a.1.Security and Privacy - Web Applications Engineering:...
Web Applications Engineering: Security and Privacy
Service Oriented Computing Group, CSE, UNSW
Week 10
H. Paik, S. Venugopal (CSE, UNSW) COMP9321, 11s1 Week 10 1 / 52

Part I: Web Application Security

The security part of the lecture was prepared by:
Halvard Skogsrud, Senior Software Engineer, Thoughtworks, Inc., Sydney, Australia

Important Notice from Halvard
During this lecture, I will show you how to break the security of badly protected Web applications and services. However, I do not encourage you to attack Web applications, nor do I condone such behaviour. Such actions are both a breach of the law in most countries and of the CSE policy. Hence, by attempting any of the techniques presented in this lecture, you may be prosecuted by law enforcement and face expulsion from the university. The sole intention in presenting this material is to teach you how to make your own Web applications and services more secure. This way, you will not be at risk from the most common attacks.

How to Create Secure Web Applications or Services
Creating a Web application is easy, but creating a secure Web application is hard and tedious. Because of the multi-tiered architecture, security flaws may appear at many levels. You need to secure your database, your server, your application, and your network.
Result: To create a secure Web application, you need to examine every layer.

Security property basics
Confidentiality: You want to keep information secret (e.g., your credit card number).
Integrity: You want to know that a message has not been modified in transit.
Authentication: You want to know who you are communicating with.
Non-repudiation: If someone has sent a message, it should be impossible to deny it later (legal implications).
Note: Confidentiality does not mean privacy.

Cryptography Basics
Encryption scrambles a message so it can only be read by the intended recipient. Ensures confidentiality.
Signatures and hashes are checksums appended to the message that can be verified by the recipient. Ensures integrity and, if done right, can also be used for authentication and to provide a non-repudiation guarantee.

Cryptography Basics: Shared Key Cryptography
Shared key (symmetric) cryptography: Sender and recipient both know the secret key, which is used to encrypt and decrypt.
[Diagram: the sender's encryption function turns the message into the encrypted message using the shared key; the recipient's decryption function turns the encrypted message back into the message using the same shared key. Encryption provides confidentiality.]

Cryptography Basics: Hashing
Hashing (a.k.a. keyed hashing) computes a checksum of the message and the secret key...
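The integrity check the slides describe (a keyed checksum appended to the message and recomputed by the recipient who holds the shared key), as an added example that is not part of the lecture notes. It assumes HMAC-SHA256 as the keyed hash and uses a constructed shared key and message; it also shows why the key matters, since a plain unkeyed checksum can be recomputed by whoever altered the message.

```python
import hashlib
import hmac
from typing import Optional

# Constructed sample value: a shared key known only to sender and recipient.
# In practice it is generated randomly once and distributed out of band.
SHARED_KEY = b"constructed-demo-shared-key-0123456789"

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes for SHA-256


def keyed_hash(key: bytes, message: bytes) -> bytes:
    """Checksum over the message AND the secret key (HMAC-SHA256)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(key: bytes, message: bytes) -> bytes:
    """Sender appends the keyed checksum to the message, as in the slide."""
    return message + keyed_hash(key, message)


def receive(key: bytes, packet: bytes) -> Optional[bytes]:
    """Recipient splits off the tag, recomputes it with the shared key and
    compares in constant time. Returns the message, or None if the check fails
    (message modified in transit, or sender did not know the key)."""
    if len(packet) < TAG_LEN:
        return None
    message, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    if not hmac.compare_digest(tag, keyed_hash(key, message)):
        return None
    return message


def tamper(packet: bytes, old: bytes, new: bytes) -> bytes:
    """Simulate in-transit modification of the message body, leaving the tag."""
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return body.replace(old, new) + tag


def unkeyed_checksum_is_forgeable(message: bytes) -> bool:
    """Why the key matters: with a plain SHA-256 checksum, whoever changes the
    message can simply recompute it, so the recipient's check still passes."""
    altered = message.replace(b"100", b"900")
    forged = altered + hashlib.sha256(altered).digest()
    body, chk = forged[:-TAG_LEN], forged[-TAG_LEN:]
    return hashlib.sha256(body).digest() == chk  # True: forgery is undetected
```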