2. Web now widely used by business,
government, individuals
but Internet & Web are vulnerable
face a variety of threats to
◦ integrity
◦ confidentiality
◦ authentication
need added security mechanisms
3. SSL (Secure Sockets Layer) protects data in
transit between a web browser and a web server.
SSL encrypts the link between them, so that data
passed over it stays confidential and any
modification in transit is detected (it does not
protect the data before it is sent or after it is
received)
SSL is a two-layer protocol stack: the Record
Protocol on top of TCP, and above it the three
SSL-specific protocols (Handshake, Change Cipher
Spec, Alert) together with the application
protocol (e.g. HTTP)
5. SSL session
SSL distinguishes between a session and a
connection. A session is an association between a
client and a server, created by the Handshake
Protocol. It defines a set of cryptographic
security parameters (protocol version, cipher
spec, compression method, master secret, peer
certificate) that can be shared by several
connections, so the costly handshake need not be
repeated for each one.
SSL connection
A connection is a transport that carries the data
(in practice one TCP connection). It is transient,
and every connection belongs to exactly one
session. Creating a session is necessary, but not
sufficient, for two entities to communicate and
exchange data: each connection also has its own
state. The two parties exchange two random values
(client random and server random) and derive from
them and the session's master secret the
per-connection keys and parameters needed for
transmitting messages with authentication and
privacy (MAC secrets, write keys, IVs, sequence
numbers).
6. The SSL Record Protocol provides two services to
an SSL connection:
Confidentiality
Message Integrity
The Record Protocol processes application data in
steps. First the data is divided into fragments of
at most 2^14 bytes. Each fragment is optionally
compressed. Then a MAC (Message Authentication
Code) is computed over the fragment together with
its sequence number, using a keyed hash built on
MD5 (Message Digest) or SHA-1 (Secure Hash
Algorithm), and appended to the fragment. The
fragment plus MAC is encrypted with the negotiated
symmetric cipher, and finally the SSL record header
(content type, version, length) is prepended. The
receiver reverses these steps and checks the MAC
before accepting the data
7. The Change Cipher Spec Protocol also sends its
message through the SSL Record Protocol. Until the
Handshake Protocol has completed, the parameters
it negotiates sit in a pending state, while records
are still processed with the current state (initially
a null cipher and null MAC). After the handshake the
pending state is converted into the current state.
The Change Cipher Spec protocol consists of a single
message, 1 byte in length, which can have only one
value (1). Its purpose is to cause the pending state
to be copied into the current state, so that the
newly agreed cipher suite is used for this
connection from then on.
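The Record Protocol pipeline of slide 6 and the pending/current state switch of slide 7, as an added Python example that is not part of the original slides and not real SSL library code. It models one direction of a connection: records are sent in the clear under the initial null state, the handshake installs keys as the pending state, a change_cipher_spec copies pending into current, and from then on every record is MACed (over sequence number, type, version, length and fragment) and encrypted. The stream cipher is a stand-in built from HMAC-SHA256 in counter mode so the example has no dependencies; the MAC uses the TLS 1.0 HMAC shape rather than SSL 3.0's own MD5/SHA-1 padding construction; the keys and messages are constructed sample values.

```python
import hashlib
import hmac
import struct

# Record-layer content types (values from the SSL/TLS record header)
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23
VERSION = (3, 0)        # SSL 3.0
MAX_FRAGMENT = 2 ** 14  # fragment size limit of the Record Protocol
MAC_LEN = 20            # SHA-1 output length


def keystream(key, seq, length):
    """Stand-in stream cipher (HMAC-SHA256 in counter mode), an assumption made
    so the example has no dependencies; real SSL used RC4, 3DES or AES here."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">QI", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class CipherState:
    """Per-direction connection state: MAC secret, write key, sequence number."""

    def __init__(self, mac_key=None, enc_key=None):
        self.mac_key, self.enc_key, self.seq = mac_key, enc_key, 0

    @property
    def null(self):          # the initial state: no MAC, no encryption
        return self.mac_key is None


class RecordLayer:
    """One direction of one SSL connection: a current state and a pending state."""

    def __init__(self):
        self.current, self.pending = CipherState(), None

    def set_pending(self, mac_key, enc_key):
        # the Handshake Protocol fills the pending state; nothing changes yet
        self.pending = CipherState(mac_key, enc_key)

    def change_cipher_spec(self):
        # effect of the 1-byte ChangeCipherSpec message: pending becomes current
        if self.pending is None:
            raise RuntimeError("no pending state: handshake not complete")
        self.current, self.pending = self.pending, None

    def _mac(self, st, ctype, fragment):
        # keyed hash over seq_num || type || version || length || fragment
        hdr = struct.pack(">QBBBH", st.seq, ctype, *VERSION, len(fragment))
        return hmac.new(st.mac_key, hdr + fragment, hashlib.sha1).digest()

    def protect(self, ctype, data):
        """Sender side: fragment -> (compress: null) -> MAC -> encrypt -> header."""
        records = []
        for i in range(0, len(data), MAX_FRAGMENT):
            frag, st = data[i:i + MAX_FRAGMENT], self.current
            body = frag if st.null else frag + self._mac(st, ctype, frag)
            if not st.null:
                ks = keystream(st.enc_key, st.seq, len(body))
                body = bytes(a ^ b for a, b in zip(body, ks))
            records.append(struct.pack(">BBBH", ctype, *VERSION, len(body)) + body)
            st.seq += 1
        return records

    def unprotect(self, record):
        """Receiver side: header -> decrypt -> verify MAC -> (type, fragment)."""
        ctype, _major, _minor, length = struct.unpack(">BBBH", record[:5])
        body, st = record[5:5 + length], self.current
        if not st.null:
            ks = keystream(st.enc_key, st.seq, len(body))
            body = bytes(a ^ b for a, b in zip(body, ks))
            body, mac = body[:-MAC_LEN], body[-MAC_LEN:]
            if not hmac.compare_digest(mac, self._mac(st, ctype, body)):
                # a real implementation sends a fatal bad_record_mac alert (type 21) here
                raise ValueError("bad_record_mac")
        st.seq += 1
        return ctype, body


def demo():
    """Handshake in the clear, switch ciphers, then catch a modified record."""
    mac_key, enc_key = b"mac-secret-from-handshake", b"write-key-from-handshake"  # constructed
    sender, receiver = RecordLayer(), RecordLayer()
    hello = sender.protect(HANDSHAKE, b"ClientHello...")[0]   # null state: plaintext
    assert receiver.unprotect(hello) == (HANDSHAKE, b"ClientHello...")
    for side in (sender, receiver):                          # both ends install the keys
        side.set_pending(mac_key, enc_key)
        side.change_cipher_spec()
    good, spare = (sender.protect(APPLICATION_DATA, m)[0]
                   for m in (b"GET / HTTP/1.0\r\n", b"Host: example\r\n"))
    received = receiver.unprotect(good)
    tampered = spare[:-1] + bytes([spare[-1] ^ 0x01])        # flip one ciphertext bit
    try:
        receiver.unprotect(tampered)
        caught = False
    except ValueError:
        caught = True
    return received, caught


if __name__ == "__main__":
    print(demo())   # ((23, b'GET / HTTP/1.0\r\n'), True)
```

Because the sequence number is inside the MAC input but never on the wire, a replayed or reordered record also fails the check, which is why both sides reset their sequence numbers to zero when a new state becomes current.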
8. The Alert Protocol conveys SSL-related alerts to
the peer entity. Each alert message is two bytes:
severity
warning or fatal (a fatal alert terminates the
connection at once and invalidates the session)
specific alert
unexpected message, bad record mac, decompression
failure, handshake failure, illegal parameter
(always fatal)
close notify, no certificate, bad certificate, unsupported
certificate, certificate revoked, certificate expired,
certificate unknown (may be warnings)
alert messages are compressed & encrypted like all SSL data
9. The Handshake Protocol is used to establish sessions. It
allows the client and server to authenticate each other
and to negotiate the cryptographic algorithms and keys by
exchanging a series of messages, all carried by the Record
Protocol before any application data is sent.
The handshake proceeds in four phases:
Phase-1: Client and Server exchange hello messages
(client_hello, server_hello). These carry the protocol
version, a random value from each side, the session ID,
the cipher suites the client offers and the one the server
selects, and the compression method.
Phase-2: The server sends its certificate, a
server_key_exchange message when the certificate alone is
not enough for key exchange (e.g. Diffie-Hellman
parameters), and optionally a certificate_request. The
server ends phase-2 by sending server_hello_done.
Phase-3: The client replies by sending its certificate (if
one was requested), the client_key_exchange message (the
pre-master secret encrypted under the server's public key,
or the client's Diffie-Hellman public value), and a
certificate_verify message when it sent a certificate.
Phase-4: Each side sends a change_cipher_spec message
followed by a finished message, a keyed hash over all the
handshake messages exchanged so far, which lets the peer
detect any tampering with the negotiation. After this the
Handshake Protocol ends and application data can flow.
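The four phases as a message flow between two in-memory parties, as an added Python example that is not part of the original slides and not code from any SSL implementation. It shows the parts a practitioner usually has to reason about: the server picking a cipher suite from the client's offer in its own preference order (and refusing the handshake when there is no acceptable suite), the randoms and the Diffie-Hellman values going into the master secret and the key block, and each side's finished value binding the whole transcript to the master secret. Assumptions: a toy Diffie-Hellman group (the prime 2^127 - 1, generator 2, far too small for real use), an HMAC-SHA256 expansion in the shape of the TLS PRF instead of SSL 3.0's MD5/SHA-1 mix, a placeholder certificate, and unsigned server key-exchange parameters (a real DHE_RSA suite signs them with the certificate's key).

```python
import hashlib
import hmac
import secrets
import struct

# Toy Diffie-Hellman group, an assumption for this example only: the Mersenne prime
# 2^127 - 1 with generator 2 is far too small for real use.
P = 2 ** 127 - 1
G = 2

# Real cipher suite code points from the TLS registry; names abbreviated
SUITES = {0x0033: "DHE_RSA_WITH_AES_128_CBC_SHA",
          0x002F: "RSA_WITH_AES_128_CBC_SHA",
          0x0001: "RSA_WITH_NULL_MD5"}
SERVER_PREFERENCE = [0x0033, 0x002F]   # the server never accepts the NULL-cipher suite

# Handshake message type codes
CLIENT_HELLO, SERVER_HELLO, CERTIFICATE, SERVER_KEY_EXCHANGE = 1, 2, 11, 12
SERVER_HELLO_DONE, CLIENT_KEY_EXCHANGE, FINISHED = 14, 16, 20


def prf(secret, label, seed, length):
    """HMAC-SHA256 expansion in the shape of the TLS PRF (assumption for this example;
    SSL 3.0 itself derives keys with an MD5/SHA-1 mix)."""
    out, a = b"", label + seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]


class Party:
    def __init__(self):
        self.random = secrets.token_bytes(32)       # SSL: 4-byte timestamp + 28 random bytes
        self.priv = secrets.randbelow(P - 2) + 1    # ephemeral DH exponent
        self.transcript = b""                        # every handshake message sent or received

    def msg(self, mtype, body=b""):
        m = bytes([mtype]) + body
        self.transcript += m
        return m

    def recv(self, m):
        self.transcript += m
        return m

    def derive(self, peer_pub, client_random, server_random):
        pre_master = pow(peer_pub, self.priv, P).to_bytes(16, "big")
        self.master = prf(pre_master, b"master secret", client_random + server_random, 48)
        block = prf(self.master, b"key expansion", server_random + client_random, 80)
        # client MAC secret, server MAC secret, client write key, server write key
        self.keys = [block[i:i + 20] for i in range(0, 80, 20)]

    def finished(self, label):
        # verify_data binds the whole handshake transcript to the master secret
        return prf(self.master, label, hashlib.sha256(self.transcript).digest(), 12)


def handshake(client_offers):
    """Runs the four phases between two in-memory parties and returns the outcome."""
    client, server = Party(), Party()

    # Phase 1: hello messages carry version, randoms, session ID and cipher suites
    offers = b"".join(struct.pack(">H", s) for s in client_offers)
    server.recv(client.msg(CLIENT_HELLO, client.random + b"\x00" + offers))  # empty session ID
    chosen = next((s for s in SERVER_PREFERENCE if s in client_offers), None)
    if chosen is None:
        raise ValueError("handshake_failure: no acceptable cipher suite")
    client.recv(server.msg(SERVER_HELLO, server.random + struct.pack(">H", chosen)))

    # Phase 2: certificate (placeholder), server_key_exchange (unsigned DH parameters,
    # an assumption of this example), server_hello_done
    client.recv(server.msg(CERTIFICATE, b"<server certificate chain>"))
    ys = pow(G, server.priv, P)
    params = P.to_bytes(16, "big") + bytes([G]) + ys.to_bytes(16, "big")
    client.recv(server.msg(SERVER_KEY_EXCHANGE, params))
    client.recv(server.msg(SERVER_HELLO_DONE))

    # Phase 3: client_key_exchange with the client's DH public value (no client certificate requested)
    yc = pow(G, client.priv, P)
    server.recv(client.msg(CLIENT_KEY_EXCHANGE, yc.to_bytes(16, "big")))
    client.derive(ys, client.random, server.random)
    server.derive(yc, client.random, server.random)

    # Phase 4: change_cipher_spec (a Record Protocol message, not part of the transcript),
    # then finished from each side, checked by the peer before any application data
    client_fin = client.finished(b"client finished")
    if not hmac.compare_digest(client_fin, server.finished(b"client finished")):
        raise ValueError("handshake_failure: client finished does not verify")
    server.recv(client.msg(FINISHED, client_fin))
    server_fin = server.finished(b"server finished")
    if not hmac.compare_digest(server_fin, client.finished(b"server finished")):
        raise ValueError("handshake_failure: server finished does not verify")
    client.recv(server.msg(FINISHED, server_fin))
    return {"suite": SUITES[chosen], "keys_agree": client.keys == server.keys, "master": client.master}


if __name__ == "__main__":
    print(handshake([0x002F, 0x0033]))
```

Note that the server's choice is driven by its own preference list, not the order the client sent, and that the finished values would differ if any earlier message (for instance the offered suite list) had been altered on the wire, since both sides hash the transcript they actually saw.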
11. Transport Layer Security (TLS) is the IETF
standardised successor of SSL and is designed to
provide security at the transport layer. TLS
ensures that no third party can eavesdrop on or
tamper with any message.
There are several benefits of TLS:
Encryption:
TLS/SSL protects transmitted data using encryption.
Interoperability:
TLS/SSL works with most web browsers, including Microsoft
Internet Explorer, and on most operating systems and web
servers.
Algorithm flexibility:
TLS/SSL lets the authentication mechanism, encryption
algorithms and hashing algorithm that are used during the
secure session be negotiated between the peers.
12. SET (Secure Electronic Transaction) is an open
encryption & security specification
to protect Internet credit card transactions
developed in 1996 by MasterCard, Visa and others
not a payment system
rather a set of security protocols & formats
◦ secure communications amongst parties
◦ trust from use of X.509v3 certificates
◦ privacy by restricting info to those who need it
14. 1. customer opens account
2. customer receives a certificate
3. merchants have their own certificates
4. customer places an order
5. merchant is verified
6. order and payment are sent
7. merchant requests payment authorization
8. merchant confirms order
9. merchant provides goods or service
10. merchant requests payment
16. Merchant processing of the purchase request
1. verifies the cardholder's certificates using the CA
signatures
2. verifies the dual signature using the customer's
public signature key, to ensure the order has
not been tampered with in transit & that it
was signed using the cardholder's private
signature key (the merchant sees the order
information in clear but only a hash of the
payment information)
3. processes the order and forwards the payment
information to the payment gateway for
authorization (described later)
4. sends a purchase response to the cardholder
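The dual signature the merchant verifies in step 2, as an added Python example that is not part of the original slides and not SET specification code. The cardholder hashes the order information (OI) and the payment information (PI) separately, hashes the two digests together, and signs that one value. The merchant receives OI in clear plus only the digest of PI, the payment gateway receives PI in clear plus only the digest of OI, and each can still check the same signature, so neither party learns the other's data and the two halves cannot be separated or swapped. Assumptions: textbook RSA with 512-bit keys and no padding (SET used padded RSA with 1024-bit keys), SHA-256 instead of SET's SHA-1, a seeded pseudo-random generator for reproducibility, and constructed sample OI and PI strings.

```python
import hashlib
import random

rng = random.Random(20240101)   # seeded for reproducibility; use the secrets module for real keys


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # fixed length, odd
        if is_probable_prime(cand):
            return cand


def modinv(a, m):
    """Extended Euclid: a^-1 mod m (a and m must be coprime)."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r, old_s, s = r, old_r - q * r, s, old_s - q * s
    return old_s % m


def rsa_keypair(bits=512):
    """Textbook RSA without padding, an assumption for this example only.
    Returns ((e, n), (d, n))."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e is prime, so this guarantees gcd(e, phi) == 1
            return (e, p * q), (modinv(e, phi), p * q)


def h(data):
    return hashlib.sha256(data).digest()   # SET used SHA-1; SHA-256 assumed here


def dual_signature(oi, pi, priv):
    """DS = Sign_cardholder( H( H(PI) || H(OI) ) ): one signature covering both messages."""
    d, n = priv
    pomd = h(h(pi) + h(oi))                 # payment-order message digest
    return pow(int.from_bytes(pomd, "big"), d, n)


def merchant_verify(oi, pimd, ds, pub):
    """Merchant holds OI in clear and only PIMD = H(PI): it never sees card data."""
    e, n = pub
    return pow(ds, e, n) == int.from_bytes(h(pimd + h(oi)), "big")


def gateway_verify(pi, oimd, ds, pub):
    """Payment gateway holds PI in clear and only OIMD = H(OI): it never sees the order."""
    e, n = pub
    return pow(ds, e, n) == int.from_bytes(h(h(pi) + oimd), "big")


def demo():
    pub, priv = rsa_keypair()
    oi = b"merchant=shop.example order=2x widget total=19.98"    # constructed sample OI
    pi = b"card=4111111111111111 exp=12/29 amount=19.98"          # constructed sample PI
    ds = dual_signature(oi, pi, priv)
    pimd, oimd = h(pi), h(oi)
    ok_merchant = merchant_verify(oi, pimd, ds, pub)
    ok_gateway = gateway_verify(pi, oimd, ds, pub)
    altered = merchant_verify(oi.replace(b"2x", b"3x"), pimd, ds, pub)  # tampered order
    return ok_merchant, ok_gateway, altered


if __name__ == "__main__":
    print(demo())   # (True, True, False)
```

The point of the construction is in the two verify functions: they take different inputs but recompute the same digest, so a single signature authenticates the pair, and changing either half, or pairing the order with a different payment, breaks the check for both parties.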