative Interface

Using.htaccess to Restrict OU Directory by Usernames and Passwords in an.htpasswd File

USER GUIDELINES. Q 2. Is it necessary to configure password retrieval question and answer? How can I do that? Q 3. How can I change password?

COSC 301 Network Management. Lecture 15: SSL/TLS and HTTPS

Configuring Secure Socket Layer HTTP

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Configuring Secure Socket Layer HTTP

Public Key Infrastructure. What can it do for you?

The following topics provide more information on user identity. Establishing User Identity Through Passive Authentication

Backend IV: Authentication, Authorization and Sanitization. Tuesday, January 13, 15

Internet Script Editor

Database and MySQL Temasek Polytechnic

Cryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Contents. SSL-Based Services: HTTPS and FTPS 2. Generating A Certificate 2. Creating A Self-Signed Certificate 3. Obtaining A Signed Certificate 4

3.1 Getting Software and Certificates

Script.byu.edu SharePoint Instructions

How to Configure Guest Access with the Ticketing System

Security Guide. Configuration of Report and System Permissions

An Apple Subsidiary. This software addresses an issue where the OpenSSL library used by FileMaker Server 13.0v1 was vulnerable to the Heartbleed bug.

Identity Policies. Identity Policy Overview. Establishing User Identity through Active Authentication

Contents. xvii xix xxiil. xxvii

Security Fundamentals

CONTENTS IN DETAIL INTRODUCTION 1 THE FAQS OF LIFE THE SCRIPTS EVERY PHP PROGRAMMER WANTS (OR NEEDS) TO KNOW 1 2 CONFIGURING PHP 19

Cisco SSL Encryption Utility

Autopopulation; Session & Cookies

Configuring SSL. SSL Overview CHAPTER

LDAP Configuration Guide

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

SCRIPTING, DATABASES, SYSTEM ARCHITECTURE

Security: Focus of Control

Lesson 13 Securing Web Services (WS-Security, SAML)

Accessing the Ministry Secure File Delivery Service (SFDS)

Uniform Resource Locators (URL)

Content and Purpose of This Guide... 1 User Management... 2

User Authentication Principles and Methods

Integrating a directory server

System Setup. Accessing the Administration Interface CHAPTER

Salesforce Mobile App Security Guide

WHITE PAPER. Authentication and Encryption Design

Real Application Security Administration

Configuring and Using your Nationwide Extranet Virtual Machine

Lecture 7: Dates/Times & Sessions. CS 383 Web Development II Wednesday, February 14, 2018

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Cisco Unified Serviceability

Transport Level Security

Modern cryptography 2. CSCI 470: Web Science Keith Vertanen

Grandstream Networks, Inc. GWN7000 OpenVPN Site-to-Site VPN Guide

Instructions For Configuring Your Browser Settings and Online Banking FAQ's

Security: Focus of Control. Authentication

Perceptive Matching Engine

Lecture 6 Session Control and User Authentication. INLS 760 Web Databases Spring 2013 Rob Capra

owncloud Android App Manual

Managing Certificates

Configuring Network Composer and workstations for Full SSL Filtering and Inspection

Odette CA Help File and User Manual

Configuring SSL Security

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

Implementing Secure Socket Layer

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Transcription:

2017, Mike Murach & Associates, Inc. 1/20/2019 A request made with a secure connection Chapter 21 How to create secure web sites The URL starts with https A lock icon is displayed C21, Slide 1 2017, Mike Murach & Associates, Inc. C21, Slide 4 Objectives Applied 1. Use a secure connection and the Secure Sockets Layer (SSL) protocol for your web pages whenever that s needed. 2. Use form-based authentication for your web pages whenever that s needed. 3. Use PHP to encrypt and decrypt data whenever that s needed. Key terms Transport Layer Security (TLS) Secure Sockets Layer (SSL) secure connection encryption 2017, Mike Murach & Associates, Inc. C21, Slide 2 2017, Mike Murach & Associates, Inc. C21, Slide 5 Objectives (continued) A digital secure certificate Knowledge 1. Describe the use of the SSL protocol for getting a secure connection and providing for authentication, including the use of a digital secure certificate, SSL strength, and the $_SERVER array. 2. Distinguish between form-based authentication and basic authentication. 3. Describe the use of PHP for encrypting and validating passwords that are stored in a database. 4. List the four cryptography libraries presented in this chapter. 5. Describe the use of the Defuse cryptography library for encrypting the data that s stored in a database and for decrypting the data after it s retrieved from the database. 2017, Mike Murach & Associates, Inc. C21, Slide 3 2017, Mike Murach & Associates, Inc. C21, Slide 6 1

Types of digital secure certificates Server certificate Client certicate Key terms certification authority (CA) registration authority (RA) SSL strength 2017, Mike Murach & Associates, Inc. C21, Slide 7 2017, Mike Murach & Associates, Inc. C21, Slide 10 How authentication works Authentication is the process of determining whether a server or client is who and what it claims to be. When a browser makes an initial attempt to communicate with a server over a secure connection, the server authenticates itself by providing a digital secure certificate. If the digital secure certificate is registered with the browser, the browser won t display the certificate by default. However, the user still has the option to view the certificate. In some rare cases, the server may request that a client authenticate itself by presenting its own digital secure certificate. URLs for secure connections on a local system Test if secure connections are configured correctly https://localhost/ Request a secure connection https://localhost/book_apps/ch21_ssl/ Return to a regular connection http://localhost/book_apps/ch21_ssl/ 2017, Mike Murach & Associates, Inc. C21, Slide 8 2017, Mike Murach & Associates, Inc. C21, Slide 11 Authorities that issue digital secure certificates www.symantec.com/ssl-sem-page www.godaddy.com/ssl www.globalsign.com www.startcom.org www.comodo.com SSL strengths 40-bit 56-bit 128-bit 256-bit URLs for secure connections over the Internet Request a secure connection https://www.murach.com/ Return to a regular connection http://www.murach.com/ 2017, Mike Murach & Associates, Inc. C21, Slide 9 2017, Mike Murach & Associates, Inc. C21, Slide 12 2

A warning page for the security certificate Form-based authentication Allows the developer to code a login form that gets the username and password. Allows the developer to only request the username and password once per session. By default, it doesn t encrypt the username and password before sending them to the server. Basic authentication Causes the browser to display a dialog box that gets the username and password. Requires the browser to send the username and password for every protected page. By default, it doesn t encrypt the username and password before sending them to the server. 2017, Mike Murach & Associates, Inc. C21, Slide 13 2017, Mike Murach & Associates, Inc. C21, Slide 16 The $_SERVER array Index HTTPS HTTP_HOST REQUEST_URI Description Returns a non-empty value if the current request is using HTTPS. Returns the host for the current request. Returns the URI (Uniform Resource Identifier) for the current request. Digest authentication Causes the browser to display a dialog box that gets the user name and password. Encrypts the username and password before sending them to the server. 2017, Mike Murach & Associates, Inc. C21, Slide 14 2017, Mike Murach & Associates, Inc. C21, Slide 17 A utility file that redirects to a secure connection // make sure the page uses a secure connection $https = filter_input(input_server, 'HTTPS'); if (!$https) { $host = filter_input(input_server, 'HTTP_HOST'); $uri = filter_input(input_server, 'REQUEST_URI'); $url = 'https://'. $host. $uri; header("location: ". $url); exit(); Two functions for working with passwords Function Description password_hash($password, Creates a new hash of the password $algorithm) using a strong salt and a strong oneway encryption algorithm. password_verify($password, Returns TRUE if the specified $hash) password matches the specified hash. Two constants for setting the algorithm Constant Description PASSWORD_BCRYPT Uses the bcrypt algorithm to create a hash that s 60 characters long. PASSWORD_DEFAULT Uses the default algorithm of the password_hash() function. With PHP 5.5 and 7.1, the default algorithm is bcrypt. 2017, Mike Murach & Associates, Inc. C21, Slide 15 2017, Mike Murach & Associates, Inc. C21, Slide 18 3

Code that hashes a password using the default algorithm $password = 's3sam3'; $hash = password_hash($password, PASSWORD_DEFAULT); Code that verifies whether a password is valid $valid_password = password_verify('s3sam3', '$2y$10$xIqN2cVy8HVuKNKUwxFQR.xRP9oRj.FF8r52spVc.XCaEFy7iLHmu'); if ($valid_password) { echo "Password is valid.<br>"; The admin_db.php file (continued) function is_valid_admin_login($email, $password) { global $db; $query = 'SELECT password FROM administrators WHERE emailaddress = :email'; $statement = $db->prepare($query); $statement->bindvalue(':email', $email); $statement->execute(); $row = $statement->fetch(); $statement->closecursor(); $hash = $row['password']; return password_verify($password, $hash); 2017, Mike Murach & Associates, Inc. C21, Slide 19 2017, Mike Murach & Associates, Inc. C21, Slide 22 A script that creates a table for storing usernames and passwords CREATE TABLE administrators ( adminid INT NOT NULL AUTO_INCREMENT, emailaddress VARCHAR(255) NOT NULL, password VARCHAR(255) NOT NULL, firstname VARCHAR(60), lastname VARCHAR(60), PRIMARY KEY (adminid) ); A login form INSERT INTO administrators (adminid, emailaddress, password) VALUES (1, 'admin@myguitarshop.com', '$2y$10$lHqybsUxtrV/y6j6WfG3.utNzpVTkNCm/neRFPnaaQiBWOJVIIEiq'), (2, 'joel@murach.com', '$2y$10$.imVkbsvI2XTC13bMONdUOllyhddj/IhYZBGU87nqZ1j8ebXPezre'), (3, 'mike@murach.com', '$2y$10$21KIM2059gSrnAQWV.5Ciufzo9sNqONmmzIhE8qvd/IDaeQvHG1Eq'); 2017, Mike Murach & Associates, Inc. C21, Slide 20 2017, Mike Murach & Associates, Inc. C21, Slide 23 The admin_db.php file function add_admin($email, $password) { global $db; $hash = password_hash($password, PASSWORD_DEFAULT); $query = 'INSERT INTO administrators (emailaddress, password) VALUES (:email, :password)'; $statement = $db->prepare($query); $statement->bindvalue(':email', $email); $statement->bindvalue(':password', $hash); $statement->execute(); $statement->closecursor(); A protected page 2017, Mike Murach & Associates, Inc. C21, Slide 21 2017, Mike Murach & Associates, Inc. C21, Slide 24 4

The controller for the protected pages // Start session management and include necessary functions session_start(); require_once('model/database.php'); require_once('model/admin_db.php'); // Get the action to perform $action = filter_input(input_post, 'action'); if ($action == NULL) { $action = filter_input(input_get, 'action'); if ($action == NULL) { $action = 'show_admin_menu'; // If the user isn't logged in, force the user to login if (!isset($_session['is_valid_admin'])) { $action = 'login'; A utility file that forces a valid admin user // make sure user is a valid administrator if (!isset($_session['is_valid_admin'])) { header("location:." ); Code at the top of the login page // require a secure connection require_once('util/secure_conn.php'); Code the top of the other protected pages // require a secure connection require_once('util/secure_conn.php'); // require a valid admin user require_once('util/valid_admin.php'); 2017, Mike Murach & Associates, Inc. C21, Slide 25 2017, Mike Murach & Associates, Inc. C21, Slide 28 The controller for the protected pages (continued) // Perform the specified action switch($action) { case 'login': $email = filter_input(input_post, 'email'); $password = filter_input(input_post, 'password'); if (is_valid_admin_login($email, $password)) { $_SESSION['is_valid_admin'] = true; include('view/admin_menu.php'); else { $login_message = 'You must login to view this page.'; include('view/login.php'); A login dialog box for basic authentication 2017, Mike Murach & Associates, Inc. C21, Slide 26 2017, Mike Murach & Associates, Inc. C21, Slide 29 The controller for the protected pages (continued) case 'show_admin_menu': include('view/admin_menu.php'); case 'show_product_manager': include('view/product_manager.php'); case 'show_order_manager': include('view/order_manager.php'); case 'logout': $_SESSION = array(); // Clear all session data session_destroy(); // Clean up the session ID $login_message = 'You have been logged out.'; include('view/login.php'); A protected page 2017, Mike Murach & Associates, Inc. C21, Slide 27 2017, Mike Murach & Associates, Inc. C21, Slide 30 5

The unauthorized page Code at the top of each protected page // require a secure connection require_once('util/secure_conn.php'); // require a valid admin user require_once('util/valid_admin.php'); 2017, Mike Murach & Associates, Inc. C21, Slide 31 2017, Mike Murach & Associates, Inc. C21, Slide 34 The $_SERVER array for basic authentication Index PHP_AUTH_USER PHP_AUTH_PW Description The username from the authentication dialog box or a NULL value if the dialog box hasn t been displayed. The password from the authentication dialog box or a NULL value if the dialog box hasn t been displayed. Four cryptography libraries mcrypt Libsodium Defuse OpenSSL 2017, Mike Murach & Associates, Inc. C21, Slide 32 2017, Mike Murach & Associates, Inc. C21, Slide 35 Code that forces a valid admin user require_once('model/database.php'); require_once('model/admin_db.php'); $email = ''; $password = ''; if (isset($_server['php_auth_user']) && isset($_server['php_auth_pw'])) { $email = $_SERVER['PHP_AUTH_USER']; $password = $_SERVER['PHP_AUTH_PW']; if (!is_valid_admin_login($email, $password)) { header('www-authenticate: Basic realm="admin"'); header('http/1.0 401 Unauthorized'); include('unauthorized.php'); exit(); The URL for the Defuse Crypto library https://github.com/defuse/php-encryption One way to install the Defuse cryptography library 1. Go to the URL shown above. 2. Follow the instructions there to download the defuse-crypto.phar file that contains the library. If you re serious about security, you should also follow the instructions there to verify the integrity of the defuse-crypto.phar file. 3. Copy the defuse-crypto.phar file to a logical place on your file system, such as the xampp/php/lib directory. 2017, Mike Murach & Associates, Inc. C21, Slide 33 2017, Mike Murach & Associates, Inc. C21, Slide 36 6

Some methods of the Key class createnewrandomkey() savetoasciisafestring() loadfromasciisafestring($keyascii) Some methods of the Crypto class encrypt($data, $key) decrypt($data, $key) The Crypt class (crypt.php) require_once('/xampp/php/lib/defuse-crypto.phar'); use Defuse\Crypto\Key; use Defuse\Crypto\Crypto; use Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException; class Crypt { private $key; public function construct() { // make sure the following code points to a file that exists // and contains a valid key $keyascii = file_get_contents('/xampp/php/defuse-key.txt'); $this->key = Key::loadFromAsciiSafeString($keyAscii); public function encrypt($data) { $encrypted_data = Crypto::encrypt($data, $this->key); return $encrypted_data; 2017, Mike Murach & Associates, Inc. C21, Slide 37 2017, Mike Murach & Associates, Inc. C21, Slide 40 Code that creates an encryption key and saves it to a file require_once('/xampp/php/lib/defuse-crypto.phar'); use Defuse\Crypto\Key; $key = Key::createNewRandomKey(); $keyascii = $key->savetoasciisafestring(); file_put_contents('/xampp/php/defuse-key.txt', $keyascii); The Crypt class (crypt.php) (continued) public function decrypt($encrypted_data) { try { $data = Crypto::decrypt($encrypted_data, $this->key); return $data; catch (WrongKeyOrModifiedCiphertextException $ex) { throw new Exception($ex->getMessage()); 2017, Mike Murach & Associates, Inc. C21, Slide 38 2017, Mike Murach & Associates, Inc. C21, Slide 41 Code that encrypts and decrypts data require_once('/xampp/php/lib/defuse-crypto.phar'); use Defuse\Crypto\Key; use Defuse\Crypto\Crypto; use Defuse\Crypto\Exception\WrongKeyOrModifiedCiphertextException; // set up credit card variable $credit_card_no = '4111111111111111'; // get encryption key $keyascii = file_get_contents('/xampp/php/defuse-key.txt'); $key = Key::loadFromAsciiSafeString($keyAscii); // encrypt data $encrypted_data = Crypto::encrypt($credit_card_no, $key); echo 'Encrypted data: '. $encrypted_data. '<br>'; // decrypt data try { $decrypted_data = Crypto::decrypt($encrypted_data, $key); echo 'Decrypted data: '. $decrypted_data. '<br>'; catch (WrongKeyOrModifiedCiphertextException $ex) { echo 'Exception: '. $ex->getmessage(). '<br>'; Code that uses the Crypt class to encrypt and decrypt data require 'crypt.php'; $credit_card_no = '4111111111111111'; // Create the Crypt object $crypt = new Crypt(); // Use the Crypt object to encrypt the data $encrypted_data = $crypt->encrypt($credit_card_no); echo 'Encrypted data: '. $encrypted_data. '<br>'; // Use the Crypt object to decrypt the data try { $decrypted_data = $crypt->decrypt($encrypted_data); echo 'Decrypted data: '. $decrypted_data. '<br>'; catch (Exception $ex) { echo 'Exception: '. $ex->getmessage(); 2017, Mike Murach & Associates, Inc. C21, Slide 39 2017, Mike Murach & Associates, Inc. C21, Slide 42 7

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback