
WEB SECURITY

Prepared By,
R.S.RAMPRIYA/CSE.
CONTENTS

• WEB SECURITY
• SSL
• SET
Web Security

• Almost everything in today’s world relies on computers and the internet.
• Communications (emails, phones)
• Transportation (car engine system, airplane navigation system)
• Medicine (medical records, equipment)
• Shopping (online store, online payments)
• Entertainment (digital cables)
What is Web Security ?

Web security, also known as “cyber security”, involves protecting information by protecting against, preventing and responding to attacks.
Web Security: Terminology

• HACKERS: People who strive to exploit weaknesses in software and computers for their own gain.
• VIRUSES: Infect your computer before you can actually do something.
• WORMS: Propagate without user intervention.
• TROJAN: Software that claims to do one thing while in fact doing something else in the background.
Cont…

• RANSOMWARE:
• A form of Trojan that has existed since 1989, known as the ‘PC CYBORG’ Trojan.
• It affects the user’s computer by encrypting the user’s personal files.
• The victim is then contacted and offered the decryption key in exchange for cash.
Cont…

• KEYLOGGERS:
• It is software that monitors user activity, such as keys typed on the keyboard.
• Keyloggers can:
• Record keystrokes on the keyboard.
• Record mouse movements and clicks.
• Record menus that are invoked.
• Take screenshots of the desktop at predefined intervals.
SECURE SOCKET LAYER
(SSL)
Introduction - SSL

• SSL stands for Secure Sockets Layer.
• SSL is the standard security technology for establishing an encrypted link between a web server and a browser.
• This link ensures that all data passed between the web server and the browser remains private and integral.
Need of SSL
• Authentication of server
How does the client know who they are dealing with?

• Information Integrity
How do we know a third party has not altered data en route?
Objectives of SSL Protocol

• Data encryption
• Server authentication
• Message integrity
Where it works: An example

Normal HTTP: http://www.bbc.com

Secured HTTP: https://www.facebook.com


HTTPS Without Certification
Certificates
• Web sites that deal in ecommerce must have certificates for
authentication
• Installed at server
• Transmitted to client for authentication
• Validated using CA’s public key

[Figure: the browser on the client machine sends a request for a secure session to the web container (JSP, ASP) on the server machine; the certificate signed by the CA is returned to the client.]
SSL?

• Designed to make use of TCP to provide a reliable end-to-end connection between applications (e.g., a web server and a browser).
• Invented by Phil Karlton (CMU Ph.D.) and others at Netscape.
Positioning of SSL layer in TCP/IP model
Normal Application      Application with SSL

Application             Application
                        SSL
TCP                     TCP
IP                      IP

• SSL provides an application programming interface (API) to applications
• C and Java SSL libraries/classes readily available
SSL Architecture
Cont…

[Figure: SSL architecture, with the protocols annotated "Initializes secure communication", "Error handling", "Initializes communication between client & server" and "Handles secure data transmission".]
SSL Components
• SSL Record Protocol
– For secure transmission of data
– Processes are fragmentation, compression, message authentication and
integrity protection (MAC computation, padding is used), encryption.
• SSL Handshake Protocol
– For establishing secure connection
– Key exchange
– Server authentication and optionally client authentication
• SSL Alert Protocol
– Error messages (fatal alerts and warnings)
• SSL Change Cipher Spec Protocol
– A single message that indicates the end of the SSL handshake
SSL Record Protocol

• Provides two services:
• Confidentiality: Defines a shared secret key used for conventional encryption.
• Message Integrity: Defines a shared secret key used for MAC.
SSL Record Protocol Operation
Handshake Protocol

• Allows server & client to:
• Authenticate each other
• Negotiate encryption, MAC algorithms and keys
• Comprises a series of messages exchanged in phases:
• Establish Security Capabilities
• Server Authentication and Key Exchange
• Client Authentication and Key Exchange
Handshake Protocol
Sample Cipher Suite
Change Cipher Spec Protocol

• It consists of a single message which consists of a single byte with value 1.
• It includes encryption algorithm, MAC, hash size.
• Purpose: Pending state is copied into the current state.
Alert Protocol
• Convey SSL alerts to the peer entity.
• It has two bytes:
• Byte 1: Values can be “warning” or “fatal”
• Byte 2: Values are:
• unexpected_message
• bad_record_mac
• decompression_failure
• handshake_failure
• illegal_parameter
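
A record-layer parser for the two small protocols above, as an added example that is not part of the original slides. It assumes the standard SSLv3/TLS record header (1-byte content type, 2-byte version, 2-byte length) and the standard numeric codes for the alert levels and the five descriptions listed; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Content types carried in the record header (SSLv3/TLS values).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# Only the alert descriptions listed on the slide.
ALERT_DESCRIPTIONS = {10: "unexpected_message", 20: "bad_record_mac",
                      30: "decompression_failure", 40: "handshake_failure",
                      47: "illegal_parameter"}

def describe(ctype, version, body):
    """Summarise one record; decode the body only for the two small protocols."""
    name = CONTENT_TYPES.get(ctype, f"unknown({ctype})")
    info = {"type": name, "version": version, "length": len(body)}
    if name == "alert" and len(body) == 2:      # plaintext alert: level, description
        info["level"] = ALERT_LEVELS.get(body[0], f"unknown({body[0]})")
        info["description"] = ALERT_DESCRIPTIONS.get(body[1], f"other({body[1]})")
    elif name == "change_cipher_spec":
        info["valid"] = body == b"\x01"         # the single byte with value 1
    return info

def parse_records(stream: bytes):
    """Split a byte stream into records and reject truncated input."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        body = stream[offset + 5: offset + 5 + length]
        if len(body) != length:
            raise ValueError("truncated record body")
        records.append(describe(ctype, (major, minor), body))
        offset += 5 + length
    return records

# Constructed bytes (not a captured session): a ChangeCipherSpec record
# followed by a fatal handshake_failure alert, both marked SSL 3.0.
SAMPLE = bytes.fromhex("140300000101" "15030000020228")

if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec)
```

Once encryption is switched on, an alert body is no longer readable on the wire, so the two-byte decoding applies only to alerts sent in the clear.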
SET
Secure Electronic Transaction (SET)

• Developed by Visa and MasterCard
• Designed to protect credit card transactions
• SET provides three services:
1. Confidentiality: all messages encrypted
2. Trust: all parties must have digital certificates
3. Privacy: information made available only when and where necessary
SET Business Requirements
• Provide confidentiality of payment and ordering information
• Ensure the integrity of all transmitted data
• Provide authentication that a cardholder is a legitimate user of
a credit card account
• Provide authentication that a merchant can accept credit card
transactions through its relationship with a financial institution
• Ensure the use of the best security practices and system design
techniques to protect all legitimate parties in an electronic
commerce transaction
• Facilitate and encourage interoperability among software and
network providers
SET Participants
• Cardholder: This is an authorized holder of a payment card that has been issued by an issuer.
• Merchant: This is a person or organization who has things to sell to the cardholder. Ex.: Flipkart, eBay.
• Issuer: This is a financial institution such as a bank that provides the cardholder with the payment card. Ex.: a bank that uses MasterCard or Visa cards.
• Acquirer: This is a financial institution that establishes an account with the merchant and processes credit card authorizations and payments. The acquirer provides authorization to the merchant that a given card account is active. The acquirer also provides electronic payment transfers to the merchant’s account.
• Payment Gateway: This is a function that can be undertaken by the acquirer that processes merchant payment messages. The payment gateway interfaces between SET and the existing bankcard payment networks for authorization and payment functions.
• Certificate Authority: This is an entity that is entrusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment gateways.
Key Features of SET

• Confidentiality of Information
• Integrity of Data
• Cardholder account Authentication
• Merchant Authentication
SET Transactions
Dual Signatures
• Links two messages securely but allows only one party to read each.

[Figure: MESSAGE 1 and MESSAGE 2 are each hashed with SHA to give DIGEST 1 and DIGEST 2; the digests are concatenated together and hashed with SHA to create a NEW DIGEST; the new digest is encrypted with the signer’s private key to give the DUAL SIGNATURE.]
Dual Signature for SET
• Concept: Link Two Messages Intended for Two Different Receivers:
• Order Information (OI): Customer to Merchant
• Payment Information (PI): Customer to Bank
• Goal: Limit Information to A “Need-to-Know” Basis:
• Merchant does not need credit card number.
• Bank does not need details of customer order.
• Afford the customer extra protection in terms of privacy by
keeping these items separate.
• This link is needed to prove that payment is intended for this order
and not some other one.
Why Dual Signature?

• Suppose that customers send the merchant two messages:
• The signed order information (OI).
• The signed payment information (PI).
• In addition, the merchant passes the payment information (PI) to the bank.
• If the merchant can capture another order information (OI) from this customer, the merchant could claim this order goes with the payment information (PI) rather than the original.
Dual Signature Operation

• The operation for dual signature is as follows:
– Take the hash (SHA-1) of the payment and order information.
– These two hash values are concatenated [H(PI) || H(OI)] and then the result is hashed.
– Customer encrypts the final hash with a private key creating the dual signature.

DS = E_KRc [ H( H(PI) || H(OI) ) ]


• What did we accomplish?
– The merchant has received OI and verified the signature.
– The bank has received PI and verified the signature.
– The customer has linked the OI and PI and can prove the linkage.
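
The dual signature operation above and the substitution problem from "Why Dual Signature?", as an added example that is not part of the original slides. It assumes textbook RSA without padding over a toy key built from two Mersenne primes, standing in for the customer's key pair; the function names, key and sample messages are constructed for illustration and the key is not suitable for real use.

```python
import hashlib

# Toy RSA key (constructed for this example): two Mersenne primes, no padding.
P, Q, E = 2**127 - 1, 2**107 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # customer's private exponent (KRc)

def h(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()  # SHA-1, as on the slide

def combined_digest(pimd: bytes, oimd: bytes) -> int:
    """H( H(PI) || H(OI) ) as an integer smaller than N."""
    return int.from_bytes(h(pimd + oimd), "big")

def dual_sign(pi: bytes, oi: bytes) -> int:
    """Customer: DS = E_KRc[ H( H(PI) || H(OI) ) ]."""
    return pow(combined_digest(h(pi), h(oi)), D, N)

def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI and only the digest of PI."""
    return pow(ds, E, N) == combined_digest(pimd, h(oi))

def bank_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Bank holds PI and only the digest of OI."""
    return pow(ds, E, N) == combined_digest(h(pi), oimd)

# Constructed sample messages.
PI = b"card=4111-XXXX-XXXX-1111;amount=25.00;txn=1001"
OI = b"txn=1001;item=book;qty=1"
OTHER_OI = b"txn=1002;item=laptop;qty=1"

if __name__ == "__main__":
    ds = dual_sign(PI, OI)
    print("merchant accepts OI:", merchant_verify(OI, h(PI), ds))
    print("bank accepts PI:", bank_verify(PI, h(OI), ds))
    # A different order paired with the same PI no longer matches the signature.
    print("bank accepts swapped order:", bank_verify(PI, h(OTHER_OI), ds))
```

Each verifier recomputes the combined digest from the one message it is allowed to read plus the digest of the other, so neither needs the other party's plaintext.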
Payment Processing

• Purchase Request
• Payment Authorization
• Payment Capture
Purchase Request

• Before the purchase request begins, the cardholder has completed browsing, selecting and ordering.
• Purchasing involves 4 messages:
• Initial Request
• Initial Response
• Purchase Request
• Purchase Response
Cont…
• Basic Requirements:
• Cardholder Must Have Copy of Certificates for Merchant and Payment Gateway
1) Initiate Request: Customer Requests the Certificates in the Initiate Request Message to Merchant
• Brand of Credit Card
• ID Assigned to this Request/response pair by customer.
• nonce(timestamp) used to ensure timeliness.
2) Initiate Response: Merchant Generates a Response
• Signs with Private Signature Key.
• Transaction ID for Purchase Transaction
• Merchant’s Signature Certificate
• Payment Gateway’s Key Exchange Certificate
• the nonce from the customer
• another nonce for the customer to return in the next message
3) Purchase Request: It includes:
• Purchase-related Information – Payment Information, dual signature, OIMD: This
message is forwarded by merchant to the payment.
• Order-related Information: OI, Dual Sign, PI
• Cardholder Certificate
4) Purchase Response: Sent from card holder to the merchant.
Purchase Request – Customer
Merchant Verifies Purchase Request
Payment Gateway Authorization
• Verifies all certificates
• Decrypts digital envelope of authorization block to obtain
symmetric key & then decrypts authorization block
• Verifies merchant's signature on authorization block
• Decrypts digital envelope of payment block to obtain
symmetric key & then decrypts payment block
• Verifies dual signature on payment block
• Verifies that transaction ID received from merchant matches
that in PI received (indirectly) from customer
• Requests & receives an authorization from issuer
• Sends authorization response back to merchant
Payment Capture
• Merchant sends the payment gateway a payment capture request
• Gateway checks the request
• Then causes funds to be transferred to the merchant’s account
• Notifies the merchant using a capture response
THANK YOU
&
HAPPY SECURE WEB BROWSING!
