1. Information System SecurityInformation System Security
Lectures 7 and 8Lectures 7 and 8
Web SecurityWeb Security

2. 22
ReferencesReferences
[1] Google Code for Educator: Sample Course Content, Web[1] Google Code for Educator: Sample Course Content, Web
Security.Security.
http://code.google.com/edu/content/submissions/web_secuhttp://code.google.com/edu/content/submissions/web_secu
..
[2][2] Network security, The complete ReferenceNetwork security, The complete Reference. R. Bragg, M.. R. Bragg, M.
Rhodes-Ousley, K. Strassberg. McGraw-Hill Osborne,Rhodes-Ousley, K. Strassberg. McGraw-Hill Osborne,
2004.2004.

3. 33
OutlineOutline
1.1. Web SystemWeb System
2.2. Web System SecurityWeb System Security
3.3. Simple Web ServerSimple Web Server
4.4. Web Server SecurityWeb Server Security
5.5. Web Browser SecurityWeb Browser Security
6.6. Web Application SecurityWeb Application Security
7.7. Communication SecurityCommunication Security

4. 44
1. Web System1. Web System
 Generic web application work flow diagram:Generic web application work flow diagram:

5. 55
Web SystemWeb System
Web
Browser
HTML forms,
Java, Cookies,
JavaScript,
VBScript,
Plug-ins, etc.
http request
Web
Server
Web
Application
CGI, Java
Servlets,
ASP, SSI,
J2EE, PHP,
etc.
Web
Server
Resources
Applications
http reply
http/SSL/
TCP/IP

6. 66
2. Web System Security2. Web System Security
1.1. Web Server SecurityWeb Server Security
2.2. Web Browser SecurityWeb Browser Security
3.3. Web Application SecurityWeb Application Security
4.4. Channel SecurityChannel Security

7. 77
3. Simple Web Server3. Simple Web Server **
 To illustrate what can go wrong if we do not design for securityTo illustrate what can go wrong if we do not design for security
in our web applications from the start, consider a simple webin our web applications from the start, consider a simple web
server implemented in Java.server implemented in Java.
 All this program does is serve documents using HTTP.All this program does is serve documents using HTTP.
 We will walkthrough the code in the following slides.We will walkthrough the code in the following slides.
 This web server only supports simple HTTP GET requests.This web server only supports simple HTTP GET requests.
** Slides 7-17 taken from [1]Slides 7-17 taken from [1]

8. 88
Some Preliminaries…Some Preliminaries…
 ((HHyperyperTTextext TTransferransfer PProtocol): The communications protocolrotocol): The communications protocol
used to connect to servers on the Web.used to connect to servers on the Web.
 Its primary function is to establish a connection with a WebIts primary function is to establish a connection with a Web
server and transmit HTML pages to the client browser or anyserver and transmit HTML pages to the client browser or any
other files required by an HTTP application.other files required by an HTTP application.
 http is stateless (ie, request/reply)http is stateless (ie, request/reply)
 Addresses of Web sites begin with anAddresses of Web sites begin with an http://http:// prefix.prefix.

9. 99
Some Preliminaries…Some Preliminaries…
 A typical HTTP request that a browser makes to a webA typical HTTP request that a browser makes to a web
server:server:
Get / HTTP/1.0Get / HTTP/1.0
 When the server receives this request for filename / (whichWhen the server receives this request for filename / (which
means themeans the rootroot document on the web server), it attemptsdocument on the web server), it attempts
to load index.html. It sends back:to load index.html. It sends back:
HTTP/1.0 200 OKHTTP/1.0 200 OK
followed by the document contents.followed by the document contents.

10. 1010
SimpleWebServer: main()SimpleWebServer: main()
/* This method is called when the program is run from the/* This method is called when the program is run from the
command line. */command line. */
public static void main (String argv[]) throws Exception {public static void main (String argv[]) throws Exception {
/* Create a SimpleWebServer object, and run it *//* Create a SimpleWebServer object, and run it */
SimpleWebServer sws = new SimpleWebServer();SimpleWebServer sws = new SimpleWebServer();
sws.run();sws.run();
}}

11. 1111
SimpleWebServer ClassSimpleWebServer Class
public class SimpleWebServer {public class SimpleWebServer {
/* Run the HTTP server on this TCP port. *//* Run the HTTP server on this TCP port. */
private static final int PORT = 8080;private static final int PORT = 8080;
/* The socket used to process incoming connections/* The socket used to process incoming connections
from web clients */from web clients */
private static ServerSocket dServerSocket;private static ServerSocket dServerSocket;
public SimpleWebServer () throws Exception {public SimpleWebServer () throws Exception {
dServerSocket = new ServerSocket (PORT);dServerSocket = new ServerSocket (PORT);
}}
public void run() throws Exception {public void run() throws Exception {
while (true) {while (true) {
/* wait for a connection from a client *//* wait for a connection from a client */
Socket s = dServerSocket.accept();Socket s = dServerSocket.accept();
/* then process the client's request *//* then process the client's request */
processRequest(s);processRequest(s);
}}
}}

12. 1212
SimpleWebServer: processRequest 1SimpleWebServer: processRequest 1
/* Reads the HTTP request from the client, and/* Reads the HTTP request from the client, and
responds with the file the user requested orresponds with the file the user requested or
a HTTP error code. */a HTTP error code. */
public void processRequest(Socket s) throwspublic void processRequest(Socket s) throws
Exception {Exception {
/* used to read data from the client *//* used to read data from the client */
BufferedReader br =BufferedReader br =
new BufferedReader (new InputStreamReadernew BufferedReader (new InputStreamReader
(s.getInputStream()));(s.getInputStream()));
/* used to write data to the client *//* used to write data to the client */
OutputStreamWriter osw =OutputStreamWriter osw =
new OutputStreamWriter (s.getOutputStream());new OutputStreamWriter (s.getOutputStream());

13. 1313
SimpleWebServer: processRequest 2SimpleWebServer: processRequest 2
/* read the HTTP request from the client *//* read the HTTP request from the client */
String request = br.readLine();String request = br.readLine();
String command = null;String command = null;
String pathname = null;String pathname = null;
/* parse the HTTP request *//* parse the HTTP request */
StringTokenizer st =StringTokenizer st =
new StringTokenizer (request, " ");new StringTokenizer (request, " ");
command = st.nextToken();command = st.nextToken();
pathname = st.nextToken();pathname = st.nextToken();

14. 1414
SimpleWebServer: processRequest 3SimpleWebServer: processRequest 3
if (command.equals("GET")) {if (command.equals("GET")) {
/* if the request is a GET/* if the request is a GET
try to respond with the filetry to respond with the file
the user is requesting */the user is requesting */
serveFile (osw,pathname);serveFile (osw,pathname);
}}
else {else {
/* if the request is a NOT a GET,/* if the request is a NOT a GET,
return an error saying this serverreturn an error saying this server
does not implement the requested command */does not implement the requested command */
osw.write ("HTTP/1.0 501 Notosw.write ("HTTP/1.0 501 Not
Implementednn");Implementednn");
}}
/* close the connection to the client *//* close the connection to the client */
osw.close();osw.close();

15. 1515
SimpleWebServer:SimpleWebServer:
serveFile 1serveFile 1
public void serveFile (OutputStreamWriter osw,public void serveFile (OutputStreamWriter osw,
String pathname) throws Exception {String pathname) throws Exception {
FileReader fr=null;FileReader fr=null;
int c=-1;int c=-1;
StringBuffer sb = new StringBuffer();StringBuffer sb = new StringBuffer();
/* remove the initial slash at the beginning/* remove the initial slash at the beginning
of the pathname in the requestof the pathname in the request */*/
if (pathname.charAt(0)=='/')if (pathname.charAt(0)=='/')
pathname=pathname.substring(1);pathname=pathname.substring(1);
/* if there was no filename specified by the/* if there was no filename specified by the
client, serve the "index.html" file */client, serve the "index.html" file */
if (pathname.equals(""))if (pathname.equals(""))
pathname="index.html";pathname="index.html";

16. 1616
SimpleWebServer:SimpleWebServer:
serveFile 2serveFile 2
/* try to open file specified by pathname *//* try to open file specified by pathname */
try {try {
fr = new FileReader (pathname);fr = new FileReader (pathname);
c = fr.read();c = fr.read();
}}
catch (Exception e) {catch (Exception e) {
/* if the file is not found,return the/* if the file is not found,return the
appropriate HTTP response code */appropriate HTTP response code */
osw.write ("HTTP/1.0 404 Not Foundnn");osw.write ("HTTP/1.0 404 Not Foundnn");
return;return;
}}

17. 1717
SimpleWebServer:SimpleWebServer:
serveFile 3serveFile 3
/* if the requested file can be/* if the requested file can be
successfully opened and read, then returnsuccessfully opened and read, then return
an OK response code and send the contentsan OK response code and send the contents
of the file */of the file */
osw.write ("HTTP/1.0 200 OKnn");osw.write ("HTTP/1.0 200 OKnn");
while (c != -1) {while (c != -1) {
sb.append((char)c);sb.append((char)c);
c = fr.read();c = fr.read();
}}
osw.write (sb.toString());osw.write (sb.toString());

18. 1818
SimpleWebServerSimpleWebServer
VulnerabilitiesVulnerabilities
 Can you identify any security vulnerabilities inCan you identify any security vulnerabilities in
SimpleWebServer? Or what can go wrong?SimpleWebServer? Or what can go wrong?
 Yes:Yes: Denial of Service (DoS):Denial of Service (DoS):
– An attacker makes a web server unavailable, butAn attacker makes a web server unavailable, but
– How?How?
 DoS on SimpleWebServer:DoS on SimpleWebServer:
– Just send a carriage return as the first message instead of a properlyJust send a carriage return as the first message instead of a properly
formatted GET message…formatted GET message…
– The web server crashesThe web server crashes
– Service to all subsequent clients is denied until the web server is restartedService to all subsequent clients is denied until the web server is restarted

19. 1919
4. Web Server Security:4. Web Server Security:
OverviewOverview
 Consider the following HTML code:Consider the following HTML code:
<html><html>
<head><head>
<title> Hello world </title><title> Hello world </title>
</head></head>
</html></html>
 Attackers can try 2 strategies to penetrate the web server hostingAttackers can try 2 strategies to penetrate the web server hosting
this HTML code:this HTML code:
– Exploit web application insecurityExploit web application insecurity
 there no Exploit in this codethere no Exploit in this code
– Hacking web server itselfHacking web server itself
 See the SimpleWebServer : DoS attackSee the SimpleWebServer : DoS attack

20. 2020
Web Server Security: Goals ofWeb Server Security: Goals of
server attacksserver attacks
1.1. Web site defacementWeb site defacement
– Corruption of the HTML code.Corruption of the HTML code.
– Example: Next slideExample: Next slide
1.1. Data CorruptionData Corruption
– Any data on the server can be deleted or modified.Any data on the server can be deleted or modified.
1.1. Data TheftData Theft
– eg, credit card number stolen from ecommerce site.eg, credit card number stolen from ecommerce site.
1.1. Denial of serviceDenial of service
– Clients are no more served.Clients are no more served.

21. 2121
http://www.syria-news.com

22. 2222
Web Server Security: Types ofWeb Server Security: Types of
attacksattacks
1.1. Directory traversalDirectory traversal
2.2. Script permissionsScript permissions
3.3. Directory BrowsingDirectory Browsing
4.4. Default samplesDefault samples

23. 2323
Web Server Security: Types ofWeb Server Security: Types of
attacksattacks
1.1. Directory traversalDirectory traversal
– Is a method for accessing directories other than the allowed ones.Is a method for accessing directories other than the allowed ones.
– In Microsoft’s IIS, if the OS XP is installed on drive c: and adminstratorIn Microsoft’s IIS, if the OS XP is installed on drive c: and adminstrator
didn’t change the directory name, the default web site directory isdidn’t change the directory name, the default web site directory is
c:inetpubc:inetpub
– Attackers can read file they are not meant to. For exampleAttackers can read file they are not meant to. For example
 If the attacker tryIf the attacker try http://www.somesite.com/../autoexec.bathttp://www.somesite.com/../autoexec.bat then the server
may return the content of autoexec.bat.

24. 2424
Web Server Security: Types ofWeb Server Security: Types of
attacksattacks
2.2. Script permissionsScript permissions
 In order to run server-side applications (eg, CGI, Perl, etc.),In order to run server-side applications (eg, CGI, Perl, etc.),
administrator must grant executable permission to the directory whereadministrator must grant executable permission to the directory where
these applications reside.these applications reside.
 What happens if the admin grand permissions to the wrong directory?What happens if the admin grand permissions to the wrong directory?
 Example: if the admin grants executable permission to c: then whatExample: if the admin grants executable permission to c: then what
happens if the attacker tryhappens if the attacker try
http://www.somesite.com/../Windows/system32/cmd.exe%20%2fc%20dirhttp://www.somesite.com/../Windows/system32/cmd.exe%20%2fc%20dir

25. 2525
Web Server Security: Types ofWeb Server Security: Types of
attacksattacks
 The web server parse the request and executeThe web server parse the request and execute
../windows/system32/cmd.exe /c dir../windows/system32/cmd.exe /c dir
ie, listing all files in the current directory.ie, listing all files in the current directory.
– Attacker can execute commands that delete or modify files on the webAttacker can execute commands that delete or modify files on the web
server.server.
3.3. Directory BrowsingDirectory Browsing
 If Directory browsing is enabled attacker, can browse that directory andIf Directory browsing is enabled attacker, can browse that directory and
its subdirectories.its subdirectories.
 Knowledge of the existence of some file can help attacker launching anKnowledge of the existence of some file can help attacker launching an
attack.attack.

26. 2626
Web Server ProtectionWeb Server Protection
1.1. Run web server service with Least privileges.Run web server service with Least privileges.
2.2. Install most recent security patches of server software.Install most recent security patches of server software.
3.3. Install most recent security patches of OS.Install most recent security patches of OS.
4.4. Secure other network services running on the same machine.Secure other network services running on the same machine.
5.5. Delete unneeded applications.Delete unneeded applications.
6.6. Grant script permissions only to isolated directory containingGrant script permissions only to isolated directory containing
the scripts in question.the scripts in question.
7.7. Maintain adequate logs and backups..Maintain adequate logs and backups..
8.8. Secure your web server using third-party security products:Secure your web server using third-party security products:
antiviruses, Firewalls, vulnerabilities scanners, input validation,antiviruses, Firewalls, vulnerabilities scanners, input validation,
etc.etc.

27. 2727
5. Web browser Security5. Web browser Security
 Browser sends requests
– May reveal private information (in forms, cookies)
– Also sends other information that may be damaging:
 IP address
 OS
 Browser version/type, etc.
 Browser receives information, code
– May corrupt hosts by running unsafe code
– Information may exercise a bug in the browser allowing arbitrary
remote code execution.

28. 2828
Web browser SecurityWeb browser Security
 Cookies
– Cookie mechanism
 Mobile code
– Java applet
– JavaScript
– VBScript

29. 2929
Web browser Security:Web browser Security:
CookiesCookies
 HTTP is stateless. This causes problems in a lot of transactions that
need a concept of a “session”:
– A customer wants to purchase an item online.
– A customer logs onto their bank to pay bills
– Sites like Yahoo allow users to customize their view of the portal
– As the user jumps from web page to web page, the server can’t keep track
of whether it’s the same user, or another user requesting the same page
– Servers use cookies to keep track of their users.
 A cookie is a file created by an Internet site to store information on
your computer
– Once a cookie is saved on your computer, only the Web site that created
the cookie can read it.
– Example: google’s cookie

30. 3030
Web browser Security:Web browser Security:
CookiesCookies
 PREF
ID=186f76e084b84d56:TM=1193982844:LM=1193982844:S=O8OM9
yhkCkr98Ej_
google.co.uk/
1536 //3081004544 // 30038711 //2452507808 // 29891852
*
 Problems
– Cookies maintain record of your browsing habits
 May include any information a web site knows about you
– Browser attacks could invade your “privacy”
– Stealing someone’s cookies may allow attacker to impersonate the victim:
 Session hijacking

31. 3131
Web browser Security: MobileWeb browser Security: Mobile
CodeCode
 Mobile code runs on clients’ machine.Mobile code runs on clients’ machine.
 It’s an executable content (eg, applets).It’s an executable content (eg, applets).
 Things to do:Things to do:
– Protect machine from downloaded code.Protect machine from downloaded code.
– Needs protection from content providers.Needs protection from content providers.
 Normal users are asked to make security decisions /policies.Normal users are asked to make security decisions /policies.
Web
browser
Web
Server
executes
applet
Mobile Code
(eg, applet)

32. 3232
6. Web application Security6. Web application Security
1.1. SQL injectionSQL injection
1.1. Common Gateway InterfaceCommon Gateway Interface

33. 3333
SQL injectionSQL injection
 SQL (Structured Query Language) is a language thatSQL (Structured Query Language) is a language that
Communicates with DBs, Example:Communicates with DBs, Example:
– Select * from Users where username =’admin’ andSelect * from Users where username =’admin’ and
password = ‘somepasswd’password = ‘somepasswd’
– Looks for user whose username = admin and password = somepasswdLooks for user whose username = admin and password = somepasswd
 SQL injection is a technique to inject crafted SQL into user inputSQL injection is a technique to inject crafted SQL into user input
fields that are a part of web forms, can be used to:fields that are a part of web forms, can be used to:
– bypass custom login to a web site,bypass custom login to a web site,
– Log in to a web site, orLog in to a web site, or
– take over a sitetake over a site

34. 3434
SQL injection: Simple loginSQL injection: Simple login
bypassingbypassing
 Consider the following web site’s login form:Consider the following web site’s login form:
……
<form action = “login.asp” method = “post”><form action = “login.asp” method = “post”>
<p> Username:<input type=text name= “username” /> </p><p> Username:<input type=text name= “username” /> </p>
<p> Password:<input type=password name= “password” /><p> Password:<input type=password name= “password” />
</p></p>
<p> <input type=submit name= “submit” value=”login” /><p> <input type=submit name= “submit” value=”login” />
</p></p>
</form></form>
……
– It’s a web page that requests 2 pieces of information from the user usernameIt’s a web page that requests 2 pieces of information from the user username
and password and it submits the information in the fields to login.asp (writtenand password and it submits the information in the fields to login.asp (written
in asp)in asp)

35. 3535
SQL injection: Simple loginSQL injection: Simple login
bypassingbypassing
 The file login.asp:The file login.asp:
Dim adoConnectionDim adoConnection
SetSet
adoConnection=server.CreateObject(“ADODB.ConnectiadoConnection=server.CreateObject(“ADODB.Connecti
on”)on”)
……
Dim strLoginSQLDim strLoginSQL
strLoginSQL=”select * from users where username =”strLoginSQL=”select * from users where username =”
& Request.Form (“username”) & “ ‘ and password =’& Request.Form (“username”) & “ ‘ and password =’
“ & Request.Form(“password”) & “ ‘ ““ & Request.Form(“password”) & “ ‘ “
Dim adoResultDim adoResult
Set adoResult=adoConnection.Execute(strLoginSQL)Set adoResult=adoConnection.Execute(strLoginSQL)
If not adoResult.EOF ThenIf not adoResult.EOF Then
‘‘We are here all went okWe are here all went ok
ElseElse
‘‘Wrong loginWrong login
End IfEnd If

36. 3636
SQL injection: Simple loginSQL injection: Simple login
bypassingbypassing
 If the user entersIf the user enters adminadmin as a username andas a username and adminpasswdadminpasswd, the, the
following sql command is constructed:following sql command is constructed:
Select * from users where username =’admin’ andSelect * from users where username =’admin’ and
password = ‘adminpasswd’password = ‘adminpasswd’
 The username and password are placed inside the SQL string,The username and password are placed inside the SQL string,
but without any checks:but without any checks:
– What happens if an attacker enter ‘a’ or “1”=“1” as a username and anyWhat happens if an attacker enter ‘a’ or “1”=“1” as a username and any
password?password?
– The resulting SQL string is:The resulting SQL string is:
Select * from users where username =Select * from users where username = ‘a’ or‘a’ or
“1”=“1” -- ’“1”=“1” -- ’ and password = ‘anypassword’and password = ‘anypassword’
– This code will return data because “1”=“1”This code will return data because “1”=“1”
– the attacker bypass the login.the attacker bypass the login.

37. 3737
SQL injectionSQL injection
 Worse!Worse!
– The attacker can use built-in procedures to read or write files, or to invokeThe attacker can use built-in procedures to read or write files, or to invoke
programs in the database computerprograms in the database computer
– For example theFor example the xp_cmdshellxp_cmdshell stored procedure invokes shell commandsstored procedure invokes shell commands
on the server’s computer likeon the server’s computer like dir, copy, renamedir, copy, rename, etc., etc.
– From the last example, a hacker can enter some username as a username andFrom the last example, a hacker can enter some username as a username and
a’exec master..xp_cmdshell ‘dela’exec master..xp_cmdshell ‘del
c:winntsystem32*.dll’c:winntsystem32*.dll’ as a passwordas a password ..
 This will cause the database to delete all DLLs in the specified directory.This will cause the database to delete all DLLs in the specified directory.

38. 3838
SQL injection: SolutionsSQL injection: Solutions
 Filter all input fields for apostrophes to prevent unauthorizedFilter all input fields for apostrophes to prevent unauthorized
loginslogins
 Filter all input fields for SQL commands likeFilter all input fields for SQL commands like insert,insert,
select, deleteselect, delete, and, and execexec to prevent server manipulationto prevent server manipulation
 Limit input field length (which will limit hackers’ options), andLimit input field length (which will limit hackers’ options), and
validate the input length with server-side scripts.validate the input length with server-side scripts.
 Place the database on a different computer than the web server.Place the database on a different computer than the web server.
– If the database is hacked, it’ll be harder to reach the web server.If the database is hacked, it’ll be harder to reach the web server.
 Limit the user privileges of the server-side scripts.Limit the user privileges of the server-side scripts.
 Delete all unneeded extended stored procedures to limit hackers’Delete all unneeded extended stored procedures to limit hackers’
possibilities.possibilities.

39. 3939
Common Gateway InterfaceCommon Gateway Interface
 Common Gateway Interface (CGI)Common Gateway Interface (CGI)
– meta-language for translating URLs or HTML forms into executablemeta-language for translating URLs or HTML forms into executable
programs.programs.
 An attacker may exploit bugs in CGI scripts to gain unauthorized
access to files on the web server, or even to take control of the
host.
 CGI scripts can present security holes in two ways:
– they may intentionally or unintentionally leak information about the host
system that will help hackers break in.
– Scripts that process user input may be vulnerable to attacks in which the
remote user tricks them into executing commands (always remember:
“user input is evil”).

40. 4040
7. Communication Security7. Communication Security
 VulnerabilitiesVulnerabilities
– Tapping or eavesdropping:Tapping or eavesdropping: occurs when a device is placed near or intooccurs when a device is placed near or into
the cabling.the cabling.
– Sniffing: usingSniffing: using Sniffers ( special programs) in order to eavesdrop on theSniffers ( special programs) in order to eavesdrop on the
network traffic.network traffic.
– IP spoofing:IP spoofing:
 An attacker can place any IP address as the source address of an IPAn attacker can place any IP address as the source address of an IP
datagram, so can be dangerous to base access control decisions ondatagram, so can be dangerous to base access control decisions on
raw IP addresses alone.raw IP addresses alone.
 An attacker may be able to replay, delay, reorder, modifiy or inject IPAn attacker may be able to replay, delay, reorder, modifiy or inject IP
datagrams.datagrams.
– DNS spoofing: DNS server is lured to translate names (eg,DNS spoofing: DNS server is lured to translate names (eg,
www.scs-net.orgwww.scs-net.org) into attackers’ IP addresses.) into attackers’ IP addresses.
 Communication Protection: SSLCommunication Protection: SSL

41. 4141
SSLSSL
 Secure Sockets LayerSecure Sockets Layer (SSL) was developed (in 1994) by(SSL) was developed (in 1994) by
Netscape Corporation to provide security between web clientNetscape Corporation to provide security between web client
and server.and server.
 SSL designed to be under HTTP:SSL designed to be under HTTP:
– HTTP | SSL | TCPHTTP | SSL | TCP
 SSL permits:SSL permits:
– Authentication of peer entitiesAuthentication of peer entities
– Exchange of secret keysExchange of secret keys
– Use of exchanged keys to authenticate and encrypt transmitted dataUse of exchanged keys to authenticate and encrypt transmitted data
between communicating peer entities.between communicating peer entities.

42. 4242
SSL ArchitectureSSL Architecture
 SSL consists of two sublayers:SSL consists of two sublayers:
– SSL Record Protocol: provide security services to higher-layer protocolsSSL Record Protocol: provide security services to higher-layer protocols
(in particular, HTTP) including SSL management protocols.(in particular, HTTP) including SSL management protocols.
– SSL Management protocols: Handshake, Cipher Change, and AlertSSL Management protocols: Handshake, Cipher Change, and Alert
ProtocolsProtocols
SSL Architecture

43. 4343
SSL Record ProtocolSSL Record Protocol
 The SSL Record Protocol uses the keys derived from the HandshakeThe SSL Record Protocol uses the keys derived from the Handshake
Protocol’s master key to securely deliver data.Protocol’s master key to securely deliver data.
 Provides two security functions:Provides two security functions:
– Confidentiality and Message IntegrityConfidentiality and Message Integrity
Data
Compression
(optional)
Encrypt
Record protocol
Header
fragment fragment fragmentFragmentation
To be transmitted in a
TCP segment
MAC

44. 4444
SSL Record ProtocolSSL Record Protocol
 Protected data : SSL Record protocol allows applicationProtected data : SSL Record protocol allows application
protocols above SSL to be secured.protocols above SSL to be secured.
 Fragmentation: messages are broken into blocksFragmentation: messages are broken into blocks
 Compression: optionalCompression: optional
– Compression algorithm is not specifiedCompression algorithm is not specified
 MAC: computed over compressed data.MAC: computed over compressed data.
– SSL MAC is similar to HMACSSL MAC is similar to HMAC
– MAC key is derived from the master key.MAC key is derived from the master key.
 Encryption may be stream or block mode.Encryption may be stream or block mode.
– Symmetric encryption is usedSymmetric encryption is used
– There are only a limited selection of ciphers and MAC algorithms thatThere are only a limited selection of ciphers and MAC algorithms that
are allowed (eg, DES, 3DES, IDEA, RC4, etc)are allowed (eg, DES, 3DES, IDEA, RC4, etc)

45. 4545
SSL Handshake ProtocolSSL Handshake Protocol
 Used to allow the server and client toUsed to allow the server and client to
– authenticate each other using certificates,authenticate each other using certificates,
– negotiate encryption and MAC algorithms, andnegotiate encryption and MAC algorithms, and
– establish keys to be used to protect data sent in SSL Record.establish keys to be used to protect data sent in SSL Record.
 Used before any application data is transmitted.Used before any application data is transmitted.

46. 4646
S-HTTPS-HTTP
 Secure HTTP (S-HTTP) is a superset of HTTP with securitySecure HTTP (S-HTTP) is a superset of HTTP with security
support.support.
 Created in 1994 by Enterprise Integration Technology (EIT)Created in 1994 by Enterprise Integration Technology (EIT)
 Adopted by IETF as RFC 2660.Adopted by IETF as RFC 2660.
 Allows message to be encapsulated in various ways (message-Allows message to be encapsulated in various ways (message-
oriented).oriented).
 Encapsulation for encryption, signing and MACEncapsulation for encryption, signing and MAC
 Not widely used (not supported by Internet explorer orNot widely used (not supported by Internet explorer or
Netscape)Netscape)