Security and Authentication
CS 370 SE Practicum, Cengiz Günay
(Some slides courtesy of Eugene Agichtein and the Internets)
CS 370, Günay (Emory) Security and Authentication Spring 2014 1 / 15
Agenda

Upcoming milestones:
  - 4/17: Testing/surveying ends; fix bugs, improve concept
  - 4/22: Hacking ends; submit survey reports (anonymous)
  - 4/24: The APPrentice! Final demo to tech transfer and business people. You will be fired!
  - 5/5: Final deliverables: installation instructions, user documentation, code documentation, package

Today: Security and authentication
  - First: Heartbleed caught the internet off guard
Entry/Exit Surveys

Exit survey: JavaScript, AJAX, dynamic web frameworks
  - Give a specific example usage of AJAX in a popular web service that you use.
  - What do you think is the next step for web computing considering the rapid development of client-side technologies?

Entry survey: Security
  - What is the Heartbleed vulnerability?
  - How come it wasn't discovered until now?
  - How can a programmer make such a mistake?
Security: Heartbleed

Open Source Code:
  "Given enough eyeballs, all bugs are shallow" - Linus's Law (from The Cathedral and the Bazaar)

Yeah, but OpenSSL fail?
  - Programmer submitted buggy code, reviewers didn't catch it either
  - The whole world missed it for two years (except the NSA)
  - Heartbeat feature was new and not that sensitive

Isn't SSL supposed to be encrypted?
  - Yep, it leaked the data securely
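The slide asks how a programmer makes such a mistake. The added example below (not from the slides or from OpenSSL) reduces the bug to its essence in Python: a heartbeat message declares its own payload length, and the buggy pattern copies that many bytes without checking that they were actually received. Python cannot read past a bytes object, so the `memory_after` argument is a constructed stand-in for whatever sat next to the record on the heap; the hardened parser performs the length check that the real fix added.

```python
import struct

# TLS heartbeat message layout (RFC 6520): type (1 byte), payload_length
# (2 bytes, big-endian), payload, then at least 16 bytes of padding.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3


def build_heartbeat(msg_type, payload, padding=b"\x00" * MIN_PADDING):
    """Encode a heartbeat message whose declared length matches its payload."""
    return struct.pack("!BH", msg_type, len(payload)) + payload + padding


def parse_heartbeat_unchecked(record, memory_after):
    """Buggy pattern: trust the declared length and copy that many bytes.

    `memory_after` simulates the bytes that happened to follow the record in
    the process heap; the caller gets back whatever the copy reached.
    """
    msg_type, declared = struct.unpack("!BH", record[:HEADER_LEN])
    reachable = record[HEADER_LEN:] + memory_after
    return msg_type, reachable[:declared]


def parse_heartbeat_checked(record):
    """Hardened parse: reject any record whose declared payload does not fit."""
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise ValueError("record too short for a heartbeat message")
    msg_type, declared = struct.unpack("!BH", record[:HEADER_LEN])
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError("unknown heartbeat type")
    # The check the fix added: header + payload + padding must fit inside
    # the bytes that were actually received.
    if HEADER_LEN + declared + MIN_PADDING > len(record):
        raise ValueError("declared payload length exceeds record length")
    return msg_type, record[HEADER_LEN:HEADER_LEN + declared]


# Constructed samples: a well-formed 3-byte payload, and a malformed record
# that declares 200 bytes but carries the same 3.
GOOD = build_heartbeat(HEARTBEAT_REQUEST, b"hat")
BAD = struct.pack("!BH", HEARTBEAT_REQUEST, 200) + b"hat" + b"\x00" * MIN_PADDING
# Constructed heap neighbour: the kind of data that sat next to the record.
HEAP_NEIGHBOUR = b"session=abc123; user=alice; " + b"\x00" * 200


def demo_checked_rejects(record=BAD):
    """True when the hardened parser refuses the record."""
    try:
        parse_heartbeat_checked(record)
    except ValueError:
        return True
    return False


def demo_unchecked_leaks(record=BAD, memory=HEAP_NEIGHBOUR):
    """Return what the unchecked copy would have echoed back."""
    _, payload = parse_heartbeat_unchecked(record, memory)
    return payload


if __name__ == "__main__":
    print(parse_heartbeat_checked(GOOD))
    print("hardened parser rejects BAD:", demo_checked_rejects())
    print("unchecked parser echoes:", demo_unchecked_leaks()[:40])
```

The two parsers read exactly the same three header bytes, which is why the code "looks right so far": the defect is not in what is read but in what is never compared. Note that the hardened version also rejects a record that is shorter than the mandatory padding, a second case the original code did not consider.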
Secure connections: SSL/TLS, HTTPS

How does encryption work? Example: HTTPS: HTTP + SSL/TLS
  - Long term public-private keys to establish trust
  - Short term session keys to encrypt data

How is trust established?
  - Certificate authorities hold public keys
  - Owners of certificates encrypt data
  - But allows man-in-the-middle (MiM) attacks

Why not use Web of Trust?
  - Decentralized PGP system
  - Problem: Expiration or lost private keys
  - New entries untrusted, possible to create many fake entries with strong trust

When to use HTTPS? Before login? During login authentication? During whole session?

But there was a lot of heartbleed. What now?
  - Not again..
Cookie Authentication

Authentication steps:
  1. Client authenticates
  2. Server sends session key
  3. Client saves key in cookie and uses it during session

Cookie contents: domain + data + expiration date

Cookies? MiM: Can somebody else act as you if they had your cookie?
  - Solutions: Cookie expiration, flushing cookies, disabling cookies.

Cross site logins? How do the like buttons on non-facebook sites work?
  - Multiple iframe elements can fetch pages from across domains (i.e. access different cookies)
  - Google AdSense: cross-site ads uses cookies
    - Helps NSA track you
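The three authentication steps and the expiration question on the slide, as an added Python example (not from the slides): the server mints a random session key after the client authenticates, sets it in a cookie with an expiration, and later resolves or rejects the value the client sends back. The in-memory `_sessions` store, the 15-minute lifetime and the `SESSION_TTL` name are assumptions for the example; the `Secure` flag answers the "during whole session" question from the HTTPS slide by never letting the browser send the cookie in the clear.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_TTL = 15 * 60   # seconds; a short lifetime limits what a stolen cookie is worth
_sessions = {}          # token -> (username, expires_at); constructed in-memory store


def issue_session(username, now=None):
    """Step 2: after the client authenticates, mint a random session key."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)      # 256 bits from the OS CSPRNG, not a counter
    _sessions[token] = (username, now + SESSION_TTL)
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["max-age"] = SESSION_TTL  # expiration date, as on the slide
    cookie["session"]["path"] = "/"
    cookie["session"]["secure"] = True          # only ever sent over HTTPS
    cookie["session"]["httponly"] = True        # not readable from page JavaScript
    cookie["session"]["samesite"] = "Lax"       # not attached to most cross-site requests
    return token, "Set-Cookie: " + cookie["session"].OutputString()


def lookup_session(token, now=None):
    """Step 3: resolve the key the client sends back; None if unknown or expired."""
    now = time.time() if now is None else now
    entry = _sessions.get(token)
    if entry is None:
        return None
    username, expires_at = entry
    if now >= expires_at:
        del _sessions[token]                   # flush expired sessions server-side
        return None
    return username


def revoke_session(token):
    """Logout, or response to suspected theft: the cookie value dies immediately."""
    _sessions.pop(token, None)


def session_from_cookie_header(header, now=None):
    """Parse an incoming Cookie: header and look the session up."""
    cookie = SimpleCookie()
    cookie.load(header)
    if "session" not in cookie:
        return None
    return lookup_session(cookie["session"].value, now)


if __name__ == "__main__":
    token, set_cookie = issue_session("alice")
    print(set_cookie)
    print(session_from_cookie_header("session=" + token))
```

The answer to "can somebody else act as you if they had your cookie?" is yes, because the cookie is a bearer token; the server cannot tell who presents it. That is why the example keeps the token unguessable, short-lived, HTTPS-only, hidden from scripts and revocable on the server, rather than relying on the client to delete it.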
Hacking: Email Tracking

Track people via emails?
  - Email header codes (look at your Gmail headers!)
  - Visible/invisible images (how??)

Anonymous emails?
  - demo phishing (only for the gullible)
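The two tracking channels on the slide, seen from the receiving side, as an added Python example (not from the slides): it lists the Received: hops in a message's headers and flags images that look like open-tracking beacons (remote, tiny, hidden, or carrying a per-recipient URL). The heuristics and the sample message are constructed for the example; `example.invalid` hostnames and the 192.0.2.x / 198.51.100.x addresses are documentation placeholders, not real servers.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _tiny(value):
    """True for 0/1 pixel dimensions, the usual size of a tracking beacon."""
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


def find_tracking_images(html):
    """Return (src, reasons) for each image that looks like an open-tracking beacon.

    Heuristics (constructed here, not a standard): a remote http(s) image that
    is tiny, hidden via style, or whose URL carries a query string / long token.
    """
    parser = _ImgCollector()
    parser.feed(html)
    flagged = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue                    # cid: and data: images cannot phone home
        style = img.get("style", "").replace(" ", "").lower()
        reasons = []
        if _tiny(img.get("width", "")) or _tiny(img.get("height", "")):
            reasons.append("1x1")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if url.query or len(url.path.rsplit("/", 1)[-1]) >= 24:
            reasons.append("unique-url")
        if reasons:
            flagged.append((src, reasons))
    return flagged


def received_hops(raw_message):
    """List the Received: headers, outermost (most recent) first, unfolded."""
    msg = message_from_string(raw_message)
    return [" ".join(h.split()) for h in msg.get_all("Received", [])]


# Constructed sample message: two relay hops, one real logo, one beacon.
SAMPLE = """\
Received: from mx.example.invalid (mx.example.invalid [192.0.2.10])
    by inbox.example.invalid with ESMTPS; Thu, 17 Apr 2014 10:00:00 -0400
Received: from mailer.example.invalid ([198.51.100.5])
    by mx.example.invalid with ESMTP; Thu, 17 Apr 2014 09:59:58 -0400
From: newsletter@example.invalid
To: student@example.invalid
Subject: Hello
Content-Type: text/html

<html><body>
<p>Hi there!</p>
<img src="cid:logo.png" width="200" height="60">
<img src="https://track.example.invalid/open?uid=abc123" width="1" height="1" style="display:none">
</body></html>
"""


def analyze(raw_message=SAMPLE):
    """Headers tell you where the mail came from; images tell the sender you read it."""
    msg = message_from_string(raw_message)
    return {"hops": received_hops(raw_message),
            "trackers": find_tracking_images(msg.get_payload())}


if __name__ == "__main__":
    for key, value in analyze().items():
        print(key, value)
```

The "how??" on the slide is answered by the second image: it is invisible, yet the mail client must fetch it from the sender's server to render the message, and the `uid` in its URL tells the server which recipient opened it and when. Clients that block remote images by default break exactly this channel.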
More on authentication

Two-step authentication?
  - banks and other high-security places use it
  - involves a 2nd device: phone calls, texting, password generator device

What's Google Authenticator?
  - Generates a unique password each time
  - That can verify your authenticity (through public-private keys)

What're the best practices in authentication?
  - Use PHP to transmit and store cleartext passwords? Err, no.
  - Standards: OAuth
    - Facebook, Google, Microsoft APIs require it
    - At version 2.0
  - Complementary to OpenID
    - passwordless logins via installing certificates in browser, smart cards, biometrics, etc.
    - private key on the client side; personal URI holds public key
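Two of the slide's points in working code, as an added Python example (not from the slides or from Google): the one-time password that an app such as Google Authenticator generates, and the "not cleartext" way to store the first factor. Google Authenticator implements TOTP (RFC 6238), which derives each code with HMAC from a secret shared between the app and the server, so the functions below only need the standard library; the password-storage format string and the 600,000 PBKDF2 iterations are choices made for this example.

```python
import base64
import hashlib
import hmac
import os
import struct
import time


def hotp(secret, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC over the counter, dynamically truncated to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the Unix time (30 s steps)."""
    for_time = time.time() if for_time is None else for_time
    return hotp(secret, int(for_time // step), digits)


def verify_totp(secret, code, for_time=None, step=30, digits=6, skew=1):
    """Accept the current step and `skew` steps either side for clock drift."""
    for_time = time.time() if for_time is None else for_time
    counter = int(for_time // step)
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), code)
               for d in range(-skew, skew + 1))


def provisioning_secret():
    """Fresh shared secret, base32-encoded as authenticator apps expect it."""
    return base64.b32encode(os.urandom(20)).decode()


def hash_password(password, iterations=600_000):
    """Store a salted PBKDF2-HMAC-SHA256 digest, never the cleartext password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    secret = b"12345678901234567890"     # RFC 6238 test-vector secret, not for real use
    print("code now:", totp(secret))
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
```

A second factor of this kind is only as secret as the shared key: it should be generated with `provisioning_secret()` once, shown to the user a single time, and stored server-side with the same care as a password hash. The PBKDF2 iteration count is deliberately high so that a leaked table of hashes is expensive to brute-force, which is the whole difference between it and "storing cleartext passwords".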
[Heartbleed code walk-through slides: the OpenSSL heartbeat source was shown as an image and is not preserved in this extraction. Slide annotations, in order: "Structure looks fine, even has padding!", "First read type & length:", "Looks right so far:", "Response from Yahoo!:"]
Upcoming episodes
  - Documentation, coding style, sustainability, design patterns
  - Scrum now!