
ECT 250: Survey of e-commerce technology

2025-10-09 03:08

[Introduction] unauthorized access, use, alteration, or destruction. alarms, fireproof doors, security fences, vaults. computer assets. threat. High probability, high impact: Prevent. Low probability, low impact: Ignore. Physical threats. Logical threats. Secrecy. Integrity. Necessity. ideas. found on the Internet.

  

[Main text]

Establishing contact

t are exchanged.
• Once the client and server have agreed to the security implementations that will be enforced between them, all subsequent messages are wrapped in a secure envelope.

Security techniques

• The client and server can specify that a security feature is required, optional, or refused.
• When a feature is required it must be used or the connection will be terminated.
• Features:
  – Use of private-key encryption
  – Server authentication
  – Client authentication
  – Message integrity

Transaction integrity

• It is difficult to prevent integrity violations, but techniques can enable integrity violations to be detected; information can then be resent.
• The basic idea:
  – A hashing algorithm is applied to produce a message digest.
  – The message digest is encrypted to produce a digital signature.

Message digest

• A hashing function is applied to the message.
• This produces a number that is based on the length and content of the message. Good hash algorithms have few collisions.
• The message digest is appended to the message.
• The receiver recalculates the message digest.
• If the two do not match, integrity is violated.
Problem: What if an adversary changes both the message and the message digest?

Digital signature

• The sender computes the digest, encrypts it using her private key, and then appends the encrypted digest onto the message.
• Only the sender could have created the digital signature.
• The merchant deciphers the digest, computes his own digest, and compares the two. If they match, the integrity of the message was preserved.
• For added security, the digital signature and the message can be encrypted.

E-commerce security

E-commerce security is best studied by examining the overall process, beginning with the consumer and ending with the commerce server. This analysis produces a three part structure:
1. Client security
2. Communication channel security
3. Server security

Server threats

Server threats can be classified by the means used to obtain unauthorized access into the server:
• The Web server and its software
• Backend programs and servers such as ones for a database
• Common Gateway Interface (CGI) programs
• Other utility programs residing on the server

Security levels

• Web servers running on most machines can be set to run at various privilege levels.
  – The highest one allows access to any part of the system, including sensitive areas.
  – The lowest level provides a logical fence that prevents access to sensitive areas.
  – The rule is to use the lowest level needed to complete a given task.
• Setting up a Web server to run in high privilege mode can cause potential threats.

Entering passwords

• Web servers that require usernames and passwords can compromise security by revealing them.
• Because the Web server needs the information as it moves from page to page, it may place that in a cookie on the client’s machine.
• The server must be careful not to request that the cookie be transmitted unprotected.

Username/password pairs

• Web servers may keep files with username/password pairs to use for authentication.
• If these files are compromised then the system can be attacked by people masquerading as others.
• Users who choose passwords badly also pose a threat to Web server security. Passwords that are easily guessed, such as birth dates, child or pet names, are poor choices.
• Administrators often run programs that attempt to guess users’ passwords as a preventative measure.

Database threats

• Because databases hold valuable information, attacks on them are particularly troubling.
• Security features rely on usernames/passwords.
• Security is enforced using privileges.
• Databases that fail to store usernames/passwords in a secure manner or fail to enforce privileges can be compromised.
• During an attack, information may be moved to a less protected level of the database, giving full access.

CGI threats

• CGI implements the transfer of information from a Web server to another program.
• Like Web servers, CGI scripts can be set to run unconstrained (with high privilege).
• Defective or malicious CGI scripts can access or destroy sensitive information.
• Old CGI scripts that have been replaced can be loopholes for access into the system.
• CGI scripts can reside anywhere and are difficult to track.

Buffer overflows

• A buffer is an area of memory set aside to hold data read from a file or database.
• Buffers are necessary because I/O operations are much slower than CPU operations.
• Buffer overflows, either from a buggy program or as part of a deliberate attack, can result in:
  – A computer crash
  – Instructions for an attacking program being written into the return address save area causing it to be run by the Web server CPU

Securing the server

• Access control and authentication: Controlling who and what has access to the server; includes both users and other servers.
• Firewalls: Inside: Network and machines protected by the firewall. Outside: All other networks.

Access control

• Authentication via digital certificates and signatures.
• Usernames/passwords
  – Usernames are stored as clear text
  – Passwords are stored as encrypted text
  – A password entered is encrypted and compared against the encrypted password.
• An access control list gives the users that can access certain files and folders in the system. Read, write, and execute permissions may be set separately.

• All traffic from the outside must pass through it.
• Only authorized traffic is allowed to pass.
• The firewall should be immune to attack.
• Operates at the application layer.
• Trusted networks are inside; untrusted ones outside.
• Can
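
The "Message digest" problem and the "Digital signature" answer above, worked through as an added example that is not part of the original slides. SHA-256, the function names, the sample orders and the toy RSA key are all assumptions of this example; the key is built from publicly known primes and is unpadded, so it only illustrates the mechanism, and real systems use a padded signature scheme from a vetted library.

```python
import hashlib

# Constructed toy RSA key for illustration only: both primes are well-known
# Mersenne primes, so this key is trivially factorable. Never use it for real data.
P = 2**127 - 1
Q = 2**521 - 1
N = P * Q                          # public modulus
E = 65537                          # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the sender


def digest(message: bytes) -> int:
    """Message digest as an integer (SHA-256 is this example's choice)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def verify_plain(message: bytes, appended_digest: int) -> bool:
    """Receiver check when the bare digest is appended to the message."""
    return digest(message) == appended_digest


def sign(message: bytes) -> int:
    """Sender: encrypt the digest with the private key."""
    return pow(digest(message), D, N)


def verify_signed(message: bytes, signature: int) -> bool:
    """Receiver: decipher the digest with the public key and compare."""
    return pow(signature, E, N) == digest(message)


def demo() -> dict:
    original = b"ship 1 item to 12 Oak St"   # constructed sample order
    altered = b"ship 9 items to 99 Elm Rd"   # constructed altered order
    sig = sign(original)
    return {
        "plain_original": verify_plain(original, digest(original)),
        # A bare digest can be recomputed by anyone to match altered content.
        "plain_altered_with_new_digest": verify_plain(altered, digest(altered)),
        "signed_original": verify_signed(original, sig),
        # The old signature no longer matches, and a new one requires D.
        "signed_altered": verify_signed(altered, sig),
    }


if __name__ == "__main__":
    for check, passed in demo().items():
        print(f"{check}: {passed}")
```
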
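
The password comparison under "Access control" and the administrator guessing check under "Username/password pairs", as an added example that is not part of the original slides. It assumes a salted one-way hash (PBKDF2) as the stored form the slides call "encrypted"; the function names, iteration count, accounts and guess list are constructed for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # kept modest so the example runs quickly; raise it in production


def derive(password: str, salt: bytes) -> bytes:
    """Slow one-way transform of a password with a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """Stored form: random salt plus derived hash, never the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": derive(password, salt)}


def check_password(record: dict, attempt: str) -> bool:
    """Transform the entered password the same way and compare in constant time."""
    return hmac.compare_digest(derive(attempt, record["salt"]), record["hash"])


def audit(store: dict, guesses: list) -> list:
    """Preventative check: which accounts use a password from the guess list?"""
    return sorted(
        user for user, record in store.items()
        if any(check_password(record, guess) for guess in guesses)
    )


def build_sample_store() -> dict:
    """Constructed accounts: usernames in clear text, passwords only as records."""
    return {
        "alice": make_record("19840612"),                     # a birth date
        "bob": make_record("rex"),                            # a pet name
        "carol": make_record("marble-kettle-orbit-sandbox"),  # long passphrase
    }


if __name__ == "__main__":
    store = build_sample_store()
    print("login ok:", check_password(store["carol"], "marble-kettle-orbit-sandbox"))
    print("guessable:", audit(store, ["19840612", "rex", "password", "fluffy"]))
```

Because each record has its own salt, two users with the same password get different stored hashes, so a compromised password file does not reveal which accounts share a password.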