- losing your credientals
- losing sensitive data passwords, username, addresses (=database stolen from an organization)
- losing personal, sensitive information (e.g. tell that you are on a holiday, and all goods will be stolen from your home) (to put it simply: losing money)
- "false identity" --> using someones social security id / credit card
- govermental / municipal information might be sensitive: e.g. information on social welfare & medical records
- denial-of-service -attack --> service down
- social aspects of the web: misuse of public information
- losing your business!
- how to secure the information?
- securing the data
- data encryption: securing all the information stored in a server
- data backups(!)
- data replication --> performance, safety
- security threat: insecure user interface, user interaction
- form / input field validation
- firewall (!): inspecting and blocking the connections to the organization network
- HTTPS: HTTP secure
- encrypting the connection
- two parts you should know:
- who you are communicating with?
- certificates, provided certificate authority (CA)
- CA: third party for ensuring that website is known and really the one who it states to be
- how to communicate in secure way
- web cryptography
- public key infrastructure (PKI)
- public key + private key
- private key: your own secret
- public key: counterpart, shared public identifier for the private key
- SECRET MESSAGING (metaphor: public mailbox):
- encrypt message with public key
- encrypted message can be decrypted / opened ONLY with the corresponding private key
- DIGITAL SIGNATURE (hot wax for sealing an envelope):
- how to provide authenticity of a message?
- encrypt message with private key
- decrypt with public key
- if decryption is possible, message was sent by the one having the (corresponding) private key
- who you are communicating with?
Practical applications of the public-private key -framework
- authentication services
- central authentication service, CAS
- identity provider
- authorization: what information is given to other parties
- temporal access for resources, e.g. give a mashup a permission to access my instagram photos for a day
- protocol: OAuth