13. Secure Online Transactions

What We Will Cover Announcements Please sit at a computer station and start Apache or IIS When class is over, please shut down your computer Log Tails Introduction 13.1: Encryption 13.1.1: Understanding Cryptography 13.1.2: Single-Key Cryptography 13.1.3: Public-Key Cryptography 13.1.4: Authorization vs. Authentication 13.1.5: Digital Signatures Lab Exercise 13.1 13.2: Secure Socket Layer 13.2.1: What Is SSL? 13.2.2: How Does SSL Work? Lab Exercise 13.2 13.3: Certificate Authorities 13.3.1: Certificates 13.3.2: Certificate Authorities Lab Exercise 13.3 13.4: Access Control Lists 13.4.1: What Is an ACL? 13.4.2: Defining an ACL Lab Exercise 13.4 Lesson 14 Wrap Up Assignments Due Next: N/A Log Tails From Last Lab Any questions? Quiz Review WebCT An applet can 1. read an image off the client’s computer 2. access the client’s available memory 3. call other programs on same web page 4. make network connections to the host server Where To Next? Course Descriptions CIS 165 PH: Intro. to Programming Database-Driven Web Sites With PHP CIS 175: Fundamentals of Computer Security CIS 181: Networking Fundamentals Web Registration back to top Introduction Can listen in on someone else's online communication Can masquerade or spoof the identity of another machine So what's an e-commerce business to do? Will discuss methods of making online transactions more secure back to top 13.1: Encryption Objectives At the end of the lesson the student will be able to: Describe weaknesses in cryptography Foundation of many security techniques is the encryption of data Encryption transforms data into seemingly unreadable string of data Opposite of encryption is decryption Decryption transforms encrypted data back into useable information Encryption and decryption are the two major processes of cryptography back to top 13.1.1: Understanding Cryptography Many forms of cryptography, but the principles are the same You want to protect your data from eavesdropping, spying, or falling into the wrong hands Cryptography allows us to take the original data and encrypt it into an unreadable form If the cryptography is reversible, then a special key is used during encryption and decryption Plaintext is information before encryption and after decryption Ciphertext is encrypted data To see the plaintext we must decrypt the ciphertext using an algorithm and key For Example Let's encrypt the following message using the given algorithm and key: Plaintext: Meet me on the bridge at midnight Algorithm: C = P + K Using the Standard English Alphabet ABCDEFGHIJKLMNOPQRSTUVWXYZ Where: C is the ciphertext character P is the plaintext character K is the value of the key Key: 3 To generate the ciphertext (C) form plaintext (P), add the key (K) to the current position in the alphabet Ciphertext: Phhw ph rq wkh fruqhu dw plgqljkw The ciphertext message is not in any recognizable or readable form Anyone intercepting this message would have some difficulty understanding what it meant To decrypt the message, we simply reverse the encryption process In this case, shift each of the ciphertext characters left by three Another Example Let's encrypt the following message using the given algorithm and key: Plaintext: Meet me on the corner at midnight Algorithm: C = Key(P) Key: Here we simply substitute one symbol for another to generate they ciphertext The key in this case is the mapping of characters to the symbols This method has the advantage of not having such an easily guessed key Computers routinely smap characters to numbers, for example ASCII For instance, ASCII maps the letter "A" to the number sixty-five Since ASCII is commonly known, it is not used for secret messages Because computers map characters to numbers, they can be used for encoding and decoding secret messages back to top 13.1.2: Single-Key Cryptography In our example we used single-key or secret-key cryptography Both the encryption and decryption processes use the same key This makes the algorithm a symmetric process For this reason the key must be kept secret Anyone who obtains the key can easily read the ciphertext message For Example Data Encryption Standard (DES) was developed by the government in 1977 The original DES is based upon a 56-bit key that yields 256 possible keys This is about 72 quadrillion keys Although the number of keys for DES is enormous, it is susceptible to attack Generally, the larger the key length, the more secure the encryption method More keys make it harder to test the possibilities Weakness of Single-Key Cryptography Though widely used, there is one main problem with single-key cryptography Both the sender and receiver of the encrypted message must know the key Securely exchanging the secret key becomes difficult Perhaps if we met on the corner at midnight? back to top 13.1.3: Public-Key Cryptography Another method of encryption is public-key cryptography Public-key cryptography uses a "private" key and a "public" key The public key is available to anyone while the private key remains secret Messages are encrypted using the intended recipient's public key Messages can only be decrypted using the recipients private key Other Uses of Public and Private Keys Public and private keys are generated in pairs Encryption with one key can only be decrypted with the other key It does not matter which one is kept private and which one is made public Once you choose, just don't forget and release the other by mistake This allows a very useful task beyond simply encrypting sensitive data With your private key, you can encrypt a message Anyone can read the message using your public key However, this decryption is proof that the message came from the owner of the private key This technique can be used to prove the identity of the private key's owner Proving someone's identity is called authentication back to top 13.1.4: Authorization vs. Authentication There is a difference between authorization and authentication Authorization establishes your authority to perform some act Authentication establishes that you are not false or an imitation One common method of authentication is login name and password Passwords are relatively simple to implement and use Main idea is that only you and the system know your password When you provide your password, the system believes it is you Passwords by themselves do not provide strong authentication Most passwords are easily guessed Most people only have a few passwords they use over and over Passwords can be captured electronically: keystroke capture, packet sniffer Most common security problem: people tell someone their password A stronger form of authentication is the digital signature back to top 13.1.5: Digital Signatures A digital signature is the electronic version of a physical signature With paper and pen, a person signs a document with a physical signature In the digital world, users and machines sign documents or data using digital signature Digital signatures are most often based on public-key cryptography As was mentioned earlier, public and private keys are related Encrypting using one key requires the corresponding key to decrypt Only the owner of the public and private key pair should know the private key Thus any message must have been encrypted by the owner of the key pair Allows us to authenticate that a message originated from the identity it appears to have originated from For Example To send an authenticatable secret message from Alice to Bob: Alice encrypts her message with her private key Alice encrypts her message with Bob's public key Alice transmit the message and Bob receives the message Bob decrypts the message with his private key Bob decrypts the message with Alice's public key back to top Lab Exercise 13.1 Use the next 10 minutes to complete the following. Start a text file named exercise13.txt Will be adding to this file during the lesson -- save it often. Prepare the exercise header as described in the HowTo on submitting exercises Label this exercise: Lab 13.1 Perform the following exercises and answer the questions. Exercises and Questions Understand Weaknesses in Cryptography Using the Standard English alphabet and the following ciphertext, which was encoded using an ordinary shift algorithm, answer the following question. F HTIJ XZHM FX YMNX NX STY YTT XJHZWJ What is the plaintext equivalent of the ciphertext? Pick any 10 words at random from this page (or any other source) and record the number of occurrences of each letter from all 10 words together. What are five most common characters in the words you chose? If a Web client and server have never met before, why is public-key cryptography better suited for communication? back to top 13.2: Secure Socket Layer Objectives At the end of the lesson the student will be able to: Describe the advantage of SSL Identify careless use of SSL Secure Socket Layer (SSL) was developed by Netscape Can be used to encrypt data sent between a client and a server back to top 13.2.1: What Is SSL? Secure Socket Layer is an actual network layer added to the protocol stack Resides just above the transport layer and beneath the application layer Known as Transport Layer Security (TLS) OSI Protocol Stack Internet Protocol Stack Can be used in a variety of Web applications Both the client and server applications must support the use of SSL Netscape, Microsoft and most other modern browsers and servers support SSL SSL encrypts the data sent between the client and server Also authenticates to whom the remote connection is being made This prevents someone masquerading as an identity they are not SSL uses a variety of encryption algorithms Connection can use different key lengths for different clients and servers Depends on the client and server software and the keys they support Client and server will always attempt to use the strongest-supported encryption algorithm back to top 13.2.2: How Does SSL Work? Secure Socket Layer transaction must go through an initial handshaking. Most of the steps are described below: First step is for the client to connect to the server using port 443 (https). The client includes information identifying the session and a list of known ciphers and key sizes. Server will send back to the client what is called a certificate. The certificate, among other things, contains the server's public key. In addition, the server will send a digitally signed message signed using the server's private key. The client decrypts the signed message using the server's previously sent public key. This proves that the server is the one that digitally signed the message Once this trust has been established, the client encrypts the secret single key to generate what is known as the session key. This session key will be used to carry out the encrypted conversation Single-key encryption is typically more efficient than public-key Public-key method is used simply to pass the key for the single-key algorithm Client encrypts the session key using the server's public key and then sends a message that all future messages from the client will be encrypted with the session key. The server sends a message to the client that all future messages will be encrypted using the session key. The SSL handshake is complete and the session begins. From this point on, all data sent between the client and server will be encrypted using this secret key For Example Here is a simplified conversation between a client and server using SSL. Client ==> [ "Hello" ] ==> Server Client <== [ "Hello" + server-certificate ] <== Server Client <== [ ("Message 1") server-private-key ] <== Server Client ==> [ (secret-key) server-public-key ] ==> Server Client <== [ ("Message 2") secret key ] <== Server Further Information Apache and SSL setco.org: A Secure Electronic Transaction system developed by and for the major credit card companies back to top Lab Exercise 13.2 Use the next 10 minutes to complete the following. Note that some of these exercises have been modified from those in the text book. Label this exercise: Lab 13.2. Understand the Advantage of SSL Start Ethereal to monitor a connection to the page: http://172.30.1.100/secret.html. Thus, apply the following filter: host 172.30.1.100 What do you see in the sniffer output as you load this page? Run the sniffer and load the slightly modified URL for this exercise that uses https rather than http https://172.30.1.100/secret.html What do you see in the sniffer output now as you load this page? What port and transport protocol (TCP or UDP) is being used by the server? Identify Careless Use of SSL The following HTML online form is used to collect credit card information. <HTML> <HEAD> <TITLE>Order Form</TITLE> </HEAD> <BODY> <FORM method="post" action="http://secure.yourserver.com/cgi-bin/order.pl"> Name: <input type="text" name="customer"> Credit Card: <input type="text" name="cc"> </FORM> </BODY> </HTML> If the HTML document is accessed using SSL (https://), is the user safe when submitting credit card information? back to top 13.3: Certificate Authorities Objectives At the end of the lesson the student will be able to: Describe what a certificate is Obtain your own certificate To establish an SSL session, the server sends a certificate A certificate is an electronic document that pairs a public key with the owner's identity Sending a certificate allows us to include more data than the public key Can include the owner's identity and often other data as well Digitally signing messages authenticates the sender of the message to be the owner of the public and private key pair However, there is a flaw in authenticating the actual identity of the sender back to top 13.3.1: Certificates Possible to contact the wrong server initially and be passed false keys A certificate provides a form of identity Can associate a user or machine's identity with the public key they own Similar concept to a driver's license or passport Rather than just asking for a driver's license number, can ask to see the actual license back to top 13.3.2: Certificate Authorities The entity that issues a certificate to a user or host is called a certificate authority (CA). CA validates the authenticity of certificates it issues guaranteeing that the identity contained in the certificate is the true owner of the corresponding public key Certificate authority is like an online version of a notary public check a certificates authenticity with the issuing certificate authority back to top Lab Exercise 13.3 Use the next 10 minutes to complete the following. Note that some of these exercises have been modified from those in the text book. Label this exercise: Lab 13.3 Understand What a Certificate Is When visiting a site that uses SSL, you can view the site's certificate while you are connected. You can click the "Security" icon, which is represented by a padlock or a key. If you are using Internet Explorer, you can view existing certificates: Tools => Internet Options => Content => Certificates. In Mozilla: Edit => Preferences => Privacy & Security => Certificates For this exercise view a certificate. Either select one while making an online transaction or view an existing certificate. What information is contained within this site's certificate? Who issued this certificate? Obtaining Your Own Certificate Connect to the following URL: http://www.verisign.com. What types of certificates does VeriSign offer? Connect to the following URL: http://www.thawte.com. What types of certificates does Thawte offer? Note: you can create your own certificate following the instructions given in lesson 4.4.4. back to top 13.4: Access Control Lists Objectives At the end of the lesson the student will be able to: Describe how ACLs work Describe the benefits that ACLs provide Access control lists are not directly related to encryption technologies However, they are associated with authorization and authentication Also commonly found in conjunction with Web pages using SSL back to top 13.4.1: What Is an ACL? An access control list (ACL) is a method of limiting access to a particular portion of a Web site Most web sites are open to everyone Anyone requesting a file is allowed access to it without restriction Some files should not be freely available to everyone Yet the Web is a convenient method of distributing files to those who should access them Common application is a "members-only" area Another use is to restrict access to personal information Why have Google index your phone number and address? An ACL can be used to place a restriction on a single file or an entire directory, including its subdirectories Restricting access to a directory by using an ACL requires the user to enter a login and password If the login and password match, then the file is sent If the login and password do not match, an error is returned The authorization and authentication are performed by the Web server Web server bases its decision on the information stored in the ACL back to top 13.4.2: Defining an ACL Each Web server has its own method and syntax for defining an ACL In general, however, they all follow the same guidelines Each ACL defines a realm and the users that may access that realm The ACL is then assigned to one or more files or directories to restrict access For Example Following is an example for the Apache Web server This ACL protects the "Secret" realm, allowing only defined valid users access The usernames and passwords are stored in a file /etc/http/passwd The method the client and server will use to authenticate users will be the Basic authentication type Authname "Secret" AuthType Basic AuthUserFile /etc/http/passwd Require valid-user This ACL would simply be stored in a file The name of the file would be defined in the Web server's configuration file Common names are .htaccess or .acl Each time a directory is accessed, the server would look for a file of this name Server restricts access based on the defined ACL contained within the file. Further Information Apache Access Control Example: lesson 4.3.1 IIS Access Control: lesson 4.3.1 back to top Lab Exercise 13.4 Use the next 10 minutes to complete the following. Label this exercise: Lab 13.4 Understand How ACLs Work Connect to the companion Web site for this exercise by clicking here. It is restricted by an ACL. What happens as you load this page? A valid username for this realm is testuser with a password of security. What happens when you enter an invalid username or password? What happens when you enter a valid username and password? Connect to the companion Web site for this exercise by clicking here. It is restricted by the same ACL used in Question 1. What happens as you load this page? Quit and restart your browser and then reload the URL from Question 4. What happens as you load this page? Connect to the companion Web site for this exercise by clicking here. It is restricted by a different ACL. What happens as you load this page? Understand the Benefits That ACLs Provide Using the packet sniffer, restart your browser and load one of the URLs from Lab 13.4 above, then answer the following questions. What data is sent from the client to the Web server when requesting a URL prior to the challenge prompt? What data is sent from the Web server to the client prior to the challenge prompt? What data is sent from the client to the Web server after submitting a valid username and password? What data is sent from the Web server to the client after submitting a valid username and password? back to top Wrap Up When class is over, please shut down your computer => Logout => Shut Down Due Next: N/A You may complete unfinished exercises at any time before the next class. Be sure to submit the file to the instructor before the beginning of the next class to receive credit. Instructions on submitting exercises are available from the HowTo's page. back to top Home | WebCT | Announcements | Schedule | Expectations | Syllabus | Help | FAQ's | HowTo's | Links Last Updated: 7/16/2003 4:45:45 PM