Topic 3 – Web Security Network Security and Cryptography

Network Security and

Cryptography

Topic 3:
Web Security

V2.0 © NCC Education Limited

Network Security and

Cryptography

Topic 3 – Lecture 1:
Web Security and IPSEC

V2.0 © NCC Education Limited

Web Security Topic 3 - 3.3

Scope and Coverage

This topic will cover:
• Overview of web security
• IPSEC
• SSL/TLS
• HTTPS

V2.0 © NCC Education Limited

V1.0 Visuals Handout – Page 1

Topic 3 – Web Security Network Security and Cryptography

Web Security Topic 3 - 3.4

Learning Outcomes
By the end of this topic students will be able to:
• Explain the concept of web security with SSL/TLS
• Demonstrate applying for and deploying a Digital
Certificate

V2.0 © NCC Education Limited

Web Security Topic 3 - 3.5

Web Security
• The Web presents us with some security issues that
may not be present in other networks:
- Two-way systems
- Multiple types of communication
- Importance to business
- Complex software
- Multiple connections to a server
- Untrained users

V2.0 © NCC Education Limited

Web Security Topic 3 - 3.6

Two-way Systems
• The Web works on a client-server model that allows
communication in both directions:
- Server sends files to clients
- Clients send files to servers

• Servers must be protected from malicious content

uploaded by clients:
- Deliberate upload
- Accidental upload, e.g. unwittingly uploading an
infected file

V2.0 © NCC Education Limited

V1.0 Visuals Handout – Page 2

Topic 3 – Web Security Network Security and Cryptography

Web Security Topic 3 - 3.7

Multiple Types of Communication

• The web does not deal with a limited small number
of file types:
- Text
- Image
- Video
- Sound …

• The web delivers real-time content.

• Multiple file types = multiple security threats

V2.0 © NCC Education Limited

Web Security Topic 3 - 3.8

Importance to Business
• Used to supply corporate information
• Used to supply product/service information
• Used for business transactions including financial
transactions
- banking, online shops, ordering systems, etc.
• If web servers are compromised, there may be very
serious consequences to a business.
- Loss of money & trade
- Loss of reputation

V2.0 © NCC Education Limited

Web Security Topic 3 - 3.9

Complex Software
• Servers are relatively easy to set up and configure.
• It is simple to create web content.
- Even complex looking web applications are often
simple to create
• This simplicity is made possible by complex
underlying software.
• Complex software often has undetected security
holes.
- You can be sure that someone will detect them!

V2.0 © NCC Education Limited

V1.0 Visuals Handout – Page 3

Topic 3 – Web Security Network Security and Cryptography

Web Security Topic 3 - 3.10

Multiple Connections
• The Web works because there are multiple
connections to a server.
• Different servers are connected to each other.
• What happens if a server is subverted and a
malicious attacker gains control?
- How many clients will be affected?
- How many other servers will be affected?
• An attack could have widespread consequences.

V2.0 © NCC Education Limited

10

Web Security Topic 3 - 3.11

Untrained Users
• The Web is used by many, many clients with no
training or understanding of security issues.
- How many people surf the Internet without antivirus
software?
- Add in the people who have out of date virus
definitions
• Many people do not have the tools or knowledge to
deal with threats on the Web.
• These same people will be interacting with servers
around the world.

V2.0 © NCC Education Limited

11

Web Security Topic 3 - 3.12

Traffic Security
• Maintaining the security of a server as a piece of
hardware is not fundamentally different to general
computer security.

• We will concentrate on the security of Web traffic

- At the Network level (IPSec)
- At the Transport level (SSL/TLS)

V2.0 © NCC Education Limited

12

V1.0 Visuals Handout – Page 4

Topic 3 – Web Security Network Security and Cryptography

Web Security Topic 3 - 3.13

TCP/IP and the OSI Model

V2.0 © NCC Education Limited

13

Web Security Topic 3 - 3.14

Network Level Security

IPSec

HTTP FTP SMTP

TCP

IP/IPSec

V2.0 © NCC Education Limited

14

Web Security Topic 3 - 3.15

Transport Level Security

SSL/TLS HTTP FTP SMTP

SSL or TLS

TCP

IP

V2.0 © NCC Education Limited

15

V1.0 Visuals Handout – Page 5

Topic 3 – Web Security Network Security and Cryptography

Web Security Topic 3 - 3.16

IP Security (IPSec)
• Provides security services at the IP layer for other
TCP/IP protocols and applications to use

• Provides the tools that devices on a TCP/IP

network need in order to communicate securely
- When two devices wish to securely communicate,
they create a secure path between themselves that
may traverse across many insecure intermediate
systems.

V2.0 © NCC Education Limited

16

Web Security Topic 3 - 3.17

Steps for an IPSec Connection

1. Agree on a set of security protocols to use so that
data is in a format both parties can understand.
2. Decide on an encryption algorithm to use in
encoding data.
3. Exchange the keys that are used to decrypt the
cryptographically encoded data.
4. Use the protocols, methods and keys agreed upon
to encode data and send it across the network.

V2.0 © NCC Education Limited

17

Web Security Topic 3 - 3.18

IPSec Core Protocols

• IPSec Authentication Header (AH)
- Provides authentication services
- Verifies the originator of a message
- Verifies that the data has not been changed on route
- Provides protection against replay attacks
• Encapsulating Security Payload (ESP)
- AH ensures integrity but not privacy
- Datagram can be further protected using ESP
- Encrypts the payload of the IP datagram

V2.0 © NCC Education Limited

18

V1.0 Visuals Handout – Page 6

Topic 3 – Web Security Network Security and Cryptography

Web Security Topic 3 - 3.19

Support Protocols & Mechanisms

• The core protocols are quite generic and rely on
other protocols and mechanisms to be agreed.
• Common algorithms used are MD5 and SHA-1
• IPSec provides flexibility in letting devices decide
how they want to implement security.
- Security policies and security associations are created.

• Devices need a way to exchange security

information.
- The Internet Key Exchange (IKE) provides this.

V2.0 © NCC Education Limited

19

Web Security Topic 3 - 3.20

IPSec Applications
• Securing a company’s Virtual Private network
(VPN) over the Internet

• Securing remote access over the Internet

• Establishing connections with partners via an

extranet

• Enhancing eCommerce security by adding to the

security mechanism in the application layer

V2.0 © NCC Education Limited

20

Web Security Topic 3 - 3.21

IPSec Advantages
• Can be applied to a firewall or router and apply to
all traffic across that boundary

• It is transparent to applications.

• It is transparent to end users.

• It can provide security for individual users if

required.

V2.0 © NCC Education Limited

21

V1.0 Visuals Handout – Page 7

Topic 3 – Web Security Network Security and Cryptography

Network Security and

Cryptography

Topic 3 – Lecture 2:
SSL/TLS and HTTPS

V2.0 © NCC Education Limited

22

Web Security Topic 3 - 3.23

Secure Socket Layer (SSL)

• Originally developed by Netscape in 1995 to
provide secure and authenticated connections
between browsers and servers

• Provides transport layer security

• Transport Layer Security (TLS) Version 1 is

essentially SSLv3.1

V2.0 © NCC Education Limited

23

Web Security Topic 3 - 3.24

SSL Architecture
• SSL uses TCP to provide a reliable and secure end-
to-end service.

• It is not a single protocol but two layers of protocols

(see next slide).

• The Hypertext Transfer Protocol (HTTP) used for

server/client interaction on the Internet can operate
on top of the SSL Record Protocol.

V2.0 © NCC Education Limited

24

V1.0 Visuals Handout – Page 8

Topic 3 – Web Security Network Security and Cryptography

Web Security Topic 3 - 3.25

SSL Architecture
SSL Handshake SSL Change Cipher SSL Alert HTTP
Protocol Spec Protocol Protocol

SSL Record Protocol

TCP

IP

V2.0 © NCC Education Limited

25

Web Security Topic 3 - 3.26

SSL Connections
• A connection is a transport* that provides a suitable
service.
• SSL connections are peer-to-peer relationships.
• These SSL connections are transient.
- They only last for a certain length of time.
• Each connection is associated with a session.

*as defined by the OSI model

V2.0 © NCC Education Limited

26

Web Security Topic 3 - 3.27

SSL Sessions
• A session in SSL is an association between a client
and a server.
• Such sessions are created by the SSL Handshake
Protocol.
• A session defines the security parameters.
• A session may be shared by multiple connections.
- Allows the same settings to be used by many
connections without the need for repeatedly sending
the security parameters

V2.0 © NCC Education Limited

27

V1.0 Visuals Handout – Page 9

Topic 3 – Web Security Network Security and Cryptography

Web Security Topic 3 - 3.28

SSL Record Protocol - 1

• Provides two services for SSL connections
- Confidentiality
- Integrity

• Transmitted data:
- Fragmented into manageable blocks
- Compressed (optional)
- Encrypted
- Header added and transmitted in a TCP segment

V2.0 © NCC Education Limited

28

Web Security Topic 3 - 3.29

SSL Record Protocol - 2

• Received data:
- Decrypted
- Verified
- Decompressed
- Reassembled
- Delivered to higher level users

V2.0 © NCC Education Limited

29

Web Security Topic 3 - 3.30

SSL Change Cipher Spec Protocol

• Very simple
• One single byte containing the value 1
• Has one single purpose:
- Causes the pending state to be copied into the
current state
- This updates the cipher suite to be used on a
connection.

V2.0 © NCC Education Limited

30

V1.0 Visuals Handout – Page 10

Topic 3 – Web Security Network Security and Cryptography

Web Security Topic 3 - 3.31

SSL Alert Protocol

• Used to convey SSL alerts to the peer entity
• Alert messages are compressed and encrypted as
specified by the session.
• Each message consists of two bytes:
- The first values indicates a warning or fatal alert
- The second indicates the type of alert
• A fatal alert will cause SSL to immediately terminate
the connection, but not other connections on the
same session.

V2.0 © NCC Education Limited

31

Web Security Topic 3 - 3.32

SSL Alert Types

• There are a number of alerts including the following.
The top four are fatal:
- unexpected_message
- decompression_failure
- handshake_failure
- illegal_parameter
- close_notify
- no_certificate
- certificate_revoked

V2.0 © NCC Education Limited

32

Web Security Topic 3 - 3.33

SSL Handshake Protocol - 1

• The most complex part of SSL
• Allows server and client to authenticate each other
• Allows server and client to negotiate the encryption
algorithms and keys that be used to protect data in
an SSL record
• This protocol is used before any application data is
sent.

V2.0 © NCC Education Limited

33

V1.0 Visuals Handout – Page 11

Topic 3 – Web Security Network Security and Cryptography

Web Security Topic 3 - 3.34

SSL Handshake Protocol - 2

• Consists of a series of messages, all with the same
format

• Each message has 3 fields

- Type (1 byte) – indicates 1 of 10 message types
- Length (3 bytes) – the length of the message in
bytes
- Content (0 or more bytes) – parameters associated
with the message

V2.0 © NCC Education Limited

34

Web Security Topic 3 - 3.35

Messages
• The series of messages are initiated by the client.
• The first phase establishes the security credentials.
• The second phase involves authenticating the
server and exchanging keys.
• The third phase involves authentication the client
and exchanging keys.
• The fourth phase is completing the exchange.

V2.0 © NCC Education Limited

35

Web Security Topic 3 - 3.36

HTTPS
• HTTP over SSL/TLS
• Used to create secure communications between a
Web browser and Web server
• Built into modern browsers
• Requires server to support HTTPS communication
- For example, at the time of writing, the Google
search engine does not support connections via
HTTPS

V2.0 © NCC Education Limited

36

V1.0 Visuals Handout – Page 12

Topic 3 – Web Security Network Security and Cryptography

Web Security Topic 3 - 3.37

HTTPS Compared to HTTP

• URL begins with https:// rather than http://

• HTTPS connections use port 443 whereas HTTP

uses port 80.
- Port 443 invokes SSL

• If all is well, the browser will typically show a

padlock or some other symbol to indicate the use of
SSL/TLS.

V2.0 © NCC Education Limited

37

Web Security Topic 3 - 3.38

HTTPS and Encryption

• The following elements of an HTTPS communication
are encrypted:
- URL of the requested document
- Contents of the document
- Contents of browser forms
• The fields filled in by the user in the browser
- Cookies
• From server to browser
• From browser to server
- Contents of the HTTP header

V2.0 © NCC Education Limited

38

Web Security Topic 3 - 3.39

SSL Advantages
• It is independent of the applications once a
connection has been created.
- After the initiating handshake, it acts as a secure
tunnel through which you can send almost anything.

• Has several implementation packages, both

commercial and freely available
- All major platforms (Windows, Linux, etc.) support
SSL
- No requirement for extra software packages

V2.0 © NCC Education Limited

39

V1.0 Visuals Handout – Page 13

Topic 3 – Web Security Network Security and Cryptography

Web Security Topic 3 - 3.40

SSL Disadvantages
• The extra security comes with extra processing
overhead.
• This overhead is largely at the server end.
• Means communications using SSL/TLS are a
slower than those without it
- Some sources suggest that HTTPS communication
can be up to three time slower than HTTP.
- With modern browsers, servers and connection
speeds, this should not cause significant problems.

V2.0 © NCC Education Limited

40

Web Security Topic 3 - 3.41

SSL/TLS Broken
• September 2011 - appears SSL/TLS
cryptography has been broken by researchers

• This has major implications for the secure

communications via the Internet
Reference for news emerging (September 2011):
http://www.computerweekly.com/Articles/2011/09/22/247969/Researchers-claim-to-have-
broken-SSLTLS-encryption.htm

V2.0 © NCC Education Limited

41

Web Security Topic 3 - 3.42

References
• Stallings, W. (2010). Cryptography and Network
Security: Principles and Practice. Pearson
Education.
• Thomas, S.A. (2000). SSL & TLS Essentials:
Securing the Web. Wiley.

V2.0 © NCC Education Limited

42

V1.0 Visuals Handout – Page 14

Topic 3 – Web Security Network Security and Cryptography

Web Security Topic 3 - 3.43

Topic 3 – Web Security

Any Questions?

V2.0 © NCC Education Limited

43

V1.0 Visuals Handout – Page 15