WEB APPLICATION SECURITY


Learning Outcomes

Having completed this module you will be able to:

  • Define cryptography and list the components of cryptography.
  • Discuss public key infrastructure and digital certificates.
  • Explain how to secure email and file encryption.
  • Recognise common vulnerabilities in web applications.
  • Explain web application security frameworks and best practices.
  • State the various secure coding principles.
  • Describe web application penetration testing.
  • Outline the typical stages involved in web application penetration testing.
  • Identify the security issues surrounding iOS and Android mobile operating systems.


Cryptography

This topic is intended to introduce you to cryptography.

Topics to Be Covered:

  • Introduction to Cryptography and encryption algorithms.
  • Public key infrastructure (PKI) and digital certificates.
  • Cryptographic protocols.
  • Secure email and file encryption.


Types of Cryptographic Algorithm

Cryptography involves various algorithms to perform the encryption and decryption processes. 

The main types include:

Symmetric-Key Cryptography:

With this approach, both sender and recipient share one secret key that is used both to encrypt and to decrypt their messages, keeping the contents of those messages hidden from third parties.

Widely known examples are the Data Encryption Standard (DES) and its successor, the Advanced Encryption Standard (AES), both of which use this technique.


Asymmetric-Key Cryptography:

More commonly referred to as public key cryptography, this approach uses two keys: one public and one private.

A sender encrypts with the recipient's public key, and only the recipient's private key can decrypt the result; RSA (Rivest-Shamir-Adleman) is the algorithm most often seen in this role.

Hash Functions:
Hash functions offer an alternative that involves no key at all: they turn a message of any length into a fixed-length hash value from which recovering the original message is computationally infeasible. MD5 and SHA-1 are two well-known hash functions, but both are now considered cryptographically broken (practical collisions exist), so SHA-256 or another SHA-2/SHA-3 function should be used instead.
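As an added illustration (not code from the original page), here is a small Python program contrasting the two kinds of primitive just described: a constructed keystream cipher standing in for a symmetric algorithm (it is built from HMAC-SHA256 for readability and is not AES or a production cipher), and hash functions from Python's hashlib. It also shows a caveat the paragraph above does not: a plain hash with no key does not protect integrity against someone who can rewrite the message, whereas a keyed HMAC does. All sample messages and keys are constructed inline.

```python
import hashlib
import hmac
import secrets


def keystream_cipher(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric stream cipher (constructed for this example, not AES):
    XOR the data with an HMAC-SHA256 keystream derived from key, nonce and a
    block counter. Because XOR is its own inverse, the same call with the same
    key both encrypts and decrypts; that is the symmetric-key property."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[start:start + 32], block))
    return bytes(out)


def bit_difference(a: bytes, b: bytes) -> int:
    """Number of differing bits between two equal-length digests."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def naive_integrity_ok(message: bytes, digest: bytes) -> bool:
    """Unkeyed check: anyone who alters the message can recompute a matching hash."""
    return hashlib.sha256(message).digest() == digest


def hmac_integrity_ok(key: bytes, message: bytes, tag: bytes) -> bool:
    """Keyed check: a forger without the key cannot produce a valid tag."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict:
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    plaintext = b"transfer 100 EUR to account 42"          # constructed sample message
    ciphertext = keystream_cipher(key, nonce, plaintext)
    recovered = keystream_cipher(key, nonce, ciphertext)    # same key, same function
    wrong_key = keystream_cipher(secrets.token_bytes(32), nonce, ciphertext)

    # Hash functions: fixed-length output whatever the input size, and no key involved.
    big_input = b"A" * 1_000_000
    digest_lengths = {name: len(hashlib.new(name, big_input).hexdigest())
                      for name in ("md5", "sha1", "sha256")}
    # Avalanche effect: flipping one input bit changes roughly half of the output bits.
    flipped = bytes([plaintext[0] ^ 1]) + plaintext[1:]
    changed_bits = bit_difference(hashlib.sha256(plaintext).digest(),
                                  hashlib.sha256(flipped).digest())

    # Why a bare hash is not an integrity control: the tamperer simply recomputes it.
    tampered = b"transfer 900 EUR to account 42"
    naive_accepts_tamper = naive_integrity_ok(tampered, hashlib.sha256(tampered).digest())
    mac_key = secrets.token_bytes(32)                       # shared only by sender and receiver
    tag = hmac.new(mac_key, plaintext, hashlib.sha256).digest()   # computed by the sender
    hmac_accepts_tamper = hmac_integrity_ok(mac_key, tampered, tag)

    return {
        "roundtrip_ok": recovered == plaintext,
        "wrong_key_fails": wrong_key != plaintext,
        "digest_lengths": digest_lengths,
        "changed_bits": changed_bits,
        "naive_accepts_tamper": naive_accepts_tamper,
        "hmac_accepts_tamper": hmac_accepts_tamper,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The digest lengths (32, 40 and 64 hex characters for MD5, SHA-1 and SHA-256) do not depend on the one-megabyte input, which is the fixed-length property; the bit count near 128 out of 256 is the avalanche property; and the two integrity checks show that "no key" also means "no protection against a party who can rewrite the message", which is why message authentication uses a keyed HMAC rather than a bare hash.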


Key Terms in Cryptography

  • Cipher: An algorithm designed for performing encryption or decryption.
  • Key: Secret information used by the cipher, known only to the sender and recipient, to encrypt and decrypt messages.
  • Plaintext: The original, readable message.
  • Ciphertext: The encrypted message which is not readable or understandable until it is decrypted.


Cryptography plays an integral part in modern data protection systems. Although the study of cryptography can be complex, it is an essential part of cybersecurity education and must be included as such in every student curriculum.


Public Key Infrastructure and Digital Certificates

What is Public Key Infrastructure (PKI)?

PKI refers to the set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates. It is built on asymmetric cryptography, which uses two keys: a public key for encryption (and signature verification) and a private key for decryption (and signing).
PKI provides a framework that facilitates functions like digital signature, encryption and authentication - essential capabilities that verify data integrity and source, providing secure transactions and communications online.

Key Components of PKI:

  • Digital Certificates: Electronic documents that bind a public key to the identity of its owner and are signed by a trusted issuer, so that a party receiving the certificate can rely on the key it contains for encryption and signature verification.
  • Certificate Authorities (CAs): Certificate Authorities provide trusted third-party digital certificates by verifying identity and associating cryptographic keys to users who apply for them.
  • Certificate Store: This is a storage space for digital certificates.
  • Key Pair (Public and Private Keys): These two keys are mathematically related; the private key must remain secret, while the public key can be freely published for anyone to use.


What are Digital Certificates?

Digital certificates are electronic documents that use digital signature technology to link a public key with an identity, providing proof that the named individual or organisation holds that key.

Under most PKI schemes, certificates are issued by a certificate authority (CA), an organisation that its customers rely on to issue their certificates.


Digital Certificates typically contain:

  • Owner's public key.
  • Owner's name.
  • Expiration date of the public key.
  • Name of the issuer.
  • Serial number of the Digital Certificate.
  • Digital signature of the issuer.


Applications of PKI and Digital Certificates

  1. Secure Email: PKI is used to secure email communication, providing assurance that the message came from a known sender and that it wasn’t tampered with.
  2. Secure Network Access: PKI authenticates users and devices, providing secure remote access to resources over untrusted networks.
  3. Document Signing: Digital signatures use PKI technology to authenticate the signer and protect the integrity of the signed data.

Public Key Infrastructure and digital certificates play a vital role in secure online communication and transactions, enabling verification of the authenticity and integrity of data sent over networks, and are therefore essential components of modern cybersecurity solutions.

Cryptographic Protocols

Now we will discuss cryptographic protocols like TLS/SSL and IPsec that facilitate secure communications over networks - fundamental elements in maintaining online security.


Cryptographic protocols, or security protocols, use cryptography to secure electronic communications over networks.

Such cryptographic protocols often offer key agreement, entity authentication, data integrity protection, confidentiality guarantees and non-repudiation to their clients.


Transport Layer Security (TLS), like its predecessor Secure Sockets Layer (SSL), is a cryptographic protocol designed to provide communications security on computer networks. Websites use TLS to encrypt all communication between their server and the web browsers of their users. Here's an outline of how it functions:

  • Hello: The client and server establish a connection, and the client proposes encryption options.
  • The server chooses the strongest cipher suite both can manage and sends the client its public key certificate.
  • The client compares the server's certificate against its list of trusted CAs; if it chains to a trusted CA, the client generates a symmetric session key, encrypts it with the server's public key and sends it back.
  • The server decrypts the session key with its private key and sends back an acknowledgement encrypted with the session key, which starts the encrypted session.

This outline describes the RSA key-transport exchange used by older TLS versions. TLS 1.3 (and TLS 1.2 with ECDHE cipher suites) instead derives the session key from an ephemeral Diffie-Hellman exchange and uses the server's certificate only to authenticate the server, so that a later compromise of the server's private key cannot be used to decrypt recorded sessions (forward secrecy).
