Lecture 6: CSCI E-1 Spring 2013

Tommy MacWilliam

April 10, 2013

Transcript

  1. Computer Science E-1
    Lecture 6: Security

  2. http://youtu.be/H542nLTTbu0

  3. http://bing.com

  4. http://vimeo.com/blog/post:564

  5. Security

  6. Authentication

  7. Cookies

  8. Sessions

  9. GET /home.php HTTP/1.1
    Host: www.facebook.com
    Cookie: PHPSESSID=5153d29ed84c4

  10. GET /home.php HTTP/1.1
    Host: www.facebook.com
    Cookie: PHPSESSID=5153d29ed84c4

  11. Session Hijacking

  12. (image only)

  13. HTTPS

  14. Cryptography

  15. GET /home.php HTTP/1.1
    Host: www.facebook.com
    Encrypt
    ehosn9745t987gnlkjab
    [email protected]@#

  16. GET /home.php HTTP/1.1
    Host: www.facebook.com
    Encrypt
    ehosn9745t987gnlkjab
    [email protected]@#
    ehosn9745t987gnlkjab
    [email protected]@#
    GET /home.php HTTP/1.1
    Host: www.facebook.com
    Decrypt

  17. Wi-Fi Security

  18. WEP, WPA, WPA2

  19. CSRF

  20. https://bank.com/money/transfer?to=67890&amount=100

  21. (image only)

  22. Ka-Boom.

  23. https://bank.com/money/transfer?to=67890&amount=100&token=8549ba93417cdef85

  24. <input type="hidden" name="csrfTokenHidden" value="12345" id="csrfTokenHidden">
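Slides 7 through 24 show a session cookie, the hijacking risk when it travels over plain HTTP, and a transfer URL that a third-party page can forge unless a per-session token is required. The following is an added example, not code from the lecture: a toy server-side session store and a synchronizer-token check for the bank transfer, with account numbers, balances and the `login`, `transfer` and `demo` functions all constructed for illustration. The token check uses a constant-time comparison, and the `Set-Cookie` attributes show the defences that address the HTTPS slide.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed state for the example: server-side sessions keyed by the cookie
# value, and two account balances.
SESSIONS = {}
BALANCES = {"12345": 500, "67890": 0}


def login(account):
    """Create a session after a successful login and return the cookie value.

    The value itself means nothing; it is only a lookup key into SESSIONS, so
    it has to be unguessable (secrets, not a counter or a timestamp)."""
    session_id = secrets.token_hex(16)  # 128 random bits
    SESSIONS[session_id] = {
        "account": account,
        # Per-session CSRF token. Only a page served to this user carries it,
        # so a request forged from another site cannot include it.
        "csrf_token": secrets.token_hex(16),
    }
    return session_id


def set_cookie_header(session_id):
    """Response header that issues the cookie from slide 9. Secure keeps it off
    plain HTTP (the hijacking risk of slides 11-13), HttpOnly keeps page
    scripts from reading it, SameSite=Lax stops most cross-site sends."""
    return f"Set-Cookie: PHPSESSID={session_id}; Secure; HttpOnly; SameSite=Lax; Path=/"


def hidden_input(session_id):
    """The hidden form field from slide 24, filled with this session's token."""
    token = SESSIONS[session_id]["csrf_token"]
    return f'<input type="hidden" name="csrfTokenHidden" value="{token}" id="csrfTokenHidden">'


def cookie_value(cookie_header, name):
    """Pull one cookie out of a 'name=value; name2=value2' Cookie header."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def transfer(cookie_header, url):
    """Handle the slide 20/23 URL: /money/transfer?to=&amount=&token=.

    Returns an HTTP-style status string. The browser attaches the cookie to a
    forged request automatically, so the cookie alone says nothing about who
    built the request; the token check is what separates the two cases."""
    session = SESSIONS.get(cookie_value(cookie_header, "PHPSESSID"))
    if session is None:
        return "401 not logged in"
    params = parse_qs(urlsplit(url).query)
    token = params.get("token", [""])[0]
    # Constant-time comparison so timing does not leak the token byte by byte.
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        return "403 missing or wrong CSRF token"
    to = params.get("to", [""])[0]
    try:
        amount = int(params.get("amount", ["0"])[0])
    except ValueError:
        return "400 bad amount"
    src = session["account"]
    if to not in BALANCES or amount <= 0 or BALANCES[src] < amount:
        return "400 bad transfer"
    BALANCES[src] -= amount
    BALANCES[to] += amount
    return "200 transferred"


def demo():
    """Log in account 12345, then try the forged URL (no token), the same URL
    with the real token, and the tokened URL with a guessed cookie value."""
    sid = login("12345")
    cookie = f"PHPSESSID={sid}"
    forged = "https://bank.com/money/transfer?to=67890&amount=100"
    legit = forged + "&token=" + SESSIONS[sid]["csrf_token"]
    return (transfer(cookie, forged),
            transfer(cookie, legit),
            transfer("PHPSESSID=5153d29ed84c4", legit))


if __name__ == "__main__":
    print(demo(), BALANCES)
```

The forged request is rejected with 403 even though it carries a valid session cookie, the tokened request succeeds, and a request with a made-up cookie never reaches the token check. Storing the token server-side per session (rather than in a second cookie) is what keeps a cross-site page from obtaining it.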

  25. http://cse1.net/lecture6

  26. XSS

  27. Tommy

  28. (image only)

  29. Ka-Boom.

  30. http://cse1.net/lecture6

  31. Databases

  32. Name          DOB        Color   Preference
    Shocked Cat   3/17/2010  white   indoor
    Grumpy Cat    4/4/2012   white   indoor
    Keyboard Cat  1/1/1984   orange  outdoor

  33. SQL

  34. SELECT name FROM cats

  35. SELECT * FROM cats WHERE
    preference = 'indoor'

  36. INSERT INTO cats
    (name, dob, color, preference)
    VALUES ('Maru', '2008-06-01', 'gray', 'indoor')

  37. UPDATE cats SET name =
    'shocked' WHERE name = 'Maru'

  38. DELETE FROM cats
    WHERE name = 'Maru'

  39. CRUD

  40. Create
    Read
    Update
    Delete

  41. INSERT
    SELECT
    UPDATE
    DELETE

  42. SELECT * FROM profiles
    WHERE username = 'zuck'

  43. I would like __ cheeseburgers
    cooked ____ and
    topped with ________.

  44. I would like 2 cheeseburgers
    cooked medium-well and
    topped with lettuce.

  45. I would like 2 cheeseburgers
    cooked and then thrown at the
    nearest customer's head and
    topped with lettuce.

  46. Injection

  47. SELECT * FROM profiles
    WHERE username = '______'

  48. ' OR '1' = '1

  49. SELECT * FROM profiles
    WHERE username = '' OR '1' = '1'

  50. Ka-Boom.

  51. Authentication

  52. SELECT * FROM users
    WHERE username = '_____'
    AND password = '_____'

  53. SELECT * FROM users
    WHERE username = 'rj'
    AND password = '' OR '1' = '1'

  54. Ka-Boom.

  55. '; DELETE FROM profiles; --

  56. SELECT * FROM profiles
    WHERE username = '';
    DELETE FROM profiles; --'

  57. (image only)

  58. Sanitizing Input

  59. SELECT * FROM profiles WHERE
    username = '\' OR \'1\' = \'1'
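Slides 42 through 59 fill the blank in a query with user input and show what happens when that input contains a quote. The following is an added example, not code from the lecture: the profiles and users lookups run against an in-memory SQLite database, once by pasting the input into the SQL text (the slide 47 blank) and once with a bound parameter, which is the fix that makes the backslash-escaping of slide 59 unnecessary. Table contents, the `make_db` helper and the `demo` function are constructed for illustration; note that SQLite escapes quotes by doubling them, so the backslash form on slide 59 is specific to other drivers and is not reproduced here.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows for the
    profiles and users tables the slides query."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE profiles (username TEXT, bio TEXT);
        INSERT INTO profiles VALUES ('zuck', 'founder'),
                                    ('rj', 'student'),
                                    ('tommy', 'teaching fellow');
        CREATE TABLE users (username TEXT, password TEXT);
        -- Passwords are stored in the clear only to match the slide;
        -- a real system stores a salted hash instead.
        INSERT INTO users VALUES ('rj', 'correct horse'), ('zuck', 'hunter2');
    """)
    return db


def lookup_vulnerable(db, username):
    """Slide 47: the blank is filled by pasting the input into the SQL text,
    so a quote in the input ends the string literal and the rest is SQL."""
    sql = "SELECT username FROM profiles WHERE username = '" + username + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db, username):
    """Same query with a bound parameter: the driver hands the value to the
    engine separately, so quotes in it are data, never syntax."""
    sql = "SELECT username FROM profiles WHERE username = ?"
    return [row[0] for row in db.execute(sql, (username,))]


def login_vulnerable(db, username, password):
    """Slide 52 with string pasting. AND binds tighter than OR, so the
    injected OR '1' = '1' makes the WHERE clause true for every row."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return [row[0] for row in db.execute(sql)]


def login_safe(db, username, password):
    """Slide 52 with two bound parameters."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]


def demo():
    """Run the slide 48 and slide 55 inputs through both versions."""
    db = make_db()
    quote_payload = "' OR '1' = '1"
    stacked_payload = "'; DELETE FROM profiles; --"
    results = {
        "lookup_vulnerable": sorted(lookup_vulnerable(db, quote_payload)),
        "lookup_safe": lookup_safe(db, quote_payload),
        "login_vulnerable": sorted(login_vulnerable(db, "rj", quote_payload)),
        "login_safe": login_safe(db, "rj", quote_payload),
        # The parameterized query looks for a user literally named
        # "'; DELETE FROM profiles; --", finds none, and deletes nothing.
        "stacked_safe": lookup_safe(db, stacked_payload),
    }
    results["profiles_left"] = db.execute(
        "SELECT count(*) FROM profiles").fetchone()[0]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The pasted version returns every profile for the slide 48 input and logs "rj" in without the password; the parameterized versions return nothing for the same inputs, and the profiles table keeps all its rows after the slide 55 input. Parameter binding also removes the need to track which characters a given database's escaping covers.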

  60. Permissions

  61. http://cse1.net/lecture6

  62. Encrypting Text

  63. Caesar Cipher

  64. ABCDEFGHIJKLMNOPQRSTUVWXYZ
    NOPQRSTUVWXYZABCDEFGHIJKLM

  65. ROT13

  66. banana

  67. onanan

  68. Brute-Force Attack

  69. ROT26

  70. Vigenère Cipher

  71. banana
    + 246246

  72. banana
    + 246246
    detcrg

  73. banana
    + cegceg
    detcrg

  74. Plaintext: computer
    Key: benrj

  75. computer
    + benrjben

  76. computer
    + benrjben
    dszgduie
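Slides 63 through 76 work the Caesar, ROT13 and Vigenère ciphers by hand. The following is an added example, not code from the lecture, that implements all three with the slides' own inputs (banana with shift 13, banana with key 246246 or cegceg, computer with key benrj) and adds the 26-shift brute force that slide 68 refers to. Letter arithmetic is mod 26 on lowercase a-z; non-letters pass through unchanged, which is a choice of this example rather than anything the slides specify.

```python
import string

ALPHABET = string.ascii_lowercase


def caesar(text, shift):
    """Shift every letter by `shift` places, wrapping around (slide 64 is
    shift 13). Non-letters pass through unchanged."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def rot13(text):
    """ROT13 is Caesar with shift 13; applying it twice gives the input back."""
    return caesar(text, 13)


def key_shifts(key):
    """Accept the key as letters ("cegceg", slide 73) or digits ("246246",
    slide 71); both mean the shifts [2, 4, 6, 2, 4, 6]."""
    if key.isdigit():
        return [int(d) for d in key]
    return [ALPHABET.index(k) for k in key.lower()]


def vigenere(text, key, decrypt=False):
    """Vigenère: the i-th letter is shifted by the i-th key shift, the key
    repeating as needed (slide 75 pads "benrj" out to "benrjben")."""
    shifts = key_shifts(key)
    out, i = [], 0
    for ch in text.lower():
        if ch in ALPHABET:
            s = shifts[i % len(shifts)]
            s = -s if decrypt else s
            out.append(ALPHABET[(ALPHABET.index(ch) + s) % 26])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def brute_force_caesar(ciphertext):
    """Slide 68: with only 26 possible keys, trying them all is the attack.
    Returns every candidate plaintext keyed by shift; shift 0 (ROT26,
    slide 69) leaves the text exactly as it is."""
    return {shift: caesar(ciphertext, -shift) for shift in range(26)}


if __name__ == "__main__":
    print(rot13("banana"))                 # onanan
    print(vigenere("banana", "246246"))    # detcrg
    print(vigenere("computer", "benrj"))   # dszgduie
    for shift, candidate in brute_force_caesar("onanan").items():
        print(shift, candidate)
```

The brute-force table is the point of slides 68 and 69: a Caesar key space of 26 fits on one screen, and the Vigenère key only multiplies that by the key length, so neither survives an attacker who can simply enumerate keys.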

  77. Symmetric-Key Cryptography

  78. (image only)

  79. Asymmetric-Key Cryptography

  80. Public/Private Keys

  81. (image only)

  82. Trapdoor One-Way Function

  83. 2459 * 8863 = 21794117

  84. Factor 21794117

  85. RSA

  86. Diffie-Hellman
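Slides 82 through 86 introduce the trapdoor one-way function (multiplying 2459 by 8863 is easy, factoring 21794117 is the hard direction), RSA and Diffie-Hellman. The following is an added example, not code from the lecture: a toy RSA key pair built from the two primes on slide 83, a trial-division factoring routine for the slide 84 direction, and a small Diffie-Hellman exchange with constructed parameters (p=23, g=5, private exponents 6 and 15). Textbook RSA on integers is shown exactly as the lecture describes it; real deployments add padding (OAEP) and use primes hundreds of digits long, which is what makes `smallest_factor` infeasible there.

```python
from math import gcd, isqrt


def smallest_factor(n):
    """Trial division: the hard direction of slide 84. Quick for a product of
    two four-digit primes, infeasible for the sizes real RSA uses, which is
    the whole point of the trapdoor."""
    for d in range(2, isqrt(n) + 1):
        if n % d == 0:
            return d
    return n


def rsa_keygen(p, q, e=65537):
    """Build a toy RSA key pair from two primes (here the slide 83 primes).
    The public key (n, e) can be handed out; d stays private."""
    n = p * q
    phi = (p - 1) * (q - 1)  # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), d


def rsa_encrypt(public_key, m):
    """Anyone with the public key can do this."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def rsa_decrypt(private_exponent, public_key, c):
    """Only the holder of d can undo rsa_encrypt without factoring n."""
    n, _ = public_key
    return pow(c, private_exponent, n)


def diffie_hellman(p, g, a, b):
    """Slide 86: each side keeps a private exponent (a, b), publishes
    g^a mod p and g^b mod p, and both arrive at g^(ab) mod p.
    Returns (alice_secret, bob_secret), which should be equal."""
    A = pow(g, a, p)  # Alice sends this in the clear
    B = pow(g, b, p)  # Bob sends this in the clear
    return pow(B, a, p), pow(A, b, p)


def demo():
    """RSA round trip with the slide 83 primes, the factoring step, and a
    Diffie-Hellman exchange on constructed small parameters."""
    public_key, d = rsa_keygen(2459, 8863)  # n = 21794117, from slide 83
    m = 1234
    c = rsa_encrypt(public_key, m)
    return {
        "n": public_key[0],
        "ciphertext": c,
        "roundtrip": rsa_decrypt(d, public_key, c),
        "factor": smallest_factor(public_key[0]),
        "dh": diffie_hellman(23, 5, 6, 15),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With four-digit primes `smallest_factor` recovers 2459 in a few thousand divisions, after which (p-1)(q-1) and therefore d follow immediately; the security of the real scheme rests entirely on that step being out of reach for a 2048-bit n. The Diffie-Hellman call returns the same value on both sides even though only g^a and g^b ever crossed the wire.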

  87. Computer Science E-1
    Lecture 6: Security