Web Security
- Web now widely used by business, government, individuals
- But internet & web are vulnerable
- Have a variety of threats
  - Integrity
  - Confidentiality
  - Denial of service
  - Authentication
- Need added security mechanisms
SHIRAJ MOHAMED M | MIS UNIT
(transport layer security)
- Uses TCP to provide a reliable end-to-end service
- SSL has two layers of protocols
SSL Architecture
- SSL connection
  - Network transport
  - A transient, peer-to-peer communications link
  - Associated with 1 SSL session
- SSL session
  - An association between client & server
  - Created by the handshake protocol
  - Defines a set of cryptographic parameters
  - May be shared by multiple SSL connections
- Confidentiality
  - Using symmetric encryption with a shared secret key
record protocol
- A single message
- Causes pending state to become current
- Hence updating the cipher suite in use
- Specific alerts
  - Warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
  - Fatal: unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter
1. Establish security capabilities
2. Server authentication and key exchange
3. Client authentication and key exchange
4. Finish
SET Components
SET Transaction
1. Customer opens account
2. Customer receives a certificate
3. Merchants have their own certificates
4. Customer places an order
5. Merchant is verified
6. Order and payment are sent
7. Merchant requests payment authorization
8. Merchant confirms order
9. Merchant provides goods or service
10. Merchant requests payment
Dual Signature
- Customer creates dual messages
  - Order information (OI) for merchant
  - Payment information (PI) for bank
- Neither party needs details of the other
  - But must know they are linked
  - Use a dual signature for this
- Signed concatenated hashes of OI & PI

  DS = E(PRc, [H(H(PI) || H(OI))])
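The dual signature and the two one-sided checks it enables, as an added example in Go (not from the slides): RSA PKCS#1 v1.5 over SHA-256 stands in for E(PRc, .) and H, and the OI/PI strings are constructed sample data. The merchant sees OI plus only H(PI); the bank sees PI plus only H(OI); both can still verify the same DS.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// DualSignature is what the customer sends along: the signature plus the
// digest each party needs to relink the message it never sees in clear.
type DualSignature struct {
	PIMD []byte // H(PI), forwarded to the merchant
	OIMD []byte // H(OI), forwarded to the bank
	DS   []byte // E(PRc, H(PIMD || OIMD))
}

// h hashes the concatenation of its arguments (stand-in for H).
func h(parts ...[]byte) []byte {
	d := sha256.New()
	for _, p := range parts {
		d.Write(p)
	}
	return d.Sum(nil)
}

// Sign computes DS = E(PRc, [H(H(PI) || H(OI))]) with the customer's private key.
func Sign(prc *rsa.PrivateKey, pi, oi []byte) (DualSignature, error) {
	pimd, oimd := h(pi), h(oi)
	ds, err := rsa.SignPKCS1v15(rand.Reader, prc, crypto.SHA256, h(pimd, oimd))
	return DualSignature{PIMD: pimd, OIMD: oimd, DS: ds}, err
}

// MerchantVerify recomputes H(OI), joins it with the supplied H(PI), and checks DS.
func MerchantVerify(puc *rsa.PublicKey, oi []byte, sig DualSignature) bool {
	return rsa.VerifyPKCS1v15(puc, crypto.SHA256, h(sig.PIMD, h(oi)), sig.DS) == nil
}

// BankVerify recomputes H(PI), joins it with the supplied H(OI), and checks DS.
func BankVerify(puc *rsa.PublicKey, pi []byte, sig DualSignature) bool {
	return rsa.VerifyPKCS1v15(puc, crypto.SHA256, h(h(pi), sig.OIMD), sig.DS) == nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // customer key pair (PRc, PUc)
	pi, oi := []byte("PI: card 4111-xxxx (constructed)"), []byte("OI: 1 x book (constructed)")
	sig, _ := Sign(key, pi, oi)
	fmt.Println(MerchantVerify(&key.PublicKey, oi, sig), BankVerify(&key.PublicKey, pi, sig)) // true true
}
```

Because each side only holds the other message's digest, a merchant that alters OI or a bank that is handed a different H(OI) can no longer reproduce the signed value, so the link between order and payment is detectable without either party seeing the other's data.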
SET purchase request exchange consists of four messages:
1. Initiate request - get certificates
2. Initiate response - signed response
3. Purchase request - of OI & PI
4. Purchase response - ack order
Payment gateway processing of the merchant's authorization request:
1. Verifies all certificates
2. Decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block
3. Verifies merchant's signature on authorization block
4. Decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block
5. Verifies dual signature on payment block
6. Verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer
7. Requests & receives an authorization from issuer
8. Sends authorization response back to merchant
Payment Capture
- Merchant sends payment gateway a payment capture request
- Gateway checks request
- Then causes funds to be transferred to merchant's account
- Notifies merchant using capture response
Summary
- Have considered:
  - Need for web security
  - SSL/TLS transport layer security protocols
  - SET secure credit card payment protocol