Web Security

Uploaded by: jiups****uk12  Document ID: 45705633  Uploaded: 2018-06-18  Format: PPT  Pages: 101  Size: 2.67MB

Contents
1. Overview of Web security
2. SSL
3. SSL programming
4. Apache Web Server security

Overview of Web security

Web security threats and countermeasures

Characteristics of Web security:
- It provides two-way services, and its ability to defend against attacks is weak.
- As the visible front window and the platform for business interaction, it offers many services, and the organization's reputation depends on it.
- The underlying software is large (Apache is about 10 MB); it has historically had the most vulnerabilities and the most attack methods.
- If it is compromised, it may become a stepping stone into the enterprise.
- Its configuration is relatively complex.

Components of Web security:
- Browser security
- Web Server security
- Security of the network communication between Browser and Web Server

Web security solutions:
- Network layer: IPSec
- Transport layer: SSL/TLS
- Application layer: SET/S-HTTP

Secure Sockets Layer (SSL)

SSL design goals:
- Provide a channel for transmitting sensitive information between Browser and Web Server
  - Social Security Number (SSN)
  - Credit Card, etc.
- Provide access control
  - Open
  - Closed
- SSL is designed to use TCP to provide a reliable end-to-end secure service, giving two communicating parties confidentiality and integrity (with identity authentication).

SSL history:
- Developed by Netscape in 1994
  - SSLv2 released in 1995
  - SSLv3 also released in 1995 due to bugs in v2
- In 1996 the IETF formed
  - the Transport Layer Security (TLS) committee
  - TLSv1 was based upon SSLv3
- Netscape and Microsoft both support TLSv1

SSL functions:
- SSL provides four basic functions:
  - Authentication
  - Encryption
  - Integrity
  - Key Exchange
- Two kinds of cryptography are used:
  - Asymmetric encryption: authentication, and exchange of the encryption keys
  - Symmetric encryption: encrypting the transmitted data

SSL structure

SSL Record Protocol:
- SSL is independent of the application protocol.
- It is most often used with HTTP, but can also be used with other protocols such as NNTP and TELNET.
- It is built on a reliable transport protocol (such as TCP).
- It provides connection security:
  - Confidentiality, using a symmetric encryption algorithm
  - Integrity, using the HMAC algorithm
- It is used to encapsulate higher-layer protocols.

SSL Handshake Protocol:
- Client and server authenticate each other.
- Encryption algorithms and keys are negotiated.
- It provides connection security:
  - Identity authentication: at least one side is authenticated; authentication may also be mutual.
  - The negotiated shared secret is secure; a man-in-the-middle cannot learn it.
  - The negotiation process is reliable.

Protocol usage

SSL architecture

SSL basic concepts:
- Connection
- Session

Connection:
- A connection is a transport (in the sense of the OSI layering model) that provides a suitable type of service.
- For SSL, such connections are peer-to-peer relationships.
- Connections are transient; every connection is associated with one session.

Session:
- An SSL session is an association between a client and a server.
- Sessions are created by the Handshake Protocol.
- A session defines a set of cryptographic security parameters that can be shared by multiple connections.
- For each connection, the session can be used to avoid the expensive negotiation of new security parameters.

Connection vs. session:
- Between any pair of parties there may be multiple secure connections.
- In theory, the two parties may have multiple simultaneous sessions, but in practice this feature is not used.

Session state parameters:
- session identifier: An arbitrary byte sequence chosen by the server to identify an active or resumable session state.
- peer certificate: X.509v3 certificate of the peer. This element of the state may be null.
- compression method: The algorithm used to compress data prior to encryption.
- cipher spec: Specifies the bulk data encryption algorithm (such as null, DES, etc.) and a MAC algorithm (such as MD5 or SHA). It also defines cryptographic attributes such as the hash_size.
- master secret: 48-byte secret shared between the client and server.
- is resumable: A flag indicating whether the session can be used to initiate new connections.

Connection state parameters:
- server and client random: Byte sequences that are chosen by the server and client for each connection.
- server write MAC secret: The secret used in MAC operations on data written by the server.
- client write MAC secret: The secret used in MAC operations on data written by the client.
- server write key: The bulk cipher key for data encrypted by the server and decrypted by the client.
- client write key: The bulk cipher key for data encrypted by the client and decrypted by the server.
- initialization vectors: When a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key. This field is first initialized by the SSL handshake protocol. Thereafter the final ciphertext block from each record is preserved for use with the following record.
- sequence numbers: Each party maintains separate sequence numbers for transmitted and received messages for each connection. When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero. Sequence numbers are of type uint64 and may not exceed 2^64-1.

Key derivation (diagram):
pre_master_secret -> master secret -> Client write MAC secret, Client write secret, Client write IV, Server write MAC secret, Server write secret, Server write IV

SSL Handshake

SSL handshake protocol message format (diagram: Client, Server)

Phase 1: Establishing security capabilities

Client Hello (SSL Client -> SSL Server, port 443)
1. The Client Hello message is composed of:
   a. SSL Version (highest) that is understood by the client: TLSv1, else SSLv3
   b. Key Exchange, to identify the method of exchanging keys: RSA, if not then D-H
   c. Data Encryption, to identify the encryption methods available to the client: TripleDES or else DES
   d. Message Digest, for data integrity: SHA or else MD5
   e. Data Compression method for message exchange: PKZip or else gzip
   f. A random number to compute the secret key

Server Hello (SSL Server -> SSL Client)
1. The Server Hello message is composed of:
   a. SSL Version (highest) that is understood by the client: TLSv1
   b. Key Exchange, to identify the method of exchanging keys: RSA
   c. Data Encryption, to identify the encryption methods available to the client: DES
   d. Message Digest, for data integrity: MD5
   e. Data Compression method for message exchange: PKZip
   f. A random number to compute the secret key

Cipher Suite Alternatives:
- Key Exchange: RSA, Fixed Diffie-Hellman, Ephemeral Diffie-Hellman, Anonymous Diffie-Hellman, Fortezza
- Data Encryption: RC2-40, RC4-128, DES, DES-40, 3DES, IDEA, Fortezza
- Message Digest: MD5, SHA
- Data Compression: PKZip, WinZip, gzip, StuffIt

Server Certificate (SSL Server -> SSL Client)
1. The Server Certificate message is composed of:
   a. The server identifier information
   b. A digital certificate of the server information, encrypted with the CA's private key. This contains the server's public key.

Client Certificate Request
1. The Client Certificate Request message is composed of:
   a. The Certificate type, to indicate the type of public ke
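The key-derivation diagram above (pre_master_secret to master secret to the six per-connection secrets) carried through in code. This is an added example, not code from the original slides: it implements the TLS 1.0 PRF from RFC 2246 (TLSv1 is the SSLv3 successor the slides describe), and the MAC/key/IV sizes it assumes (20/24/8 bytes) are those of the 3DES-with-SHA suite from the cipher suite list.

```python
# Added example, not from the original slides: TLS 1.0 (RFC 2246) key derivation
# turning the pre_master_secret and the two Hello randoms into the connection state.
import hashlib
import hmac


def hmac_digest(key: bytes, msg: bytes, hash_name: str) -> bytes:
    """HMAC over msg with the given key, using hashlib's md5 or sha1."""
    return hmac.new(key, msg, getattr(hashlib, hash_name)).digest()


def p_hash(secret: bytes, seed: bytes, hash_name: str, out_len: int) -> bytes:
    """P_hash expansion: concatenate HMAC(secret, A(i) + seed), A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed                       # A(0) = seed
    while len(out) < out_len:
        a = hmac_digest(secret, a, hash_name)
        out += hmac_digest(secret, a + seed, hash_name)
    return out[:out_len]


def prf(secret: bytes, label: bytes, seed: bytes, out_len: int) -> bytes:
    """TLS 1.0 PRF: P_MD5 over the first half of secret XOR P_SHA1 over the second."""
    half = (len(secret) + 1) // 2            # halves overlap by one byte for odd lengths
    s1, s2 = secret[:half], secret[-half:]
    md5_part = p_hash(s1, label + seed, "md5", out_len)
    sha1_part = p_hash(s2, label + seed, "sha1", out_len)
    return bytes(x ^ y for x, y in zip(md5_part, sha1_part))


def derive_connection_keys(pre_master_secret: bytes, client_random: bytes,
                           server_random: bytes, mac_len: int, key_len: int,
                           iv_len: int):
    """Return the 48-byte master secret and the six per-connection secrets."""
    master_secret = prf(pre_master_secret, b"master secret",
                        client_random + server_random, 48)
    # Key expansion seeds with the randoms in the opposite order (RFC 2246 6.3).
    key_block = prf(master_secret, b"key expansion",
                    server_random + client_random,
                    2 * (mac_len + key_len + iv_len))
    names = ["client_write_MAC_secret", "server_write_MAC_secret",
             "client_write_key", "server_write_key",
             "client_write_IV", "server_write_IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = key_block[pos:pos + size]   # slice the key block in RFC order
        pos += size
    return master_secret, keys


if __name__ == "__main__":
    # Constructed sample values; a real handshake draws these at random.
    pms = b"\x03\x01" + b"\x11" * 46         # RSA pre_master_secret: version + 46 bytes
    ms, keys = derive_connection_keys(pms, b"\xaa" * 32, b"\xbb" * 32, 20, 24, 8)
    print("master_secret:", ms.hex(), *(f"{n}: {v.hex()}" for n, v in keys.items()), sep="\n")
```

Changing a single byte of either random changes every derived secret, which is why the two Hello randoms protect a resumed session from key reuse across connections.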
