Web Security Considerations,SSL (Secure Socket Layer),TLS (Transport Layer Security),SET (Secure Electronic Transaction)

1. NETWORK SECURITY
Name of the Staff : M.FLORENCE DAYANA M.C.A.,M.Phil.,(Ph.D).,
Head, Dept. of CA
Bon Secours College For Women
Thanjavur.
Class : II MSc., CS
Semester : III
Unit : IV
Topic : Web Security
2/15/2019 1

2. CONTENTS
• Web Security Considerations
• SSL (Secure Socket Layer)
• TLS (Transport Layer Security)
• SET (Secure Electronic Transaction)

3. WEB SECURITY
CONSIDERATIONS

4. WEB SECURITY CONSIDERATIONS:
Web security is fundamentally a client/server
application running over the Internet and TCP/IP
intranets.
• The WEB is very visible.
• Complex software hide many security flaws.
• Web servers are easy to configure and manage.
• Users are not aware of the risks.

5. Web Security Threats:
Security threats faced in using the web
1. One way
Active attacks
Passive attacks
2. Another way
Classify location of the threat
e.g Web server, Web browser, and network
traffic between browser and server

6. Web Traffic Security Approaches:
•Web security provide to use IP security
•Advantage of using IPSec is that is transparent to end
users and applications
• IPSec includes a filtering capability so that only selected
traffic need incur the overhead of IPSec processing
•The foremost example of this approach is Secure Sockets
Layer (SSL) and Transport Layer Security (TLS)
•SSL or TLS could be provided protocol suite
•SSL can be embedded in specific packages

7. A Comparison of Threats on the Web
7

8. Security Facilities in the TCP/IP Protocol Stack:
PGP- used to send message confidentially
kerberos-computer network authentication protocol
Secure Electronic Transaction (SET) – (ie.) digital signature
transaction

9. SECURE SOCKET
LAYER
(SSL)

10. Secure Socket Layer (SSL) Protocol:
• SSL was originated by Netscape
•Secure Sockets Layer (SSL) is a computer
networking protocol for securing connections between
network application clients and servers over an insecure
network, such as the internet.
•SSL is designed to make use of TCP to provide
reliable end-to-end secure service.
•SSL is not a single layer protocol but rather two
layers of protocols.

11. SSL Architecture
HTTP provides the
transfer service for web
client/server
interaction.
The three higher layer
protocols (handshake,
change cipher spec and
Alert) of SSL is used in
the management of SSL
exchanges.

12. The two important SSL Concepts are:
Connection: A connection is a transport that provides a
suitable type of service, such connections are peer-peer
relationship.
Every connection is associated with one session
Session: An SSL session is an associated between a client and
a server. Sessions are created by Handshake protocol.
Sessions are used to avoid the expensive negotiation of new
security parameters.
Web client
Web server

13. SSL Record Protocol:
Provides basic security services to various higher-layer protocols.
o HTTP
o Handshake Protocol
o Change Cipher Spec Protocol
o Alert Protocol
Provides 2 services for SSL connections:
o Confidentiality: Handshake protocol defines a shared secret key
used for conventional encryption of SSL payloads.
o Message Integrity: Handshake protocol also defines a shared secret
key used to form a message authentication code (MAC).

14. SSL Record Protocol Operation:
1. The first step is fragmentation into block(214 bytes)
2. Compression must be lossless or may not increase the content of the length. So
the default compression algorithm is null
3. MAC shared the secret key.
4. The compression msg + MAC are encrypted using symmetric encryption.
5.SSL is to prepared a header consisting of following fields

15. SSL Record Format:
Content type(8 bits)-used to process the enclosed fragment.
Major version(8 bits)- indicates the major version of SSL
Minor version(8 bits) - indicates the minor version of SSL
Compressed length – the length of the bytes of plaintext

16. Higher-Layer Protocols:
• The most complex part of SSL.
• Allows the server and client to authenticate each other.
• Negotiate encryption, MAC algorithm and cryptographic
keys.
• Used before any application data are transmitted.

17. Handshake Protocol

18. 2. Change Cipher Spec Protocol
• Use SSL record protocol
• Update the cipher suite to be used on
this connection
• It consists of single msg with single
byte with the value 1
3. Alert Protocol
• Used to convey SSL-related alerts to the
peer entity.
• It consists of 2 bytes.
The first bytes takes the value warning or
fatal. If level is fatal means the SSL
terminates the connection.
The second byte contains code that indicates
the specific alert.

19. TRANSPORT
LAYER SECURITY
(TLS)

20. Transport Layer Security (TLS):
• TLS provides secure communications on the
Internet for such things as e-mail, Internet
faxing, and other data transfers.
•There are slight differences between SSL 3.0
and TLS 1.0, but the protocol remains
substantially the same
•Major websites use TLS to secure all
communications between their servers and web
browsers.

21. Version number:
•Transport Layer Security (TLS) and its predecessor, Secure Sockets
Layer (SSL), both frequently referred to as "SSL", are cryptographic
protocols that provide communications security over a computer network.
•Several versions of the protocols find widespread use in applications such
as web browsing, email, Internet faxing, instant messaging, and voice-over-
IP (VoIP).
•The TLS record format is the same as that of the SSL Record
Format, and the fields in the header have the same meanings
• The one difference is in version values
• For the current version of TLS,
Major Version is 3 and
Minor Version is 1

22. Message Authentication Code:
• Message authentication code (MAC) is a short
piece of information used to authenticate a message
and has not been changed.
•Two difference between SSLv3 and TLS MAC
schemes:
-actual algorithm
-scope of the MAC calculation

23. Pseudorandom Function:
• TLS makes use of pseudorandom function referred to as
PRF to expand secrets into block of data for purpose of key
generation or validation
• The objective is to make use of relatively small shared
secret value but to generate longer blocks of data that is
secure from the kinds of attacks made on hash function and
MACs
• The PRF is based on following data expansion function:
p_hash(secret, seed)=HMAC_hash (secret, A(1)||seed) ||
HMAC_hash (secret, A(2)||seed) ||
HMAC_hash (secret, A(3)||seed) ||
A random seed or seed state is a number (or vector) used
to initialize a pseudorandom number generator.

24. Alert Codes:
• TLS support all of alert codes defined in SSLv3
with the exception of no_certificate
• A number of additional codes defined in TLS;
the following:
1. Decryption _failed
2. Record_overflow
3. Unknown_ca
4. Access_denied
5. Decode_error
6. Export_restriction
7. Protocol_version
8. Insufficient_security
9. Internal_error

25. Cipher Suites:
A cipher suite is a collection of symmetric and
asymmetric encryption algorithms used by hosts to
establish a secure communication.
Supported cipher suites can be classified based on
encryption algorithm strength, key length, key
exchange and authentication mechanisms.
There are several small difference between
Cipher Suites available under SSLv3 and
under TLS:
• Key Exchange
• Symmetric Encryption Algorithm

26. Certificate_Verify and Finished Message:
• TLS certificate_verify message, the MD5 and
SHA-1 hashes are calculated only over
handshake_messages
• Hash calculation also include master secret and
pads
• TLS finished message is a hash based on shared
master_secret, the previous handshake message,
and label that identifies client or server

27. Padding:
•In TLS, the padding can be any amount that result in a total that
is a multiple of the cipher’s block length, up to maximum of 255
bytes
•If your plaintext data is always a fixed length equal to a multiple
of the block size (8 or 16), you can avoid using padding.
•If the plaintext to be encrypted is not an exact multiple, you need
to pad before encrypting by adding a padding string.
•When decrypting, the receiving party needs to know how to
remove the padding in an unambiguous manner.
•Padding is a way to take data that may or may not be a multiple
of the block size for a cipher and extend it out so that it is

28. SECURE
ELECTRONIC
TRANSACTION
(SET)

29. Secure Electronic Transactions (SET):
•Secure Electronic Transaction (SET) was a
communications protocol standard for securing credit
card transactions over insecure networks, specifically,
the Internet.
• Companies involved:
o MasterCard, Visa, IBM, Microsoft, Netscape, RSA,
Terisa and Verisign
• Not a payment system.
• Set of security protocols and formats.

30. SET Services:
• Provides a secure communication channel in a
transaction.
• Provides trust by the use of digital certificates.
• Ensures privacy.

31. SET Participants:
1. The customer opens an account.
2. The customer receives a certificate.
3. Merchants have their own certificates.
4. The customer places an order.
5. The merchant is verified.
6. The order and payment are sent.
7. The merchant request payment authorization.
8. The merchant confirm the order.
9. The merchant provides the goods or service.
10. The merchant requests payments.

32. Dual Signature
The purpose of the dual signature is to link two
messages that are intended for two different recipients.
In this case, the customer wants to send the order
information (OI) to the merchant and the payment
information (PI) to the bank.
Dual signature can also mean the use of encryption with
two electronic signatures as a security measure for
delivering an electronic message in a Secure Electronic
Transaction (SET).

33. Payment processing:
Cardholder sends Purchase Request

34. Payment processing:
Merchant Verifies Customer Purchase Request

35. Purchase Request Transaction
Initiate Request
• The costumer requests the
certificates
• The message includes other
informations
Initiate Response
• The merchant includes the
certificates
• The message includes other
informations
35
Purchase Request
•Verifies the merchant and
gateway certificates
Purchase Response
Give the purchase response
message
costumer merchant

36. Tasks performed by Payment
Gateway
1. verifies all certificates
2. decrypts digital envelope of authorization block to obtain symmetric key
& then decrypts authorization block
3. verifies merchant's signature on authorization block
4. decrypts digital envelope of payment block to obtain symmetric key &
then decrypts payment block
5. verifies dual signature on payment block
6. verifies that transaction ID received from merchant matches that in PI
received (indirectly) from customer
7. requests & receives an authorization from issuer
8. sends authorization response(*) back to merchant
36
(*) - Authorization-related information
- Capture token information (to effect payment later)
- Certificate