SlideShare a Scribd company logo

Websecurity

Download as PPT, PDF
Merve Bilgen
Merve Bilgen
Technology
1 of 81
WEB Security
Information securityInformation security  Pre computer age Rugged filing cabinets with combination lock  Computer age Automated tools for security  Computer security Collection of tools to protect data  Network security  Internet security 3
3 aspects of information security3 aspects of information security  Security Attack: Any action that compromises the security of information.  Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.  Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms. 4
Web Security Considerations  WWW is Client server application over Internet and TCP/IP intranets  Web is vulnerable to attacks on web servers over the Internet  The WEB is visible outlet for corporates  Web servers are easy to configure and manage.  Complex software hide many security flaws.  Subverted servers will provide access to intranet systems  Users are not aware of the risks.
Internet security issuesInternet security issues  Requirements  Confidentiality  Authentication  Nonrepudiation  Integrity  Selection of algorithms  Services  Security mechanisms  Creation, distribution and protection of secret keys  Dependence of protocol  Placement of security mechanisms 6
OSI security architecture  ITU-T recommendations X.800 Defines a systematic approach  International standard For managers to provide security For security products  Focuses on services, mechanisms and attacks 7
Security services  Definition in RFC 2828 A processing or communication service that is provided by a system to give a specific kind of protection to system resources  X.800 services Five categories and 14 specific services 8
Categories  Authentication  Access control  Data Confidentiality  Data Integrity  Nonrepudiation 9
Specific services  Authentication (1) Peer entity authentication (2) Data-origin authentication  Data confidentiality (3) Connection confidentiality (4) Connectionless confidentiality (5) Selective-field confidentiality (6) Traffic flow confidentiality 10
Specific services  Data integrity (7) Connection integrity with recovery (8) Connection integrity without recovery (9) Selective-field Connection Integrity (10) Connectionless Integrity (11) Selective-field Connectionless Integrity 11
Specific services  Nonrepudiation (12) Nonrepudiation, origin (13) Nonrepudiation, destination (14) Availability service Protect to ensure availability Depends on - Proper management & control of system resources 12
Security mechanisms (Specific)  Encipherment  Digital signature  Access control  Data integrity  Authentication exchange  Traffic padding  Routing control  Notarization 13
Security mechanisms (Pervasive)  Trusted functionality  Security label  Event detection  Security audit trail  Security recovery 14
Security AttacksSecurity Attacks 15
Security AttacksSecurity Attacks  Interruption: This is an attack on availability  Interception: This is an attack on confidentiality  Modification: This is an attack on integrity  Fabrication: This is an attack on authenticity 16
17
Methods of DefenceMethods of Defence  Encryption  Software Controls (access limitations in a data base, in operating system protect each user from other users)  Hardware Controls (smartcard)  Policies (frequent changes of passwords)  Physical Controls 20
Placement of security mechanisms  Link to link Hardware device Application unaware Distribution of keys a problem  End to end Application/software aware Large no of keys involved
Link layer mechanisms  Radius (Remote authentication dial in user service) NSA, RADIUS servers Authentication, authorisation, accounting  WEP (Wireless encryption Protocol) Static keys  WPA (WiFi protected Access) Dynamic keys
Security mechanisms in the TCP/IP protocol stack
Need for IPSec  Application level security services  Electronic mail ○ S/MIME, PGP  Client Server ○ Kerberos, X.509  Web access ○ SSL, TLS, SET  Enterprises need security at IP layer  To protect security ignorant applications  Additional security to applications with security mechanisms  Establish private secure network
IPv4 Header
IPv6 Header
IP Security Overview  IPSec is not a single protocol.  IPSec provides a set of security algorithms  IPSec provides a general security framework for a pair of communicating entities  Across LAN, Private & Public WANs  Across Internet
IP Security Overview  Applications of IPSec Secure branch office connectivity over the Internet Secure remote access over the Internet Establsihing extranet and intranet connectivity with partners Enhancing electronic commerce security
IP Security Overview  Benefits of IPSec Better firewall protection Transparent to applications (below transport layer (TCP, UDP) Provide security for individual users  IPSec can assure that: A router or neighbor advertisement comes from an authorized router A redirect message comes from the router to which the initial packet was sent A routing update is not forged
IP Security Scenario
IP Security Architectures  Integrated architecture Supported in IPv6 Difficult to implement in IPv4  Bump in The stack (BITS) for IPv4 Between Data link and IP layers  Bump in The Wire (BITW) Hardware implementation
IPSec RFCs  IPSec documents: RFC 2401: An overview of security architecture RFC 2402: Description of a packet authentication extension to IPv4 and IPv6 RFC 2406: Description of a packet encryption extension to IPv4 and IPv6 RFC 2408: Specification of key managament capabilities
IPSec Services  Access Control  Connectionless integrity  Data origin authentication  Rejection of replayed packets  Confidentiality (encryption)  Limited traffic flow confidentiallity
IPSec protocols  Authentication header (AH)  Encapsulating security payload (ESP)  ESP with Authentication
IPSec modes of operations  Transport IPSec protects IP payload IPSec headers added before IP payload No change in IP header  Tunnel IPSec protects total IP packet IPSec headers encapsulates IP packet New IP header is created
Discussion onTunnel and Transport mode  Tunnel mode header order New IP hdr->IPsec hdr->old IP hdr->IP payload BITS or BITW architecture Choice for VPN  Transport mode header order IP hdr->IPSec hdr->IP payload IPSec integrated architecture End to End security
Protocols Transport Mode SA Tunnel Mode SA AH Authenticates IP payload and selected portions of IP header and IPv6 extension headers Authenticates entire inner IP packet plus selected portions of outer IP header ESP Encrypts IP payload and any IPv6 extesion header Encrypts inner IP packet ESP with authentication Encrypts IP payload and any IPv6 extesion header. Authenticates IP payload but no IP header Encrypts inner IP packet. Authenticates inner IP packet. Security services
Before applying AH
Transport Mode (AH Authentication)
Tunnel Mode (AH Authentication)
ESP Encryption and Authentication
ESP Encryption and Authentication
Combinations of Security Associations
Combinations of Security Associations
Combinations of Security Associations
Combinations of Security Associations
SSL and TLS  SSL was originated by Netscape  TLS working group was formed within IETF  First version of TLS can be viewed as an SSLv3.1
SSL  Make use of TCP  Provide reliable end to end secure communication  Two layers of protocols Higher layer ○ Handshake ○ change cipher spec ○ Alert Lower layer ○ Record
SSL Architecture
SSL connection  A logical client/server link  A peer-to-peer connection with two network nodes.  Transient.  Every connection associated with one session.
SSL session  An association between a client and a server  Defines a set of parameters such as algorithms used, session number etc.  An SSL session is created by the Handshake Protocol  that allows parameters to be shared among the connections made between the server and the client  Sessions are used to avoid negotiation of new parameters for each connection.  A single session is shared among multiple SSL connections between the client and the server.  In theory, it may also be possible that multiple sessions are shared by a single connection, but this feature is not used in practice.
SSL session state  A session state is defined by the following parameters:  session identifier: this is an identifier generated by the server to identify a session with a chosen client,  Peer certificate: X.509 certificate of the peer,  compression method: a method used to compress data prior to encryption,  CipherSpec: specifies the bulk data encryption algorithm (for example DES) and the hash algorithm (for example MD5) used during the session,  Master secret: 48-byte data being a secret shared between the client and server  “is resumable”: this is a flag indicating whether the session can be used to initiate new connections.
SSL connection state  The SSL connection state is defined by the following parameters:  Server and client random: random data generated by both the client and server for each connection,  Server write MAC secret: the secret key used for data written by the server,  Client write MAC secret: the secret used for data written by the client,  Server write key: the bulk cipher key for data encrypted by the server and decrypted by the client,  Client write key: the bulk cipher key for data encrypted by the client and decrypted by the server,  Initialisation vectors: for CBC mode of block cipher  Sequence number: sequence numbers maintained separately by the server for messages transmitted and received during the data session.
Record protocol  Services provided Confidentiality ○ Encryption of payloads using shared secret key obtained from handshake protocol Message Integrity ○ MAC using shared secret key obtained from handshake protocol
SSL Record Protocol Operation
SSL Record Format
Change cipher spec protocol  Payload of record protocol  Consist of single message Single byte value = 1  Purpose of message Cause copy of pending state to current state Updates cipher suite to be used on the current connection
Alert protocol  Conveys SSL alerts to peer  Payload of record  Consists of two bytes 1st byte : warning or fatal 2nd byte: code for specific alerts
SSL Record Protocol Payload
Handshake Protocol  The most complex part of SSL.  Allows the server and client to authenticate each other.  Negotiate encryption, MAC algorithm and cryptographic keys.  Used before any application data are transmitted.
handshake protocol phases  1st phase Establish security capabilities  2nd phase Server authentication and key exchange  3rd phase Client authentication and key exchange  4th phase finish
Handshake Protocol Action
Full handshake
Re-establish old session
Cryptographic computations  Shared master secret : 48 byte  Creation in 2 stages  Pre-master secret exchanged ○ RSA ○ Diffie Hellman  Master secret calculated at both ends  Use of master secret at client end  Client write MAC secret  Client write key  Client write IV  Use of master secret at client end  Server write MAC secret  Server write key  Client write IV
Transport Layer Security  The same record format as the SSL record format.  Defined in RFC 2246.  Similar to SSLv3.  Differences in the:  version number (3.1)  message authentication code (HMAC, TLScomressed.version)  pseudorandom function ( different from SSL)  alert codes ( more in TSL)  cipher suites ( fortezza dropped)  client certificate types ( fortezza schemes not included)  certificate_verify and finished message ( calculation different)  cryptographic computations ( different from SSL)  Padding ( any amount for total length = Xblock length upto max 255 bytes )
Master secret in SSL Master secret = MD5(pre_master_secret||SHA(“A”|| pre_master_secret||ClientHello.random|| serverHello.random))|| MD5(pre_master_secret||SHA(“BB”|| pre_master_secret||ClientHello.random|| serverHello.random))|| MD5(pre_master_secret||SHA(“CCC”|| pre_master_secret||ClientHello.random|| serverHello.random))||
Key block in SSL Key block = MD5(master_secret||SHA(“A”|| master_secret||serverHello.random|| ClientHello.random))|| MD5(master_secret||SHA(“BB”|| pre_master_secret|| serverHello.random|| ClientHello.random))|| MD5(master_secret||SHA(“CCC”|| pre_master_secret|| serverHello.random|| ClientHello.random))||…..
Master secret and Key block in TLS Master secret = PRF(pre_master_secret, “master secret”, ClientHello.random||serverHello.random) Key block = PRF(master_secret, “key expansion”, Security Parameters.server_random|| SecurityParameters.client_random) PRF(secret,label,seed) = P_MD5(S1,label|| seed)XOR P_SHA-1(S2,label||seed)
Secure Electronic Transactions  An open encryption and security specification.  Protect credit card transaction on the Internet.  Companies involved: MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign  Not a payment system.  Set of security protocols and formats.
SET Services  Provides a secure communication channel in a transaction.  Provides tust by the use of X.509v3 digital certificates.  Ensures privacy.
SET Overview  Key Features of SET: Confidentiality of information Integrity of data Cardholder account authentication Merchant authentication
SET Participants
SET participants  Cardholder: authorised holder of credit card issued by issuer. Interacts with merchants over internet  Merchant : Seller of goods over internet  Issuer : Bank which issues credit card to card holder.  Acquirer : Fin institution which has an account with a merchant, processes card authorisation and payments.  Payment gateway: Interfaces between SET and Payment network  CA: Issues X.509 certificates to All players
Sequence of events for transactions 1. The customer opens an account. 2. The customer receives a certificate. 3. Merchants have their own certificates. 4. The customer places an order. 5. The merchant is verified. 6. The order and payment are sent. 7. The merchant request payment authorization. 8. The merchant confirm the order. 9. The merchant provides the goods or service. 10. The merchant requests payments.
Dual Signature H(OI))]||)(([ PIHHEDS cKR=
Payment processing Cardholder sends Purchase Request
Payment processing Merchant Verifies Customer Purchase Request
Payment processing  Payment Request: Initiate request Initiate response Purchase request Purchase response  Payment Authorization: Authorization Request Authorization Response  Payment Capture: Capture Request Capture Response
Payment Request  Initiate request from card holder  Request certificates to merchant  Incl: Brand of cc, ID req/resp, nonce  Initiate response by merchant  Response signed by Kr of merchant  Incl: Cust nonce, new nonce, trans ID, merchant’s signature certificate, payment gateways key exchange certificate Cardholder  verifies merchant and gateway’s certificates  Generates ○ OI- ref to order ○ PI – card number, value etc
Payment Request  Purchase request by card holder Forwarded to payment gateway ○ Incl: EKs[PI+Dual sig+OIMD], EKUch[Ks] To merchant ○ OI+dual sig+PIMD, CH certificate  Purchase response by merchant Incl: Trans ID, response block with order ack signed by merchant using Kr, merchant’s signature certificate Card holder Verifies merchant’s signature on response block
Payment Authorization  Authorization Request to payment gateway from merchant  forwarded ○ PI+dual sig+OIMD+EKUch[Ks]  Generated ○ Auth block: EKms[SignKrm[Trans ID]] ○ EKUpg[EKms]  Certificates ○ Card holder signature key, merchant signature key and merchant key exchange certificates Payment gateway  Verifies all certificates, obtains EKms, decrypts auth block, verifies merchant’s sign, verifies dual sign, verifies trans ID, requests and receives an auth from issuer  Authorisation response by payment gateway to merchant  Auth block: ○ EKpgs[SignKrpg[authorisation]] ○ EKUm[EKpgs]  Capture token info: ○ EKpgs[SignKrpg[capture token]]  Certificate ○ Gateway’s signature key certifixcate
Payment capture  Capture Request by merchant to payment gateway Capture req block ○ Amount+Trand ID+token signed and encrypted by merchant This is verified by payment gateway. Req issuer to release payment  Capture Response by payment gateway to merchant confirmation of payment

Recommended

IP Security
IP SecurityIP Security
IP SecurityKeshab Nath
 
IP Security
IP SecurityIP Security
IP SecurityAmbo University
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6limsh
 
Internet protocol security
Internet protocol securityInternet protocol security
Internet protocol securityfarhan516
 
Ip security
Ip security Ip security
Ip security Naveen Dubey
 
Ipsec
IpsecIpsec
IpsecRupesh Mishra
 
Keymanagement of ipsec
Keymanagement of ipsecKeymanagement of ipsec
Keymanagement of ipsecPACHIYAPPAN PACHIYAPPAS
 
IP Security and its Components
IP Security and its ComponentsIP Security and its Components
IP Security and its ComponentsMohibullah Saail
 

Recommended

IP Security
IP SecurityIP Security
IP SecurityKeshab Nath
 
IP Security
IP SecurityIP Security
IP SecurityAmbo University
 
BAIT1103 Chapter 6
BAIT1103 Chapter 6BAIT1103 Chapter 6
BAIT1103 Chapter 6limsh
 
Internet protocol security
Internet protocol securityInternet protocol security
Internet protocol securityfarhan516
 
Ip security
Ip security Ip security
Ip security Naveen Dubey
 
Ipsec
IpsecIpsec
IpsecRupesh Mishra
 
Keymanagement of ipsec
Keymanagement of ipsecKeymanagement of ipsec
Keymanagement of ipsecPACHIYAPPAN PACHIYAPPAS
 
IP Security and its Components
IP Security and its ComponentsIP Security and its Components
IP Security and its ComponentsMohibullah Saail
 
Ipsec
IpsecIpsec
IpsecBaidyanath Dutta
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip securityrajakhurram
 
IS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecurityIS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecuritySarthak Patel
 
IP Protocol Security
IP Protocol SecurityIP Protocol Security
IP Protocol SecurityDavid Barker
 
Ip security
Ip security Ip security
Ip security Dr.K.Sreenivas Rao
 
8 Authentication Security Protocols
8 Authentication Security Protocols8 Authentication Security Protocols
8 Authentication Security Protocolsguestfbf635
 
Ip Sec
Ip SecIp Sec
Ip SecRam Dutt Shukla
 
Ip sec talk
Ip sec talkIp sec talk
Ip sec talkanoean
 
Ip security
Ip securityIp security
Ip securityJernej Virag
 
IP Security in Network Security NS6
IP Security in Network Security NS6IP Security in Network Security NS6
IP Security in Network Security NS6koolkampus
 
ip security
ip securityip security
ip securityChirag Patel
 
IP Security
IP SecurityIP Security
IP Securitysahilshah200
 
Internet security protocol
Internet security protocolInternet security protocol
Internet security protocolMousmi Pawar
 
Ipsecurity
IpsecurityIpsecurity
IpsecurityJyoshna Cec Cse Staf bejjam
 
S/MIME
S/MIMES/MIME
S/MIMEmaria azam
 
IPSec VPN tunnel
IPSec VPN tunnelIPSec VPN tunnel
IPSec VPN tunnelArunKumar Subbiah
 
Cns unit4
Cns unit4Cns unit4
Cns unit4PRADEEPJ30
 
IP security Part 1
IP security Part 1IP security Part 1
IP security Part 1CAS
 
IP Sec - Basic Concepts
IP Sec - Basic ConceptsIP Sec - Basic Concepts
IP Sec - Basic ConceptsAvadhesh Agrawal
 
Video dissemination over hybrid cellular and ad hoc networks
Video dissemination over hybrid cellular and ad hoc networksVideo dissemination over hybrid cellular and ad hoc networks
Video dissemination over hybrid cellular and ad hoc networksLeMeniz Infotech
 
Colegionicolsesguerra 1305151jojgkfvukfv
Colegionicolsesguerra 1305151jojgkfvukfvColegionicolsesguerra 1305151jojgkfvukfv
Colegionicolsesguerra 1305151jojgkfvukfvJuan David Valderrama
 
Caso - IKON
Caso - IKONCaso - IKON
Caso - IKONInformatica Latinoamerica
 

More Related Content

What's hot

Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip securityrajakhurram
 
IS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecurityIS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecuritySarthak Patel
 
IP Protocol Security
IP Protocol SecurityIP Protocol Security
IP Protocol SecurityDavid Barker
 
8 Authentication Security Protocols
8 Authentication Security Protocols8 Authentication Security Protocols
8 Authentication Security Protocolsguestfbf635
 
Ip sec talk
Ip sec talkIp sec talk
Ip sec talkanoean
 
IP Security in Network Security NS6
IP Security in Network Security NS6IP Security in Network Security NS6
IP Security in Network Security NS6koolkampus
 
Internet security protocol
Internet security protocolInternet security protocol
Internet security protocolMousmi Pawar
 
IP security Part 1
IP security Part 1IP security Part 1
IP security Part 1CAS
 

What's hot (19)

Ipsec
IpsecIpsec
Ipsec
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip security
 
IS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email SecurityIS Unit 8_IP Security and Email Security
IS Unit 8_IP Security and Email Security
 
IP Protocol Security
IP Protocol SecurityIP Protocol Security
IP Protocol Security
 
Ip security
Ip security Ip security
Ip security
 
8 Authentication Security Protocols
8 Authentication Security Protocols8 Authentication Security Protocols
8 Authentication Security Protocols
 
Ip Sec
Ip SecIp Sec
Ip Sec
 
Ip sec talk
Ip sec talkIp sec talk
Ip sec talk
 
Ip security
Ip securityIp security
Ip security
 
IP Security in Network Security NS6
IP Security in Network Security NS6IP Security in Network Security NS6
IP Security in Network Security NS6
 
ip security
ip securityip security
ip security
 
IP Security
IP SecurityIP Security
IP Security
 
Internet security protocol
Internet security protocolInternet security protocol
Internet security protocol
 
Ipsecurity
IpsecurityIpsecurity
Ipsecurity
 
S/MIME
S/MIMES/MIME
S/MIME
 
IPSec VPN tunnel
IPSec VPN tunnelIPSec VPN tunnel
IPSec VPN tunnel
 
Cns unit4
Cns unit4Cns unit4
Cns unit4
 
IP security Part 1
IP security Part 1IP security Part 1
IP security Part 1
 
IP Sec - Basic Concepts
IP Sec - Basic ConceptsIP Sec - Basic Concepts
IP Sec - Basic Concepts
 

Viewers also liked

Video dissemination over hybrid cellular and ad hoc networks
Video dissemination over hybrid cellular and ad hoc networksVideo dissemination over hybrid cellular and ad hoc networks
Video dissemination over hybrid cellular and ad hoc networksLeMeniz Infotech
 
Colegionicolsesguerra 1305151jojgkfvukfv
Colegionicolsesguerra 1305151jojgkfvukfvColegionicolsesguerra 1305151jojgkfvukfv
Colegionicolsesguerra 1305151jojgkfvukfvJuan David Valderrama
 
Nota técnica do mpf sobre proposta que aumenta poderes dos delegados
Nota técnica do mpf sobre proposta que aumenta poderes dos delegadosNota técnica do mpf sobre proposta que aumenta poderes dos delegados
Nota técnica do mpf sobre proposta que aumenta poderes dos delegadosJosé Ripardo
 
Ontwikkeling van de bouwconjunctuur in september
Ontwikkeling van de bouwconjunctuur in september Ontwikkeling van de bouwconjunctuur in september
Ontwikkeling van de bouwconjunctuur in september Buildsight Communicatie
 
Novell group wise to exchange
Novell group wise to exchangeNovell group wise to exchange
Novell group wise to exchangejohnsonnobuko
 
Marcelo caetano
Marcelo caetanoMarcelo caetano
Marcelo caetanoberenvaz
 
Nota técnica do mpf sobre a pec 37, a pec da impunidade
Nota técnica do mpf sobre a pec 37, a pec da impunidadeNota técnica do mpf sobre a pec 37, a pec da impunidade
Nota técnica do mpf sobre a pec 37, a pec da impunidadeJosé Ripardo
 
La colonia en mexico (la administracion)
La colonia en mexico (la administracion)La colonia en mexico (la administracion)
La colonia en mexico (la administracion)insucoppt
 
EIA 2015 How Start-ups Can Go Faster with Google Cloud Platform
EIA 2015 How Start-ups Can Go Faster with Google Cloud PlatformEIA 2015 How Start-ups Can Go Faster with Google Cloud Platform
EIA 2015 How Start-ups Can Go Faster with Google Cloud PlatformEuropean Innovation Academy
 
inscription club natation
inscription club natationinscription club natation
inscription club natationbenyahiaimene
 

Viewers also liked (20)

Video dissemination over hybrid cellular and ad hoc networks
Video dissemination over hybrid cellular and ad hoc networksVideo dissemination over hybrid cellular and ad hoc networks
Video dissemination over hybrid cellular and ad hoc networks
 
Colegionicolsesguerra 1305151jojgkfvukfv
Colegionicolsesguerra 1305151jojgkfvukfvColegionicolsesguerra 1305151jojgkfvukfv
Colegionicolsesguerra 1305151jojgkfvukfv
 
Caso - IKON
Caso - IKONCaso - IKON
Caso - IKON
 
Inicio
InicioInicio
Inicio
 
Nota técnica do mpf sobre proposta que aumenta poderes dos delegados
Nota técnica do mpf sobre proposta que aumenta poderes dos delegadosNota técnica do mpf sobre proposta que aumenta poderes dos delegados
Nota técnica do mpf sobre proposta que aumenta poderes dos delegados
 
Ontwikkeling van de bouwconjunctuur in september
Ontwikkeling van de bouwconjunctuur in september Ontwikkeling van de bouwconjunctuur in september
Ontwikkeling van de bouwconjunctuur in september
 
Nido
NidoNido
Nido
 
Novell group wise to exchange
Novell group wise to exchangeNovell group wise to exchange
Novell group wise to exchange
 
Cribado de las enfermedades genéticas.
Cribado de las enfermedades genéticas.Cribado de las enfermedades genéticas.
Cribado de las enfermedades genéticas.
 
Marcelo caetano
Marcelo caetanoMarcelo caetano
Marcelo caetano
 
The Meaning of Patent Infringement and Patent Litigation
The Meaning of Patent Infringement and Patent LitigationThe Meaning of Patent Infringement and Patent Litigation
The Meaning of Patent Infringement and Patent Litigation
 
La fabula
La fabulaLa fabula
La fabula
 
Nota técnica do mpf sobre a pec 37, a pec da impunidade
Nota técnica do mpf sobre a pec 37, a pec da impunidadeNota técnica do mpf sobre a pec 37, a pec da impunidade
Nota técnica do mpf sobre a pec 37, a pec da impunidade
 
La elipse
La elipseLa elipse
La elipse
 
La colonia en mexico (la administracion)
La colonia en mexico (la administracion)La colonia en mexico (la administracion)
La colonia en mexico (la administracion)
 
EIA 2015 How Start-ups Can Go Faster with Google Cloud Platform
EIA 2015 How Start-ups Can Go Faster with Google Cloud PlatformEIA 2015 How Start-ups Can Go Faster with Google Cloud Platform
EIA 2015 How Start-ups Can Go Faster with Google Cloud Platform
 
inscription club natation
inscription club natationinscription club natation
inscription club natation
 
Examen admonredes
Examen admonredesExamen admonredes
Examen admonredes
 
Suelos y aguas
Suelos y aguasSuelos y aguas
Suelos y aguas
 
Buscadores
BuscadoresBuscadores
Buscadores
 

Similar to Websecurity

authentication and access control(http://4knet.ir)
authentication and access control(http://4knet.ir)authentication and access control(http://4knet.ir)
authentication and access control(http://4knet.ir)Azad Kaki
 
Network Security_3rd Module_Dr. Shivashankar
Network Security_3rd Module_Dr. ShivashankarNetwork Security_3rd Module_Dr. Shivashankar
Network Security_3rd Module_Dr. ShivashankarDr. Shivashankar
 
Web security
Web securityWeb security
Web securityLayla Tk
 

Similar to Websecurity (20)

Web Security
Web SecurityWeb Security
Web Security
 
IS - SSL
IS - SSLIS - SSL
IS - SSL
 
WLAN and IP security
WLAN and IP securityWLAN and IP security
WLAN and IP security
 
CNS UNIT-VI.pptx
CNS UNIT-VI.pptxCNS UNIT-VI.pptx
CNS UNIT-VI.pptx
 
Ip Sec Rev1
Ip Sec Rev1Ip Sec Rev1
Ip Sec Rev1
 
Unit 6
Unit 6Unit 6
Unit 6
 
Ipsec vpn v0.1
Ipsec vpn v0.1Ipsec vpn v0.1
Ipsec vpn v0.1
 
Wireless Security
Wireless SecurityWireless Security
Wireless Security
 
Ip Sec
Ip SecIp Sec
Ip Sec
 
Unit 6
Unit 6Unit 6
Unit 6
 
Vpn
VpnVpn
Vpn
 
VPN presentation - moeshesh
VPN presentation - moesheshVPN presentation - moeshesh
VPN presentation - moeshesh
 
authentication and access control(http://4knet.ir)
authentication and access control(http://4knet.ir)authentication and access control(http://4knet.ir)
authentication and access control(http://4knet.ir)
 
Network IP Security.pdf
Network IP Security.pdfNetwork IP Security.pdf
Network IP Security.pdf
 
Network Security_3rd Module_Dr. Shivashankar
Network Security_3rd Module_Dr. ShivashankarNetwork Security_3rd Module_Dr. Shivashankar
Network Security_3rd Module_Dr. Shivashankar
 
Lecture14..pdf
Lecture14..pdfLecture14..pdf
Lecture14..pdf
 
Unit 5
Unit 5Unit 5
Unit 5
 
vpn_1104046
vpn_1104046vpn_1104046
vpn_1104046
 
Ecommerce final ppt
Ecommerce final pptEcommerce final ppt
Ecommerce final ppt
 
Web security
Web securityWeb security
Web security
 

Recently uploaded

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxnull - The Open Security Community
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 

Recently uploaded (20)

FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptxMaking_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
Making_way_through_DLL_hollowing_inspite_of_CFG_by_Debjeet Banerjee.pptx
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 

Websecurity

  • 2. Information securityInformation security  Pre computer age Rugged filing cabinets with combination lock  Computer age Automated tools for security  Computer security Collection of tools to protect data  Network security  Internet security 3
  • 3. 3 aspects of information security3 aspects of information security  Security Attack: Any action that compromises the security of information.  Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.  Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms. 4
  • 4. Web Security Considerations  WWW is Client server application over Internet and TCP/IP intranets  Web is vulnerable to attacks on web servers over the Internet  The WEB is visible outlet for corporates  Web servers are easy to configure and manage.  Complex software hide many security flaws.  Subverted servers will provide access to intranet systems  Users are not aware of the risks.
  • 5. Internet security issuesInternet security issues  Requirements  Confidentiality  Authentication  Nonrepudiation  Integrity  Selection of algorithms  Services  Security mechanisms  Creation, distribution and protection of secret keys  Dependence of protocol  Placement of security mechanisms 6
  • 6. OSI security architecture  ITU-T recommendations X.800 Defines a systematic approach  International standard For managers to provide security For security products  Focuses on services, mechanisms and attacks 7
  • 7. Security services  Definition in RFC 2828 A processing or communication service that is provided by a system to give a specific kind of protection to system resources  X.800 services Five categories and 14 specific services 8
  • 8. Categories  Authentication  Access control  Data Confidentiality  Data Integrity  Nonrepudiation 9
  • 9. Specific services  Authentication (1) Peer entity authentication (2) Data-origin authentication  Data confidentiality (3) Connection confidentiality (4) Connectionless confidentiality (5) Selective-field confidentiality (6) Traffic flow confidentiality 10
  • 10. Specific services  Data integrity (7) Connection integrity with recovery (8) Connection integrity without recovery (9) Selective-field Connection Integrity (10) Connectionless Integrity (11) Selective-field Connectionless Integrity 11
  • 11. Specific services  Nonrepudiation (12) Nonrepudiation, origin (13) Nonrepudiation, destination (14) Availability service Protect to ensure availability Depends on - Proper management & control of system resources 12
  • 12. Security mechanisms (Specific)  Encipherment  Digital signature  Access control  Data integrity  Authentication exchange  Traffic padding  Routing control  Notarization 13
  • 13. Security mechanisms (Pervasive)  Trusted functionality  Security label  Event detection  Security audit trail  Security recovery 14
  • 15. Security AttacksSecurity Attacks  Interruption: This is an attack on availability  Interception: This is an attack on confidentiality  Modification: This is an attack on integrity  Fabrication: This is an attack on authenticity 16
  • 16. 17
  • 17. Methods of DefenceMethods of Defence  Encryption  Software Controls (access limitations in a data base, in operating system protect each user from other users)  Hardware Controls (smartcard)  Policies (frequent changes of passwords)  Physical Controls 20
  • 18. Placement of security mechanisms  Link to link Hardware device Application unaware Distribution of keys a problem  End to end Application/software aware Large no of keys involved
  • 19. Link layer mechanisms  Radius (Remote authentication dial in user service) NSA, RADIUS servers Authentication, authorisation, accounting  WEP (Wireless encryption Protocol) Static keys  WPA (WiFi protected Access) Dynamic keys
  • 20. Security mechanisms in the TCP/IP protocol stack
  • 21. Need for IPSec  Application level security services  Electronic mail ○ S/MIME, PGP  Client Server ○ Kerberos, X.509  Web access ○ SSL, TLS, SET  Enterprises need security at IP layer  To protect security ignorant applications  Additional security to applications with security mechanisms  Establish private secure network
  • 24. IP Security Overview  IPSec is not a single protocol.  IPSec provides a set of security algorithms  IPSec provides a general security framework for a pair of communicating entities  Across LAN, Private & Public WANs  Across Internet
  • 25. IP Security Overview  Applications of IPSec Secure branch office connectivity over the Internet Secure remote access over the Internet Establsihing extranet and intranet connectivity with partners Enhancing electronic commerce security
  • 26. IP Security Overview  Benefits of IPSec Better firewall protection Transparent to applications (below transport layer (TCP, UDP) Provide security for individual users  IPSec can assure that: A router or neighbor advertisement comes from an authorized router A redirect message comes from the router to which the initial packet was sent A routing update is not forged
  • 28. IP Security Architectures  Integrated architecture Supported in IPv6 Difficult to implement in IPv4  Bump in The stack (BITS) for IPv4 Between Data link and IP layers  Bump in The Wire (BITW) Hardware implementation
  • 29. IPSec RFCs  IPSec documents: RFC 2401: An overview of security architecture RFC 2402: Description of a packet authentication extension to IPv4 and IPv6 RFC 2406: Description of a packet encryption extension to IPv4 and IPv6 RFC 2408: Specification of key managament capabilities
  • 30. IPSec Services  Access Control  Connectionless integrity  Data origin authentication  Rejection of replayed packets  Confidentiality (encryption)  Limited traffic flow confidentiallity
  • 31. IPSec protocols  Authentication header (AH)  Encapsulating security payload (ESP)  ESP with Authentication
  • 32. IPSec modes of operations  Transport IPSec protects IP payload IPSec headers added before IP payload No change in IP header  Tunnel IPSec protects total IP packet IPSec headers encapsulates IP packet New IP header is created
  • 33. Discussion onTunnel and Transport mode  Tunnel mode header order New IP hdr->IPsec hdr->old IP hdr->IP payload BITS or BITW architecture Choice for VPN  Transport mode header order IP hdr->IPSec hdr->IP payload IPSec integrated architecture End to End security
  • 34. Protocols Transport Mode SA Tunnel Mode SA AH Authenticates IP payload and selected portions of IP header and IPv6 extension headers Authenticates entire inner IP packet plus selected portions of outer IP header ESP Encrypts IP payload and any IPv6 extesion header Encrypts inner IP packet ESP with authentication Encrypts IP payload and any IPv6 extesion header. Authenticates IP payload but no IP header Encrypts inner IP packet. Authenticates inner IP packet. Security services
  • 38. ESP Encryption and Authentication
  • 44. SSL and TLS  SSL was originated by Netscape  TLS working group was formed within IETF  First version of TLS can be viewed as an SSLv3.1
  • 45. SSL  Make use of TCP  Provide reliable end to end secure communication  Two layers of protocols Higher layer ○ Handshake ○ change cipher spec ○ Alert Lower layer ○ Record
  • 47. SSL connection  A logical client/server link  A peer-to-peer connection with two network nodes.  Transient.  Every connection associated with one session.
  • 48. SSL session  An association between a client and a server  Defines a set of parameters such as algorithms used, session number etc.  An SSL session is created by the Handshake Protocol  that allows parameters to be shared among the connections made between the server and the client  Sessions are used to avoid negotiation of new parameters for each connection.  A single session is shared among multiple SSL connections between the client and the server.  In theory, it may also be possible that multiple sessions are shared by a single connection, but this feature is not used in practice.
  • 49. SSL session state  A session state is defined by the following parameters:  session identifier: this is an identifier generated by the server to identify a session with a chosen client,  Peer certificate: X.509 certificate of the peer,  compression method: a method used to compress data prior to encryption,  CipherSpec: specifies the bulk data encryption algorithm (for example DES) and the hash algorithm (for example MD5) used during the session,  Master secret: 48-byte data being a secret shared between the client and server  “is resumable”: this is a flag indicating whether the session can be used to initiate new connections.
  • 50. SSL connection state  The SSL connection state is defined by the following parameters:  Server and client random: random data generated by both the client and server for each connection,  Server write MAC secret: the secret key used for data written by the server,  Client write MAC secret: the secret used for data written by the client,  Server write key: the bulk cipher key for data encrypted by the server and decrypted by the client,  Client write key: the bulk cipher key for data encrypted by the client and decrypted by the server,  Initialisation vectors: for CBC mode of block cipher  Sequence number: sequence numbers maintained separately by the server for messages transmitted and received during the data session.
  • 51. Record protocol  Services provided Confidentiality ○ Encryption of payloads using shared secret key obtained from handshake protocol Message Integrity ○ MAC using shared secret key obtained from handshake protocol
  • 52. SSL Record Protocol Operation
  • 54. Change cipher spec protocol  Payload of record protocol  Consist of single message Single byte value = 1  Purpose of message Cause copy of pending state to current state Updates cipher suite to be used on the current connection
  • 55. Alert protocol  Conveys SSL alerts to peer  Payload of record  Consists of two bytes 1st byte : warning or fatal 2nd byte: code for specific alerts
  • 57. Handshake Protocol  The most complex part of SSL.  Allows the server and client to authenticate each other.  Negotiate encryption, MAC algorithm and cryptographic keys.  Used before any application data are transmitted.
  • 58. handshake protocol phases  1st phase Establish security capabilities  2nd phase Server authentication and key exchange  3rd phase Client authentication and key exchange  4th phase finish
  • 62. Cryptographic computations  Shared master secret : 48 byte  Creation in 2 stages  Pre-master secret exchanged ○ RSA ○ Diffie Hellman  Master secret calculated at both ends  Use of master secret at client end  Client write MAC secret  Client write key  Client write IV  Use of master secret at client end  Server write MAC secret  Server write key  Client write IV
  • 63. Transport Layer Security  The same record format as the SSL record format.  Defined in RFC 2246.  Similar to SSLv3.  Differences in the:  version number (3.1)  message authentication code (HMAC, TLScomressed.version)  pseudorandom function ( different from SSL)  alert codes ( more in TSL)  cipher suites ( fortezza dropped)  client certificate types ( fortezza schemes not included)  certificate_verify and finished message ( calculation different)  cryptographic computations ( different from SSL)  Padding ( any amount for total length = Xblock length upto max 255 bytes )
  • 64.
  • 65. Master secret in SSL Master secret = MD5(pre_master_secret||SHA(“A”|| pre_master_secret||ClientHello.random|| serverHello.random))|| MD5(pre_master_secret||SHA(“BB”|| pre_master_secret||ClientHello.random|| serverHello.random))|| MD5(pre_master_secret||SHA(“CCC”|| pre_master_secret||ClientHello.random|| serverHello.random))||
  • 66. Key block in SSL Key block = MD5(master_secret||SHA(“A”|| master_secret||serverHello.random|| ClientHello.random))|| MD5(master_secret||SHA(“BB”|| pre_master_secret|| serverHello.random|| ClientHello.random))|| MD5(master_secret||SHA(“CCC”|| pre_master_secret|| serverHello.random|| ClientHello.random))||…..
  • 67. Master secret and Key block in TLS Master secret = PRF(pre_master_secret, “master secret”, ClientHello.random||serverHello.random) Key block = PRF(master_secret, “key expansion”, Security Parameters.server_random|| SecurityParameters.client_random) PRF(secret,label,seed) = P_MD5(S1,label|| seed)XOR P_SHA-1(S2,label||seed)
  • 68. Secure Electronic Transactions  An open encryption and security specification.  Protect credit card transaction on the Internet.  Companies involved: MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign  Not a payment system.  Set of security protocols and formats.
  • 69. SET Services  Provides a secure communication channel in a transaction.  Provides tust by the use of X.509v3 digital certificates.  Ensures privacy.
  • 70. SET Overview  Key Features of SET: Confidentiality of information Integrity of data Cardholder account authentication Merchant authentication
  • 72. SET participants  Cardholder: authorised holder of credit card issued by issuer. Interacts with merchants over internet  Merchant : Seller of goods over internet  Issuer : Bank which issues credit card to card holder.  Acquirer : Fin institution which has an account with a merchant, processes card authorisation and payments.  Payment gateway: Interfaces between SET and Payment network  CA: Issues X.509 certificates to All players
  • 73. Sequence of events for transactions 1. The customer opens an account. 2. The customer receives a certificate. 3. Merchants have their own certificates. 4. The customer places an order. 5. The merchant is verified. 6. The order and payment are sent. 7. The merchant request payment authorization. 8. The merchant confirm the order. 9. The merchant provides the goods or service. 10. The merchant requests payments.
  • 76. Payment processing Merchant Verifies Customer Purchase Request
  • 77. Payment processing  Payment Request: Initiate request Initiate response Purchase request Purchase response  Payment Authorization: Authorization Request Authorization Response  Payment Capture: Capture Request Capture Response
  • 78. Payment Request  Initiate request from card holder  Request certificates to merchant  Incl: Brand of cc, ID req/resp, nonce  Initiate response by merchant  Response signed by Kr of merchant  Incl: Cust nonce, new nonce, trans ID, merchant’s signature certificate, payment gateways key exchange certificate Cardholder  verifies merchant and gateway’s certificates  Generates ○ OI- ref to order ○ PI – card number, value etc
  • 79. Payment Request  Purchase request by card holder Forwarded to payment gateway ○ Incl: EKs[PI+Dual sig+OIMD], EKUch[Ks] To merchant ○ OI+dual sig+PIMD, CH certificate  Purchase response by merchant Incl: Trans ID, response block with order ack signed by merchant using Kr, merchant’s signature certificate Card holder Verifies merchant’s signature on response block
  • 80. Payment Authorization  Authorization Request to payment gateway from merchant  forwarded ○ PI+dual sig+OIMD+EKUch[Ks]  Generated ○ Auth block: EKms[SignKrm[Trans ID]] ○ EKUpg[EKms]  Certificates ○ Card holder signature key, merchant signature key and merchant key exchange certificates Payment gateway  Verifies all certificates, obtains EKms, decrypts auth block, verifies merchant’s sign, verifies dual sign, verifies trans ID, requests and receives an auth from issuer  Authorisation response by payment gateway to merchant  Auth block: ○ EKpgs[SignKrpg[authorisation]] ○ EKUm[EKpgs]  Capture token info: ○ EKpgs[SignKrpg[capture token]]  Certificate ○ Gateway’s signature key certifixcate
  • 81. Payment capture  Capture Request by merchant to payment gateway Capture req block ○ Amount+Trand ID+token signed and encrypted by merchant This is verified by payment gateway. Req issuer to release payment  Capture Response by payment gateway to merchant confirmation of payment