Professional Documents
Culture Documents
Mar 8, 2024 7
Web Security
Web now widely used by business,
government, individuals
But Internet & Web are vulnerable
Have a variety of threats
Integrity
Confidentiality
Denial of service
Authentication
Need added security mechanisms
Mar 8, 2024 8
Mar 8, 2024 9
Web Traffic Security
Approaches
Mar 8, 2024 10
SSL (Secure Socket
Layer)
Transport layer security service
Originally developed by Netscape
Version 3 designed with public input
Subsequently became Internet standard known
as TLS (Transport Layer Security)
Uses TCP to provide a reliable end-to-end
service
SSL has two layers of protocols
Mar 8, 2024 11
SSL (Secure Socket
Layer)
Lower layer is SSL Record Protocol
provides basic security services to various higher
layer protocols
Three higher-layer protocols
Handshake Protocol,
The Change Cipher Spec Protocol, and
The Alert Protocol
Mar 8, 2024 12
SSL Architecture
Mar 8, 2024 13
L5 Data L5 Data
L5 Data SH L5 Data SH
L5 Data H4 L5 Data H4
L4 Data H3 L4 Data H3
L3 Data H2 L3 Data H2
01011011 01011011
Mar 8, 2024 14
SSL Architecture
SSL connection
A transport that provides suitable type of service
A transient, peer-to-peer, communications link
Associated with one SSL session
SSL session
An association between client & server
Created by the Handshake Protocol
Define a set of cryptographic parameters,
which may be shared by multiple SSL connections
Mar 8, 2024 15
A session state is defined by the
following parameters
Peer certificate: An X509.v3 certificate of the peer.
Compression method: algorithm used to compress
Cipher spec: data encryption algo, hash algo.
Master secret: 48-byte secret shared between the
client and server
Is resumable: A flag indicating whether session
can be used to initiate new connection
Mar 8, 2024 16
A connection state is defined by
the following parameters
Server and client random: byte sequence
Server write MAC secret: The secret key used in MAC
Client write MAC secret: The secret key used in MAC
Server write key: The secret encryption key for data
encrypted by the server and decrypted by the client.
Client write key: The symmetric encryption key for data
encrypted by the client and decrypted by the server.
Initialization vectors (IV) is maintained for each key
Sequence numbers
Mar 8, 2024 17
SSL Record Protocol
Services
Confidentiality
Using symmetric encryption with a shared secret
key defined by Handshake Protocol
AES, IDEA, RC2-40, DES-40, DES, 3DES,
Fortezza, RC4-40, RC4-128
Message is compressed before encryption
Message integrity
Using a MAC with shared secret key
Similar to HMAC but with different padding
Mar 8, 2024 18
SSL Record Protocol
Operation
Mar 8, 2024 19
SSL Change Cipher Spec
Protocol
One of 3 SSL specific protocols which use the
SSL Record protocol
A single message
Causes pending state to become current
Hence updating the cipher suite in use
Mar 8, 2024 20
SSL Alert Protocol
Conveys SSL-related alerts to peer entity
Severity
Warning or fatal
Specific alert
Fatal: unexpected message, bad record mac,
decompression failure, handshake failure, illegal
parameter
Warning: close notify, no certificate, bad certificate,
unsupported certificate, certificate revoked, certificate
expired, certificate unknown
Compressed & encrypted like all SSL data
Mar 8, 2024 21
SSL Handshake Protocol
Allows server & client to:
Authenticate each other
To negotiate encryption & MAC algorithms
To negotiate cryptographic keys to be used
comprises a series of messages in phases
1. Establish Security Capabilities
2. Server Authentication and Key Exchange
3. Client Authentication and Key Exchange
4. Finish
Mar 8, 2024 22
SSL
Handshak
e Protocol
Mar 8, 2024 23
TLS (Transport Layer
Security)
IETF standard RFC 2246 similar to SSLv3
Ensures privacy between communication
appl.
With minor differences
In record format version number
Uses HMAC for MAC
Has additional alert codes
Some changes in supported ciphers
Changes in certificate types & negotiations
Changes in crypto computations & padding
Mar 8, 2024 24
TLS Record Protocol
It provides connection security with some encryption
method such as DES.
TLS Handshake Protocol
Allow server and client to authenticate each other.
Message Authentication Code
HMACK(M)= H[(K+ XOR opad) ||H[(K+ XOR ipad)||M]]
Pseudorandom function
Alert codes
Mar 8, 2024 25
Secure Electronic
transaction
SET is open encryption and security specification that is
designed to protect credit card transaction on internet.
SET is not payment system but it is set of security
protocols and formats that enables user to employ the
credit card specification on internet.
It provide three services
It provides a secure communication channel for all parties.
It provides authentication by using X.509 V3 digital
certificate
It ensures the privacy because the information is only
available to parties when it required.
Mar 8, 2024 26
SET Overview
Provide confidentiality of payment and ordering
information
Ensure the integrity of all transmitted data
Provide authentication that a cardholder is a
legitimate user of a credit card account
Provide authentication that a merchant can
accept credit card transactions through its
relationship with financial institution
Mar 8, 2024 27
SET Overview
Ensure the use of the best security practices and
system design techniques to protect all
legitimate parties in an electronic commerce
transaction
Create a protocol that neither depends on
transport security mechanisms nor prevents
their use
Facilitate and encourage interoperability among
software and network providers
Mar 8, 2024 28
Mar 8, 2024 29
SET Participants
Cardholder: A cardholder is an authorized holder
of a payment card that has been issued by an
issuer.
Merchant: A merchant is a person or org that has
goods and services to sell to the cardholder.
Issuer: This is a financial institution, such as a
bank, that provides the cardholder with the
payment card.
Mar 8, 2024 30
SET Participants
Acquirer:
A financial institution that establishes
an account with a merchant and processes
payment card authorizations and payments.
Certification Authority (CA):
This is an entity that is trusted to issue
X509v3 public-key certificates for
cardholders, merchants, and payment
gateways.
Mar 8, 2024 31