Security and Authentication


Security and Authentication
CS 370 SE Practicum, Cengiz Günay
(Some slides courtesy of Eugene Agichtein and the Internets)
CS 370, Günay (Emory) Security and Authentication Spring 2014 1 / 15

Agenda
Upcoming milestones:
  Today: 4/17: Testing/surveying ends; fix bugs, improve concept
  4/22: Hacking ends; submit survey reports (anonymous)
  4/24: The APPrentice! Final demo to tech transfer and business people. You will be fired!
  5/5: Final deliverables: installation instructions, user documentation, code documentation, package
Security and authentication
  First: Heartbleed caught the internet off guard

Entry/Exit Surveys
Exit survey: JavaScript, AJAX, dynamic web frameworks
  Give a specific example usage of AJAX in a popular web service that you use.
  What do you think is the next step for web computing considering the rapid development of client-side technologies?
Entry survey: Security
  What is the Heartbleed vulnerability?
  How come it wasn't discovered until now?
  How can a programmer make such a mistake?

Security: Heartbleed
Open Source Code: "Given enough eyeballs, all bugs are shallow" - Linus's Law (from The Cathedral and the Bazaar)
Yeah, but OpenSSL fail?
  Programmer submitted buggy code, reviewers didn't catch it either
  The whole world missed it for two years (except the NSA)
  Heartbeat feature was new and not that sensitive
Isn't SSL supposed to be encrypted?
  Yep, it leaked the data securely
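The "programmer mistake" the slide asks about is a missing bounds check: the heartbeat message carries a declared payload length, and the pre-fix code copied that many bytes back regardless of how long the received record was. The following is an added illustration written for this page, not OpenSSL's code; it models the message layout the slides describe (type, two-byte length, payload, padding) in Python, with a constructed `memory` byte string standing in for the heap next to the record buffer, and puts the unchecked parse beside the parse with the length check the fix introduced.

```python
import struct
from typing import Optional, Tuple

# Heartbeat message layout as described on the slides:
# type (1 byte) || payload_length (2 bytes, big-endian) || payload || padding (>= 16 bytes)
HEARTBEAT_REQUEST = 1
MIN_PADDING = 16
HEADER_LEN = 3  # type + 2-byte length


def build_heartbeat(payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request. A well-formed request declares the real payload
    length; a malformed one declares more than it actually carries."""
    if declared_length is None:
        declared_length = len(payload)
    return struct.pack("!BH", HEARTBEAT_REQUEST, declared_length) + payload + b"\x00" * MIN_PADDING


def parse_heartbeat_unchecked(memory: bytes, offset: int) -> bytes:
    """Pre-fix logic: trust the declared length and copy that many bytes from the
    payload start, ignoring how long the received record was. `memory` stands in
    for process memory around the record buffer, so the slice can run past it."""
    hb_type, declared = struct.unpack_from("!BH", memory, offset)
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    start = offset + HEADER_LEN
    return bytes(memory[start:start + declared])


def parse_heartbeat_checked(record: bytes) -> bytes:
    """Fixed logic: header + declared payload + minimum padding must fit inside the
    record the TLS record layer actually delivered; otherwise drop the message."""
    if len(record) < HEADER_LEN:
        raise ValueError("record too short for a heartbeat header")
    hb_type, declared = struct.unpack_from("!BH", record, 0)
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("not a heartbeat request")
    if HEADER_LEN + declared + MIN_PADDING > len(record):
        raise ValueError("declared payload length exceeds record length")
    return record[HEADER_LEN:HEADER_LEN + declared]


def simulate(declared_length: Optional[int]) -> Tuple[bytes, str]:
    """Place a 'ping' heartbeat in a constructed memory image next to an unrelated
    secret and report what the unchecked parser returns and what the checked
    parser decides for the same record."""
    record = build_heartbeat(b"ping", declared_length)
    secret = b"--constructed-secret-session-key--"  # constructed stand-in for heap data
    memory = bytearray(record + secret)
    returned_by_unchecked = parse_heartbeat_unchecked(memory, 0)
    try:
        parse_heartbeat_checked(record)
        verdict = "accepted"
    except ValueError as exc:
        verdict = f"rejected: {exc}"
    return returned_by_unchecked, verdict


if __name__ == "__main__":
    for declared in (None, 60):
        data, verdict = simulate(declared)
        print(f"declared={declared}: unchecked returned {len(data)} bytes; checked {verdict}")
```

The check compares the attacker-controlled length against a length the server itself knows (the record length), which is the general rule: never size a copy from a field inside the data being parsed without reconciling it against the bytes actually received.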

Secure connections: SSL/TLS, HTTPS
How does encryption work? Example: HTTPS: HTTP + SSL/TLS
  Long term public-private keys to establish trust
  Short term session keys to encrypt data
How is trust established?
  Certificate authorities hold public keys
  Owners of certificates encrypt data
  But allows man-in-the-middle (MiM) attacks
Why not use Web of Trust?
  Decentralized PGP system
  Problem: Expiration or lost private keys
  New entries untrusted, possible to create many fake entries with strong trust
When to use HTTPS? Before login? During login authentication? During whole session?
But there was a lot of heartbleed. What now? Not again...
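The slide separates the two jobs of TLS: long-term certificate keys establish trust, short-term session keys encrypt. In client code that distinction shows up as the verification settings of the TLS context, and a man-in-the-middle becomes possible precisely when an application encrypts without verifying. The block below is an added example for this page, not code from the course, using Python's standard `ssl` module: a strict client context, a context that trusts only an organisation's own CA (the bundle path is a caller-supplied assumption), the "just make the warning go away" context that allows MiM, and a review check that tells them apart.

```python
import ssl
from typing import Dict


def strict_client_context() -> ssl.SSLContext:
    """Verify the server certificate chain against the platform CA store, check
    that the certificate matches the hostname, and refuse TLS older than 1.2."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def private_ca_context(ca_bundle_path: str) -> ssl.SSLContext:
    """Trust only the CA whose public key is in `ca_bundle_path` (a hypothetical
    PEM file supplied by the caller) instead of the public CA list. Hostname
    checking stays on: a valid certificate for the wrong name is still wrong."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + check_hostname by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_verify_locations(cafile=ca_bundle_path)
    return ctx


def mitm_prone_context() -> ssl.SSLContext:
    """The setting that allows the MiM attack the slide mentions: the session is
    still encrypted, but any certificate is accepted, so whoever sits on the path
    can present their own key and decrypt everything. Shown so it can be recognised."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_authenticates_server(ctx: ssl.SSLContext) -> bool:
    """Does this context establish trust (long-term keys checked), or only encrypt?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def audit_contexts(contexts: Dict[str, ssl.SSLContext]) -> Dict[str, bool]:
    """Code-review helper: name -> whether the context would detect a MiM."""
    return {name: context_authenticates_server(ctx) for name, ctx in contexts.items()}


if __name__ == "__main__":
    report = audit_contexts({"strict": strict_client_context(), "no-verify": mitm_prone_context()})
    for name, ok in report.items():
        print(f"{name}: {'authenticates server' if ok else 'ENCRYPTS ONLY - MiM possible'}")
```

This also answers the slide's "when to use HTTPS?" question from the client's side: a context like `mitm_prone_context()` gives the appearance of HTTPS during login while providing none of the trust the login depends on, so it should fail code review wherever it appears.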

Cookie Authentication
Authentication steps:
  1. Client authenticates
  2. Server sends session key
  3. Client saves key in cookie and uses it during session
Cookie contents: domain + data + expiration date
Cookies? MiM: Can somebody else act as you if they had your cookie?
  Solutions: Cookie expiration, flushing cookies, disabling cookies.
Cross site logins? How do the like buttons on non-facebook sites work?
  Multiple iframe elements can fetch pages from across domains (i.e. access different cookies)
  Google AdSense: cross-site ads uses cookies
  Helps NSA track you
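The three steps on the slide, together with the expiration and flushing defences it lists, map onto a small amount of server code. The block below is an added example for this page (not from the course), using only the Python standard library: the server mints a random session key after authentication, records who it belongs to and when it expires, emits the Set-Cookie line with the domain and expiration the slide names plus the Secure, HttpOnly and SameSite attributes, and resolves later requests from their Cookie header. The domain name and the clock are constructed for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie
from typing import Callable, Dict, Optional, Tuple

SESSION_TTL_SECONDS = 30 * 60     # expiration bounds how long a stolen cookie is useful
COOKIE_NAME = "session"
COOKIE_DOMAIN = "app.example.test"  # constructed domain for the example


class SessionStore:
    """Server-side record of issued session keys. The cookie carries only the
    random key; identity and expiry live here, so the server decides validity."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable so expiry can be exercised without waiting
        self._sessions: Dict[str, Tuple[str, float]] = {}

    def issue(self, user: str) -> str:
        """Step 2: after the client authenticated, mint an unguessable session key."""
        key = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[key] = (user, self._clock() + SESSION_TTL_SECONDS)
        return key

    def lookup(self, key: str) -> Optional[str]:
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[key]  # expired keys are forgotten on first sight
            return None
        return user

    def revoke(self, key: str) -> None:
        """Server-side 'flushing': logout, or response to a suspected stolen cookie."""
        self._sessions.pop(key, None)


def set_cookie_header(key: str) -> str:
    """Step 3: the Set-Cookie line. Secure keeps the key off plain HTTP (the MiM
    question on the slide), HttpOnly keeps it away from page scripts, SameSite=Lax
    stops cross-site requests from carrying it, Max-Age mirrors the server expiry."""
    jar = SimpleCookie()
    jar[COOKIE_NAME] = key
    morsel = jar[COOKIE_NAME]
    morsel["domain"] = COOKIE_DOMAIN
    morsel["path"] = "/"
    morsel["max-age"] = SESSION_TTL_SECONDS
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    return jar.output(header="Set-Cookie:")


def authenticate_request(store: SessionStore, cookie_header: str) -> Optional[str]:
    """Resolve the user behind an incoming Cookie header; None if the cookie is
    absent, unknown, revoked or expired."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if COOKIE_NAME not in jar:
        return None
    return store.lookup(jar[COOKIE_NAME].value)


if __name__ == "__main__":
    store = SessionStore()
    key = store.issue("alice")          # step 1 (password check) assumed to have passed
    print(set_cookie_header(key))
    print(authenticate_request(store, f"{COOKIE_NAME}={key}"))
```

Note what expiration does and does not buy: an attacker who holds the cookie can act as the user until it expires or is revoked, which is why the session key must be random (not derived from the username), must only ever travel over HTTPS, and why logout should call `revoke` rather than merely deleting the cookie in the browser.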

Hacking: Email Tracking
Track people via emails?
  Email header codes (look at your Gmail headers!)
  Visible/invisible images (how??)
Anonymous emails? demo phishing (only for the gullible)

More on authentication
Two-step authentication?
  banks and other high-security places use it
  involves a 2nd device: phone calls, texting, password generator device
What's Google Authenticator?
  Generates a unique password each time
  That can verify your authenticity (through public-private keys)
What're the best practices in authentication?
  Use PHP to transmit and store cleartext passwords? Err, no.
  Standards: OAuth
    Facebook, Google, Microsoft APIs require it
    At version 2.0
  Complementary to OpenID
    passwordless logins via installing certificates in browser, smart cards, biometrics, etc.
    private key on the client side; personal URI holds public key
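Two points on this slide are worth seeing in code: the "unique password each time" that a generator app produces, and the answer to "store cleartext passwords? Err, no." The block below is an added example for this page, not code from the course or from Google. It implements the time-based one-time password of RFC 6238, which authenticator apps use: the app and the server share a secret, and each code is an HMAC-SHA1 of the current 30-second counter truncated to six digits (the RFC's own test vector, secret `12345678901234567890` at time 59, yields 94287082). It pairs that with PBKDF2 salted password hashing and a constant-time comparison, and ties both into one two-factor login on a constructed in-memory account table.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional

PBKDF2_ITERATIONS = 200_000
TOTP_STEP_SECONDS = 30
TOTP_DIGITS = 6


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store salt + slow PBKDF2-HMAC-SHA256 digest, never the password itself."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))  # constant-time compare


def totp(secret: bytes, for_time: int, digits: int = TOTP_DIGITS, step: int = TOTP_STEP_SECONDS) -> str:
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side to absorb clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * TOTP_STEP_SECONDS)
        if hmac.compare_digest(expected, code):
            return True
    return False


class AccountStore:
    """Constructed in-memory user table for the example."""

    def __init__(self) -> None:
        self._users: Dict[str, Dict[str, object]] = {}

    def register(self, username: str, password: str) -> str:
        """Returns the base32 secret the user provisions into the authenticator app."""
        secret = secrets.token_bytes(20)
        self._users[username] = {"pw": hash_password(password), "totp": secret}
        return base64.b32encode(secret).decode()

    def login(self, username: str, password: str, code: str, now: Optional[int] = None) -> bool:
        """Both factors must pass: something you know and something you have."""
        record = self._users.get(username)
        if record is None:
            hash_password(password, salt=b"\x00" * 16)  # same cost for unknown users (timing)
            return False
        if now is None:
            now = int(time.time())
        return verify_password(password, record["pw"]) and verify_totp(record["totp"], code, now)


if __name__ == "__main__":
    accounts = AccountStore()
    provisioned = accounts.register("alice", "correct horse battery staple")
    print("provision this secret in the app:", provisioned)
    secret = base64.b32decode(provisioned)
    print("login ok:", accounts.login("alice", "correct horse battery staple", totp(secret, int(time.time()))))
```

Two things the code makes concrete that the slide leaves implicit: the second factor here rests on a shared secret, so the server must protect its copy as carefully as a password hash, and the password check must run at full cost even for unknown usernames so that response time does not reveal which accounts exist.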

Heartbleed code walkthrough (slide captions):
  Structure looks fine, even has padding!
  Response from Yahoo!:
  First read type & length:
  Looks right so far:

Upcoming episodes
  Documentation, coding style, sustainability, design patterns
  Scrum now!