Application Security - PowerPoint PPT Presentation

Slides: 39
Provided by: ellise

Transcript and Presenter's Notes

1
Application Security
  • The idea of system security is to prevent
    unauthorized access to the system as a whole.
  • Application security measures essentially repeat
    the systems security measures for each existing
    application.
  • Primary focus on authentication and
    authorization.
  • Become familiar with two terms application
    security gateway and application shield.
  • Both refer to security inspection tools that
    focus on a single application (or small sets of
    applications), as opposed to firewalls.
  • Distinction between the two
  • Application security gateway addresses almost all
    security functions for an application.
  • From network-level port/protocol filtering,
    including encryption and potentially even
    intrusion detection, up to application-level
    proxies and inspection.
  • Application shield provides only
    application-level security capabilities and
    relies on an external firewall.


2
Email Spoofing
  • Misleading email alias

3
Email Spoofing (continued)
  • Sending a spoofed email
  • A spoofed email can be sent through a TCP
    connection to port 25
  • Example
  • telnet smtp_mail_server 25
    helo
    mail from spoofy_mail_address
    rcpt to The_recipient
    data
    <RFC 822 message>
    . (This is a dot)
  • Protection against email spoofing
  • Security policy for email accounts
  • Ex. work-related activities have to use work
    email.
  • The best method to counter email spoofing
  • Signed email with public key certificate

4
MIME
  • Multipurpose Internet Mail Extensions
  • An extension to RFC 822
  • RFC 2045 through RFC 2049
  • SMTP and RFC 822
  • SMTP: Simple Mail Transfer Protocol
  • An ASCII protocol suitable for delivering RFC 822
    messages
  • Limitations
  • Cannot transfer binary files
  • Limited to 7-bit ASCII
  • SMTP server may reject large mail messages
  • SMTP gateway translation problem
  • ASCII to EBCDIC
  • SMTP gateway to X.400 email networks
  • Cannot handle contextual data in X.400 messages

5
MIME (continued)
  • MIME overview
  • Five new message header fields are defined
  • Header fields in MIME
  • MIME-Version
  • MIME-Version 1.0
  • Content-Type
  • Content-Transfer-Encoding
  • Content-ID
  • Content-Description
  • Content formats are defined
  • Standards for multimedia email
  • Ex. Text, Multipart
  • Transfer encodings are defined
  • Ex. Base64
  • Example of MIME Message Structure (from RFC1521
    appendix C, page 66)
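The header fields and the base64 transfer encoding described above, in a Go example added here (not code from the presentation): it builds a two-part message with constructed addresses and a constructed boundary, then parses it back the way a MIME-aware receiving agent would, checking MIME-Version, splitting the body on the Content-Type boundary, and undoing each part's Content-Transfer-Encoding.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"io"
	"mime"
	"mime/multipart"
	"net/mail"
	"strings"
)

// Part is what a receiving agent recovers from one body part.
type Part struct{ ContentType, Encoding string; Body []byte }
const boundary = "demo-boundary-42" // constructed; real agents pick a random one

// BuildMessage writes a two-part message (constructed sample addresses): a
// 7-bit text part and a binary part base64-encoded to survive a 7-bit SMTP path.
func BuildMessage(text string, binary []byte) string {
	return "From: alice@example.test\r\nTo: bob@example.test\r\nMIME-Version: 1.0\r\n" +
		"Content-Type: multipart/mixed; boundary=" + boundary + "\r\n\r\n--" + boundary +
		"\r\nContent-Type: text/plain; charset=us-ascii\r\nContent-Transfer-Encoding: 7bit\r\n\r\n" +
		text + "\r\n--" + boundary + "\r\nContent-Type: application/octet-stream\r\n" +
		"Content-Transfer-Encoding: base64\r\n\r\n" + base64.StdEncoding.EncodeToString(binary) +
		"\r\n--" + boundary + "--\r\n"
}

// ParseMessage does what a MIME-aware agent does: check MIME-Version, take the
// boundary from Content-Type, then undo each part's Content-Transfer-Encoding.
func ParseMessage(raw string) (parts []Part, err error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	if msg.Header.Get("MIME-Version") != "1.0" {
		return nil, fmt.Errorf("not a MIME 1.0 message")
	}
	mediaType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
	if err != nil || !strings.HasPrefix(mediaType, "multipart/") {
		return nil, fmt.Errorf("expected a multipart body, got %q", mediaType)
	}
	mr := multipart.NewReader(msg.Body, params["boundary"])
	for {
		p, err := mr.NextPart()
		if err == io.EOF {
			return parts, nil // closing boundary reached
		} else if err != nil {
			return nil, err
		}
		body, err := io.ReadAll(p)
		enc := strings.ToLower(p.Header.Get("Content-Transfer-Encoding"))
		if err == nil && enc == "base64" { // 7bit content is used as-is
			body, err = base64.StdEncoding.DecodeString(string(body))
		}
		if err != nil {
			return nil, err
		}
		parts = append(parts, Part{p.Header.Get("Content-Type"), enc, body})
	}
}
```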

6
S/MIME
  • S/MIME will emerge as the Internet standard for
    commercial and organizational secure email
  • RFC 822
  • Standard for format of text content of email
  • Standard for the format of ARPA Internet text
    messages
  • Only 7-bit ASCII characters can be used
  • The email content format
  • The headers (Header lines)
  • Blank line
  • The body (unrestricted text)
  • keyword1 arguments
  • keywordN arguments
  • Body text

7
S/MIME (continued)
  • Functions provided by S/MIME
  • Enveloped data
  • Encrypted content of any type
  • Encryption keys of encrypted-content
  • Signed data
  • Message plus signed message digest encrypted by
    private key (a.k.a. digital signature)
  • Encoded by base64 encoding
  • It can only be viewed with S/MIME
  • Clear-signed data
  • It has two separate parts: clear content and
    digital signature
  • Only the signature is base64-encoded
  • It can be viewed without S/MIME; the signature
    then appears as an attachment
  • Signed and enveloped data
  • Signed data in enveloped data, or
  • Enveloped data in signed data

8
S/MIME (continued)
  • Cryptographic algorithms
  • Digital signature: DSS, RSA
  • Encrypting session key: ElGamal, RSA
  • ElGamal: a variant of Diffie-Hellman
  • Hash function: 160-bit SHA-1, 128-bit MD5
  • Encryption: triple DES, 40-bit RC2
  • Sending software must determine if the receiving
    software is capable of decrypting using a given
    encryption algorithm
  • A sending agent may announce its decrypting
    capabilities
  • The very first email sent to a particular
    receiver can only be a clear signed email
  • A receiving agent may store the information for
    future use

9
S/MIME (continued)
  • S/MIME messages
  • Securing a MIME entity
  • PKCS object
  • Produced by S/MIME
  • It is a MIME entity plus some security-related
    data, such as algorithm identifiers and
    certificates
  • Treated as message content and wrapped in MIME
  • Enveloped Data
  • Preparing for an enveloped-data
  • Generate a pseudorandom session key
  • Encrypt session key with recipient's public key
  • Prepare RecipientInfo
  • RecipientInfo: sender's public-key certificate,
    algorithm ID of session key, encrypted session
    key
  • Encrypt the message content with the session key
  • Ex. envelopedData

10
S/MIME (continued)
  • SignedData
  • Preparing a signedData
  • Select a message digest algorithm
  • Compute the message digest
  • Encrypt the message digest with the signer's
    private key
  • i.e., Generate signature
  • Prepare SignerInfo
  • SignerInfo: signer's public-key certificate,
    digest algorithm ID, encryption algorithm ID, and
    the encrypted message digest (aka, signature)
  • Ex. SignedData
  • Clear Signing
  • Two parts of "multipart/signed"
  • message is in the clear (may be encoded in base64)
  • SignedData
  • Ex. Clear signed email
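The envelopedData and signedData steps of the last two slides carried out in a Go example added here (not the presentation's code, and not real PKCS#7/CMS encoding): Seal and Open follow the session-key steps, Sign and Verify the digest-and-sign steps, with RSA-OAEP, AES-256-GCM and SHA-256 standing in for the older algorithm list on the slides. Certificates are assumed to have been exchanged already, so raw keys are passed in; the Verify check is also what makes signed email the countermeasure to spoofing mentioned on slide 3.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is a simplified envelopedData: RecipientInfo fields plus the encrypted content.
type Envelope struct {
	KeyAlg, ContentAlg string
	EncryptedKey       []byte // session key under the recipient's RSA public key
	Nonce, Ciphertext  []byte // content under the session key
}

// Seal follows the slide's steps: generate a pseudorandom session key, encrypt
// it with the recipient's public key, then encrypt the content with that key.
func Seal(recipient *rsa.PublicKey, content []byte) (*Envelope, error) {
	key := make([]byte, 32) // 256-bit AES session key
	rand.Read(key)          // crypto/rand does not return short reads on supported platforms
	ek, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, key, nil)
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // key length is fixed above, so this cannot fail
	gcm, _ := cipher.NewGCM(block)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	return &Envelope{"RSA-OAEP", "AES-256-GCM", ek, nonce, gcm.Seal(nil, nonce, content, nil)}, nil
}

// Open is the recipient's side: recover the session key, then decrypt the content.
func Open(priv *rsa.PrivateKey, e *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, e.EncryptedKey, nil)
	if err != nil {
		return nil, err // wrong recipient key: the session key cannot be recovered
	}
	block, err := aes.NewCipher(key) // rejects a recovered key of the wrong length
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm.Open(nil, e.Nonce, e.Ciphertext, nil) // fails on any tampering
}

// Sign follows the signedData steps: digest the message and encrypt the digest with the
// signer's private key (RSA PKCS#1 v1.5 over SHA-256), giving SignerInfo's signature.
func Sign(signer *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, signer, crypto.SHA256, digest[:])
}

// Verify is the receiving agent's check: recompute the digest and test the
// signature with the public key from the signer's certificate.
func Verify(signer *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(signer, crypto.SHA256, digest[:], sig) == nil
}
```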

11
S/MIME (continued)
  • S/MIME certificate processing
  • S/MIME uses public-key certificate X.509 v3
  • User software
  • Key generation: the user must be capable of
    generating Diffie-Hellman and DSS key pairs and
    should be capable of generating RSA key pairs
  • Registration: a user's public key must be
    registered with a CA
  • Certificate storage and retrieval: the user has
    access to a local list of certificates, which is
    maintained by the user

12
Web Security
  • Deals with security risks that affect Web
    servers, the local area networks that host Web
    sites, and even innocent users of Web browsers.
  • Web security policy lays out an organization's
    policies with regard to
  • who is allowed to use the system
  • when they are allowed to use it
  • what they are allowed to do (different groups may
    be granted different levels of access)
  • procedures for granting access to the system
  • procedures for revoking access (e.g. when an
    employee leaves)
  • what constitutes acceptable use of the system
  • remote and local login methods
  • system monitoring procedures
  • protocols for responding to suspected security
    breaches
  • Primarily focused on authentication,
    authorization, and auditing.

13
Web Security: SSL and TLS
  • SSL (Secure Socket Layer) was originated by
    Netscape
  • SSL 3.0 was published as an Internet draft in
    March 1996
  • TLS (Transport Layer Security)
  • Proposed as internet standard by IETF TLS working
    group
  • TLS 1.0 is a derivative of SSL 3.0
  • Essentially SSL 3.1

14
SSL/TLS Setup
  • Steps in a typical SSL/TLS setup
  • ClientHello ---->
  • Client's random number and the ciphers that it is
    prepared to use
  • <---- ServerHello
  • Server's random number and the cipher that will
    be used
  • <---- Certificate
  • Server's public key certificate
  • <---- ServerHelloDone
  • Nothing much

15
SSL/TLS Setup
  • ClientKeyExchange ---->
  • A session key, chosen by the client, for a
    symmetric-key cipher. Encrypted with the server's
    public key.
  • ChangeCipherSpec ---->
  • "Ready to go encrypted".
  • Finished ---->
  • Handshake to verify that the encrypted session is
    working.
  • <---- Finished
  • Handshake to verify that the encrypted session is
    working.
  • After this, the SSL Record Protocol transmits the
    actual data. The data (and a hash of the data)
    are encrypted with the cipher and session key
    previously determined.
  • Client-side authentication is also possible.
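The handshake above run end to end, in a Go example added here (not from the presentation): a self-signed certificate with the constructed host name demo.example stands in for the server's certificate, both ends talk over an in-memory pipe pinned to TLS 1.2, and the trustServer flag shows that the Certificate step only protects the client when the client can verify that certificate against a root it trusts. Modern TLS derives the session key from an ephemeral Diffie-Hellman exchange rather than encrypting a client-chosen key to the server's public key as the slide describes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// newServerCert makes a self-signed certificate for the demo server (what the
// Certificate message carries) and a pool that trusts it.
func newServerCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host}, // the name the client will check
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced just above, so it parses
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// Handshake runs both ends over an in-memory pipe and returns the client's view of
// the session; with trustServer=false the client has no root to verify the server.
func Handshake(trustServer bool) (tls.ConnectionState, error) {
	const host = "demo.example" // constructed name
	cert, pool, err := newServerCert(host)
	if err != nil {
		return tls.ConnectionState{}, err
	}
	cliConn, srvConn := net.Pipe()
	defer cliConn.Close() // also unblocks the server goroutine when the client aborts
	go func() { // server side: ServerHello, Certificate, ServerHelloDone, ..., Finished
		tls.Server(srvConn, &tls.Config{Certificates: []tls.Certificate{cert}}).Handshake()
	}()
	roots := x509.NewCertPool() // empty pool: no server certificate can be verified
	if trustServer {
		roots = pool
	}
	cli := tls.Client(cliConn, &tls.Config{ServerName: host, RootCAs: roots,
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12})
	if err := cli.Handshake(); err != nil {
		return tls.ConnectionState{}, err
	}
	return cli.ConnectionState(), nil
}
```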

16
  • SSL Record Protocol Operation

17
SSL Virtual Private Network Taxonomy
  • Client Side
  • Browser-only client
  • Most solutions support basic functionality
    without requiring any client software.
  • Client limitation typically is associated with
    Web proxy-only technology and some translational
    proxies.
  • Applet client
  • Many vendors support downloadable Java applets
    and similar mobile code technology.
  • For some, this code enables limited client/server
    application support through the SSL session
  • Representative vendors include Aventail and
    Neoteris.
  • Full Windows client
  • Some vendors support full client technology.
  • No conflict with IPSec clients.
  • Full clients allow complete client/server
    application communication, often using other
    protocols within SSL sessions.
  • Aventail is the primary provider of this type of
    solution.

18
SSL Virtual Private Network Taxonomy (continued)
  • Server Side
  • Web proxies
  • Similar to reverse proxies.
  • Web proxy systems grant access to Web-only
    content, often including dynamic re-writing of
    URLs.
  • Safely externalizes internal Web applications.
  • Current solutions from Check Point and Nortel fit
    into this category.
  • Translational proxies
  • These proxies function similarly to Web proxies
    described above
  • Include capability to represent and translate
    protocols into HTTP, making it possible to expose
    file-sharing servers, FTP, SMTP, and other
    applications.
  • Some versions require no client software other
    than a browser.
  • Others require a Java applet or similar to
    connect any client software (such as Outlook or
    Notes e-mail clients).
  • Aventail, Neoteris, SafeWeb, and uRoam support
    this model.

19
SSL Virtual Private Network Taxonomy (continued)
  • Server Side
  • Proxy-based VPN
  • Much closer to a traditional IPSec virtual
    private network.
  • Requires client software and uses a protocol such
    as SOCKS (within an SSL session) to provide
    access.
  • Application support is usually quite good.
  • Tradeoff is a full client install.
  • Screen scraper/terminal server
  • These technologies do not rely on strict
    proxying.
  • Instead push the presentation layer out to the
    client.
  • Execution remains on the server.
  • In some cases, the terminal service is presented
    via a translational proxy (as noted above).
  • Primary example is from Netilla.

20
What is a Web Service?
  • Exposes business functions and business processes
    over the web
  • Combines component-based development and the web
  • New breed of web application
  • All of the above!

21
What is a Web Service?
  • When considering
  • Web Services..
  • think Distributed Application Services!

22
Evolving Trends: Web Services
  • A Web Service is programmable application logic
    accessible via the Web.
  • - Microsoft
  • Web Services are a new breed of Web application.
    They are self-contained, self-describing, modular
    applications that can be published, located, and
    invoked across the Web. Web services perform
    functions, which can be anything from simple
    requests to complicated business processes. Once
    a Web service is deployed, other applications (
    other Web services) can discover and invoke the
    deployed service.
  • - IBM
  • Web services is nothing more than a moniker
    for a big honking API.. Web services provide a
    standard way to discretely package anything (a
    DB, a specific query, some business logic), and
    make it accessible to anything else (another DB,
    a WAP-enabled phone, or an external business
    partner's business logic).
  • - Gartner

23
Joint IBM/Microsoft Definition of Web Services
Web service -- The term "Web service" is broadly
applicable to a wide variety of network-based
application topologies. In this document, we use
the term "Web service" to describe application
components whose functionality and interfaces are
exposed to potential users through the
application of existing and emerging Web
technology standards including XML, SOAP, WSDL,
and HTTP. In contrast to Web sites,
browser-based interactions or platform-dependent
technologies, Web services are services offered
computer-to-computer, via defined formats and
protocols, in a platform-independent and
language-neutral manner.
24
Evolution From Application Services to Web
Services
25
Web Services: The Next Phase of the Internet
[Diagram comparing 1995 and 2004; labels recovered from the slide]
  • Concept: Hyperlinked Web Pages (1995) vs. Communicating Web Services (2004)
  • Model: Requesting Page / Requested Page (1995) vs. Requester Application / Provider Application (2004)
  • Standards
  • Enables: Flow of Information (1995) vs. Flow of Transactions (2004)
  • Result: World Wide Web (1995) vs. Worldwide Digital Economy (2004)
26
Web Services Key Technologies: Basic Requirements
  • Key specifications and technologies used when
    building or consuming Web Services, addressing
    four basic requirements:
  • A standard way to represent data: XML.
  • A common, extensible message format: SOAP.
  • A common, extensible service description
    language: WSDL.
  • A way to discover service providers: UDDI.

27
Web Service Standards
  • XML: format for data exchange and description
  • SOAP: protocol for calling web services
  • WSDL: format for describing web services
  • UDDI: repository for registering and finding web
    services

28
Web Services Key Technologies - Expanded
  • XML (Extensible Markup Language) - mechanism for
    creating distributed processing web services.
  • SOAP (Simple Object Access Protocol) - protocol
    for document interchange.
  • UDDI (Universal Description, Discovery, and
    Integration) - phonebook for discovering
    available Web Services. Variants include the
    following:
  • DISCO (Discovery of Web services) - Microsoft's
    current thinking about discovery of SOAP/web
    services; proposes a way that information about
    web services might be embedded in documents and
    recovered by a user agent.
  • ADS (Advertisement and Discovery of Services) -
    IBM's current thinking, to allow web service
    providers to advertise the availability of their
    services.
  • WSDL (Web Services Description Language) -
    provides the contract or the definition of Web
    Service objects schema.

29
Web Services Foundations
30
Consuming / Registering a Web Service
31
Instead of Web Services, Why Not Traditional
Middleware?
  • No middleware product is the clear winner.
  • Require compatible architectures.
  • Require object-model-specific protocols.
  • Difficulty in getting through firewalls.
  • All major vendors support web services, whereas
    with middleware it is hit or miss.

32
The Promise of Web Services
  • Allow pieces of software written in different
    languages, or running on different operating
    systems, to talk to one another cheaply and
    easily.
  • Allow applications running in different parts of
    an organization, or in different organizations,
    to talk to one another and/or exchange data
    easily and cheaply.
  • Use universal and non-proprietary data standards
    so that integration between new pieces of
    software and legacy systems will be simple.

33
Web Services Benefits
  • Relies on ubiquitous web infrastructure
  • Everyone is connected to the Net
  • Uses commodity software
  • Broad industry support
  • High levels of abstraction
  • Maps to any existing technology or platform
  • Service-oriented architecture
  • Integrate supply chains
  • Eliminate duplicate data entry
  • Direct connection to trading partner IT systems

34
Web Services Could Lower Costs
  • By lowering the cost of software integration
    between systems, Web Services offers a way to
    maintain and integrate legacy IT systems at a
    lower cost than typical Enterprise Application
    Integration (EAI) efforts.
  • By allowing software running on different
    platforms to communicate, Web Services reduces
    the cost and headaches of multiple platforms
    running on everything from mainframes to servers
    to desktops to PDAs.
  • By employing universal, non-proprietary
    standards, Web Services dramatically lowers the
    IT costs of collaborating with external partners,
    vendors or clients.

35
Caveats Regarding Web Services
  • Web Services is not a panacea.
  • Web Services will be valuable, but implementing
    them won't be easy.
  • No magic bullet here.
  • Web Services require clear goals, careful
    planning, and detailed execution.
  • Standards are still in flux.
  • Interoperability isn't automatic.
  • Besides universally adopted XML, higher-level
    standards are required to make Web Services work.
  • For example, two banks that want to communicate
    need more than XML.
  • Might agree on a higher-level standard such as
    OFX (Open Financial Exchange).
  • Achieving coordination and agreement on high-level
    data standards is the single biggest difficulty
    Web Services face over the near term.
  • Expect Web Services to be adopted within
    enterprises first
  • Coordination issues can be simpler in-house than
    those between organizations.

36
Web Services Security Requirements
  • Web Services Security means that a message
    recipient will be able to do some or all of the
    following.
  • Verify the integrity of a message, i.e., that it
    is unmodified.
  • Receive a message confidentially, so that
    unauthorized parties can't see it.
  • Determine the identity of the sender --
    authenticating them.
  • Determine if the sender is authorized to perform
    the operation requested (explicitly or
    implicitly) by the message.
  • In a distributed environment, cryptography is
    critical to meeting these requirements.
  • Signing and encrypting can directly meet the
    first two needs.
  • The other two requirements are built on top of
    those operations.

37
Web Services Security Threats
  • Denial of service.
  • Bugs, viruses and private data corruption.
  • Spoofing and bot-nets (i.e., losing control of
    processors to malicious users).

38
Web Services Vulnerabilities
  • Buffer overrun in applications and services.
  • Can expose systems to malicious code
  • Can compromise confidential data.
  • Bogus certificates, URL spoofing and IP spoofing.
  • Can mask true identity of the server or web site
    at the other end of a network connection.
  • Flawed logic in the processing of XML content by
    a web browser.
  • Can expose security holes.

39
Next Session Highlights
  • Web Service Security Considerations (continued)
  • Password Security
  • Viruses
  • Hacking Practices