Week 3 Reading: Secure HTTP - savannahc502/SavC-TechJournal-SEC260 GitHub Wiki
Gourley, David, and Brian Totty. HTTP: The Definitive Guide. O’Reilly, 2002.
Notes from Chapter 14: Secure HTTP
Making HTTP Safe
- HTTPS provides: server authentication, client authentication, integrity, encryption, efficiency, ubiquity, administrative scalability, adaptability, and social viability.
- HTTPS is the most popular secure form of HTTP for these reasons
- In HTTPS, all request/response data is encrypted before being sent
- HTTPS does this by "providing a transport-level cryptographic security layer—using either the Secure Sockets Layer (SSL) or its successor, Transport Layer Security (TLS)—underneath HTTP" (Gourley).
- Both TLS and SSL are very similar and thus sometimes are used interchangeably (in a vocabulary sense)
Digital Cryptography
NET-215 Notes on Cryptography and TLS
SEC-250 Notes on Symmetric vs. Asymmetric Keys
- Cryptography: art/science of encoding and decoding messages
- Can be used for data integrity and authentication
- Ciphers: Algorithms for encoding
- Keys: Numeric parameters for ciphers
- Symmetric Key vs Asymmetric Key
- Public-Keys
- Digital Signatures
Ciphers
- Cipher has a way to encode and decode a message
- Plaintext > ciphertext > plaintext
- Rotating the alphabet by three, for example, would be called a Caesar Cipher rot3 (rotation three).
Cipher Machines
- Instead of simple alphabet rotations (which are easy to break), machines can implement much more complex ciphers
Keyed Ciphers
- Most cipher machines have keys (cipher parameters) that are required to encode/decode messages
- The algorithm is the "1 + N rotation" and the key is the value of N
Digital Ciphers
- Now encoding and decoding are done by digital computers rather than mechanical machines
- "It became possible to support very large keys, so that a single cipher algorithm could yield trillions of virtual cipher algorithms, each differing by the value of the key. The longer the key, the more combinations of encodings are possible, and the harder it is to crack the code by randomly guessing keys."
Symmetric-Key Cryptography
- "Many digital cipher algorithms are called symmetric-key ciphers, because they use the same key value for encoding as they do for decoding" (Gourley)
- Both sender and receiver need the same key
- Examples: DES, Triple-DES, RC2, and RC4
Key Length and Enumeration Attacks
- Trying all key values by brute force is called an enumeration attack
- The longer the key, the longer a brute-force (enumeration) attack takes
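The keyed rotation cipher and the enumeration attack from the notes above, as a Go example added here (not code from the book): `rotN` is the rotate-by-N cipher with N as the key, and `enumerateKeys` simply tries all 26 possible keys and keeps the decryption that looks most like English. The letter-frequency scoring is an assumption of the example.

```go
package main

import (
	"fmt"
	"strings"
)

// rotN is the keyed cipher from the notes: the algorithm is "rotate by N", the key is N (0..25).
func rotN(text string, key int) string {
	var b strings.Builder
	for _, r := range text {
		switch {
		case r >= 'A' && r <= 'Z':
			b.WriteRune('A' + (r-'A'+rune(key))%26)
		case r >= 'a' && r <= 'z':
			b.WriteRune('a' + (r-'a'+rune(key))%26)
		default:
			b.WriteRune(r) // spaces and punctuation pass through unchanged
		}
	}
	return b.String()
}

// englishScore counts the most common English letters: a crude plaintext detector (assumed heuristic).
func englishScore(s string) (n int) {
	for _, r := range strings.ToLower(s) {
		if strings.ContainsRune("etaoinshr", r) {
			n++
		}
	}
	return n
}

// enumerateKeys is the enumeration attack: only 26 keys exist, so try them all and keep the best.
func enumerateKeys(ciphertext string) (key int, plaintext string) {
	best := -1
	for k := 0; k < 26; k++ {
		candidate := rotN(ciphertext, 26-k) // rotating by 26-k undoes a rotation by k
		if s := englishScore(candidate); s > best {
			key, plaintext, best = k, candidate, s
		}
	}
	return key, plaintext
}

func main() {
	ct := rotN("meet me at the secure server", 3) // constructed sample message
	k, pt := enumerateKeys(ct)
	fmt.Printf("%q -> key %d -> %q\n", ct, k, pt)
}
```

The key space here is so small that the "attack" finishes instantly, which is exactly why digital ciphers moved to very long keys.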
Establishing Shared Keys
- Disadvantage: the symmetric key has to be shared between the sender and the receiver before they can communicate
- Also different symmetric key pairs for each person you talk to.
- Admin nightmare
- No authentication
Public-Key Cryptography
- Public/private key pairs are more secure, and everyone can use the same public key for a particular host
- Messages are encrypted with the host's public key to protect them, often using the RSA algorithm
- "Asymmetric, public-key cryptography is nifty, because anyone can send secure messages to a public server, just by knowing its public key" (Gourley)
"it is common to use public-key cryptography to conveniently set up secure communication between nodes but then to use that secure channel to generate and communicate a temporary, random symmetric key to encrypt the rest of the data through faster, symmetric cryptography." (Gourley)
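The hybrid scheme described in the quote above, as a Go example added to these notes (not code from the book): the client wraps a temporary AES-256-GCM session key with the server's RSA public key (RSA-OAEP), and the bulk data travels under the fast symmetric key; only the holder of the private key can unwrap it. The `Envelope` type, the function names and the `must` helper are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is what crosses the network: the sealed session key plus the symmetrically encrypted data.
type Envelope struct {
	WrappedKey, Nonce, Ciphertext []byte
}

func must[T any](v T, err error) T { // demo helper: crash on unexpected errors
	if err != nil {
		panic(err)
	}
	return v
}

// sealForServer is the client side: random session key, AES-GCM for the data, RSA-OAEP for the key only.
func sealForServer(serverPub *rsa.PublicKey, data []byte) *Envelope {
	sessionKey := make([]byte, 32) // AES-256 key, used for this session only
	nonce := make([]byte, 12)
	rand.Read(sessionKey)
	rand.Read(nonce)
	wrapped := must(rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, sessionKey, nil))
	gcm := must(cipher.NewGCM(must(aes.NewCipher(sessionKey))))
	return &Envelope{wrapped, nonce, gcm.Seal(nil, nonce, data, nil)}
}

// openOnServer is the server side: unwrap the session key with the private key, then decrypt symmetrically.
func openOnServer(serverPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, serverPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, err // wrong private key: the session key cannot be recovered
	}
	gcm := must(cipher.NewGCM(must(aes.NewCipher(sessionKey))))
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // fails if the data was altered in transit
}

func main() {
	server := must(rsa.GenerateKey(rand.Reader, 2048)) // the server's long-term key pair
	env := sealForServer(&server.PublicKey, []byte("GET /account HTTP/1.1")) // constructed sample
	pt, err := openOnServer(server, env)
	fmt.Printf("%s %v\n", pt, err)
}
```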
Digital Signatures
- Cryptography can be used for symmetric encryption, asymmetric encryption, and signing messages (digital signatures).
- Signatures prove the authenticity of the author -- only the author's private key can create the signed checksum, which is then verified with the matching public key
- Signatures prove the integrity of the data -- tampered data produces a different checksum than the original
Public/private key pairs are usually used to accomplish this. See Week 4: Digital Certificates to learn more about how this applies to digital certificates
Digital Certificates
- Digital certificates have a set of information about a server that is digitally signed by an official certificate authority (CA).
- Information includes: subject name, dates, issuer, and digital signature of issuer
- No standard for digital certificates, but most use the X.509 v3 certificate structure
"When you establish a secure web transaction through HTTPS, modern browsers automatically fetch the digital certificate for the server being connected to. If the server does not have a certificate, the secure connection fails... When the browser receives the certificate, it checks the signing authority. If it is a public, well-respected signing authority, the browser will already know its public key (browsers ship with certificates of many signing authorities preinstalled), so it can verify the signature... If the signing authority is unknown, the browser isn’t sure if it should trust the signing authority and usually displays a dialog box for the user to read and see if he trusts the signer. The signer might be the local IT department, or a software vendor" (Gourley).
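An added Go example (not the book's code) covering both the digital-signature notes and the certificate check in the quote above: `issue` builds a self-signed root CA and then a server certificate signed by that CA (subject, issuer, validity dates and the issuer's signature, as listed above), and `verifyChain` performs the browser's check of the signing authority against a pool of trusted roots. Names such as `Example Root CA` and `www.example.com` are placeholders chosen for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a certificate for subject and has signerKey sign it. With parent == nil it is
// self-signed (a root CA); otherwise parent is the issuing CA's certificate.
func issue(subject string, isCA bool, parent *x509.Certificate, signerKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial, not unique in general
		Subject:               pkix.Name{CommonName: subject},    // subject name
		NotBefore:             time.Now().Add(-time.Hour),        // validity dates
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if !isCA {
		tmpl.DNSNames = []string{subject} // the hostname a browser will match against
	}
	if parent == nil {
		parent, signerKey = tmpl, key // self-signed: issuer == subject
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey) // errors ignored in this demo
	cert, _ := x509.ParseCertificate(der)                                       // parsing fills Issuer, Signature, ...
	return cert, key
}

// verifyChain is the browser's check from the notes: accept the server certificate only if its
// signing authority is in the pool of preinstalled (trusted) roots and the hostname matches.
func verifyChain(cert *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	leaf, _ := issue("www.example.com", false, root, rootKey)
	known := x509.NewCertPool()
	known.AddCert(root)
	fmt.Println(leaf.Subject.CommonName, "issued by", leaf.Issuer.CommonName)
	fmt.Println("known CA:", verifyChain(leaf, known, "www.example.com"), "| unknown CA:", verifyChain(leaf, x509.NewCertPool(), "www.example.com"))
}
```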
HTTPS: The Details
- HTTPS is HTTP over a secure transport layer, like SSL or TLS (which are very similar and often referred to as interchangeable terms)
HTTPS Schemes
- http scheme = port 80 by default; HTTP commands are sent directly
- https scheme = port 443 by default; the client performs an SSL handshake with the server to negotiate the SSL security parameters before any HTTP commands are sent
- SSL traffic is binary and is carried on a different port than http, usually port 443
SSL: Secure Transport Setup
- Once a TCP connection is established, the SSL layer is initiated and the two sides negotiate the cryptographic parameters and exchange keys in an SSL handshake. When the handshake is done, the request messages are sent
SSL Handshake
During the handshake, the client and server:
- "Exchange protocol version numbers
- Select a cipher that each side knows
- Authenticate the identity of each side
- Generate temporary session keys to encrypt the channel" (Gourley).
- HTTPS certificates are X.509 certificates with site information
OpenSSL
OpenSSL is the most popular open-source implementation of SSL/TLS; it is used for key exchange and for creating certificates
Tunneling Secure Traffic Through Proxies
"Clients often use web proxy servers to access web servers on their behalf... The proxy is the only device permitted by the firewall routers to exchange HTTP traffic, and it may employ virus checking or other content controls" (Gourley).
- This poses a problem: once the traffic is encrypted, the proxy cannot read the HTTP headers to direct the request to the correct destination
- This is why HTTPS through a proxy needs an additional mechanism, the HTTPS SSL tunneling protocol, which uses the CONNECT method
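The CONNECT tunnel from the last two bullets, as a Go example added to these notes (not code from the book): `handleConnect` is the proxy side, which reads only the `CONNECT host:port` request, opens the connection to the origin, answers 200 and then relays bytes it can no longer interpret; `connectThrough` is the client side that waits for the 200 before starting its SSL handshake through the tunnel. The `dial` callback stands in for a real TCP dial so the code can run offline; function names are assumptions of the example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/textproto"
	"strings"
)

// handleConnect serves one tunnel on the proxy: read "CONNECT host:443 HTTP/1.1", open a TCP
// connection to that origin, answer 200, then relay raw bytes both ways without looking at them.
func handleConnect(client net.Conn, dial func(hostport string) (net.Conn, error)) error {
	defer client.Close()
	br := bufio.NewReader(client) // reused for relaying: it may already hold the first tunnel bytes
	req, err := http.ReadRequest(br)
	if err != nil {
		return err
	}
	if req.Method != http.MethodConnect {
		fmt.Fprint(client, "HTTP/1.1 405 Method Not Allowed\r\n\r\n")
		return fmt.Errorf("expected CONNECT, got %s", req.Method)
	}
	origin, err := dial(req.Host) // the authority from the request line, e.g. "www.example.com:443"
	if err != nil {
		fmt.Fprint(client, "HTTP/1.1 502 Bad Gateway\r\n\r\n")
		return err
	}
	defer origin.Close()
	fmt.Fprint(client, "HTTP/1.1 200 Connection established\r\n\r\n")
	go io.Copy(origin, br)           // client -> origin: from here on this is SSL ciphertext
	_, err = io.Copy(client, origin) // origin -> client; returns when the origin hangs up
	return err
}

// connectThrough is the client side: request a tunnel, insist on a 200, return the reader for the SSL handshake.
func connectThrough(proxy net.Conn, hostport string) (*bufio.Reader, error) {
	fmt.Fprintf(proxy, "CONNECT %s HTTP/1.1\r\nHost: %s\r\n\r\n", hostport, hostport)
	tp := textproto.NewReader(bufio.NewReader(proxy))
	status, err := tp.ReadLine() // e.g. "HTTP/1.1 200 Connection established"
	if f := strings.Fields(status); err == nil && (len(f) < 2 || f[1] != "200") {
		err = fmt.Errorf("proxy refused the tunnel: %s", status)
	}
	if err == nil {
		_, err = tp.ReadMIMEHeader() // consume the proxy's response headers up to the blank line
	}
	return tp.R, err
}
```

Everything the proxy relays after the 200 is opaque to it, which is why content controls such as virus checking cannot be applied inside the tunnel.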