web security

Cryptography and network security
Firewall, network security, William Stallings

Published in: Engineering
1. Web Security

2. Web Security Threats

   Integrity
     Threats: modification of user data, memory or message traffic
     Consequences: loss of information, compromise of machine
     Countermeasure: cryptographic checksums
   Confidentiality
     Threats: eavesdropping on the Net, theft of info from server/client, info about network configuration
     Consequences: loss of information and privacy
     Countermeasures: encryption, Web proxies
   Denial of Service
     Threats: killing of user threads, flooding machines with bogus requests, filling up disk or memory, isolating machine by DNS attack
     Consequences: prevents users from getting work done
     Countermeasure: difficult to prevent
   Authentication
     Threats: impersonation of legitimate user
     Consequences: misrepresentation of user, belief that false information is valid
     Countermeasure: cryptographic techniques

3. Security Facilities (where security can be placed in the protocol stack)

   Network level:     HTTP, FTP, SMTP / TCP / IP with IPSec
   Transport level:   HTTP, FTP, SMTP / SSL or TLS / TCP / IP
   Application level: S/MIME, PGP, SET / Kerberos, SMTP, HTTP / UDP, TCP / IP
4. Secure Socket Layer: SSL Architecture

   Handshake Protocol | Change Cipher Spec Protocol | Alert Protocol | HTTP
   SSL Record Protocol
   TCP
   IP

5. Secure Socket Layer: Connection and Session

   Connection
     A connection is a transport that provides a suitable type of service. For SSL it is a peer-to-peer relationship.
     Connections are transient; each one is associated with one session.
   Session
     An association between client and server, created by the Handshake Protocol.
     Defines a set of security parameters that can be shared among multiple connections, avoiding the expensive negotiation of new security parameters for each connection.

6. Secure Socket Layer: Session and Connection Parameters

   Session: Session Identifier, Peer Certificate, Compression Method, Cipher Spec, Master Secret, Is Resumable
   Connection: Server and Client Random, Server Write MAC Secret, Client Write MAC Secret, Server Write Key, Client Write Key, Initialization Vector, Sequence Number

7. Secure Socket Layer: Protocols

   SSL Record Protocol, Handshake Protocol, Change Cipher Spec Protocol, Alert Protocol

8. SSL Record Protocol

   Provides confidentiality and message integrity.

9. SSL Record Protocol: MAC computation

   hash(MAC_write_secret || pad_2 || hash(MAC_write_secret || pad_1 || seq_num || SSLCompressed.type || SSLCompressed.length || SSLCompressed.fragment))

10. SSL Record Protocol Header

   Content Type: the higher-layer protocol carried in the fragment
   Major Version: for SSLv3 its value is 3
   Minor Version: for SSLv3 its value is 0
   Compressed Length: the length in bytes of the (compressed) plaintext fragment
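Worked example for slides 9 and 10, added here and not part of the slides or of Stallings' text: the SSLv3 MAC formula above computed with SHA-1 (pad_1 = 0x36 and pad_2 = 0x5c repeated 40 times, seq_num as a 64-bit counter, as in RFC 6101), wrapped in the record header, and checked by a receiver that tracks its own sequence number. The MAC secret and the HTTP fragment are constructed values; encryption of fragment||MAC is left out so the MAC itself is visible. The replay check shows why seq_num is inside the MAC: the same record delivered twice fails with bad_record_mac.

```python
import hashlib
import hmac
import struct

# Pad lengths from RFC 6101: 48 bytes for MD5, 40 bytes for SHA-1
PAD_LEN = {"md5": 48, "sha1": 40}
# Content type values of the higher-layer protocols the record layer carries
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
SSLV3_MAJOR, SSLV3_MINOR = 3, 0
MAX_FRAGMENT = 2 ** 14 + 1024   # a compressed fragment may exceed 2^14 by at most 1024 bytes


def sslv3_mac(mac_write_secret, seq_num, content_type, fragment, hash_name="sha1"):
    """hash(secret || pad_2 || hash(secret || pad_1 || seq_num || type || length || fragment))."""
    digest = lambda data: hashlib.new(hash_name, data).digest()
    pad_1 = b"\x36" * PAD_LEN[hash_name]
    pad_2 = b"\x5c" * PAD_LEN[hash_name]
    # seq_num is a 64-bit counter, type one byte, length two bytes, all big-endian
    inner = digest(mac_write_secret + pad_1
                   + struct.pack("!QBH", seq_num, content_type, len(fragment))
                   + fragment)
    return digest(mac_write_secret + pad_2 + inner)


def build_record(mac_write_secret, seq_num, content_type, fragment, hash_name="sha1"):
    """Record = header(type, major, minor, length) || fragment || MAC.
    Compression is null and the encryption step is omitted so the MAC stays visible;
    a real stack encrypts fragment||MAC with the write key before sending."""
    body = fragment + sslv3_mac(mac_write_secret, seq_num, content_type, fragment, hash_name)
    return struct.pack("!BBBH", content_type, SSLV3_MAJOR, SSLV3_MINOR, len(body)) + body


def parse_record(mac_write_secret, expected_seq, record, hash_name="sha1"):
    """Check the header fields and the MAC; returns (content type name, fragment)."""
    if len(record) < 5:
        raise ValueError("illegal_parameter: truncated header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if (major, minor) != (SSLV3_MAJOR, SSLV3_MINOR):
        raise ValueError("illegal_parameter: not SSLv3")
    if ctype not in CONTENT_TYPES:
        raise ValueError("unexpected_message: unknown content type")
    mac_len = hashlib.new(hash_name).digest_size
    if length > MAX_FRAGMENT + mac_len or length < mac_len:
        raise ValueError("illegal_parameter: bad record length")
    body = record[5:5 + length]
    if len(body) != length:
        raise ValueError("illegal_parameter: truncated record")
    fragment, mac = body[:-mac_len], body[-mac_len:]
    expected = sslv3_mac(mac_write_secret, expected_seq, ctype, fragment, hash_name)
    if not hmac.compare_digest(mac, expected):     # constant-time comparison
        raise ValueError("bad_record_mac")
    return CONTENT_TYPES[ctype], fragment


def replay_is_detected():
    """Deliver one record twice; the receiver's sequence number has advanced, so the MAC fails."""
    secret = b"\x42" * 20          # constructed client_write_MAC_secret, not from a real handshake
    rec = build_record(secret, 0, 23, b"GET / HTTP/1.0\r\n\r\n")
    first = parse_record(secret, 0, rec)
    try:
        parse_record(secret, 1, rec)   # replayed: the receiver now expects seq_num 1
    except ValueError as err:
        return first[0] == "application_data" and str(err) == "bad_record_mac"
    return False


if __name__ == "__main__":
    print("replay detected:", replay_is_detected())
```

TLS 1.0 replaced this construction with HMAC over the same fields; the sequence number and the length stay inside the MAC for the same reason, so a record cannot be replayed, reordered or truncated without the receiver noticing.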
11-14. SSL Handshake Protocol (four figure slides)

15. SSL Change Cipher Specification Protocol
   • Consists of a single message.
   • Causes the pending state to become the current state, hence updating the cipher suite in use.

16. SSL Alert Protocol
   • Conveys SSL-related alerts to the peer entity.
   • Each alert carries a severity (warning or fatal) and a specific alert code.
   • Always fatal: unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter.
   • Remaining alerts (sent as warnings unless the sender marks them fatal): close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown.
   • Alert messages are compressed and encrypted like all SSL data.
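Worked example for slides 15 and 16, added here and not taken from the slides or from Stallings: a receiver for the two one-message protocols, using the session and connection state of slides 5 and 6. A change_cipher_spec message is the single byte 0x01 and moves the pending cipher spec into the current one; an alert is two bytes, level then description, with the SSLv3 description codes from RFC 6101. A fatal alert closes the connection and marks the session non-resumable, while close_notify only closes the connection. The session ID and cipher suite name are constructed values, and treating the always-fatal codes as fatal regardless of the level byte is this example's defensive choice.

```python
from dataclasses import dataclass
from typing import Optional

CHANGE_CIPHER_SPEC, ALERT = 20, 21      # record-layer content types
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# SSLv3 alert description codes (RFC 6101), the alerts the slide lists
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    30: "decompression_failure", 40: "handshake_failure", 41: "no_certificate",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
}
ALWAYS_FATAL = {10, 20, 30, 40, 47}


@dataclass
class Session:
    """Session state shared by its connections (slide 6)."""
    session_id: bytes
    cipher_spec: str
    is_resumable: bool = True


@dataclass
class Connection:
    """One connection under a session, with a current and a pending cipher state."""
    session: Session
    current_cipher_spec: str = "SSL_NULL_WITH_NULL_NULL"   # initial state before the handshake
    pending_cipher_spec: Optional[str] = None
    open: bool = True


def process_message(conn, content_type, payload):
    """Apply one change_cipher_spec or alert message to the connection state."""
    if not conn.open:
        raise ValueError("connection is closed")
    if content_type == CHANGE_CIPHER_SPEC:
        if payload != b"\x01":
            raise ValueError("illegal_parameter: change_cipher_spec is a single byte of value 1")
        if conn.pending_cipher_spec is None:
            raise ValueError("unexpected_message: no pending cipher spec negotiated")
        conn.current_cipher_spec, conn.pending_cipher_spec = conn.pending_cipher_spec, None
        return "cipher spec updated"
    if content_type == ALERT:
        if len(payload) != 2:
            raise ValueError("illegal_parameter: alert is two bytes (level, description)")
        level, description = payload[0], payload[1]
        if level not in ALERT_LEVELS or description not in ALERT_DESCRIPTIONS:
            raise ValueError("illegal_parameter: unknown alert")
        if description in ALWAYS_FATAL:
            level = 2   # always fatal, whatever the peer put in the level byte (defensive choice)
        name = f"{ALERT_LEVELS[level]}:{ALERT_DESCRIPTIONS[description]}"
        if level == 2:
            conn.open = False
            conn.session.is_resumable = False   # fatal: the session ID may not be resumed
        elif description == 0:
            conn.open = False                    # close_notify: orderly close, session stays resumable
        return name
    raise ValueError("unexpected_message: not a change_cipher_spec or alert message")


def demo():
    session = Session(b"\x11" * 32, "SSL_RSA_WITH_RC4_128_SHA")   # constructed values
    conn = Connection(session)
    conn.pending_cipher_spec = session.cipher_spec                # set by the handshake
    events = [process_message(conn, CHANGE_CIPHER_SPEC, b"\x01"),
              process_message(conn, ALERT, bytes([1, 46])),
              process_message(conn, ALERT, bytes([2, 20]))]
    return events, conn.current_cipher_spec, conn.open, session.is_resumable


def close_notify_keeps_session_resumable():
    session = Session(b"\x22" * 32, "SSL_RSA_WITH_3DES_EDE_CBC_SHA")
    conn = Connection(session)
    process_message(conn, ALERT, bytes([1, 0]))
    return (not conn.open) and session.is_resumable


if __name__ == "__main__":
    print(demo(), close_notify_keeps_session_resumable())
```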
17. Secure Electronic Transaction: Business Requirements
   • Provide confidentiality of PAYMENT and ORDERING information.
   • Ensure the integrity of all TRANSMITTED data.
   • Provide authentication that a cardholder is a LEGITIMATE user.
   • Provide authentication that a merchant can accept credit card transactions.
   • Ensure the use of best security practices and system design techniques.
   • Create a protocol that does not depend on transport security mechanisms.

18. Secure Electronic Transaction: Features of SET
   • Confidentiality of INFORMATION
   • Integrity of DATA
   • Cardholder account authentication
   • Merchant authentication

19. Secure Electronic Transaction: SET Participants (figure slide)

20. Secure Electronic Transaction: SET Transaction
   1. Customer opens an account.
   2. Customer receives a certificate.
   3. Merchants have their own certificates.
   4. Customer places an order.
   5. Merchant is verified.
   6. Order and payment are sent.
   7. Merchant requests payment authorization.
   8. Merchant confirms the order.
   9. Merchant provides the goods or service.
   10. Merchant requests payment.

21. Secure Electronic Transaction: SET Transaction (figure slide)

22. Secure Electronic Transaction: Dual Signature
   • The customer creates two messages: order information (OI) for the merchant and payment information (PI) for the bank.
   • Neither party needs the details meant for the other, but both must be able to confirm that the two are linked.
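Worked example for slide 22, added here and not part of the slides or of Stallings' text: the dual signature as DS = Sign(H(H(PI) || H(OI))). The merchant receives OI, the digest of PI and DS; the bank receives PI, the digest of OI and DS; each can check the signature without seeing the other's data, and the order cannot be swapped under the same payment. The cardholder's signing key is a toy textbook RSA key generated at run time (no padding, Miller-Rabin primes), a stand-in for a real SET certificate key, and the OI and PI strings are constructed values.

```python
import hashlib
import random


def _is_probable_prime(n, rounds=25):
    """Miller-Rabin; adequate for a demo key, not a vetted prime generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Toy textbook RSA (no padding) standing in for the cardholder's SET signing key."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            n = p * q
            return (e, n), (pow(e, -1, phi), n)


def h(data):
    return hashlib.sha256(data).digest()


def dual_sign(private_key, oi, pi):
    """DS = Sign(H(PIMD || OIMD)): one signature tying the order to the payment."""
    pimd, oimd = h(pi), h(oi)
    pomd = h(pimd + oimd)
    d, n = private_key
    return pow(int.from_bytes(pomd, "big"), d, n)


def _verify(public_key, ds, pomd):
    e, n = public_key
    return pow(ds, e, n) == int.from_bytes(pomd, "big")


def merchant_verify(public_key, oi, pimd, ds):
    """The merchant holds OI in clear and only the digest of PI, never the card data."""
    return _verify(public_key, ds, h(pimd + h(oi)))


def bank_verify(public_key, pi, oimd, ds):
    """The bank holds PI in clear and only the digest of OI, never the order details."""
    return _verify(public_key, ds, h(h(pi) + oimd))


def demo():
    public_key, private_key = generate_keypair()
    oi = b"order=1 item=widget qty=2 price=19.98"            # constructed order information
    pi = b"pan=4111111111111111 exp=12/29 amount=19.98"      # constructed payment information
    ds = dual_sign(private_key, oi, pi)
    # What each party receives: merchant gets OI + PIMD + DS, bank gets PI + OIMD + DS
    merchant_ok = merchant_verify(public_key, oi, h(pi), ds)
    bank_ok = bank_verify(public_key, pi, h(oi), ds)
    # A different order presented with the same payment no longer matches the linked digest
    swapped = merchant_verify(public_key, b"order=1 item=widget qty=20 price=199.80", h(pi), ds)
    return merchant_ok, bank_ok, swapped


if __name__ == "__main__":
    print(demo())
```

The linkage is the point: the bank can prove the payment it authorized belongs to exactly the order the merchant holds, because the signed value commits to both digests, while the merchant never learns the card number and the bank never learns what was bought.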