PhD / CTO TailorDev
Graduated from IUT, ISIMA, Blaise Pascal University. Worked at:
Computer security is information security as applied to computers and networks.
Information security is the practice of defending information from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction.
Asymmetric encryption, or public-key cryptography, uses a pair of mathematically related keys: one key encrypts, the other decrypts.
Anyone can use the encryption key (the public key) to encrypt a message.
The decryption key (the private key), however, is kept secret by its owner.
The most widely used asymmetric algorithm is RSA.
Symmetric encryption, or pre-shared key encryption, uses a single key to both encrypt and decrypt data.
Both the sender and the receiver need the same key to communicate, so that key has to be distributed securely beforehand.
The larger the key size, the harder the key is to recover by brute force.
Popular symmetric algorithms: Blowfish, AES, Twofish.
Protocol developed by Netscape Communications Corporation.
Provides security and privacy over the Internet.
Maintains the security and integrity of the transmission channel by using encryption, authentication and message authentication codes.
Uses asymmetric cryptography to establish a shared secret key for the session, which avoids the key distribution problem of purely symmetric encryption.
It's all about authentication, privacy, and integrity.
1.0: developed by Netscape, never publicly released;
2.0: released in February 1995, but contained some security flaws;
3.0: released in 1996, later documented in RFC 6101.
During both client and server authentication there is a step in which data is encrypted with one key of an asymmetric key pair and decrypted with the other key of the pair.
An entity that issues digital certificates.
It is a trusted third party, trusted by both the subject (owner) of the certificate and the party relying upon the certificate.
When the server presents its certificate to the client during the SSL handshake, the client attempts to verify the certificate's signature against its list of known good signers (trusted CAs).
Web browsers normally come with lists of CAs that they implicitly trust to identify hosts.
If the issuing authority is not in that list, as with sites that sign their own certificates, the browser alerts the user that the certificate is not signed by a recognized authority and asks whether they wish to continue communicating with the unverified site.
Well-known Certificate Authorities: Comodo, GeoTrust, or VeriSign.
The SSL client and SSL server agree on an encryption algorithm and a shared secret key that is used for one session only.
All messages exchanged between the SSL client and SSL server are encrypted with that algorithm and key, so a message stays private even if it is intercepted.
Symmetric algorithms found in SSL/TLS implementations include: DES, 3DES, ARCFOUR (RC4), AES, Camellia, RC2, IDEA, SEED, and NULL (no encryption). Several of these (DES, RC2, RC4 and, obviously, NULL) are no longer considered secure and are disabled in modern configurations.
SSL provides data integrity by attaching a message authentication code (a keyed message digest, or fingerprint) to each record; the receiver recomputes it and rejects the record if it does not match.
Message integrity refers to maintaining and assuring the accuracy and consistency of the message.
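As an added example (not part of the original slides), the following Go program shows the hybrid scheme the sections above describe: an RSA key pair protects a freshly generated session key, and that session key protects the actual messages with AES-256-GCM, whose authentication tag plays the role of the message authentication code. RSA-OAEP and GCM are this example's choices, not SSL's: the original SSL RSA key exchange used PKCS#1 v1.5 padding and a separate MAC over each record, but the division of labour between the asymmetric and the symmetric key is the same.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"log"
)

// WrapSessionKey generates a random 32-byte session key and encrypts it with the
// receiver's RSA public key (RSA-OAEP). Anyone holding the public key can do this,
// which is what solves the key distribution problem of purely symmetric schemes.
func WrapSessionKey(pub *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32) // 32 bytes selects AES-256 below
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	if err != nil {
		return nil, nil, err
	}
	return sessionKey, wrapped, nil
}

// UnwrapSessionKey recovers the session key with the private key. Any other
// private key fails with rsa.ErrDecryption: only the key pair's owner can read it.
func UnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one message under the session key with AES-256-GCM and returns
// nonce || ciphertext || tag. The tag is the integrity check: a keyed fingerprint
// of the ciphertext, so the receiver notices any modification in transit.
func Seal(sessionKey, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // must never repeat under one key
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, nil)...), nil
}

// Open verifies the tag and decrypts. It fails for a wrong key or a tampered message.
func Open(sessionKey, msg []byte) ([]byte, error) {
	aead, err := newGCM(sessionKey)
	if err != nil {
		return nil, err
	}
	if len(msg) < aead.NonceSize() {
		return nil, errors.New("message too short")
	}
	return aead.Open(nil, msg[:aead.NonceSize()], msg[aead.NonceSize():], nil)
}

func main() {
	// The receiver's key pair: the public half is published, the private half stays with the receiver.
	receiver, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	// Sender side: pick a session key, wrap it for the receiver, encrypt a (constructed) message.
	sessionKey, wrapped, err := WrapSessionKey(&receiver.PublicKey)
	if err != nil {
		log.Fatal(err)
	}
	sealed, err := Seal(sessionKey, []byte("constructed sample message"))
	if err != nil {
		log.Fatal(err)
	}
	// Receiver side: unwrap the session key with the private key, then open the message.
	recovered, err := UnwrapSessionKey(receiver, wrapped)
	if err != nil {
		log.Fatal(err)
	}
	plain, err := Open(recovered, sealed)
	fmt.Println("same session key:", bytes.Equal(sessionKey, recovered), "plaintext:", string(plain), "err:", err)
	// A man in the middle flips one bit of the ciphertext: the tag no longer matches.
	sealed[len(sealed)-1] ^= 0x01
	_, err = Open(recovered, sealed)
	fmt.Println("tampered message rejected:", err != nil)
}
```

The expensive asymmetric operation happens once per session, on 32 bytes; everything after that is fast symmetric work, which is why every SSL/TLS version has been built this way.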
Cryptographic protocol that provides communication security over the Internet.
Internet Engineering Task Force (IETF) standard, described in RFC 5246 (TLS 1.2), and based on SSL.
Implemented on top of the transport layer (TCP).
Composed of two layers:
The Record Protocol: provides a private, reliable connection between the client and the server.
It uses symmetric cryptography to keep the connection private, and a keyed hash (HMAC) to check the integrity of every record.
The Handshake Protocol: lets the server and the client agree on a common language, that is, a negotiated encryption algorithm and negotiated encryption keys, and authenticates the server (and optionally the client).
It follows the same handshake procedure as SSL.
TLS is the successor of SSL: the SSL protocol stopped at version 3.0,
and TLS 1.0 is essentially "SSL 3.1" (that is even its version number on the wire).
The Heartbleed Bug (CVE-2014-0160) is a serious vulnerability in the popular OpenSSL cryptographic software library: a missing bounds check in the TLS heartbeat extension let a remote peer read up to 64 KB of the process's memory per request. It affected OpenSSL 1.0.1 through 1.0.1f and was fixed in 1.0.1g.
This weakness allows stealing the information that is normally protected by the SSL/TLS encryption used to secure the Internet, including private keys, session cookies and passwords. SSL/TLS provides communication security and privacy over the Internet for applications such as the web, email, instant messaging (IM) and some virtual private networks (VPNs).
More information at: http://heartbleed.com/
The main idea of HTTPS is to create a secure channel over an insecure network: HTTPS is plain HTTP carried inside an SSL/TLS connection.
HTTPS URLs begin with https:// and use port 443 by default, whereas HTTP URLs begin with http:// and use port 80 by default.
HTTPS encrypts and decrypts user page requests as well as the pages that are returned by the web server. The use of HTTPS protects against eavesdropping and man-in-the-middle attacks, provided the client verifies the server's certificate as described above.
Authentication is the mechanism whereby systems securely identify their users.
Authentication systems provide answers to the questions:
Authentication systems typically depend on some unique bit of information known only to the individual being authenticated and the authentication system: a shared secret.
In order to verify the identity of a user, the authenticating system challenges the user to present that unique information.
If the authenticating system can verify that the shared secret was presented correctly, the user is considered authenticated.
The ways in which someone may be authenticated fall into three categories, based on what are known as the factors of authentication: something the user knows, something the user has, and something the user is.
Each authentication factor covers a range of elements used to authenticate or verify a person's identity.
The three classes are:
Something the user has (possession factor): a physical token such as an ATM card, a security key, or a phone running an authenticator app.
Something the user knows (knowledge factor): the most common form of authentication; the user is required to prove knowledge of a secret, typically a password or a PIN, in order to authenticate.
Something the user is (inherence factor): a biometric characteristic of the user.
Multi-factor authentication is an approach to authentication which requires the presentation of two or more of the three authentication factors: a knowledge factor ("something the user knows"), a possession factor ("something the user has"), and an inherence factor ("something the user is"). (Wikipedia)
Two-factor authentication is not a new concept, having been used throughout history. When a bank customer visits a local automated teller machine (ATM), one authentication factor is the physical ATM card the customer slides into the machine ("something the user has"). The second factor is the PIN the customer enters through the keypad ("something the user knows").
Amazon Web Services: AWS Multi-Factor Authentication
Dropbox: Two-Factor Verification
Facebook: Login approvals
Google Accounts: 2-step verification/Google Authenticator
Microsoft/Hotmail: Microsoft account Security Code
Paypal/eBay: Security Key
Weak authentication is authentication that does not rely on trusted third parties.
Authentication with passwords is weak, and so, generally speaking, is anything that relies on a single authentication factor.