Tuesday, April 15, 2008

INT420 SSL Encryption and Certification

ALlow for hyphens make sure your regular expressions are valuable
Display the Format of what you would want in side your text boxes

When you make the user registration validate all the data being entered, is it a valid e-mail phone number, name, come up with the regular expressions to this.

Common security hold is cgi scripts,

Understand the dangers and what we can use perl to pervent this
its called Taint mode

When you get data from a script(a form) so you have to be careful what they
enter in


Run your perl script sin taint mode all you got to do is add a -T anything supplied by the user can not be used in a os system, it will not be allowed to be used for a system call.


if you need to use the data you need to figure it how to untaint it, is to make it its not supplied by the forum but produced by the script itself, the dangers things you can do with data is system calls, system function you're executing a os command

0Back quotes thats dangerous, opening a file through a pipe thats os interaction anything we are doing opening deleting or renameing files, anything we are going to do you must un taint that data
0
e00xample a form were we colelct an 00000000e-mail address, and we want to use the email to email it to the user it will not work in taint mode, cause it can be possible that they wrote in a command like deleting files or w.e they can do to the systemEncryption on the exam,

When we want to send and encrypt data securly, the basic process
take the original data and an encryption key, random string of
characters, random very large number

take the data and teh encryption key and put them into a encryption alogrithem or prgram
what you get out of that in encrypted data, in order to read that data

you take the encrpyted data and a decryption key put it through the same algorithem/program,
then you end up with the original data,

Two basic models

semitrical encryption - a shared secret

with semitrical encryption you have a single key, and you use the same key to encrypt and decrypt the data

asymetrical encryption - public/private key pairs

two keys, that are designed to work togeter, a public and a private key, in this encryption you encrypt with one or decrypt with the other, u must use the other part of the pair, en pri / de pub



Client Machine Alice
AB-----
Connected to the Net
----AB
Client Machin Bob

using this semitrical encryption alas would need a copy of the key and bob will need the copy of the same key

Its good cause its fast,
you can generate a new key for every process/
---_FAST SECURE__----
Problem how do they get the copy of the same key, especially over a line, the problem with session key how do you get the key on both sides


in the past, generate it on place and take it from one to the other and install but again thats a 1 kind operation. Asymtrical alias an encrypted connect4ion for bob, he has the public key B and a private key B the private key never leaves bob,

BOb takes his public key gives it to aliace, she encrypts the data with the public and encryps with the private key,

so the communicatiosn going back to alice are not secure, when we encrypt wioth the private anyone can read it

so its not good coming back in the opposite direction but it does have a purpose,

When he sends it to alice and has the private, what does this prove to us anyone can read what bob is sending, it can only have only come from bob. Because bob only has the private this is called a digital signature, anyone with the public key can read the private key but it must come from that source,

its use for authentication as a signature
Alice can gen4erat her own public/private send it to bob send it and she can use it, heres the problem its slow and alot of work, and somewhat more compicated then it needs to be, in the internet when we want to secure over the wweb we use

SSL ---- secure socet layer, you know this from https


SSL uses all the things that were discussed above, this is how it essentially works


Bob the server alice the client,

in order to facilite encrypted communication, bob needs a public and a private key for bob, now

the admin of bob wneeds a 3rd party company to create a certificate to tell the company this is the company, they take the public keye

they take the public key and send it to CERTIFICATE AUTHORITY, dozens of company's that do this
CERTIFICATE REQUEST, name server e-mail the FQDN all info about the orginations and the computer along with the public key,
the certificate authority preforms sum auth then creats a certificate contains all the info from the certificate request + bob public key then the certificate signs it with their private key, so its digitally signed through the CA.
SSL connection
Alice sends a httpds conn to bob then he says ok then sends the certificate and it contained the public key and the didtal sign of the CA alice reciuves the certificate alices browsers is already wiiht the key of all the private ca's auth, now we accept that public key as coming to bob
BOb has his private key and alice has his public key now alice generates a symettrical key thats only good for this session and encrypts using bob public key, bob is the only way he can use it cause he has a private key



Conenection to his web server his e-mail server it puts the https yellow bar and the pad lock
if you go to Tools page info

You look at the page info and you look at security it tells the identify has been varified by Equifax

View the certificate


In the LAB
Re-install apache to include SSL you need to isntall it into a diff directory you will install OPEN SSL, allows you to generate pub and private keys and request and authority, install apache fresh,
M
M
M
we use to for trust, and the mechinism for a public key then facilitae a session key, then they use that session key

No comments: