network security



NETWORK SECURITY
SessionLock: Securing Web Sessions against Eavesdropping
PAPER SUBMITTED BY M.VANI, MALIHA ANJUM


ABSTRACT:- Typical web sessions can be hijacked easily by a network eavesdropper in attacks that have come to be designated "side jacking." SessionLock is easily implemented by web developers using only JavaScript and simple server-side logic. Its performance impact is negligible, and all major web browsers are supported. Interestingly, it is particularly easy to implement on single-page AJAX web applications, e.g. Gmail or Yahoo Mail, with approximately 200 lines of JavaScript and 60 lines of server-side verification code.


INTRODUCTION:- The core component of the World Wide Web, HTTP began its life as a stateless protocol. In order to protect users' security and privacy, the details of cookie handling have become quite intricate, but the basic functionality remains the same. The introduction develops the following points: web sessions are vulnerable to eavesdropping; Wi-Fi networks make things worse; SSL is not for everyone; better security without SSL; getting closer to user intuition.


CURRENT PRACTICES:- Web Sessions:- Web browsers support cookies, which allow a web server to send, in an HTTP response, a special header: Set-Cookie: session_id=8b3xdvdf3jg. This header can also specify a number of additional fields, including: an expiration date; a Secure flag, indicating whether this cookie should only be sent back over SSL; and the path, so that different sections of a site, e.g. /foo/* and /bar/*, can have different cookies.
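As an added illustration (not code from the presentation or from the SessionLock paper), the following Node.js snippet parses Set-Cookie headers with the fields listed above and decides which cookies a browser would attach to a given request. The sample headers and URLs are constructed; the point it shows is that a session cookie without the Secure flag is sent over plain HTTP, which is exactly what a passive eavesdropper needs for side jacking.

```javascript
// Added example: which cookies from a Set-Cookie response travel over plain HTTP?
// Uses only the Node.js global URL class. Sample data below is constructed.

function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...valueParts] = parts[0].split('=');
  const cookie = {
    name: name.trim(),
    value: valueParts.join('=').trim(),
    path: '/',          // default path when none is given
    secure: false,      // without Secure, the cookie is sent over http:// too
    httpOnly: false,
    expires: null,      // null means a session cookie (no expiration date)
  };
  for (const attr of parts.slice(1)) {
    const [k, ...v] = attr.split('=');
    const key = k.trim().toLowerCase();
    const val = v.join('=').trim();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'path') cookie.path = val || '/';
    else if (key === 'expires') cookie.expires = new Date(val);
  }
  return cookie;
}

// Cookie path matching as browsers do it: equal paths match, or the cookie
// path is a prefix of the request path ending in "/" or followed by "/".
function pathMatches(cookiePath, requestPath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Would the browser attach this cookie to a request for requestUrl?
function wouldBeSent(cookie, requestUrl, now = new Date()) {
  const url = new URL(requestUrl);
  if (cookie.expires && cookie.expires <= now) return false;
  if (cookie.secure && url.protocol !== 'https:') return false;
  return pathMatches(cookie.path, url.pathname);
}

// Names of the cookies that would be visible to an eavesdropper on a plain
// HTTP request, i.e. the ones worth protecting with SSL or SessionLock.
function exposedOverHttp(setCookieHeaders, httpUrl) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => wouldBeSent(c, httpUrl))
    .map((c) => c.name);
}

// Constructed sample: one unprotected session cookie, one Secure cookie,
// one cookie scoped to a sub-path.
const SAMPLE_HEADERS = [
  'session_id=8b3xdvdf3jg; Path=/',
  'auth=abc123; Path=/; Secure; HttpOnly',
  'prefs=dark; Path=/foo/',
];

console.log(exposedOverHttp(SAMPLE_HEADERS, 'http://example.com/mail'));
// prints [ 'session_id' ]

module.exports = { parseSetCookie, pathMatches, wouldBeSent, exposedOverHttp, SAMPLE_HEADERS };
```

The `auth` cookie never appears in the exposed list because of its Secure flag; the unflagged `session_id` cookie is what side jacking captures.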

Digest Authentication:- HTTP offers protocol-level authentication, including the particularly interesting digest mode. In digest auth, just like in plain auth, the web browser provides a distinct user interface to prompt the user for her username and password. Web services could use digest auth as a way to secure sessions against eavesdropping. Unfortunately, it is not used by most web services, for a number of reasons, and HTTP authentication, even in digest mode, is not likely to provide a deployable defense against eavesdropping.

Locking Sessions to IP Address:-


SSL:- SSL provides end-to-end encryption between the web server and browser, clearly foiling passive eavesdroppers. SSL requires more work on the server side and, more importantly, triggers a number of sub-optimal behaviors on the client side. In addition, an SSL server must deliver all resources over SSL, including static graphical layout elements that typically require no protection. SSL typically prohibits the use of latency-reducing, geography-based caching by content-delivery networks. In addition, web browsers behave differently under SSL.


BUILDING BLOCKS:-
1. Fragment Identifier:- The URL specification defines the fragment identifier, the portion of the URL that follows the # character.
2. Authenticating Web Requests with HMAC:- Simple message authentication between two parties with a shared secret is easily achievable using a Message Authentication Code (MAC) algorithm.


THE SESSIONLOCK PROTOCOLS:-
1. Generating the Secret Token
2. Keeping the Session Secret Around
3. Timestamping and HMAC
4. Recovering From Failure


EXTENSIONS:- Optimizing Link Setup: If the web application is built with SessionLock in mind, then this click handler can be added explicitly in the HTML. Local Browser Storage: In HTML5, the following JavaScript code stores data: globalStorage['example.com'].session_key = '8xk3jsldf'; No SSL Whatsoever: We can implement SessionLock without any SSL, even on the login page.

Effects of typical web user behavior:-
Page Reload: Page reload is explicitly supported by SessionLock.
Bookmarking: Bookmarking a page that uses SessionLock will include the timestamp and HMAC at the time of the bookmarking action.
Sending to a friend, social bookmarking: If a user sends a SessionLock-augmented link to a friend via email, or especially if she posts it to a social bookmarking site, she runs the risk of revealing her session secret.


LIMITATIONS:- JavaScript Required: SessionLock is entirely dependent on JavaScript; it simply cannot work without it. No Defense against Active Attacks: SessionLock does not protect against active network attacks.


CONCLUSION:- SessionLock uses the existing HTTP fragment identifier feature to create a secure, client-side channel between HTTPS and HTTP. It appears that Gmail HTTP sessions can be secured with minimal web-application-level code and negligible performance overhead. The appeal of solutions like SessionLock, which use only web-application-level modifications to the web stack, will be informative to the improvement of the web browser as an extensible platform for security.


