The presentation discussed web security issues including client-side, server-side, and data transmission risks and proposed SSL as a solution to encrypt data exchange between clients and servers, providing authentication, integrity, and confidentiality of data. It described the SSL architecture and protocols for encrypting records, negotiating keys during handshake, and alerting of errors. The presentation also covered the SET protocol for secure online payment transactions.
2. contents
Introduction
Issues related to web security
-client-side issues
-server-side issues
-data on transmission issues
Solution to web security: SSL
SSL Architecture
Its advantages and uses
SET:
conclusion
05/28/14 2ASSAM UNIVERSITY SILCHAR
3. introduction
o Nowadays almost everything relies on computers, and all the sensitive tasks are done through the web:
-communication (email)
-shopping (online store)
-transportation (e-ticketing)
-database access
-entertainment, etc.
“Web security involves protecting that information by preventing, detecting and responding to attacks.”
4. Web security: client-side security risks
Browser risks:
- Crashes the browser, damages the user's system, or merely creates an annoyance.
- The misuse of personal information knowingly or unknowingly provided by the end user.
Active content, such as ActiveX controls and Java applets:
– Introduces the possibility that Web browsing will introduce viruses or other malicious software into the user's system.
5. Web security: server-side security risks
Risk: Allow unauthorized remote users to:
– Steal confidential documents.
– Execute commands on the server host machine to modify the system.
– Gain information about the Web server's host machine to break into the system.
– Launch denial-of-service attacks, rendering the machine temporarily unusable.
6. Server-side security risks (contd.)
Bugs in the Web server
- Buggy software opens up security holes.
Misconfiguration problems in the Web server
– A poorly configured Web server can punch a hole in the most carefully designed firewall system.
7. Security risk of data in transmission
• Risk: Interception of network data sent from browser to server or vice versa via network eavesdropping.
– Eavesdroppers can operate from any point on the pathway between browser and server.
• Reason: The TCP/IP protocol was not designed with security in mind; hence it is vulnerable to network eavesdropping.
9. SSL
SSL is the most widely used security protocol for authentication on the Web; it was developed by Netscape Communications in 1995.
SSL secures data exchange between a client and a server by encrypting it.
SSL runs above TCP/IP and below higher-level protocols such as HTTP.
The SSL protocol allows client-server applications to communicate in such a way that they prevent eavesdropping, tampering or message forgery.
10. SSL provides 3 main things:
• End Point Authentication
– The server is the actual party you wish to communicate with, not someone faking their identity.
• Message Integrity
– The data exchanged with the server has not been modified along the way. If it is, it can be easily detected.
• Confidentiality
– Data is encrypted. A hacker cannot read your information by simply looking at the packets on the network.
11. How SSL works:
• Secure Web pages feature “https” in their URL instead of the usual “http”.
• The browser sees the https in the URL and initiates a connection to the SSL port on the Web server.
12. SSL architecture
SSL is designed to make use of TCP to provide a reliable end-to-end secure service.
SSL is a two-layer protocol:
- at the lower level there is the SSL record protocol, and
- at the upper level there are higher-layer protocols such as the handshake protocol, the change cipher spec protocol and the alert protocol.
14. SSL record protocol
• The SSL Record Protocol is used to encapsulate various higher-level protocols.
• The SSL Record Protocol takes the upper-layer application message to be transmitted, fragments the data into manageable blocks, optionally compresses the data, applies a MAC, encrypts, adds a header, and transmits the result to TCP.
• The received data is decrypted, verified, decompressed, reassembled, and then delivered to higher-level clients.
15. Operation of SSL record protocol
16. Operation of SSL record protocol
• The first step is fragmentation. Each upper-layer message is fragmented into blocks of 2^14 bytes (16384 bytes) or less.
• Next, compression is optionally applied. Compression must be lossless and may not increase the content length by more than 1024 bytes. In SSLv3, no compression algorithm is specified, so the default compression algorithm is null.
• The next step in processing is to compute a Message Authentication Code (MAC) over the compressed data. For this purpose, a shared secret key is used.
18. Operation of SSL record protocol
• Next, the compressed message plus the MAC are encrypted using symmetric encryption. Encryption may not increase the content length by more than 1024 bytes. The following encryption algorithms are permitted:
19. Operation of SSL record protocol
The final step of SSL Record Protocol processing is to append a header, consisting of the following fields:
o Content Type (8 bits): The higher-layer protocol used to process the enclosed fragment.
o Major Version (8 bits): Indicates the major version of SSL in use. For SSLv3, the value is 3.
o Minor Version (8 bits): Indicates the minor version in use. For SSLv3, the value is 0.
o Compressed Length (16 bits): The length in bytes of the plaintext fragment (or compressed fragment if compression is used).
20. SSL change cipher spec protocol
• The Change Cipher Spec Protocol is the simplest of the three SSL-specific protocols.
• This protocol consists of a single message, which is compressed and encrypted under the current CipherSpec. The message consists of a single byte of value 1.
• The sole purpose of this message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection.
• The client sends a change CipherSpec message following the handshake key exchange and certificate verify messages (if any), and the server sends one after successfully processing the key exchange message it received from the client.
21. SSL alert protocol
• One of the content types supported by the SSL Record Layer is the alert type.
• Alert messages consist of 2 bytes.
- The first byte takes the value warning or fatal to convey the seriousness of the message. If the level is fatal, SSL immediately terminates the connection.
- The second byte contains a code that indicates the specific alert.
22. SSL alert protocol
A specification of SSL-related alerts that are always fatal is listed in the following:
• unexpected_message: An inappropriate message was received.
• bad_record_mac: An incorrect MAC was received.
• decompression_failure: The decompression function received improper input (e.g., unable to decompress).
• handshake_failure: Sender was unable to negotiate an acceptable set of security parameters given the options available.
• illegal_parameter: A field in a handshake message was out of range or inconsistent with other fields.
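The record-layer steps of slides 16-19 and the alert format of slides 21-22, worked through in Python as an added example (not code from the presentation). It fragments at 2^14 bytes, computes the SSLv3 MAC (SHA-1 variant) over each fragment, adds the 5-byte header, and on the receiving side turns a tampered or replayed record into a fatal bad_record_mac alert. The numeric content types and alert codes are taken from the SSLv3/TLS specification; encryption is omitted and the MAC secret is a constructed value.

```python
import hashlib
import hmac
import struct

# Record-layer constants from the SSLv3/TLS specifications (the slides name
# the fields but not these values).
CT_CHANGE_CIPHER_SPEC, CT_ALERT, CT_HANDSHAKE, CT_APPLICATION_DATA = 20, 21, 22, 23
MAX_FRAGMENT = 2 ** 14            # fragmentation limit from slide 16 (16384 bytes)
SSLV3_VERSION = (3, 0)            # major 3, minor 0 as on slide 19
HEADER_FMT = ">BBBH"              # content type, major, minor, length (slide 19)
HEADER_LEN = struct.calcsize(HEADER_FMT)

# Alert levels and the always-fatal alert codes listed on slide 22.
ALERT_WARNING, ALERT_FATAL = 1, 2
ALERT_NAMES = {10: "unexpected_message", 20: "bad_record_mac", 30: "decompression_failure",
               40: "handshake_failure", 47: "illegal_parameter"}
ALERT_CODES = {name: code for code, name in ALERT_NAMES.items()}

# SSLv3 MAC padding: 0x36 / 0x5c repeated 40 times when the hash is SHA-1.
PAD1, PAD2 = b"\x36" * 40, b"\x5c" * 40
MAC_LEN = hashlib.sha1().digest_size


class SSLAlert(Exception):
    """Carries the alert a receiver would send back after a failed check."""
    def __init__(self, level, name):
        super().__init__(f"{'fatal' if level == ALERT_FATAL else 'warning'}: {name}")
        self.level, self.name = level, name


def sslv3_mac(mac_secret, seq_num, content_type, fragment):
    """SSLv3 MAC over the (null-)compressed fragment, slide 16:
    hash(secret + pad2 + hash(secret + pad1 + seq_num + type + length + fragment))."""
    hdr = struct.pack(">QBH", seq_num, content_type, len(fragment))
    inner = hashlib.sha1(mac_secret + PAD1 + hdr + fragment).digest()
    return hashlib.sha1(mac_secret + PAD2 + inner).digest()


def build_records(mac_secret, content_type, message, start_seq=0):
    """Sender side of slides 16-19: fragment, null-compress, MAC, add header.
    Encryption (slide 18) is left out so the bytes stay readable; the length
    field therefore covers fragment + MAC."""
    records, seq = [], start_seq
    for off in range(0, max(len(message), 1), MAX_FRAGMENT):
        frag = message[off:off + MAX_FRAGMENT]
        body = frag + sslv3_mac(mac_secret, seq, content_type, frag)
        records.append(struct.pack(HEADER_FMT, content_type, *SSLV3_VERSION, len(body)) + body)
        seq += 1
    return records


def verify_record(mac_secret, record, seq_num):
    """Receiver side: parse the header, check the MAC, return (type, fragment).
    A tampered byte or a replayed record (wrong seq_num) raises the fatal
    bad_record_mac alert of slide 22; malformed framing is a plain ValueError."""
    if len(record) < HEADER_LEN:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack(HEADER_FMT, record[:HEADER_LEN])
    if (major, minor) != SSLV3_VERSION:
        raise ValueError(f"unsupported version {major}.{minor}")
    body = record[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length or length < MAC_LEN:
        raise ValueError("truncated record body")
    frag, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(mac, sslv3_mac(mac_secret, seq_num, ctype, frag)):
        raise SSLAlert(ALERT_FATAL, "bad_record_mac")
    return ctype, frag


def is_valid(mac_secret, record, seq_num):
    """True when verify_record accepts the record, False on a MAC failure."""
    try:
        return verify_record(mac_secret, record, seq_num) is not None
    except SSLAlert:
        return False


def alert_record(mac_secret, seq_num, level, name):
    """The 2-byte alert of slide 21 (level, code) sent as an alert-type record."""
    return build_records(mac_secret, CT_ALERT, bytes([level, ALERT_CODES[name]]), seq_num)[0]


def parse_alert(mac_secret, record, seq_num):
    """Decode a received alert record into ('warning' | 'fatal', alert name)."""
    ctype, frag = verify_record(mac_secret, record, seq_num)
    if ctype != CT_ALERT or len(frag) != 2:
        raise ValueError("not a well-formed alert record")
    level, code = frag
    return ("fatal" if level == ALERT_FATAL else "warning", ALERT_NAMES.get(code, f"alert_{code}"))


def demo():
    """Constructed walk-through: a 20000-byte message becomes two records; one
    flipped bit in the second record yields a fatal bad_record_mac alert."""
    secret = b"constructed-mac-secret"          # stand-in for MAC_write_secret
    records = build_records(secret, CT_APPLICATION_DATA, b"A" * 20000)
    sizes = [len(r) - HEADER_LEN - MAC_LEN for r in records]     # [16384, 3616]
    first_ok = verify_record(secret, records[0], 0) == (CT_APPLICATION_DATA, b"A" * 16384)
    tampered = bytearray(records[1])
    tampered[HEADER_LEN] ^= 0x01                  # flip one bit of the fragment
    try:
        verify_record(secret, bytes(tampered), 1)
        alert = None
    except SSLAlert as e:
        alert = parse_alert(secret, alert_record(secret, 0, e.level, e.name), 0)
    return sizes, first_ok, alert
```

The sequence number folded into the MAC is what makes a replayed record fail verification even though its bytes are untouched.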
23. SSL handshake protocol
• The SSL Handshake Protocol operates on top of the SSL Record Layer and is the most important and most complex part of SSL.
• This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record.
• The Handshake Protocol is used before any application data is transmitted.
• The Handshake Protocol consists of a series of messages exchanged by the client and the server.
24. Contd…
Each message has three fields as follows:
• Type (1 byte): Indicates one of 10 messages as indicated in the following table.
• Length (3 bytes): The length of the message in bytes.
• Content (≥ 0 bytes): The parameters associated with this message; these are listed in the following table.
26. Handshake phase
Phase 1
o This phase is used to initiate a logical connection and to establish the security capabilities that will be associated with it.
o The exchange is initiated by the client, which sends a client_hello message with parameters such as Version, Session ID, CipherSuite, Compression Method, etc.
o After sending the client_hello message, the client waits for the server_hello message, which contains the same parameters as the client_hello message.
27. Handshake phase
Phase 2
o The server begins this phase by sending its certificate, if it needs to be authenticated; the message contains one or a chain of X.509 certificates.
o Next, a server_key_exchange message may be sent if it is required.
o Next, a nonanonymous server can request a certificate from the client. The certificate_request message includes two parameters: certificate_type and certificate_authorities.
o The final message in Phase 2, and one that is always required, is the server_done message, which is sent by the server to indicate the end of the server hello and associated messages.
28. Handshake phase
Phase 3
o Upon receipt of the server_done message, the client should verify that the server provided a valid certificate.
o If the server has requested a certificate, the client begins this phase by sending a certificate message. If no suitable certificate is available, the client sends a no_certificate alert instead.
o Next is the client_key_exchange message, which must be sent in this phase. The content of the message depends on the type of key exchange. For example, in anonymous Diffie-Hellman the client's public Diffie-Hellman parameters are sent.
o Finally, in this phase, the client may send a certificate_verify message to provide explicit verification of a client certificate. This message is only sent following a client certificate that has signing capability.
29. Handshake phase
Phase 4
o This phase completes the setting up of a secure connection.
o The client sends a change_cipher_spec message and copies the pending CipherSpec into the current CipherSpec.
o The client then immediately sends the finished message under the new algorithms, keys, and secrets.
o The finished message verifies that the key exchange and authentication processes were successful.
o In response to these two messages, the server sends its own change_cipher_spec message, transfers the pending to the current CipherSpec, and sends its finished message.
30. Contd…
The handshake is now complete: the server is authenticated and any information exchanged between the browser and the server is protected.
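The handshake message layout of slide 24 and the four phases of slides 26-29, as an added example in Python (not code from the presentation). It frames messages as Type/Length/Content, then checks constructed transcripts against the phase order, rejecting out-of-order messages and a client certificate or certificate_verify that was never requested. Message type numbers come from the SSLv3/TLS specification, and the spec name server_hello_done is used for the slides' server_done.

```python
# Handshake message types from the SSLv3/TLS specification (slide 24 says
# "one of 10 messages"); server_hello_done is the slides' server_done.
HS_TYPES = {0: "hello_request", 1: "client_hello", 2: "server_hello", 11: "certificate",
            12: "server_key_exchange", 13: "certificate_request", 14: "server_hello_done",
            15: "certificate_verify", 16: "client_key_exchange", 20: "finished"}
HS_CODES = {name: code for code, name in HS_TYPES.items()}
# change_cipher_spec is its own record content type (slide 20), not a handshake message.
CHANGE_CIPHER_SPEC = "change_cipher_spec"


def pack_handshake(name, content=b""):
    """Type (1 byte) + Length (3 bytes) + Content, the layout of slide 24."""
    if len(content) >= 1 << 24:
        raise ValueError("content does not fit the 3-byte length field")
    return bytes([HS_CODES[name]]) + len(content).to_bytes(3, "big") + content


def unpack_handshakes(data):
    """Split back-to-back handshake messages into (name, content) pairs."""
    msgs, off = [], 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated handshake header")
        code, length = data[off], int.from_bytes(data[off + 1:off + 4], "big")
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        msgs.append((HS_TYPES.get(code, f"type_{code}"), body))
        off += 4 + length
    return msgs


# The four phases of slides 26-29 in order: (sender, message, optional?).
HANDSHAKE_FLOW = [
    ("client", "client_hello", False),           # phase 1
    ("server", "server_hello", False),
    ("server", "certificate", True),             # phase 2
    ("server", "server_key_exchange", True),
    ("server", "certificate_request", True),
    ("server", "server_hello_done", False),
    ("client", "certificate", True),             # phase 3
    ("client", "client_key_exchange", False),
    ("client", "certificate_verify", True),
    ("client", CHANGE_CIPHER_SPEC, False),       # phase 4
    ("client", "finished", False),
    ("server", CHANGE_CIPHER_SPEC, False),
    ("server", "finished", False),
]


def check_handshake(transcript):
    """Walk (sender, message) pairs against HANDSHAKE_FLOW. Returns 'complete',
    'incomplete' (both finished messages not yet seen) or 'unexpected_message',
    the alert of slide 22 a peer sends when a message arrives out of order."""
    pos, cert_requested, client_cert_sent = 0, False, False
    for sender, msg in transcript:
        # Skip optional steps the peer chose not to send.
        while (pos < len(HANDSHAKE_FLOW) and HANDSHAKE_FLOW[pos][2]
               and HANDSHAKE_FLOW[pos][:2] != (sender, msg)):
            pos += 1
        if pos >= len(HANDSHAKE_FLOW) or HANDSHAKE_FLOW[pos][:2] != (sender, msg):
            return "unexpected_message"
        if msg == "certificate_request":
            cert_requested = True
        if (sender, msg) == ("client", "certificate"):
            if not cert_requested:            # slide 28: only after a certificate_request
                return "unexpected_message"
            client_cert_sent = True
        if msg == "certificate_verify" and not client_cert_sent:
            return "unexpected_message"       # slide 28: only follows a client certificate
        pos += 1
    while pos < len(HANDSHAKE_FLOW) and HANDSHAKE_FLOW[pos][2]:
        pos += 1
    return "complete" if pos == len(HANDSHAKE_FLOW) else "incomplete"


# Constructed transcripts: server-only authentication, and mutual authentication.
SERVER_AUTH = [("client", "client_hello"), ("server", "server_hello"),
               ("server", "certificate"), ("server", "server_hello_done"),
               ("client", "client_key_exchange"), ("client", CHANGE_CIPHER_SPEC),
               ("client", "finished"), ("server", CHANGE_CIPHER_SPEC), ("server", "finished")]
MUTUAL_AUTH = SERVER_AUTH[:3] + [("server", "certificate_request")] + SERVER_AUTH[3:4] + [
    ("client", "certificate"), ("client", "client_key_exchange"),
    ("client", "certificate_verify")] + SERVER_AUTH[5:]
```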
31. SSL uses
• SSL enables secure communication on an insecure network such as the Internet.
• Most web-based online purchases and monetary transactions are now secured by SSL
– Online banking
– Credit card purchases
32. Advantages
• SSL is already built into browsers.
– There is no need to install extra software.
• The server the user connects to suffers no significant reduction in speed.
– SSL was developed with server performance in mind.
• SSL can be used as an alternative to a Virtual Private Network (VPN).
– A VPN creates a virtual pipeline from a client directly to the server.
– SSL secures data transmitted through the web to the server.
34. Introduction
• SET is a protocol designed to ensure that merchants and cardholders can conduct business over insecure networks.
• Developed by Visa and MasterCard
35. Purpose
The purpose of the SET protocol is to establish payment transactions that:
• provide confidentiality of information;
• ensure the integrity of payment instructions;
• authenticate both the cardholder and the merchant;
• maintain privacy, i.e. information is made available only when and where necessary.
36. SET participants
There are six main entities in SET:
1) Cardholder (customer)
2) Merchant (web server)
3) Issuer (cardholder’s bank)
4) Acquirer
5) Payment gateway (a device operated by an acquirer; sometimes these are two separate entities)
6) Certificate Authority
38. Contd…
The participants in the SET system include the following:
• Cardholder: A cardholder is an authorized holder of a
payment card (e.g., MasterCard, Visa) that has been
issued by an issuer.
• Merchant: A merchant is a person or organization that
has goods or services to sell to the cardholder.
• Issuer: This is a financial institution, such as a bank, that
provides the cardholder with the payment card.
• Acquirer: This is a financial institution that establishes an
account with a merchant and processes payment card
authorizations and payments.
39. Contd..
• Payment gateway: This is a function operated by the
acquirer or a designated third party that processes
merchant payment messages. The payment gateway
interfaces between SET and the existing bankcard
payment networks for authorization and payment
functions.
• Certification authority (CA): This is an entity that is
trusted to issue X.509v3 public-key certificates for
cardholders, merchants, and payment gateways.
40. How It Works?
Both cardholders and merchants must first register with a CA before they can buy or sell on the Internet. Once registration is done, the cardholder and merchant can start to do transactions.
41. Contd...
SET involves 9 basic steps, which are:
1. Customer browses the website and decides what to purchase.
2. Customer sends order and payment information, which includes 2 parts in one message:
a. Purchase Order – this part is for the merchant.
b. Card Information – this part is for the merchant’s bank only.
3. Merchant forwards the card information (part b) to their bank.
42. Contd...
4. Merchant’s bank checks with the Issuer for payment authorization.
5. Issuer sends authorization to the Merchant’s bank.
6. Merchant’s bank sends authorization to the merchant.
7. Merchant completes the order and sends confirmation to the customer.
8. Merchant captures the transaction from their bank.
9. Issuer prints the credit card bill (invoice) for the customer.
44. Key Technologies of SET
• Confidentiality of information: DES
• Integrity of data: RSA digital signatures with SHA-1
hash codes
• Cardholder account authentication: X.509v3 digital
certificates with RSA signatures
• Merchant authentication: X.509v3 digital certificates
with RSA signatures
• Privacy: separation of order and payment
information using dual signatures
46. Examples
• Examples of Certificate Chain For Merchant
47. Dual Signature
A new application of digital signatures is introduced in SET, namely the concept of dual signatures.
A dual signature is needed when two messages need to be linked securely but only one party is allowed to read each.
48. Dual Signatures
• Links two messages securely but allows only one party to read each.
[Figure: MESSAGE 1 → hash with SHA → DIGEST 1; MESSAGE 2 → hash with SHA → DIGEST 2; concatenate the digests together → hash with SHA to create NEW DIGEST → encrypt the new digest with the signer’s PRIVATE KEY → DUAL SIGNATURE]
49. Goal
• Goal: limit information to a “need-to-know” basis:
– The merchant does not need the credit card number.
– The bank does not need the details of the customer’s order.
– Keeping these items separate affords the customer extra protection in terms of privacy.
50. Why Dual Signature?
• Suppose that a customer sends the merchant two messages:
• The signed order information (OI).
• The signed payment information (PI).
• In addition, the merchant passes the payment information (PI) to the bank.
• If the merchant can capture another order information (OI) from this customer, the merchant could claim that this other order goes with the payment information (PI) rather than the original.
• So a link is needed to prove that the payment is intended for this order and not some other one.
51. Dual Signature Operation
• The operation for the dual signature is as follows:
– Take the hash (SHA-1) of the payment information and of the order information.
– These two hash values are concatenated [H(PI) || H(OI)] and then the result is hashed.
– The customer encrypts the final hash with their private key, creating the dual signature.
DS = E_KRc [ H(H(PI) || H(OI)) ]
52. DS Verification by Merchant
• The merchant has the public key of the customer, obtained from the customer’s certificate.
• Now the merchant can compute two values:
H(PIMD || H(OI))
D_KUc [ DS ]
• These should be equal!
53. DS Verification by Bank
• If the bank is in possession of DS, PI, the message digest of OI (OIMD), and the customer’s public key, then the bank can compute the following two values and check that they match:
H(H(PI) || OIMD)
D_KUc [ DS ]
54. What did we accomplish?
• The merchant has received OI and verified the
signature.
• The bank has received PI and verified the signature.
• The customer has linked the OI and PI and can prove
the linkage.
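To make the construction and the two verifications on slides 51 to 53 concrete, the following is an added example in Go and not code from the presentation; it uses the standard library's RSA PKCS#1 v1.5 signature over a SHA-1 digest, as SET specifies, and the PI and OI strings and the function names are constructed for this illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"fmt"
)

// Digest is H(): SET uses SHA-1 for the inner digests PIMD = H(PI), OIMD = H(OI).
func Digest(m []byte) []byte {
	h := sha1.Sum(m)
	return h[:]
}

// POMD recomputes the outer digest H(PIMD || OIMD). Any party can do this
// from the two inner digests alone, without seeing both plaintexts.
func POMD(pimd, oimd []byte) []byte {
	return Digest(bytes.Join([][]byte{pimd, oimd}, nil))
}

// Sign computes DS = E_KRc[H(H(PI) || H(OI))] with the cardholder's private key.
func Sign(priv *rsa.PrivateKey, pi, oi []byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, POMD(Digest(pi), Digest(oi)))
}

// MerchantVerify: the merchant sees OI in clear but only PIMD, never the card data.
func MerchantVerify(pub *rsa.PublicKey, pimd, oi, ds []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, POMD(pimd, Digest(oi)), ds) == nil
}

// BankVerify: the bank sees PI in clear but only OIMD, never the order details.
func BankVerify(pub *rsa.PublicKey, pi, oimd, ds []byte) bool {
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, POMD(Digest(pi), oimd), ds) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // cardholder key pair (KRc, KUc)
	pi := []byte("constructed PI: card 4111-xxxx-xxxx-1111, amount 42.00")
	oi := []byte("constructed OI: order 1001, 1 x widget, ship to store")
	ds, _ := Sign(priv, pi, oi)
	pimd, oimd := Digest(pi), Digest(oi)
	fmt.Println("merchant accepts:", MerchantVerify(&priv.PublicKey, pimd, oi, ds))
	fmt.Println("bank accepts:", BankVerify(&priv.PublicKey, pi, oimd, ds))
	// The substitution from slide 50: pairing DS with a different order must fail.
	fmt.Println("swapped OI accepted:", MerchantVerify(&priv.PublicKey, pimd, []byte("other order"), ds))
}
```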
55. Payment Processing
There are three main phases in a secure
electronic transaction:
• Purchase request
• Payment authorization
• Payment capture
56. Contd…
Purchase Request: The purchase request exchange consists of four messages:
• Initiate Request
• Initiate Response
• Purchase Request and
• Purchase Response.
Payment Authorization: During the processing of an order from a cardholder, the merchant authorizes the transaction with the payment gateway.
57. Contd..
• Payment Capture: The merchant creates a digitally signed payment request that includes the final transaction amount, the transaction ID, and other transaction information.
59. SET Overhead
Simple purchase transaction:
• Four messages between merchant and customer
• Four messages between merchant and payment gateway
• 4 certificate verifications
• Multiple servers need copies of all certificates
61. Conclusion
• The web is very vulnerable to attacks. It does not provide secure communication for exchanging information between the client and the server. But these two protocols, namely SSL and SET, make it possible for the web to become more secure for exchanging information as well as for making electronic transactions between the client and the server.
SET Transaction:
Order and Payment are Sent: Customer sends both order and payment information to merchant along with customer’s certificate.
The order confirms the purchase of items in the order form.
The payment contains credit card details.
The payment information is encrypted so that it cannot be read by the merchant.
The customer’s certificate enables the merchant to verify the customer.
Merchant Requests Payment Authorization: Merchant sends the payment information to the payment gateway.
This requests authorization that the customer’s available credit is sufficient for this purchase.
Merchant Confirms Order: Merchant sends a confirmation of the order to the customer.
Merchant Provides Goods or Service: Merchant ships the goods or provides the service to the customer.
Merchant Requests Payment: A request is sent to the payment gateway to handle payment processing.