IS Unit 9_Web Security
Web Security, Requirement, SSL and Transport Layer Security, Secure Electronic Transactions (SET), Firewall Design Principles, Trusted Systems

Transcript

  • 1. Chapter 9: Web Security
    By: Sarthak Patel (www.sarthakpatel.in)
  • 2. Outline
    - Web Security Requirement
    - SSL and Transport Layer Security
    - Secure Electronic Transactions (SET)
    - Firewall Design Principles
    - Trusted Systems
  • 3. Web Security
    - Web now widely used by business, government, individuals
    - but Internet & Web are vulnerable
    - have a variety of threats: integrity, confidentiality, denial of service, authentication
    - need added security mechanisms
  • 4. SSL (Secure Socket Layer)
    - transport layer security service
    - originally developed by Netscape
    - version 3 designed with public input
    - subsequently became Internet standard known as TLS (Transport Layer Security)
    - uses TCP to provide a reliable end-to-end service
    - SSL has two layers of protocols
  • 5. SSL Architecture (figure)
  • 6. SSL Architecture
    - SSL connection
      - a transient, peer-to-peer communications link
      - associated with 1 SSL session
    - SSL session
      - an association between client & server
      - created by the Handshake Protocol
      - defines a set of cryptographic parameters
      - may be shared by multiple SSL connections
  • 7. SSL Record Protocol Services
    - message integrity: using a MAC with shared secret key
    - confidentiality: using symmetric encryption with a shared secret key defined by Handshake Protocol
      - AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
    - message is compressed before encryption
  • 8. SSL Record Protocol Operation (figure)
  • 9. SSL Change Cipher Spec Protocol
    - one of 3 SSL-specific protocols which use the SSL Record Protocol
    - a single message
    - causes pending state to become current, hence updating the cipher suite in use
  • 10. SSL Alert Protocol
    - conveys SSL-related alerts to peer entity
    - severity: warning or fatal
    - specific alert
      - fatal: unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter
      - warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
    - compressed & encrypted like all SSL data
  • 11. SSL Handshake Protocol
    - allows server & client to:
      - authenticate each other
      - negotiate encryption & MAC algorithms
      - negotiate cryptographic keys to be used
    - comprises a series of messages in phases:
      1. Establish Security Capabilities
      2. Server Authentication and Key Exchange
      3. Client Authentication and Key Exchange
      4. Finish
  • 12. SSL Handshake Protocol (figure)
  • 13. TLS (Transport Layer Security)
    - IETF standard RFC 2246, similar to SSLv3 with minor differences:
      - in record format version number
      - uses HMAC for MAC
      - a pseudo-random function expands secrets
      - has additional alert codes
      - some changes in supported ciphers
      - changes in certificate types & negotiations
      - changes in crypto computations & padding
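Slides 7 to 10 and 13 describe the record layer as a pipeline (MAC with a shared key, then encryption), the Change Cipher Spec message that promotes the pending state to current, and the fatal bad_record_mac alert. The following Python model, added here as an illustration and not code from the lecture, ties those pieces together for one direction of a connection: the MAC is an HMAC-SHA256 (TLS uses HMAC; the hash choice is an assumption) over the implicit sequence number plus the record header and fragment, so both a modified record and a replayed record fail verification. The content-type numbers and alert codes are the RFC 2246 values; the compression and encryption steps are left out because the point here is the integrity check, and the `RecordState`, `Connection`, `seal`, `open_record` and `simulate` names are this example's own.

```python
import hashlib
import hmac
import struct

# Record-layer content types and alert codes, numbered as in RFC 2246.
CONTENT_CHANGE_CIPHER_SPEC = 20
CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
CONTENT_APPLICATION_DATA = 23
VERSION = (3, 1)            # TLS 1.0 version bytes on the wire
ALERT_FATAL = 2
ALERT_BAD_RECORD_MAC = 20
MAC_LEN = hashlib.sha256().digest_size


class RecordState:
    """One direction's security parameters: the MAC key agreed in the handshake
    and the implicit 64-bit sequence number that is MACed but never transmitted."""

    def __init__(self, mac_key: bytes):
        self.mac_key = mac_key
        self.seq = 0


class Connection:
    """Current and pending state for one direction of one SSL/TLS connection."""

    def __init__(self):
        self.current = None   # None models the initial null state before any cipher is active
        self.pending = None

    def set_pending(self, mac_key: bytes):
        """The handshake negotiates parameters into the pending state."""
        self.pending = RecordState(mac_key)

    def change_cipher_spec(self):
        """The single ChangeCipherSpec message: pending becomes current."""
        if self.pending is None:
            raise RuntimeError("no pending state has been negotiated")
        self.current, self.pending = self.pending, None


def _mac(state: RecordState, ctype: int, fragment: bytes) -> bytes:
    # HMAC over seq_num || type || version || length || fragment
    header = struct.pack("!QBBBH", state.seq, ctype, VERSION[0], VERSION[1], len(fragment))
    return hmac.new(state.mac_key, header + fragment, hashlib.sha256).digest()


def seal(conn: Connection, ctype: int, fragment: bytes) -> bytes:
    """Sender side: append the MAC and advance the sequence number.
    (Compression and the symmetric encryption step are omitted in this model.)"""
    state = conn.current
    if state is None:
        raise RuntimeError("ChangeCipherSpec has not been sent yet")
    body = fragment + _mac(state, ctype, fragment)
    state.seq += 1
    return struct.pack("!BBBH", ctype, VERSION[0], VERSION[1], len(body)) + body


def open_record(conn: Connection, record: bytes):
    """Receiver side: verify the MAC against the expected sequence number.
    Returns ("data", type, fragment) or ("alert", level, description)."""
    state = conn.current
    ctype, _vmaj, _vmin, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if len(body) < MAC_LEN:                      # too short to carry a MAC; treated as a MAC failure here
        return ("alert", ALERT_FATAL, ALERT_BAD_RECORD_MAC)
    fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, _mac(state, ctype, fragment)):
        return ("alert", ALERT_FATAL, ALERT_BAD_RECORD_MAC)
    state.seq += 1                               # only a verified record consumes a sequence number
    return ("data", ctype, fragment)


def simulate(mac_key: bytes = b"\x11" * 32) -> dict:
    """Constructed exchange: a tampered copy, the genuine record, then a replay of it."""
    client, server = Connection(), Connection()
    for side in (client, server):
        side.set_pending(mac_key)      # both ends hold the same key after the handshake
        side.change_cipher_spec()
    good = seal(client, CONTENT_APPLICATION_DATA, b"GET / HTTP/1.1")
    tampered = bytearray(good)
    tampered[5] ^= 0x01                # flip one bit of the first fragment byte
    return {
        "tampered": open_record(server, bytes(tampered)),   # MAC fails, server seq stays 0
        "good": open_record(server, good),                   # accepted, server seq becomes 1
        "replay": open_record(server, good),                 # same bytes again: seq 1 != 0, MAC fails
    }


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:9s} -> {outcome}")
```

The receiver increments its sequence number only after a successful check, which is why the genuine record is still accepted after the tampered copy was rejected, while the replay of that same record fails once the number has moved on.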
  • 14. Secure Electronic Transactions (SET)
    - open encryption & security specification
    - to protect Internet credit card transactions
    - developed in 1996 by Mastercard, Visa etc.
    - not a payment system, rather a set of security protocols & formats
    - secure communications amongst parties
    - trust from use of X.509v3 certificates
    - privacy by restricting info to those who need it
  • 15. SET Components (figure)
  • 16. SET Transaction
    1. customer opens account
    2. customer receives a certificate
    3. merchants have their own certificates
    4. customer places an order
    5. merchant is verified
    6. order and payment are sent
    7. merchant requests payment authorization
    8. merchant confirms order
    9. merchant provides goods or service
    10. merchant requests payment
  • 17. Dual Signature
    - customer creates dual messages
      - order information (OI) for merchant
      - payment information (PI) for bank
    - neither party needs details of the other, but must know they are linked
    - use a dual signature for this: signed concatenated hashes of OI & PI
      DS = E(PRc, [H(H(PI) || H(OI))])
  • 18. SET Purchase Request
    - SET purchase request exchange consists of four messages
      1. Initiate Request - get certificates
      2. Initiate Response - signed response
      3. Purchase Request - of OI & PI
      4. Purchase Response - ack order
  • 19. Purchase Request – Customer (figure)
  • 20. Purchase Request – Merchant
    1. verifies cardholder certificates using CA sigs
    2. verifies dual signature using customer's public signature key to ensure order has not been tampered with in transit & that it was signed using cardholder's private signature key
    3. processes order and forwards the payment information to the payment gateway for authorization (described later)
    4. sends a purchase response to cardholder
  • 21. Purchase Request – Merchant (figure)
  • 22. Payment Gateway Authorization
    1. verifies all certificates
    2. decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block
    3. verifies merchant's signature on authorization block
    4. decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block
    5. verifies dual signature on payment block
    6. verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer
    7. requests & receives an authorization from issuer
    8. sends authorization response back to merchant
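Slide 17 gives the dual signature as DS = E(PRc, [H(H(PI) || H(OI))]), and slides 20 (step 2) and 22 (step 5) have the merchant and the payment gateway each verify it while holding only their own half of the data. The Python below is an added worked example, not code from the lecture or from the SET specification: the customer signs the hash of the two concatenated digests, the merchant checks it from OI plus the payment digest PIMD = H(PI), and the gateway checks it from PI plus the order digest OIMD = H(OI), so each side confirms the linkage without seeing the other message. The signature is textbook RSA on a SHA-256 digest with no padding (both choices are this example's assumptions, made so it runs on the standard library alone), and the `generate_keypair`, `dual_signature`, `merchant_verify`, `gateway_verify` and `run_purchase` names are the example's own.

```python
import hashlib
import secrets
from math import gcd


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test with random bases."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 1024):
    """Textbook RSA key pair (no padding): returns ((n, e), (n, d))."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def H(data: bytes) -> bytes:
    """Message digest used by the dual signature (SHA-256 assumed here)."""
    return hashlib.sha256(data).digest()


def sign(private, digest: bytes) -> int:
    n, d = private
    return pow(int.from_bytes(digest, "big"), d, n)      # E(PRc, digest)


def verify(public, digest: bytes, sig: int) -> bool:
    n, e = public
    return pow(sig, e, n) == int.from_bytes(digest, "big")


def dual_signature(private_c, PI: bytes, OI: bytes) -> int:
    """DS = E(PRc, H(H(PI) || H(OI))), computed by the customer."""
    return sign(private_c, H(H(PI) + H(OI)))


def merchant_verify(public_c, OI: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI and only PIMD = H(PI); recomputes H(PIMD || H(OI))."""
    return verify(public_c, H(pimd + H(OI)), ds)


def gateway_verify(public_c, PI: bytes, oimd: bytes, ds: int) -> bool:
    """Payment gateway holds PI and only OIMD = H(OI); recomputes H(H(PI) || OIMD)."""
    return verify(public_c, H(H(PI) + oimd), ds)


def run_purchase(bits: int = 1024) -> dict:
    """Constructed SET-style flow: customer signs, merchant and gateway verify."""
    public_c, private_c = generate_keypair(bits)
    OI = b"order-id=1001;item=textbook;qty=1;amount=45.00"       # constructed order information
    PI = b"card=CONSTRUCTED-PAN;exp=12/30;amount=45.00"          # constructed payment information
    ds = dual_signature(private_c, PI, OI)
    pimd, oimd = H(PI), H(OI)        # the digests each party gets instead of the other's message
    return {
        "merchant_ok": merchant_verify(public_c, OI, pimd, ds),
        "gateway_ok": gateway_verify(public_c, PI, oimd, ds),
        # an order altered in transit no longer matches the digest the customer signed
        "merchant_detects_altered_order": not merchant_verify(public_c, OI + b";qty=2", pimd, ds),
        # the gateway cannot be handed a payment linked to some other order
        "gateway_detects_swapped_oimd": not gateway_verify(public_c, PI, H(b"other order"), ds),
    }


if __name__ == "__main__":
    print(run_purchase())
```

Because both verifiers recompute the same outer hash from different inputs, the single signature ties OI and PI together without either party learning the other's contents, which is the property slide 17 is after.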
  • 23. Payment Capture
    - merchant sends payment gateway a payment capture request
    - gateway checks request
    - then causes funds to be transferred to merchant's account
    - notifies merchant using capture response
