IS Unit 9_Web Security

Web Security, Requirement, SSL and Transport Layer Security, Secure Electronic Transactions (SET), Firewall Design Principles, Trusted Systems


  1. Chapter 9: Web Security. By: Sarthak Patel (www.sarthakpatel.in)
  2. Outline
     • Web Security Requirement
     • SSL and Transport Layer Security
     • Secure Electronic Transactions (SET)
     • Firewall Design Principles
     • Trusted Systems
  3. Web Security
     • Web now widely used by business, government, individuals
     • but Internet & Web are vulnerable
     • have a variety of threats
         • integrity
         • confidentiality
         • denial of service
         • authentication
     • need added security mechanisms
  4. SSL (Secure Socket Layer)
     • transport layer security service
     • originally developed by Netscape
     • version 3 designed with public input
     • subsequently became Internet standard known as TLS (Transport Layer Security)
     • uses TCP to provide a reliable end-to-end service
     • SSL has two layers of protocols
  5. SSL Architecture
  6. SSL Architecture
     • SSL connection
         • a transient, peer-to-peer, communications link
         • associated with 1 SSL session
     • SSL session
         • an association between client & server
         • created by the Handshake Protocol
         • defines a set of cryptographic parameters
         • may be shared by multiple SSL connections
  7. SSL Record Protocol Services
     • message integrity
         • using a MAC with shared secret key
     • confidentiality
         • using symmetric encryption with a shared secret key defined by Handshake Protocol
         • AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
         • message is compressed before encryption
  8. SSL Record Protocol Operation
  9. SSL Change Cipher Spec Protocol
     • one of 3 SSL specific protocols which use the SSL Record protocol
     • a single message
     • causes pending state to become current
     • hence updating the cipher suite in use
  10. SSL Alert Protocol
     • conveys SSL-related alerts to peer entity
     • severity
         • warning or fatal
     • specific alert
         • fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
         • warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
     • compressed & encrypted like all SSL data
  11. SSL Handshake Protocol
     • allows server & client to:
         • authenticate each other
         • negotiate encryption & MAC algorithms
         • negotiate cryptographic keys to be used
     • comprises a series of messages in phases
         1. Establish Security Capabilities
         2. Server Authentication and Key Exchange
         3. Client Authentication and Key Exchange
         4. Finish
  12. SSL Handshake Protocol
  13. TLS (Transport Layer Security)
     • IETF standard RFC 2246 similar to SSLv3
     • with minor differences
         • in record format version number
         • uses HMAC for MAC
         • a pseudo-random function expands secrets
         • has additional alert codes
         • some changes in supported ciphers
         • changes in certificate types & negotiations
         • changes in crypto computations & padding
  14. Secure Electronic Transactions (SET)
     • open encryption & security specification
     • to protect Internet credit card transactions
     • developed in 1996 by Mastercard, Visa etc
     • not a payment system
     • rather a set of security protocols & formats
         • secure communications amongst parties
         • trust from use of X.509v3 certificates
         • privacy by restricted info to those who need it
  15. SET Components
  16. SET Transaction
         1. customer opens account
         2. customer receives a certificate
         3. merchants have their own certificates
         4. customer places an order
         5. merchant is verified
         6. order and payment are sent
         7. merchant requests payment authorization
         8. merchant confirms order
         9. merchant provides goods or service
         10. merchant requests payment
  17. Dual Signature
     • customer creates dual messages
         • order information (OI) for merchant
         • payment information (PI) for bank
     • neither party needs details of other
     • but must know they are linked
     • use a dual signature for this
         • signed concatenated hashes of OI & PI
         • DS = E(PRc, [H(H(PI) || H(OI))])
  18. SET Purchase Request
     • SET purchase request exchange consists of four messages
         1. Initiate Request - get certificates
         2. Initiate Response - signed response
         3. Purchase Request - of OI & PI
         4. Purchase Response - ack order
  19. Purchase Request – Customer
  20. Purchase Request – Merchant
         1. verifies cardholder certificates using CA sigs
         2. verifies dual signature using customer's public signature key to ensure order has not been tampered with in transit & that it was signed using cardholder's private signature key
         3. processes order and forwards the payment information to the payment gateway for authorization (described later)
         4. sends a purchase response to cardholder
  21. Purchase Request – Merchant
  22. Payment Gateway Authorization
         1. verifies all certificates
         2. decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block
         3. verifies merchant's signature on authorization block
         4. decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block
         5. verifies dual signature on payment block
         6. verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer
         7. requests & receives an authorization from issuer
         8. sends authorization response back to merchant
  23. Payment Capture
     • merchant sends payment gateway a payment capture request
     • gateway checks request
     • then causes funds to be transferred to merchant's account
     • notifies merchant using capture response
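
The dual signature on slide 17, DS = E(PRc, [H(H(PI) || H(OI))]), and the checks on slides 20 and 22 can be walked through in code. This is an added example, not part of the original slides: the RSA key is a toy textbook key built from public Mersenne primes with no padding, SHA-256 stands in for H, and the OI/PI strings are constructed.

```python
import hashlib

# Toy cardholder key (assumption, illustration only): textbook RSA over the
# public Mersenne primes 2^521-1 and 2^607-1, no padding. Not SET's key handling.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, stands in for PRc


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def dual_sign(pi: bytes, oi: bytes) -> int:
    """Cardholder: DS = E(PRc, H(H(PI) || H(OI)))."""
    pomd = H(H(pi) + H(oi))
    return pow(int.from_bytes(pomd, "big"), D, N)


def _matches(ds: int, pimd: bytes, oimd: bytes) -> bool:
    """Compare D(PUc, DS) with the digest rebuilt from the two message digests."""
    expected = int.from_bytes(H(pimd + oimd), "big")
    return pow(ds, E, N) == expected


def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI in full but only the digest of PI."""
    return _matches(ds, pimd, H(oi))


def gateway_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Payment gateway holds PI in full but only the digest of OI."""
    return _matches(ds, H(pi), oimd)


# Constructed sample messages; both carry the same transaction ID.
OI = b"txn=TX-1001;item=book;qty=1;total=25.00"
PI = b"txn=TX-1001;card=0000-0000-0000-0000;amount=25.00"
DS = dual_sign(PI, OI)
```

The merchant never sees PI and the gateway never sees OI, yet either check fails if the order or the payment is altered or paired with a digest from a different transaction.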
