Security for the global Internet

Security for the global Internet

Introduction

In this article I’ll move away from COM security to provide an overview about that vast subject generally referred as “Internet security”. As you will see, providing an effective and scalable security infrastructure in the Internet is a very challenging goal. No panic anyway, since sites like Amazon.com are up and running (hem .. well most times) a solution has been found. My hope is that, after you read this article, you’llbe among the 1% of the Internet users that know what solution hasactually been found.

Security in the LAN Environment

There is nothing such as a perfect security solution that can fit into any kind of environment. 
Each solution is based on some assumptions regarding the environment where it has to be deployed. If such assumptions do not hold, the solution will likely fail miserably. 
The approach used to provide authentication and data security on a “controlled” LAN environment basically lies on these basic facts:

* Spoofing is not possible (no man in the middle scenarios).
* Authentication is delegated to an authentication authority.

Under such assumptions the security mechanism used by NTLM or Kerberos work effectively.

Security on the WEB

Authentication in a LAN environment is focused on authenticating clients; authenticating servers is not an issue cause the LAN network is considered “secure” regarding spoofing; on the contrary, on the Web the focus is reversed; providing a way to protect clients from spoofed servers isof higher concern.

You still need some form of client authentication in some cases, but, as long as e-Commerce sites are concerned, the client Credit Card number vs. it’s billing address is enough: the problem is delegated to the credit card authority.
You could then think, well NTLM is all about authenticating clients, but Kerberos can provide server authentication, so where’s the problem?

The problem is that authentication authorities can be spoofed as well. If you try to deploy the security schema used in LAN environments into the Internet, an authentication authority should provide a mean to authenticate itself to everyone that’s asking for authentication services. 
This means that the authentication authority must meet everyone to share a secret: a different secret to everyone subscribed for authentication services. This is clearly not feasible, and even if it was, client and servers cannot delegate authentication to”authentication authorities” simply since it wouldn’t scale. 

In his article “Web Security” [1] Keith Brown goes deeper into showing how there is no way to modify in some way a security framework based on “sharing secrets” to have it working in a feasible and scalable way on the globalInternet, since you always end up with the need of meet for lunch to whispersecrets.

Public Key Cryptography

Internet security problems find an acceptable solution using a new security approach called “Public Key Cryptography”. 
Public Key Cryptography was invented in the mid-1970s by Whitfield Diffie. The idea is basically this: Instead of having a single secret key that’s used for authentication and encryption/decryption, you’ve a Public key that you share to everyone that wants to communicate in a secure way with you. You then have a corresponding Private key that you never share with anyone. 

If you encrypt some text with Key A, you can only decrypt the resulting encrypted text with Key B. Because two different keys must be used public key algorithms are also known as asymmetric algorithms. With public key you can achieve both authentication and data protection.

  • Authentication: Bob encrypt a message with his private key and send it. Anyone that has Bob’s public key can successfully decrypt the message. The receiver knows that If the message didn’t come from Bob the encrypted text would decrypt to complete gibberish.
  • Secure data transmission: Bob encrypt a message with Alice’s public key and send it to her. Only Alice can successfully decrypt the message. 

It’s pretty simple to put these two things together to get authentication and data protection. 

Alice encrypts her message using Bob’s public key; in this way she can achieve Bob authentication: only the one that owns the corresponding private key will be able to decrypt the message. 
Alice then, to prove her identity, will encrypt with her private key the message she has encrypted with Bob’s public key in the previous step. 
Bob will know that the message comes from Alice since he can successfully decrypt the message using Alice’s public key (and then using his private key).


There is still one problem here though; we didn’t mention how Bob and Alice came to pass each other their public keys. Since these are public keys you may think that public key exchange doesn’t need any protection; this is not true. 
If Fred intercepts the message where Bob sends Alice his public key, he can grab the key and pass Alice his own public key instead. Now Fred can sit in the middle, having hijacked a router, decrypting Alice messages and then encrypting the plain text back with Bob’s public Key. 

Humm .. it looks like we are back whispering. This time we are not whispering secrets but public keys.  You must note anyway that the situation is somewhat better. You don’t need to whisper a different secret to everyone. There are situations where whispering public keys is still feasible: This is the model used by Pretty Good Privacy (PGP).


A more general solution is to use a X.509 security model. This model asserts that there is a rigid hierarchy of authorities whose public key is “well known”. “Well known” means that the validity of their public key is out of question. In the real world there are several authorities whose public keys actually ship with Web browsers.  There are also companies that set up their own independent hierarchy of authorities. These authorities are called Certificate Authorities since their role is to provide certificates that guaranties secure public key exchange.


If Bob wants to communicate in a safe way with Alice, he must ask to a certification authority for a digital certificate for him (and pay for it). A digital certificate is an electronic envelope whose content is encrypted with the certification authority private key. The content of the envelope contains Bob’s Public key. Bob sends Alice the certificate. Alice uses the certification authority public key to open the envelope and get Bob’s public key. Done that, Alice and Bob can communicate in a safe and trusted way without resorting to the certification authority any more.

Secure Socket Layer SSL

Secure Socket Layer (SSL) is the de-facto standard protocol for encrypted communication over the Internet (HTTPS). SSL is authentication unaware; it deals only on encryption and decryption based on a session secret key. You will probably be thinking right now: what the hell? We have been talking about asymmetric algorithms as the only mean to set a proper secured communication! Why is a symmetric algorithmused instead? 


The reason why asymmetric encryption is not used is because symmetric algorithms are hundreds of times faster than asymmetric ones when it comes to exchange bulk data. Still asymmetric algorithms (in the form of Server Certificates) do have a basic and fundamental roleindeed here: during the initial handshake phase of theSSL communication certificates are used for authenticating the server (eventually the client as well) and establishing the secret sessionkey in a secure way. 
Done that, asymmetric encryption is out of the picture and you can happily shop at Amazon.

Conclusions

I hope I have provided a clear enough overview about Internet security issues. In my opinion this subject is quite overlooked during web application development, still it is fundamental to understand all the issues involved in order to make the proper choices among the different authentication options that IIS offers you. How you will authenticate Internet users is not a last minute choice, since it may heavily influence your COM application deployment choices. 
We will see in my next article the different security configurations that IIS offers and, specifically how certificate can be used in IIS to provide web server authentication to clients and how client certificates can be used for client authentication.

[1] Web Security, MSDN magazine -June 2000, Keith Brown


 

 

devx-admin

devx-admin

Share the Post:
Poland Energy Future

Westinghouse Builds Polish Power Plant

Westinghouse Electric Company and Bechtel have come together to establish a formal partnership in order to design and construct Poland’s inaugural nuclear power plant at

EV Labor Market

EV Industry Hurting For Skilled Labor

The United Auto Workers strike has highlighted the anticipated change towards a future dominated by electric vehicles (EVs), a shift which numerous people think will

Soaring EV Quotas

Soaring EV Quotas Spark Battle Against Time

Automakers are still expected to meet stringent electric vehicle (EV) sales quotas, despite the delayed ban on new petrol and diesel cars. Starting January 2023,

Affordable Electric Revolution

Tesla Rivals Make Bold Moves

Tesla, a name synonymous with EVs, has consistently been at the forefront of the automotive industry’s electric revolution. The products that Elon Musk has developed

Poland Energy Future

Westinghouse Builds Polish Power Plant

Westinghouse Electric Company and Bechtel have come together to establish a formal partnership in order to design and construct Poland’s inaugural nuclear power plant at the Lubiatowo-Kopalino site in Pomerania.

EV Labor Market

EV Industry Hurting For Skilled Labor

The United Auto Workers strike has highlighted the anticipated change towards a future dominated by electric vehicles (EVs), a shift which numerous people think will result in job losses. However,

Soaring EV Quotas

Soaring EV Quotas Spark Battle Against Time

Automakers are still expected to meet stringent electric vehicle (EV) sales quotas, despite the delayed ban on new petrol and diesel cars. Starting January 2023, more than one-fifth of automobiles

Affordable Electric Revolution

Tesla Rivals Make Bold Moves

Tesla, a name synonymous with EVs, has consistently been at the forefront of the automotive industry’s electric revolution. The products that Elon Musk has developed are at the forefront because

Sunsets' Technique

Inside the Climate Battle: Make Sunsets’ Technique

On February 12, 2023, Luke Iseman and Andrew Song from the solar geoengineering firm Make Sunsets showcased their technique for injecting sulfur dioxide (SO₂) into the stratosphere as a means

AI Adherence Prediction

AI Algorithm Predicts Treatment Adherence

Swoop, a prominent consumer health data company, has unveiled a cutting-edge algorithm capable of predicting adherence to treatment in people with Multiple Sclerosis (MS) and other health conditions. Utilizing artificial

Personalized UX

Here’s Why You Need to Use JavaScript and Cookies

In today’s increasingly digital world, websites often rely on JavaScript and cookies to provide users with a more seamless and personalized browsing experience. These key components allow websites to display

Geoengineering Methods

Scientists Dimming the Sun: It’s a Good Thing

Scientists at the University of Bern have been exploring geoengineering methods that could potentially slow down the melting of the West Antarctic ice sheet by reducing sunlight exposure. Among these

why startups succeed

The Top Reasons Why Startups Succeed

Everyone hears the stories. Apple was started in a garage. Musk slept in a rented office space while he was creating PayPal with his brother. Facebook was coded by a

Bold Evolution

Intel’s Bold Comeback

Intel, a leading figure in the semiconductor industry, has underperformed in the stock market over the past five years, with shares dropping by 4% as opposed to the 176% return

Semiconductor market

Semiconductor Slump: Rebound on the Horizon

In recent years, the semiconductor sector has faced a slump due to decreasing PC and smartphone sales, especially in 2022 and 2023. Nonetheless, as 2024 approaches, the industry seems to

Elevated Content Deals

Elevate Your Content Creation with Amazing Deals

The latest Tech Deals cater to creators of different levels and budgets, featuring a variety of computer accessories and tools designed specifically for content creation. Enhance your technological setup with

Learn Web Security

An Easy Way to Learn Web Security

The Web Security Academy has recently introduced new educational courses designed to offer a comprehensible and straightforward journey through the intricate realm of web security. These carefully designed learning courses

Military Drones Revolution

Military Drones: New Mobile Command Centers

The Air Force Special Operations Command (AFSOC) is currently working on a pioneering project that aims to transform MQ-9 Reaper drones into mobile command centers to better manage smaller unmanned

Tech Partnership

US and Vietnam: The Next Tech Leaders?

The US and Vietnam have entered into a series of multi-billion-dollar business deals, marking a significant leap forward in their cooperation in vital sectors like artificial intelligence (AI), semiconductors, and

Huge Savings

Score Massive Savings on Portable Gaming

This week in tech bargains, a well-known firm has considerably reduced the price of its portable gaming device, cutting costs by as much as 20 percent, which matches the lowest

Cloudfare Protection

Unbreakable: Cloudflare One Data Protection Suite

Recently, Cloudflare introduced its One Data Protection Suite, an extensive collection of sophisticated security tools designed to protect data in various environments, including web, private, and SaaS applications. The suite

Drone Revolution

Cool Drone Tech Unveiled at London Event

At the DSEI defense event in London, Israeli defense firms exhibited cutting-edge drone technology featuring vertical-takeoff-and-landing (VTOL) abilities while launching two innovative systems that have already been acquired by clients.

2D Semiconductor Revolution

Disrupting Electronics with 2D Semiconductors

The rapid development in electronic devices has created an increasing demand for advanced semiconductors. While silicon has traditionally been the go-to material for such applications, it suffers from certain limitations.

Cisco Growth

Cisco Cuts Jobs To Optimize Growth

Tech giant Cisco Systems Inc. recently unveiled plans to reduce its workforce in two Californian cities, with the goal of optimizing the company’s cost structure. The company has decided to

FAA Authorization

FAA Approves Drone Deliveries

In a significant development for the US drone industry, drone delivery company Zipline has gained Federal Aviation Administration (FAA) authorization, permitting them to operate drones beyond the visual line of

Mortgage Rate Challenges

Prop-Tech Firms Face Mortgage Rate Challenges

The surge in mortgage rates and a subsequent decrease in home buying have presented challenges for prop-tech firms like Divvy Homes, a rent-to-own start-up company. With a previous valuation of

Lighthouse Updates

Microsoft 365 Lighthouse: Powerful Updates

Microsoft has introduced a new update to Microsoft 365 Lighthouse, which includes support for alerts and notifications. This update is designed to give Managed Service Providers (MSPs) increased control and

Website Lock

Mysterious Website Blockage Sparks Concern

Recently, visitors of a well-known resource website encountered a message blocking their access, resulting in disappointment and frustration among its users. While the reason for this limitation remains uncertain, specialists