SlideShare a Scribd company logo

Web security

Subhash Basistha
Subhash Basistha

This ppt will discuss the basic security issues in web . And how to overcome this.

InternetTechnologyEducation
1 of 62
Download to read offline
Presentation on web security Presented by Subhash Basishtha Saptarshi Boruah 05/28/14 1ASSAM UNIVERSITY SILCHAR
contents  Introduction  Issues related to web security -client-side issues -server-side issues -data on transmission issues  Solution to web security: SSL  SSL Architecture  Its advantages and uses  SET:  conclusion 05/28/14 2ASSAM UNIVERSITY SILCHAR
introduction o Now-a-days almost everything relies on computers and all the sensitive tasks are done through the web: -communication(email) -shopping(online store) -transportation(e-ticketing) -database access -entertainment etc. “web security involves protecting those information by preventing,detecting and responding to attacks” 05/28/14 3ASSAM UNIVERSITY SILCHAR
Web security: client-side security risks Browser risks: -Crashes the browser, damages the user's system, or merely creates an annoyance. -The misuse of personal information knowingly or unknowingly provided by the end-user. Active content, such as ActiveX controls and Java applets: – Introduces the possibility that Web browsing will introduce viruses or other malicious software into the user's system,
Web security: server-side security risks  Risk: Allow unauthorized remote users to: – Steal confidential documents. – Execute commands on the server host machine to modify the system. – Gain information about the Web server's host machine to break into the system. – Launch denial-of-service attacks, rendering the machine temporarily unusable. 05/28/14 5ASSAM UNIVERSITY SILCHAR
server-side security risks(contd..)  Bugs in the Web server - Buggy software opens up security holes.  Misconfiguration problems in the Web server – A poorly configured Web server can punch a hole in the most carefully designed firewall system. 05/28/14 6ASSAM UNIVERSITY SILCHAR
security risk of data in transmission • Risk: Interception of network data sent from browser to server or vice versa via network eavesdropping. – Eavesdroppers can operate from any point on the pathway between browser and server . • Reason: The TCP/IP protocol was not designed with security in mind; hence it is vulnerable to network eavesdropping. 05/28/14 7ASSAM UNIVERSITY SILCHAR
Secure Socket Layer (SSL) 05/28/14 8ASSAM UNIVERSITY SILCHAR
ssL  SSL is the most used security protocol for authentication on the Web and developed by Netscape communication in 1995.  SSL secures data exchange between a client and a server by encrypting it.  SSL runs above TCP/IP and below higher-level protocols such as HTTP.  SSL protocol allows client-server applications to communicate in such a way that they prevent eavesdropping, tampering or message forgery. 05/28/14 9ASSAM UNIVERSITY SILCHAR
ssL provides 3 main things: • End Point Authentication – The server is the actual party you wish to communicate with, not someone faking their identity. • Message Integrity – The data exchange with the server has not been modified along the way. If it is, it can be easily detected. • Confidentiality – Data is encrypted. A hacker cannot read your information by simply looking at the packets on the network. 05/28/14 10ASSAM UNIVERSITY SILCHAR
hoW ssL Works: • Secure Web pages feature “https” in their URL instead of the usual “http”. • The browser sees the https in the URL and initiates a connection to the SSL port on the Web server. 05/28/14 11ASSAM UNIVERSITY SILCHAR
ssL architecture  SSL is designed to make use of TCP to provide a reliable end-to-end secure service.  SSL is a two layer protocol: -at the lower level there is SSL record protocol and - at the upper level there are higher layer protocol such as handshake protocol, change cipher spec protocol and the alert protocol. 05/28/14 12ASSAM UNIVERSITY SILCHAR
ssL architecture 05/28/14 13ASSAM UNIVERSITY SILCHAR
ssL record protocoL • The SSL Record Protocol is used to encapsulate various higher-level protocols. • The SSL Record Protocol takes the upper-layer application message to be transmitted, Fragments the data into manageable blocks, optionally compresses the data, applies an MAC, encrypts, adds a header, and transmits the result to TCP. • The received data is decrypted, verified, decompressed, reassembled ,and then delivered to higher-level clients. 05/28/14 14ASSAM UNIVERSITY SILCHAR
operation of ssL record protocoL 05/28/14 15ASSAM UNIVERSITY SILCHAR
operation of ssL record protocoL • The first step is fragmentation. Each upper-layer message is fragmented into blocks of 214 Bytes (16384 bytes) or less. • Next, compression is optionally applied. Compression must be lossless and may not increase the content length by more than 1024 bytes. In SSLv3,no compression algorithm is specified, so the default compression algorithm is null. • The next step in processing is to compute Message Authentication Code over the compressed data. For this purpose, a shared secret key is used. 05/28/14 16ASSAM UNIVERSITY SILCHAR
MAC operAtion 05/28/14 17ASSAM UNIVERSITY SILCHAR
operAtion of SSL reCord protoCoL • Next, the compressed message plus the MAC are encrypted using symmetric encryption. Encryption may not increase the content length by more than 1024 bytes. The following encryption algorithms are permitted: 05/28/14 18ASSAM UNIVERSITY SILCHAR
operAtion of SSL reCord protoCoL The final step of SSL Record Protocol processing is to append a header, consisting of the following fields: o Content Type (8 bits): The higher layer protocol used to process the enclosed fragment. o Major Version (8 bits): Indicates major version of SSL in use. For SSLv3, the value is 3. o Minor Version (8 bits): Indicates minor version in use. For SSLv3, the value is 0. o Compressed Length (16 bits): The length in bytes of the plaintext fragment (or compressed fragment if compression is used).
SSL ChAnge Cipher SpeC protoCoL • The Change Cipher Spec Protocol is the simplest of the three SSL-specific protocols. • This protocol consists of a single message,which is compressed and encrypted under the current CipherSpec. The message consists of a single byte of value 1. • The sole purpose of this message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection. • The client sends a change CipherSpec message following handshake key exchange and certificate verify messages (if any),and the server sends one after successfully processing the key exchange message it received from the client 05/28/14 20ASSAM UNIVERSITY SILCHAR
SSL ALert protoCoL • One of the content types supported by the SSL Record Layer is the alert type. • Alert messages consist of 2 bytes. -The first byte takes the value warning to convey the seriousness of the message. If the level is fatal, SSL immediately terminates the connection. -The second byte contains a code that indicates the specific alert. 05/28/14 21ASSAM UNIVERSITY SILCHAR
SSL ALert protoCoL A specification of SSL-related alerts that are always fatal is listed in the following: • unexpected_message: An inappropriate message was received. • bad_record_mac: An incorrect MAC was received. • decompression_failure: The decompression function received improper input (e.g., unable to decompress). • handshake_failure: Sender was unable to negotiate an acceptable set of security parameters given the options available. • illegal_parameter: A field in a handshake message was out of range or inconsistent with other fields. 05/28/14 22ASSAM UNIVERSITY SILCHAR
SSL hAndShAke protoCoL • The SSL Handshake Protocol is operated on top of the SSL Record Layer and it is the most important and most complex part of SSL. • This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record. • The Handshake Protocol is used before any application data is transmitted. • The Handshake Protocol consists of a series of messages exchanged by the client and the server. 05/28/14 23ASSAM UNIVERSITY SILCHAR
Contd… Each message has three fields as follows: • Type (1 byte): Indicates one of 10 messages as indicated in the following table. • Length (3 bytes): The length of the message in bytes. • Content ( 0 bytes): The parameters associated with this message; these are listed in the following Table.
Fig: Handshake Protocol Action
hAndShAke phASe Phase-1 o This phase is used to initiate a logical connection and to establish the security capabilities that will be associated with it. o The exchange is initiated by the client, which sends a client_hello message with the parameters such as Version, Session ID, CipherSuite, Compression Method etc. o After sending the client_hello message, the client waits for the server_hello message , which contains the same parameters as the client_hello message.
hAndShAke phASe Phase-2 o The server begins this phase by sending its certificate, if it needs to be authenticated; the message contains one or a chain of X.509 certificates. o Next, a server key_exchange message may be sent if it is required. o Next, a nonanonymous server can request a certificate from the client. The certificate_request message includes two parameters: certificate_type and certificate_authorities. o The final message in Phase 2, and one that is always required, is the server_done message , which is sent by the server to indicate the end of the server hello and associated messages.
hAndShAke phASe Phase-3 o Upon receipt of the server_done message, the client should verify that the server provided a valid certificate. o If the server has requested a certificate, the client begins this phase by sending a certificate message. If no suitable certificate is available, the client sends a no_certificate alert instead. o Next is the client_key_exchange message , which must be sent in this phase. The content of the message depends on the type of key exchange. For e.g: In Anonymous Diffie-Hellman: The client's public Diffie-Hellman parameters are sent. o Finally, in this phase, the client may send a certificate_verify message to provide explicit verification of a client certificate. This message is only sent following any client certificate that has signing capability
hAndShAke phASe Phase-4 o This phase completes the setting up of a secure connection. o The client sends a change_cipher_spec message and copies the pending CipherSpec into the current CipherSpec. o The client then immediately sends the finished message under the new algorithms, keys, and secrets. o The finished message verifies that the key exchange and authentication processes were successful. o In response to these two messages, the server sends its own change_cipher_spec message, transfers the pending to the current CipherSpec, and sends its finished message.
Contd… The handshake is now complete: the server is authenticated and any information exchanged between the browser and the server is protected.
SSL USeS • SSL enables secure communication on an insecure network such as the Internet. • Most web-based online purchases and monetary transactions are now secured by SSL – Online banking – Credit card purchases 05/28/14 31ASSAM UNIVERSITY SILCHAR
AdvAntAgeS • SSL it already built into browsers. – There is no need to install extra software • The server that the user wants to connect has no significant reduction in speed. – SSL was developed with server performance in mind. • SSL can be used as an alternative for Virtual Private Network (VPN). – VPN creates a virtual pipeline from a client directly to the server. – SSL secures data transmitted through the web to the server. 05/28/14 32ASSAM UNIVERSITY SILCHAR
Secure Electronic Transaction (SET) 05/28/14 33ASSAM UNIVERSITY SILCHAR
Introduction • SET is a protocol designed to ensure that merchant and cardholders can conduct business over insecure networks.. • Developed by Visa and MasterCard 05/28/14 ASSAM UNIVERSITY SILCHAR 34
Purpose The purpose of the SET protocol is to establish payment transactions that • Provide confidentiality of information; • Ensure the integrity of payment instructions • Authenticate both the cardholder and the merchant . • To maintain privacy i.e information made available only when and where necessary 05/28/14 ASSAM UNIVERSITY SILCHAR 35
SET Participants There are six main entities in SET: 1)Cardholder (customer) 2)Merchant (web server) 3)Issuer (cardholder’s bank) 4)Acquirer 5)Payment gateway(is a device operated by an acquirer. Sometime, separate these two entities) 6)Certificate Authority 05/28/14 ASSAM UNIVERSITY SILCHAR 36
Participants in the SET System 05/28/14 37ASSAM UNIVERSITY SILCHAR
Contd… The participants in the SET system, which include the following: • Cardholder: A cardholder is an authorized holder of a payment card (e.g., MasterCard, Visa) that has been issued by an issuer. • Merchant: A merchant is a person or organization that has goods or services to sell to the cardholder. • Issuer: This is a financial institution, such as a bank, that provides the cardholder with the payment card. • Acquirer: This is a financial institution that establishes an account with a merchant and processes payment card authorizations and payments.05/28/14 ASSAM UNIVERSITY SILCHAR 38
Contd.. • Payment gateway: This is a function operated by the acquirer or a designated third party that processes merchant payment messages. The payment gateway interfaces between SET and the existing bankcard payment networks for authorization and payment functions. • Certification authority (CA): This is an entity that is trusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment gateways. 05/28/14 ASSAM UNIVERSITY SILCHAR 39
How It Work ? Both cardholders and merchants must register with CA first, before they can buy or sell on the Internet. Once registration is done, cardholder and merchant can start to do transactions. 05/28/14 ASSAM UNIVERSITY SILCHAR 40
Contd... SET involve 9 basic steps in this protocol, which are : 1. Customer browses website and decides on what to purchase 2. Customer sends order and payment information, which includes 2 parts in one message: a. Purchase Order – this part is for merchant b. Card Information – this pat is for merchant’s bank only. 3. Merchant forwards card information (part b) to their bank 05/28/14 ASSAM UNIVERSITY SILCHAR 41
Contd... 4. Merchant’s bank checks with Issuer for payment authorization 5. Issuer send authorization to Merchant’s bank 6. Merchant’s bank send authorization to merchant 7. Merchant completes the order and sends confirmation to the customer 8. Merchant captures the transaction from their bank 9. Issuer prints credit card bill (invoice) to customer 05/28/14 ASSAM UNIVERSITY SILCHAR 42
SET Transactions 05/28/14 43ASSAM UNIVERSITY SILCHAR
Key Technologies of SET • Confidentiality of information: DES • Integrity of data: RSA digital signatures with SHA-1 hash codes • Cardholder account authentication: X.509v3 digital certificates with RSA signatures • Merchant authentication: X.509v3 digital certificates with RSA signatures • Privacy: separation of order and payment information using dual signatures 05/28/14 44ASSAM UNIVERSITY SILCHAR
SET Certificate Hierarchy 05/28/14 ASSAM UNIVERSITY SILCHAR 45
Examples • Examples of Certificate Chain For Merchant 05/28/14 ASSAM UNIVERSITY SILCHAR 46
Dual Signature A new application of digital signatures is introduced in SET, namely the concept of dual signatures. Dual signatures is needed when two messages are need to be linked securely but only one party is allowed to read each. 05/28/14 ASSAM UNIVERSITY SILCHAR 47
Dual Signatures • Links two messages securely but allows only one party to read each. MESSAGE 1 DIGEST 1 NEW DIGEST HASH 1 & 2 WITH SHA MESSAGE 2 DIGEST 2 CONCATENATE DIGESTS TOGETHER HASH WITH SHA TO CREATE NEW DIGEST DUAL SIGNATURE PRIVATE KEY ENCRYPT NEW DIGEST WITH SIGNER’S PRIVATE KEY 05/28/14 48ASSAM UNIVERSITY SILCHAR
Goal • Goal: Limit Information to A “Need-to-Know” Basis: – Merchant does not need credit card number. – Bank does not need details of customer order. – It Afford the customer extra protection in terms of privacy by keeping these items separate. 05/28/14 49ASSAM UNIVERSITY SILCHAR
Why Dual Signature? • Suppose that customers send the merchant two messages: • The signed order information (OI). • The signed payment information (PI). • In addition, the merchant passes the payment information (PI) to the bank. • If the merchant can capture another order information (OI) from this customer, the merchant could claim this order goes with the payment information (PI) rather than the original. • So this link is needed to prove that payment is intended for this order and not some other one. 05/28/14 50ASSAM UNIVERSITY SILCHAR
Dual Signature Operation • The operation for dual signature is as follows: – Take the hash (SHA-1) of the payment and order information. – These two hash values are concatenated [H(PI) || H(OI)] and then the result is hashed. – Customer encrypts the final hash with a private key creating the dual signature. DS = EKRC [ H(H(PI) || H(OI)) ] 05/28/14 51ASSAM UNIVERSITY SILCHAR
DS Verification by Merchant • The merchant has the public key of the customer obtained from the customer’s certificate. • Now, the merchant can compute two values: H(PIMD || H(OI)) DKUC[DS] • Should be equal! 05/28/14 52ASSAM UNIVERSITY SILCHAR
DS Verification by Bank • The bank is in possession of DS, PI, the message digest for OI (OIMD), and the customer’s public key, then the bank can compute the following: H(H(PI) || OIMD) DKUC [ DS ] 05/28/14 53ASSAM UNIVERSITY SILCHAR
What did we accomplish? • The merchant has received OI and verified the signature. • The bank has received PI and verified the signature. • The customer has linked the OI and PI and can prove the linkage. 05/28/14 54ASSAM UNIVERSITY SILCHAR
Payment Processing There are three main phases in a secure electronic transaction: • Purchase request • Payment authorization • Payment capture 05/28/14 ASSAM UNIVERSITY SILCHAR 55
Contd… Purchase Request:- The purchase request exchange consists of four messages: • Initiate Request • Initiate Response • Purchase Request and • Purchase Response. Payment Authorization:-During the processing of an order from a cardholder, the merchant authorizes the transaction with the payment gateway. 05/28/14 ASSAM UNIVERSITY SILCHAR 56
Contd.. • Payment Capture:-The merchant creates a digitally signed payment request that includes the final transaction amount, the transaction ID, and other transaction information. 05/28/14 ASSAM UNIVERSITY SILCHAR 57
05/28/14 ASSAM UNIVERSITY SILCHAR 58
SET Overhead Simple purchase transaction: • Four messages between merchant and customer • Four messages between merchant and payment gateway • 4 certificate verifications • Multiple servers need copies of all certificates 05/28/14 59ASSAM UNIVERSITY SILCHAR
SET Future Technology 05/28/14 ASSAM UNIVERSITY SILCHAR 60
conclusion • The web is very vulnerable to attacks. It does not provide a secure communication for exchanging information between the client and the server. But these two protocol namely SSL and SET makes it possible to become the web more secure for exchanging information as well as making electronic transaction between the client and the server. 05/28/14 61ASSAM UNIVERSITY SILCHAR
Thank you 05/28/14 62ASSAM UNIVERSITY SILCHAR

Recommended

Network Security
Network SecurityNetwork Security
Network SecurityMAJU
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Network security
Network securityNetwork security
Network securityEstiak Khan
 
Web Security
Web SecurityWeb Security
Web SecurityBharath Manoharan
 
Web security
Web securityWeb security
Web securityMuhammad Usman
 
Network attacks
Network attacksNetwork attacks
Network attacksManjushree Mashal
 
Network security
Network security Network security
Network security Madhumithah Ilango
 
Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security Dr. Kapil Gupta
 

Recommended

Network Security
Network SecurityNetwork Security
Network SecurityMAJU
 
Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Network security (vulnerabilities, threats, and attacks)
Network security (vulnerabilities, threats, and attacks)Fabiha Shahzad
 
Network security
Network securityNetwork security
Network securityEstiak Khan
 
Web Security
Web SecurityWeb Security
Web SecurityBharath Manoharan
 
Web security
Web securityWeb security
Web securityMuhammad Usman
 
Network attacks
Network attacksNetwork attacks
Network attacksManjushree Mashal
 
Network security
Network security Network security
Network security Madhumithah Ilango
 
Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security Chapter 1 Introduction of Cryptography and Network security
Chapter 1 Introduction of Cryptography and Network security Dr. Kapil Gupta
 
Encryption ppt
Encryption pptEncryption ppt
Encryption pptAnil Neupane
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)Arun Shukla
 
Public key Infrastructure (PKI)
Public key Infrastructure (PKI)Public key Infrastructure (PKI)
Public key Infrastructure (PKI)Venkatesh Jambulingam
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Information security
Information securityInformation security
Information securityavinashbalakrishnan2
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Email security
Email securityEmail security
Email securityIndrajit Sreemany
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityStephen Lahanas
 
System security
System securitySystem security
System securitysommerville-videos
 
Web security
Web securityWeb security
Web securitykareem zock
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Database security
Database securityDatabase security
Database securityMaryamAsghar9
 
Email security presentation
Email security presentationEmail security presentation
Email security presentationSubhradeepMaji
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolMohammed Adam
 
Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network SecurityJohn Ely Masculino
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Web security ppt sniper corporation
Web security ppt sniper corporationWeb security ppt sniper corporation
Web security ppt sniper corporationsharmaakash1881
 
Types of cyber attacks
Types of cyber attacksTypes of cyber attacks
Types of cyber attackskrishh sivakrishna
 
Tutorial 6 - User-Generated Content on the Internet
Tutorial 6 - User-Generated Content on the InternetTutorial 6 - User-Generated Content on the Internet
Tutorial 6 - User-Generated Content on the Internetdpd
 
Bio-metrics Authentication Technique
Bio-metrics Authentication TechniqueBio-metrics Authentication Technique
Bio-metrics Authentication TechniqueRekha Yadav
 

More Related Content

What's hot

Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)Arun Shukla
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security FundamentalsRahmat Suhatman
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testingAbu Sadat Mohammed Yasin
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testingNezar Alazzabi
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber SecurityStephen Lahanas
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Asad Ali
 
Application Security
Application SecurityApplication Security
Application Securityflorinc
 
Email security presentation
Email security presentationEmail security presentation
Email security presentationSubhradeepMaji
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolMohammed Adam
 
Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network SecurityJohn Ely Masculino
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on itWSO2
 
Web security ppt sniper corporation
Web security ppt sniper corporationWeb security ppt sniper corporation
Web security ppt sniper corporationsharmaakash1881
 

What's hot (20)

Encryption ppt
Encryption pptEncryption ppt
Encryption ppt
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
 
Public key Infrastructure (PKI)
Public key Infrastructure (PKI)Public key Infrastructure (PKI)
Public key Infrastructure (PKI)
 
Network Security Fundamentals
Network Security FundamentalsNetwork Security Fundamentals
Network Security Fundamentals
 
Vulnerability assessment and penetration testing
Vulnerability assessment and penetration testingVulnerability assessment and penetration testing
Vulnerability assessment and penetration testing
 
Information security
Information securityInformation security
Information security
 
Introduction to penetration testing
Introduction to penetration testingIntroduction to penetration testing
Introduction to penetration testing
 
Email security
Email securityEmail security
Email security
 
Introduction to Cyber Security
Introduction to Cyber SecurityIntroduction to Cyber Security
Introduction to Cyber Security
 
System security
System securitySystem security
System security
 
Web security
Web securityWeb security
Web security
 
Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)Ssl (Secure Sockets Layer)
Ssl (Secure Sockets Layer)
 
Application Security
Application SecurityApplication Security
Application Security
 
Database security
Database securityDatabase security
Database security
 
Email security presentation
Email security presentationEmail security presentation
Email security presentation
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
 
Introduction to Network Security
Introduction to Network SecurityIntroduction to Network Security
Introduction to Network Security
 
Application Security - Your Success Depends on it
Application Security - Your Success Depends on itApplication Security - Your Success Depends on it
Application Security - Your Success Depends on it
 
Web security ppt sniper corporation
Web security ppt sniper corporationWeb security ppt sniper corporation
Web security ppt sniper corporation
 
Types of cyber attacks
Types of cyber attacksTypes of cyber attacks
Types of cyber attacks
 

Viewers also liked

Tutorial 6 - User-Generated Content on the Internet
Tutorial 6 - User-Generated Content on the InternetTutorial 6 - User-Generated Content on the Internet
Tutorial 6 - User-Generated Content on the Internetdpd
 
Bio-metrics Authentication Technique
Bio-metrics Authentication TechniqueBio-metrics Authentication Technique
Bio-metrics Authentication TechniqueRekha Yadav
 
Tutorial 8 - Creating Effective Web Pages
Tutorial 8 - Creating Effective Web PagesTutorial 8 - Creating Effective Web Pages
Tutorial 8 - Creating Effective Web Pagesdpd
 
Tutorial 10 - Electronic Commerce
Tutorial 10 - Electronic CommerceTutorial 10 - Electronic Commerce
Tutorial 10 - Electronic Commercedpd
 
Tutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the WebTutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the Webdpd
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Samip jain
 
Tutorial 7 - Wireless Networking and Security
Tutorial 7 - Wireless Networking and SecurityTutorial 7 - Wireless Networking and Security
Tutorial 7 - Wireless Networking and Securitydpd
 
Final Report Biometrics
Final Report BiometricsFinal Report Biometrics
Final Report Biometricsanoop80686
 
Web Security
Web SecurityWeb Security
Web SecurityADIEFEH
 
Tutorial 06 - Real-Time Communication on the Internet
Tutorial 06 - Real-Time Communication on the InternetTutorial 06 - Real-Time Communication on the Internet
Tutorial 06 - Real-Time Communication on the Internetdpd
 
Web Security in Network Security NS7
Web Security in Network Security NS7Web Security in Network Security NS7
Web Security in Network Security NS7koolkampus
 
BIOMETRIC IDENTIFICATION IN ATM’S PPT
BIOMETRIC IDENTIFICATION IN ATM’S PPTBIOMETRIC IDENTIFICATION IN ATM’S PPT
BIOMETRIC IDENTIFICATION IN ATM’S PPTsravya raju
 
A study on biometric authentication techniques
A study on biometric authentication techniquesA study on biometric authentication techniques
A study on biometric authentication techniquesSubhash Basistha
 
SET THEORY
SET THEORYSET THEORY
SET THEORYLena
 
2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security TutorialNeil Matatall
 
Biometric's final ppt
Biometric's final pptBiometric's final ppt
Biometric's final pptAnkita Vanage
 

Viewers also liked (20)

Tutorial 6 - User-Generated Content on the Internet
Tutorial 6 - User-Generated Content on the InternetTutorial 6 - User-Generated Content on the Internet
Tutorial 6 - User-Generated Content on the Internet
 
Bio-metrics Authentication Technique
Bio-metrics Authentication TechniqueBio-metrics Authentication Technique
Bio-metrics Authentication Technique
 
Tutorial 8 - Creating Effective Web Pages
Tutorial 8 - Creating Effective Web PagesTutorial 8 - Creating Effective Web Pages
Tutorial 8 - Creating Effective Web Pages
 
Biometrics
BiometricsBiometrics
Biometrics
 
APA Style
APA StyleAPA Style
APA Style
 
Tutorial 10 - Electronic Commerce
Tutorial 10 - Electronic CommerceTutorial 10 - Electronic Commerce
Tutorial 10 - Electronic Commerce
 
Tutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the WebTutorial 09 - Security on the Internet and the Web
Tutorial 09 - Security on the Internet and the Web
 
Secure Socket Layer (SSL)
Secure Socket Layer (SSL)Secure Socket Layer (SSL)
Secure Socket Layer (SSL)
 
Tutorial 7 - Wireless Networking and Security
Tutorial 7 - Wireless Networking and SecurityTutorial 7 - Wireless Networking and Security
Tutorial 7 - Wireless Networking and Security
 
Final Report Biometrics
Final Report BiometricsFinal Report Biometrics
Final Report Biometrics
 
Web Security
Web SecurityWeb Security
Web Security
 
Tutorial 06 - Real-Time Communication on the Internet
Tutorial 06 - Real-Time Communication on the InternetTutorial 06 - Real-Time Communication on the Internet
Tutorial 06 - Real-Time Communication on the Internet
 
Web Security in Network Security NS7
Web Security in Network Security NS7Web Security in Network Security NS7
Web Security in Network Security NS7
 
BIOMETRIC IDENTIFICATION IN ATM’S PPT
BIOMETRIC IDENTIFICATION IN ATM’S PPTBIOMETRIC IDENTIFICATION IN ATM’S PPT
BIOMETRIC IDENTIFICATION IN ATM’S PPT
 
A study on biometric authentication techniques
A study on biometric authentication techniquesA study on biometric authentication techniques
A study on biometric authentication techniques
 
SET THEORY
SET THEORYSET THEORY
SET THEORY
 
2008: Web Application Security Tutorial
2008: Web Application Security Tutorial2008: Web Application Security Tutorial
2008: Web Application Security Tutorial
 
biometrics
biometricsbiometrics
biometrics
 
Web Security
Web SecurityWeb Security
Web Security
 
Biometric's final ppt
Biometric's final pptBiometric's final ppt
Biometric's final ppt
 

Similar to Web security

SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layerAhmed Elnaggar
 
Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Vishal Kumar
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4limsh
 
SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )Monodip Singha Roy
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYMonodip Singha Roy
 
Network Security_Module_2.pdf
Network Security_Module_2.pdfNetwork Security_Module_2.pdf
Network Security_Module_2.pdfDr. Shivashankar
 
Network Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr ShivashankarNetwork Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr ShivashankarDr. Shivashankar
 
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.pptWEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.pptSonukumarRawat
 
Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL)Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL)BGSBU Rajouri
 
Network Security- Secure Socket Layer
Network Security- Secure Socket LayerNetwork Security- Secure Socket Layer
Network Security- Secure Socket LayerDr.Florence Dayana
 
SecureSocketLayer.ppt
SecureSocketLayer.pptSecureSocketLayer.ppt
SecureSocketLayer.pptPranavUndre1
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket LayerPina Parmar
 
Network and internet security
Network and internet security Network and internet security
Network and internet security SabthamiS1
 
VULNERABILITIES OF THE SSL/TLS PROTOCOL
VULNERABILITIES OF THE SSL/TLS PROTOCOLVULNERABILITIES OF THE SSL/TLS PROTOCOL
VULNERABILITIES OF THE SSL/TLS PROTOCOLcscpconf
 
Vulnerabilities of the SSL/TLS Protocol
Vulnerabilities of the SSL/TLS ProtocolVulnerabilities of the SSL/TLS Protocol
Vulnerabilities of the SSL/TLS Protocolcsandit
 

Similar to Web security (20)

SSL Secure socket layer
SSL Secure socket layerSSL Secure socket layer
SSL Secure socket layer
 
Unit 6
Unit 6Unit 6
Unit 6
 
Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2
 
BAIT1103 Chapter 4
BAIT1103 Chapter 4BAIT1103 Chapter 4
BAIT1103 Chapter 4
 
SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
 
Secure socket later
Secure socket laterSecure socket later
Secure socket later
 
Network Security_Module_2.pdf
Network Security_Module_2.pdfNetwork Security_Module_2.pdf
Network Security_Module_2.pdf
 
Web Security
Web SecurityWeb Security
Web Security
 
Network Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr ShivashankarNetwork Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr Shivashankar
 
Secure Socket Layer.pptx
Secure Socket Layer.pptxSecure Socket Layer.pptx
Secure Socket Layer.pptx
 
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.pptWEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
 
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityCRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
 
Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL)Secure Sockets Layer (SSL)
Secure Sockets Layer (SSL)
 
Network Security- Secure Socket Layer
Network Security- Secure Socket LayerNetwork Security- Secure Socket Layer
Network Security- Secure Socket Layer
 
SecureSocketLayer.ppt
SecureSocketLayer.pptSecureSocketLayer.ppt
SecureSocketLayer.ppt
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
 
Network and internet security
Network and internet security Network and internet security
Network and internet security
 
VULNERABILITIES OF THE SSL/TLS PROTOCOL
VULNERABILITIES OF THE SSL/TLS PROTOCOLVULNERABILITIES OF THE SSL/TLS PROTOCOL
VULNERABILITIES OF THE SSL/TLS PROTOCOL
 
Vulnerabilities of the SSL/TLS Protocol
Vulnerabilities of the SSL/TLS ProtocolVulnerabilities of the SSL/TLS Protocol
Vulnerabilities of the SSL/TLS Protocol
 

Recently uploaded

How to login to Router net ORBI LOGIN...
How to login to Router net ORBI LOGIN...How to login to Router net ORBI LOGIN...
How to login to Router net ORBI LOGIN...rrouter90
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxAndrieCagasanAkio
 
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...vmzoxnx5
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxmibuzondetrabajo
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxMario
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesLumiverse Solutions Pvt Ltd
 
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)ICT Watch - Indonesia
 
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...ICT Watch - Indonesia
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119APNIC
 

Recently uploaded (9)

How to login to Router net ORBI LOGIN...
How to login to Router net ORBI LOGIN...How to login to Router net ORBI LOGIN...
How to login to Router net ORBI LOGIN...
 
TRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptxTRENDS Enabling and inhibiting dimensions.pptx
TRENDS Enabling and inhibiting dimensions.pptx
 
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
办理澳洲USYD文凭证书学历认证【Q微/1954292140】办理悉尼大学毕业证书真实成绩单GPA修改/办理澳洲大学文凭证书Offer录取通知书/在读证明...
 
Unidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptxUnidad 4 – Redes de ordenadores (en inglés).pptx
Unidad 4 – Redes de ordenadores (en inglés).pptx
 
Company Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptxCompany Snapshot Theme for Business by Slidesgo.pptx
Company Snapshot Theme for Business by Slidesgo.pptx
 
Cybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best PracticesCybersecurity Threats and Cybersecurity Best Practices
Cybersecurity Threats and Cybersecurity Best Practices
 
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
Summary IGF 2013 Bali - English (tata kelola internet / internet governance)
 
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
Summary ID-IGF 2016 National Dialogue - English (tata kelola internet / int...
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 

Web security

  • 1. Presentation on web security Presented by Subhash Basishtha Saptarshi Boruah 05/28/14 1ASSAM UNIVERSITY SILCHAR
  • 2. contents  Introduction  Issues related to web security -client-side issues -server-side issues -data on transmission issues  Solution to web security: SSL  SSL Architecture  Its advantages and uses  SET:  conclusion 05/28/14 2ASSAM UNIVERSITY SILCHAR
  • 3. introduction o Now-a-days almost everything relies on computers and all the sensitive tasks are done through the web: -communication(email) -shopping(online store) -transportation(e-ticketing) -database access -entertainment etc. “web security involves protecting those information by preventing,detecting and responding to attacks” 05/28/14 3ASSAM UNIVERSITY SILCHAR
  • 4. Web security: client-side security risks Browser risks: -Crashes the browser, damages the user's system, or merely creates an annoyance. -The misuse of personal information knowingly or unknowingly provided by the end-user. Active content, such as ActiveX controls and Java applets: – Introduces the possibility that Web browsing will introduce viruses or other malicious software into the user's system,
  • 5. Web security: server-side security risks  Risk: Allow unauthorized remote users to: – Steal confidential documents. – Execute commands on the server host machine to modify the system. – Gain information about the Web server's host machine to break into the system. – Launch denial-of-service attacks, rendering the machine temporarily unusable. 05/28/14 5ASSAM UNIVERSITY SILCHAR
  • 6. server-side security risks(contd..)  Bugs in the Web server - Buggy software opens up security holes.  Misconfiguration problems in the Web server – A poorly configured Web server can punch a hole in the most carefully designed firewall system. 05/28/14 6ASSAM UNIVERSITY SILCHAR
  • 7. security risk of data in transmission • Risk: Interception of network data sent from browser to server or vice versa via network eavesdropping. – Eavesdroppers can operate from any point on the pathway between browser and server . • Reason: The TCP/IP protocol was not designed with security in mind; hence it is vulnerable to network eavesdropping. 05/28/14 7ASSAM UNIVERSITY SILCHAR
  • 8. Secure Socket Layer (SSL) 05/28/14 8ASSAM UNIVERSITY SILCHAR
  • 9. ssL  SSL is the most used security protocol for authentication on the Web and developed by Netscape communication in 1995.  SSL secures data exchange between a client and a server by encrypting it.  SSL runs above TCP/IP and below higher-level protocols such as HTTP.  SSL protocol allows client-server applications to communicate in such a way that they prevent eavesdropping, tampering or message forgery. 05/28/14 9ASSAM UNIVERSITY SILCHAR
  • 10. ssL provides 3 main things: • End Point Authentication – The server is the actual party you wish to communicate with, not someone faking their identity. • Message Integrity – The data exchange with the server has not been modified along the way. If it is, it can be easily detected. • Confidentiality – Data is encrypted. A hacker cannot read your information by simply looking at the packets on the network. 05/28/14 10ASSAM UNIVERSITY SILCHAR
  • 11. hoW ssL Works: • Secure Web pages feature “https” in their URL instead of the usual “http”. • The browser sees the https in the URL and initiates a connection to the SSL port on the Web server. 05/28/14 11ASSAM UNIVERSITY SILCHAR
  • 12. ssL architecture  SSL is designed to make use of TCP to provide a reliable end-to-end secure service.  SSL is a two layer protocol: -at the lower level there is SSL record protocol and - at the upper level there are higher layer protocol such as handshake protocol, change cipher spec protocol and the alert protocol. 05/28/14 12ASSAM UNIVERSITY SILCHAR
  • 13. ssL architecture 05/28/14 13ASSAM UNIVERSITY SILCHAR
  • 14. ssL record protocoL • The SSL Record Protocol is used to encapsulate various higher-level protocols. • The SSL Record Protocol takes the upper-layer application message to be transmitted, Fragments the data into manageable blocks, optionally compresses the data, applies an MAC, encrypts, adds a header, and transmits the result to TCP. • The received data is decrypted, verified, decompressed, reassembled ,and then delivered to higher-level clients. 05/28/14 14ASSAM UNIVERSITY SILCHAR
  • 15. operation of ssL record protocoL 05/28/14 15ASSAM UNIVERSITY SILCHAR
  • 16. operation of ssL record protocoL • The first step is fragmentation. Each upper-layer message is fragmented into blocks of 214 Bytes (16384 bytes) or less. • Next, compression is optionally applied. Compression must be lossless and may not increase the content length by more than 1024 bytes. In SSLv3,no compression algorithm is specified, so the default compression algorithm is null. • The next step in processing is to compute Message Authentication Code over the compressed data. For this purpose, a shared secret key is used. 05/28/14 16ASSAM UNIVERSITY SILCHAR
  • 17. MAC operAtion 05/28/14 17ASSAM UNIVERSITY SILCHAR
  • 18. operAtion of SSL reCord protoCoL • Next, the compressed message plus the MAC are encrypted using symmetric encryption. Encryption may not increase the content length by more than 1024 bytes. The following encryption algorithms are permitted: 05/28/14 18ASSAM UNIVERSITY SILCHAR
  • 19. operAtion of SSL reCord protoCoL The final step of SSL Record Protocol processing is to append a header, consisting of the following fields: o Content Type (8 bits): The higher layer protocol used to process the enclosed fragment. o Major Version (8 bits): Indicates major version of SSL in use. For SSLv3, the value is 3. o Minor Version (8 bits): Indicates minor version in use. For SSLv3, the value is 0. o Compressed Length (16 bits): The length in bytes of the plaintext fragment (or compressed fragment if compression is used).
  • 20. SSL ChAnge Cipher SpeC protoCoL • The Change Cipher Spec Protocol is the simplest of the three SSL-specific protocols. • This protocol consists of a single message,which is compressed and encrypted under the current CipherSpec. The message consists of a single byte of value 1. • The sole purpose of this message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection. • The client sends a change CipherSpec message following handshake key exchange and certificate verify messages (if any),and the server sends one after successfully processing the key exchange message it received from the client 05/28/14 20ASSAM UNIVERSITY SILCHAR
  • 21. SSL ALert protoCoL • One of the content types supported by the SSL Record Layer is the alert type. • Alert messages consist of 2 bytes. -The first byte takes the value warning to convey the seriousness of the message. If the level is fatal, SSL immediately terminates the connection. -The second byte contains a code that indicates the specific alert. 05/28/14 21ASSAM UNIVERSITY SILCHAR
  • 22. SSL ALert protoCoL A specification of SSL-related alerts that are always fatal is listed in the following: • unexpected_message: An inappropriate message was received. • bad_record_mac: An incorrect MAC was received. • decompression_failure: The decompression function received improper input (e.g., unable to decompress). • handshake_failure: Sender was unable to negotiate an acceptable set of security parameters given the options available. • illegal_parameter: A field in a handshake message was out of range or inconsistent with other fields. 05/28/14 22ASSAM UNIVERSITY SILCHAR
  • 23. SSL hAndShAke protoCoL • The SSL Handshake Protocol is operated on top of the SSL Record Layer and it is the most important and most complex part of SSL. • This protocol allows the server and client to authenticate each other and to negotiate an encryption and MAC algorithm and cryptographic keys to be used to protect data sent in an SSL record. • The Handshake Protocol is used before any application data is transmitted. • The Handshake Protocol consists of a series of messages exchanged by the client and the server. 05/28/14 23ASSAM UNIVERSITY SILCHAR
  • 24. Contd… Each message has three fields as follows: • Type (1 byte): Indicates one of 10 messages as indicated in the following table. • Length (3 bytes): The length of the message in bytes. • Content ( 0 bytes): The parameters associated with this message; these are listed in the following Table.
  • 26. hAndShAke phASe Phase-1 o This phase is used to initiate a logical connection and to establish the security capabilities that will be associated with it. o The exchange is initiated by the client, which sends a client_hello message with the parameters such as Version, Session ID, CipherSuite, Compression Method etc. o After sending the client_hello message, the client waits for the server_hello message , which contains the same parameters as the client_hello message.
  • 27. hAndShAke phASe Phase-2 o The server begins this phase by sending its certificate, if it needs to be authenticated; the message contains one or a chain of X.509 certificates. o Next, a server key_exchange message may be sent if it is required. o Next, a nonanonymous server can request a certificate from the client. The certificate_request message includes two parameters: certificate_type and certificate_authorities. o The final message in Phase 2, and one that is always required, is the server_done message , which is sent by the server to indicate the end of the server hello and associated messages.
  • 28. hAndShAke phASe Phase-3 o Upon receipt of the server_done message, the client should verify that the server provided a valid certificate. o If the server has requested a certificate, the client begins this phase by sending a certificate message. If no suitable certificate is available, the client sends a no_certificate alert instead. o Next is the client_key_exchange message , which must be sent in this phase. The content of the message depends on the type of key exchange. For e.g: In Anonymous Diffie-Hellman: The client's public Diffie-Hellman parameters are sent. o Finally, in this phase, the client may send a certificate_verify message to provide explicit verification of a client certificate. This message is only sent following any client certificate that has signing capability
  • 29. hAndShAke phASe Phase-4 o This phase completes the setting up of a secure connection. o The client sends a change_cipher_spec message and copies the pending CipherSpec into the current CipherSpec. o The client then immediately sends the finished message under the new algorithms, keys, and secrets. o The finished message verifies that the key exchange and authentication processes were successful. o In response to these two messages, the server sends its own change_cipher_spec message, transfers the pending to the current CipherSpec, and sends its finished message.
  • 30. Contd… The handshake is now complete: the server is authenticated and any information exchanged between the browser and the server is protected.
  • 31. SSL USeS • SSL enables secure communication on an insecure network such as the Internet. • Most web-based online purchases and monetary transactions are now secured by SSL – Online banking – Credit card purchases 05/28/14 31ASSAM UNIVERSITY SILCHAR
  • 32. AdvAntAgeS • SSL it already built into browsers. – There is no need to install extra software • The server that the user wants to connect has no significant reduction in speed. – SSL was developed with server performance in mind. • SSL can be used as an alternative for Virtual Private Network (VPN). – VPN creates a virtual pipeline from a client directly to the server. – SSL secures data transmitted through the web to the server. 05/28/14 32ASSAM UNIVERSITY SILCHAR
  • 33. Secure Electronic Transaction (SET) 05/28/14 33ASSAM UNIVERSITY SILCHAR
  • 34. Introduction • SET is a protocol designed to ensure that merchant and cardholders can conduct business over insecure networks.. • Developed by Visa and MasterCard 05/28/14 ASSAM UNIVERSITY SILCHAR 34
  • 35. Purpose The purpose of the SET protocol is to establish payment transactions that • Provide confidentiality of information; • Ensure the integrity of payment instructions • Authenticate both the cardholder and the merchant . • To maintain privacy i.e information made available only when and where necessary 05/28/14 ASSAM UNIVERSITY SILCHAR 35
  • 36. SET Participants There are six main entities in SET: 1)Cardholder (customer) 2)Merchant (web server) 3)Issuer (cardholder’s bank) 4)Acquirer 5)Payment gateway(is a device operated by an acquirer. Sometime, separate these two entities) 6)Certificate Authority 05/28/14 ASSAM UNIVERSITY SILCHAR 36
  • 37. Participants in the SET System 05/28/14 37ASSAM UNIVERSITY SILCHAR
  • 38. Contd… The participants in the SET system, which include the following: • Cardholder: A cardholder is an authorized holder of a payment card (e.g., MasterCard, Visa) that has been issued by an issuer. • Merchant: A merchant is a person or organization that has goods or services to sell to the cardholder. • Issuer: This is a financial institution, such as a bank, that provides the cardholder with the payment card. • Acquirer: This is a financial institution that establishes an account with a merchant and processes payment card authorizations and payments.05/28/14 ASSAM UNIVERSITY SILCHAR 38
  • 39. Contd.. • Payment gateway: This is a function operated by the acquirer or a designated third party that processes merchant payment messages. The payment gateway interfaces between SET and the existing bankcard payment networks for authorization and payment functions. • Certification authority (CA): This is an entity that is trusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment gateways. 05/28/14 ASSAM UNIVERSITY SILCHAR 39
  • 40. How It Work ? Both cardholders and merchants must register with CA first, before they can buy or sell on the Internet. Once registration is done, cardholder and merchant can start to do transactions. 05/28/14 ASSAM UNIVERSITY SILCHAR 40
  • 41. Contd... SET involve 9 basic steps in this protocol, which are : 1. Customer browses website and decides on what to purchase 2. Customer sends order and payment information, which includes 2 parts in one message: a. Purchase Order – this part is for merchant b. Card Information – this pat is for merchant’s bank only. 3. Merchant forwards card information (part b) to their bank 05/28/14 ASSAM UNIVERSITY SILCHAR 41
  • 42. Contd... 4. Merchant’s bank checks with Issuer for payment authorization 5. Issuer send authorization to Merchant’s bank 6. Merchant’s bank send authorization to merchant 7. Merchant completes the order and sends confirmation to the customer 8. Merchant captures the transaction from their bank 9. Issuer prints credit card bill (invoice) to customer 05/28/14 ASSAM UNIVERSITY SILCHAR 42
  • 43. SET Transactions 05/28/14 43ASSAM UNIVERSITY SILCHAR
  • 44. Key Technologies of SET • Confidentiality of information: DES • Integrity of data: RSA digital signatures with SHA-1 hash codes • Cardholder account authentication: X.509v3 digital certificates with RSA signatures • Merchant authentication: X.509v3 digital certificates with RSA signatures • Privacy: separation of order and payment information using dual signatures 05/28/14 44ASSAM UNIVERSITY SILCHAR
  • 45. SET Certificate Hierarchy 05/28/14 ASSAM UNIVERSITY SILCHAR 45
  • 46. Examples • Examples of Certificate Chain For Merchant 05/28/14 ASSAM UNIVERSITY SILCHAR 46
  • 47. Dual Signature A new application of digital signatures is introduced in SET, namely the concept of dual signatures. Dual signatures is needed when two messages are need to be linked securely but only one party is allowed to read each. 05/28/14 ASSAM UNIVERSITY SILCHAR 47
  • 48. Dual Signatures • Links two messages securely but allows only one party to read each. MESSAGE 1 DIGEST 1 NEW DIGEST HASH 1 & 2 WITH SHA MESSAGE 2 DIGEST 2 CONCATENATE DIGESTS TOGETHER HASH WITH SHA TO CREATE NEW DIGEST DUAL SIGNATURE PRIVATE KEY ENCRYPT NEW DIGEST WITH SIGNER’S PRIVATE KEY 05/28/14 48ASSAM UNIVERSITY SILCHAR
  • 49. Goal • Goal: Limit Information to A “Need-to-Know” Basis: – Merchant does not need credit card number. – Bank does not need details of customer order. – It Afford the customer extra protection in terms of privacy by keeping these items separate. 05/28/14 49ASSAM UNIVERSITY SILCHAR
  • 50. Why Dual Signature? • Suppose that customers send the merchant two messages: • The signed order information (OI). • The signed payment information (PI). • In addition, the merchant passes the payment information (PI) to the bank. • If the merchant can capture another order information (OI) from this customer, the merchant could claim this order goes with the payment information (PI) rather than the original. • So this link is needed to prove that payment is intended for this order and not some other one. 05/28/14 50ASSAM UNIVERSITY SILCHAR
  • 51. Dual Signature Operation • The operation for dual signature is as follows: – Take the hash (SHA-1) of the payment and order information. – These two hash values are concatenated [H(PI) || H(OI)] and then the result is hashed. – Customer encrypts the final hash with a private key creating the dual signature. DS = EKRC [ H(H(PI) || H(OI)) ] 05/28/14 51ASSAM UNIVERSITY SILCHAR
  • 52. DS Verification by Merchant • The merchant has the public key of the customer obtained from the customer’s certificate. • Now, the merchant can compute two values: H(PIMD || H(OI)) DKUC[DS] • Should be equal! 05/28/14 52ASSAM UNIVERSITY SILCHAR
  • 53. DS Verification by Bank • The bank is in possession of DS, PI, the message digest for OI (OIMD), and the customer’s public key, then the bank can compute the following: H(H(PI) || OIMD) DKUC [ DS ] 05/28/14 53ASSAM UNIVERSITY SILCHAR
  • 54. What did we accomplish? • The merchant has received OI and verified the signature. • The bank has received PI and verified the signature. • The customer has linked the OI and PI and can prove the linkage. 05/28/14 54ASSAM UNIVERSITY SILCHAR
  • 55. Payment Processing There are three main phases in a secure electronic transaction: • Purchase request • Payment authorization • Payment capture 05/28/14 ASSAM UNIVERSITY SILCHAR 55
  • 56. Contd… Purchase Request:- The purchase request exchange consists of four messages: • Initiate Request • Initiate Response • Purchase Request and • Purchase Response. Payment Authorization:-During the processing of an order from a cardholder, the merchant authorizes the transaction with the payment gateway. 05/28/14 ASSAM UNIVERSITY SILCHAR 56
  • 57. Contd.. • Payment Capture:-The merchant creates a digitally signed payment request that includes the final transaction amount, the transaction ID, and other transaction information. 05/28/14 ASSAM UNIVERSITY SILCHAR 57
  • 59. SET Overhead Simple purchase transaction: • Four messages between merchant and customer • Four messages between merchant and payment gateway • 4 certificate verifications • Multiple servers need copies of all certificates 05/28/14 59ASSAM UNIVERSITY SILCHAR
  • 60. SET Future Technology 05/28/14 ASSAM UNIVERSITY SILCHAR 60
  • 61. conclusion • The web is very vulnerable to attacks. It does not provide a secure communication for exchanging information between the client and the server. But these two protocol namely SSL and SET makes it possible to become the web more secure for exchanging information as well as making electronic transaction between the client and the server. 05/28/14 61ASSAM UNIVERSITY SILCHAR
  • 62. Thank you 05/28/14 62ASSAM UNIVERSITY SILCHAR

Editor's Notes

  1. SET Transaction: Order and Payment are Sent: Customer sends both order and payment information to merchant along with customer’s certificate. The order confirms the purchase of items in the order form. The payment contains credit card details. The payment information is encrypted so that it cannot be read by the merchant. The customer’s certificate enables the merchant to verify the customer. Merchant Requests Payment Authorization: Merchant sends the payment information to the payment gateway. This requests authorization that the customer’s available credit is sufficient for this purchase. Merchant Confirms Order: Merchant sends a confirmation of the order to the customer. Merchant Provides Goods or Service: Merchant ships the goods or provides the service to the customer. Merchant Requests Payment: Request is sent to payment gateway to handle payment processing
  2. SET Transaction: Order and Payment are Sent: Customer sends both order and payment information to merchant along with customer’s certificate. The order confirms the purchase of items in the order form. The payment contains credit card details. The payment information is encrypted so that it cannot be read by the merchant. The customer’s certificate enables the merchant to verify the customer. Merchant Requests Payment Authorization: Merchant sends the payment information to the payment gateway. This requests authorization that the customer’s available credit is sufficient for this purchase. Merchant Confirms Order: Merchant sends a confirmation of the order to the customer. Merchant Provides Goods or Service: Merchant ships the goods or provides the service to the customer. Merchant Requests Payment: Request is sent to payment gateway to handle payment processing
  3. SET Transaction: Order and Payment are Sent: Customer sends both order and payment information to merchant along with customer’s certificate. The order confirms the purchase of items in the order form. The payment contains credit card details. The payment information is encrypted so that it cannot be read by the merchant. The customer’s certificate enables the merchant to verify the customer. Merchant Requests Payment Authorization: Merchant sends the payment information to the payment gateway. This requests authorization that the customer’s available credit is sufficient for this purchase. Merchant Confirms Order: Merchant sends a confirmation of the order to the customer. Merchant Provides Goods or Service: Merchant ships the goods or provides the service to the customer. Merchant Requests Payment: Request is sent to payment gateway to handle payment processing
  4. SET Transaction: Order and Payment are Sent: Customer sends both order and payment information to merchant along with customer’s certificate. The order confirms the purchase of items in the order form. The payment contains credit card details. The payment information is encrypted so that it cannot be read by the merchant. The customer’s certificate enables the merchant to verify the customer. Merchant Requests Payment Authorization: Merchant sends the payment information to the payment gateway. This requests authorization that the customer’s available credit is sufficient for this purchase. Merchant Confirms Order: Merchant sends a confirmation of the order to the customer. Merchant Provides Goods or Service: Merchant ships the goods or provides the service to the customer. Merchant Requests Payment: Request is sent to payment gateway to handle payment processing
  5. SET Transaction: Order and Payment are Sent: Customer sends both order and payment information to merchant along with customer’s certificate. The order confirms the purchase of items in the order form. The payment contains credit card details. The payment information is encrypted so that it cannot be read by the merchant. The customer’s certificate enables the merchant to verify the customer. Merchant Requests Payment Authorization: Merchant sends the payment information to the payment gateway. This requests authorization that the customer’s available credit is sufficient for this purchase. Merchant Confirms Order: Merchant sends a confirmation of the order to the customer. Merchant Provides Goods or Service: Merchant ships the goods or provides the service to the customer. Merchant Requests Payment: Request is sent to payment gateway to handle payment processing
  6. SET Transaction: Order and Payment are Sent: Customer sends both order and payment information to merchant along with customer’s certificate. The order confirms the purchase of items in the order form. The payment contains credit card details. The payment information is encrypted so that it cannot be read by the merchant. The customer’s certificate enables the merchant to verify the customer. Merchant Requests Payment Authorization: Merchant sends the payment information to the payment gateway. This requests authorization that the customer’s available credit is sufficient for this purchase. Merchant Confirms Order: Merchant sends a confirmation of the order to the customer. Merchant Provides Goods or Service: Merchant ships the goods or provides the service to the customer. Merchant Requests Payment: Request is sent to payment gateway to handle payment processing