http://wiki.cas.mcmaster.ca/index.php?feed=atom&target=Manselnj&title=Special%3AContributionsComputing and Software Wiki - User contributions [en]2026-04-15T01:23:49ZFrom Computing and Software WikiMediaWiki 1.15.1http://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-14T02:52:23Z<p>Manselnj: </p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=Security=<br />
There are several ways in which security is a major concern when using the X Windowing system. These can concerns can be broken up into two major categories: interception of communications between the X client and X host, and having a malignant client connect to your host. The communication security can be handled by tunneling the communication between the X host and X client through a more secure protocol such as ssh. The malignant client concern can be handled by using tools distributed with the X Windowing system: XAuth and XHosts.<br />
==Communication Security and Tunneling Through SSH==<br />
Depending on how an X Client connects to an X Host, there can be some major security issues. When used by itself through a non-secure connection, the X Windowing system will send all of it's data unencrypted across the network you are using. Depending how many people have access to the network, this can be a huge security issue. Everything from passwords to possibly confidential documents are sent essentially unencrypted across the network which allows anyone to view them. <br />
<BR> One possible solution to this problem is to tunnel through a more secure communication medium, such as ssh. By embedding X Window messages in SSH datagrams, the X Window messages will then be encrypted within the SSH message. To see more on tunneling, please see one of the following articles: [[Applications_of_SSH#SSH_Tunneling | Applications of SSH]], [[SSH Tunneling]]<br />
<br />
==XAuth==<br />
One utility to help with security which comes with the X Windowing system is xauth. This tool operates works with MIT Magic Cookies. The way it works is when you start up an X Windowing host, it will create a Magic Cookie which is just a hexidecimal string. This cookie is stored in the file $HOME/.Xauthority of the client machine. This file contains a list of hosts, displays and magic cookies. When the client connects to the host on a specific display, it sends the corresponding Magic Cookie. If the Magic Cookie matches the host's cookie, then the host accepts the connection.<br />
<br />
==XHosts==<br />
Another utility to help with security of the X Windowing system is the xhost tool. This tool operates in two modes called plus(+) and minus (-). Plus mode will allow any X Client to connect to the X Host. Obviously this is a very insecure mode. A more secure mode is the minus mode. Using this mode, only hosts on the trusted list are allowed to connect. Hosts can be added and removed from the trusted list through xauth +/-<host name>. <br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
# [http://www.xfree86.org/4.4.0/xauth.1.html http://www.xfree86.org/4.4.0/xauth.1.html]<br />
# [http://www.xfree86.org/current/xhost.1.html http://www.xfree86.org/current/xhost.1.html]<br />
# [http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html]<br />
# [http://www.xfree86.org/current/Xsecurity.7.html http://www.xfree86.org/current/Xsecurity.7.html]<br />
<br />
=External Links=<br />
* [http://www.xfree86.org/ http://www.xfree86.org/]<br />
* [http://www.x.org/wiki/ http://www.x.org/wiki/]<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-14T02:50:02Z<p>Manselnj: /* XHosts */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=Security=<br />
There are several ways in which security is a major concern when using the X Windowing system. These can concerns can be broken up into two major categories: interception of communications between the X client and X host, and having a malignant client connect to your host. The communication security can be handled by tunneling the communication between the X host and X client through a more secure protocol such as ssh. The malignant client concern can be handled by using tools distributed with the X Windowing system: XAuth and XHosts.<br />
==Communication Security and Tunneling Through SSH==<br />
Depending on how an X Client connects to an X Host, there can be some major security issues. When used by itself through a non-secure connection, the X Windowing system will send all of it's data unencrypted across the network you are using. Depending how many people have access to the network, this can be a huge security issue. Everything from passwords to possibly confidential documents are sent essentially unencrypted across the network which allows anyone to view them. <br />
<BR> One possible solution to this problem is to tunnel through a more secure communication medium, such as ssh. By embedding X Window messages in SSH datagrams, the X Window messages will then be encrypted within the SSH message. To see more on tunneling, please see one of the following articles: [[Applications_of_SSH#SSH_Tunneling | Applications of SSH]], [[SSH Tunneling]]<br />
<br />
==XAuth==<br />
One utility to help with security which comes with the X Windowing system is xauth. This tool operates works with MIT Magic Cookies. The way it works is when you start up an X Windowing host, it will create a Magic Cookie which is just a hexidecimal string. This cookie is stored in the file $HOME/.Xauthority of the client machine. This file contains a list of hosts, displays and magic cookies. When the client connects to the host on a specific display, it sends the corresponding Magic Cookie. If the Magic Cookie matches the host's cookie, then the host accepts the connection.<br />
<br />
==XHosts==<br />
Another utility to help with security of the X Windowing system is the xhost tool. This tool operates in two modes called plus(+) and minus (-). Plus mode will<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
# [http://www.xfree86.org/4.4.0/xauth.1.html http://www.xfree86.org/4.4.0/xauth.1.html]<br />
# [http://www.xfree86.org/current/xhost.1.html http://www.xfree86.org/current/xhost.1.html]<br />
# [http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html]<br />
# [http://www.xfree86.org/current/Xsecurity.7.html http://www.xfree86.org/current/Xsecurity.7.html]<br />
<br />
=External Links=<br />
* [http://www.xfree86.org/ http://www.xfree86.org/]<br />
* [http://www.x.org/wiki/ http://www.x.org/wiki/]<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-14T02:15:42Z<p>Manselnj: /* XAuth */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=Security=<br />
There are several ways in which security is a major concern when using the X Windowing system. These can concerns can be broken up into two major categories: interception of communications between the X client and X host, and having a malignant client connect to your host. The communication security can be handled by tunneling the communication between the X host and X client through a more secure protocol such as ssh. The malignant client concern can be handled by using tools distributed with the X Windowing system: XAuth and XHosts.<br />
==Communication Security and Tunneling Through SSH==<br />
Depending on how an X Client connects to an X Host, there can be some major security issues. When used by itself through a non-secure connection, the X Windowing system will send all of it's data unencrypted across the network you are using. Depending how many people have access to the network, this can be a huge security issue. Everything from passwords to possibly confidential documents are sent essentially unencrypted across the network which allows anyone to view them. <br />
<BR> One possible solution to this problem is to tunnel through a more secure communication medium, such as ssh. By embedding X Window messages in SSH datagrams, the X Window messages will then be encrypted within the SSH message. To see more on tunneling, please see one of the following articles: [[Applications_of_SSH#SSH_Tunneling | Applications of SSH]], [[SSH Tunneling]]<br />
<br />
==XAuth==<br />
One utility to help with security which comes with the X Windowing system is xauth. This tool operates works with MIT Magic Cookies. The way it works is when you start up an X Windowing host, it will create a Magic Cookie which is just a hexidecimal string. This cookie is stored in the file $HOME/.Xauthority of the client machine. This file contains a list of hosts, displays and magic cookies. When the client connects to the host on a specific display, it sends the corresponding Magic Cookie. If the Magic Cookie matches the host's cookie, then the host accepts the connection.<br />
<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
# [http://www.xfree86.org/4.4.0/xauth.1.html http://www.xfree86.org/4.4.0/xauth.1.html]<br />
# [http://www.xfree86.org/current/xhost.1.html http://www.xfree86.org/current/xhost.1.html]<br />
# [http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html]<br />
# [http://www.xfree86.org/current/Xsecurity.7.html http://www.xfree86.org/current/Xsecurity.7.html]<br />
<br />
=External Links=<br />
* [http://www.xfree86.org/ http://www.xfree86.org/]<br />
* [http://www.x.org/wiki/ http://www.x.org/wiki/]<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-14T01:34:49Z<p>Manselnj: /* XAuth */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=Security=<br />
There are several ways in which security is a major concern when using the X Windowing system. These can concerns can be broken up into two major categories: interception of communications between the X client and X host, and having a malignant client connect to your host. The communication security can be handled by tunneling the communication between the X host and X client through a more secure protocol such as ssh. The malignant client concern can be handled by using tools distributed with the X Windowing system: XAuth and XHosts.<br />
==Communication Security and Tunneling Through SSH==<br />
Depending on how an X Client connects to an X Host, there can be some major security issues. When used by itself through a non-secure connection, the X Windowing system will send all of it's data unencrypted across the network you are using. Depending how many people have access to the network, this can be a huge security issue. Everything from passwords to possibly confidential documents are sent essentially unencrypted across the network which allows anyone to view them. <br />
<BR> One possible solution to this problem is to tunnel through a more secure communication medium, such as ssh. By embedding X Window messages in SSH datagrams, the X Window messages will then be encrypted within the SSH message. To see more on tunneling, please see one of the following articles: [[Applications_of_SSH#SSH_Tunneling | Applications of SSH]], [[SSH Tunneling]]<br />
<br />
==XAuth==<br />
One utility to help with security which comes with the X Windowing system is xauth. This tool operates works with MIT Magic Cookies. The way it works is when you start up an X Windowing host, it will create a Magic Cookie which is just a hexidecimal string. This cookie is stored in the<br />
<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
# [http://www.xfree86.org/4.4.0/xauth.1.html http://www.xfree86.org/4.4.0/xauth.1.html]<br />
# [http://www.xfree86.org/current/xhost.1.html http://www.xfree86.org/current/xhost.1.html]<br />
# [http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html]<br />
# [http://www.xfree86.org/current/Xsecurity.7.html http://www.xfree86.org/current/Xsecurity.7.html]<br />
<br />
=External Links=<br />
* [http://www.xfree86.org/ http://www.xfree86.org/]<br />
* [http://www.x.org/wiki/ http://www.x.org/wiki/]<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-14T01:31:30Z<p>Manselnj: </p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=Security=<br />
There are several ways in which security is a major concern when using the X Windowing system. These can concerns can be broken up into two major categories: interception of communications between the X client and X host, and having a malignant client connect to your host. The communication security can be handled by tunneling the communication between the X host and X client through a more secure protocol such as ssh. The malignant client concern can be handled by using tools distributed with the X Windowing system: XAuth and XHosts.<br />
==Communication Security and Tunneling Through SSH==<br />
Depending on how an X Client connects to an X Host, there can be some major security issues. When used by itself through a non-secure connection, the X Windowing system will send all of it's data unencrypted across the network you are using. Depending how many people have access to the network, this can be a huge security issue. Everything from passwords to possibly confidential documents are sent essentially unencrypted across the network which allows anyone to view them. <br />
<BR> One possible solution to this problem is to tunnel through a more secure communication medium, such as ssh. By embedding X Window messages in SSH datagrams, the X Window messages will then be encrypted within the SSH message. To see more on tunneling, please see one of the following articles: [[Applications_of_SSH#SSH_Tunneling | Applications of SSH]], [[SSH Tunneling]]<br />
<br />
==XAuth==<br />
<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
# [http://www.xfree86.org/4.4.0/xauth.1.html http://www.xfree86.org/4.4.0/xauth.1.html]<br />
# [http://www.xfree86.org/current/xhost.1.html http://www.xfree86.org/current/xhost.1.html]<br />
# [http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html]<br />
# [http://www.xfree86.org/current/Xsecurity.7.html http://www.xfree86.org/current/Xsecurity.7.html]<br />
<br />
=External Links=<br />
* [http://www.xfree86.org/ http://www.xfree86.org/]<br />
* [http://www.x.org/wiki/ http://www.x.org/wiki/]<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-14T01:31:10Z<p>Manselnj: /* External Links */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=== Authorization Protocols ===<br />
====MIT Magic-Cookie-1====<br />
====XDM Authorization====<br />
=Security=<br />
There are several ways in which security is a major concern when using the X Windowing system. These can concerns can be broken up into two major categories: interception of communications between the X client and X host, and having a malignant client connect to your host. The communication security can be handled by tunneling the communication between the X host and X client through a more secure protocol such as ssh. The malignant client concern can be handled by using tools distributed with the X Windowing system: XAuth and XHosts.<br />
==Communication Security and Tunneling Through SSH==<br />
Depending on how an X Client connects to an X Host, there can be some major security issues. When used by itself through a non-secure connection, the X Windowing system will send all of it's data unencrypted across the network you are using. Depending how many people have access to the network, this can be a huge security issue. Everything from passwords to possibly confidential documents are sent essentially unencrypted across the network which allows anyone to view them. <br />
<BR> One possible solution to this problem is to tunnel through a more secure communication medium, such as ssh. By embedding X Window messages in SSH datagrams, the X Window messages will then be encrypted within the SSH message. To see more on tunneling, please see one of the following articles: [[Applications_of_SSH#SSH_Tunneling | Applications of SSH]], [[SSH Tunneling]]<br />
<br />
==XAuth==<br />
<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
# [http://www.xfree86.org/4.4.0/xauth.1.html http://www.xfree86.org/4.4.0/xauth.1.html]<br />
# [http://www.xfree86.org/current/xhost.1.html http://www.xfree86.org/current/xhost.1.html]<br />
# [http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html]<br />
# [http://www.xfree86.org/current/Xsecurity.7.html http://www.xfree86.org/current/Xsecurity.7.html]<br />
<br />
=External Links=<br />
* [http://www.xfree86.org/ http://www.xfree86.org/]<br />
* [http://www.x.org/wiki/ http://www.x.org/wiki/]<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-14T01:30:28Z<p>Manselnj: /* External Links */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=== Authorization Protocols ===<br />
====MIT Magic-Cookie-1====<br />
====XDM Authorization====<br />
=Security=<br />
There are several ways in which security is a major concern when using the X Windowing system. These can concerns can be broken up into two major categories: interception of communications between the X client and X host, and having a malignant client connect to your host. The communication security can be handled by tunneling the communication between the X host and X client through a more secure protocol such as ssh. The malignant client concern can be handled by using tools distributed with the X Windowing system: XAuth and XHosts.<br />
==Communication Security and Tunneling Through SSH==<br />
Depending on how an X Client connects to an X Host, there can be some major security issues. When used by itself through a non-secure connection, the X Windowing system will send all of it's data unencrypted across the network you are using. Depending how many people have access to the network, this can be a huge security issue. Everything from passwords to possibly confidential documents are sent essentially unencrypted across the network which allows anyone to view them. <br />
<BR> One possible solution to this problem is to tunnel through a more secure communication medium, such as ssh. By embedding X Window messages in SSH datagrams, the X Window messages will then be encrypted within the SSH message. To see more on tunneling, please see one of the following articles: [[Applications_of_SSH#SSH_Tunneling | Applications of SSH]], [[SSH Tunneling]]<br />
<br />
==XAuth==<br />
<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
# [http://www.xfree86.org/4.4.0/xauth.1.html http://www.xfree86.org/4.4.0/xauth.1.html]<br />
# [http://www.xfree86.org/current/xhost.1.html http://www.xfree86.org/current/xhost.1.html]<br />
# [http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html]<br />
# [http://www.xfree86.org/current/Xsecurity.7.html http://www.xfree86.org/current/Xsecurity.7.html]<br />
<br />
=External Links=<br />
* [http://www.xfree86.org/ http://www.xfree86.org/]<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-14T01:29:40Z<p>Manselnj: /* References */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=== Authorization Protocols ===<br />
====MIT Magic-Cookie-1====<br />
====XDM Authorization====<br />
=Security=<br />
There are several ways in which security is a major concern when using the X Windowing system. These can concerns can be broken up into two major categories: interception of communications between the X client and X host, and having a malignant client connect to your host. The communication security can be handled by tunneling the communication between the X host and X client through a more secure protocol such as ssh. The malignant client concern can be handled by using tools distributed with the X Windowing system: XAuth and XHosts.<br />
==Communication Security and Tunneling Through SSH==<br />
Depending on how an X Client connects to an X Host, there can be some major security issues. When used by itself through a non-secure connection, the X Windowing system will send all of it's data unencrypted across the network you are using. Depending how many people have access to the network, this can be a huge security issue. Everything from passwords to possibly confidential documents are sent essentially unencrypted across the network which allows anyone to view them. <br />
<BR> One possible solution to this problem is to tunnel through a more secure communication medium, such as ssh. By embedding X Window messages in SSH datagrams, the X Window messages will then be encrypted within the SSH message. To see more on tunneling, please see one of the following articles: [[Applications_of_SSH#SSH_Tunneling | Applications of SSH]], [[SSH Tunneling]]<br />
<br />
==XAuth==<br />
<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
# [http://www.xfree86.org/4.4.0/xauth.1.html http://www.xfree86.org/4.4.0/xauth.1.html]<br />
# [http://www.xfree86.org/current/xhost.1.html http://www.xfree86.org/current/xhost.1.html]<br />
# [http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html]<br />
# [http://www.xfree86.org/current/Xsecurity.7.html http://www.xfree86.org/current/Xsecurity.7.html]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-14T01:28:57Z<p>Manselnj: /* References */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=== Authorization Protocols ===<br />
====MIT Magic-Cookie-1====<br />
====XDM Authorization====<br />
=Security=<br />
There are several ways in which security is a major concern when using the X Windowing system. These can concerns can be broken up into two major categories: interception of communications between the X client and X host, and having a malignant client connect to your host. The communication security can be handled by tunneling the communication between the X host and X client through a more secure protocol such as ssh. The malignant client concern can be handled by using tools distributed with the X Windowing system: XAuth and XHosts.<br />
==Communication Security and Tunneling Through SSH==<br />
Depending on how an X Client connects to an X Host, there can be some major security issues. When used by itself through a non-secure connection, the X Windowing system will send all of it's data unencrypted across the network you are using. Depending how many people have access to the network, this can be a huge security issue. Everything from passwords to possibly confidential documents are sent essentially unencrypted across the network which allows anyone to view them. <br />
<BR> One possible solution to this problem is to tunnel through a more secure communication medium, such as ssh. By embedding X Window messages in SSH datagrams, the X Window messages will then be encrypted within the SSH message. To see more on tunneling, please see one of the following articles: [[Applications_of_SSH#SSH_Tunneling | Applications of SSH]], [[SSH Tunneling]]<br />
<br />
==XAuth==<br />
<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
# [http://www.xfree86.org/4.4.0/xauth.1.html]<br />
# [http://www.xfree86.org/current/xhost.1.html]<br />
# [http://ptolemy.eecs.berkeley.edu/~cxh/sapub/Xsecurity.html]<br />
# [http://www.xfree86.org/current/Xsecurity.7.html]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-14T01:15:16Z<p>Manselnj: /* Communication Security and Tunneling Through SSH */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=== Authorization Protocols ===<br />
====MIT Magic-Cookie-1====<br />
====XDM Authorization====<br />
=Security=<br />
There are several ways in which security is a major concern when using the X Windowing system. These can concerns can be broken up into two major categories: interception of communications between the X client and X host, and having a malignant client connect to your host. The communication security can be handled by tunneling the communication between the X host and X client through a more secure protocol such as ssh. The malignant client concern can be handled by using tools distributed with the X Windowing system: XAuth and XHosts.<br />
==Communication Security and Tunneling Through SSH==<br />
Depending on how an X Client connects to an X Host, there can be some major security issues. When used by itself through a non-secure connection, the X Windowing system will send all of it's data unencrypted across the network you are using. Depending how many people have access to the network, this can be a huge security issue. Everything from passwords to possibly confidential documents are sent essentially unencrypted across the network which allows anyone to view them. <br />
<BR> One possible solution to this problem is to tunnel through a more secure communication medium, such as ssh. By embedding X Window messages in SSH datagrams, the X Window messages will then be encrypted within the SSH message. To see more on tunneling, please see one of the following articles: [[Applications_of_SSH#SSH_Tunneling | Applications of SSH]], [[SSH Tunneling]]<br />
<br />
==XAuth==<br />
<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-14T01:14:02Z<p>Manselnj: /* Communication Security and Tunneling Through SSH */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=== Authorization Protocols ===<br />
====MIT Magic-Cookie-1====<br />
====XDM Authorization====<br />
=Security=<br />
There are several ways in which security is a major concern when using the X Windowing system. These can concerns can be broken up into two major categories: interception of communications between the X client and X host, and having a malignant client connect to your host. The communication security can be handled by tunneling the communication between the X host and X client through a more secure protocol such as ssh. The malignant client concern can be handled by using tools distributed with the X Windowing system: XAuth and XHosts.<br />
==Communication Security and Tunneling Through SSH==<br />
Depending on how an X Client connects to an X Host, there can be some major security issues. When used by itself through a non-secure connection, the X Windowing system will send all of it's data unencrypted across the network you are using. Depending how many people have access to the network, this can be a huge security issue. Everything from passwords to possibly confidential documents are sent essentially unencrypted across the network which allows anyone to view them. <br />
<BR> One possible solution to this problem is to tunnel through a more secure communication medium, such as ssh. To see more on tunneling, please see one of the following articles: [[Applications_of_SSH#SSH_Tunneling | Applications of SSH]], [[SSH Tunneling]]<br />
<br />
==XAuth==<br />
<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-14T01:13:51Z<p>Manselnj: /* Communication Security and Tunneling Through SSH */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=== Authorization Protocols ===<br />
====MIT Magic-Cookie-1====<br />
====XDM Authorization====<br />
=Security=<br />
There are several ways in which security is a major concern when using the X Windowing system. These can concerns can be broken up into two major categories: interception of communications between the X client and X host, and having a malignant client connect to your host. The communication security can be handled by tunneling the communication between the X host and X client through a more secure protocol such as ssh. The malignant client concern can be handled by using tools distributed with the X Windowing system: XAuth and XHosts.<br />
==Communication Security and Tunneling Through SSH==<br />
<P> Depending on how an X Client connects to an X Host, there can be some major security issues. When used by itself through a non-secure connection, the X Windowing system will send all of it's data unencrypted across the network you are using. Depending how many people have access to the network, this can be a huge security issue. Everything from passwords to possibly confidential documents are sent essentially unencrypted across the network which allows anyone to view them. <br />
<P> One possible solution to this problem is to tunnel through a more secure communication medium, such as ssh. To see more on tunneling, please see one of the following articles: [[Applications_of_SSH#SSH_Tunneling | Applications of SSH]], [[SSH Tunneling]]<br />
<br />
==XAuth==<br />
<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-14T01:13:18Z<p>Manselnj: /* Communication Security and Tunneling Through SSH */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=== Authorization Protocols ===<br />
====MIT Magic-Cookie-1====<br />
====XDM Authorization====<br />
=Security=<br />
There are several ways in which security is a major concern when using the X Windowing system. These can concerns can be broken up into two major categories: interception of communications between the X client and X host, and having a malignant client connect to your host. The communication security can be handled by tunneling the communication between the X host and X client through a more secure protocol such as ssh. The malignant client concern can be handled by using tools distributed with the X Windowing system: XAuth and XHosts.<br />
==Communication Security and Tunneling Through SSH==<br />
<P>Depending on how an X Client connects to an X Host, there can be some major security issues. When used by itself through a non-secure connection, the X Windowing system will send all of it's data unencrypted across the network you are using. Depending how many people have access to the network, this can be a huge security issue. Everything from passwords to possibly confidential documents are sent essentially unencrypted across the network which allows anyone to view them. <br />
<P>One possible solution to this problem is to tunnel through a more secure communication medium, such as ssh. To see more on tunneling, please see one of the following articles: [[Applications_of_SSH#SSH_Tunneling | Applications of SSH]], [[SSH Tunneling]]<br />
<br />
==XAuth==<br />
<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-14T01:12:53Z<p>Manselnj: /* Communication Security and Tunneling Through SSH */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=== Authorization Protocols ===<br />
====MIT Magic-Cookie-1====<br />
====XDM Authorization====<br />
=Security=<br />
There are several ways in which security is a major concern when using the X Windowing system. These can concerns can be broken up into two major categories: interception of communications between the X client and X host, and having a malignant client connect to your host. The communication security can be handled by tunneling the communication between the X host and X client through a more secure protocol such as ssh. The malignant client concern can be handled by using tools distributed with the X Windowing system: XAuth and XHosts.<br />
==Communication Security and Tunneling Through SSH==<br />
<P>Depending on how an X Client connects to an X Host, there can be some major security issues. When used by itself through a non-secure connection, the X Windowing system will send all of it's data unencrypted across the network you are using. Depending how many people have access to the network, this can be a huge security issue. Everything from passwords to possibly confidential documents are sent essentially unencrypted across the network which allows anyone to view them. <br />
<P>One possible solution to this problem is to tunnel through a more secure communication medium, such as ssh. To see more on tunneling, please see one of the following articles: [[Applications of SSH | Applications_of_SSH#SSH_Tunneling]], [[SSH Tunneling]]<br />
<br />
==XAuth==<br />
<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-14T01:12:38Z<p>Manselnj: /* Communication Security and Tunneling Through SSH */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=== Authorization Protocols ===<br />
====MIT Magic-Cookie-1====<br />
====XDM Authorization====<br />
=Security=<br />
There are several ways in which security is a major concern when using the X Windowing system. These can concerns can be broken up into two major categories: interception of communications between the X client and X host, and having a malignant client connect to your host. The communication security can be handled by tunneling the communication between the X host and X client through a more secure protocol such as ssh. The malignant client concern can be handled by using tools distributed with the X Windowing system: XAuth and XHosts.<br />
==Communication Security and Tunneling Through SSH==<br />
<P>Depending on how an X Client connects to an X Host, there can be some major security issues. When used by itself through a non-secure connection, the X Windowing system will send all of it's data unencrypted across the network you are using. Depending how many people have access to the network, this can be a huge security issue. Everything from passwords to possibly confidential documents are sent essentially unencrypted across the network which allows anyone to view them. <br />
<P>One possible solution to this problem is to tunnel through a more secure communication medium, such as ssh. To see more on tunneling, please see one of the following articles: [[Applications of SSH Applications_of_SSH#SSH_Tunneling]], [[SSH Tunneling]]<br />
<br />
==XAuth==<br />
<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-14T01:12:08Z<p>Manselnj: /* Communication Security and Tunneling Through SSH */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=== Authorization Protocols ===<br />
====MIT Magic-Cookie-1====<br />
====XDM Authorization====<br />
=Security=<br />
There are several ways in which security is a major concern when using the X Windowing system. These can concerns can be broken up into two major categories: interception of communications between the X client and X host, and having a malignant client connect to your host. The communication security can be handled by tunneling the communication between the X host and X client through a more secure protocol such as ssh. The malignant client concern can be handled by using tools distributed with the X Windowing system: XAuth and XHosts.<br />
==Communication Security and Tunneling Through SSH==<br />
<P>Depending on how an X Client connects to an X Host, there can be some major security issues. When used by itself through a non-secure connection, the X Windowing system will send all of it's data unencrypted across the network you are using. Depending how many people have access to the network, this can be a huge security issue. Everything from passwords to possibly confidential documents are sent essentially unencrypted across the network which allows anyone to view them. <br />
<P>One possible solution to this problem is to tunnel through a more secure communication medium, such as ssh. To see more on tunneling, please see one of the following articles: [[Applications_of_SSH#SSH_Tunneling]], [[SSH Tunneling]<br />
<br />
==XAuth==<br />
<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T23:48:29Z<p>Manselnj: /* Security */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=== Authorization Protocols ===<br />
====MIT Magic-Cookie-1====<br />
====XDM Authorization====<br />
=Security=<br />
There are several ways in which security is a major concern when using the X Windowing system. These can concerns can be broken up into two major categories: interception of communications between the X client and X host, and having a malignant client connect to your host. The communication security can be handled by tunneling the communication between the X host and X client through a more secure protocol such as ssh. The malignant client concern can be handled by using tools distributed with the X Windowing system: XAuth and XHosts.<br />
==Communication Security and Tunneling Through SSH==<br />
<br />
==XAuth==<br />
<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T23:43:42Z<p>Manselnj: /* Communication Security and Tunneling through SSH */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=== Authorization Protocols ===<br />
====MIT Magic-Cookie-1====<br />
====XDM Authorization====<br />
=Security=<br />
==Communication Security and Tunneling Through SSH==<br />
<br />
==XAuth==<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T23:42:12Z<p>Manselnj: /* See Also */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=== Authorization Protocols ===<br />
====MIT Magic-Cookie-1====<br />
====XDM Authorization====<br />
=Security=<br />
==Communication Security and Tunneling through SSH==<br />
==XAuth==<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
* [[Applications of SSH]]<br />
* [[SSH Tunneling]]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T23:40:28Z<p>Manselnj: /* See Also */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=== Authorization Protocols ===<br />
====MIT Magic-Cookie-1====<br />
====XDM Authorization====<br />
=Security=<br />
==Communication Security and Tunneling through SSH==<br />
==XAuth==<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
[Applications of SSH]<br />
<br />
----<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T23:20:22Z<p>Manselnj: </p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
=== Authorization Protocols ===<br />
====MIT Magic-Cookie-1====<br />
====XDM Authorization====<br />
=Security=<br />
==Communication Security and Tunneling through SSH==<br />
==XAuth==<br />
==XHosts==<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T23:18:38Z<p>Manselnj: /* References */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
----<br />
=== Authorization Protocols ===<br />
----<br />
<br />
= References =<br />
# [http://www.javvin.com/protocolXWindow.html http://www.javvin.com/protocolXWindow.html]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T23:17:56Z<p>Manselnj: </p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
----<br />
=== Authorization Protocols ===<br />
----<br />
<br />
= References =<br />
# [http://www.x.org/wiki/XSessionManagementProtocol http://www.x.org/wiki/XSessionManagementProtocol]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T23:17:42Z<p>Manselnj: </p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
----<br />
= Client Server Relationship =<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
----<br />
=== Authorization Protocols ===<br />
----<br />
<br />
= References =<br />
# [http://www.x.org/wiki/XSessionManagementProtocol http://www.x.org/wiki/XSessionManagementProtocol]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T23:17:06Z<p>Manselnj: </p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
The X Windowing system is a windowing system which has been around since the mid-80’s. Being designed mainly for a UNIX environment, the X Windowing System lends itself to work in a client/server environment. This means that applications themselves may reside on a foreign host machine while the display is being taken care of by a local client. When X was first developed, CPU power was expensive. It was a lot more common for people to be working at client terminals logged into a powerful host where they did their work. X allowed them to run a GUI on their local machine while still taking advantage of the processing power of the server machine. This meant that the server could “focus” on processing while their local machines would take care of the graphical part of the application.<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= How to use the X Windowing System =<br />
<br />
<br />
----<br />
= Client Server Relationship =<br />
<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
----<br />
=== Authorization Protocols ===<br />
----<br />
<br />
= References =<br />
# [http://www.x.org/wiki/XSessionManagementProtocol http://www.x.org/wiki/XSessionManagementProtocol]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T23:02:16Z<p>Manselnj: /* Communication Protocols */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= How to use the X Windowing System =<br />
<br />
<br />
----<br />
= Client Server Relationship =<br />
<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
----<br />
=== Authorization Protocols ===<br />
----<br />
<br />
= References =<br />
# [http://www.x.org/wiki/XSessionManagementProtocol http://www.x.org/wiki/XSessionManagementProtocol]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T23:01:02Z<p>Manselnj: /* References */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= How to use the X Windowing System =<br />
<br />
<br />
----<br />
= Client Server Relationship =<br />
<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
<br />
----<br />
<br />
= References =<br />
# [http://www.x.org/wiki/XSessionManagementProtocol http://www.x.org/wiki/XSessionManagementProtocol]<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T22:59:22Z<p>Manselnj: /* Communication Protocols<ref>Gould, Ted (2008). X Session Management Protocol. Retrieved April 3, 2008, from X.org Web site: http://www.x.org/wiki/XSessionManagementProtocol?highlight=%28protocol%29</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= How to use the X Windowing System =<br />
<br />
<br />
----<br />
= Client Server Relationship =<br />
<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
<br />
----<br />
<br />
= References =<br />
#<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T22:58:18Z<p>Manselnj: </p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= How to use the X Windowing System =<br />
<br />
<br />
----<br />
= Client Server Relationship =<br />
<br />
== Communication Protocols<ref>Gould, Ted (2008). X Session Management Protocol. Retrieved April 3, 2008, from X.org Web site: http://www.x.org/wiki/XSessionManagementProtocol?highlight=%28protocol%29#head-3468bf993138d6615cde00017beb573b087b3448</ref> ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
<br />
----<br />
<br />
= References =<br />
#<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T22:49:14Z<p>Manselnj: /* Definitions */</p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
<br />
=Definitions=<br />
*'''Host''': The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
*'''Client''': The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
= How to use the X Windowing System =<br />
<br />
<br />
----<br />
= Client Server Relationship =<br />
<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
<br />
----<br />
<br />
= References =<br />
#<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T22:48:54Z<p>Manselnj: </p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
= What is the X Windowing System? =<br />
<br />
=Definitions=<br />
Host: The machine which is displaying the X Windowing application. The host must be listening for client X Windowing application requests.<br />
Client: The machine which is running the logic of the X Windowing application. The client must send a request to the host in order to display an X Windowing application on it.<br />
<br />
<br />
= How to use the X Windowing System =<br />
<br />
<br />
----<br />
= Client Server Relationship =<br />
<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
<br />
----<br />
<br />
= References =<br />
#<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T22:48:15Z<p>Manselnj: </p>
<hr />
<div>The X Windowing System’s main purpose is to provide an interface between a client application (such as a desktop environment), which can take advantage of the client CPU’s power, and a host, which takes advantage of the host’s native system’s display hardware. It provides basic functionality like… in a standardized API which allows developers to relatively easily create GUI applications. In short, the X Windowing System will run all the logic behind an application on one client machine while displaying the results on and poling for input from another host machine. This leads to some major security concerns about the communications between the client and host themselves and also how to run an X Windowing host in such a way that does not open a huge security hole in your system. Today, the client machine can be, and often is, the same machine as the host machine. However, the focus of this article will be on the networking side of the X Windowing System.<br />
<br />
== What is the X Windowing System? ==<br />
<br />
<br />
== How to use the X Windowing System ==<br />
<br />
<br />
----<br />
= Client Server Relationship =<br />
<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
<br />
----<br />
<br />
= References =<br />
#<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T22:47:52Z<p>Manselnj: </p>
<hr />
<div>== What is the X Windowing System? ==<br />
<br />
<br />
== How to use the X Windowing System ==<br />
<br />
<br />
----<br />
= Client Server Relationship =<br />
<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
<br />
----<br />
<br />
= References =<br />
#<br />
<br />
=External Links=<br />
*<br />
<br />
= See Also =<br />
<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T22:47:13Z<p>Manselnj: /* See Also */</p>
<hr />
<div>== What is the X Windowing System? ==<br />
<br />
<br />
== How to use the X Windowing System ==<br />
<br />
<br />
----<br />
= Client Server Relationship =<br />
<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
<br />
----<br />
<br />
=== Designing an X Window Application===<br />
<br />
== References ==<br />
#<br />
<br />
==External Links==<br />
*<br />
<br />
== See Also ==<br />
<br />
[[User:Manselnj|Manselnj]] 18:47, 13 April 2008 (EDT)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T22:43:55Z<p>Manselnj: /* Basic Protocols */</p>
<hr />
<div>== What is the X Windowing System? ==<br />
<br />
<br />
== How to use the X Windowing System ==<br />
<br />
<br />
----<br />
= Client Server Relationship =<br />
<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
<br />
----<br />
<br />
=== Designing an X Window Application===<br />
<br />
== References ==<br />
#<br />
<br />
==External Links==<br />
*<br />
<br />
== See Also ==<br />
<br />
<br />
[[User:Manselnj|Manselnj]]</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T22:43:28Z<p>Manselnj: /* Communication Protocols */</p>
<hr />
<div>== What is the X Windowing System? ==<br />
<br />
<br />
== How to use the X Windowing System ==<br />
<br />
<br />
----<br />
= Client Server Relationship =<br />
<br />
== Communication Protocols ==<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
[[Image:Protocols.GIF|frame|left|Figure 1: Communication Between an X Host and X Client]]<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
<br />
----<br />
<br />
=== Designing an X Window Application===<br />
<br />
== References ==<br />
#<br />
<br />
==External Links==<br />
*<br />
<br />
== See Also ==<br />
<br />
<br />
[[User:Manselnj|Manselnj]]</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T22:43:10Z<p>Manselnj: /* Communication Protocols */</p>
<hr />
<div>== What is the X Windowing System? ==<br />
<br />
<br />
== How to use the X Windowing System ==<br />
<br />
<br />
----<br />
= Client Server Relationship =<br />
<br />
== Communication Protocols ==<br />
[[Image:Protocols.GIF|frame|left|Figure 1: Communication Between an X Host and X Client]]<br />
<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
<br />
----<br />
<br />
=== Designing an X Window Application===<br />
<br />
== References ==<br />
#<br />
<br />
==External Links==<br />
*<br />
<br />
== See Also ==<br />
<br />
<br />
[[User:Manselnj|Manselnj]]</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T22:42:59Z<p>Manselnj: /* Communication Protocols */</p>
<hr />
<div>== What is the X Windowing System? ==<br />
<br />
<br />
== How to use the X Windowing System ==<br />
<br />
<br />
----<br />
= Client Server Relationship =<br />
<br />
== Communication Protocols ==<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
<br />
----<br />
<br />
=== Designing an X Window Application===<br />
<br />
== References ==<br />
#<br />
<br />
==External Links==<br />
*<br />
<br />
== See Also ==<br />
<br />
<br />
[[User:Manselnj|Manselnj]]</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T22:42:42Z<p>Manselnj: /* Basic Protocols */</p>
<hr />
<div>== What is the X Windowing System? ==<br />
<br />
<br />
== How to use the X Windowing System ==<br />
<br />
<br />
----<br />
= Client Server Relationship =<br />
<br />
== Communication Protocols ==<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
----<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
----<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
<br />
----<br />
<br />
=== Designing an X Window Application===<br />
<br />
<br />
<br />
== References ==<br />
#<br />
<br />
==External Links==<br />
*<br />
<br />
== See Also ==<br />
<br />
<br />
[[User:Manselnj|Manselnj]]</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T22:41:16Z<p>Manselnj: </p>
<hr />
<div>== What is the X Windowing System? ==<br />
<br />
<br />
== How to use the X Windowing System ==<br />
<br />
<br />
----<br />
= Client Server Relationship =<br />
<br />
== Communication Protocols ==<br />
[[Image:Protocols.GIF|frame|right|Figure 1: Communication Between an X Host and X Client]]<br />
<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
<br />
----<br />
=== Designing an X Window Application===<br />
<br />
<br />
<br />
== References ==<br />
#<br />
<br />
==External Links==<br />
*<br />
<br />
== See Also ==<br />
<br />
<br />
[[User:Manselnj|Manselnj]]</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T22:39:50Z<p>Manselnj: </p>
<hr />
<div><br />
== What is the X Windowing System? ==<br />
<br />
<br />
== How to use the X Windowing System ==<br />
<br />
<br />
----<br />
= Client Server Relationship =<br />
<br />
== Communication Protocols ==<br />
[[Image:Protocols.GIF]]<br />
<br />
The basic idea behind the communication protocols between clients running the logic of the application and hosts displaying the application is to provide a way for the client to send information about what needs to be displayed on the host to the host while the host will send any input from the user, such as mouse clicks and keyboard strokes, back to the client for the client to interpret. <br />
=== Basic Protocols ===<br />
* The X client makes a request, which is 4 bytes long, for a certain event to happen on the host. This event can be anything from creating a window to changing what’s being displayed in a window to closing the window. In order to make this process more efficient, there is no response sent from the host to the client saying that the request has been successfully executed. It is left to the network layer, which can be unreliable, and is assumed to get the packets to the host. Some updates will not make it from the client to the host and hence there can be some strange screen artifacts which occur as some requests are processed and others aren’t.<br />
* There are some requests for which the X host must respond to the client, also in multiples of 4 bytes, with information. When an expected event occurs, such as a mouse click or key stroke, the X host must send information about that event back to the client. Again, in order to keep network traffic to a minimum, the X host will only send information back to the client about expected events. However, the expected event which occurred may have been on a different part of the X Windowing hosts screen. This can lead to some major security breaches which the user of the X Windowing system could be unaware of. For example, if the user is expected to enter a password in one application that’s running on the user’s host, the keystrokes of that password could be “intercepted” by another application running on the host which would then be sent back to whatever client machine is running the other application.<br />
* There is one last message which is sent between X clients and X hosts. If there is any error on the X host, there needs to be a way for the host to tell the client that the error occurred. This is taken care of by the error response message. This message is the same size as a normal event response message, but is sent to the error handling routine of the X client.<br />
<br />
<br />
----<br />
=== Designing an X Window Application===<br />
<br />
<br />
<br />
== References ==<br />
#<br />
<br />
==External Links==<br />
*<br />
<br />
== See Also ==<br />
<br />
<br />
[[User:Manselnj|Manselnj]]</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/File:Protocols.GIFFile:Protocols.GIF2008-04-13T22:37:48Z<p>Manselnj: </p>
<hr />
<div></div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/The_X_Windowing_SystemThe X Windowing System2008-04-13T18:28:03Z<p>Manselnj: New page: == What is the X Windowing System? == == How to use the X Windowing System == == Client Server Relationship == ---- === Protocols === ---- === Designing an X Window Application=== ...</p>
<hr />
<div><br />
<br />
== What is the X Windowing System? ==<br />
<br />
<br />
== How to use the X Windowing System ==<br />
<br />
<br />
== Client Server Relationship ==<br />
<br />
----<br />
=== Protocols ===<br />
<br />
----<br />
=== Designing an X Window Application===<br />
<br />
<br />
<br />
== References ==<br />
#<br />
<br />
==External Links==<br />
*<br />
<br />
== See Also ==<br />
<br />
<br />
[[User:Manselnj|Manselnj]]</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/Payment_Card_Industry_Data_Security_StandardPayment Card Industry Data Security Standard2007-12-06T18:18:38Z<p>Manselnj: /* T.J. Maxx */</p>
<hr />
<div>The Payment Card Industry Data Security Standard (PCI DSS) is a security document created by the Payment Card Industry Security Standards Council (PCI SSC) in order to unify the security requirements of the Payment Card Industry. In order to tie this in with what was taught in [http://www.cas.mcmaster.ca/~wmfarmer/CS-3IS3-07 Comp Sci 3IS3] (taught at [http://www.mcmaster.ca McMaster University]), the PCI DSS will be presented as an Industry Wide Security Policy and as such will be evaluated by tracing its development through the Security Life Cycle. The first step in the Security Life Cycle is to identify threats. The main threat to the PCI is that of Card Holder data being stolen. The next step is Policy Creation. In order to create one coherent document for Merchants to follow, the five major brands of the PCI (Visa, Mastercard, American Express, Discover and JCB) formed the Payment Card Industry Security Standards Council (PCI SSC). Next comes the requirements specifications. The PCI SSC created a detailed document of 12 major requirements for Merchants and any company which deals with Card Holder data to comply with. These requirements focused on the ability of the Merchant to protect Card Holder data, in both electronic and physical form. The next phase includes the design and implementation of a security system to enforce the afore stated requirements. For a company wide security policy, this is possible. However, for an industry wide security policy it does not make sense to specify implementation because of varying Merchant sizes. Finally comes the Operation and Maintenance phase. The operation of each Merchants security system depends on their implementation of the requirements stated in the PCI DSS. These operations can be assured to be PCI DSS compliant through the use of QSA's and ASV's. The important part of this phase is the Maintenance part. The PCI DSS has gone through a few updates since it's creation as direct results of problems with the first version of it or new security issues that may have arisen.<br />
<br />
== Terms Used In This Article ==<br />
* '''PCI''' ('''P'''ayment '''C'''ard '''I'''ndustry): A Payment Card is any "card" form of payment. This can cover everything from credit cards to debit cards. The Payment Card Industry consists of all the companies which make up the many different brands of payment cards in use today. (ie Visa, Mastercard, ect..)<br />
* '''PCI SSC''' ('''P'''ayment '''C'''ard '''I'''ndustry '''S'''ecurity '''S'''tandards '''C'''ouncil): A council made up of Visa, Mastercard, American Express, Discover and JCB (Japan Credit Bureau) created in order to align their individual security goals into one document - the PCI DSS.<br />
* '''PCI DSS''' ('''P'''ayment '''C'''ard '''I'''ndustry '''D'''ata '''S'''ecurity '''S'''tandard): The document created by the PCI SSC in order to align each companies security goals.<br />
* '''Card Holder''': Any customer of a Payment Card company.<br />
* '''Merchant''': Any company which accepts Payment Cards as a form of payment. The definition also includes any other companies which may deal with Card Holder data without necessarily dealing directly with the Card Holder.<br />
<br />
== What is a Security Policy? ==<br />
A Security Policy is a statement that partitions the states of a system into sets of authorized, or secure, states and a set of unauthorized, or nonsecure, states. <SUP>[ [[Payment Card Industry Data Security Standard #References|1]] ]</SUP> A security policy is the bases on which all the rest of a companies security mechanisms are based on. Obviously, having a good company wide security policy is important. The next logical step is to incorporate an industry wide security policy. The Payment Card Industry Data Security Standard could be viewed as an example of an industry wide security policy.<br />
<br />
== Security Life Cycle ==<br />
<BR><br />
[[Image:SecurityLifyCycle.GIF|frame|right|Figure 1: The Security Life Cycle<SUP>[1]</SUP>]]<br />
The Security Life Cycle consists of the following phases: Threats, Policy, Specification, Design, Implementation and Operation and Maintenance (See Figure 1). As you can see, the security life cycle relies heavily upon later phases giving input to previous phases so that they can be updated. This keeps the security system up to date and hence keeps what the security system is protecting more secure too.<br />
----<br />
=== Identify Threats ===<br />
<P>The main threat to the Payment Card Industry as a whole is more of a threat to the Card Holders than the industry itself. The Card Holders are taking a chance every time they use their credit cards to make a purchase. This threat is not only present when purchasing online, but also when purchasing in stores (or at the "point of purchase"). The threat originates from a lack of industry wide standards on how card holder information should be stored, processed or transmitted.</P><br />
<br />
<P>This security threat directly affects the Payment Card Industry because if cardholders don't trust that their information is secure, then they will not use their credit cards and hence the payment card vendors loose business. This is why the Payment Card Industry is moving forward with their industry wide standard for security, the Payment Card Industry Data Security Standard.</P><br />
<BR><br />
[[Image:PCICouncil.JPG|frame|right|Figure 2: Formation of the PCI SSC]]<br />
----<br />
=== Policy Creation===<br />
<P>Before December 14th 2004, the 5 major Payment Card companies (Visa, Mastercard, American Express, Discover and JCB (Japan Credit Bureau)) each had their own set of Information Security Standards. This meant that retailers had 5 different security policies to comply with. After December 14th 2004, these 5 brands of cards collaborated to create the Payment Card Industry Security Standards Council (PCI SSC). The purpose of this council is to align the goals of each of the Payment Card companies in an industry wide security policy for merchants to follow.</P><br />
----<br />
=== Requirements Specifications ===<br />
An overview of the list of requirements needed to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance is available here [https://www.pcisecuritystandards.org/tech/index.htm About the PCI Data Security Standard (PCI DSS)]. The full list of requirements is available here: [https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm Download the PCI DSS]. Below is the summarized list and an explanation of what each item means. There are 12 major requirements which can be broken up into 6 categories.<br />
<BR><br />
<br />
''Build and Maintain a Secure Network''<BR><br />
1.)Install and maintain a firewall configuration to protect cardholders' data<BR><br />
2.)Do not use vendor-supplied defaults for system password and other security parameters<BR><br />
* This set of requirements is meant to keep any network of computers which contain Card Holder information in a secure state<BR><br />
<BR><br />
<br />
''Protect Card Holder Data''<BR><br />
3.)Protect stored Card Holder data<BR><br />
* This requirement is meant to protect the card holder data while it is stored on merchant computers<BR><br />
4.)Encrypt transmission of Card Holder data across open, public networks<BR><br />
* This requirement is meant to protect Card Holder data when it might be necessary to transmit it across a public network (ie when contacting the Payment Card server)<BR><br />
<BR><br />
<br />
''Maintain a Vulnerability Management Program''<BR><br />
5.)Use and regularly update anti-virus software<BR><br />
* This requirement is meant to ensure that all merchants do take advantage of some form of anti-virus software.<BR><br />
6.)Develop and maintain secure systems and applications<BR><br />
* This requirement is meant to put security as a priority during the development of software. This is an important requirement because many times when software is being designed, security is tacked on as an afterthought. By at least making developers aware of security as being a requirement of their software, this ensures better quality of any security mechanisms built into the software.<BR><br />
<BR><br />
<br />
''Implement Strong Access Control Measures''<BR><br />
7.)Restrict access to Card Holder data by business need-to-know<BR><br />
* This requirement is meant to ensure that only people who need to know about Card Holder data have access to it. This is similar to the principle of least privilege. <BR><br />
8.)Assign a unique ID to each person with computer access<BR><br />
* This requirement is meant to add a level of accountability to all users on the system. If each user has their own unique ID on the merchant's system, then actions can be tracked on linked to the person who did them.<BR><br />
9.)Restrict physical access to Card Holder data<BR><br />
* This requirement is meant to extend the coverage of the PCI DSS to any form of Card Holder data which may not be on a computer. Hence, the PCI DSS is extended to cover not only digital information but also physical copies of the information. However, this does not prevent the threat of customer data being stolen entirely. There is nothing to prevent an employee from copying down information with a pencil and paper. Though this is a problem, it is partially alleviated by requirement 7: Restrict access to Card Holder data by business need-to-know. If only a small number of employees can access the Card Holder data, then it is much easier to track down who may have stolen Card Holder data if there is a security breech from the inside.<BR><br />
<BR><br />
<br />
''Regularly Monitor and Test Networks''<BR><br />
10.) Track and monitor all access to network resources and Card Holder data<BR><br />
* This requirement is designed to catch any unauthorized accesses to Card Holder data. If an anomaly is detected, then the system should be able to detect it and steps should be taken to fix the problem<BR><br />
11.) Regularly test security systems and processes<BR><br />
* This requirement is meant to ensure that merchants don't just set and forget their security systems. It reminds them that security is a full time job and must constantly be maintained.<BR><br />
<BR><br />
''Maintain an Information Security Policy''<BR><br />
12.) Maintain a policy that addresses information security<BR><br />
* Though this may seem a bit redundant, this is an important requirement. It means that every merchant that deals with Cardholder Data must have their own security policy as well in order to protect Card Holder data.<BR><br />
<BR><br />
<br />
----<br />
<br />
=== Design/Implementation ===<br />
<br />
<P>There is no design or implementation specified in the PCI DSS. This is because the application of this security policy is so broad that it is impossible to have one design that will work for every company. For example Soney, which may handle millions of transactions a year, will need a different implementation than a small "mom and pop" company, who may handle only a few hundred transactions a year. However, requirements must still be met to some degree depending on the volume of Payment Card transactions which occur per given merchant. This makes the PCI DSS sound rather weak. However, there is a way which the Payment Card Industry Security Standards Council can keep track of whether or not the requirements are being met. This is through the use of QSA's and ASV's.</P><br />
*[https://www.pcisecuritystandards.org/programs/qsa_program.htm Qualified Security Assessors (QSA's)] are companies who have been approved by the PCI Security Standards Council to assess the compliance of merchants to the PCI DSS. The way the PCI Security Standards Council does this is through a certification program. This requires not only the company to be certified, but also all of it's employees to be certified on a yearly bases.<br />
*[https://www.pcisecuritystandards.org/programs/asv_program.htm Approved Scanning Vendors (ASV's)] are companies who are approved by the PCI Security Standards Council to assess merchants' networks for security vulnerabilities. They accomplish this by simulating both normal and abnormal processes on the merchants networks. Again, ASV's must also be certified by the PCI Security Standards Council on a yearly basis.<br />
<BR><br />
<br />
----<br />
<br />
=== Operation and Maintenance ===<br />
The final step of the Security Life Cycle is Operation and Maintenance. Though this is the final step, it is by far not the least and the life cycle does not end here. This step requires that any time a security breach is detected, steps must be taken to improve the security system. The PCI DSS has definately entered this phase. There are two examples of such maintenance and updating occuring in the PCI DSS:<br />
* Version 1.1<br />
* TJ Max<br />
<br />
====Version 1.1====<br />
Version 1.1 of the PCI DSS was releases on September 2006. This was only a year and a half after the release of the version 1.0 of the PCI DSS, which is pretty fast considering the PCI DSS is meant to be a security wide standard. Version 1.1 clarified many of the requirements and wording of Version 1.0 and also included suggestions on how to achieve compliance. A full summary of the changes between PCI DSS Version 1.1 and PCI DSS Version 1.0 are available[[http://www.procheckup.com/PDFs/ProCheckUp_PCIDSS_SummaryOfChanges.pdf|here]].<br />
<br />
====T.J. Maxx====<br />
In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from the screen shot of the [http://www.tjmaxx.com/index.asp T.J.Maxx website] figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem. <br />
<BR><br />
As a direct result of this, the PCI DSS was updated to included better guidelines about wireless networks. Specifically, section 4.1.1 added specifications about implementing Wireless Encryption Protocol Correctly and provided better guidelines for key rotation. For Specifics, see https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.<br />
[[Image:TJMaxxCustAlert.jpg|frame|center|Figure 3: Notice to T.J.Maxx customers]]<br />
<br />
== References ==<br />
# Bishop, Matt. ''Introduction to Computer Security''. Boston: Addison-Wesley, 2006.<br />
# (2007). About the PCI DSS - PCI Security Standards Council. Retrieved December 2, 2007, Web site: https://www.pcisecuritystandards.org/tech/index.htm <br />
# T.J. Maxx. (2007). In ''Wikipedia'' [Web]. Retrieved December 2, 2007, from http://en.wikipedia.org/wiki/T.J._Maxx <br />
# PCI DSS. (2007). In ''Wikipedia'' [Web]. Retrieved December 2, 2007, from http://en.wikipedia.org/wiki/PCI_DSS <br />
# PCI DSS Compliance Demystified. Retrieved December 2, 2007, Web site: http://pcianswers.com/ <br />
# PCI DSS Compliance, Payment Card Industry Data Security Standard and Credit Card Security. Retrieved December 2, 2007, from PCI Data Security Standard Web site: http://www.itgovernance.co.uk/pci_dss.aspx<br />
<br />
==External Links==<br />
* https://www.pcisecuritystandards.org/<br />
* http://en.wikipedia.org/wiki/PCI_DSS<br />
* http://pcianswers.com/<br />
* http://www.itgovernance.co.uk/pci_dss.aspx<br />
<br />
== See Also ==<br />
[[Random Number Generators and Information Security]]<BR><br />
[[Security and Storage Mediums]]<BR><br />
[[Piggybacking]]<BR><br />
[[Honeypot]]<BR><br />
[[Biometric Systems Regarding Security Design Principle]]<BR><br />
[[Phishing]]<BR><br />
[[Email Security]]<BR><br />
[[Biometrics in Information Security]]<BR><br />
[[Smart Card Technology to Prevent Fraud]]<BR><br />
[[Electronic Voting Systems]]<BR><br />
[[Anti-spam systems and techniques]]<BR><br />
[[The Mitnick Attack]]<BR><br />
[[Operating Systems Security]]<BR><br />
[[Autocomplete]]<BR><br />
[[Internet Cookies and Confidentiality]]<BR><br />
[[Social Engineering]]<BR><br />
[[Identity Theft]]<BR><br />
[[Information Security Awareness]]<br />
<br />
[[User:Manselnj|Manselnj]] 11:54, 5 December 2007 (EST)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/Payment_Card_Industry_Data_Security_StandardPayment Card Industry Data Security Standard2007-12-06T18:18:02Z<p>Manselnj: /* T.J. Maxx */</p>
<hr />
<div>The Payment Card Industry Data Security Standard (PCI DSS) is a security document created by the Payment Card Industry Security Standards Council (PCI SSC) in order to unify the security requirements of the Payment Card Industry. In order to tie this in with what was taught in [http://www.cas.mcmaster.ca/~wmfarmer/CS-3IS3-07 Comp Sci 3IS3] (taught at [http://www.mcmaster.ca McMaster University]), the PCI DSS will be presented as an Industry Wide Security Policy and as such will be evaluated by tracing its development through the Security Life Cycle. The first step in the Security Life Cycle is to identify threats. The main threat to the PCI is that of Card Holder data being stolen. The next step is Policy Creation. In order to create one coherent document for Merchants to follow, the five major brands of the PCI (Visa, Mastercard, American Express, Discover and JCB) formed the Payment Card Industry Security Standards Council (PCI SSC). Next comes the requirements specifications. The PCI SSC created a detailed document of 12 major requirements for Merchants and any company which deals with Card Holder data to comply with. These requirements focused on the ability of the Merchant to protect Card Holder data, in both electronic and physical form. The next phase includes the design and implementation of a security system to enforce the afore stated requirements. For a company wide security policy, this is possible. However, for an industry wide security policy it does not make sense to specify implementation because of varying Merchant sizes. Finally comes the Operation and Maintenance phase. The operation of each Merchants security system depends on their implementation of the requirements stated in the PCI DSS. These operations can be assured to be PCI DSS compliant through the use of QSA's and ASV's. The important part of this phase is the Maintenance part. The PCI DSS has gone through a few updates since it's creation as direct results of problems with the first version of it or new security issues that may have arisen.<br />
<br />
== Terms Used In This Article ==<br />
* '''PCI''' ('''P'''ayment '''C'''ard '''I'''ndustry): A Payment Card is any "card" form of payment. This can cover everything from credit cards to debit cards. The Payment Card Industry consists of all the companies which make up the many different brands of payment cards in use today. (ie Visa, Mastercard, ect..)<br />
* '''PCI SSC''' ('''P'''ayment '''C'''ard '''I'''ndustry '''S'''ecurity '''S'''tandards '''C'''ouncil): A council made up of Visa, Mastercard, American Express, Discover and JCB (Japan Credit Bureau) created in order to align their individual security goals into one document - the PCI DSS.<br />
* '''PCI DSS''' ('''P'''ayment '''C'''ard '''I'''ndustry '''D'''ata '''S'''ecurity '''S'''tandard): The document created by the PCI SSC in order to align each companies security goals.<br />
* '''Card Holder''': Any customer of a Payment Card company.<br />
* '''Merchant''': Any company which accepts Payment Cards as a form of payment. The definition also includes any other companies which may deal with Card Holder data without necessarily dealing directly with the Card Holder.<br />
<br />
== What is a Security Policy? ==<br />
A Security Policy is a statement that partitions the states of a system into sets of authorized, or secure, states and a set of unauthorized, or nonsecure, states. <SUP>[ [[Payment Card Industry Data Security Standard #References|1]] ]</SUP> A security policy is the bases on which all the rest of a companies security mechanisms are based on. Obviously, having a good company wide security policy is important. The next logical step is to incorporate an industry wide security policy. The Payment Card Industry Data Security Standard could be viewed as an example of an industry wide security policy.<br />
<br />
== Security Life Cycle ==<br />
<BR><br />
[[Image:SecurityLifyCycle.GIF|frame|right|Figure 1: The Security Life Cycle<SUP>[1]</SUP>]]<br />
The Security Life Cycle consists of the following phases: Threats, Policy, Specification, Design, Implementation and Operation and Maintenance (See Figure 1). As you can see, the security life cycle relies heavily upon later phases giving input to previous phases so that they can be updated. This keeps the security system up to date and hence keeps what the security system is protecting more secure too.<br />
----<br />
=== Identify Threats ===<br />
<P>The main threat to the Payment Card Industry as a whole is more of a threat to the Card Holders than the industry itself. The Card Holders are taking a chance every time they use their credit cards to make a purchase. This threat is not only present when purchasing online, but also when purchasing in stores (or at the "point of purchase"). The threat originates from a lack of industry wide standards on how card holder information should be stored, processed or transmitted.</P><br />
<br />
<P>This security threat directly affects the Payment Card Industry because if cardholders don't trust that their information is secure, then they will not use their credit cards and hence the payment card vendors loose business. This is why the Payment Card Industry is moving forward with their industry wide standard for security, the Payment Card Industry Data Security Standard.</P><br />
<BR><br />
[[Image:PCICouncil.JPG|frame|right|Figure 2: Formation of the PCI SSC]]<br />
----<br />
=== Policy Creation===<br />
<P>Before December 14th 2004, the 5 major Payment Card companies (Visa, Mastercard, American Express, Discover and JCB (Japan Credit Bureau)) each had their own set of Information Security Standards. This meant that retailers had 5 different security policies to comply with. After December 14th 2004, these 5 brands of cards collaborated to create the Payment Card Industry Security Standards Council (PCI SSC). The purpose of this council is to align the goals of each of the Payment Card companies in an industry wide security policy for merchants to follow.</P><br />
----<br />
=== Requirements Specifications ===<br />
An overview of the list of requirements needed to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance is available here [https://www.pcisecuritystandards.org/tech/index.htm About the PCI Data Security Standard (PCI DSS)]. The full list of requirements is available here: [https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm Download the PCI DSS]. Below is the summarized list and an explanation of what each item means. There are 12 major requirements which can be broken up into 6 categories.<br />
<BR><br />
<br />
''Build and Maintain a Secure Network''<BR><br />
1.)Install and maintain a firewall configuration to protect cardholders' data<BR><br />
2.)Do not use vendor-supplied defaults for system password and other security parameters<BR><br />
* This set of requirements is meant to keep any network of computers which contain Card Holder information in a secure state<BR><br />
<BR><br />
<br />
''Protect Card Holder Data''<BR><br />
3.)Protect stored Card Holder data<BR><br />
* This requirement is meant to protect the card holder data while it is stored on merchant computers<BR><br />
4.)Encrypt transmission of Card Holder data across open, public networks<BR><br />
* This requirement is meant to protect Card Holder data when it might be necessary to transmit it across a public network (ie when contacting the Payment Card server)<BR><br />
<BR><br />
<br />
''Maintain a Vulnerability Management Program''<BR><br />
5.)Use and regularly update anti-virus software<BR><br />
* This requirement is meant to ensure that all merchants do take advantage of some form of anti-virus software.<BR><br />
6.)Develop and maintain secure systems and applications<BR><br />
* This requirement is meant to put security as a priority during the development of software. This is an important requirement because many times when software is being designed, security is tacked on as an afterthought. By at least making developers aware of security as being a requirement of their software, this ensures better quality of any security mechanisms built into the software.<BR><br />
<BR><br />
<br />
''Implement Strong Access Control Measures''<BR><br />
7.)Restrict access to Card Holder data by business need-to-know<BR><br />
* This requirement is meant to ensure that only people who need to know about Card Holder data have access to it. This is similar to the principle of least privilege. <BR><br />
8.)Assign a unique ID to each person with computer access<BR><br />
* This requirement is meant to add a level of accountability to all users on the system. If each user has their own unique ID on the merchant's system, then actions can be tracked on linked to the person who did them.<BR><br />
9.)Restrict physical access to Card Holder data<BR><br />
* This requirement is meant to extend the coverage of the PCI DSS to any form of Card Holder data which may not be on a computer. Hence, the PCI DSS is extended to cover not only digital information but also physical copies of the information. However, this does not prevent the threat of customer data being stolen entirely. There is nothing to prevent an employee from copying down information with a pencil and paper. Though this is a problem, it is partially alleviated by requirement 7: Restrict access to Card Holder data by business need-to-know. If only a small number of employees can access the Card Holder data, then it is much easier to track down who may have stolen Card Holder data if there is a security breech from the inside.<BR><br />
<BR><br />
<br />
''Regularly Monitor and Test Networks''<BR><br />
10.) Track and monitor all access to network resources and Card Holder data<BR><br />
* This requirement is designed to catch any unauthorized accesses to Card Holder data. If an anomaly is detected, then the system should be able to detect it and steps should be taken to fix the problem<BR><br />
11.) Regularly test security systems and processes<BR><br />
* This requirement is meant to ensure that merchants don't just set and forget their security systems. It reminds them that security is a full time job and must constantly be maintained.<BR><br />
<BR><br />
''Maintain an Information Security Policy''<BR><br />
12.) Maintain a policy that addresses information security<BR><br />
* Though this may seem a bit redundant, this is an important requirement. It means that every merchant that deals with Cardholder Data must have their own security policy as well in order to protect Card Holder data.<BR><br />
<BR><br />
<br />
----<br />
<br />
=== Design/Implementation ===<br />
<br />
<P>There is no design or implementation specified in the PCI DSS. This is because the application of this security policy is so broad that it is impossible to have one design that will work for every company. For example Soney, which may handle millions of transactions a year, will need a different implementation than a small "mom and pop" company, who may handle only a few hundred transactions a year. However, requirements must still be met to some degree depending on the volume of Payment Card transactions which occur per given merchant. This makes the PCI DSS sound rather weak. However, there is a way which the Payment Card Industry Security Standards Council can keep track of whether or not the requirements are being met. This is through the use of QSA's and ASV's.</P><br />
*[https://www.pcisecuritystandards.org/programs/qsa_program.htm Qualified Security Assessors (QSA's)] are companies who have been approved by the PCI Security Standards Council to assess the compliance of merchants to the PCI DSS. The way the PCI Security Standards Council does this is through a certification program. This requires not only the company to be certified, but also all of it's employees to be certified on a yearly bases.<br />
*[https://www.pcisecuritystandards.org/programs/asv_program.htm Approved Scanning Vendors (ASV's)] are companies who are approved by the PCI Security Standards Council to assess merchants' networks for security vulnerabilities. They accomplish this by simulating both normal and abnormal processes on the merchants networks. Again, ASV's must also be certified by the PCI Security Standards Council on a yearly basis.<br />
<BR><br />
<br />
----<br />
<br />
=== Operation and Maintenance ===<br />
The final step of the Security Life Cycle is Operation and Maintenance. Though this is the final step, it is by far not the least and the life cycle does not end here. This step requires that any time a security breach is detected, steps must be taken to improve the security system. The PCI DSS has definately entered this phase. There are two examples of such maintenance and updating occuring in the PCI DSS:<br />
* Version 1.1<br />
* TJ Max<br />
<br />
====Version 1.1====<br />
Version 1.1 of the PCI DSS was releases on September 2006. This was only a year and a half after the release of the version 1.0 of the PCI DSS, which is pretty fast considering the PCI DSS is meant to be a security wide standard. Version 1.1 clarified many of the requirements and wording of Version 1.0 and also included suggestions on how to achieve compliance. A full summary of the changes between PCI DSS Version 1.1 and PCI DSS Version 1.0 are available[[http://www.procheckup.com/PDFs/ProCheckUp_PCIDSS_SummaryOfChanges.pdf|here]].<br />
<br />
====T.J. Maxx====<br />
[[Image:TJMaxxCustAlert.jpg|frame|center|Figure 3: Notice to T.J.Maxx customers]]<br />
In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from the screen shot of the [http://www.tjmaxx.com/index.asp T.J.Maxx website] figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem. <br />
<BR><br />
As a direct result of this, the PCI DSS was updated to included better guidelines about wireless networks. Specifically, section 4.1.1 added specifications about implementing Wireless Encryption Protocol Correctly and provided better guidelines for key rotation. For Specifics, see https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.<br />
<br />
== References ==<br />
# Bishop, Matt. ''Introduction to Computer Security''. Boston: Addison-Wesley, 2006.<br />
# (2007). About the PCI DSS - PCI Security Standards Council. Retrieved December 2, 2007, Web site: https://www.pcisecuritystandards.org/tech/index.htm <br />
# T.J. Maxx. (2007). In ''Wikipedia'' [Web]. Retrieved December 2, 2007, from http://en.wikipedia.org/wiki/T.J._Maxx <br />
# PCI DSS. (2007). In ''Wikipedia'' [Web]. Retrieved December 2, 2007, from http://en.wikipedia.org/wiki/PCI_DSS <br />
# PCI DSS Compliance Demystified. Retrieved December 2, 2007, Web site: http://pcianswers.com/ <br />
# PCI DSS Compliance, Payment Card Industry Data Security Standard and Credit Card Security. Retrieved December 2, 2007, from PCI Data Security Standard Web site: http://www.itgovernance.co.uk/pci_dss.aspx<br />
<br />
==External Links==<br />
* https://www.pcisecuritystandards.org/<br />
* http://en.wikipedia.org/wiki/PCI_DSS<br />
* http://pcianswers.com/<br />
* http://www.itgovernance.co.uk/pci_dss.aspx<br />
<br />
== See Also ==<br />
[[Random Number Generators and Information Security]]<BR><br />
[[Security and Storage Mediums]]<BR><br />
[[Piggybacking]]<BR><br />
[[Honeypot]]<BR><br />
[[Biometric Systems Regarding Security Design Principle]]<BR><br />
[[Phishing]]<BR><br />
[[Email Security]]<BR><br />
[[Biometrics in Information Security]]<BR><br />
[[Smart Card Technology to Prevent Fraud]]<BR><br />
[[Electronic Voting Systems]]<BR><br />
[[Anti-spam systems and techniques]]<BR><br />
[[The Mitnick Attack]]<BR><br />
[[Operating Systems Security]]<BR><br />
[[Autocomplete]]<BR><br />
[[Internet Cookies and Confidentiality]]<BR><br />
[[Social Engineering]]<BR><br />
[[Identity Theft]]<BR><br />
[[Information Security Awareness]]<br />
<br />
[[User:Manselnj|Manselnj]] 11:54, 5 December 2007 (EST)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/Payment_Card_Industry_Data_Security_StandardPayment Card Industry Data Security Standard2007-12-06T18:17:44Z<p>Manselnj: </p>
<hr />
<div>The Payment Card Industry Data Security Standard (PCI DSS) is a security document created by the Payment Card Industry Security Standards Council (PCI SSC) in order to unify the security requirements of the Payment Card Industry. In order to tie this in with what was taught in [http://www.cas.mcmaster.ca/~wmfarmer/CS-3IS3-07 Comp Sci 3IS3] (taught at [http://www.mcmaster.ca McMaster University]), the PCI DSS will be presented as an Industry Wide Security Policy and as such will be evaluated by tracing its development through the Security Life Cycle. The first step in the Security Life Cycle is to identify threats. The main threat to the PCI is that of Card Holder data being stolen. The next step is Policy Creation. In order to create one coherent document for Merchants to follow, the five major brands of the PCI (Visa, Mastercard, American Express, Discover and JCB) formed the Payment Card Industry Security Standards Council (PCI SSC). Next comes the requirements specifications. The PCI SSC created a detailed document of 12 major requirements for Merchants and any company which deals with Card Holder data to comply with. These requirements focused on the ability of the Merchant to protect Card Holder data, in both electronic and physical form. The next phase includes the design and implementation of a security system to enforce the afore stated requirements. For a company wide security policy, this is possible. However, for an industry wide security policy it does not make sense to specify implementation because of varying Merchant sizes. Finally comes the Operation and Maintenance phase. The operation of each Merchants security system depends on their implementation of the requirements stated in the PCI DSS. These operations can be assured to be PCI DSS compliant through the use of QSA's and ASV's. The important part of this phase is the Maintenance part. The PCI DSS has gone through a few updates since it's creation as direct results of problems with the first version of it or new security issues that may have arisen.<br />
<br />
== Terms Used In This Article ==<br />
* '''PCI''' ('''P'''ayment '''C'''ard '''I'''ndustry): A Payment Card is any "card" form of payment. This can cover everything from credit cards to debit cards. The Payment Card Industry consists of all the companies which make up the many different brands of payment cards in use today. (ie Visa, Mastercard, ect..)<br />
* '''PCI SSC''' ('''P'''ayment '''C'''ard '''I'''ndustry '''S'''ecurity '''S'''tandards '''C'''ouncil): A council made up of Visa, Mastercard, American Express, Discover and JCB (Japan Credit Bureau) created in order to align their individual security goals into one document - the PCI DSS.<br />
* '''PCI DSS''' ('''P'''ayment '''C'''ard '''I'''ndustry '''D'''ata '''S'''ecurity '''S'''tandard): The document created by the PCI SSC in order to align each companies security goals.<br />
* '''Card Holder''': Any customer of a Payment Card company.<br />
* '''Merchant''': Any company which accepts Payment Cards as a form of payment. The definition also includes any other companies which may deal with Card Holder data without necessarily dealing directly with the Card Holder.<br />
<br />
== What is a Security Policy? ==<br />
A Security Policy is a statement that partitions the states of a system into sets of authorized, or secure, states and a set of unauthorized, or nonsecure, states. <SUP>[ [[Payment Card Industry Data Security Standard #References|1]] ]</SUP> A security policy is the bases on which all the rest of a companies security mechanisms are based on. Obviously, having a good company wide security policy is important. The next logical step is to incorporate an industry wide security policy. The Payment Card Industry Data Security Standard could be viewed as an example of an industry wide security policy.<br />
<br />
== Security Life Cycle ==<br />
<BR><br />
[[Image:SecurityLifyCycle.GIF|frame|right|Figure 1: The Security Life Cycle<SUP>[1]</SUP>]]<br />
The Security Life Cycle consists of the following phases: Threats, Policy, Specification, Design, Implementation and Operation and Maintenance (See Figure 1). As you can see, the security life cycle relies heavily upon later phases giving input to previous phases so that they can be updated. This keeps the security system up to date and hence keeps what the security system is protecting more secure too.<br />
----<br />
=== Identify Threats ===<br />
<P>The main threat to the Payment Card Industry as a whole is more of a threat to the Card Holders than the industry itself. The Card Holders are taking a chance every time they use their credit cards to make a purchase. This threat is not only present when purchasing online, but also when purchasing in stores (or at the "point of purchase"). The threat originates from a lack of industry wide standards on how card holder information should be stored, processed or transmitted.</P><br />
<br />
<P>This security threat directly affects the Payment Card Industry because if cardholders don't trust that their information is secure, then they will not use their credit cards and hence the payment card vendors loose business. This is why the Payment Card Industry is moving forward with their industry wide standard for security, the Payment Card Industry Data Security Standard.</P><br />
<BR><br />
[[Image:PCICouncil.JPG|frame|right|Figure 2: Formation of the PCI SSC]]<br />
----<br />
=== Policy Creation===<br />
<P>Before December 14th 2004, the 5 major Payment Card companies (Visa, Mastercard, American Express, Discover and JCB (Japan Credit Bureau)) each had their own set of Information Security Standards. This meant that retailers had 5 different security policies to comply with. After December 14th 2004, these 5 brands of cards collaborated to create the Payment Card Industry Security Standards Council (PCI SSC). The purpose of this council is to align the goals of each of the Payment Card companies in an industry wide security policy for merchants to follow.</P><br />
----<br />
=== Requirements Specifications ===<br />
An overview of the list of requirements needed to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance is available here [https://www.pcisecuritystandards.org/tech/index.htm About the PCI Data Security Standard (PCI DSS)]. The full list of requirements is available here: [https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm Download the PCI DSS]. Below is the summarized list and an explanation of what each item means. There are 12 major requirements which can be broken up into 6 categories.<br />
<BR><br />
<br />
''Build and Maintain a Secure Network''<BR><br />
1.)Install and maintain a firewall configuration to protect cardholders' data<BR><br />
2.)Do not use vendor-supplied defaults for system password and other security parameters<BR><br />
* This set of requirements is meant to keep any network of computers which contain Card Holder information in a secure state<BR><br />
<BR><br />
<br />
''Protect Card Holder Data''<BR><br />
3.)Protect stored Card Holder data<BR><br />
* This requirement is meant to protect the card holder data while it is stored on merchant computers<BR><br />
4.)Encrypt transmission of Card Holder data across open, public networks<BR><br />
* This requirement is meant to protect Card Holder data when it might be necessary to transmit it across a public network (ie when contacting the Payment Card server)<BR><br />
<BR><br />
<br />
''Maintain a Vulnerability Management Program''<BR><br />
5.)Use and regularly update anti-virus software<BR><br />
* This requirement is meant to ensure that all merchants do take advantage of some form of anti-virus software.<BR><br />
6.)Develop and maintain secure systems and applications<BR><br />
* This requirement is meant to put security as a priority during the development of software. This is an important requirement because many times when software is being designed, security is tacked on as an afterthought. By at least making developers aware of security as being a requirement of their software, this ensures better quality of any security mechanisms built into the software.<BR><br />
<BR><br />
<br />
''Implement Strong Access Control Measures''<BR><br />
7.)Restrict access to Card Holder data by business need-to-know<BR><br />
* This requirement is meant to ensure that only people who need to know about Card Holder data have access to it. This is similar to the principle of least privilege. <BR><br />
8.)Assign a unique ID to each person with computer access<BR><br />
* This requirement is meant to add a level of accountability to all users on the system. If each user has their own unique ID on the merchant's system, then actions can be tracked on linked to the person who did them.<BR><br />
9.)Restrict physical access to Card Holder data<BR><br />
* This requirement is meant to extend the coverage of the PCI DSS to any form of Card Holder data which may not be on a computer. Hence, the PCI DSS is extended to cover not only digital information but also physical copies of the information. However, this does not prevent the threat of customer data being stolen entirely. There is nothing to prevent an employee from copying down information with a pencil and paper. Though this is a problem, it is partially alleviated by requirement 7: Restrict access to Card Holder data by business need-to-know. If only a small number of employees can access the Card Holder data, then it is much easier to track down who may have stolen Card Holder data if there is a security breech from the inside.<BR><br />
<BR><br />
<br />
''Regularly Monitor and Test Networks''<BR><br />
10.) Track and monitor all access to network resources and Card Holder data<BR><br />
* This requirement is designed to catch any unauthorized accesses to Card Holder data. If an anomaly is detected, then the system should be able to detect it and steps should be taken to fix the problem<BR><br />
11.) Regularly test security systems and processes<BR><br />
* This requirement is meant to ensure that merchants don't just set and forget their security systems. It reminds them that security is a full time job and must constantly be maintained.<BR><br />
<BR><br />
''Maintain an Information Security Policy''<BR><br />
12.) Maintain a policy that addresses information security<BR><br />
* Though this may seem a bit redundant, this is an important requirement. It means that every merchant that deals with Cardholder Data must have their own security policy as well in order to protect Card Holder data.<BR><br />
<BR><br />
<br />
----<br />
<br />
=== Design/Implementation ===<br />
<br />
<P>There is no design or implementation specified in the PCI DSS. This is because the application of this security policy is so broad that it is impossible to have one design that will work for every company. For example Soney, which may handle millions of transactions a year, will need a different implementation than a small "mom and pop" company, who may handle only a few hundred transactions a year. However, requirements must still be met to some degree depending on the volume of Payment Card transactions which occur per given merchant. This makes the PCI DSS sound rather weak. However, there is a way which the Payment Card Industry Security Standards Council can keep track of whether or not the requirements are being met. This is through the use of QSA's and ASV's.</P><br />
*[https://www.pcisecuritystandards.org/programs/qsa_program.htm Qualified Security Assessors (QSA's)] are companies who have been approved by the PCI Security Standards Council to assess the compliance of merchants to the PCI DSS. The way the PCI Security Standards Council does this is through a certification program. This requires not only the company to be certified, but also all of it's employees to be certified on a yearly bases.<br />
*[https://www.pcisecuritystandards.org/programs/asv_program.htm Approved Scanning Vendors (ASV's)] are companies who are approved by the PCI Security Standards Council to assess merchants' networks for security vulnerabilities. They accomplish this by simulating both normal and abnormal processes on the merchants networks. Again, ASV's must also be certified by the PCI Security Standards Council on a yearly basis.<br />
<BR><br />
<br />
----<br />
<br />
=== Operation and Maintenance ===<br />
The final step of the Security Life Cycle is Operation and Maintenance. Though this is the final step, it is by far not the least and the life cycle does not end here. This step requires that any time a security breach is detected, steps must be taken to improve the security system. The PCI DSS has definately entered this phase. There are two examples of such maintenance and updating occuring in the PCI DSS:<br />
* Version 1.1<br />
* TJ Max<br />
<br />
====Version 1.1====<br />
Version 1.1 of the PCI DSS was releases on September 2006. This was only a year and a half after the release of the version 1.0 of the PCI DSS, which is pretty fast considering the PCI DSS is meant to be a security wide standard. Version 1.1 clarified many of the requirements and wording of Version 1.0 and also included suggestions on how to achieve compliance. A full summary of the changes between PCI DSS Version 1.1 and PCI DSS Version 1.0 are available[[http://www.procheckup.com/PDFs/ProCheckUp_PCIDSS_SummaryOfChanges.pdf|here]].<br />
<br />
====T.J. Maxx====<br />
[Image:TJMaxxCustAlert.jpg|frame|right|Figure 3: Notice to T.J.Maxx customers]<br />
In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from the screen shot of the [http://www.tjmaxx.com/index.asp T.J.Maxx website] figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem. <br />
<BR><br />
As a direct result of this, the PCI DSS was updated to included better guidelines about wireless networks. Specifically, section 4.1.1 added specifications about implementing Wireless Encryption Protocol Correctly and provided better guidelines for key rotation. For Specifics, see https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.<br />
<br />
== References ==<br />
# Bishop, Matt. ''Introduction to Computer Security''. Boston: Addison-Wesley, 2006.<br />
# (2007). About the PCI DSS - PCI Security Standards Council. Retrieved December 2, 2007, Web site: https://www.pcisecuritystandards.org/tech/index.htm <br />
# T.J. Maxx. (2007). In ''Wikipedia'' [Web]. Retrieved December 2, 2007, from http://en.wikipedia.org/wiki/T.J._Maxx <br />
# PCI DSS. (2007). In ''Wikipedia'' [Web]. Retrieved December 2, 2007, from http://en.wikipedia.org/wiki/PCI_DSS <br />
# PCI DSS Compliance Demystified. Retrieved December 2, 2007, Web site: http://pcianswers.com/ <br />
# PCI DSS Compliance, Payment Card Industry Data Security Standard and Credit Card Security. Retrieved December 2, 2007, from PCI Data Security Standard Web site: http://www.itgovernance.co.uk/pci_dss.aspx<br />
<br />
==External Links==<br />
* https://www.pcisecuritystandards.org/<br />
* http://en.wikipedia.org/wiki/PCI_DSS<br />
* http://pcianswers.com/<br />
* http://www.itgovernance.co.uk/pci_dss.aspx<br />
<br />
== See Also ==<br />
[[Random Number Generators and Information Security]]<BR><br />
[[Security and Storage Mediums]]<BR><br />
[[Piggybacking]]<BR><br />
[[Honeypot]]<BR><br />
[[Biometric Systems Regarding Security Design Principle]]<BR><br />
[[Phishing]]<BR><br />
[[Email Security]]<BR><br />
[[Biometrics in Information Security]]<BR><br />
[[Smart Card Technology to Prevent Fraud]]<BR><br />
[[Electronic Voting Systems]]<BR><br />
[[Anti-spam systems and techniques]]<BR><br />
[[The Mitnick Attack]]<BR><br />
[[Operating Systems Security]]<BR><br />
[[Autocomplete]]<BR><br />
[[Internet Cookies and Confidentiality]]<BR><br />
[[Social Engineering]]<BR><br />
[[Identity Theft]]<BR><br />
[[Information Security Awareness]]<br />
<br />
[[User:Manselnj|Manselnj]] 11:54, 5 December 2007 (EST)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/File:TJMaxxCustAlert.jpgFile:TJMaxxCustAlert.jpg2007-12-06T18:16:15Z<p>Manselnj: Screen shot of T.J.Maxx's website taken December 2007</p>
<hr />
<div>Screen shot of T.J.Maxx's website taken December 2007</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/Payment_Card_Industry_Data_Security_StandardPayment Card Industry Data Security Standard2007-12-06T18:13:35Z<p>Manselnj: /* T.J. Maxx */</p>
<hr />
<div>NOTE: This is currently a very rough draft. I have 2 exams this week and will be making the final draft in one week (12/9/07)<br />
<BR><BR><br />
The Payment Card Industry Data Security Standard (PCI DSS) is a security document created by the Payment Card Industry Security Standards Council (PCI SSC) in order to unify the security requirements of the Payment Card Industry. In order to tie this in with what was taught in [http://www.cas.mcmaster.ca/~wmfarmer/CS-3IS3-07 Comp Sci 3IS3] (taught at [http://www.mcmaster.ca McMaster University]), the PCI DSS will be presented as an Industry Wide Security Policy and as such will be evaluated by tracing its development through the Security Life Cycle. The first step in the Security Life Cycle is to identify threats. The main threat to the PCI is that of Card Holder data being stolen. The next step is Policy Creation. In order to create one coherent document for Merchants to follow, the five major brands of the PCI (Visa, Mastercard, American Express, Discover and JCB) formed the Payment Card Industry Security Standards Council (PCI SSC). Next comes the requirements specifications. The PCI SSC created a detailed document of 12 major requirements for Merchants and any company which deals with Card Holder data to comply with. These requirements focused on the ability of the Merchant to protect Card Holder data, in both electronic and physical form. The next phase includes the design and implementation of a security system to enforce the afore stated requirements. For a company wide security policy, this is possible. However, for an industry wide security policy it does not make sense to specify implementation because of varying Merchant sizes. Finally comes the Operation and Maintenance phase. The operation of each Merchants security system depends on their implementation of the requirements stated in the PCI DSS. These operations can be assured to be PCI DSS compliant through the use of QSA's and ASV's. The important part of this phase is the Maintenance part. The PCI DSS has gone through a few updates since it's creation as direct results of problems with the first version of it or new security issues that may have arisen.<br />
<br />
== Terms Used In This Article ==<br />
* '''PCI''' ('''P'''ayment '''C'''ard '''I'''ndustry): A Payment Card is any "card" form of payment. This can cover everything from credit cards to debit cards. The Payment Card Industry consists of all the companies which make up the many different brands of payment cards in use today. (ie Visa, Mastercard, ect..)<br />
* '''PCI SSC''' ('''P'''ayment '''C'''ard '''I'''ndustry '''S'''ecurity '''S'''tandards '''C'''ouncil): A council made up of Visa, Mastercard, American Express, Discover and JCB (Japan Credit Bureau) created in order to align their individual security goals into one document - the PCI DSS.<br />
* '''PCI DSS''' ('''P'''ayment '''C'''ard '''I'''ndustry '''D'''ata '''S'''ecurity '''S'''tandard): The document created by the PCI SSC in order to align each companies security goals.<br />
* '''Card Holder''': Any customer of a Payment Card company.<br />
* '''Merchant''': Any company which accepts Payment Cards as a form of payment. The definition also includes any other companies which may deal with Card Holder data without necessarily dealing directly with the Card Holder.<br />
<br />
== What is a Security Policy? ==<br />
A Security Policy is a statement that partitions the states of a system into sets of authorized, or secure, states and a set of unauthorized, or nonsecure, states. <SUP>[ [[Payment Card Industry Data Security Standard #References|1]] ]</SUP> A security policy is the bases on which all the rest of a companies security mechanisms are based on. Obviously, having a good company wide security policy is important. The next logical step is to incorporate an industry wide security policy. The Payment Card Industry Data Security Standard could be viewed as an example of an industry wide security policy.<br />
<br />
== Security Life Cycle ==<br />
<BR><br />
[[Image:SecurityLifyCycle.GIF|frame|right|Figure 1: The Security Life Cycle<SUP>[1]</SUP>]]<br />
The Security Life Cycle consists of the following phases: Threats, Policy, Specification, Design, Implementation and Operation and Maintenance (See Figure 1). As you can see, the security life cycle relies heavily upon later phases giving input to previous phases so that they can be updated. This keeps the security system up to date and hence keeps what the security system is protecting more secure too.<br />
----<br />
=== Identify Threats ===<br />
<P>The main threat to the Payment Card Industry as a whole is more of a threat to the Card Holders than the industry itself. The Card Holders are taking a chance every time they use their credit cards to make a purchase. This threat is not only present when purchasing online, but also when purchasing in stores (or at the "point of purchase"). The threat originates from a lack of industry wide standards on how card holder information should be stored, processed or transmitted.</P><br />
<br />
<P>This security threat directly affects the Payment Card Industry because if cardholders don't trust that their information is secure, then they will not use their credit cards and hence the payment card vendors loose business. This is why the Payment Card Industry is moving forward with their industry wide standard for security, the Payment Card Industry Data Security Standard.</P><br />
<BR><br />
[[Image:PCICouncil.JPG|frame|right|Figure 2: Formation of the PCI SSC]]<br />
----<br />
=== Policy Creation===<br />
<P>Before December 14th 2004, the 5 major Payment Card companies (Visa, Mastercard, American Express, Discover and JCB (Japan Credit Bureau)) each had their own set of Information Security Standards. This meant that retailers had 5 different security policies to comply with. After December 14th 2004, these 5 brands of cards collaborated to create the Payment Card Industry Security Standards Council (PCI SSC). The purpose of this council is to align the goals of each of the Payment Card companies in an industry wide security policy for merchants to follow.</P><br />
----<br />
=== Requirements Specifications ===<br />
An overview of the list of requirements needed to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance is available here [https://www.pcisecuritystandards.org/tech/index.htm About the PCI Data Security Standard (PCI DSS)]. The full list of requirements is available here: [https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm Download the PCI DSS]. Below is the summarized list and an explanation of what each item means. There are 12 major requirements which can be broken up into 6 categories.<br />
<BR><br />
<br />
''Build and Maintain a Secure Network''<BR><br />
1.)Install and maintain a firewall configuration to protect cardholders' data<BR><br />
2.)Do not use vendor-supplied defaults for system password and other security parameters<BR><br />
* This set of requirements is meant to keep any network of computers which contain Card Holder information in a secure state<BR><br />
<BR><br />
<br />
''Protect Card Holder Data''<BR><br />
3.)Protect stored Card Holder data<BR><br />
* This requirement is meant to protect the card holder data while it is stored on merchant computers<BR><br />
4.)Encrypt transmission of Card Holder data across open, public networks<BR><br />
* This requirement is meant to protect Card Holder data when it might be necessary to transmit it across a public network (ie when contacting the Payment Card server)<BR><br />
<BR><br />
<br />
''Maintain a Vulnerability Management Program''<BR><br />
5.)Use and regularly update anti-virus software<BR><br />
* This requirement is meant to ensure that all merchants do take advantage of some form of anti-virus software.<BR><br />
6.)Develop and maintain secure systems and applications<BR><br />
* This requirement is meant to put security as a priority during the development of software. This is an important requirement because many times when software is being designed, security is tacked on as an afterthought. By at least making developers aware of security as being a requirement of their software, this ensures better quality of any security mechanisms built into the software.<BR><br />
<BR><br />
<br />
''Implement Strong Access Control Measures''<BR><br />
7.)Restrict access to Card Holder data by business need-to-know<BR><br />
* This requirement is meant to ensure that only people who need to know about Card Holder data have access to it. This is similar to the principle of least privilege. <BR><br />
8.)Assign a unique ID to each person with computer access<BR><br />
* This requirement is meant to add a level of accountability to all users on the system. If each user has their own unique ID on the merchant's system, then actions can be tracked on linked to the person who did them.<BR><br />
9.)Restrict physical access to Card Holder data<BR><br />
* This requirement is meant to extend the coverage of the PCI DSS to any form of Card Holder data which may not be on a computer. Hence, the PCI DSS is extended to cover not only digital information but also physical copies of the information. However, this does not prevent the threat of customer data being stolen entirely. There is nothing to prevent an employee from copying down information with a pencil and paper. Though this is a problem, it is partially alleviated by requirement 7: Restrict access to Card Holder data by business need-to-know. If only a small number of employees can access the Card Holder data, then it is much easier to track down who may have stolen Card Holder data if there is a security breech from the inside.<BR><br />
<BR><br />
<br />
''Regularly Monitor and Test Networks''<BR><br />
10.) Track and monitor all access to network resources and Card Holder data<BR><br />
* This requirement is designed to catch any unauthorized accesses to Card Holder data. If an anomaly is detected, then the system should be able to detect it and steps should be taken to fix the problem<BR><br />
11.) Regularly test security systems and processes<BR><br />
* This requirement is meant to ensure that merchants don't just set and forget their security systems. It reminds them that security is a full time job and must constantly be maintained.<BR><br />
<BR><br />
''Maintain an Information Security Policy''<BR><br />
12.) Maintain a policy that addresses information security<BR><br />
* Though this may seem a bit redundant, this is an important requirement. It means that every merchant that deals with Cardholder Data must have their own security policy as well in order to protect Card Holder data.<BR><br />
<BR><br />
<br />
----<br />
<br />
=== Design/Implementation ===<br />
<br />
<P>There is no design or implementation specified in the PCI DSS. This is because the application of this security policy is so broad that it is impossible to have one design that will work for every company. For example Soney, which may handle millions of transactions a year, will need a different implementation than a small "mom and pop" company, who may handle only a few hundred transactions a year. However, requirements must still be met to some degree depending on the volume of Payment Card transactions which occur per given merchant. This makes the PCI DSS sound rather weak. However, there is a way which the Payment Card Industry Security Standards Council can keep track of whether or not the requirements are being met. This is through the use of QSA's and ASV's.</P><br />
*[https://www.pcisecuritystandards.org/programs/qsa_program.htm Qualified Security Assessors (QSA's)] are companies who have been approved by the PCI Security Standards Council to assess the compliance of merchants to the PCI DSS. The way the PCI Security Standards Council does this is through a certification program. This requires not only the company to be certified, but also all of it's employees to be certified on a yearly bases.<br />
*[https://www.pcisecuritystandards.org/programs/asv_program.htm Approved Scanning Vendors (ASV's)] are companies who are approved by the PCI Security Standards Council to assess merchants' networks for security vulnerabilities. They accomplish this by simulating both normal and abnormal processes on the merchants networks. Again, ASV's must also be certified by the PCI Security Standards Council on a yearly basis.<br />
<BR><br />
<br />
----<br />
<br />
=== Operation and Maintenance ===<br />
The final step of the Security Life Cycle is Operation and Maintenance. Though this is the final step, it is by far not the least and the life cycle does not end here. This step requires that any time a security breach is detected, steps must be taken to improve the security system. The PCI DSS has definately entered this phase. There are two examples of such maintenance and updating occuring in the PCI DSS:<br />
* Version 1.1<br />
* TJ Max<br />
<br />
====Version 1.1====<br />
Version 1.1 of the PCI DSS was releases on September 2006. This was only a year and a half after the release of the version 1.0 of the PCI DSS, which is pretty fast considering the PCI DSS is meant to be a security wide standard. Version 1.1 clarified many of the requirements and wording of Version 1.0 and also included suggestions on how to achieve compliance. A full summary of the changes between PCI DSS Version 1.1 and PCI DSS Version 1.0 are available[[http://www.procheckup.com/PDFs/ProCheckUp_PCIDSS_SummaryOfChanges.pdf|here]].<br />
<br />
====T.J. Maxx====<br />
In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from the screen shot of the [http://www.tjmaxx.com/index.asp T.J.Maxx website] figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem. <br />
<BR><br />
As a direct result of this, the PCI DSS was updated to included better guidelines about wireless networks. Specifically, section 4.1.1 added specifications about implementing Wireless Encryption Protocol Correctly and provided better guidelines for key rotation. For Specifics, see https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.<br />
<br />
== References ==<br />
# Bishop, Matt. ''Introduction to Computer Security''. Boston: Addison-Wesley, 2006.<br />
# (2007). About the PCI DSS - PCI Security Standards Council. Retrieved December 2, 2007, Web site: https://www.pcisecuritystandards.org/tech/index.htm <br />
# T.J. Maxx. (2007). In ''Wikipedia'' [Web]. Retrieved December 2, 2007, from http://en.wikipedia.org/wiki/T.J._Maxx <br />
# PCI DSS. (2007). In ''Wikipedia'' [Web]. Retrieved December 2, 2007, from http://en.wikipedia.org/wiki/PCI_DSS <br />
# PCI DSS Compliance Demystified. Retrieved December 2, 2007, Web site: http://pcianswers.com/ <br />
# PCI DSS Compliance, Payment Card Industry Data Security Standard and Credit Card Security. Retrieved December 2, 2007, from PCI Data Security Standard Web site: http://www.itgovernance.co.uk/pci_dss.aspx<br />
<br />
==External Links==<br />
* https://www.pcisecuritystandards.org/<br />
* http://en.wikipedia.org/wiki/PCI_DSS<br />
* http://pcianswers.com/<br />
* http://www.itgovernance.co.uk/pci_dss.aspx<br />
<br />
== See Also ==<br />
[[Random Number Generators and Information Security]]<BR><br />
[[Security and Storage Mediums]]<BR><br />
[[Piggybacking]]<BR><br />
[[Honeypot]]<BR><br />
[[Biometric Systems Regarding Security Design Principle]]<BR><br />
[[Phishing]]<BR><br />
[[Email Security]]<BR><br />
[[Biometrics in Information Security]]<BR><br />
[[Smart Card Technology to Prevent Fraud]]<BR><br />
[[Electronic Voting Systems]]<BR><br />
[[Anti-spam systems and techniques]]<BR><br />
[[The Mitnick Attack]]<BR><br />
[[Operating Systems Security]]<BR><br />
[[Autocomplete]]<BR><br />
[[Internet Cookies and Confidentiality]]<BR><br />
[[Social Engineering]]<BR><br />
[[Identity Theft]]<BR><br />
[[Information Security Awareness]]<br />
<br />
[[User:Manselnj|Manselnj]] 11:54, 5 December 2007 (EST)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/Payment_Card_Industry_Data_Security_StandardPayment Card Industry Data Security Standard2007-12-06T18:13:21Z<p>Manselnj: /* T.J. Maxx */</p>
<hr />
<div>NOTE: This is currently a very rough draft. I have 2 exams this week and will be making the final draft in one week (12/9/07)<br />
<BR><BR><br />
The Payment Card Industry Data Security Standard (PCI DSS) is a security document created by the Payment Card Industry Security Standards Council (PCI SSC) in order to unify the security requirements of the Payment Card Industry. In order to tie this in with what was taught in [http://www.cas.mcmaster.ca/~wmfarmer/CS-3IS3-07 Comp Sci 3IS3] (taught at [http://www.mcmaster.ca McMaster University]), the PCI DSS will be presented as an Industry Wide Security Policy and as such will be evaluated by tracing its development through the Security Life Cycle. The first step in the Security Life Cycle is to identify threats. The main threat to the PCI is that of Card Holder data being stolen. The next step is Policy Creation. In order to create one coherent document for Merchants to follow, the five major brands of the PCI (Visa, Mastercard, American Express, Discover and JCB) formed the Payment Card Industry Security Standards Council (PCI SSC). Next comes the requirements specifications. The PCI SSC created a detailed document of 12 major requirements for Merchants and any company which deals with Card Holder data to comply with. These requirements focused on the ability of the Merchant to protect Card Holder data, in both electronic and physical form. The next phase includes the design and implementation of a security system to enforce the afore stated requirements. For a company wide security policy, this is possible. However, for an industry wide security policy it does not make sense to specify implementation because of varying Merchant sizes. Finally comes the Operation and Maintenance phase. The operation of each Merchants security system depends on their implementation of the requirements stated in the PCI DSS. These operations can be assured to be PCI DSS compliant through the use of QSA's and ASV's. The important part of this phase is the Maintenance part. The PCI DSS has gone through a few updates since it's creation as direct results of problems with the first version of it or new security issues that may have arisen.<br />
<br />
== Terms Used In This Article ==<br />
* '''PCI''' ('''P'''ayment '''C'''ard '''I'''ndustry): A Payment Card is any "card" form of payment. This can cover everything from credit cards to debit cards. The Payment Card Industry consists of all the companies which make up the many different brands of payment cards in use today. (ie Visa, Mastercard, ect..)<br />
* '''PCI SSC''' ('''P'''ayment '''C'''ard '''I'''ndustry '''S'''ecurity '''S'''tandards '''C'''ouncil): A council made up of Visa, Mastercard, American Express, Discover and JCB (Japan Credit Bureau) created in order to align their individual security goals into one document - the PCI DSS.<br />
* '''PCI DSS''' ('''P'''ayment '''C'''ard '''I'''ndustry '''D'''ata '''S'''ecurity '''S'''tandard): The document created by the PCI SSC in order to align each companies security goals.<br />
* '''Card Holder''': Any customer of a Payment Card company.<br />
* '''Merchant''': Any company which accepts Payment Cards as a form of payment. The definition also includes any other companies which may deal with Card Holder data without necessarily dealing directly with the Card Holder.<br />
<br />
== What is a Security Policy? ==<br />
A Security Policy is a statement that partitions the states of a system into sets of authorized, or secure, states and a set of unauthorized, or nonsecure, states. <SUP>[ [[Payment Card Industry Data Security Standard #References|1]] ]</SUP> A security policy is the bases on which all the rest of a companies security mechanisms are based on. Obviously, having a good company wide security policy is important. The next logical step is to incorporate an industry wide security policy. The Payment Card Industry Data Security Standard could be viewed as an example of an industry wide security policy.<br />
<br />
== Security Life Cycle ==<br />
<BR><br />
[[Image:SecurityLifyCycle.GIF|frame|right|Figure 1: The Security Life Cycle<SUP>[1]</SUP>]]<br />
The Security Life Cycle consists of the following phases: Threats, Policy, Specification, Design, Implementation and Operation and Maintenance (See Figure 1). As you can see, the security life cycle relies heavily upon later phases giving input to previous phases so that they can be updated. This keeps the security system up to date and hence keeps what the security system is protecting more secure too.<br />
----<br />
=== Identify Threats ===<br />
<P>The main threat to the Payment Card Industry as a whole is more of a threat to the Card Holders than the industry itself. The Card Holders are taking a chance every time they use their credit cards to make a purchase. This threat is not only present when purchasing online, but also when purchasing in stores (or at the "point of purchase"). The threat originates from a lack of industry wide standards on how card holder information should be stored, processed or transmitted.</P><br />
<br />
<P>This security threat directly affects the Payment Card Industry because if cardholders don't trust that their information is secure, then they will not use their credit cards and hence the payment card vendors loose business. This is why the Payment Card Industry is moving forward with their industry wide standard for security, the Payment Card Industry Data Security Standard.</P><br />
<BR><br />
[[Image:PCICouncil.JPG|frame|right|Figure 2: Formation of the PCI SSC]]<br />
----<br />
=== Policy Creation===<br />
<P>Before December 14th 2004, the 5 major Payment Card companies (Visa, Mastercard, American Express, Discover and JCB (Japan Credit Bureau)) each had their own set of Information Security Standards. This meant that retailers had 5 different security policies to comply with. After December 14th 2004, these 5 brands of cards collaborated to create the Payment Card Industry Security Standards Council (PCI SSC). The purpose of this council is to align the goals of each of the Payment Card companies in an industry wide security policy for merchants to follow.</P><br />
----<br />
=== Requirements Specifications ===<br />
An overview of the list of requirements needed to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance is available here [https://www.pcisecuritystandards.org/tech/index.htm About the PCI Data Security Standard (PCI DSS)]. The full list of requirements is available here: [https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm Download the PCI DSS]. Below is the summarized list and an explanation of what each item means. There are 12 major requirements which can be broken up into 6 categories.<br />
<BR><br />
<br />
''Build and Maintain a Secure Network''<BR><br />
1.)Install and maintain a firewall configuration to protect cardholders' data<BR><br />
2.)Do not use vendor-supplied defaults for system password and other security parameters<BR><br />
* This set of requirements is meant to keep any network of computers which contain Card Holder information in a secure state<BR><br />
<BR><br />
<br />
''Protect Card Holder Data''<BR><br />
3.)Protect stored Card Holder data<BR><br />
* This requirement is meant to protect the card holder data while it is stored on merchant computers<BR><br />
4.)Encrypt transmission of Card Holder data across open, public networks<BR><br />
* This requirement is meant to protect Card Holder data when it might be necessary to transmit it across a public network (ie when contacting the Payment Card server)<BR><br />
<BR><br />
<br />
''Maintain a Vulnerability Management Program''<BR><br />
5.)Use and regularly update anti-virus software<BR><br />
* This requirement is meant to ensure that all merchants do take advantage of some form of anti-virus software.<BR><br />
6.)Develop and maintain secure systems and applications<BR><br />
* This requirement is meant to put security as a priority during the development of software. This is an important requirement because many times when software is being designed, security is tacked on as an afterthought. By at least making developers aware of security as being a requirement of their software, this ensures better quality of any security mechanisms built into the software.<BR><br />
<BR><br />
<br />
''Implement Strong Access Control Measures''<BR><br />
7.)Restrict access to Card Holder data by business need-to-know<BR><br />
* This requirement is meant to ensure that only people who need to know about Card Holder data have access to it. This is similar to the principle of least privilege. <BR><br />
8.)Assign a unique ID to each person with computer access<BR><br />
* This requirement is meant to add a level of accountability to all users on the system. If each user has their own unique ID on the merchant's system, then actions can be tracked on linked to the person who did them.<BR><br />
9.)Restrict physical access to Card Holder data<BR><br />
* This requirement is meant to extend the coverage of the PCI DSS to any form of Card Holder data which may not be on a computer. Hence, the PCI DSS is extended to cover not only digital information but also physical copies of the information. However, this does not prevent the threat of customer data being stolen entirely. There is nothing to prevent an employee from copying down information with a pencil and paper. Though this is a problem, it is partially alleviated by requirement 7: Restrict access to Card Holder data by business need-to-know. If only a small number of employees can access the Card Holder data, then it is much easier to track down who may have stolen Card Holder data if there is a security breech from the inside.<BR><br />
<BR><br />
<br />
''Regularly Monitor and Test Networks''<BR><br />
10.) Track and monitor all access to network resources and Card Holder data<BR><br />
* This requirement is designed to catch any unauthorized accesses to Card Holder data. If an anomaly is detected, then the system should be able to detect it and steps should be taken to fix the problem<BR><br />
11.) Regularly test security systems and processes<BR><br />
* This requirement is meant to ensure that merchants don't just set and forget their security systems. It reminds them that security is a full time job and must constantly be maintained.<BR><br />
<BR><br />
''Maintain an Information Security Policy''<BR><br />
12.) Maintain a policy that addresses information security<BR><br />
* Though this may seem a bit redundant, this is an important requirement. It means that every merchant that deals with Cardholder Data must have their own security policy as well in order to protect Card Holder data.<BR><br />
<BR><br />
<br />
----<br />
<br />
=== Design/Implementation ===<br />
<br />
<P>There is no design or implementation specified in the PCI DSS. This is because the application of this security policy is so broad that it is impossible to have one design that will work for every company. For example Soney, which may handle millions of transactions a year, will need a different implementation than a small "mom and pop" company, who may handle only a few hundred transactions a year. However, requirements must still be met to some degree depending on the volume of Payment Card transactions which occur per given merchant. This makes the PCI DSS sound rather weak. However, there is a way which the Payment Card Industry Security Standards Council can keep track of whether or not the requirements are being met. This is through the use of QSA's and ASV's.</P><br />
*[https://www.pcisecuritystandards.org/programs/qsa_program.htm Qualified Security Assessors (QSA's)] are companies who have been approved by the PCI Security Standards Council to assess the compliance of merchants to the PCI DSS. The way the PCI Security Standards Council does this is through a certification program. This requires not only the company to be certified, but also all of it's employees to be certified on a yearly bases.<br />
*[https://www.pcisecuritystandards.org/programs/asv_program.htm Approved Scanning Vendors (ASV's)] are companies who are approved by the PCI Security Standards Council to assess merchants' networks for security vulnerabilities. They accomplish this by simulating both normal and abnormal processes on the merchants networks. Again, ASV's must also be certified by the PCI Security Standards Council on a yearly basis.<br />
<BR><br />
<br />
----<br />
<br />
=== Operation and Maintenance ===<br />
The final step of the Security Life Cycle is Operation and Maintenance. Though this is the final step, it is by far not the least and the life cycle does not end here. This step requires that any time a security breach is detected, steps must be taken to improve the security system. The PCI DSS has definately entered this phase. There are two examples of such maintenance and updating occuring in the PCI DSS:<br />
* Version 1.1<br />
* TJ Max<br />
<br />
====Version 1.1====<br />
Version 1.1 of the PCI DSS was releases on September 2006. This was only a year and a half after the release of the version 1.0 of the PCI DSS, which is pretty fast considering the PCI DSS is meant to be a security wide standard. Version 1.1 clarified many of the requirements and wording of Version 1.0 and also included suggestions on how to achieve compliance. A full summary of the changes between PCI DSS Version 1.1 and PCI DSS Version 1.0 are available[[http://www.procheckup.com/PDFs/ProCheckUp_PCIDSS_SummaryOfChanges.pdf|here]].<br />
<br />
====T.J. Maxx====<br />
In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from the screen shot of the [http://www.tjmaxx.com/index.asp | T.J.Maxx website] figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem. <br />
<BR><br />
As a direct result of this, the PCI DSS was updated to included better guidelines about wireless networks. Specifically, section 4.1.1 added specifications about implementing Wireless Encryption Protocol Correctly and provided better guidelines for key rotation. For Specifics, see https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.<br />
<br />
== References ==<br />
# Bishop, Matt. ''Introduction to Computer Security''. Boston: Addison-Wesley, 2006.<br />
# (2007). About the PCI DSS - PCI Security Standards Council. Retrieved December 2, 2007, Web site: https://www.pcisecuritystandards.org/tech/index.htm <br />
# T.J. Maxx. (2007). In ''Wikipedia'' [Web]. Retrieved December 2, 2007, from http://en.wikipedia.org/wiki/T.J._Maxx <br />
# PCI DSS. (2007). In ''Wikipedia'' [Web]. Retrieved December 2, 2007, from http://en.wikipedia.org/wiki/PCI_DSS <br />
# PCI DSS Compliance Demystified. Retrieved December 2, 2007, Web site: http://pcianswers.com/ <br />
# PCI DSS Compliance, Payment Card Industry Data Security Standard and Credit Card Security. Retrieved December 2, 2007, from PCI Data Security Standard Web site: http://www.itgovernance.co.uk/pci_dss.aspx<br />
<br />
==External Links==<br />
* https://www.pcisecuritystandards.org/<br />
* http://en.wikipedia.org/wiki/PCI_DSS<br />
* http://pcianswers.com/<br />
* http://www.itgovernance.co.uk/pci_dss.aspx<br />
<br />
== See Also ==<br />
[[Random Number Generators and Information Security]]<BR><br />
[[Security and Storage Mediums]]<BR><br />
[[Piggybacking]]<BR><br />
[[Honeypot]]<BR><br />
[[Biometric Systems Regarding Security Design Principle]]<BR><br />
[[Phishing]]<BR><br />
[[Email Security]]<BR><br />
[[Biometrics in Information Security]]<BR><br />
[[Smart Card Technology to Prevent Fraud]]<BR><br />
[[Electronic Voting Systems]]<BR><br />
[[Anti-spam systems and techniques]]<BR><br />
[[The Mitnick Attack]]<BR><br />
[[Operating Systems Security]]<BR><br />
[[Autocomplete]]<BR><br />
[[Internet Cookies and Confidentiality]]<BR><br />
[[Social Engineering]]<BR><br />
[[Identity Theft]]<BR><br />
[[Information Security Awareness]]<br />
<br />
[[User:Manselnj|Manselnj]] 11:54, 5 December 2007 (EST)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/Payment_Card_Industry_Data_Security_StandardPayment Card Industry Data Security Standard2007-12-06T18:12:38Z<p>Manselnj: /* T.J. Maxx */</p>
<hr />
<div>NOTE: This is currently a very rough draft. I have 2 exams this week and will be making the final draft in one week (12/9/07)<br />
<BR><BR><br />
The Payment Card Industry Data Security Standard (PCI DSS) is a security document created by the Payment Card Industry Security Standards Council (PCI SSC) in order to unify the security requirements of the Payment Card Industry. In order to tie this in with what was taught in [http://www.cas.mcmaster.ca/~wmfarmer/CS-3IS3-07 Comp Sci 3IS3] (taught at [http://www.mcmaster.ca McMaster University]), the PCI DSS will be presented as an Industry Wide Security Policy and as such will be evaluated by tracing its development through the Security Life Cycle. The first step in the Security Life Cycle is to identify threats. The main threat to the PCI is that of Card Holder data being stolen. The next step is Policy Creation. In order to create one coherent document for Merchants to follow, the five major brands of the PCI (Visa, Mastercard, American Express, Discover and JCB) formed the Payment Card Industry Security Standards Council (PCI SSC). Next comes the requirements specifications. The PCI SSC created a detailed document of 12 major requirements for Merchants and any company which deals with Card Holder data to comply with. These requirements focused on the ability of the Merchant to protect Card Holder data, in both electronic and physical form. The next phase includes the design and implementation of a security system to enforce the afore stated requirements. For a company wide security policy, this is possible. However, for an industry wide security policy it does not make sense to specify implementation because of varying Merchant sizes. Finally comes the Operation and Maintenance phase. The operation of each Merchants security system depends on their implementation of the requirements stated in the PCI DSS. These operations can be assured to be PCI DSS compliant through the use of QSA's and ASV's. The important part of this phase is the Maintenance part. The PCI DSS has gone through a few updates since it's creation as direct results of problems with the first version of it or new security issues that may have arisen.<br />
<br />
== Terms Used In This Article ==<br />
* '''PCI''' ('''P'''ayment '''C'''ard '''I'''ndustry): A Payment Card is any "card" form of payment. This can cover everything from credit cards to debit cards. The Payment Card Industry consists of all the companies which make up the many different brands of payment cards in use today. (ie Visa, Mastercard, ect..)<br />
* '''PCI SSC''' ('''P'''ayment '''C'''ard '''I'''ndustry '''S'''ecurity '''S'''tandards '''C'''ouncil): A council made up of Visa, Mastercard, American Express, Discover and JCB (Japan Credit Bureau) created in order to align their individual security goals into one document - the PCI DSS.<br />
* '''PCI DSS''' ('''P'''ayment '''C'''ard '''I'''ndustry '''D'''ata '''S'''ecurity '''S'''tandard): The document created by the PCI SSC in order to align each companies security goals.<br />
* '''Card Holder''': Any customer of a Payment Card company.<br />
* '''Merchant''': Any company which accepts Payment Cards as a form of payment. The definition also includes any other companies which may deal with Card Holder data without necessarily dealing directly with the Card Holder.<br />
<br />
== What is a Security Policy? ==<br />
A Security Policy is a statement that partitions the states of a system into sets of authorized, or secure, states and a set of unauthorized, or nonsecure, states. <SUP>[ [[Payment Card Industry Data Security Standard #References|1]] ]</SUP> A security policy is the bases on which all the rest of a companies security mechanisms are based on. Obviously, having a good company wide security policy is important. The next logical step is to incorporate an industry wide security policy. The Payment Card Industry Data Security Standard could be viewed as an example of an industry wide security policy.<br />
<br />
== Security Life Cycle ==<br />
<BR><br />
[[Image:SecurityLifyCycle.GIF|frame|right|Figure 1: The Security Life Cycle<SUP>[1]</SUP>]]<br />
The Security Life Cycle consists of the following phases: Threats, Policy, Specification, Design, Implementation and Operation and Maintenance (See Figure 1). As you can see, the security life cycle relies heavily upon later phases giving input to previous phases so that they can be updated. This keeps the security system up to date and hence keeps what the security system is protecting more secure too.<br />
----<br />
=== Identify Threats ===<br />
<P>The main threat to the Payment Card Industry as a whole is more of a threat to the Card Holders than the industry itself. The Card Holders are taking a chance every time they use their credit cards to make a purchase. This threat is not only present when purchasing online, but also when purchasing in stores (or at the "point of purchase"). The threat originates from a lack of industry wide standards on how card holder information should be stored, processed or transmitted.</P><br />
<br />
<P>This security threat directly affects the Payment Card Industry because if cardholders don't trust that their information is secure, then they will not use their credit cards and hence the payment card vendors loose business. This is why the Payment Card Industry is moving forward with their industry wide standard for security, the Payment Card Industry Data Security Standard.</P><br />
<BR><br />
[[Image:PCICouncil.JPG|frame|right|Figure 2: Formation of the PCI SSC]]<br />
----<br />
=== Policy Creation===<br />
<P>Before December 14th 2004, the 5 major Payment Card companies (Visa, Mastercard, American Express, Discover and JCB (Japan Credit Bureau)) each had their own set of Information Security Standards. This meant that retailers had 5 different security policies to comply with. After December 14th 2004, these 5 brands of cards collaborated to create the Payment Card Industry Security Standards Council (PCI SSC). The purpose of this council is to align the goals of each of the Payment Card companies in an industry wide security policy for merchants to follow.</P><br />
----<br />
=== Requirements Specifications ===<br />
An overview of the list of requirements needed to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance is available here [https://www.pcisecuritystandards.org/tech/index.htm About the PCI Data Security Standard (PCI DSS)]. The full list of requirements is available here: [https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm Download the PCI DSS]. Below is the summarized list and an explanation of what each item means. There are 12 major requirements which can be broken up into 6 categories.<br />
<BR><br />
<br />
''Build and Maintain a Secure Network''<BR><br />
1.)Install and maintain a firewall configuration to protect cardholders' data<BR><br />
2.)Do not use vendor-supplied defaults for system password and other security parameters<BR><br />
* This set of requirements is meant to keep any network of computers which contain Card Holder information in a secure state<BR><br />
<BR><br />
<br />
''Protect Card Holder Data''<BR><br />
3.)Protect stored Card Holder data<BR><br />
* This requirement is meant to protect the card holder data while it is stored on merchant computers<BR><br />
4.)Encrypt transmission of Card Holder data across open, public networks<BR><br />
* This requirement is meant to protect Card Holder data when it might be necessary to transmit it across a public network (ie when contacting the Payment Card server)<BR><br />
<BR><br />
<br />
''Maintain a Vulnerability Management Program''<BR><br />
5.)Use and regularly update anti-virus software<BR><br />
* This requirement is meant to ensure that all merchants do take advantage of some form of anti-virus software.<BR><br />
6.)Develop and maintain secure systems and applications<BR><br />
* This requirement is meant to put security as a priority during the development of software. This is an important requirement because many times when software is being designed, security is tacked on as an afterthought. By at least making developers aware of security as being a requirement of their software, this ensures better quality of any security mechanisms built into the software.<BR><br />
<BR><br />
<br />
''Implement Strong Access Control Measures''<BR><br />
7.)Restrict access to Card Holder data by business need-to-know<BR><br />
* This requirement is meant to ensure that only people who need to know about Card Holder data have access to it. This is similar to the principle of least privilege. <BR><br />
8.)Assign a unique ID to each person with computer access<BR><br />
* This requirement is meant to add a level of accountability to all users on the system. If each user has their own unique ID on the merchant's system, then actions can be tracked on linked to the person who did them.<BR><br />
9.)Restrict physical access to Card Holder data<BR><br />
* This requirement is meant to extend the coverage of the PCI DSS to any form of Card Holder data which may not be on a computer. Hence, the PCI DSS is extended to cover not only digital information but also physical copies of the information. However, this does not prevent the threat of customer data being stolen entirely. There is nothing to prevent an employee from copying down information with a pencil and paper. Though this is a problem, it is partially alleviated by requirement 7: Restrict access to Card Holder data by business need-to-know. If only a small number of employees can access the Card Holder data, then it is much easier to track down who may have stolen Card Holder data if there is a security breech from the inside.<BR><br />
<BR><br />
<br />
''Regularly Monitor and Test Networks''<BR><br />
10.) Track and monitor all access to network resources and Card Holder data<BR><br />
* This requirement is designed to catch any unauthorized accesses to Card Holder data. If an anomaly is detected, then the system should be able to detect it and steps should be taken to fix the problem<BR><br />
11.) Regularly test security systems and processes<BR><br />
* This requirement is meant to ensure that merchants don't just set and forget their security systems. It reminds them that security is a full time job and must constantly be maintained.<BR><br />
<BR><br />
''Maintain an Information Security Policy''<BR><br />
12.) Maintain a policy that addresses information security<BR><br />
* Though this may seem a bit redundant, this is an important requirement. It means that every merchant that deals with Cardholder Data must have their own security policy as well in order to protect Card Holder data.<BR><br />
<BR><br />
<br />
----<br />
<br />
=== Design/Implementation ===<br />
<br />
<P>There is no design or implementation specified in the PCI DSS. This is because the application of this security policy is so broad that it is impossible to have one design that will work for every company. For example Soney, which may handle millions of transactions a year, will need a different implementation than a small "mom and pop" company, who may handle only a few hundred transactions a year. However, requirements must still be met to some degree depending on the volume of Payment Card transactions which occur per given merchant. This makes the PCI DSS sound rather weak. However, there is a way which the Payment Card Industry Security Standards Council can keep track of whether or not the requirements are being met. This is through the use of QSA's and ASV's.</P><br />
*[https://www.pcisecuritystandards.org/programs/qsa_program.htm Qualified Security Assessors (QSA's)] are companies who have been approved by the PCI Security Standards Council to assess the compliance of merchants to the PCI DSS. The way the PCI Security Standards Council does this is through a certification program. This requires not only the company to be certified, but also all of it's employees to be certified on a yearly bases.<br />
*[https://www.pcisecuritystandards.org/programs/asv_program.htm Approved Scanning Vendors (ASV's)] are companies who are approved by the PCI Security Standards Council to assess merchants' networks for security vulnerabilities. They accomplish this by simulating both normal and abnormal processes on the merchants networks. Again, ASV's must also be certified by the PCI Security Standards Council on a yearly basis.<br />
<BR><br />
<br />
----<br />
<br />
=== Operation and Maintenance ===<br />
The final step of the Security Life Cycle is Operation and Maintenance. Though this is the final step, it is by far not the least and the life cycle does not end here. This step requires that any time a security breach is detected, steps must be taken to improve the security system. The PCI DSS has definately entered this phase. There are two examples of such maintenance and updating occuring in the PCI DSS:<br />
* Version 1.1<br />
* TJ Max<br />
<br />
====Version 1.1====<br />
Version 1.1 of the PCI DSS was releases on September 2006. This was only a year and a half after the release of the version 1.0 of the PCI DSS, which is pretty fast considering the PCI DSS is meant to be a security wide standard. Version 1.1 clarified many of the requirements and wording of Version 1.0 and also included suggestions on how to achieve compliance. A full summary of the changes between PCI DSS Version 1.1 and PCI DSS Version 1.0 are available[[http://www.procheckup.com/PDFs/ProCheckUp_PCIDSS_SummaryOfChanges.pdf|here]].<br />
<br />
====T.J. Maxx====<br />
In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from the screen shot of the [T.J.Maxx website] figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem. <br />
<BR><br />
As a direct result of this, the PCI DSS was updated to included better guidelines about wireless networks. Specifically, section 4.1.1 added specifications about implementing Wireless Encryption Protocol Correctly and provided better guidelines for key rotation. For Specifics, see https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.<br />
<br />
== References ==<br />
# Bishop, Matt. ''Introduction to Computer Security''. Boston: Addison-Wesley, 2006.<br />
# (2007). About the PCI DSS - PCI Security Standards Council. Retrieved December 2, 2007, Web site: https://www.pcisecuritystandards.org/tech/index.htm <br />
# T.J. Maxx. (2007). In ''Wikipedia'' [Web]. Retrieved December 2, 2007, from http://en.wikipedia.org/wiki/T.J._Maxx <br />
# PCI DSS. (2007). In ''Wikipedia'' [Web]. Retrieved December 2, 2007, from http://en.wikipedia.org/wiki/PCI_DSS <br />
# PCI DSS Compliance Demystified. Retrieved December 2, 2007, Web site: http://pcianswers.com/ <br />
# PCI DSS Compliance, Payment Card Industry Data Security Standard and Credit Card Security. Retrieved December 2, 2007, from PCI Data Security Standard Web site: http://www.itgovernance.co.uk/pci_dss.aspx<br />
<br />
==External Links==<br />
* https://www.pcisecuritystandards.org/<br />
* http://en.wikipedia.org/wiki/PCI_DSS<br />
* http://pcianswers.com/<br />
* http://www.itgovernance.co.uk/pci_dss.aspx<br />
<br />
== See Also ==<br />
[[Random Number Generators and Information Security]]<BR><br />
[[Security and Storage Mediums]]<BR><br />
[[Piggybacking]]<BR><br />
[[Honeypot]]<BR><br />
[[Biometric Systems Regarding Security Design Principle]]<BR><br />
[[Phishing]]<BR><br />
[[Email Security]]<BR><br />
[[Biometrics in Information Security]]<BR><br />
[[Smart Card Technology to Prevent Fraud]]<BR><br />
[[Electronic Voting Systems]]<BR><br />
[[Anti-spam systems and techniques]]<BR><br />
[[The Mitnick Attack]]<BR><br />
[[Operating Systems Security]]<BR><br />
[[Autocomplete]]<BR><br />
[[Internet Cookies and Confidentiality]]<BR><br />
[[Social Engineering]]<BR><br />
[[Identity Theft]]<BR><br />
[[Information Security Awareness]]<br />
<br />
[[User:Manselnj|Manselnj]] 11:54, 5 December 2007 (EST)</div>Manselnjhttp://wiki.cas.mcmaster.ca/index.php/Payment_Card_Industry_Data_Security_StandardPayment Card Industry Data Security Standard2007-12-06T18:10:30Z<p>Manselnj: /* See Also */</p>
<hr />
<div>NOTE: This is currently a very rough draft. I have 2 exams this week and will be making the final draft in one week (12/9/07)<br />
<BR><BR><br />
The Payment Card Industry Data Security Standard (PCI DSS) is a security document created by the Payment Card Industry Security Standards Council (PCI SSC) in order to unify the security requirements of the Payment Card Industry. In order to tie this in with what was taught in [http://www.cas.mcmaster.ca/~wmfarmer/CS-3IS3-07 Comp Sci 3IS3] (taught at [http://www.mcmaster.ca McMaster University]), the PCI DSS will be presented as an Industry Wide Security Policy and as such will be evaluated by tracing its development through the Security Life Cycle. The first step in the Security Life Cycle is to identify threats. The main threat to the PCI is that of Card Holder data being stolen. The next step is Policy Creation. In order to create one coherent document for Merchants to follow, the five major brands of the PCI (Visa, Mastercard, American Express, Discover and JCB) formed the Payment Card Industry Security Standards Council (PCI SSC). Next comes the requirements specifications. The PCI SSC created a detailed document of 12 major requirements for Merchants and any company which deals with Card Holder data to comply with. These requirements focused on the ability of the Merchant to protect Card Holder data, in both electronic and physical form. The next phase includes the design and implementation of a security system to enforce the afore stated requirements. For a company wide security policy, this is possible. However, for an industry wide security policy it does not make sense to specify implementation because of varying Merchant sizes. Finally comes the Operation and Maintenance phase. The operation of each Merchants security system depends on their implementation of the requirements stated in the PCI DSS. These operations can be assured to be PCI DSS compliant through the use of QSA's and ASV's. The important part of this phase is the Maintenance part. The PCI DSS has gone through a few updates since it's creation as direct results of problems with the first version of it or new security issues that may have arisen.<br />
<br />
== Terms Used In This Article ==<br />
* '''PCI''' ('''P'''ayment '''C'''ard '''I'''ndustry): A Payment Card is any "card" form of payment. This can cover everything from credit cards to debit cards. The Payment Card Industry consists of all the companies which make up the many different brands of payment cards in use today. (ie Visa, Mastercard, ect..)<br />
* '''PCI SSC''' ('''P'''ayment '''C'''ard '''I'''ndustry '''S'''ecurity '''S'''tandards '''C'''ouncil): A council made up of Visa, Mastercard, American Express, Discover and JCB (Japan Credit Bureau) created in order to align their individual security goals into one document - the PCI DSS.<br />
* '''PCI DSS''' ('''P'''ayment '''C'''ard '''I'''ndustry '''D'''ata '''S'''ecurity '''S'''tandard): The document created by the PCI SSC in order to align each companies security goals.<br />
* '''Card Holder''': Any customer of a Payment Card company.<br />
* '''Merchant''': Any company which accepts Payment Cards as a form of payment. The definition also includes any other companies which may deal with Card Holder data without necessarily dealing directly with the Card Holder.<br />
<br />
== What is a Security Policy? ==<br />
A Security Policy is a statement that partitions the states of a system into sets of authorized, or secure, states and a set of unauthorized, or nonsecure, states. <SUP>[ [[Payment Card Industry Data Security Standard #References|1]] ]</SUP> A security policy is the bases on which all the rest of a companies security mechanisms are based on. Obviously, having a good company wide security policy is important. The next logical step is to incorporate an industry wide security policy. The Payment Card Industry Data Security Standard could be viewed as an example of an industry wide security policy.<br />
<br />
== Security Life Cycle ==<br />
<BR><br />
[[Image:SecurityLifyCycle.GIF|frame|right|Figure 1: The Security Life Cycle<SUP>[1]</SUP>]]<br />
The Security Life Cycle consists of the following phases: Threats, Policy, Specification, Design, Implementation and Operation and Maintenance (See Figure 1). As you can see, the security life cycle relies heavily upon later phases giving input to previous phases so that they can be updated. This keeps the security system up to date and hence keeps what the security system is protecting more secure too.<br />
----<br />
=== Identify Threats ===<br />
<P>The main threat to the Payment Card Industry as a whole is more of a threat to the Card Holders than the industry itself. The Card Holders are taking a chance every time they use their credit cards to make a purchase. This threat is not only present when purchasing online, but also when purchasing in stores (or at the "point of purchase"). The threat originates from a lack of industry wide standards on how card holder information should be stored, processed or transmitted.</P><br />
<br />
<P>This security threat directly affects the Payment Card Industry because if cardholders don't trust that their information is secure, then they will not use their credit cards and hence the payment card vendors loose business. This is why the Payment Card Industry is moving forward with their industry wide standard for security, the Payment Card Industry Data Security Standard.</P><br />
<BR><br />
[[Image:PCICouncil.JPG|frame|right|Figure 2: Formation of the PCI SSC]]<br />
----<br />
=== Policy Creation===<br />
<P>Before December 14th 2004, the 5 major Payment Card companies (Visa, Mastercard, American Express, Discover and JCB (Japan Credit Bureau)) each had their own set of Information Security Standards. This meant that retailers had 5 different security policies to comply with. After December 14th 2004, these 5 brands of cards collaborated to create the Payment Card Industry Security Standards Council (PCI SSC). The purpose of this council is to align the goals of each of the Payment Card companies in an industry wide security policy for merchants to follow.</P><br />
----<br />
=== Requirements Specifications ===<br />
An overview of the list of requirements needed to maintain Payment Card Industry Data Security Standard (PCI DSS) compliance is available here [https://www.pcisecuritystandards.org/tech/index.htm About the PCI Data Security Standard (PCI DSS)]. The full list of requirements is available here: [https://www.pcisecuritystandards.org/tech/download_the_pci_dss.htm Download the PCI DSS]. Below is the summarized list and an explanation of what each item means. There are 12 major requirements which can be broken up into 6 categories.<br />
<BR><br />
<br />
''Build and Maintain a Secure Network''<BR><br />
1.)Install and maintain a firewall configuration to protect cardholders' data<BR><br />
2.)Do not use vendor-supplied defaults for system password and other security parameters<BR><br />
* This set of requirements is meant to keep any network of computers which contain Card Holder information in a secure state<BR><br />
<BR><br />
<br />
''Protect Card Holder Data''<BR><br />
3.)Protect stored Card Holder data<BR><br />
* This requirement is meant to protect the card holder data while it is stored on merchant computers<BR><br />
4.)Encrypt transmission of Card Holder data across open, public networks<BR><br />
* This requirement is meant to protect Card Holder data when it might be necessary to transmit it across a public network (ie when contacting the Payment Card server)<BR><br />
<BR><br />
<br />
''Maintain a Vulnerability Management Program''<BR><br />
5.)Use and regularly update anti-virus software<BR><br />
* This requirement is meant to ensure that all merchants do take advantage of some form of anti-virus software.<BR><br />
6.)Develop and maintain secure systems and applications<BR><br />
* This requirement is meant to put security as a priority during the development of software. This is an important requirement because many times when software is being designed, security is tacked on as an afterthought. By at least making developers aware of security as being a requirement of their software, this ensures better quality of any security mechanisms built into the software.<BR><br />
<BR><br />
<br />
''Implement Strong Access Control Measures''<BR><br />
7.)Restrict access to Card Holder data by business need-to-know<BR><br />
* This requirement is meant to ensure that only people who need to know about Card Holder data have access to it. This is similar to the principle of least privilege. <BR><br />
8.)Assign a unique ID to each person with computer access<BR><br />
* This requirement is meant to add a level of accountability to all users on the system. If each user has their own unique ID on the merchant's system, then actions can be tracked on linked to the person who did them.<BR><br />
9.)Restrict physical access to Card Holder data<BR><br />
* This requirement is meant to extend the coverage of the PCI DSS to any form of Card Holder data which may not be on a computer. Hence, the PCI DSS is extended to cover not only digital information but also physical copies of the information. However, this does not prevent the threat of customer data being stolen entirely. There is nothing to prevent an employee from copying down information with a pencil and paper. Though this is a problem, it is partially alleviated by requirement 7: Restrict access to Card Holder data by business need-to-know. If only a small number of employees can access the Card Holder data, then it is much easier to track down who may have stolen Card Holder data if there is a security breech from the inside.<BR><br />
<BR><br />
<br />
''Regularly Monitor and Test Networks''<BR><br />
10.) Track and monitor all access to network resources and Card Holder data<BR><br />
* This requirement is designed to catch any unauthorized accesses to Card Holder data. If an anomaly is detected, then the system should be able to detect it and steps should be taken to fix the problem<BR><br />
11.) Regularly test security systems and processes<BR><br />
* This requirement is meant to ensure that merchants don't just set and forget their security systems. It reminds them that security is a full time job and must constantly be maintained.<BR><br />
<BR><br />
''Maintain an Information Security Policy''<BR><br />
12.) Maintain a policy that addresses information security<BR><br />
* Though this may seem a bit redundant, this is an important requirement. It means that every merchant that deals with Cardholder Data must have their own security policy as well in order to protect Card Holder data.<BR><br />
<BR><br />
<br />
----<br />
<br />
=== Design/Implementation ===<br />
<br />
<P>There is no design or implementation specified in the PCI DSS. This is because the application of this security policy is so broad that it is impossible to have one design that will work for every company. For example Soney, which may handle millions of transactions a year, will need a different implementation than a small "mom and pop" company, who may handle only a few hundred transactions a year. However, requirements must still be met to some degree depending on the volume of Payment Card transactions which occur per given merchant. This makes the PCI DSS sound rather weak. However, there is a way which the Payment Card Industry Security Standards Council can keep track of whether or not the requirements are being met. This is through the use of QSA's and ASV's.</P><br />
*[https://www.pcisecuritystandards.org/programs/qsa_program.htm Qualified Security Assessors (QSA's)] are companies who have been approved by the PCI Security Standards Council to assess the compliance of merchants to the PCI DSS. The way the PCI Security Standards Council does this is through a certification program. This requires not only the company to be certified, but also all of it's employees to be certified on a yearly bases.<br />
*[https://www.pcisecuritystandards.org/programs/asv_program.htm Approved Scanning Vendors (ASV's)] are companies who are approved by the PCI Security Standards Council to assess merchants' networks for security vulnerabilities. They accomplish this by simulating both normal and abnormal processes on the merchants networks. Again, ASV's must also be certified by the PCI Security Standards Council on a yearly basis.<br />
<BR><br />
<br />
----<br />
<br />
=== Operation and Maintenance ===<br />
The final step of the Security Life Cycle is Operation and Maintenance. Though this is the final step, it is by far not the least and the life cycle does not end here. This step requires that any time a security breach is detected, steps must be taken to improve the security system. The PCI DSS has definately entered this phase. There are two examples of such maintenance and updating occuring in the PCI DSS:<br />
* Version 1.1<br />
* TJ Max<br />
<br />
====Version 1.1====<br />
Version 1.1 of the PCI DSS was releases on September 2006. This was only a year and a half after the release of the version 1.0 of the PCI DSS, which is pretty fast considering the PCI DSS is meant to be a security wide standard. Version 1.1 clarified many of the requirements and wording of Version 1.0 and also included suggestions on how to achieve compliance. A full summary of the changes between PCI DSS Version 1.1 and PCI DSS Version 1.0 are available[[http://www.procheckup.com/PDFs/ProCheckUp_PCIDSS_SummaryOfChanges.pdf|here]].<br />
<br />
====T.J. Maxx====<br />
In Mid-December of 2006, the company computer systems were compromised and customer data was stolen. Everything from credit card numbers to street addresses were stolen from 45.7 million customers<SUP>[3]</SUP>. The attack did not come from the internet, but rather from an inadequate secure wireless network. As you can see from figure 3, this even it still affecting the company today, December of 2007. The highlighted link links to an explanation to the customers about what happened, why it happened and what steps are being taken to fix the problem. <br />
<BR><br />
As a direct result of this, the PCI DSS was updated to included better guidelines about wireless networks. Specifically, section 4.1.1 added specifications about implementing Wireless Encryption Protocol Correctly and provided better guidelines for key rotation. For Specifics, see https://www.pcisecuritystandards.org/pdfs/pci_dss_v1-1.pdf.<br />
<br />
== References ==<br />
# Bishop, Matt. ''Introduction to Computer Security''. Boston: Addison-Wesley, 2006.<br />
# (2007). About the PCI DSS - PCI Security Standards Council. Retrieved December 2, 2007, Web site: https://www.pcisecuritystandards.org/tech/index.htm <br />
# T.J. Maxx. (2007). In ''Wikipedia'' [Web]. Retrieved December 2, 2007, from http://en.wikipedia.org/wiki/T.J._Maxx <br />
# PCI DSS. (2007). In ''Wikipedia'' [Web]. Retrieved December 2, 2007, from http://en.wikipedia.org/wiki/PCI_DSS <br />
# PCI DSS Compliance Demystified. Retrieved December 2, 2007, Web site: http://pcianswers.com/ <br />
# PCI DSS Compliance, Payment Card Industry Data Security Standard and Credit Card Security. Retrieved December 2, 2007, from PCI Data Security Standard Web site: http://www.itgovernance.co.uk/pci_dss.aspx<br />
<br />
==External Links==<br />
* https://www.pcisecuritystandards.org/<br />
* http://en.wikipedia.org/wiki/PCI_DSS<br />
* http://pcianswers.com/<br />
* http://www.itgovernance.co.uk/pci_dss.aspx<br />
<br />
== See Also ==<br />
[[Random Number Generators and Information Security]]<BR><br />
[[Security and Storage Mediums]]<BR><br />
[[Piggybacking]]<BR><br />
[[Honeypot]]<BR><br />
[[Biometric Systems Regarding Security Design Principle]]<BR><br />
[[Phishing]]<BR><br />
[[Email Security]]<BR><br />
[[Biometrics in Information Security]]<BR><br />
[[Smart Card Technology to Prevent Fraud]]<BR><br />
[[Electronic Voting Systems]]<BR><br />
[[Anti-spam systems and techniques]]<BR><br />
[[The Mitnick Attack]]<BR><br />
[[Operating Systems Security]]<BR><br />
[[Autocomplete]]<BR><br />
[[Internet Cookies and Confidentiality]]<BR><br />
[[Social Engineering]]<BR><br />
[[Identity Theft]]<BR><br />
[[Information Security Awareness]]<br />
<br />
[[User:Manselnj|Manselnj]] 11:54, 5 December 2007 (EST)</div>Manselnj