Lecture 12. Web Application Security
5 (±2) Aspects of Security
The core triad: Confidentiality, Integrity, Availability.
Extended with: Authentication, Authorization, Non-Repudiation, Privacy.
Confidentiality
Information exchanged between the client and service provider cannot be read by an unauthorized party.
Encryption is the fundamental technology for ensuring confidentiality of:
Messages in transit
Messages in storage
Confidentiality vs. Privacy
Confidentiality: the obligation of the provider to restrict access.
Privacy: the individual's right to control access.
Integrity
The assurance that data and information cannot be altered, whether by:
Accidental corruption
Willful alteration
Here, we discuss integrity in terms of data integrity: data has not been altered during transmission.
In the CIA model, source integrity = authentication.
Primary technologies/techniques to ensure integrity:
Digital signatures
Hash algorithms
Checksums
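An added example (not from the lecture) showing why the slide separates accidental corruption from willful alteration: a checksum or plain hash detects a flipped bit, but an adversary who can edit the message can also recompute an unkeyed check value, whereas a keyed mechanism cannot be recomputed without the key. An HMAC stands in here for the digital signature the slide lists, since Python's standard library provides it; the message, shared key and bit position are constructed.

```python
import binascii
import hashlib
import hmac

# Constructed sample message and a key assumed to be shared out of band
# between sender and receiver (neither appears in the lecture).
MESSAGE = b"transfer 100.00 to account 12345"
SHARED_KEY = b"constructed-demo-key-do-not-reuse"


def compute_check(msg: bytes, kind: str) -> bytes:
    """Check value for one of the mechanisms the slide lists.
    'checksum' and 'hash' are unkeyed; 'hmac' stands in for a keyed
    mechanism such as a digital signature, using the standard library."""
    if kind == "checksum":
        return (binascii.crc32(msg) & 0xFFFFFFFF).to_bytes(4, "big")
    if kind == "hash":
        return hashlib.sha256(msg).digest()
    if kind == "hmac":
        return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()
    raise ValueError(f"unknown mechanism: {kind}")


def receiver_accepts(msg: bytes, received_check: bytes, kind: str) -> bool:
    """Receiver recomputes the check value and compares in constant time."""
    return hmac.compare_digest(compute_check(msg, kind), received_check)


def flip_bit(msg: bytes) -> bytes:
    """Model accidental corruption: one bit changes in transit, the check value does not."""
    corrupted = bytearray(msg)
    corrupted[9] ^= 0x01  # the '1' of "100.00" becomes '0'
    return bytes(corrupted)


def simulate(kind: str) -> dict:
    """Does the receiver accept (a) a corrupted and (b) a willfully altered message?
    True means an unwanted acceptance."""
    sent_check = compute_check(MESSAGE, kind)
    corrupted = flip_bit(MESSAGE)
    altered = MESSAGE.replace(b"100.00", b"900.00")
    # An adversary can recompute an unkeyed check value to match the
    # altered message, but without SHARED_KEY can only replay the old HMAC.
    forged_check = sent_check if kind == "hmac" else compute_check(altered, kind)
    return {
        "accepts_corrupted": receiver_accepts(corrupted, sent_check, kind),
        "accepts_altered": receiver_accepts(altered, forged_check, kind),
    }
```

Calling simulate() for each of "checksum", "hash" and "hmac" shows all three catch the flipped bit, but only the keyed check rejects the altered message.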
Availability
Authorized clients have timely and reliable access to resources.
What counts as proper availability depends on the application.
“Myth of the Nines”: how reliable is 99.9% availability?
Relevant technologies/techniques:
High availability protocols
Redundancy
System design without a single point of failure
Authentication
Is the client (person or machine) really who they claim to be?
The most secure authentication schemes use 3 factors:
Something you know – e.g., password
Something you have – e.g., key/token
Something you are – e.g., fingerprint
Technologies:
Login/password combination
Public Key Infrastructure
Biometrics
Authorization
Allowing access only to those resources to which the client has been granted permission.
Granting authorization may depend on:
Identity
Client characteristic (e.g., age, domain)
Access control list (ACL) is still the primary technology.
So, what’s the difference between authentication & authorization?
Non-Repudiation (Auditing)
Preventing both the sender & receiver of information from denying their involvement in an exchange.
Sender receives proof of delivery.
Recipient receives proof of origin.
Non-repudiation encompasses:
Approval & sending (origin)
Submission
Transport
Receipt & knowledge (delivery)
Privacy
The client’s expectation that their data will be released only to those parties that they authorize.
Common view of privacy invasions:
Cookies
Spyware
Privacy expectations vary across societies and industries.
High: Europe, health care (HIPAA Privacy Rule)
Low: North America in general
Fundamental Technologies
Introduction to Encryption
A mathematical process for transforming a plain text message into cipher text.
A cipher is an algorithm for encrypting or decrypting a message.
Classical ciphers – substitution & transposition
Modern ciphers – mathematical transformations
Symmetric vs. asymmetric
Block vs. stream
A cipher is said to be strong if it cannot be broken in practice by a brute-force attack (i.e., trying all possible keys).
Symmetric Key Algorithms
The sender and receiver use the same key to encrypt and decrypt a message.
Examples: AES, Blowfish, DES, Triple-DES
Not all algorithms are created alike; their strength depends on:
Secrecy of the key
Key length
Inversion of the encryption algorithm
Known parts of the plaintext
Biggest advantage: speed
Biggest disadvantages: key exchange, storage
How DES Works
<script>alert(“Whoops”);</script>