ICS 325
Secure Transactions
No system is impenetrable
Cost to compromise the system vs. cost to protect it
Input – the user’s machine and browser
Transmission – the Internet
Storage – the server
The User’s Machine
Browser features can be disabled – Java, cookies, JavaScript
Cookies can be deleted or modified by a user
Browser incompatibilities
PHP can be compatible with any browser
JavaScript is less compatible
PHP can be used to hide data validation (it runs on the server, so the user cannot see or disable it)
The Internet
Inherently insecure – others can view or alter transmitted data
Possible approaches
· Transmit even though you know data may not remain private
· Encrypt the data
· Sign the data
· Find another way to distribute the data
Internet is anonymous – difficult to know who you are dealing with
Your Server
Update frequently
Watch for security advisories
Use SSL
Register for a digital certificate – certifies your server and provides a public key
Check the data entered by users for embedded tags and buffer overruns
Store data securely
· Encrypt
· Store data in directories that are not visible from the Internet
SSL
Short for Secure Sockets Layer, a protocol developed by Netscape for transmitting private documents via the Internet. SSL works by using a private key to encrypt data that's transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use the protocol to obtain confidential user information, such as credit card numbers. By convention, URLs that require an SSL connection start with https: instead of http:. (http://www.webopedia.com/TERM/S/SSL.html)
Secure HTTP
Another protocol for transmitting data securely over the World Wide Web is Secure HTTP (S-HTTP). Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP is designed to transmit individual messages securely. SSL and S-HTTP, therefore, can be seen as complementary rather than competing technologies. Both protocols have been approved by the Internet Engineering Task Force (IETF) as a standard. (http://www.webopedia.com/TERM/S/SSL.html)
Protocol Stack
See page 320
Setting up the SSL Protocol
1. Browser connects to SSL-enabled server. Browser asks server to authenticate itself.
2. Server responds with its digital signature
3. Browser sends a list of supported encryption algorithms.
4. Server selects the strongest one it supports.
5. Browser and server generate session keys
   a. Browser gets server’s public key from digital certificate
   b. Browser encrypts a randomly generated number
   c. Server responds with more randomly generated data
   d. Encryption keys for this session are generated from the random data
Transmitting Data using SSL – see page 322
1. Data is packetized
2. Packets are compressed
3. A message authentication code is calculated using a hashing function
4. The message authentication code and compressed data are combined and encrypted
5. Encrypted packets are combined with header information and sent to the network
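The five transmission steps above, as an added PHP sketch that is not from the course text and is not a real SSL implementation. HMAC-SHA256, AES-128-CBC, the function names and the sample data are assumptions for the demo; it needs the zlib and openssl extensions.

```php
<?php
// Added teaching sketch of the five record steps; not a real SSL/TLS implementation.
// HMAC-SHA256 and AES-128-CBC are stand-ins chosen for the demo.
const FRAGMENT_SIZE = 16384;          // SSL records carry at most 2^14 bytes of data

function protect_records(string $data, string $macKey, string $encKey): array
{
    $records = [];
    foreach (str_split($data, FRAGMENT_SIZE) as $seq => $fragment) {   // 1. packetize
        $compressed = gzcompress($fragment);                            // 2. compress
        // 3. MAC over sequence number + compressed data (detects altered or reordered packets)
        $mac = hash_hmac('sha256', pack('J', $seq) . $compressed, $macKey, true);
        // 4. combine MAC and compressed data, then encrypt
        $iv   = random_bytes(16);
        $body = $iv . openssl_encrypt($compressed . $mac, 'aes-128-cbc', $encKey, OPENSSL_RAW_DATA, $iv);
        // 5. prepend header: content type 23 (application data), version 3.0, length
        $records[] = pack('Cnn', 23, 0x0300, strlen($body)) . $body;
    }
    return $records;
}

function open_record(string $record, int $seq, string $macKey, string $encKey): string
{
    $hdr   = unpack('Ctype/nversion/nlength', $record);
    $body  = substr($record, 5, $hdr['length']);
    $plain = openssl_decrypt(substr($body, 16), 'aes-128-cbc', $encKey, OPENSSL_RAW_DATA, substr($body, 0, 16));
    if ($plain === false || strlen($plain) < 32) {
        throw new RuntimeException("record $seq: decryption failed");
    }
    $compressed = substr($plain, 0, -32);       // the SHA-256 MAC is the last 32 bytes
    $expected   = hash_hmac('sha256', pack('J', $seq) . $compressed, $macKey, true);
    if (!hash_equals($expected, substr($plain, -32))) {
        throw new RuntimeException("record $seq: MAC mismatch, data was altered");
    }
    return gzuncompress($compressed);
}

// Constructed demo keys and data; real session keys come from the handshake's random data.
$macKey  = random_bytes(32);
$encKey  = random_bytes(16);
$records = protect_records(str_repeat('order=1001&qty=2;', 3000), $macKey, $encKey);

echo count($records), " records, first is ", strlen($records[0]), " bytes\n";
echo substr(open_record($records[0], 0, $macKey, $encKey), 0, 17), "\n";

try {                                           // same record checked under the wrong sequence number
    open_record($records[0], 1, $macKey, $encKey);
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
```

The receiver reverses the steps in order: strip the header, decrypt, verify the MAC, then decompress, rejecting the record before decompression if the MAC does not match.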
Secure Storage
Types of stored data
· script files (HTML, PHP) – executable content, read-only files and directories; use .php extension
· script-related data (flat files) – place in directories not directly accessible from web to avoid malicious scripts
· database data
Don’t store one-time transactions
Do not store on web server at all
HTTP is a stateless protocol – it cannot tell the difference between requests from different users
Sessions can be used to track a single user during their visit to a website
A session is identified by a large random number (the session ID) that is stored on the client’s computer
Session variables are stored on the server
A session is only active as long as the current client’s browser is open
A cookie is similar to a session, except data is stored on the client’s computer.
Because the data is stored on the client’s computer, the data becomes persistent.
The cookie can be programmed to exist as long as the web developer wishes
When a URL is requested the client’s browser checks to see if there is a cookie relevant for the requested URL
Cookies are commonly used to implement shopping carts
Use the setcookie() function to set a cookie using PHP.
This function must come before any output to the browser; this includes white space.
boolean setcookie ( string name [, string value [, int expire [, string path [, string domain [, int secure]]]]])
name    The name of the cookie.
value   The value of the cookie.
expire  The time the cookie expires.
path    The path on the server in which the cookie will be available.
domain  The domain for which the cookie is available.
secure  Indicates that the cookie should only be transmitted over a secure HTTPS connection.
There are three ways to access a stored cookie
$HTTP_COOKIE_VARS["cookieName"], $_COOKIE["cookieName"], or $cookieName;
Cookies can be stored as arrays
Disable a cookie by setting the expiration time to a previous time.
To view all stored cookies
print_r($_COOKIE);
Steps
1. Start a session
2. Register session variables
3. Use session variables
4. Deregister variables and destroy the session
Before using sessions in PHP you must start the session.
Sessions must be started on every page in which you wish to access session variables.
Start sessions using the session_start() function
This function must come before any output to the browser; this includes white space.
Microsoft Internet Explorer Problem
After submitting a form from a page that uses sessions, that page becomes expired when trying to go back
PHP provides a function to deal with this issue
header("Cache-control: private");
Insert this line of code after the session_start() line.
To register a variable as a session variable use the session_register() function.
Session variables can be registered in series
session_register("session1","session2");
Then call or set the session variable as you would with any other variable.
$sessionName = "This is a session";
To kill a session off use session_destroy()
Authentication\Site Security is often implemented using Sessions. See pp. 423-427 for example.
session_is_registered()  Returns TRUE if the session variable being checked is registered.
session_unregister()  Unregisters a session value.
session_id()  Returns the session id for the current session.
For More Functions See PHP.NET
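The four session steps and the cookie "secure" flag from these notes, as an added example that is not from the course text. It uses the $_SESSION superglobal because session_register(), session_unregister(), session_is_registered() and register_globals were removed in PHP 5.4; it assumes PHP 7.3 or later, and 'user', 'alice', 'since' and the 'cart' cookie are hypothetical names.

```php
<?php
// Added example (PHP 7.3+); 'user', 'alice' and the 'cart' cookie are hypothetical names.

// Session cookie: HTTPS only, hidden from JavaScript.
session_set_cookie_params(['path' => '/', 'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);

// 1. Start the session. No output, not even white space, may precede this call.
session_start();
header('Cache-Control: private');

// 2. Register session variables: values live on the server, only the ID goes to the client.
if (!isset($_SESSION['user'])) {
    session_regenerate_id(true);        // fresh ID when the user's privilege level changes
    $_SESSION['user']  = 'alice';       // would come from a verified login in practice
    $_SESSION['since'] = time();
}

// A cookie, by contrast, is stored on the client and can be modified there:
// keep it to low-value data and mark it secure so it only travels over HTTPS.
setcookie('cart', 'sku-1001', [
    'expires'  => time() + 3600,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
]);

// 4. Deregister the variables and destroy the session (e.g. on logout).
function end_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    // Expire the session cookie by setting its expiration to a previous time.
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

if (isset($_GET['logout'])) {
    end_session();
    echo 'Logged out';
    exit;
}

// 3. Use session variables. Escape on output to neutralise embedded tags.
echo 'Hello ', htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8');
```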