Lecture 6: CSCI E-1 Spring 2013

Transcript

1. Computer Science E-1 Lecture 6: Security

2. http://youtu.be/H542nLTTbu0

3. http://bing.com

4. http://vimeo.com/blog/post:564

5. Security

6. Authentication

7. Cookies

8. Sessions

9. GET /home.php HTTP/1.1 Host: www.facebook.com Cookie: PHPSESSID=5153d29ed84c4

10. GET /home.php HTTP/1.1 Host: www.facebook.com Cookie: PHPSESSID=5153d29ed84c4

11. Session Hijacking

12. None

13. HTTPS

14. Cryptography

15. GET /home.php HTTP/1.1 Host: www.facebook.com Encrypt ehosn9745t987gnlkjab 7@5uejfnjasdbfxb98@#

16. GET /home.php HTTP/1.1 Host: www.facebook.com Encrypt ehosn9745t987gnlkjab 7@5uejfnjasdbfxb98@# ehosn9745t987gnlkjab 7@5uejfnjasdbfxb98@#

    GET /home.php HTTP/1.1 Host: www.facebook.com Decrypt

17. Wi-Fi Security

18. WEP, WPA, WPA2

19. CSRF

20. https://bank.com/money/transfer? to=67890&amount=100

21. None

22. Ka-Boom.

23. https://bank.com/money/transfer? to=67890&amount=100& token=8549ba93417cdef85

24. <input type="hidden" name="csrfTokenHidden" value="12345" id="csrfTokenHidden">

25. http://cse1.net/lecture6

26. XSS

27. <h1>Tommy</h1>

28. None

29. Ka-Boom.

30. http://cse1.net/lecture6

31. Databases

32. Name DOB Color Preference Shocked Cat 3/17/2010 white indoor Grumpy

    Cat 4/4/2012 white indoor Keyboard Cat 1/1/1984 orange outdoor

33. SQL

34. SELECT name FROM cats

35. SELECT * from cats WHERE preference = ‘indoor’

36. INSERT INTO cats (name, dob, color, preference) VALUES ('Maru', '2008-06-01',

    'gray', 'indoor')

37. UPDATE cats SET name = ‘shocked’ WHERE name = ‘Maru’

38. DELETE FROM cats WHERE name = ‘Maru’

39. CRUD

40. Create Read Update Delete

41. INSERT SELECT UPDATE DELETE

42. SELECT * FROM profiles WHERE username = ‘zuck’

43. I would like __ cheeseburgers cooked ____ and topped with

    ________.

44. I would like 2 cheeseburgers cooked medium-well and topped with

    lettuce.

45. I would like 2 cheeseburgers cooked and then thrown at

    the nearest customer’s head and topped with lettuce.

46. Injection

47. SELECT * FROM profiles WHERE username = ‘______’

48. ‘ OR ‘1’ = ‘1

49. SELECT * FROM profiles WHERE username = ‘’ OR ‘1’

    = ‘1’

50. Ka-Boom.

51. Authentication

52. SELECT * FROM users WHERE username = ‘_____’ AND password

    = ‘_____’

53. SELECT * FROM users WHERE username = ‘rj’ AND password

    = ‘’ OR ‘1’ = ‘1’

54. Ka-Boom.

55. ’; DELETE FROM profiles; --

56. SELECT * FROM profiles WHERE username = ‘’; DELETE FROM

    profiles; --’
57. None

58. Sanitizing Input

59. SELECT * FROM profiles WHERE username = '\' OR \'1\'

    = \'1'

60. Permissions

61. http://cse1.net/lecture6

62. Encrypting Text

63. Caesar Cipher

64. ABCDEFGHIJKLMNOPQRSTUVWXYZ NOPQRSTUVWXYZABCDEFGHIJKLM

65. ROT13

66. banana

67. onanan

68. Brute-Force Attack

69. ROT26

70. Vigenère Cipher

71. banana + 246246

72. banana + 246246 detcrg

73. banana + cegceg detcrg

74. Plaintext: computer Key: benrj

75. computer + benrjben

76. computer + benrjben dszgduie

77. Symmetric-Key Cryptography

78. None

79. Asymmetric-Key Cryptography

80. Public/Private Keys

81. None

82. Trapdoor One-Way Function

83. 2459 * 8863 = 21794117

84. Factor 21794117

85. RSA

86. Diffie-Hellman

87. Computer Science E-1 Lecture 6: Security