IPSec is a collection of protocols that provide security at the network layer, including authentication and encryption of IP packets. It has two modes, transport and tunnel, and two security protocols: the Authentication Header (AH) and Encapsulating Security Payload (ESP). The Internet Key Exchange (IKE) protocol is used to establish Security Associations (SAs) between hosts to define encryption keys and algorithms. At the transport layer, the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols provide data security and server authentication over TCP. Application layer protocols like PGP and S/MIME can be used to encrypt and authenticate email messages. Firewalls filter network traffic between internal and external networks and can operate at the
SSL/TLS provides transport layer security for web traffic using encryption, message authentication codes, and digital certificates to authenticate servers and optionally clients. It establishes encrypted sessions between clients and servers to protect confidentiality and integrity. SET builds on SSL/TLS to securely transmit credit card payment information for e-commerce. It uses digital signatures and certificates to authenticate parties and link payment and order information while restricting details to authorized participants.
This document discusses web security and summarizes several related protocols:
1) SSL/TLS provides transport layer security for the web through encryption, authentication, and integrity checks between clients and servers.
2) SET was a secure payment protocol that used digital certificates and dual signatures to protect credit card transactions over the internet.
3) Payment authorization in SET involved the merchant sending payment information to a payment gateway, which then verified certificates and signatures before requesting authorization from the card issuer.
This document discusses various methods of implementing information security. It describes message/data security, channel security, security internal and external to applications, and Secure Sockets Layer (SSL). SSL provides secure transport channels using authentication, encryption, and message integrity. The document also discusses IPsec, which implements security at the network layer and can protect all network traffic and applications transparently. It describes how IPsec uses Authentication Headers (AH) and Encapsulating Security Payloads (ESP) to provide integrity, authentication, confidentiality, and anti-replay protection to IP packets.
This document discusses various protocols for securing network communications, including SSL/TLS, HTTPS, and SSH. It provides details on how SSL/TLS uses encryption and authentication to provide secure connections between a client and server. It also explains how HTTPS combines HTTP and SSL/TLS to securely transmit web traffic, and how SSH establishes secure channels for remote login and forwarding of network traffic.
SSL and TLS provide secure communication over the internet using encryption. SSL uses public key encryption to establish a secure connection and exchange keys to encrypt data sent between a client and server. It defines sessions which allow parameters like encryption algorithms to be shared for multiple connections. TLS is an updated version of SSL that uses similar record and handshake protocols. SET is an open standard that uses digital certificates and dual signatures to securely conduct credit card transactions over the internet between cardholders, merchants, issuers and payment gateways.
This document discusses various aspects of web security including:
1. Secure Socket Layer (SSL) and Transport Layer Security (TLS) which provide secure communication over the internet.
2. Secure Electronic Transaction (SET) which is an open encryption standard that protects credit card transactions on the internet.
3. The document outlines different security considerations for the web including vulnerabilities of web servers and the need for mechanisms like SSL, TLS at the transport layer and SET at the application layer.
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that provide secure communication over the internet. They allow for confidentiality, integrity, and authentication between two applications communicating over TCP. SSL/TLS works by encrypting the segments of TCP connections above the transport layer through the use of symmetric and asymmetric cryptography. It establishes a secure channel over an insecure network such as the internet.
This document provides an overview of Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL). It begins with an introduction to TLS/SSL, explaining what they are and their purposes of providing encryption, authentication and integrity verification. It then discusses digital certificates, the TLS/SSL handshake protocol and record protocol. It explains the four upper layer protocols: record, change cipher spec, alert and handshake. It provides details on SSL, TLS, their implementations and applications. The document is intended to explore how TLS works, best practices for its use, and its various applications in securing business computing.
SSL provides authentication and confidentiality for web communications. It operates at the transport layer, encrypting data between the application and transport layers. The SSL handshake protocol establishes a secure connection in 4 phases: establishing capabilities, server authentication and key exchange, client authentication and key exchange, and finishing. The record protocol then encrypts and integrity checks data sent over the secure connection, while the alert protocol closes the connection if an error is detected.
The document provides an overview of the Secure Sockets Layer (SSL) protocol. It discusses SSL's goals of providing confidentiality, integrity, and authentication for network communications. It describes the SSL handshake process, where the client and server authenticate each other and negotiate encryption parameters before transmitting application data. It also discusses SSL applications like securing web traffic and online payments. The document concludes that SSL is vital for web security and ensures user confidentiality and integrity.
Transport Layer Security (TLS) is the successor to the Secure Sockets Layer (SSL) protocol. TLS ensures privacy and security between communicating applications and users on the internet by preventing eavesdropping, tampering, and message forgery. It works by having the client and server negotiate a cipher suite and protocol version to use to securely transmit encrypted messages. This establishes a secure channel over an unsecured network like the internet to provide confidentiality, integrity, and authentication of communications.
The document discusses web security considerations and threats. It provides 3 levels at which security can be implemented - at the IP level using IPSec, at the transport level using SSL/TLS, and at the application level using protocols like SET. SSL/TLS works by establishing an encrypted channel between the client and server for secure communication. It uses handshake, change cipher spec, and alert protocols for negotiation and management of the secure session. Common web security threats include eavesdropping, message modification, denial of service attacks, and impersonation which can be mitigated using encryption, authentication and other cryptographic techniques.
IPSec is an open standard protocol suite that provides security services like data confidentiality, integrity, and authentication for IP communications. It operates at the network layer and can be used to secure communication between hosts, network devices, and between hosts and devices. The key components of IPSec include Internet Key Exchange (IKE) for setting up Security Associations (SA), the Authentication Header (AH) for data integrity and authentication, and the Encapsulating Security Payload (ESP) for confidentiality, integrity, and authentication.
The document summarizes web security considerations and technologies like SSL, TLS, and SET.
SSL and TLS provide encryption and authentication to secure data transmission between a client and server on the web. The handshake protocol allows servers and clients to authenticate each other and negotiate encryption before transmitting application data.
SET is an open encryption specification that protects credit card transactions on the internet. It provides security protocols and formats to ensure confidentiality, integrity of data, cardholder authentication, and merchant authentication for online payments. The sequence of events for transactions using SET is described briefly.
SSL (Secure Sockets Layer) is a standard protocol that provides secure communication between a web server and browser by encrypting data transmission. It establishes an encrypted connection through a handshake process where the server and client authenticate each other and negotiate encryption keys before transmitting secure data. The SSL/TLS record protocol then encrypts fragmented data using symmetric encryption and verifies integrity with MACs before transmission. Alert messages are used to notify errors between the client and server.
IPSec provides a framework for securing communications over IP networks by authenticating and encrypting IP packets. It includes protocols for authentication (Authentication Header or AH) and encryption (Encapsulating Security Payload or ESP). Key management protocols like Oakley and ISAKMP are used to establish security associations (SA) to protect communications between two endpoints. IPSec can operate in either transport mode to secure communications between applications, or tunnel mode to secure entire IP packets between network devices like VPN gateways.
This paper analyzes vulnerabilities of the SSL/TLS Handshake protocol, which is responsible for authentication of the parties in the communication and negotiation of the security parameters that will be used to protect the confidentiality and integrity of the data. It analyzes attacks against implementations of the Handshake protocol, as well as attacks against the other elements necessary to the SSL/TLS protocol, to discover the security flaws that were exploited, the modes of attack, and the potential consequences, and it also studies methods of defense. All versions of the protocol are the subject of the research, but emphasis is placed on the critical attacks that most endanger the safety of data. The goal of the research is to point out the danger posed by the existence of at least one vulnerability in the SSL/TLS protocol that can be exploited and endanger the safety of the data that should be protected.
- Web security is important to protect business, government and personal information from threats to integrity, confidentiality, availability, and authentication.
- SSL/TLS are transport layer security protocols that provide end-to-end encryption and authentication using symmetric and asymmetric cryptography to secure internet communications.
- SET is a secure payment protocol that uses digital signatures and certificates to securely transmit payment and order information between customers, merchants and payment processors to enable secure online credit card transactions.
IPSec provides a framework for securing communications over IP networks by authenticating and encrypting IP packets. It includes protocols for authentication headers and encapsulating security payloads to provide integrity, authentication, and confidentiality. Key management protocols like Oakley and ISAKMP are used to securely establish security associations between communicating parties to protect data flows.
The document discusses web security and information security. It covers topics such as security attacks, security services defined by OSI, security mechanisms like encryption and digital signatures, and security protocols like SSL/TLS and IPSec. It provides an overview of how these different aspects of security work together to protect data and network communications.
SSL/TLS is a protocol that provides secure communication over the Internet through the use of cryptography. It allows for authentication of server and client, data integrity, and confidentiality. SSL/TLS uses both symmetric and asymmetric encryption. It has gone through several versions starting from SSLv1 in 1995 to the current TLSv1.3. The TLS handshake establishes a secure connection through negotiation of cryptographic parameters, authentication, and key exchange. Application data is then sent securely over the established connection through encryption and integrity checks.
3. Network Layer
IP Security (IPSec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the network layer.
IPSec helps create authenticated and confidential packets for the IP layer.
4. TCP/IP Protocol Suite
Topics Discussed in the Section
- Two Modes
- Two Security Protocols
- Services Provided by IPSec
- Security Association
- Internet Key Exchange (IKE)
- Virtual Private Network (VPN)
6. Note: IPSec in transport mode does not protect the IP header; it only protects the information coming from the transport layer.
12. Two Security Protocols
IPSec defines two protocols, the Authentication Header (AH) Protocol and the Encapsulating Security Payload (ESP) Protocol, to provide authentication and/or encryption for packets at the IP level.
13. Authentication Header (AH)
The Authentication Header (AH) Protocol is designed to authenticate the source host and to ensure the integrity of the payload carried in the IP packet.
The protocol uses a hash function and a symmetric (secret) key to create a message digest; the digest is inserted in the authentication header.
The AH is then placed in the appropriate location, based on the mode (transport or tunnel).
14. Note: The AH protocol provides source authentication and data integrity, but not privacy.
15. Encapsulating Security Payload (ESP)
The Encapsulating Security Payload (ESP) protocol provides source authentication, integrity, and confidentiality.
ESP adds a header and a trailer.
17. Security Association
IPSec requires a logical relationship, called a Security Association (SA), between two hosts.
There are two Security Associations (SAs) between Alice and Bob: one outbound SA and one inbound SA. Each of them stores the value of the key in one variable and the name of the encryption/decryption algorithm in another.
A Security Association is a contract between two parties; it creates a secure channel between them.
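The AH digest and the Security Association described in slides 13 to 17, worked through as an added example that is not part of the original slides. It assumes IPv4 transport mode with HMAC-SHA-256 truncated to 128 bits as the keyed digest; the SPI, key, addresses and payload are constructed, and the anti-replay check is simplified to a strictly increasing counter.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

AH_PROTO = 51   # IP protocol number assigned to AH
ICV_LEN = 16    # assumption: HMAC-SHA-256 truncated to 128 bits as the digest


@dataclass
class SecurityAssociation:
    """One direction of the contract: the key in one field, the algorithm name in another."""
    spi: int          # Security Parameter Index carried in every AH header
    algorithm: str
    key: bytes
    seq: int = 0      # last sequence number sent (outbound) or accepted (inbound)


def _digest(sa, packet):
    """Keyed digest over the packet with router-mutable fields and the ICV zeroed."""
    b = bytearray(packet)
    b[1] = 0                              # type of service
    b[6:8] = b"\x00\x00"                  # flags + fragment offset
    b[8] = 0                              # TTL
    b[10:12] = b"\x00\x00"                # header checksum
    b[32:32 + ICV_LEN] = bytes(ICV_LEN)   # the digest field itself
    return hmac.new(sa.key, bytes(b), hashlib.sha256).digest()[:ICV_LEN]


def ah_protect(sa, src, dst, upper_proto, payload):
    """Transport mode: IP header | AH | transport-layer payload (left in cleartext)."""
    sa.seq += 1
    ah_words = (12 + ICV_LEN) // 4 - 2    # AH length field: 32-bit words minus 2
    ah = struct.pack("!BBHII", upper_proto, ah_words, 0, sa.spi, sa.seq) + bytes(ICV_LEN)
    total = 20 + len(ah) + len(payload)
    # Constructed IPv4 header; checksum left at 0 because it is excluded from the digest.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, AH_PROTO, 0, src, dst)
    pkt = ip + ah + payload
    return pkt[:32] + _digest(sa, pkt) + pkt[32 + ICV_LEN:]


def ah_verify(sa, packet):
    """Inbound check; returns the payload or raises ValueError."""
    if len(packet) < 32 + ICV_LEN or packet[9] != AH_PROTO:
        raise ValueError("not an AH packet")
    _next, _len, _rsv, spi, seq = struct.unpack("!BBHII", packet[20:32])
    if spi != sa.spi:
        raise ValueError("no SA for this SPI")
    if not hmac.compare_digest(_digest(sa, packet), packet[32:32 + ICV_LEN]):
        raise ValueError("ICV mismatch")
    if seq <= sa.seq:                     # simplified; real receivers keep a sliding window
        raise ValueError("replayed sequence number")
    sa.seq = seq
    return packet[32 + ICV_LEN:]


def outcome(sa, packet):
    """Map a verification attempt to 'ok' or the reason it was rejected."""
    try:
        ah_verify(sa, packet)
        return "ok"
    except ValueError as exc:
        return str(exc)


def demo():
    key = bytes(range(32))                                        # constructed key
    alice_out = SecurityAssociation(0x1001, "HMAC-SHA-256-128", key)
    bob_in = SecurityAssociation(0x1001, "HMAC-SHA-256-128", key)
    src, dst = bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])    # documentation addresses
    pkt = ah_protect(alice_out, src, dst, 17, b"balance=100")     # stand-in payload

    routed = bytearray(pkt)
    routed[8] -= 3                        # routers decrement TTL on the way
    tampered = pkt[:-3] + b"999"          # payload modified in transit
    spoofed = bytearray(pkt)
    spoofed[12] = 10                      # source address rewritten
    return {
        "payload_readable": b"balance=100" in pkt,   # AH gives no privacy
        "routed": outcome(bob_in, bytes(routed)),
        "tampered": outcome(bob_in, tampered),
        "spoofed": outcome(bob_in, bytes(spoofed)),
        "replayed": outcome(bob_in, pkt),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Because the source address is covered by the digest while TTL and checksum are not, a routed packet still verifies but a rewritten source address does not, which is why AH and address-translating middleboxes do not mix.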
22. TRANSPORT LAYER SECURITY
Two protocols are dominant today for providing security at the transport layer: the Secure Sockets Layer (SSL) protocol and the Transport Layer Security (TLS) protocol. The latter is actually an IETF version of the former. We discuss SSL in this section; TLS is very similar. Figure shows the position of SSL and TLS in the Internet model.
25. The Record Protocol is the carrier. It carries messages from three other protocols as well as the data coming from the application layer. Messages from the Record Protocol are payloads to the transport layer, normally TCP.
The Handshake Protocol provides security parameters for the Record Protocol. It establishes a cipher set and provides keys and security parameters. It also authenticates the server to the client and the client to the server if needed.
The ChangeCipherSpec Protocol is used for signaling the readiness of cryptographic secrets.
The Alert Protocol is used to report abnormal conditions.
26. Web Security
Web now widely used by business,
government, individuals
but Internet & Web are vulnerable
have a variety of threats
integrity
confidentiality
denial of service
authentication
need added security mechanisms
27. SSL (Secure Sockets Layer)
transport layer security service
originally developed by Netscape
version 3 designed with public input
subsequently became Internet standard known
as TLS (Transport Layer Security)
uses TCP to provide a reliable end-to-end
service
SSL has two layers of protocols
29. SSL Architecture
SSL connection
a transient, peer-to-peer, communications link
associated with 1 SSL session
SSL session
an association between client & server
created by the Handshake Protocol
define a set of cryptographic parameters
may be shared by multiple SSL connections
30. SSL Record Protocol Services
message integrity
using a MAC with shared secret key
similar to HMAC but with different padding
confidentiality
using symmetric encryption with a shared secret
key defined by Handshake Protocol
AES, IDEA, RC2-40, DES-40, DES, 3DES,
Fortezza, RC4-40, RC4-128
message is compressed before encryption
32. SSL Change Cipher Spec Protocol
one of 3 SSL specific protocols which use the
SSL Record protocol
a single message
causes pending state to become current
hence updating the cipher suite in use
33. SSL Alert Protocol
conveys SSL-related alerts to peer entity
severity
warning or fatal
specific alert
fatal: unexpected message, bad record mac,
decompression failure, handshake failure, illegal
parameter
warning: close notify, no certificate, bad certificate,
unsupported certificate, certificate revoked, certificate
expired, certificate unknown
compressed & encrypted like all SSL data
34. SSL Handshake Protocol
allows server & client to:
authenticate each other
to negotiate encryption & MAC algorithms
to negotiate cryptographic keys to be used
comprises a series of messages in phases
1. Establish Security Capabilities
2. Server Authentication and Key Exchange
3. Client Authentication and Key Exchange
4. Finish
36. TLS (Transport Layer Security)
IETF standard RFC 2246 similar to SSLv3
with minor differences
in record format version number
uses HMAC for MAC
a pseudo-random function expands secrets
has additional alert codes
some changes in supported ciphers
changes in certificate types & negotiations
changes in crypto computations & padding
37. Secure Electronic Transactions (SET)
open encryption & security specification
to protect Internet credit card transactions
developed in 1996 by Mastercard, Visa etc
not a payment system
rather a set of security protocols & formats
secure communications amongst parties
trust from use of X.509v3 certificates
privacy by restricted info to those who need it
39. SET Transaction
1. customer opens account
2. customer receives a certificate
3. merchants have their own certificates
4. customer places an order
5. merchant is verified
6. order and payment are sent
7. merchant requests payment authorization
8. merchant confirms order
9. merchant provides goods or service
10. merchant requests payment
40. Dual Signature
customer creates dual messages
order information (OI) for merchant
payment information (PI) for bank
neither party needs details of other
but must know they are linked
use a dual signature for this
signed concatenated hashes of OI & PI
DS=E(PRc, [H(H(PI)||H(OI))])
41. SET Purchase Request
SET purchase request exchange consists of
four messages
1. Initiate Request - get certificates
2. Initiate Response - signed response
3. Purchase Request - of OI & PI
4. Purchase Response - ack order
43. Purchase Request – Merchant
1. verifies cardholder certificates using CA sigs
2. verifies dual signature using customer's public
signature key to ensure order has not been
tampered with in transit & that it was signed
using cardholder's private signature key
3. processes order and forwards the payment
information to the payment gateway for
authorization (described later)
4. sends a purchase response to cardholder
45. Payment Gateway Authorization
1. verifies all certificates
2. decrypts digital envelope of authorization block to
obtain symmetric key & then decrypts authorization
block
3. verifies merchant's signature on authorization block
4. decrypts digital envelope of payment block to obtain
symmetric key & then decrypts payment block
5. verifies dual signature on payment block
6. verifies that transaction ID received from merchant
matches that in PI received (indirectly) from customer
7. requests & receives an authorization from issuer
8. sends authorization response back to merchant
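An added example, not part of the original slides, of the dual signature DS=E(PRc, [H(H(PI)||H(OI))]) from slide 40 together with the checks the merchant (slide 43) and the payment gateway (slide 45) run on it. SHA-256, the unpadded toy RSA key built from two Mersenne primes, and the sample OI/PI strings are assumptions constructed for illustration and are not suitable for real use.

```python
import hashlib

# Toy RSA key, constructed for this demo only: Mersenne primes, no padding.
P, Q = 2**127 - 1, 2**521 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # PRc, the customer's private exponent

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def as_int(digest: bytes) -> int:
    return int.from_bytes(digest, "big")

def dual_sign(pi: bytes, oi: bytes) -> int:
    """Customer: DS = E(PRc, H(H(PI) || H(OI)))."""
    return pow(as_int(H(H(pi) + H(oi))), D, N)

def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI and only the digest of PI (pimd = H(PI))."""
    return pow(ds, E, N) == as_int(H(pimd + H(oi)))

def gateway_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Gateway holds PI and only the digest of OI (oimd = H(OI))."""
    return pow(ds, E, N) == as_int(H(H(pi) + oimd))

# Constructed sample messages; the card field is a placeholder.
OI = b"txn=1001;item=book;qty=1"
PI = b"txn=1001;card=PLACEHOLDER;amount=25.00"

if __name__ == "__main__":
    ds = dual_sign(PI, OI)
    print("merchant accepts:", merchant_verify(OI, H(PI), ds))
    print("gateway accepts: ", gateway_verify(PI, H(OI), ds))
    swapped = b"txn=1001;item=tv;qty=1"
    print("swapped order rejected:", not merchant_verify(swapped, H(PI), ds))
```

Each party verifies the link between order and payment while seeing only the digest of the half it is not meant to read.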
46. Payment Capture
merchant sends payment gateway a payment
capture request
gateway checks request
then causes funds to be transferred to
merchant's account
notifies merchant using capture response
47. APPLICATION LAYER SECURITY
Usually we have two protocols providing security
services for e-mails: Pretty Good Privacy (PGP) and
Secure/Multipurpose Internet Mail Extension (S/MIME).
https://www.youtube.com/watch?v=CEADq-B8KtI
48. Note
In e-mail security, the sender of the
message needs to include the name
or identifiers of the algorithms
used in the message.
49. Note
In e-mail security, the encryption/decryption
is done using a symmetric-key algorithm,
but the secret key to decrypt the message
is encrypted with the public key of the
receiver and is sent with the message.
52. 30-4 FIREWALLS
All previous security measures cannot prevent Eve from
sending a harmful message to a system. To control
access to a system we need firewalls. A firewall is a
device (usually a router or a computer) installed
between the internal network of an organization and the
rest of the Internet. It is designed to forward some
packets and filter (not forward) others. Figure 30.32
shows a firewall.