
Chapter 6

Application and Web Security
08 Marks
Content
• Application hardening
• Application patches
• Web servers
• Active Directory
• Web security threats
• Web traffic security approaches
• Secure Socket Layer
• Transport Layer Security
• Secure Electronic Transaction
Mar 8, 2024 2
Application Hardening
• Application hardening is the process of securing an application against local and Internet-based attacks.
• Functions of the application that are not needed can be removed.
• Most applications have buffer overflow problems in legitimate user input fields.
• So patching the application is the only way to secure it from such attacks.
Application patches
Hotfixes
• Hotfixes are usually a small section of code designed to fix a specific problem.
Patches
• Patches are usually collections of fixes; they are likely to be much larger, and they are usually released on a periodic basis.
Upgrades
Web Servers
• Data is stored in the form of HTML pages.
• Clients can access it through a client-side application program such as a web browser.
• Communication between the web server and the browser is done using the HTTP protocol.
• Provides content and functionality to remote users.
Active Directory
• Allows a single login to access multiple applications, data sources and systems, and includes advanced encryption capabilities like Kerberos and PKI.
• Contains information about network objects like domains, servers, workstations, printers, groups and users.
• Every object is placed into a domain, where it can be used to control which user may access which object.
Active Directory
• Every domain has its own security policies, administrative control, privileges and relationships with other domains.
• The hierarchical structure of domains is known as a forest.
• Microsoft uses the Lightweight Directory Access Protocol (LDAP) to update and query Active Directory.

Web Security
• The Web is now widely used by business, government and individuals
• But the Internet and the Web are vulnerable
• They face a variety of threats:
  - Integrity
  - Confidentiality
  - Denial of service
  - Authentication
• Hence added security mechanisms are needed
Web Traffic Security Approaches

SSL (Secure Socket Layer)
• Transport layer security service
• Originally developed by Netscape
• Version 3 designed with public input
• Subsequently became an Internet standard known as TLS (Transport Layer Security)
• Uses TCP to provide a reliable end-to-end service
• SSL has two layers of protocols
SSL (Secure Socket Layer)
• Lower layer is the SSL Record Protocol
  - Provides basic security services to various higher-layer protocols
• Three higher-layer protocols:
  - Handshake Protocol,
  - Change Cipher Spec Protocol, and
  - Alert Protocol

SSL Architecture

[Figure: encapsulation of application (L5) data on each peer: the SSL header (SH) is prepended, then the transport (H4), network (H3) and link (H2) headers, down to the bit stream (01011011) on the wire]
SSL Architecture
• SSL connection
  - A transport that provides a suitable type of service
  - A transient, peer-to-peer communications link
  - Associated with one SSL session
• SSL session
  - An association between client and server
  - Created by the Handshake Protocol
  - Defines a set of cryptographic parameters, which may be shared by multiple SSL connections
A session state is defined by the following parameters
• Peer certificate: an X509.v3 certificate of the peer.
• Compression method: the algorithm used to compress data.
• Cipher spec: the data encryption algorithm and the hash algorithm.
• Master secret: a 48-byte secret shared between the client and server.
• Is resumable: a flag indicating whether the session can be used to initiate new connections.

A connection state is defined by the following parameters
• Server and client random: byte sequences chosen by the server and client for each connection.
• Server write MAC secret: the secret key used in MAC operations on data sent by the server.
• Client write MAC secret: the secret key used in MAC operations on data sent by the client.
• Server write key: the symmetric encryption key for data encrypted by the server and decrypted by the client.
• Client write key: the symmetric encryption key for data encrypted by the client and decrypted by the server.
• Initialization vectors (IV): an IV is maintained for each key.
• Sequence numbers
SSL Record Protocol Services
• Confidentiality
  - Using symmetric encryption with a shared secret key defined by the Handshake Protocol
  - AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
  - The message is compressed before encryption
• Message integrity
  - Using a MAC with a shared secret key
  - Similar to HMAC but with different padding
SSL Record Protocol Operation

SSL Change Cipher Spec Protocol
• One of the three SSL-specific protocols that use the SSL Record Protocol
• Consists of a single message
• Causes the pending state to become the current state
• Hence updates the cipher suite in use

SSL Alert Protocol
• Conveys SSL-related alerts to the peer entity
• Each alert has a severity: warning or fatal
• Specific alerts:
  - Fatal: unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter
  - Warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
• Alerts are compressed and encrypted like all SSL data
SSL Handshake Protocol
• Allows server and client to:
  - Authenticate each other
  - Negotiate encryption and MAC algorithms
  - Negotiate the cryptographic keys to be used
• Comprises a series of messages exchanged in four phases:
1. Establish Security Capabilities
2. Server Authentication and Key Exchange
3. Client Authentication and Key Exchange
4. Finish
SSL Handshake Protocol

TLS (Transport Layer Security)
• IETF standard RFC 2246, similar to SSLv3
• Ensures privacy between communicating applications
• Differs from SSLv3 in minor ways:
  - Record format version number
  - Uses HMAC for the MAC
  - Has additional alert codes
  - Some changes in supported ciphers
  - Changes in certificate types and negotiations
  - Changes in cryptographic computations and padding
• TLS Record Protocol
  - Provides connection security using an encryption method such as DES.
• TLS Handshake Protocol
  - Allows server and client to authenticate each other.
• Message Authentication Code
  HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]
  (K+ is the key padded with zeros to the hash block length; ipad and opad are fixed padding constants)
• Pseudorandom function
• Alert codes
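The HMAC formula above, written out step by step and then used the way the TLS Record Protocol uses it: the MAC covers the sequence number and record header as well as the fragment, so a modified, replayed or reordered record fails the integrity check. This is an added example, not code from the slides; it assumes SHA-256 as the hash (chosen for illustration), omits compression and encryption, and uses a constructed sample MAC secret.

```python
import hashlib
import hmac     # stdlib; used only for constant-time comparison and cross-checking
import struct

BLOCK = 64      # block size of SHA-256 (and SHA-1/MD5), in bytes

def hmac_from_formula(key: bytes, msg: bytes, h=hashlib.sha256) -> bytes:
    """HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]], step by step (RFC 2104)."""
    if len(key) > BLOCK:                      # keys longer than a block are hashed first
        key = h(key).digest()
    k_plus = key.ljust(BLOCK, b"\x00")        # K+: key zero-padded to the block length
    ipad = bytes(b ^ 0x36 for b in k_plus)    # ipad = 0x36 repeated, XORed into K+
    opad = bytes(b ^ 0x5C for b in k_plus)    # opad = 0x5C repeated, XORed into K+
    inner = h(ipad + msg).digest()
    return h(opad + inner).digest()

TLS10 = b"\x03\x01"      # TLS 1.0 version field in the record header
APPLICATION_DATA = 23    # content type of an application-data record

def record_mac(write_mac_secret: bytes, seq_num: int, fragment: bytes) -> bytes:
    """TLS record MAC input: seq_num(8) || type(1) || version(2) || length(2) || fragment."""
    header = struct.pack("!QB", seq_num, APPLICATION_DATA) + TLS10 + struct.pack("!H", len(fragment))
    return hmac_from_formula(write_mac_secret, header + fragment)

def protect(write_mac_secret: bytes, seq_num: int, fragment: bytes) -> bytes:
    """Sender side: append the MAC to the fragment (compression and encryption omitted)."""
    return fragment + record_mac(write_mac_secret, seq_num, fragment)

def verify(write_mac_secret: bytes, seq_num: int, record: bytes) -> bool:
    """Receiver side: recompute the MAC with its own sequence number, compare in constant time."""
    fragment, tag = record[:-32], record[-32:]
    return hmac.compare_digest(tag, record_mac(write_mac_secret, seq_num, fragment))

def demo() -> dict:
    secret = b"constructed-client-write-mac-secret"     # constructed sample key, not a real one
    record = protect(secret, 0, b"GET / HTTP/1.1\r\n")  # first record on the connection
    tampered = bytearray(record)
    tampered[0] ^= 0x01                                  # flip one bit of the fragment in transit
    return {
        "formula_matches_stdlib": hmac_from_formula(secret, b"abc")
                                  == hmac.new(secret, b"abc", hashlib.sha256).digest(),
        "genuine_accepted": verify(secret, 0, record),
        "tampered_rejected": not verify(secret, 0, bytes(tampered)),
        "replay_rejected": not verify(secret, 1, record),  # receiver's counter has moved on
    }

if __name__ == "__main__":
    print(demo())
```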
Secure Electronic Transaction
• SET is an open encryption and security specification designed to protect credit card transactions on the Internet.
• SET is not a payment system; it is a set of security protocols and formats that enables users to employ the credit card specification on the Internet.
• It provides three services:
  - It provides a secure communication channel for all parties.
  - It provides authentication by using X.509 v3 digital certificates.
  - It ensures privacy, because the information is only available to the parties when and where it is required.
SET Overview
• Provide confidentiality of payment and ordering information
• Ensure the integrity of all transmitted data
• Provide authentication that a cardholder is a legitimate user of a credit card account
• Provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution

SET Overview
• Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction
• Create a protocol that neither depends on transport security mechanisms nor prevents their use
• Facilitate and encourage interoperability among software and network providers
SET Participants
Cardholder: an authorized holder of a payment card that has been issued by an issuer.
Merchant: a person or organization that has goods and services to sell to the cardholder.
Issuer: a financial institution, such as a bank, that provides the cardholder with the payment card.

SET Participants
Acquirer: a financial institution that establishes an account with a merchant and processes payment card authorizations and payments.
Certification Authority (CA): an entity that is trusted to issue X509v3 public-key certificates for cardholders, merchants, and payment gateways.