web运用的安全模式.pptVIP

Web应用的“外患”与“内忧” 谭晓阳 Txy@ 本讲内容 介绍基本的安全概念和基本的安全机制 Web环境下的安全机制 防火墙的工作原理 常用的安全措施 Web应用安全 “外患” “内忧” “外患” ? Aspects of Security ? Authentication and Encryption ? Internet Firewalls and Packet Filtering ? Virtual Private Networks ? Secure HTTP (SHTTP) and Secure Socket Layer (SSL) ? Securing your Site Main risks: 信息被非法窃听：未经认可的用户对数据的非法访问 假冒他人发送信息 信息被非法修改 拒绝服务 病毒 。。。 解决 Data Integrity: refers to protection from change: Is the data received exactly the same as the data that was sent? Data Availability: refers to protection against disruption of service: Does the data remain available for legitimate use? Data Confidentiality: refers to protection against unauthorized data access: Is data protected against unauthorized access? Privacy: refers to the ability of the sender to remain anonymous: Is the sender’s identity revealed? 完整性机制 防止偶然或故意破坏数据完整性的常用方法： 奇偶校验 （ parity bits) 校验和(checksum ) 循环冗余校验( cyclic redundancy checks ,CRC). 发送者以包的数据为函数计算出一个整数值。 接收者从接收到的数据中重新计算出这个整数，并比较二者的结果。 However, a attacker can create a valid checksum or CRC from the altered data. 完整性机制 Several mechanisms against malicious（恶意） intentional change of intercepted data exist： 用MAC (Message Authentication Code)来编码要发送的数据。 MAC基于无法破译或仿造的密码机制工作。 采用只有收发双方知道的secret key。 发送者用the secret key 来 scramble the data and the checksum or CRC 访问控制和口令 在传统的计算机系统中，简单的口令即足以保护对系统的访问。 Simple password mechanisms are vulnerable（易受攻击） on networks because they are susceptible to eavesdropping（偷听）. Wiretapping（搭线窃听） is easy especially that passwords on telnet, FTP or HTTP are clear text. “外患” ? Aspects of Security ? Authentication and Encryption ? Internet Firewalls and Packet Filtering ? Virtual Private Networks ? Secure HTTP (SHTTP) and Secure Socket Layer (SSL) ? Securing your Site 你是谁？ How do you know the customer is the customer he/she pretends to be? How do you know the server is the server it purports to be? Is it really the the web page I want to connect to? Is it really the company I want to make a trans