23559568 אבטחת מידע

:
2000
www.mh2000.co.il :
2000
www.mh2000.co.il
.1

: , ,
" Java " :10 ,

, , ,
, ) , ,(
VPN (Virtual Private Networking) :
: ) ,(hosts , ,
) ,(routers ).(switches
2000 www.mh2000.co.il

.
.
: , ,,
.
?

#
:
# #
?
?
,,
' )(?
#
?
2000
www.mh2000.co.il
# #
:
#

, %
# ) #//
(.

# :
:
,
: ,FireWall

:
: ,
2000 www.mh2000.co.il
2. SSL - Secure Socket Layer

(Based on Netscape SSL description document)
An Introduction To Key Cryptography

RSA public key cryptography is widely used for
authentication and encryption in the computer industry,
from RSA Security Inc.
Netscape uses RSA public key cryptography for Internet
security: The implementation of the Secure Sockets Layer
(SSL) protocol employs the RSA public key cryptography
techniques discussed in this document.
Public key encryption is a technique that uses a pair of
asymmetric keys for encryption and decryption:
Each pair of keys consists of a public key and a
private key.
The public key is made public by distributing it
widely.
The private key is never distributed; it is always
kept secret.
Data that is encrypted with the public key can be
decrypted only with the private key.
Conversely, data encrypted with the private key can
be decrypted only with the public key.
This asymmetry is the property that makes public key
cryptography so useful.
www.mh2000.co.il
2000
SSL - Secure Socket Layer
Using Public Key Cryptography For

Authentication
Authentication is the process of verifying identity so that
one entity can be sure that another entity is who it claims to
be.
Our example will involve communication between Alice
and Bob, where public key cryptography will be used to
verify identity. The notation {something}key means that
something has been encrypted or decrypted using key.
Suppose Alice wants to authenticate Bob. Bob has a pair of
keys, one public and one private:
Bob discloses to Alice his public key (the way he
does this is discussed later).
Alice then generates a random message and sends it
to Bob:
A->
B
random-message
Bob uses his private key to encrypt the message and

returns the encrypted version to Alice:
B->
A
{random-message}bobs-priva
te-key
Alice receives this message and decrypts it by using

Bob's previously published public key. She compares
the decrypted message with the one she originally
sent to Bob; if they match, she knows she's talking to
Bob.
An impostor presumably wouldn't know Bob's private key
and would therefore be unable to properly encrypt the
random message for Alice to check.
www.mh2000.co.il 2000
Digital signature
Unless you know exactly what you are encrypting, it is
never a good idea to encrypt something with your private
key and then send it to somebody else.
This is because the encrypted value can be used against you
(remember, only you could have done the encryption
because only you have the private key).
So, instead of encrypting the original message sent by
Alice, Bob constructs a message digest and encrypts that.
A message digest is derived from the random message in a
way that has the following useful properties:
The digest is difficult to reverse. Someone trying to
impersonate Bob couldn't get the original message back
from the digest.
An impersonator would have a hard time finding a
different message that computed to the same digest value.
By using a digest, Bob can protect himself:
He computes the digest of the random message sent by
Alice and then encrypts the result.
He sends the encrypted digest back to Alice.
Alice can compute the same digest and authenticate Bob
by decrypting Bob's message and comparing values.
The technique just described is known as a digital
signature.
In the revised authentication protocol some (or all) of the
data is originated by Bob:
A->B
hello, are you bob?

www.mh2000.co.il
2000

B->A
Alice, This Is bob

{ digest[Alice, This
Is Bob] }
bobs-private-key
When he uses this protocol, Bob knows what message he is

sending to Alice, and he doesn't mind signing it:
He sends the unencrypted version of the message first,
"Alice, This Is Bob."
Then he sends the digested-encrypted version second.
Alice can easily verify that Bob is Bob, and Bob hasn't
signed anything he doesn't want to.
10
Certificate
How does Bob hand out his public key in a trustworthy
way?
Say the authentication protocol looks like this:
A->B
B->A
A->B
B->A
hello
Hi, I'm Bob,
bobs-public-key
prove it
Alice, This Is bob
Is Bob] }
bobs-private-key
With this protocol, anybody can be Bob. All you need is a

public and private key:
You lie to Alice and say you are Bob, and then you
provide your public key instead of Bob's.
You prove it by encrypting something with the private
key you have
Alice can't tell you're not Bob.
To solve this problem, the standards community has
invented an object called a certificate. A certificate has the
following content:
The certificate issuer's name
The entity for whom the certificate is being issued (AKA
the subject)
The public key of the subject
Some time stamps
The certificate is signed using the certificate issuer's private
www.mh2000.co.il
2000
11
key. Everybody knows the certificate issuer's public key

(that is, the certificate issuer has a certificate, and so on...).
Certificates are a standard way of binding a public key to a
name.
By using this certificate technology, everybody can
examine Bob's certificate to see whether it's been forged.
Assuming that Bob keeps tight control of his private key
and that it really is Bob who gets the certificate, then all is
well. Here is the amended protocol:
A->B
B->A
A->B
B->A
hello
Hi, I'm Bob,
bobs-certificate
prove it
Alice, This Is bob
Is Bob] }
bobs-private-key
when Alice receives Bob's first message, she can examine

the certificate, check the signature (as above, using a
digest and public key decryption), and then check the
subject (Bob's name) and see that it is indeed Bob.
She trust that the public key is Bob's public key and
request Bob to prove his identity.
Bob goes through the same process as before, making a
message digest of his design and then responding to Alice
with a signed version of it.
Alice can verify Bob's message digest by using the public
key taken from the certificate and checking the result.
A bad guy - let's call him M - can do the following:
A->M
M->A
hello
Hi, I'm Bob,
12
A->M
M->A
bobs-certificate
prove it
????
But M can't satisfy Alice in the final message. M doesn't

have Bob's private key, so he can't construct a message that
Alice will believe came from Bob.
www.mh2000.co.il
2000
13
Exchanging A Secret
Once Alice has authenticated Bob, she can do another thing
- she can send Bob a message that only Bob can decode:
A->B
{secret}bobs-public
-key
The only way to find the secret is by decrypting the above

message with Bob's private key.
Exchanging a secret is another powerful way of using
public key cryptography.
Even if the communication between Alice and Bob is
being observed, nobody but Bob can get the secret.
This technique strengthens Internet security by using the
secret as another key, but this time it's a key to a symmetric
cryptographic algorithm (such as DES, RC4, or IDEA):
Alice knows the secret because she generated it before
sending it to Bob.
Bob knows the secret because Bob has the private key
and can decrypt Alice's message.
Because they both know the secret, they can both
initialize a symmetric cipher algorithm and then start
sending messages encrypted with it.
14
The revised protocol:

A->B
B->A
A->B
B->A
A->B
B->A
hello
Hi, I'm Bob,
bobs-certificate
prove it
Alice, This Is bob
Is Bob] }
bobs-private-key
ok bob, here is a
secret {secret}
bobs-public-key
{some
message}secret-key
How secret-key is computed is up to the protocol being

defined, but it could simply be a copy of secret.
www.mh2000.co.il
2000
15
MAC (Message Authentication Code)

Although M can't discover the secret that Alice and Bob
have exchanged, he can interfere in their conversation by
damaging it.
For example, if M is sitting between Alice and Bob, he can
choose to pass most information back and forth unchanged
but mangle certain messages :
A->M
M->B
hello
hello
B->M
M->A
Hi, I'm Bob,

bobs-certificate
Hi, I'm Bob,
bobs-certificate
A->M
M->B
B->M
M->A
A->M
M->B
B->M
M->A
prove it
prove it
Alice, This Is bob
Is Bob] }
bobs-private-key
Alice, This Is bob
Is Bob] }
bobs-private-key
ok bob, here is a
secret {secret}
bobs-public-key
ok bob, here is a
secret {secret}
bobs-public-key
{some
message}secret-key
Garble[ {some
message}secret-key ]
M passes the data through without modification until

Alice and Bob share a secret.
M gets in the way by garbling Bob's message to Alice. By
16
this point Alice trusts Bob, so she may believe the garbled
message and try to act on it.
Note that M doesn't know the secret - all he can do is
damage the data encrypted with the secret key. Depending
on the protocol, M may not produce a valid message. Then
again, he may get lucky.
To prevent this kind of damage, Alice and Bob can
introduce a message authentication code (MAC) into their
protocol.
A MAC is a piece of data that is computed by using a
secret and some transmitted data.
The digest algorithm described above has just the right
properties for building a MAC function that can defend
against M:
MAC := Digest[ some
message, secret ]
Because M doesn't know the secret, he can't compute the

right value for the digest. Even if M randomly garbles
messages, his chance of success is small if the digest data
is large.
For example, by using MD5 (a cryptographic digest
algorithm invented by RSA), Alice and Bob can send
128-bit MAC values with their messages.
The odds of M's guessing the right MAC are approximately
1 in 18,446,744,073,709,551,616 - for all practical
purposes, never.
Here is the sample protocol, revised yet again:
www.mh2000.co.il
2000
17

A->B
B->A
A->B
B->A
hello
Hi, I'm Bob,
bobs-certificate
prove it
Alice, This Is bob
Is Bob] }
bobs-private-key
ok bob, here is a
secret {secret}
bobs-public-key
{some
message,MAC}secret-key
Now, M can garble messages all he wants, but the MAC

computations will reveal him for the fraud he is.
Alice or Bob can discover the bogus MAC value and stop
talking. M can no longer put words in Bob's mouth.
The "Parrot"
Another technique M can use is the "Parrot":
If M is recording conversations, he may not understand
them but he can replay them.
M can do some really nasty things sitting between Alice
and Bob.
The solution is to introduce random elements from both
sides of the conversation.
18
SSL and HTTPS

SSL (Secure Socket Layer) is the scheme proposed by
Netscape Communications Corporation.
It is a low level encryption scheme used to encrypt
transactions in higher-level protocols such as HTTP, NNTP
and FTP.
The SSL protocol includes provisions for:
server authentication (verifying the server's identity to the
client)
encryption of data in transit
optional client authentication (verifying the client's
identity to the server).
HTTPS is the HTTP protocol implemented with netscape
SSL.
www.mh2000.co.il
2000
19
Internet Server Security
3. Internet Server Security

Many features that increase the convenience of using and
running the server also increase the chances of a security
breach.
Here is a list of potentially dangerous features.
Automatic directory listings

The automatic directory listings Internet servers have the
potential to give the hacker access to sensitive information.
This information can include:
backup files containing the source code to CGI scripts
source-code control logs
symbolic links that you once created for your
convenience and forgot to remove
directories containing temporary files
Turning off automatic directory listings doesn't:
prevent people from fetching files whose names they
guess at.
prevent an automatic text keyword search program
that inadvertently adds the "hidden" file to its index.
To be safe, remove unwanted files from your document
root entirely.
20
Symbolic Link Following

Some servers allow extending the document tree with
symbolic links.
This can lead to security breaches when someone
accidentally creates a link to a sensitive area of the system,
for example /etc.
A safer way to extend the directory tree is to include an
explicit entry in the server's configuration file (this
involves a PathAlias directive in NCSA-style servers, and
a Pass rule in the CERN server).
The NCSA and Apache servers allow you to turn symbolic
link following off completely.
Another option allows you to enable symbolic link
following only if the owner of the link matches the owner
of the link's target (i.e. you can compromise the security of
a part of the document tree that you own, but not someone
else's part).
Server Side Includes

The "exec" form of server side includes are a major security
hole.
Their use should be restricted to trusted users or turned off
completely.
In NCSA httpd and Apache, you can turn off the exec form
of includes in a directory by placing this statement in the
appropriate directory control section of access.conf:
Options IncludesNoExec
www.mh2000.co.il
2000
21
User-Maintained directories
Allowing any user on the host system to add documents to
your web site is a wonderfully democratic system.
However, you do have to trust your users not to open up
security holes. This can include:
publishing files that contain sensitive system information,
creating CGI scripts, server side includes, or symbolic
links that open up security holes.
Unless you really need this feature, it's best to turn it off.
When a user needs to create a home page, it's probably best
to give him his own piece of the document root to work in,
and to make sure that he understands what he's doing.
Whether home pages are located in user's home directories
or in a piece of the document root, it's best to disallow
server-side includes and CGI scripts in this area.
22
Share the same document tree between ftp and

Web servers
Many sites like to share directories between the FTP
daemon and the Web daemon.
This is OK so long as there's no way that a remote user
can upload files that can later be read or executed by the
Web daemon.
Consider this scenario: the WWW server that has been
configured to execute any file ending with the extension
".cgi":
Using your ftp daemon, a remote hacker uploads a
perl script to your ftp site and gives it the .cgi
extension.
He then uses his browser to request the
newly-uploaded file from your Web server.
Bingo! he's fooled your system into executing the
commands of his choice.
You can overlap the ftp and Web server hierarchies, but
be sure to limit ftp uploads to an "incoming" directory
that can't be read by the "nobody" user.
www.mh2000.co.il
2000
23
Protecting Confidential Documents

There are three types of access restriction available:
Restriction by IP address, subnet, or domain :
only browsers connecting from certain IP (Internet)
addresses, IP subnets, or domains can access protected
documents/directories
Restriction by user name and password :
Remote user has to provide a name and password in
order to get access to Documents or directories
Encryption using public key cryptography :
Encrypt documents (and requests for documents) text can be read only by recipient
Use public key cryptography for authentication
24
Restriction by IP address, subnet or domain

Restriction by IP address is secure against casual nosiness
but not against a determined hacker. There are several
ways around IP address restrictions.
With the proper equipment and software, a hacker can
"spoof" his IP address
Nor is there any guarantee that the person contacting
your server from an authorized host is in fact the
person you think he is. The remote host may have
been broken into and is being used as a front.
IP address restriction must be combined with something
that checks the identity of the user, such as a check for
user name and password.
IP address restriction can be made much safer by running
the server behind a firewall machine that is capable of
detecting and rejecting attempts at spoofing IP addresses.
Such detection works best for intercepting packets
from the outside world that claim to be from trusted
machines on your internal network.
If a browser is set to use a proxy server to fetch
documents, then the server will only know about the IP
address of the proxy, not the real user's.
If the proxy is in a trusted domain, anyone can use that
proxy to access your site.
Unless you know that you can trust a particular proxy
to do its own restriction, don't add the IP address of a
proxy (or a domain containing a proxy server) to the
list of authorized addresses.
www.mh2000.co.il
2000
25
Restriction by host or domain name has the same risks as

restriction by IP address
also suffers from the risk of "DNS spoofing", an
attack in which your server is temporarily fooled into
thinking that a trusted host name belongs to an alien
IP address.
To lessen that risk, some servers can be configured to do
an extra DNS lookup for each client.
After translating the IP address of the incoming
request to a host name, the server uses the DNS to
translate from the host name back to the IP address.
If the two addresses don't match, the access is
forbidden.
26
Restriction by user name and password?

Too often users choose obvious passwords like middle
names, their birthday, their office phone number, or the
name a pet:
these passwords can be guessed at
some WWW servers don't complain after repeated
unsuccessful guesses. A hacker can employ a
password guessing program to break in.
password is vulnerable to interception as it is
transmitted from browser to server.
moreover, browser sends the password each time it
fetches a protected document. This makes it easier for
a hacker to intercept the transmitted data as it flows
across the Internet.
Passwords need to be encrypted - using a public key
cryptography, for example
It is more secure to use a combination of IP address
restriction and password
www.mh2000.co.il
2000
27
FireWalls
4. FireWalls
A firewall puts up a barrier that controls the flow of
traffic between networks.
The safest firewall would block all traffic, but that defeats
the purpose of making the connection, so you need to
strictly control selected traffic in a secure way.
The highest level of protection today is provided by
application-level proxy servers.
28
proxy server
A proxy server (a.k.a application gateway) is an
application that mediates traffic between a protected
network and the Internet.
Proxy services run at the application level of the network
protocol stack for each different type of service (FTP,
HTTP, etc.):
Proxies Contain extra logging or support for user

authentication.
Since proxies must ``understand'' the application protocol
being used, they can also implement protocol specific
security
e.g., an FTP proxy might be configurable to permit
incoming FTP and block outgoing FTP
Proxy servers are application specific. In order to support
a new protocol via a proxy, a proxy must be developed
for it.
One popular set of proxy servers is the TIS Internet
Firewall Toolkit (``FWTK'') which includes proxies for
Telnet, rlogin, FTP, X-Window, HTTP/Web, and
NNTP/Usenet news
www.mh2000.co.il
2000
29
FireWalls
Classifying Firewalls
Any device that controls network traffic for security
reasons can be called a firewall, and in fact the term
"firewall" is used in a generic way.
Three major types of firewalls that use different strategies
for protecting network resources:
The most basic firewall devices are built on routers
and work in the lower layers of the network protocol
stack. They provide packet filtering and are often
called screening routers:
High-end proxy server gateways operate at the upper

levels of the protocol stack (i.e., all the way up to the
application layer).
They provide proxy services on external networks for
internal clients and perform advanced monitoring and
traffic control by looking at certain information inside
packets:
30
The third type of firewall uses stateful inspection

techniques.
Routers are often used in conjunction with gateways to
build a multitiered defense system, although many
commercial firewall products may provide all the
functionality you need.
www.mh2000.co.il
2000
31
FireWalls
Screening Router (Packet Filters)

Screening routers look at information related to the
hard-wired IP address of a computer (Network layer), and
even the types of connections (Transport layer) and then
provide filtering based on that information.
A screening router may be a stand-alone routing device or
a computer that contains two network interface cards
(dual-homed system).
The router connects two networks and performs packet
filtering to control traffic between the networks.
Administrators program the device with a set of rules that
define how packet filtering is done.
Ports can also be blocked: can block all applications
except HTTP (Web) services.
Rules defined for routers may not be sufficient to
protect network resources, especially if the Internet is
connected to one side of the router.
32
Proxy Server Gateways

Gateways work at a higher level in the protocol stack
Provide more opportunities for monitoring and
controlling access between networks.
A gateway is like a middle-man, relaying messages
from internal clients to external services.
The proxy service changes the IP address of the client
packets
Then it acts as a proxy agent for the client on the
Internet.
Proxies reduce the threat from hackers who monitor
network traffic
The proxy hides the addresses of all internal
computers
Proxies reduce performance and transparency of
access to other networks
There are two types of proxy servers:
1) Network Level
2) Application Level
Network Level Firewall
Controls network connection between internal and
external systems (i.e., there is no "air-gap").
A virtual "circuit" exists between the internal client and
the proxy server.
Internet requests go through this circuit to the proxy
www.mh2000.co.il
2000
33
FireWalls
server, and the proxy server delivers those requests to the

Internet after changing the IP address.
External users only see the IP address of the proxy server.
Responses are then received by the proxy server and sent
back through the circuit to the client.
While traffic is allowed through, external systems never
see the internal systems. This type of connection is often
used to connect "trusted" internal users to the Internet.
Application Level Firewall
Provides all the basic proxy features and also provides
extensive packet analysis.
Packets from the outside are examined and evaluated to
determine if the security policy allows the packet to enter
into the internal network.
The proxy server also looks at the data in the packets to
stop hackers from hiding information in the packets.
A typical application-level gateway can provide proxy
services for applications and protocols like Telnet, FTP
(file transfers), HTTP (Web services), and SMTP
(e-mail).
A separate proxy must be installed for each
application-level service
Security policies can be much more powerful and flexible
because
All of the information in packets can be used by
administrators to write the rules that determine how
packets are handled by the gateway.
34
Can also strip computer names to hide internal

systems
Can evaluate the contents of packets for appropriateness
and security: e.g., set up a filter that discards any e-mail
messages that contain "dirty" words.
www.mh2000.co.il
2000
35
FireWalls
Stateful Inspection Techniques

Disadvantages of proxies:
Must evaluate a lot of information in a lot of packets
Need to install a separate proxy for each application
Stateful Inspection: Instead of examining the contents of
each packet, the bit patterns of the packets are compared
to packets that are already known to be trusted
The server saves state of request packets like port
number, and source and destination address.
When the outside system responds, the firewall server
compares the received packets with the saved state to
determine if they are allowed in.
Stateful inspection:
Advantage: provides speed and transparency
Disadvantage: Inside packets make their way to the
outside network, thus exposing internal IP addresses
to potential hackers.
Some firewall vendors are using stateful inspection and
proxies together for added security.
36
FireWall Example
Our ISP has assigned us the addresses:
201.123.102.32 for our gateway's external interface
201.123.102.33 for our external mail server.
Organizational policy says:
Allow all outgoing TCP connections
Allow incoming SMTP (port 25) and DNS (port 53) to
external mail server
Block all other traffic
FireWall server commands :
deny ALL
forward tcp ALL to 201.123.102.33 25
forward tcp ALL to 201.123.102.33 53
forward udp ALL to 201.123.102.33 53
www.mh2000.co.il
2000
37
FireWalls
Firewall Policies
If an intruder can find a hole in firewall, then the firewall
has failed. There are no in-between states.
Must implement a firewall policy.
The most basic firewall policy is as follows:
Block all traffic, then allow specific services on a
case-by-case basis.
This policy is restrictive but secure.
Security policies must be outlined in advance so
administrators and users know what type of activities are
allowed on the network.
Policy statement should address internal and external
access, remote user access, virus protection and
avoidance, encryption requirements, program usage, and a
number of other considerations, as outlined here:
Network traffic to and from outside networks such as
the Internet must pass through the firewall. The traffic
must be filtered to allow only authorized packets to
pass.
Never use a firewall for general-purpose file storage
or to run programs, except for those required by the
firewall.
Do not allow any passwords or internal addresses to
cross the firewall.
If you need to provide services to the public, put them
on the outside of the firewall and implement internal
settings that protect the server from attacks that would
deny service.
38
Accept the fact that you might need to completely

restore public systems from backup in the event of an
attack.
www.mh2000.co.il
2000
39
E-Commerce
5. E-Commerce
eCommerce is the use of internetworked computers to
create and transform business relationships.
Applications provide business solutions that improve the
quality of goods and services, increase the speed of
service delivery, and reduce the cost of business
operations.
It's a new methodology of doing business in three focal
areas:
Business-to-business
Business-to-consumer
Intra-business
Mostly associated with buying and selling information,
products, and services via the Internet
Also used to transfer and share information within
organizations
through
intranets
to
improve
decision-making and eliminate duplication of effort.
40
E-Commerce Usage (based on report from

CommerceNet)
Purchasing & Shopping in the USA and Canada as
Compared to Usage 1995 - 1999 (in Millions of people):
www.mh2000.co.il
2000
41
E-Commerce
Shopping & Purchasing Highlights:
55 million people shop online (researching and

comparing the price and features of products and
services online)
28 million purchase online (complete financial
transaction performed electronically over the Internet)
9 Million people are purchasing on the Internet at least
once a month.
1 Million people purchase something once a week.
42
Overall Top Shopping categories:
www.mh2000.co.il
2000
43
E-Commerce
E-Commerce resources
CommerceNet
(www.commercenet.com)
is
a
not-for-profit market and business development
organization, whose mission is to support electronic
commerce.
The
Israeli
E-Commerce
(http://ecomm.netvision.net.il)
http://www.ecommerce.gov/:
US
e-commerce policies and resources
Forum
government
CNET's Builder.com
CyberAtlas
eMarketer
ComputerWorld's
Electronic
(www.computerworld.com/stats)
Commerce
Stats
ICEC: International Center for Electronic Commerce

(icec.net)
WebMonkey's E-Commerce tutorial
WebMonkey's Telecommuters toolkit
Roy Davies' Electronic Money, or E-Money, and Digital
Cash resource includes pointers to e-money, history of
money, and value of information sources. (www.ex.ac.uk)
44
Paying in the internet

Oayment options:
Credit cards
Debit cards
Purchase order
Customer accounts?
Mostly, e-commerce transactions are credit card-based.
Credit card transactions involve a number of groups:
the merchant
the merchant bank
the customers,
the customers' banks
the companies that issued the customers' credit cards
the large credit and debit "acquiring banks" who
manage the whole mess.
All need to work together :
Don't charge the cards until the products are shipped
or delivered to the customers.
3 Phases:
1. Authentication: checking that credit cards have
valid numbers, have actually been issued, and
are not reported stolen.
2. Authorization. This process checks whether
funds are available for purchases. If they are,
you can put reservations on those funds.
3. Settlement. Once products are shipped to the
www.mh2000.co.il
2000
45
E-Commerce
customers, then you let the banks know. The

banks will release the funds that were previously
reserved, and the money will make its way
through numerous banks and intermediaries into
your account.
can get complex:
how to process returns?
How to handle partial sales?
How to deal with back orders?
How to handle tax, security, shipping ?
Vendors of internet payment Applications :
CyberCash
Verifone
OpenMarket
CyberSource
E-Commerce Security
netscape SSL protocol makes e-commerce and e-payment
secure
URLs that begin with "https://" are using SSL. (Think
of the "s" as standing for "secure.")
Need a digital ID (also known as an authentication
certificate)
Certificate is kind of like your passport or driver's
license. It's a form of identification verifying that
someone reputable confirms that you really are who
you say you are. You can get a certificate from
companies like verisign.
46
Certificate need to be installed and configured on the

web server
If hosting with a third party, either certificate is sent to
them or, if possible, their certificate may be used.
www.mh2000.co.il
2000
47
E-Commerce
E-Commerce Solutions
3 E-Commerce Solutions:
Buy a ready-made solution. Examples:
Intershop 3.0 (http://www.intershop.com/products):
iCat Pro (www.icat.com)

IBM
Net.Commerce
(www.software.ibm.com/commerce). Mostly based on
MS Windows2000
Rent space in a network-based e-commerce solution.
Examples:
Yahoo Store (store.yahoo.com)
Intershop ePages (www.intershop.com/epages)
iCat Commerce Online (www.icat.com/services/store)
Build the system from scratch with components and parts.
write server side software using C, C++, Perl,
Microsoft ASP, PHP, allaire ColdFusion etc.
also see Intershop Enterprise Edition, Microsoft Site
Server Commerce Edition,
48
design databases from scratch and integrate tax,

shipping, and payment processing software modules
with the main application.
ASP and ColdFusion have been designed to work with
popular third-party solutions to help you streamline
transaction processing requirements
www.mh2000.co.il
2000
49
E-Commerce
Exercise
Build an internet store at yahoo:
go to store.yahoo.com
following the instructions, build your on store in the
internet (it's only a 10-day free test)
choose virtual products for selling
try building order forms
when finished, see your page at :
store.yahoo.com/<store-name>
Answer the following questions:
How secure is your store from unauthorized clients or
hackers?
How secure is your information when hosted at
yahoo?
(refer to the "Privacy Policy" at Yahoo site)
50
2000
www.mh2000.co.il
51
HTTP and Cookies
6. HTTP and Cookies

HTTP/1.1
HTTP/1.1 goal is saving packets. It allows for larger
average packet sizes, more packets per TCP connection,
and better use of TCP flow control.
HTTP/1.1 allows to buffer output:
With HTTP/1.0, the client sends a request to the
server. Then the server sends a response back to the
client. Then the client sends another request to the
server, and the server sends another response to the
client.
With HTTP/1.1, the client can send as many requests
as it wants in succession, and the server can send the
responses back in succession as well. Requests and
responses are pipelined:
52
The request-response sequence looks exactly the same as

it does in HTTP/1.0. The only difference is that all
communication happens on the same TCP connection
instead of a different connection for each request.
www.mh2000.co.il
2000
53
HTTP and Cookies
Improved Caching
HTTP/1.1 allows developers to decide which parts of a
page a proxy server should cache.
Can control items caching with the Vary: Accept
header. for example, 3 clients ask for a page from
server through a proxy:
GET /page
Accept: image/gif
Client 1
GET /page
Accept: image/gif
/page
Vary: Accept
Content-Type: image/gif
/page
GET /page
Accept: image/gif
Client 2
/page
GET /page
Accept: image / jpeg
Client 3
/page
Content-Type: image / jpeg
Proxy
Server
GET /page
Accept: image / jpeg
/page
Vary: Accept
Content-Type: image / jpeg
If the proxy already has /page cached and the Accept

header is the same, the request doesn't need to go to the
54
server again.
In the example above, the proxy has two versions of /page
cached - one of type image/gif, and one of type
image/jpeg. It serves the correct one according to the
Accept: header sent by the client.
www.mh2000.co.il
2000
55
HTTP and Cookies
Cookies
A cookie is a small piece of information that the server
sends to the browser - along with an HTML page.
When a cookie arrives, the browser generally saves this
information to your hard drive;
When returning to that site, some of the stored
information will be sent back to the Web server, along
with the new request.
Example: Shopping sites are a good example of cookies
in action:
You browse a series of Web pages for items to buy,
and when you find something you want, you "add it"
to your shopping cart by clicking a button on the page.
even though communicating through an "anonymous"
connection, the site always knows exactly what's in
your personal shopping cart.
Cookies work their magic by expanding the abilities of
HTTP. A normal HTTP response header looks something
like this:
HTTP/1.0 200 Found
Date: Wed, 30 Oct 1996 23:48:22 GMT
Server: Apache/1.3
Location: http://www.mh2000.co.il/
Content: text/html
The HTTP cookie is set by the server, mostly by
client-side script like JavaScript and VBScript. The form
of the cookies is a set of <name>=<value> pairs.
56
The server can deliver cookie information to the browser,

which then saves this information and sends it back to the
server at the next visit to the same site.
Through this system, a kind of "persistent state" can be
maintained, even though there's no ongoing
communication between your browser and the
cookie-setting server.
More usage examples:
Tracking the number of unique visitors over a period
of time can be make by a script that plants a cookie
during the first visit. At subsequent visits, the script
will see that the cookie is already there and will do
nothing.
Tracking user behavior over a period of time
How to read the cookie file?
In Netscape, there's a file named cookies.txt which
contains all the cookies on your system.
Internet Explorer maintains a folder named "cookies."
under the windows dir.
A cookie is always associated with a specific domain. The
browser will only return this cookie information to the
domain where the cookie originated.
Some cookies have expiration dates. When a cookie
expires, the browser will simply erase it from the hard
drive.
Depending on where it came from, a cookie may
expire tomorrow, next week, or the year 2000.
www.mh2000.co.il
2000
57
HTTP and Cookies
Cookies with an expiration date are generally known

as "persistent cookies,"
A cookie that doesn't contain an expiration date will
only last as long as the browser stays open. These are
called "session cookies."
The real meat of cookie data is stored in a series of
<name>=<value> pairs. The rest of the data just helps
with delivery;
Every cookie has a directory path on the Web site that
tells where it was set. A different path can tell the browser
to send a different set of variables, even on the same site.
In general, cookies are harmless. Many sites won't work
properly without cookies.
There may be certain cases when you'll want to reject
cookies, but these probably don't come up that often:
Visiting a site using a browser that isn't on your own
personal machine
Another rare case is when some secret or valuable
piece of information is being transferred via a cookie
(login authentication through HTTP cookies)
58

(1 HTTP # "
TELNET HTTP ,
.
/ .Telnet
( ,/ /# 80
.port
, GET HEAD #
% ,:
GET /file.html HTTP/1.0
: Windows Telnet
.echo
(2/ Cookies # / .
/ cookie % )
,(yahoo.com/ # ""
.
2000
www.mh2000.co.il
59
Computer Viruses
7. Computer Viruses
Viruses can be divided into classes according to the
following characteristics:
environment
Operating system (OS)
different algorithms of work
destructive capabilities
Not to forget: there exist also other "harmful" programs or
so called "malware", such as Trojan horses.
60
ENVIRONMENT
According to the ENVIRONMENT viruses can be divided
into:
file
boot
macro
network
File viruses either infect executables in various ways
(parasitic - the most common type of viruses), or create file
doubles (companion viruses), or use filesystem specific
features (link viruses).
Boot viruses either save themselves in disk boot sector, or
to the Master Boot Record, or change the pointer to an
active boot sector.
Macro viruses infect document files, electronic
spreadsheets and databases of several popular software
packages.
Network viruses use protocols and commands of computer
network or email to spread themselves.
There's is a large number of combinations - for example
file-boot viruses infecting both files and boot sectors on
disks.
Another example of the combo - network macro-virus, not
only infecting the documents which are being edited, but
also sending copies of itself by email.
www.mh2000.co.il
2000
61
Computer Viruses
Operating System
The target Operating System (namely the OS specific
objects prone to attack) is the second level of division of
viruses into classes:
Each file or network virus infects files of one particular or
several OS - DOS, Windows 3.xx, Windows95/NT, OS/2
etc.
Macro viruses infect the Word, Excel, Office97 format
files.
Boot viruses are also format oriented, each attacking one
particular format of system data in boot sectors of disks.
DOS Viruses: DOS reserves two legal ways of creating

resident modules:
by drivers in CONFIG.SYS,
with the help of the KEEP function (INT 21h, AH=31h or
INT 27h).
Windows Viruses : In order to insert executable code into
Windows memory one may use one of the three ways,
moreover, all three of them (except for Windows NT) have
already been used by various viruses:
The simplest way is to register the program is one of the
applications, working at present time. To do so the
program registers its task, which may be running in a
hidden window, registers its systems events handler, etc..
Another way is to reserve a system memory block with
62
the help of the DPMI calls and to copy own code into it
(the "Ph33r" virus).
The third way is to stay resident as a VxD driver
(Windows 3.xx and Windows95) or as a Windows NT
driver.
www.mh2000.co.il
2000
63
Computer Viruses
Algorithms
Among OPERATING ALGORITHMS the following
features stand out:
TSR capability
the use of Stealth algorithms
self encryption and polymorphic capability
the use of non-standard techniques
A TSR virus while infecting a computer leaves its resident
part in RAM, which then intercepts system calls to target
objects and incorporates into them.
Resident viruses reside in memory and are active until
power down or until operating system reboot.
Nonresident viruses do not infect computer memory
and are active for an limited time only.
Some viruses leave small resident parts in RAM
which do not spread the virus. such viruses are
considered nonresident.
Macro viruses can also be considered residents, because
they reside in computer memory during all the run time of
the infected editor program.
Here the editor plays the role of operating system, and
"system reboot" means the editor program termination.
In multitasking operating systems the lifetime of a resident
DOS virus can also be limited by the moment of closing of
the infected DOS window, the activity of boot viruses in
some operating systems is limited to the moment of
installation of OS disk drivers.
64
The use of Stealth algorithms allows viruses to completely

or partially cover their traces inside the OS:
The most common stealth algorithm is interception of
OS read/write calls to infected objects. In such cases
stealth viruses either temporarily cure them, or
"substitute" themselves with uninfected pieces of
information.
In case of macro viruses the most popular technique is
to disable the ViewMacro menu(s).
"Frodo" is one of the first file Stealth viruses; "Brain"
is the first boot Stealth virus.
Stealth viruses; "Brain" is the first boot Stealth virus.
SELF-ENCRYPTING and POLYMORPHIC capabilities
are used by virtually all kinds of viruses to make virus
detection procedure as complicated as possible:
Polymorphic viruses are really hard to detect; they
have no signatures, that is none of their code
fragments remain unchanged.
In most cases two samples of the polymorphic virus
will not have a single match when doing a byte
compare.
This may be achieved by encrypting of the main body
of the virus and making modifications to the
decryption routine.
NONSTANDARD TECHNIQUES are being used in
viruses to hide themselves as deep as possible in the OS
kernel (as in "3APA3A"), to protect its residents copy from
being detected ("TPVO", "Trout2"), make curing more
www.mh2000.co.il
2000
65
Computer Viruses
difficult (for example placing its copy into Flash BIOS)

etc..
66
Destructive Capabilities
On their DESTRUCTIVE CAPABILITIES viruses can be
divided as follows:
harmless, that is having no effect on computing (except
for some lowering of free disk space as a result of
propagation);
not dangerous, limiting their effect to lowering of free
disk space and a few graphical, sound or other FX);
dangerous viruses, which may seriously disrupt the
computer's work;
very dangerous, the operating algorithms of which
intentionally contain routines which may lead to losing
data, data destruction, erasure of vital information in
system areas, and even according to one of the
unconfirmed computer legends inflict damage to the
moving mechanical parts by causing resonance in some
kinds of HDDs.
www.mh2000.co.il
2000
67
Java Applets Security
8. Java Applets Security

Since the inception of Java technology, there has been
strong and growing interest around the security of the Java
platform as well as new security issues raised by the
deployment of Java technology.
From a technology provider's point of view, Java security
includes two aspects:
Provide the Java platform (primarily through JDK) as a
secure, ready-built platform on which to run Java-enabled
applications in a secure fashion.
Provide security tools and services implemented in the
Java programming language that enable a wider range of
security-sensitive applications, for example, in the
enterprise world.
68
The Original Sandbox Model

The original security model provided by the Java platform
is known as the sandbox model:
existed in order to provide a very restricted environment
in which to run untrusted code obtained from the open
network.
Local code is trusted to have full access to vital system
resources (such as the file system)
downloaded remote code (an applet) is not trusted and can
access only the limited resources provided inside the
sandbox.
The sandbox model was deployed through the Java

Development Kit (JDK), and was generally adopted by
applications built with JDK 1.0, including Java-enabled
web browsers.
Overall security is enforced through a number of
mechanisms:
The language is designed to be type-safe and easy to use.
Compilers and a bytecode verifier ensure that only
legitimate Java bytecodes are executed. The bytecode
www.mh2000.co.il
2000
69
verifier, together with the Java Virtual Machine,

guarantees language safety at run time.
a classloader defines a local name space, which can be
used to ensure that an untrusted applet cannot interfere
with the running of other programs.
access to crucial system resources is mediated by the Java
Virtual Machine and is checked in advance by a
SecurityManager class that restricts the actions of a piece
of untrusted code to the bare minimum.
70
Applets in JDK 1.1

JDK 1.1 introduced the concept of a "signed applet":
a correctly digitally signed applet is treated as if it is
trusted local code if the signature key is recognized as
trusted by the end system that receives the applet.
Signed applets, together with their signatures, are
delivered in the JAR (Java Archive) format.
In JDK 1.1, unsigned applets still run in the sandbox.
www.mh2000.co.il
2000
71
Applets in JDK 1.2

The new security architecture in JDK 1.2, illustrated in the
figure below, is introduced primarily for the following
purposes.
Fine-grained access control. This capability existed in the

JDK from the beginning, but to use it, the application
writer had to do substantial programming (e.g., by
subclassing and customizing the SecurityManager and
ClassLoader classes).
The HotJava browser 1.0 is such an application,
as it allows the browser user to choose from a
small number of different security levels.
However, such programming is extremely
security-sensitive and requires sophisticated skills
and in-depth knowledge of computer security.
The new architecture will make this exercise
simpler and safer.
Easily configurable security policy. Once again,
72
this capability existed previously in the JDK but

was not easy to use.
Moreover, writing security code is not
straightforward, so it is desirable to allow
application builders and users to configure
security policies without having to program.
Easily extensible access control structure.
Up to JDK 1.1, in order to create a new access
permission, you had to add a new check method
to the SecurityManager class.
The new architecture allows typed permissions
(each representing an access to a system resource)
and automatic handling of all permissions
(including yet-to-be-defined permissions) of the
correct type.
No new method in the SecurityManager class
needs to be created in most cases. (In fact, we
have so far not encountered a situation where a
new method must be created.)
Extension of security checks to all Java programs,
including applications as well as applets.
There is no longer a built-in concept that all local
code is trusted.
local code (e.g., non-system code, application
packages installed on the local file system) is
subjected to the same security control as applets,
although it is possible, if desired, to declare that
the policy on local code (or remote code) be the
www.mh2000.co.il
2000
73
most liberal, thus enabling such code to

effectively run as totally trusted.
The same principle applies to signed applets and
any Java application.
74
Applet Attacks
Packers (compressors)
Packers take Trojan executables and compress them so
they are unrecognizable to anti-virus software
Packers are programs that will do just this, effectively
rendering your anti-virus software useless at defending
against known Trojans.
Packers are compression tools that compress win32 .EXE
files, and actually change the binary signature of the
executable.
The resulting compressed executable can bypass any
static anti-virus scanning engine (because the virus
signature is compressed).
Binders
Binders are programs that allow hackers to "bind" two or
more executables together resulting in a single .EXE file.
These are useful tools as they easily allow a hacker to
insert Trojan executables into harmless .EXE animations,
e-greetings and other EXEs that are commonly passed
around as e-mail attachments.
There are several "point and click" binders available for
free download on the Web including Infector v2 (pictured
left), Exe-Maker, Exe-Joiner, Trojan Man, Elitewrap and
TOP.
www.mh2000.co.il
2000

23559568 אבטחת מידע

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

23559568 אבטחת מידע

Uploaded by

Copyright:

Available Formats

:

2. SSL - Secure Socket Layer

An Introduction To Key Cryptography

SSL - Secure Socket Layer

Using Public Key Cryptography For

Bob uses his private key to encrypt the message and

Alice receives this message and decrypts it by using

hello, are you bob?

SSL - Secure Socket Layer

Alice, This Is bob

When he uses this protocol, Bob knows what message he is

With this protocol, anybody can be Bob. All you need is a

SSL - Secure Socket Layer

key. Everybody knows the certificate issuer's public key

when Alice receives Bob's first message, she can examine

But M can't satisfy Alice in the final message. M doesn't

SSL - Secure Socket Layer

The only way to find the secret is by decrypting the above

The revised protocol:

How secret-key is computed is up to the protocol being

SSL - Secure Socket Layer

MAC (Message Authentication Code)

Hi, I'm Bob,

M passes the data through without modification until

Because M doesn't know the secret, he can't compute the

SSL - Secure Socket Layer

Now, M can garble messages all he wants, but the MAC

SSL and HTTPS

Internet Server Security

3. Internet Server Security

Automatic directory listings

Symbolic Link Following

Server Side Includes

Internet Server Security

Share the same document tree between ftp and

Internet Server Security

Protecting Confidential Documents

Restriction by IP address, subnet or domain

Internet Server Security

Restriction by host or domain name has the same risks as

Restriction by user name and password?

Proxies Contain extra logging or support for user

High-end proxy server gateways operate at the upper

The third type of firewall uses stateful inspection

Screening Router (Packet Filters)

Proxy Server Gateways

server, and the proxy server delivers those requests to the

Can also strip computer names to hide internal

Stateful Inspection Techniques

Accept the fact that you might need to completely

E-Commerce Usage (based on report from

Shopping & Purchasing Highlights:

55 million people shop online (researching and

Overall Top Shopping categories:

ICEC: International Center for Electronic Commerce

Paying in the internet

customers, then you let the banks know. The

Certificate need to be installed and configured on the

iCat Pro (www.icat.com)

design databases from scratch and integrate tax,

HTTP and Cookies

6. HTTP and Cookies

The request-response sequence looks exactly the same as