
4/17/2014

Understanding Facets
of Commercial Web Apps
By
Joscelyn Dias
Need to Know for IT Manager about:
Hosting secured web application
Web Application Models
Major security concerns
Solutions for the security concerns
Technical Aspect of its implementation
Legal Aspect in Indian context
3 Facets of Secured Web Application
Secured
Web Application
Economic
Technical
Legal
What is Secured Web Application?
Different elements that make application
Development process models
People/Roles involved in making
application
Different Web Application Models
Online goods and services
Retail product sales
Marketplace services
Government to citizen for services
Hosting of web application
Registering domain name
InterNIC ICANN
Internet Corporation for Assigned Names and Numbers
Syntax, Labels
Rightmost : TLD, ccTLD (approx 250)
Domain name registrar - administrative organization that technically
maintains/services names; authorized to assign names
Registry - maintains the database of names within the
TLD it administers. Receives & publishes registration
information using a special service
WHOIS protocol (registrant, name servers, expiration dates, etc.)
Hosting of web application
Registering domain name (contd.)
Hierarchy of domains in name
descends from the right to the left label
label to the left specifies a subdivision (subdomain) of the
domain to the right.
Legal names
Labels separated by Period character (.)
ASCII character (a-z, A-Z, 0-9), case-insensitive.
Surrounded hyphen (-) permitted
Situation of conflicts in domain names
Hosting of web application
Hosting the domain
DNS, e-mail
Uploading the content
FTP, HTTP
Enabling the payment gateway
Different Online Payment Options (Credit Card,
PayPal, Electronic bill presentment and payment,
Mobile payment, EFT, Bank Wire Transfer, Electronic
Money)
Compliance for legal issues
Terms of use
Privacy statement
Disclaimer
Security Concerns
End User
Data Privacy
Data Security (Confidentiality, Integrity)
Authenticity
Organization
Authenticity
Non-repudiation
Solutions for the concerns
Data Privacy - Privacy statement and law support
Confidentiality - Cryptography
Integrity - Hashing
Authenticity - Digital Signature and Digital Signature Certificate
Non-repudiation - Digital Signature and Digital Signature Certificate
Cryptography - Basics
What is cryptography?
Basic Methods of cryptography
Substitution
Caesar Cipher, e.g. 'ifmmp xpsme'
Transposition, e.g. 'ehlol owrdl'
Rail Fence
Columnar Transposition
Complex algorithm
Importance of key in cryptography
Cryptanalyst, brute force attacks.
Size
H . . . O . . . L . .
. E . L . W . R . D .
. . L . . . O . . . !
HOLELWRDLO!
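Added example (not part of the original slides): the Caesar and rail fence methods in Python, run on the slide's own strings. The brute-force helper shows why key size matters, since a Caesar cipher has only 25 usable keys; all function names are illustrative.

```python
def caesar(text: str, shift: int) -> str:
    """Shift each letter by `shift` places; other characters pass through."""
    out = []
    for ch in text:
        if ch.islower():
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif ch.isupper():
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def caesar_brute_force(ciphertext: str) -> dict:
    """The key space is tiny, so every candidate plaintext can simply be listed."""
    return {key: caesar(ciphertext, -key) for key in range(1, 26)}


def rail_pattern(length: int, rails: int) -> list:
    """Rail index (0 = top) for each position along the zigzag."""
    if rails < 2:
        return [0] * length
    period = 2 * (rails - 1)
    return [min(i % period, period - i % period) for i in range(length)]


def rail_fence_encrypt(text: str, rails: int) -> str:
    """Write the text along the zigzag, then read it off rail by rail."""
    pattern = rail_pattern(len(text), rails)
    return "".join(ch for r in range(rails)
                   for ch, p in zip(text, pattern) if p == r)


def rail_fence_decrypt(cipher: str, rails: int) -> str:
    """Work out which position each ciphertext character came from, then refill."""
    pattern = rail_pattern(len(cipher), rails)
    order = sorted(range(len(cipher)), key=lambda i: (pattern[i], i))
    plain = [""] * len(cipher)
    for ch, position in zip(cipher, order):
        plain[position] = ch
    return "".join(plain)


if __name__ == "__main__":
    print(caesar_brute_force("ifmmp xpsme")[1])   # key 1 recovers the slide's plaintext
    print(rail_fence_encrypt("HELLOWORLD!", 3))   # three rails, as in the diagram
```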
Cryptography - Details
Cryptography mechanisms
Symmetric - same key to encrypt / decrypt
Asymmetric - a public key and a private key
different but mathematically related keys
calculation of one key ('private key') is computationally
infeasible from the other ('public key')
necessarily related. Instead, both keys are generated
secretly, as an interrelated pair.
Comparison of mechanisms
Distributing keys : Generation, transmission, storage of keys
Multiple key management
Speed advantage
Usage
Best of both mechanisms
Hashing
What is hash?
a number given by a hash function from a message
How it is done?
This is a one-way function, meaning it is impossible to get the
original message knowing only the hash.
hash will drastically change even for the slightest modification
in the message.
extremely difficult to modify a message while keeping its
original hash.
Hashed text cannot be converted back to plain text
What purpose it serves?
ensuring that a message has not been tampered with.
used in password mechanisms, in certifying that data
applications are original (MD5 sum)
Digital Signature
What is digital signature?
Asymmetric : A private key and a corresponding public key.
Output of a key generation algorithm that selects a private key uniformly at
random from a set of possible private keys.
Signing : Given a message and a private key, the digest (hash) is
encrypted to give the signature.
Verification algorithm : given a message, public key and a
signature, either accepts or rejects the message's claim to
authenticity.
Properties
1. A signature generated from a fixed message and fixed private key
should verify the authenticity of that message by using the
corresponding public key.
2. It should be computationally infeasible to generate a valid signature
for a party who does not possess the private key.
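Added example (not part of the original slides): the hashing and hash-then-sign steps from the Hashing and Digital Signature slides, showing that a one-character change flips about half the hash bits and makes verification fail. Assumptions: SHA-256 stands in for the hash, and the key pair is a toy built from two fixed Mersenne primes using textbook RSA without padding, which is not safe for real use; all names and the sample message are constructed.

```python
import hashlib

# Toy RSA key pair (assumption for illustration): fixed primes, no padding.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                                  # public modulus
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)


def digest(message: bytes) -> int:
    """SHA-256 digest as an integer, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def bit_difference(a: bytes, b: bytes) -> int:
    """How many of the 256 SHA-256 output bits differ between a and b."""
    ha = int.from_bytes(hashlib.sha256(a).digest(), "big")
    hb = int.from_bytes(hashlib.sha256(b).digest(), "big")
    return bin(ha ^ hb).count("1")


def sign(message: bytes, private_key) -> int:
    """Signing: the digest is transformed with the private key."""
    n, d = private_key
    return pow(digest(message), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Verification: accept only if the signature opens to this message's digest."""
    n, e = public_key
    return pow(signature, e, n) == digest(message)


ORDER = b"Pay Rs. 1000 to account 12345"       # constructed sample message
TAMPERED = b"Pay Rs. 9000 to account 12345"    # one character changed
SIGNATURE = sign(ORDER, PRIVATE_KEY)

if __name__ == "__main__":
    print("bits changed:", bit_difference(ORDER, TAMPERED), "of 256")
    print("original verifies:", verify(ORDER, SIGNATURE, PUBLIC_KEY))
    print("tampered verifies:", verify(TAMPERED, SIGNATURE, PUBLIC_KEY))
```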
Digital Signature How?
Digital Signature Certificate
An electronic document that binds a public key
to a particular individual/organization
Public key of organization/person applied for the certificate
A hash to ensure certificate not tampered with.
Information : owner, certificate usage, validity duration, resource
location, web site address etc.
Also certificate ID of the person who certifies (signs) the
information.
Provides Authentication and Non-repudiation
SSL/HTTPS - Putting it together
Ensure secure transactions between web servers and browsers.
Uses a third party, a Certificate Authority (CA), to
identify one end or both ends of the transaction.
1. A browser requests a secure page (usually https://).
2. The web server sends its public key with its certificate.
3. The browser checks that the certificate was issued by a trusted party (usually a
trusted root CA), that the certificate is still valid and that the certificate is related to the
site contacted.
4. The browser then uses the public key to encrypt a random symmetric encryption key
and sends it to the server along with the encrypted URL required and other encrypted HTTP data.
5. The web server decrypts the symmetric encryption key using its private key and uses
the symmetric key to decrypt the URL and http data.
6. The web server sends back the requested html document and http data encrypted
with the symmetric key.
7. The browser decrypts the http data and html document using the symmetric key and
displays the information.
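Added example (not part of the original slides): steps 4 to 7 above as a two-sided exchange, showing the asymmetric key used only to carry the session key and the symmetric key used for the data. Assumptions: the server key pair is a toy (fixed primes, textbook RSA without padding), the symmetric cipher is a toy SHA-256 keystream, the certificate check of step 3 is not modelled, and all names and page content are constructed; this is not an SSL/TLS implementation.

```python
import hashlib
import secrets

# Toy server key pair (assumption): fixed Mersenne primes, no padding.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))


def stream_xor(key: bytes, direction: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream; same call decrypts.
    The direction label keeps request and response keystreams distinct."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + direction + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def browser_request(server_public, url: bytes):
    """Step 4: pick a random symmetric key and encrypt it with the server's public key."""
    n, e = server_public
    session_key = secrets.token_bytes(16)          # 128 bits, below the toy modulus
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    return session_key, wrapped_key, stream_xor(session_key, b"c2s", url)


def server_respond(wrapped_key: int, enc_url: bytes, pages: dict) -> bytes:
    """Steps 5-6: recover the key with the private key, decrypt the URL, encrypt the reply."""
    session_key = pow(wrapped_key, D, N).to_bytes(16, "big")
    url = stream_xor(session_key, b"c2s", enc_url)
    return stream_xor(session_key, b"s2c", pages.get(url, b"404 Not Found"))


def run_exchange(url: bytes, pages: dict):
    """Runs steps 4-7; returns what crossed the wire and what the browser displays."""
    session_key, wrapped_key, enc_url = browser_request((N, E), url)
    enc_page = server_respond(wrapped_key, enc_url, pages)
    return enc_url, enc_page, stream_xor(session_key, b"s2c", enc_page)   # step 7


PAGES = {b"/account": b"<html>balance: 1000</html>"}   # constructed sample content

if __name__ == "__main__":
    on_wire_url, on_wire_page, shown = run_exchange(b"/account", PAGES)
    print(on_wire_url.hex(), on_wire_page.hex(), shown)
```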
