Security

Who Is Speaking?

William DURAND

PhD / CTO TailorDev

Graduated from IUT, ISIMA, Blaise Pascal University. Worked at:

Open-Source evangelist:

twitter.com/couac  |  github.com/willdurand  |  williamdurand.fr

What Is Security?

Computer security is information security as applied to computers and networks.

Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.

Agenda

  • Securing The Web
  • Authentication
  • Authentication Mechanisms
  • Authorization
  • Web Security 101
  • IP tracking

Securing The Web

Agenda

  • Secure Sockets Layer (SSL)
  • Transport Layer Security (TLS)
  • HTTPS

What Is Encryption?

Asymmetric Encryption

Asymmetric encryption, or public-key cryptography, uses a pair of mathematically related keys: one key encrypts, the other decrypts.

Anyone can use the encryption key (the public key) to encrypt a message.

Only the holder of the matching decryption key (the private key) can read it, so the private key must stay secret.

The most common asymmetric encryption algorithm is RSA.

Symmetric Encryption

Symmetric encryption, or pre-shared key encryption, uses a single key to both encrypt and decrypt data.

Both the sender and the receiver need the same key to communicate, which raises the question of how that key gets to both of them safely.

The larger the key size, the harder the key is to brute-force, as long as the algorithm itself has no shortcut.

Popular symmetric algorithms: Blowfish, AES, Twofish.

SSL

Secure Socket Layer (SSL)

Protocol developed by Netscape Communications Corporation.

Provides security and privacy over the Internet.

Maintains the security and integrity of the transmission channel by using encryption, authentication and message authentication codes.

Uses public-key cryptography (RSA key transport, or a Diffie-Hellman exchange) to establish a per-session shared secret key, which avoids the key distribution problem of purely symmetric schemes.

It's all about authentication, privacy, and integrity.
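
The following is an added example (not code from the slides) that ties the asymmetric-encryption slide to the key-exchange sentence above: a textbook RSA key pair, encryption that anyone can do with the public key, decryption that only the private key can do, and the way the SSL/TLS 1.2 RSA key exchange uses that to ship a random premaster secret to the server. The primes are deliberately tiny so the arithmetic is visible, and there is no padding (OAEP), so this is for illustration only, never for real data.

```python
"""Textbook RSA and RSA key transport.  Added example, not from the slides.
Tiny primes, no padding: illustration only, not safe for real use."""
import secrets
from math import gcd
from typing import Tuple

Key = Tuple[int, int]   # (modulus n, exponent)


def generate_keypair(p: int, q: int, e: int = 65537) -> Tuple[Key, Key]:
    """Return (public_key, private_key) for two distinct primes p and q."""
    assert p != q, "p and q must differ"
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be coprime with phi(n)"
    d = pow(e, -1, phi)           # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public_key: Key, m: int) -> int:
    """Anyone holding the public key can do this."""
    n, e = public_key
    assert 0 <= m < n, "message must be smaller than the modulus"
    return pow(m, e, n)


def decrypt(private_key: Key, c: int) -> int:
    """Only the holder of d can invert the exponentiation."""
    n, d = private_key
    return pow(c, d, n)


def rsa_key_transport(server_public_key: Key) -> Tuple[int, int]:
    """Model of the SSL/TLS 1.2 RSA key exchange: the client picks a random
    premaster secret and sends it encrypted under the server's public key.
    Returns (premaster, ciphertext).  Assumption: one integer stands in for
    the real 48-byte premaster secret."""
    n, _ = server_public_key
    premaster = secrets.randbelow(n - 1) + 1
    return premaster, encrypt(server_public_key, premaster)


if __name__ == "__main__":
    pub, priv = generate_keypair(61, 53)          # n = 3233, the classic worked example
    c = encrypt(pub, 65)
    print("ciphertext:", c, "decrypts to:", decrypt(priv, c))
    print("public key cannot decrypt:", decrypt(pub, c) != 65)
    pm, wire = rsa_key_transport(pub)
    print("server recovers premaster:", decrypt(priv, wire) == pm)
```

Two things the toy makes visible: the public key is useless for decryption, which is what lets a server publish it to the whole Internet; and textbook RSA is deterministic (the same message always gives the same ciphertext), which is why real deployments wrap the message in randomised padding before exponentiating.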

Versions

  • 1.0 developed by Netscape, never publicly released;
  • 2.0 released in February 1995, but contained some security flaws;
  • 3.0 released in 1996, documented later as RFC 6101.

Both 2.0 and 3.0 are broken and are now prohibited for TLS implementations (RFC 6176 and RFC 7568); they matter only as history.

Authentication

During both client and server authentication there is a step that requires data to be encrypted with one of the keys in an asymmetric key pair and decrypted with the other key of the pair.

In a nutshell

  1. Generate a key pair (public and private key)
  2. Wrap the public key in an X.509 certificate
  3. Exchange the CA-signed certificates during the handshake (the server always presents one; the client only when client authentication is required)

Certificate Authority (CA)

An entity that issues digital certificates.

It is a third party trusted by both the subject (owner) of the certificate and the party relying upon the certificate.

When the server presents its certificate to the client during the SSL handshake, the client attempts to verify the signature against a list of known good signers.

Web browsers normally come with lists of CAs that they implicitly trust to identify hosts.

If the authority is not in the list, as with some sites that sign their own certificates, the browser alerts the user that the certificate is not signed by a recognized authority and asks whether to continue communicating with the unverified site. A user who clicks through gets encryption but no guarantee about who is at the other end.

Well-known Certificate Authorities: Comodo, GeoTrust, or VeriSign.
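
What the browser's CA check looks like when a program is the client, as an added example (not from the slides): Python's ssl module configured the way a browser behaves (chain verified against the platform CA store, hostname checked, old protocol versions refused) next to the "continue anyway" configuration that many scripts ship with. No connection is made; the block only builds and inspects the contexts.

```python
"""Strict versus trust-everything TLS client contexts.  Added example, not
from the slides.  No network access is needed to build and inspect them."""
import ssl


def strict_client_context() -> ssl.SSLContext:
    """What a browser does with its CA list: verify the chain against the
    OS trust store, check the certificate's name against the host we asked
    for, and refuse SSLv3 / TLS 1.0 / TLS 1.1."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)   # loads the platform CA bundle
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def trust_everything_context() -> ssl.SSLContext:
    """The programmatic 'continue anyway': no CA check, no hostname check.
    Any man-in-the-middle holding a self-signed certificate is accepted.
    Shown only as the anti-pattern to recognise in code review."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """Gate to run before handing a context to a socket or HTTP library."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and ctx.check_hostname
        and ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
    )


if __name__ == "__main__":
    print("strict context safe:", context_is_safe(strict_client_context()))
    print("permissive context safe:", context_is_safe(trust_everything_context()))
```

The second context is exactly what a `verify=False` in an HTTP client amounts to: the session is still encrypted, but encrypted to whoever answered, which defeats the authentication half of the protocol.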

Privacy

The SSL client and SSL server agree on an encryption algorithm and a shared secret key to be used for one session only.

All messages transmitted between the SSL client and SSL server are encrypted using that algorithm and key, ensuring that the message remains private even if it is intercepted.

Symmetric algorithms supported in SSL are: DES, 3DES, ARCFOUR, AES, Camellia, RC2, IDEA, SEED, NULL (no encryption).

Not all of these are acceptable today: DES and RC2 have keys short enough to brute-force, ARCFOUR (RC4) is biased enough that RFC 7465 prohibits it in TLS, and NULL gives integrity without any confidentiality.

Integrity

SSL provides data integrity by appending a keyed message authentication code (MAC) to every record: a hash-based fingerprint that the receiver can recompute and that an attacker cannot forge without the session's MAC key.

Message integrity refers to maintaining and assuring the accuracy and consistency of the message: a modified, replayed or reordered record fails the MAC check and the connection is torn down.

SSL Handshake

Source: An overview of the SSL handshake

TLS

Transport Layer Security (TLS)

Cryptographic protocol that provides communication security over the Internet.

Internet Engineering Task Force (IETF) standard, described in RFC 5246 (TLS 1.2), and based on SSL.

Runs on top of a reliable transport (TCP) and beneath the application protocol, which is why HTTP, SMTP or IMAP can use it unchanged.

Composed of two layers:

  • the TLS Record Protocol;
  • the TLS Handshake Protocol.

Versions

Transport Layer Security (TLS)

TLS Record Protocol

Provides a private, reliable connection between the client and the server once the handshake has produced the session keys.

Uses symmetric cryptography for confidentiality, and a keyed hash (HMAC) as message authentication code so that any modification of a record is detected.
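
The record-layer MAC that the Integrity slide and the Record Protocol description both refer to, as an added example (not code from the slides or from any TLS library). The MAC input follows RFC 5246 section 6.2.3.1: the implicit 64-bit sequence number, then the record header (type, version, length), then the fragment. The encryption step is left out so the MAC logic stands alone; in TLS 1.2 the symmetric cipher from the Privacy slide would then wrap fragment plus MAC. The key and the fragment are constructed sample values.

```python
"""TLS 1.2 record-layer MAC: compute, append, verify.  Added example, not
from the slides.  Encryption is omitted; this is the integrity half."""
import hashlib
import hmac
import struct
from typing import Optional, Tuple

APPLICATION_DATA = 23          # ContentType.application_data
TLS_1_2: Tuple[int, int] = (3, 3)
MAC_LEN = hashlib.sha256().digest_size


def record_mac(mac_key: bytes, seq_num: int, content_type: int,
               version: Tuple[int, int], fragment: bytes) -> bytes:
    """HMAC-SHA256 over seq_num || type || version || length || fragment.
    Binding the sequence number means a record cannot be replayed or
    reordered; binding the header means it cannot be re-typed."""
    header = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def protect(mac_key: bytes, seq_num: int, fragment: bytes) -> bytes:
    """Sender: what goes to the cipher is fragment || MAC."""
    return fragment + record_mac(mac_key, seq_num, APPLICATION_DATA, TLS_1_2, fragment)


def verify(mac_key: bytes, expected_seq: int, record: bytes) -> Optional[bytes]:
    """Receiver: split off the MAC, recompute it with the sequence number
    the receiver expects, compare in constant time.  None means a real
    stack would send a fatal bad_record_mac alert."""
    if len(record) < MAC_LEN:
        return None
    fragment, mac = record[:-MAC_LEN], record[-MAC_LEN:]
    expected = record_mac(mac_key, expected_seq, APPLICATION_DATA, TLS_1_2, fragment)
    if not hmac.compare_digest(mac, expected):
        return None
    return fragment


# Constructed sample key and plaintext fragment for a stand-alone run.
SAMPLE_KEY = bytes(range(32))
SAMPLE_FRAGMENT = b"GET /account HTTP/1.1\r\nHost: example.com\r\n\r\n"


def demo() -> Tuple[Optional[bytes], Optional[bytes], Optional[bytes]]:
    """Returns (intact, tampered, replayed) verification results."""
    wire = protect(SAMPLE_KEY, 0, SAMPLE_FRAGMENT)
    intact = verify(SAMPLE_KEY, 0, wire)
    flipped = bytearray(wire)
    flipped[4] ^= 0x01                       # one bit of the request path
    tampered = verify(SAMPLE_KEY, 0, bytes(flipped))
    replayed = verify(SAMPLE_KEY, 1, wire)   # same record, receiver now expects seq 1
    return intact, tampered, replayed


if __name__ == "__main__":
    print(demo())
```

Note that the sequence number never travels on the wire; both sides count records independently, so an attacker who captures a record cannot replay it later without the receiver's counter having moved on.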

TLS Handshake Protocol

Allow the server and the client to speak the same language, with a determined encryption algorithm and determined encryption keys.

Use the same handshake protocol procedure as SSL.

SSL vs TLS

TLS is the successor of SSL: the SSL protocol got to version 3.0 and was then handed over to the IETF.

TLS 1.0 carries the version number 3.1 on the wire, which is why it is sometimes called "SSL 3.1".

The Heartbleed Bug

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.

This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

Technically it is a missing bounds check in the TLS heartbeat extension (RFC 6520), tracked as CVE-2014-0160: OpenSSL 1.0.1 through 1.0.1f return up to 64 KB of process memory per heartbeat request, which can include private keys, session cookies and passwords; 1.0.1g fixes it.

More information at: http://heartbleed.com/
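
A model of the bug and of its fix, as an added example: this is not OpenSSL's code, but it mirrors the logic of OpenSSL's `tls1_process_heartbeat` before and after the 1.0.1g patch, with a bytearray standing in for the process heap. The message layout follows RFC 6520 (type, 16-bit payload length, payload, at least 16 bytes of padding); the "secret" placed next to the record is a constructed session cookie.

```python
"""Heartbleed modelled in Python.  Added example, not OpenSSL's code:
the two handlers reproduce the pre-fix and post-fix logic of
tls1_process_heartbeat, operating on a bytearray that plays the heap."""
import struct
from typing import Callable, Optional

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16
HEADER_LEN = 3           # 1-byte type + 2-byte payload_length


def build_request(payload: bytes, claimed_length: Optional[int] = None) -> bytes:
    """An honest client sets claimed_length == len(payload); the attack
    claims far more than it sends."""
    if claimed_length is None:
        claimed_length = len(payload)
    return (struct.pack("!BH", HEARTBEAT_REQUEST, claimed_length)
            + payload + b"\x00" * MIN_PADDING)


def vulnerable_handler(heap: bytearray, off: int, record_len: int) -> Optional[bytes]:
    """Pre-fix logic: trust the peer's payload_length and copy that many
    bytes starting at the payload, never asking whether the record is
    actually that long.  The copy walks straight past the record."""
    if heap[off] != HEARTBEAT_REQUEST:
        return None
    (payload_len,) = struct.unpack_from("!H", heap, off + 1)
    start = off + HEADER_LEN
    echoed = bytes(heap[start:start + payload_len])
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len)
            + echoed + b"\x00" * MIN_PADDING)


def fixed_handler(heap: bytearray, off: int, record_len: int) -> Optional[bytes]:
    """1.0.1g logic: header + claimed payload + minimum padding must fit
    inside the record that was received, otherwise drop it silently."""
    if record_len < HEADER_LEN + MIN_PADDING:
        return None
    if heap[off] != HEARTBEAT_REQUEST:
        return None
    (payload_len,) = struct.unpack_from("!H", heap, off + 1)
    if HEADER_LEN + payload_len + MIN_PADDING > record_len:
        return None                       # the bounds check that was missing
    start = off + HEADER_LEN
    echoed = bytes(heap[start:start + payload_len])
    return (struct.pack("!BH", HEARTBEAT_RESPONSE, payload_len)
            + echoed + b"\x00" * MIN_PADDING)


# Constructed heap: the incoming record sits just before other connection
# state, here a session cookie the peer must never see.
SECRET = b"Cookie: session=deadbeefcafebabe; "
ATTACK = build_request(b"A", claimed_length=100)     # sends 1 byte, claims 100
HEAP = bytearray(ATTACK + SECRET + b"\x00" * 100)


def run_attack(handler: Callable[[bytearray, int, int], Optional[bytes]]) -> Optional[bytes]:
    return handler(HEAP, 0, len(ATTACK))


if __name__ == "__main__":
    leak = run_attack(vulnerable_handler)
    print("vulnerable leaks cookie:", leak is not None and SECRET in leak)
    print("fixed response:", run_attack(fixed_handler))
```

The real attack simply repeats the request; each response brings back whatever happens to sit after the record buffer at that moment, which is how private keys were recovered from vulnerable servers.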

HTTPS

HTTP + SSL/TLS = HTTPS

Hypertext Transfer Protocol Secure

The main idea of HTTPS is to create a secure channel over an insecure network.

HTTPS URLs begin with https:// and use port 443 by default, whereas HTTP URLs begin with http:// and use port 80 by default.

HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the web server. Provided the client verifies the server's certificate, HTTPS protects against eavesdropping and man-in-the-middle attacks.

HTTPS: The Big Picture

No Excuse Not To Use HTTPS!

Authentication

Agenda

  • Authentication Factors
  • Two-Factor Authentication
  • Weak Authentication
  • Strong Authentication

Authentication

Authentication is the mechanism whereby systems may securely identify their users.

Authentication systems provide answers to the questions:

  • Who is the user?
  • Is the user really who he/she claims to be?

Authentication systems depend on some unique bit of information known only to the individual being authenticated and the authentication system: a shared secret.

In order to verify the identity of a user, the authenticating system typically challenges the user to provide that unique information.

If the authenticating system can verify that the shared secret was presented correctly, the user is considered authenticated. The system does not need to keep the secret itself: storing only a salted, slow hash of it is enough to check a presented value, and limits the damage when the user database leaks.
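
How a server checks a presented shared secret without storing the secret, as an added example (not code from the slides): the plaintext-storage "before" next to a PBKDF2-HMAC-SHA256 "after" with a per-user salt and constant-time comparison. The iteration count and salt length are this example's choices, and the unknown-user branch hashes a dummy value so that a wrong user name takes as long as a wrong password.

```python
"""Password verification: plaintext storage versus salted slow hash.
Added example, not from the slides.  Parameters are the example's own."""
import hashlib
import hmac
import os
from typing import Dict

ITERATIONS = 100_000      # assumption: tune so one hash costs ~100 ms on the server
SALT_LEN = 16             # 128-bit random salt per user


def weak_register(db: Dict[str, bytes], user: str, password: str) -> None:
    """The 'before': the secret itself goes in the table, so whoever reads
    the table is every user at once."""
    db[user] = password.encode()


def weak_verify(db: Dict[str, bytes], user: str, password: str) -> bool:
    return db.get(user) == password.encode()


def register(db: Dict[str, bytes], user: str, password: str) -> None:
    """The 'after': store salt || PBKDF2(password, salt).  Two users with
    the same password get different records, so a leaked table cannot be
    attacked with one precomputed list."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    db[user] = salt + digest


def verify(db: Dict[str, bytes], user: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    stored = db.get(user)
    if stored is None:
        # Burn the same work for an unknown user (assumption: a fixed dummy
        # salt) so response time does not reveal which names exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * SALT_LEN, ITERATIONS)
        return False
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    users: Dict[str, bytes] = {}
    register(users, "alice", "correct horse battery staple")
    print("right password:", verify(users, "alice", "correct horse battery staple"))
    print("wrong password:", verify(users, "alice", "Tr0ub4dor&3"))
    print("stored record reveals password:", b"correct horse" in users["alice"])
```

The slow hash is what turns a stolen table from an instant compromise into a per-guess cost for the attacker; the salt is what stops that cost from being paid once for all users.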

Authentication Factors

The ways in which someone may be authenticated fall into three categories, based on what are known as the factors of authentication: something the user knows, something the user has, and something the user is.

Each authentication factor covers a range of elements used to authenticate or verify a person's identity.

The three classes are:

  • the ownership/possession factors: something the user has;
  • the knowledge factors: something the user knows;
  • the inherence factors: something the user is or does.

Possession Factors

Something the user has.

Security Tokens

Dallas iButton

More Possession Factors

Non exhaustive list:

  • Cell Phones
  • Connected tokens
  • Magnetic stripe cards
  • Software tokens
  • USB tokens
  • Wireless

Knowledge Factors

Something the user knows.

Knowledge factors are the most common form of authentication. In this form the user is required to prove knowledge of a secret in order to authenticate.

  • Challenge Question
  • Password
  • Pass Phrase
  • Pattern (on Android devices for instance)
  • Personal Identification Number (PIN)

Inherence Factors

Something the user is.

  • Fingerprint
  • Retinal Pattern
  • DNA sequence
  • Signature
  • Face
  • Voice

Two-Factor Authentication

Two-Factor Authentication

Definition

Multi-factor authentication is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something the user knows"), a possession factor ("something the user has"), and an inherence factor ("something the user is"). (Wikipedia)


Two-factor authentication is not a new concept, having been used throughout history. When a bank customer visits a local automated teller machine (ATM), one authentication factor is the physical ATM card the customer slides into the machine ("something the user has"). The second factor is the PIN the customer enters through the keypad ("something the user knows").

Two-Factor Authentication Process

Examples

Amazon Web Services: AWS Multi-Factor Authentication

Dropbox: Two-Factor Verification

Facebook: Login approvals

Google Accounts: 2-step verification/Google Authenticator

Microsoft/Hotmail: Microsoft account Security Code

Paypal/eBay: Security Key

Weak Authentication

Weak Authentication

Weak authentication offers authentication without relying on trusted third parties.

Authentication with passwords is weak.

Examples

  • Passwords
  • Challenge Questions
  • PIN

And generally speaking, everything that uses one authentication factor.

On Passwords

Have I Been Pwned?