WEB的安全性PPT课件下载推荐.ppt

WEB的安全性PPT课件下载推荐.ppt

《WEB的安全性PPT课件下载推荐.ppt》由会员分享，可在线阅读，更多相关《WEB的安全性PPT课件下载推荐.ppt（89页珍藏版）》请在冰豆网上搜索。

Web安全性,目录Web安全概述SSLSSL程序设计ApacheWebServer安全,Web安全概述,Web安全威胁及对策,Web安全的特点,提供双向的服务，攻击防范能力脆弱作为可视化窗口和商业交互平台，提供多种服务，事关声誉底层软件庞大，如apache约10M，历来是漏洞之最，攻击手段最多如果被攻破可能导致成为进入企业的跳板配置比较复杂,Web安全的组成部分,Browser安全WebServer安全Browser与WebServer之间网络通信安全,Web安全方案,网络层：

@#@IPSec传输层：

@#@SSL/TLS应用层：

@#@SET/SHTTP,目录Web安全概述SSLSSL程序设计ApacheWebServer安全,SecureSocketsLayer（SSL）,SSL设计目标,在Browser和WebServer之间提供敏感信息传输通道SocialSecurityNumber（SSN）CreditCard,etc提供访问控制OpenClosedSSL被设计用来使用TCP提供一个可靠的端到端安全服务，为两个通讯个体之间提供保密性和完整性（身份鉴别）,SSL历史,Netscape公司于1994开发SSLv2releasedin1995SSLv3alsoreleasedin1995duetobugsinv21996年IETF成立TransportLayerSecurity（TLS）committeeTLSv1wasbaseduponSSLv3Netscape、Microsoft都支持TLSv1,SSL功能,SSL提供四个基本功能AuthenticationEncryptionIntegrityKeyExchange,采用两种加密技术非对称加密认证交换加密密钥对称加密：

@#@加密传输数据,SSL功能,SSL的结构,SSL是独立于各种协议的常用于HTTP协议，但也可用于别的协议，如NNTP，TELNET等,建立在可靠的传输协议（如TCP）基础上提供连接安全性保密性，使用了对称加密算法完整性，使用HMAC算法用来封装高层的协议,SSL记录协议,客户和服务器之间相互鉴别协商加密算法和密钥提供连接安全性身份鉴别，至少对一方实现鉴别，也可以是双向鉴别协商得到的共享密钥是安全的，中间人不能知道协商过程是可靠的,SSL握手协议,协议的使用,SSL体系结构,连接会话,SSL基本概念,连接是能提供合适服务类型的传输（在OSI分层模型中的定义）对SSL，这样的连接是对等关系连接是暂时的，每个连接都和一个会话相关,连接,SSL会话是指在客户机和服务器之间的关联会话由握手协议创建会话定义了一组可以被多个连接共用的密码安全参数对于每个连接，可以利用会话来避免对新的安全参数进行代价昂贵的协商,会话,在任意一对的双方之间，也许会有多个安全连接理论上，双方可以存在多个同时会话，但在实践中并未用到这个特性,连接Vs会话,会话状态参数,连接状态参数,各种密钥,pre_master_secret,SSLHandshake,SSL握手协议报文格式,一建立安全能力,ClientHello,SSLClient,SSLServer,Port443,TheClientHellomessageiscomposedofSSLVersion（highest）thatisunderstoodbytheclient.TLSv1elseSSLv3b.KeyExchangetoidentifythemethodofexchangingkeys.RSAifnotthenD-H.c.DataEncryptiontoidentifytheencryptionmethodsavailabletotheClient.TripleDesorelseDESd.MessageDigestfordataintegrity.SHAorelseMD5e.DataCompressionmethodformessageexchangePKZiporelsegzipf.ARandomnumbertocomputethesecretkey,https:

@#@/www.,SSLClient,SSLServer,ServerHello,TheServerHellomessageiscomposedofSSLVersion（highest）thatisunderstoodbytheclient.TLSv1b.KeyExchangetoidentifythemethodofexchangingkeys.RSA.c.DataEncryptiontoidentifytheencryptionmethodsavailabletotheClient.DESd.MessageDigestfordataintegrity.MD5e.DataCompressionmethodformessageexchangePKZipf.ARandomnumbertocomputethesecretkey,一建立安全能力,DataEncryption:

@#@RC2-40RC4-128DESDES403DESIDEAFortezzaMessageDigest:

@#@MD5SHA.,CipherSuiteAlternatives,KeyExchange.RSAFixedDiffie-HellmanEphemeralDiffie-HellmanAnonymousDiffie-HellmanFortezzaDataCompression:

@#@PKZipWinZipgzipStuffIt,SSLClient,SSLServer,ServerCertificate,TheServerCertificatemessageiscomposedofTheserverIdentifierinformationADigitalCertificateoftheseverinformationencryptedwiththeCAsPrivateKey.ThiscontainstheserversPublicKey,ClientCertificateRequest,TheClientCertificateRequestmessageiscomposedofTheCertificatetypetoindicatethetypeofpublickeyTheCertificateAuthorityisalistofdistinguishednamesofCertificateAuthoritiesacceptabletotheServer,ServerDoneMessage,ThisServerDonemessagehasnoparameters.,二服务器鉴别和密钥交换,SSLClient,SSLServer,ClientCertificate,TheClientCertificatemessageiscomposedofTheserverIdentifierinformationADigitalCertificateoftheclientinformationencryptedwiththeCAsPrivateKey,TheClientAuthenticatestheServerwiththeCA.a.ExtractsthepublickeyoftherootsignedcertificatethatcameinstalledwiththeclientandComputesaMDoftheservercertificateinformation.b.Decryptstheservercertificate（thatwasissuedbytherootCA）thatcontainsthehashcomputedbytheCAPrivateKeyc.ComparesthecomputedhashwiththehashcontainedintheserverDigitalCertificate.Generatesasessionkey（psuedo-randomnumber）touseasaPre-MasterKeythen3.Encryptsthesessionkeywiththeserverspublickey.,三客户机验证和密钥交换,SSLClient,SSLServer,ClientKeyExchange,TheClientKeyExchangemessageiscomposedofTheencryptedsessionkeywhichwillserveasapre-mastersecretkeyencryptedwiththeserverspublickey.,Boththeclientandtheserverusethepre-mastersecretkeytocomputethreeidenticalsetsofsecretkeypairsThefirstpair（i.e.DES）isusedtoencryptoutgoingtrafficfromtheclienttotheserverandtodecryptincomingtraffictotheserverwhileThesecondpair（i.e.HMAC）isusedtoencryptoutgoingtrafficfromtheserverandtodecryptincomingtraffictotheclientc.ThethirdpairisusedtoinitializethecipherIV（InitializationVector）,Note:

@#@BoththeClientandtheServereachgeneratethreesetsofkeys,三客户机验证和密钥交换,SSLClient,SSLServer,CS,SC,CS,SC,Encryption,MAC,IV,Encryption,MAC,IV,密钥交换结果,TheClientFinishmessageiscomposedofTheclientauthenticatestheserverwithamessageencryptedwiththenewlygeneratedsharedkeys.Thisvalidatestotheserverthatasecureconnectionhasbeencreated.,SSLClient,SSLServer,ClientFinish,ServerFinish,TheServerFinishmessageiscomposedofTheserverauthenticatestheclientwithamessageencryp