email : rameshogania@gmail.com
Gsm : 9969 37 44 37
Intro to SSL/TLS & SET
SSL Origins
• Internet Engineering Task Force (IETF)
– www.ietf.org
– Documents: RFC 2246
• ANSI
– X9.42
• ITU
– X.509
• Netscape
Architecture (protocol stack, bottom to top): IP, TCP, SSL, Application (HTTP)
SSL security services
• Server authentication
– Client authentication is optional
• Encryption
• Message integrity
SSL phases
• Handshake
• Set protocol details
– Authenticate server
– Establish keys
• Data transfer
2/2/2016 Gene Itkis: CS558 Network Security 5
Handshake
• ClientHello
– Supported options
• ServerHello
– Options to be used
• ServerCertificate (ServerKeyExchange)
• ServerHelloDone
• ClientKeyExchange
• Finished (sent by client)
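The ClientHello and ServerHello steps above, as an added worked example that is not part of the original slides: a client serialises a TLS 1.0 ClientHello (its supported options), the server parses it, flags suites it should refuse, and picks the suite its ServerHello would announce. Standard library only; cipher suite code points are from RFC 2246 / 5246 / 5289, and the sample message is constructed in the code.

```python
"""Build and parse a TLS ClientHello record (constructed example)."""
import os
import struct

SUITE_NAMES = {
    0x0001: "TLS_RSA_WITH_NULL_MD5",
    0x0002: "TLS_RSA_WITH_NULL_SHA",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
}
WEAK_SUITES = {0x0001, 0x0002, 0x0009}   # no encryption, or 56-bit single DES
HANDSHAKE = 0x16                          # record-layer content type
CLIENT_HELLO = 0x01                       # handshake message type


def build_client_hello(version, suites, session_id=b"", random32=None):
    """Serialise a minimal ClientHello (no extensions) inside one TLS record."""
    random32 = os.urandom(32) if random32 is None else random32
    if len(random32) != 32:
        raise ValueError("ClientHello.random must be 32 bytes")
    body = struct.pack("!H", version) + random32
    body += struct.pack("!B", len(session_id)) + session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                    # compression_methods = [null]
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(hs)) + hs


def parse_client_hello(record):
    """Parse a TLS record holding a ClientHello; ValueError on malformed input."""
    if len(record) < 9:
        raise ValueError("truncated record")
    ctype, rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or len(record) != 5 + rec_len:
        raise ValueError("not a complete handshake record")
    hs_type, hs_len = record[5], int.from_bytes(record[6:9], "big")
    body = record[9:]
    if hs_type != CLIENT_HELLO or len(body) != hs_len:
        raise ValueError("not a well-formed ClientHello")
    pos = 0

    def take(n):                           # bounds-checked cursor read
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("ClientHello field runs past end of message")
        pos += n
        return body[pos - n:pos]

    client_version = struct.unpack("!H", take(2))[0]
    random32 = take(32)
    session_id = take(take(1)[0])
    suites_len = struct.unpack("!H", take(2))[0]
    if suites_len % 2:
        raise ValueError("odd cipher_suites length")
    suites = [struct.unpack("!H", take(2))[0] for _ in range(suites_len // 2)]
    compression = list(take(take(1)[0]))
    return {
        "record_version": divmod(rec_version, 256),    # (major, minor)
        "client_version": divmod(client_version, 256),
        "random": random32,
        "session_id": session_id,
        "cipher_suites": suites,
        "compression": compression,
        "extensions": body[pos:],          # empty when the client sent none
    }


def weak_suites_offered(suites):
    """Names of offered suites a server should refuse to negotiate."""
    return [SUITE_NAMES.get(s, "0x%04X" % s) for s in suites if s in WEAK_SUITES]


def choose_suite(offered, server_preference):
    """ServerHello step: first acceptable suite in the server's order that the client offered."""
    for s in server_preference:
        if s in offered and s not in WEAK_SUITES:
            return s
    return None


if __name__ == "__main__":
    rec = build_client_hello(0x0301, [0x0009, 0x002F, 0x0035])   # 0x0301 = TLS 1.0
    hello = parse_client_hello(rec)
    print("client version:", hello["client_version"])
    print("offered:", [SUITE_NAMES.get(s, hex(s)) for s in hello["cipher_suites"]])
    print("weak:", weak_suites_offered(hello["cipher_suites"]))
    pick = choose_suite(hello["cipher_suites"], [0x0035, 0x002F])
    print("server picks:", SUITE_NAMES[pick])
```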
SSL Handshake - First Part (figure: message timeline; gray areas are optional in some circumstances)
SSL Handshake - Second Part (figure: message timeline; gray areas are optional in some circumstances)
Figure: client and server protocol stacks (Application, Transport Layer (TCP, UDP), Network Layer (IP), Data Link Layer and Physical Layer, over Ethernet on the client side and Token Ring on the server side) connected through a router, which buffers packets that need to be forwarded (based on IP address). IPsec sits at the Network Layer of both hosts; SSL sits between the Application and Transport layers of both hosts.
HTTPS is HTTP with SSL (Secure Socket Layer).
HTTPS uses the TLS/SSL default TCP port, port 443.
Figure: HTTPS in a web browser or web server; SSL encrypts the HTTP traffic. Source: "Network Security Essentials: Applications and Standards," Prentice Hall, by Wm. Stallings (ECE6612)
SSL (Secure Sockets Layer)
• NOT a payment protocol -- can be used for any secure
communications, like credit card numbers
• SSL is a secure data exchange protocol providing
– Privacy between two Internet applications
– Authentication of server (authentication of browser optional)
• Uses enveloping: RSA used to exchange DES keys
• SSL Handshake Protocol
– Negotiates symmetric encryption protocol, authenticates
• SSL Record Protocol
– Packs/unpacks records, performs encryption/decryption
• Does not provide non-repudiation
WireShark* View of HTTPS (TLS = SSL) Connection
*Capture Filter: ether host 00:D0:**:**:**:*c
SET (Secure Electronic Transactions)
• Provides a secure communications channel among all the parties involved in a
transaction: Customer, Seller, Customer's credit provider, Seller's bank.
• Provides trust by the use of X.509v3 certificates.
• Ensures privacy because information is only made available to the parties that need it.
* Cardholder account authentication to the Merchant (Cardholder must have a
Certificate issued by the credit company; Merchant may issue a temporary Certificate
to ensure the session is not hijacked).
* Verifies Merchant's relationship with financial institution.
* Integrity of data customer sends to Merchant (order info tied to funds transfer).
SET - Steps in a Transaction
1. Customer opens account with credit company or bank.
2. Bank issues X.509 cert. to the Customer with RSA Keys.
3. Merchant has two certificates, signing and key exchange.
----
4. Customer places an order.
5. The Merchant sends the customer a copy of his certificate.
6. The Customer sends Order Information (OI) encrypted so the Merchant can read
it, and Payment Information (PI) encrypted so the Merchant can not read it.
---
7. Merchant requests payment by sending PI to the “Payment Gateway” (who can
decrypt it) and verifies Customer’s credit.
8. Merchant confirms the order to the Customer.
9. Merchant ships goods to Customer.
10. Merchant sends request for payment to the Payment Gateway which handles
transfer of funds.
Secure Electronic Transactions (SET)
Electronic Payment Systems
Credit Card Protocols: SSL, TLS, SET
Participants (figure):
• Issuing Bank: issues card; extends credit; assumes risk of card; cardholder reporting
• Card Associations
• Merchant
• Merchant Bank (Acquirer): sets up merchant; extends credit; assumes risk of merchant; funds merchant
• Consumer
• Processor (one on the issuing side, one on the acquiring side)
TLS (Transport Layer Security)
• SSL is so important it was adopted by the Internet
Engineering Task Force (IETF)
• TLS Protocol 1.0 (RFC 2246)
• TLS is very similar to SSL but they do not interoperate
• Goals
– Separate record and handshaking protocols
– Extensibility (add new cipher suites easily)
– Efficiency (minimize network activity)
Parties in Secure eCommerce (figure: card transaction flow)
Authorizations:
1. Customer: pays with card; card swiped; mag data read; (get signature)
2. Card Authorization via dial, lease line, satellite
3. Acquiring Bank's Processor: direct connections to MC/VI; obtains authorization from Issuer; returns response to merchant; five digit number that must be stored
4. Issuing Bank / Processor: receives auth request; verifies available funds; places hold on funds
Batch Settlement:
5. Merchant: stores authorizations and sales conducted; captures sales (at end of day); submits batch for funding
6. Acquiring Bank / Processor: scans settlement file; verifies authorizations match captured data; prepares file for MC/VI; prepares funding file; records txs for reporting
7. Issuing Bank / Processor: receives settlement file from MC/VI; funds MC/VI; matches txs to auths; posts txs to cardholder; records transactions for reporting
8. MC/VI: debit issuers / credit acquirers
9. Acquiring Bank funds merchant
SET in Practice
SOURCE: http://www.software.ibm.com/commerce/payment/specsheetetill.html
SET Objectives
• Confidentiality of payment and order information
– Encryption
• Integrity of all data (digital signatures)
• Authentication of cardholder & account (certificates)
• Authentication of merchant (certificates)
• No reliance on secure transport protocols (uses TCP/IP)
• Interoperability between SET software and network
– Standardized message formats
• SET is a payment protocol
– Messages relate to various steps in a credit card transaction
SET Certificate Hierarchy (figure)
Certificate authorities shown:
• Root CA (SET Co)
• Geo-Political CA (optional; only for VISA)
• Brand CA (MasterCard, Visa)
• Merchant CA (Banesto)
• Cardholder CA (Banesto)
• Payment Gateway CA (MasterCard; Banesto in VISA)
End entities holding certificates: Cardholder, Merchant, Payment Gateway
SOURCE: INZA.COM
SSL Vs. SET
• A part of SSL (Secure Socket Layer) is available on
customers' browsers
– it is basically an encryption mechanism for order taking, queries and
other applications
– it does not protect against all security hazards
– it is mature, simple, and widely used
• SET (Secure Electronic Transaction) is a very
comprehensive security protocol
– it provides for privacy, authenticity, integrity, and non-repudiation
– it is used very infrequently due to its complexity and the need for a
special card reader by the user
– it may be abandoned if it is not simplified/improved
SET Vs. SSL
Secure Electronic Transaction (SET) vs. Secure Socket Layer (SSL):
• Complexity
  SET: Complex.
  SSL: Simple.
• Purpose
  SET: SET is tailored to the credit card payment to the merchants.
  SSL: SSL is a protocol for general-purpose secure message exchanges (encryption).
• Privacy of payment data
  SET: SET protocol hides the customer's credit card information from merchants, and also hides the order information to banks, to protect privacy. This scheme is called dual signature.
  SSL: SSL protocol may use a certificate, but there is no payment gateway. So, the merchants need to receive both the ordering information and credit card information, because the capturing process should be initiated by the merchants.
Payments, Protocols and Related Issues
• SET Protocol is for Credit Card Payments
• Electronic Cash and Micropayments
• Electronic Fund Transfer on the Internet
• Stored Value Cards and Electronic Cash
• Electronic Check Systems
• Security requirements
Payments, Protocols and Related Issues (cont.)
Authentication: A way to verify the buyer’s identity before
payments are made
Integrity: Ensuring that information will not be accidentally or
maliciously altered or destroyed, usually during transmission
Encryption: A process of making messages indecipherable
except by those who have an authorized decryption key
Non-repudiation: Merchants need protection against the
customer’s unjustifiable denial of placed orders, and customers need
protection against the merchants’ unjustifiable denial of past payment
Electronic Credit Card System
on the Internet
• The Players
Cardholder
Merchant (seller)
Issuer (your bank)
Acquirer (merchant’s financial institution,
acquires the sales slips)
Brand (VISA, Master Card)
Secure Electronic Transaction (SET) Protocol
1. The message is hashed to a fixed-length message digest.
2. The message digest is encrypted with the sender’s private signature
key, and a digital signature is created.
3. The composition of message, digital signature, and Sender’s
certificate is encrypted with the symmetric key which is generated at
sender’s computer for every transaction. The result is an encrypted
message. SET protocol uses the DES algorithm instead of RSA for
encryption because DES can be executed much faster than RSA.
4. The Symmetric key itself is encrypted with the receiver’s public key
which was sent to the sender in advance. The result is a digital
envelope.
(Steps 1 to 4 take place on the Sender's Computer.)
5. The encrypted message and digital envelope are transmitted to
receiver’s computer via the Internet.
6. The digital envelope is decrypted with receiver’s private exchange key.
7. Using the restored symmetric key, the encrypted message can be
restored to the message, digital signature, and sender’s certificate.
8. To confirm the integrity, the digital signature is decrypted by sender’s
public key, obtaining the message digest.
9. The delivered message is hashed to generate message digest.
10. The message digests obtained by steps 8 and 9 respectively, are
compared by the receiver to confirm whether there was any change
during the transmission. This step confirms the integrity.
(Steps 6 to 10 take place on the Receiver's Computer.)
Secure Electronic Transaction (SET) Protocol (cont.)
Source: © Prentice Hall, 2000
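The dual signature described in the SET vs. SSL comparison, together with signing steps 1, 2 and 8 to 10 above, as an added worked example that is not part of the original slides: the cardholder signs H(H(PI) || H(OI)) once; the merchant verifies it from OI plus the digest of PI, and the payment gateway verifies it from PI plus the digest of OI, so neither sees the other's plaintext yet both confirm that order and payment are bound together. The RSA key generator and unpadded textbook signature are a stand-in for the cardholder's SET signature key, SHA-256 stands in for the SHA-1 of the SET era, and the PI/OI values are constructed sample data.

```python
"""SET dual signature with a toy RSA signer (constructed example, stdlib only)."""
import hashlib
import math
import secrets


def sha256(data):
    return hashlib.sha256(data).digest()


def is_probable_prime(n, rounds=24):
    """Miller-Rabin primality test used by the toy key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        n = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(n):
            return n


def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)); 512 bits keeps the demo fast, not secure."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_sign(digest, priv):
    """Textbook RSA on the raw digest (no padding): stand-in for the SET signature."""
    n, d = priv
    return pow(int.from_bytes(digest, "big"), d, n)


def rsa_verify(digest, sig, pub):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(digest, "big")


def dual_signature(pi, oi, priv):
    """Cardholder: DS = Sign(H(PIMD || OIMD)) with PIMD = H(PI), OIMD = H(OI)."""
    return rsa_sign(sha256(sha256(pi) + sha256(oi)), priv)


def merchant_verifies(oi, pimd, ds, pub):
    """Merchant holds OI in clear and only the digest PIMD of the payment data."""
    return rsa_verify(sha256(pimd + sha256(oi)), ds, pub)


def gateway_verifies(pi, oimd, ds, pub):
    """Payment gateway holds PI in clear and only the digest OIMD of the order."""
    return rsa_verify(sha256(sha256(pi) + oimd), ds, pub)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    # Constructed sample data; the card number is an obvious placeholder.
    pi = b"card=PLACEHOLDER-PAN;exp=12/99;amount=49.99"
    oi = b"order=1234;item=book;qty=1;amount=49.99"
    ds = dual_signature(pi, oi, priv)
    print("merchant accepts:", merchant_verifies(oi, sha256(pi), ds, pub))
    print("gateway accepts: ", gateway_verifies(pi, sha256(oi), ds, pub))
    print("altered order:   ", merchant_verifies(oi + b";qty=9", sha256(pi), ds, pub))
```

Because one signature covers both digests, an altered OI fails at the merchant and an altered PI fails at the gateway, even though each party only ever sees one of the two plaintexts.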
Five Security Tips
• Don’t reveal your online Passcode to anyone. If you think your
online Passcode has been compromised, change it immediately.
• Don’t walk away from your computer if you are in the middle of a
session.
• Once you have finished conducting your banking on the Internet,
always sign off before visiting other Internet sites.
• If anyone else is likely to use your computer, clear your cache or
turn off and re-initiate your browser in order to eliminate copies of
Web pages that have been stored in your hard drive.
• Banks strongly recommend that you use a browser with 128-bit
encryption to conduct secure financial transactions over the
Internet.
Questions ?
email : rameshogania@gmail.com
Gsm : 9969 37 44 37

Search and Society: Reimagining Information Access for Radical Futures
 
Epistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI supportEpistemic Interaction - tuning interfaces to provide information for AI support
Epistemic Interaction - tuning interfaces to provide information for AI support
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...Transcript: Selling digital books in 2024: Insights from industry leaders - T...
Transcript: Selling digital books in 2024: Insights from industry leaders - T...
 
The Future of Platform Engineering
The Future of Platform EngineeringThe Future of Platform Engineering
The Future of Platform Engineering
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3UiPath Test Automation using UiPath Test Suite series, part 3
UiPath Test Automation using UiPath Test Suite series, part 3
 
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using Deplo...
 

SSL/TLS & SET

1. Intro to SSL/TLS & SET
email : rameshogania@gmail.com
Gsm : 9969 37 44 37
2. SSL Origins
• Internet Engineering Task Force (IETF)
– www.ietf.org
– Documents: RFC 2246
• ANSI
– X9.42
• ITU
– X.509
• Netscape
4. SSL security services
• Server authentication
– Client authentication is optional
• Encryption
• Message integrity
5. SSL phases
• Handshake
– Set protocol details
– Authenticate server
– Establish keys
• Data transfer
2/2/2016 Gene Itkis: CS558 Network Security
6. Handshake
• ClientHello
– Supported options (protocol version, cipher suites, compression methods)
• ServerHello
– Options to be used
• ServerCertificate (ServerKeyExchange, when the chosen cipher suite needs it)
• ServerHelloDone
• ClientKeyExchange
• Finished (sent by the client, then by the server, each after its ChangeCipherSpec)
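The ClientHello of slide 6 as it appears on the wire, as an added example that is not part of the slides: a builder and a bounds-checked parser for a TLS 1.0 (RFC 2246) ClientHello record, plus a check that lists offered cipher suites a server must never select. The code points and names in SUITES are IANA values; the client random used in the usage block is a constructed sample, and the function names are this example's own.

```python
"""Build and parse a TLS 1.0 ClientHello record with the standard library only."""
import os
import struct

TLS_HANDSHAKE = 22          # record layer content type
CLIENT_HELLO = 1            # handshake message type
TLS_1_0 = (3, 1)            # RFC 2246 wire version

# A handful of IANA cipher-suite code points (constructed sample set for the demo).
SUITES = {
    0x0000: "TLS_NULL_WITH_NULL_NULL",
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0009: "TLS_RSA_WITH_DES_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}


def build_client_hello(suites, version=TLS_1_0, client_random=None, session_id=b""):
    """Serialise ClientHello -> Handshake -> TLSPlaintext record (RFC 2246 section 7.4.1.2)."""
    client_random = client_random or os.urandom(32)   # gmt_unix_time + 28 random bytes
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    body = struct.pack("!BB", *version) + client_random
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", TLS_HANDSHAKE, *version, len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a ClientHello record; every length field is checked before it is trusted."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, vmaj, vmin, rlen = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HANDSHAKE or 5 + rlen != len(record):
        raise ValueError("not a complete handshake record")
    hs = record[5:]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("handshake length does not match record")
    body = hs[4:]
    pos = 0

    def take(n):                  # bounds-checked slice; a bare body[pos:pos+n] would fail silently
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("field runs past end of ClientHello")
        chunk, pos = body[pos:pos + n], pos + n
        return chunk

    version = tuple(take(2))
    client_random = take(32)
    session_id = take(take(1)[0])
    cs_len = struct.unpack("!H", take(2))[0]
    if cs_len == 0 or cs_len % 2:
        raise ValueError("cipher_suites length must be a non-zero multiple of 2")
    raw = take(cs_len)
    suites = [struct.unpack("!H", raw[i:i + 2])[0] for i in range(0, cs_len, 2)]
    compression = list(take(take(1)[0]))
    if pos != len(body):
        raise ValueError("trailing bytes after ClientHello (extensions are not handled here)")
    return {"record_version": (vmaj, vmin), "version": version, "random": client_random,
            "session_id": session_id, "cipher_suites": suites, "compression": compression}


def weak_suites(suites):
    """Names of offered suites a server must never pick: NULL, export, single DES, RC4, MD5."""
    flagged = []
    for code in suites:
        name = SUITES.get(code, "unknown_0x%04x" % code)
        if any(tag in name for tag in ("NULL", "EXPORT", "_DES_", "RC4", "MD5")):
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    # Constructed sample: a client offering two legacy suites and two AES suites.
    rec = build_client_hello([0x0003, 0x0009, 0x002F, 0x0035], client_random=bytes(range(32)))
    hello = parse_client_hello(rec)
    print(rec.hex())
    print("offered:", [SUITES[c] for c in hello["cipher_suites"]])
    print("weak:", weak_suites(hello["cipher_suites"]))
```

The server picks one entry from the offered list, so a client that advertises an export or NULL suite has already handed a downgrade opportunity to anyone in the path; the `weak_suites` check is the first thing to run on a captured ClientHello. The parser refuses any length field that does not agree with the enclosing one, which is what keeps a hostile peer from driving it past the end of the buffer.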
7. SSL Handshake - First Part
[figure: Client and Server messages laid out over time; gray areas are optional in some circumstances]
8. SSL Handshake - Second Part
[figure: Client and Server messages laid out over time; gray areas are optional in some circumstances]
9. [figure: protocol stacks of two end hosts and a router. Each host has an Application layer, Transport Layer (TCP, UDP), Network Layer (IP), Data Link Layer and Physical Layer (Ethernet on one host, Token Ring on the other). The router has only Network, Data Link and Physical layers and buffers packets that need to be forwarded (based on IP address). IPsec is placed at the Network Layer; SSL is placed above the Transport Layer of the end hosts, process to process.]
10. HTTPS
• HTTPS is HTTP with SSL (Secure Socket Layer).
• HTTPS uses the TLS/SSL default TCP port, port 443
[figure: Web Browser or Web Server, HTTP passed through an encrypting SSL layer]
Source: "Network Security Essentials: Applications and Standards," Prentice Hall, by Wm. Stallings (ECE6612)
11. SSL (Secure Sockets Layer)
• NOT a payment protocol -- can be used for any secure communications, such as sending credit card numbers
• SSL is a secure data exchange protocol providing
– Privacy between two Internet applications
– Authentication of server (authentication of browser optional)
• Uses enveloping: RSA encrypts the pre-master secret from which the symmetric (e.g. DES) session keys are derived
• SSL Handshake Protocol
– Negotiates the symmetric encryption algorithm, authenticates the server
• SSL Record Protocol
– Packs/unpacks records, performs encryption/decryption and MAC computation/verification
• Does not provide non-repudiation
12. WireShark* View of an HTTPS (TLS, the successor of SSL) Connection
*Capture Filter: ether host 00:D0:**:**:**:*c
[figure: packet capture]
13. SET (Secure Electronic Transactions)
• Provides a secure communications channel among all the parties involved in a transaction: Customer, Seller, Customer's credit provider, Seller's bank.
• Provides trust by the use of X.509v3 certificates.
• Ensures privacy because information is only made available to the parties that need it.
* Cardholder account authentication to the Merchant (Cardholder must have a Certificate issued by the credit company). The Merchant may issue a temporary Certificate to ensure the session is not hijacked.
* Verifies the Merchant's relationship with its financial institution.
* Integrity of data the customer sends to the Merchant (order info tied to funds transfer).
14. SET - Steps in a Transaction
1. Customer opens account with credit company or bank.
2. Bank issues X.509 cert. to the Customer with RSA Keys.
3. Merchant has two certificates, signing and key exchange.
----
4. Customer places an order.
5. The Merchant sends the customer a copy of his certificate.
6. The Customer sends Order Information (OI) encrypted so the Merchant can read it, and Payment Information (PI) encrypted so the Merchant can not read it.
---
7. Merchant requests authorization by sending the PI to the "Payment Gateway" (which can decrypt it); the gateway verifies the Customer's credit.
8. Merchant confirms the order to the Customer.
9. Merchant ships goods to Customer.
10. Merchant sends the request for payment (capture) to the Payment Gateway, which handles the transfer of funds.
16. Electronic Payment Systems
Credit Card Protocols: SSL, TLS, SET
17. Participants
• Issuing Bank
– Issues card
– Extends credit
– Assumes risk of card
– Cardholder reporting
• Card Associations
• Merchant
• Merchant Bank (Acquirer)
– Sets up merchant
– Extends credit
– Assumes risk of merchant
– Funds merchant
• Consumer
• Processor (one on the issuing side, one on the acquiring side)
18. TLS (Transport Layer Security)
• SSL is so important it was adopted by the Internet Engineering Task Force (IETF)
• TLS Protocol 1.0 (RFC 2246)
• TLS 1.0 is very similar to SSL 3.0, but the two do not interoperate
• Goals
– Separate record and handshaking protocols
– Extensibility (add new cipher suites easily)
– Efficiency (minimize network activity)
19. [figure: card authorization and batch settlement flow]
Authorizations
1. Customer
• pays with card
• card swiped
• mag data read
• (get signature)
2. Card Authorization via dial, lease line, satellite
3. Acquiring Bank's Processor
• direct connections to MC/VI
• obtains authorization from Issuer
• returns response to merchant
• five digit number that must be stored
4. Issuing Bank / Processor
• receives auth request
• verifies available funds
• places hold on funds
Batch Settlement
5. Merchant
• stores authorizations and sales conducted
• captures sales (at end of day)
• submits batch for funding
6. Acquiring Bank / Processor
• scans settlement file
• verifies authorizations match captured data
• prepares file for MC/VI
• prepares funding file
• records txs for reporting
7. Issuing Bank / Processor
• receives settlement file from MC / VI
• funds MC / VI
• matches txs to auths
• posts txs to cardholder
• records transactions for reporting
8. MC / VI debit issuers / credit acquirers
9. Acquiring Bank funds merchant
20. Parties in Secure eCommerce
[figure]
21. SET in Practice
SOURCE: http://www.software.ibm.com/commerce/payment/specsheetetill.html
22. SET Objectives
• Confidentiality of payment and order information
– Encryption
• Integrity of all data (digital signatures)
• Authentication of cardholder & account (certificates)
• Authentication of merchant (certificates)
• No reliance on secure transport protocols (uses TCP/IP)
• Interoperability between SET software and network
– Standardized message formats
• SET is a payment protocol
– Messages relate to various steps in a credit card transaction
23. SET Certificate Hierarchy
• Root CA (SET Co)
– Brand CA (MasterCard, Visa)
– Geo-Political CA (optional) (only for VISA)
– Cardholder CA (Banesto) -> Cardholder
– Merchant CA (Banesto) -> Merchant
– Payment Gateway CA (MasterCard; Banesto in VISA) -> Payment Gateway
SOURCE: INZA.COM
24. SSL Vs. SET
• SSL (Secure Socket Layer) is built into customers' browsers
– it is basically an encryption mechanism for order taking, queries and other applications
– it does not protect against all security hazards
– it is mature, simple, and widely used
• SET (Secure Electronic Transaction) is a very comprehensive security protocol
– it provides for privacy, authenticity, integrity, and non-repudiation
– it is used very infrequently due to its complexity and the need for special client software and a certificate on the user's side
– it may be abandoned if it is not simplified/improved
25. SET Vs. SSL
• Complexity: Secure Electronic Transaction (SET) is complex; Secure Socket Layer (SSL) is simple.
• Scope: SET is tailored to credit card payments to merchants; SSL is a protocol for general-purpose secure message exchange (encryption).
• Privacy: SET hides the customer's credit card information from the merchant and hides the order information from the bank, using a scheme called the dual signature. SSL may use a certificate, but there is no payment gateway, so the merchant has to receive both the order information and the credit card information, because the capture process is initiated by the merchant.
26. Payments, Protocols and Related Issues
• SET Protocol is for Credit Card Payments
• Electronic Cash and Micropayments
• Electronic Fund Transfer on the Internet
• Stored Value Cards and Electronic Cash
• Electronic Check Systems
27. Payments, Protocols and Related Issues (cont.)
• Security requirements
– Authentication: A way to verify the buyer's identity before payments are made
– Integrity: Ensuring that information will not be accidentally or maliciously altered or destroyed, usually during transmission
– Encryption: A process of making messages indecipherable except by those who have an authorized decryption key
– Non-repudiation: Merchants need protection against the customer's unjustifiable denial of placed orders, and customers need protection against the merchants' unjustifiable denial of past payment
28. Electronic Credit Card System on the Internet
• The Players
– Cardholder
– Merchant (seller)
– Issuer (your bank)
– Acquirer (merchant's financial institution, acquires the sales slips)
– Brand (VISA, Master Card)
29. Secure Electronic Transaction (SET) Protocol
Sender's Computer
1. The message is hashed to a fixed-length message digest.
2. The message digest is encrypted with the sender's private signature key; the result is the digital signature.
3. The composition of message, digital signature, and sender's certificate is encrypted with a symmetric key that is generated at the sender's computer for every transaction. The result is the encrypted message. SET uses the DES algorithm instead of RSA for this bulk encryption because DES can be executed much faster than RSA.
4. The symmetric key itself is encrypted with the receiver's public key-exchange key, which was sent to the sender in advance. The result is the digital envelope.
30. Secure Electronic Transaction (SET) Protocol (cont.)
Receiver's Computer
5. The encrypted message and the digital envelope are transmitted to the receiver's computer via the Internet.
6. The digital envelope is decrypted with the receiver's private key-exchange key, restoring the symmetric key.
7. Using the restored symmetric key, the encrypted message is decrypted back into the message, the digital signature, and the sender's certificate.
8. To confirm integrity, the digital signature is decrypted with the sender's public signature key (taken from the certificate), obtaining the message digest.
9. The delivered message is hashed to generate a message digest.
10. The message digests obtained in steps 8 and 9 are compared by the receiver to determine whether anything changed during transmission. This step confirms integrity, and, because only the sender's private key could have produced the signature, the origin of the message.
© Prentice Hall, 2000
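The digital envelope of slides 29 and 30 and the dual signature named on slide 25, worked through in code. This is an added example, not SET software and not code from the slides: textbook RSA keys generated from a fixed seed (no padding) and an HMAC-SHA256 keystream stand in for SET's padded RSA and DES, the "certificate" is the bare public key with no CA signature, and the order and payment strings are constructed. The names seal, open_envelope, dual_sign, merchant_checks and bank_checks are this example's own. Nothing here is production cryptography; it exists to make the message flow concrete.

```python
"""Toy SET-style digital envelope and dual signature, standard library only."""
import hashlib
import hmac
import math
import random

_rng = random.Random(2016)   # fixed seed so the demo is reproducible; never do this for real keys
E = 65537
KEY_BITS = 512               # modulus comfortably larger than a 256-bit digest or session key
KEY_BYTES = KEY_BITS // 8
SYM_KEY_BYTES = 32

def sha256(data):
    return hashlib.sha256(data).digest()

def _is_probable_prime(n, rounds=20):
    """Miller-Rabin after cheap trial division."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if _is_probable_prime(cand):
            return cand

def rsa_keygen():
    """Return (public, private) as ((n, e), (n, d)). SET parties hold separate signature and key-exchange pairs."""
    while True:
        p, q = _gen_prime(KEY_BITS // 2), _gen_prime(KEY_BITS // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(E, phi) == 1:
            return (p * q, E), (p * q, pow(E, -1, phi))

def _rsa(value, key):
    n, exp = key
    return pow(int.from_bytes(value, "big"), exp, n)

def rsa_sign(digest, priv):              # slide step 2: digest under the sender's private signature key
    return _rsa(digest, priv).to_bytes(KEY_BYTES, "big")

def rsa_verify(digest, sig, pub):        # slide steps 8-10: recover digest, compare with fresh hash
    return _rsa(sig, pub) == int.from_bytes(digest, "big")

def rsa_wrap(sym_key, pub):              # slide step 4: the digital envelope around the session key
    return _rsa(sym_key, pub).to_bytes(KEY_BYTES, "big")

def rsa_unwrap(envelope, priv):          # slide step 6
    key_int = _rsa(envelope, priv)
    if key_int >= 1 << (8 * SYM_KEY_BYTES):
        raise ValueError("envelope did not decrypt to a session key")
    return key_int.to_bytes(SYM_KEY_BYTES, "big")

def stream_xor(key, nonce, data):
    """Symmetric stand-in for DES: XOR with an HMAC-SHA256 counter keystream (same call encrypts and decrypts)."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def cert_bytes(pub):
    """Simplified 'certificate': just the public key, with no CA signature (an assumption of this demo)."""
    return pub[0].to_bytes(KEY_BYTES, "big") + pub[1].to_bytes(4, "big")

def cert_pubkey(cert):
    return int.from_bytes(cert[:KEY_BYTES], "big"), int.from_bytes(cert[KEY_BYTES:], "big")

def seal(message, sender_priv, sender_cert, receiver_pub):
    """Sender's computer, slide steps 1-4: hash, sign, symmetric-encrypt, wrap the key."""
    signature = rsa_sign(sha256(message), sender_priv)
    sym_key = _rng.getrandbits(8 * SYM_KEY_BYTES).to_bytes(SYM_KEY_BYTES, "big")   # fresh per transaction
    nonce = _rng.getrandbits(96).to_bytes(12, "big")
    payload = len(message).to_bytes(4, "big") + message + signature + sender_cert
    return {"ciphertext": stream_xor(sym_key, nonce, payload), "nonce": nonce,
            "envelope": rsa_wrap(sym_key, receiver_pub)}

def open_envelope(sealed, receiver_priv):
    """Receiver's computer, slide steps 6-10; returns (message, signature_valid)."""
    sym_key = rsa_unwrap(sealed["envelope"], receiver_priv)
    payload = stream_xor(sym_key, sealed["nonce"], sealed["ciphertext"])
    mlen = int.from_bytes(payload[:4], "big")
    if len(payload) < 4 + mlen + KEY_BYTES + KEY_BYTES + 4:
        return b"", False                                   # mangled framing: treat as forged
    message = payload[4:4 + mlen]
    signature = payload[4 + mlen:4 + mlen + KEY_BYTES]
    sender_pub = cert_pubkey(payload[4 + mlen + KEY_BYTES:])
    return message, rsa_verify(sha256(message), signature, sender_pub)

def dual_sign(oi, pi, cardholder_priv):
    """Dual signature: one signature over H(H(OI) || H(PI)) binds order and payment together."""
    h_oi, h_pi = sha256(oi), sha256(pi)
    return h_oi, h_pi, rsa_sign(sha256(h_oi + h_pi), cardholder_priv)

def merchant_checks(oi, h_pi, ds, cardholder_pub):
    """The merchant holds OI and only the digest of PI, yet can verify the signature."""
    return rsa_verify(sha256(sha256(oi) + h_pi), ds, cardholder_pub)

def bank_checks(pi, h_oi, ds, cardholder_pub):
    """The payment gateway holds PI and only the digest of OI."""
    return rsa_verify(sha256(h_oi + sha256(pi)), ds, cardholder_pub)
```

Usage: generate one pair each for the cardholder and the payment gateway with rsa_keygen, seal the PI with the cardholder's private key and the gateway's public key, and open it with the gateway's private key; flipping a single ciphertext byte makes open_envelope return a False verdict. For the dual signature, the merchant receives (OI, H(PI), DS) and the gateway (PI, H(OI), DS); each verifies the same signature without seeing the other party's data, and any change to either OI or PI breaks it for both. Note that textbook RSA without padding, as used here, is malleable and must not be copied into real code.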
31. Five Security Tips
• Don't reveal your online Passcode to anyone. If you think your online Passcode has been compromised, change it immediately.
• Don't walk away from your computer if you are in the middle of a session.
• Once you have finished conducting your banking on the Internet, always sign off before visiting other Internet sites.
• If anyone else is likely to use your computer, clear your cache or close and restart your browser in order to eliminate copies of Web pages that have been stored on your hard drive.
• Banks strongly recommend that you use a browser with 128-bit encryption to conduct secure financial transactions over the Internet.
32. Questions ?
email : rameshogania@gmail.com
Gsm : 9969 37 44 37