Module 8: Protecting Communication Privacy and Data Integrity
How to Teach This Module
Begin this module with a discussion of the types of attacks that are possible on
the communication link between the browser and the Web server.
Lesson: Introduction to Cryptography
It is an interesting sidebar to mention the role that cryptographic code breaking
played in World War II. “Enigma,” “Purple,” and “Magic” are the code names
of some of the more well-known cryptographic systems. You can find more
information about cryptography during wartime by searching for “cryptography
World War II” on the Internet.
Mention that symmetric encryption is very fast and that it is the most efficient
way to transfer larger quantities of data securely.
By using asymmetric encryption, the recipient of the encrypted data can be
assured that the data came from the owner of the public key. Therefore, not
only can asymmetric encryption be used to encrypt the data, it also provides a
guarantee of the data’s origin.
Note that the key length plays an important role in the strength of the
encryption. If the key is long enough, it is virtually impossible to guess.
Storing private keys is the most challenging aspect of encryption. For more
information about this topic, direct students to the book Writing Secure Code,
by Michael Howard and David LeBlanc (Redmond: Microsoft Press®), 2002.
An important distinction between encryption and hashing is that encryption
scrambles the data such that it can be unscrambled, whereas hashing cannot be
reversed.
You can sign data without hashing it to guarantee that the data came from you;
however, this would not guarantee that the data was not changed en route to the
recipient.
After reviewing the answers to the practice, brainstorm with the students for
more scenarios of when cryptography could be used in Web applications.
Lesson: Working with Digital Certificates
Mention briefly that one of the reasons for obtaining a certificate (personal or
server) is to use SSL to communicate with a Web server. Students will learn
more about the SSL/TLS and IPSec protocols later in this module.
You can do the steps of this practice with the students and show the
nwtraders.msft certificate, which is the certificate from the London CA.
Students may ask about the process that is required to become a CA, such as
VeriSign. Although anyone who uses Certificate Services can generate
certificates, not everyone who generates certificates is a trusted CA. Trust is
based on many factors, including the length of time that the CA has been in
business, the CA’s reputation, and the process that the CA uses to verify those
who request certificates.
What Is Cryptography?
How Does Symmetric Encryption Work?
How Does Asymmetric Encryption Work?
Exchanging and Storing Keys
Verifying Data Integrity with Hashes
Using Digital Signatures
Practice: Using Cryptography
What Are Digital Certificates?
Practice: Viewing Digital Certificates
What Is a Certificate Authority?
This animation provides an overview of the process of how certificates are
requested and granted from a CA, and then how those certificates are used to
communicate securely over SSL. You might consider postponing this animation
until the next lesson, which discusses SSL.
Note that the “random bits” referred to in the multimedia are the session key.
For certificates to be effective, they must be trusted. Certificate chains enable
users to trace a certificate back to the original CA.
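The notes on hashing, digital signatures, trusted CAs and certificate chains can be seen working together in the following sketch, which is an added example and not part of the original courseware. It assumes textbook RSA on toy keys and a simplified certificate record; the Cert fields, the helper names and the .example host names are hypothetical, and only the nwtraders.msft CA name comes from this module.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent used by every toy key here

def make_key(p, q):
    """Textbook-RSA key from two primes: returns (public modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    """SHA-256 of the data as an integer, reduced to fit under the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Cert:
    subject: str
    issuer: str
    public_n: int       # the subject's public key
    signature: int = 0  # issuer's signature over the three fields above

    def signed_bytes(self):
        return f"{self.subject}|{self.issuer}|{self.public_n}".encode()

def issue(cert, issuer_n, issuer_d):
    """CA side: hash the fields, then transform the hash with the CA's private key."""
    cert.signature = pow(digest(cert.signed_bytes(), issuer_n), issuer_d, issuer_n)
    return cert

def signed_by(cert, issuer_n):
    """Verifier side: recover the signed hash with the public key and recompute it."""
    return pow(cert.signature, E, issuer_n) == digest(cert.signed_bytes(), issuer_n)

def validate_chain(leaf, store, trusted_roots):
    """Follow issuer links up to a self-signed root, checking every signature."""
    cert = leaf
    for _ in range(len(store) + 1):  # bounded walk: a loop of issuers cannot hang it
        issuer = store.get(cert.issuer)
        if issuer is None:
            return "issuer not found"
        if not signed_by(cert, issuer.public_n):
            return "bad signature"
        if cert.subject == cert.issuer:  # top of the chain: is this root pinned as trusted?
            ok = trusted_roots.get(cert.subject) == cert.public_n
            return "trusted" if ok else "untrusted root"
        cert = issuer
    return "chain too long"

# Constructed sample data. Keys are built from Mersenne primes 2**k - 1: toy sizes, not secure.
ROOT = make_key(2**127 - 1, 2**107 - 1)
OTHER = make_key(2**607 - 1, 2**521 - 1)
SERVER_N = make_key(2**89 - 1, 2**61 - 1)[0]
root = issue(Cert("nwtraders.msft", "nwtraders.msft", ROOT[0]), *ROOT)
other = issue(Cert("self-made-ca.example", "self-made-ca.example", OTHER[0]), *OTHER)
server = issue(Cert("student-server.example", "nwtraders.msft", SERVER_N), *ROOT)
lookalike = issue(Cert("student-server.example", "self-made-ca.example", SERVER_N), *OTHER)
STORE = {c.subject: c for c in (root, other)}
TRUSTED = {"nwtraders.msft": ROOT[0]}  # root name -> pinned public key

def demo():
    """Validate a good certificate, one altered after signing, and one from an untrusted CA."""
    altered = Cert("other-host.example", server.issuer, server.public_n, server.signature)
    return [validate_chain(c, STORE, TRUSTED) for c in (server, altered, lookalike)]
```

The certificate from the self-made CA verifies cryptogaphically at every link and is still rejected, because its root is not in the trusted set; the altered certificate fails because the recomputed hash no longer matches the signed one.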
If time permits, demonstrate the use of the Certificate Manager tool.
Discuss some of the reasons why a user would want to obtain a personal
certificate.
Note
The options for certificate templates offered by the Certificate Request
Wizard depend on how you installed the Microsoft Management Console
(MMC) Certificates snap-in:
• If you installed the MMC Certificates snap-in to manage certificates for My
  user account, as directed in the “Practice: Viewing Digital Certificates”
  topic, you get Authenticated Session, Basic EFS, and User Signature
  Only templates.
• If you installed the MMC Certificates snap-in to manage certificates for
  Computer account, you get Computer and IPSEC templates.
You will need to lead this practice and also get a personal certificate; make sure
to enter Research for your department, because this field will be used in the
client certificate mapping demonstration.
As the students submit their requests for personal certificates, you need to issue
the certificates. The issuing of certificates should be done with little explanation
and with the screen blanked so that the students do not get confused between
the request and issue processes.
To process the certificate requests with Microsoft Certificate Services
for Microsoft Windows® 2000
1. On the Start menu, click Programs, click Administrative Tools, and then
click Certification Authority.
During setup, the instructor computer was set up with Certificate Services
and was created as a stand-alone root CA.
2. Expand the nwtraders.msft CA, and then click Pending Requests.
There will be one certificate request from each student.
3. To accept the request and issue a certificate, right-click the request, click All
Tasks, and then click Issue.
The request is moved from the Pending Requests node to the Issued
Certificates node.
Multimedia: Using Digital Certificates
Certificate Chains and Hierarchies
Certificate Stores
Obtaining a Personal Certificate
Note
Instructor-Led Practice: Obtaining a Personal Certificate
Show how the SSL port, 443, is disabled by opening Internet Information
Services (IIS) and viewing the Web Site tab for the Mod08 folder of the
2300Demos Web application.
Explain to students that they will obtain a server certificate in the lab; therefore,
they can just watch the demonstration now, rather than performing the steps.
When processing the certificate request with Certification Services, do not
explain what is being done. This step occurs only because you are using
Certificate Services in the classroom.
Lab 8.1: Obtaining a Server Certificate
Both the TailspinToys and TailspinToysAdmin Web applications contain Web
pages that either request private information from users or deliver private
information to users. Before students can turn on SSL for these Web pages,
they need to obtain a server certificate for their Web servers.
Students will request the server certificates from the London CA. You will need
to approve the requests as they are made by the students.
To issue certificates by using Certificate Services
After students have submitted their requests for server certificates, you must
issue the certificates:
1. On the Start menu, click Programs, click Administrative Tools, and then
click Certification Authority.
2. Expand the nwtraders.msft CA, and then click Pending Requests.
There will be a certificate request from each student.
3. To accept a request and issue a certificate, right-click the request, click All
Tasks, and then click Issue.
The request is moved from the Pending Requests folder to the Issued
Certificates folder.
Lesson: Using the Secure Sockets Layer/Transport Layer Security Protocols
Students may have heard of both SSL and TLS. It is important to note that TLS
is the most recent version of the protocol and that although SSL is the more
commonly referred-to protocol, it is most likely TLS that is being used.
Mention that SSL/TLS are the protocols that enable the secure communications
that are described in the animation “Using Digital Certificates.” You might
consider showing this animation here instead of in the previous lesson.
Mention the steps that are required before SSL can be enabled in IIS. You will
demonstrate the process of enabling SSL in the demonstration that follows this
topic.
Show how SSL is enabled in IIS. Discuss the various options that are available
for client certificates.
Obtaining a Server Certificate
Demonstration: Obtaining a Server Certificate
Overview of Security Protocols
How Does SSL/TLS Work?
Enabling SSL for an IIS Web Application
Demonstration: Enabling SSL
Discuss both the Active Server Pages (ASP) method and the Microsoft
ASP.NET method of verifying the authenticity of client certificates.
Before students can view the pages in the practice, you must configure the
Mod08 folder of the 2300Demos Web application to require client certificates.
After students have accessed the WhoAmI.asp and ReadCertInfo.aspx pages in
the Mod08 folder of the 2300Demos Web application on the London computer,
examine the source code for the pages in Microsoft Visual Studio® .NET:
1. In Visual Studio .NET, open the WhoAmI.asp page in the Mod08 folder of
the 2300Demos project.
2. In Visual Studio .NET, open the ReadCertInfo.aspx page in the Mod08
folder of the 2300Demos project.
The page displays information from a client certificate by using the
HttpClientCertificate object.
Client certificate mapping is a powerful authentication method that allows IIS
to perform work on behalf of the client, based on the contents of a client
certificate. Emphasize IIS client certificate mapping. Information on
Active Directory® directory service mapping is provided for those students who
have previous experience with Active Directory.
Demonstrate how to enable many-to-one client certificate mapping in the
2300Demos Web application. Note that client certificate mapping is not used in
the labs.
SSL should be used only for those portions of the Web application that require
secure communications. There is a performance cost that is associated with
using SSL, and care should be taken to ensure that SSL is used only when
necessary. Discuss the guidelines for using SSL.
Run this practice as a group brainstorming session where students determine
which pages in the TailspinToys and TailspinToysAdmin Web applications
should be protected with SSL.
Lesson: Using Internet Protocol Security
Note that although IPSec is not commonly used for securing communications
between client computers and Web applications on the IIS Web server, IPSec
does have a role in protecting communications between the IIS Web server and
the other computers and resources that are on the organization’s network.
Briefly discuss the process of implementing IPSec.
Understanding how IPSec and SSL/TLS differ is important when deciding
where to apply each protocol. Discuss each difference between IPSec and
SSL/TLS.
Lab 8.2: Protecting Communication Privacy and Data Integrity
In Lab 8.2, students will turn on SSL for portions of the TailspinToys and
TailspinToysAdmin Web applications.
Verifying the Authenticity of Client Certificates
Instructor-Led Practice: Verifying the Authenticity of Client Certificates
Using Client Certificate Mapping
Demonstration: Client Certificate Mapping
Guidelines for Using SSL/TLS
Practice: Requiring SSL for Web Application Pages
Overview of IPSec
Implementing IPSec
Comparing IPSec and SSL/TLS
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
Lab Setup
To complete this lab, the WebUser login and the InternetStoredProcs and
IntranetStoredProcs roles must be added to Microsoft SQL Server™ on the
Glasgow computer.
Configure SQL Server on the Glasgow computer
• If you did not perform the “Adding Roles and Logins to SQL Server”
demonstration in Module 7, “Securing Microsoft SQL Server,” in Course
2300, Developing Secure Web Applications, you must do it now.
To complete this lab, students can continue working in the Tailspin Toys
Visual Studio .NET projects that they used in previous labs, or they can start
with new files.
To start with new files, students must complete the following steps.
Create the Web applications for the ASP exercises
1. Copy all of the contents of the ASP starter folder install_folder\Labfiles\
Lab08_2\ASP\Starter\TailspinToys to the TailspinToys IIS virtual directory
at C:\Inetpub\wwwroot\TailspinToys.
2. Copy all of the contents of the ASP starter folder install_folder\Labfiles\
Lab08_2\ASP\Starter\TailspinToysAdmin to the TailspinToys IIS virtual
directory at C:\Inetpub\wwwroot\TailspinToysAdmin.
Create the Web applications for the ASP.NET exercises
1. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\
Lab08_2\ASPXVB\Starter\TailspinToys.NET to the TailspinToys.NET IIS
virtual directory at C:\Inetpub\wwwroot\TailspinToys.NET.
2. Copy all of the contents of the ASP.NET folder install_folder\Labfiles\
Lab08_2\ASPXVB\Starter\TailspinToysAdmin.NET to the
TailspinToysAdmin.NET IIS virtual directory at C:\Inetpub\wwwroot\
TailspinToysAdmin.NET.
3. Edit the file c:\Inetpub\wwwroot\TailspinToysAdmin.NET\Web.config and
change the <allow roles="London\TailspinAdmins"/> tag to be <allow
roles="machineName\TailspinAdmins"/>, where machineName is the name
of your computer.
Configure IIS authentication
1. Run the IIS administrative tool.
2. Expand the computer node and the Default Web Site node in the tree.
3. Right-click the TailspinToysAdmin virtual directory, and then click
Properties.
4. Click Directory Security.
5. In the Anonymous access and authentication control group, click Edit.
6. Clear the Anonymous access check box.
7. Click OK twice to save your changes.
8. Right-click the TailspinToysAdmin.NET virtual directory, and then click
Properties.
9. Click Directory Security.
10. In the Anonymous access and authentication control group, click Edit.
11. Clear the Anonymous access check box.
12. Click OK twice to save your changes.
Lab Results
Performing the labs in this module introduces the following configuration
changes:
• The Login.asp and ChangePassword.asp pages are moved into a private
  folder in the TailspinToys Web application.
• The Login.aspx and ChangePassword.aspx pages are moved into a private
  folder in the TailspinToys.NET Web application.
• The private folder in each of the following Web applications is configured
  in IIS to require SSL:
    • TailspinToys
    • TailspinToys.NET
    • TailspinToysAdmin
    • TailspinToysAdmin.NET
Overview
• Introduction to Cryptography
• Working with Digital Certificates
• Using the Secure Sockets Layer/Transport Layer Security Protocols
• Using Internet Protocol Security
***************************** ILLEGAL FOR NON-TRAINER USE ******************************
Introduction
By using Internet Information Services (IIS), you can validate user and resource
identities, as well as protect data and communications between the Web
browser and the Web server. The communication link between the browser and
the server is susceptible to a number of security-related attacks, including:
• Network monitoring. An attacker can use a network monitoring application
  or device to observe and read network packets. If the packets are not
  encrypted, a network-monitoring tool provides a full view of the data that is
  inside the packet. Such applications and devices are useful for diagnostic
  purposes, but they can be misused to obtain unauthorized access to data.
  Network Monitor is an example of a network-monitoring tool.
• Data modification. An attacker can modify a packet in transit and send
  counterfeit data, which can prevent the receiver from receiving the correct
  information or can allow the attacker to obtain secure information.
• Passwords. An attacker can use a stolen password or key, or can attempt to
  decipher the password if it is a simple password.
• Address spoofing. An attacker can use special programs to construct Internet
  Protocol (IP) packets that appear to originate from valid IP addresses that
  come from inside the trusted network.
• Man-in-the-middle. An attacker can actively monitor, capture, and control
  the data that passes between two communicating computers without the
  knowledge of the affected parties (for example, the attacker can reroute a
  data exchange).
Note
The code samples in this module are provided in both Microsoft® Visual Basic®
.NET and C#.
Objectives
After completing this module, you will be able to:
• Define the basic elements of cryptography.
• Describe the purpose of digital certificates and obtain one through a
  Certificate Authority (CA).
• Validate user and Web server identity through the use of Secure Sockets
  Layer (SSL)/Transport Layer Security (TLS).
• Protect communications between Web application resources through the use
  of Internet Protocol security (IPSec).
Lesson: Introduction to Cryptography
• What Is Cryptography?
• How Does Symmetric Encryption Work?
• How Does Asymmetric Encryption Work?
• Exchanging and Storing Keys
• Verifying Data Integrity with Hashes
• Using Digital Signatures
• Practice: Using Cryptography
Introduction
Because cryptography permeates many security-related technologies, a general
understanding of what cryptography is and how it works is valuable when
developing secure Web applications.
This lesson provides an overview of cryptography, including a description of
the functional aspects of, and the differences between, public key cryptography,
private key cryptography, hashing (digests), data signing, and digital
certificates.
Lesson objectives
After completing this lesson, you will be able to:
• Describe the purpose and uses of cryptography.
• Describe how symmetric (or private key) encryption works.
• Describe how asymmetric (or public key) encryption works.
• Describe how session keys are typically exchanged between users.
• Explain the purpose of hashing and digital signing.
What Is Cryptography?
• Cryptography is the science of protecting data
    • Protects a user's identity or data from being read
    • Protects data from being altered
    • Verifies that data originates from a particular user
• Encryption is the process of scrambling data
• Encryption is only as strong as the key
[Diagram: Data, Encryption algorithm, Key]
Introduction
Cryptography, the practice and study of encryption and decryption, provides the
foundation of secure communications in a Web application.
What is cryptography?
Cryptography is a mathematical science that was originally developed for
military communications with the intention of keeping secrets from the enemy
in times of war. More recently, cryptography has also been used in the
information technology (IT) industry to aid in securely authenticating users on a
network, protecting a user's identity, protecting data from being read or altered,
or verifying that the data originates from a particular user. Two forms of
cryptography are symmetric and asymmetric encryption.
What is encryption?
Cryptography is put into practice through the use of encryption, which is the
process of scrambling data by applying an algorithm to it. By encrypting data,
you can make it difficult and time consuming, if not impossible, for an attacker
to decipher the data.
Encryption is often used in the following types of transactions:
• E-mail
• E-commerce
• File storage
• Database connections
• Web client authentication