Network Security
Nguyễn Duy

Outline
Overview HTTP
Session Hijacking
SQL Injection
Denial of Service
SSL Architecture
Overview HTTP
A Web page consists of objects. An object can be an HTML file, a JPEG image, a Java applet, an audio file, ...
A Web page consists of a base HTML file which includes several referenced objects.
Each object is addressable by a URL.
Example URL: www.uit.edu.vn/someDept/pic.gif, where www.uit.edu.vn is the host name and /someDept/pic.gif is the path name.
Overview HTTP
HTTP: hypertext transfer protocol, the Web's application-layer protocol.
Client/server model:
client: browser that requests, receives, and displays Web objects
server: Web server that sends objects in response to requests
Overview HTTP
[Figure: client/server model. HTTP clients: a PC running Explorer and a Mac running Navigator; HTTP server: a server running Apache Web server.]
Overview HTTP
HTTP uses TCP:
client initiates TCP connection (creates socket) to server, port 80
server accepts TCP connection from client
HTTP messages (application-layer protocol messages) exchanged between browser (HTTP client) and Web server (HTTP server)
TCP connection closed
HTTP is stateless
HTTP Connection
Nonpersistent HTTP: at most one object is sent over a TCP connection. HTTP/1.0 uses nonpersistent HTTP.
Persistent HTTP: multiple objects can be sent over a single TCP connection between client and server. HTTP/1.1 uses persistent connections in default mode.
Non-persistent HTTP
URL: www.uit.edu.vn/someDepartment/home.index (contains text, references to 10 jpeg images)
1a. HTTP client initiates TCP connection to HTTP server (process) at www.someSchool.edu on port 80
HTTP server at www.someSchool.edu waiting for TCP connection at port 80 accepts connection, notifying client
Persistent HTTP
Nonpersistent HTTP issues:
requires 2 RTTs per object
OS overhead for each TCP connection
browsers often open parallel TCP connections to fetch referenced objects
Persistent HTTP:
server leaves connection open after sending response
subsequent HTTP messages between same client/server sent over open connection
HTTP message
Two types of HTTP messages: request, response
HTTP request message:
request line (GET, POST, HEAD commands)
header lines
carriage return, line feed indicates end of message
HTTP message
HTTP response message:
status line (protocol, status code, status phrase)
header lines
data, e.g., requested HTML file
Example response:
HTTP/1.1 200 OK
Connection: close
Date: Thu, 06 Aug 1998 12:00:15 GMT
Server: Apache/1.3.0 (Unix)
Last-Modified: Mon, 22 Jun 1998 ...
Content-Length: 6821
Content-Type: text/html
data data data data data ...
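The request and response formats described above, together with the persistent-connection case from the Persistent HTTP slide, as an added Python example that is not part of the original slides. It parses the request line or status line, the header lines, the blank line (CRLF CRLF) that ends the header block, and a Content-Length body, and then splits a byte stream that carries several responses back to back, which is exactly what one persistent TCP connection delivers. The sample messages are constructed for this example (reusing the slide's host name and Apache/1.3.0 Server header); the parser assumes Content-Length framing only and does not implement chunked transfer encoding.

```python
# Added example (not from the slides): parsing HTTP/1.x request and response
# messages and splitting a byte stream from a persistent connection into
# individual messages using Content-Length framing.
from dataclasses import dataclass

CRLF = b"\r\n"


class HttpParseError(ValueError):
    """Raised when a message violates the framing rules we enforce."""


@dataclass
class HttpMessage:
    start_line: str   # request line or status line
    headers: dict     # header name (lower-cased) -> value
    body: bytes


def parse_request_line(line):
    """'GET /path HTTP/1.1' -> ('GET', '/path', 'HTTP/1.1')."""
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise HttpParseError(f"bad request line: {line!r}")
    return parts[0], parts[1], parts[2]


def parse_status_line(line):
    """'HTTP/1.1 200 OK' -> ('HTTP/1.1', 200, 'OK')."""
    parts = line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise HttpParseError(f"bad status line: {line!r}")
    phrase = parts[2] if len(parts) == 3 else ""
    return parts[0], int(parts[1]), phrase


def parse_message(buf):
    """Parse one message from the front of buf.

    Returns (HttpMessage, remaining_bytes), or None when the buffer does not
    yet hold a complete message (header block or body still incomplete).
    """
    end = buf.find(CRLF + CRLF)  # the blank line terminates the header block
    if end == -1:
        return None
    lines = buf[:end].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise HttpParseError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        # Two differing Content-Length values make the framing ambiguous on a
        # shared connection; refuse the message rather than guess.
        if name == "content-length" and headers.get(name, value) != value:
            raise HttpParseError("conflicting Content-Length headers")
        headers[name] = value
    length_text = headers.get("content-length", "0")
    if not length_text.isdigit():
        raise HttpParseError(f"invalid Content-Length: {length_text!r}")
    length = int(length_text)
    body_start = end + len(CRLF + CRLF)
    if len(buf) < body_start + length:
        return None  # body not fully received yet
    body = buf[body_start:body_start + length]
    return HttpMessage(lines[0], headers, body), buf[body_start + length:]


def parse_stream(buf):
    """Split a stream carrying back-to-back messages (persistent connection).

    Returns (messages, leftover_bytes); leftover is any incomplete tail.
    """
    messages = []
    while True:
        result = parse_message(buf)
        if result is None:
            return messages, buf
        message, buf = result
        messages.append(message)


# Constructed sample: a request as a browser would send it.
SAMPLE_REQUEST = (
    b"GET /someDepartment/home.index HTTP/1.1\r\n"
    b"Host: www.uit.edu.vn\r\n"
    b"Connection: keep-alive\r\n"
    b"\r\n"
)

# Constructed sample: two responses delivered back to back over one
# persistent connection; only Content-Length tells where each one ends.
SAMPLE_PERSISTENT = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.0 (Unix)\r\n"
    b"Content-Length: 14\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>1</html>"
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/1.3.0 (Unix)\r\n"
    b"Content-Length: 14\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>2</html>"
)

# Constructed sample: ambiguous framing that the parser must reject.
SAMPLE_AMBIGUOUS = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 14\r\n"
    b"Content-Length: 3\r\n"
    b"\r\n"
    b"<html>1</html>"
)

if __name__ == "__main__":
    request, _ = parse_message(SAMPLE_REQUEST)
    print(parse_request_line(request.start_line), request.headers)
    responses, leftover = parse_stream(SAMPLE_PERSISTENT)
    print([parse_status_line(r.start_line) for r in responses], leftover)
```

Because a persistent connection has no "connection closed" signal separating responses, the only thing that tells the client where one message ends and the next begins is the header framing; that is why the parser treats a missing blank line or a short body as "wait for more bytes" and treats conflicting Content-Length values as a hard error instead of picking one.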
Session Hijacking
SQL Injection
Denial of Service
SSL Architecture
Handshake Protocol
The most complex part of SSL.
Allows the server and client to authenticate each other.
Negotiates the encryption algorithm, MAC algorithm, and cryptographic keys.
Used before any application data are transmitted.
Questions?