Chapter 7

Chapter 7 discusses web security, focusing on the importance of secure communication protocols like SSL and TLS, and the Secure Electronic Transaction (SET) framework for protecting online credit card transactions. It outlines the complexities of SSL's handshake protocol and the roles of various participants in SET transactions. Additionally, it provides recommended readings and resources for further exploration of web security topics.

Uploaded by

Trần Hồng
Chapter 7

WEB Security

Henric Johnson
Blekinge Institute of Technology, Sweden
http://www.its.bth.se/staff/hjo/
[email protected]
Henric Johnson 1
Outline
• Web Security Considerations
• Secure Socket Layer (SSL) and Transport Layer Security (TLS)
• Secure Electronic Transaction (SET)
• Recommended Reading and WEB Sites

Web Security Considerations
• The WEB is very visible.
• Complex software hides many security flaws.
• Web servers are easy to configure and manage.
• Users are not aware of the risks.

Security facilities in the TCP/IP protocol stack (figure)

SSL and TLS
• SSL was originated by Netscape.
• The TLS working group was formed within the IETF.
• The first version of TLS can be viewed as SSLv3.1.

SSL Architecture (figure)

SSL Record Protocol Operation (figure)

SSL Record Format (figure)

SSL Record Protocol Payload (figure)

Handshake Protocol
• The most complex part of SSL.
• Allows the server and client to authenticate each other.
• Negotiates the encryption and MAC algorithms and the cryptographic keys.
• Used before any application data are transmitted.

Handshake Protocol Action (figure)

Transport Layer Security
• The same record format as the SSL record format.
• Defined in RFC 2246.
• Similar to SSLv3.
• Differences in the:
– version number
– message authentication code
– pseudorandom function
– alert codes
– cipher suites
– client certificate types
– certificate_verify and finished message
– cryptographic computations
– padding

Secure Electronic Transactions
• An open encryption and security specification.
• Protects credit card transactions on the Internet.
• Companies involved:
– MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign
• Not a payment system.
• A set of security protocols and formats.

SET Services
• Provides a secure communication channel in a transaction.
• Provides trust by the use of X.509v3 digital certificates.
• Ensures privacy.

SET Overview
• Key Features of SET:
– Confidentiality of information
– Integrity of data
– Cardholder account authentication
– Merchant authentication

SET Participants (figure)

Sequence of events for transactions
1. The customer opens an account.
2. The customer receives a certificate.
3. Merchants have their own certificates.
4. The customer places an order.
5. The merchant is verified.
6. The order and payment are sent.
7. The merchant requests payment authorization.
8. The merchant confirms the order.
9. The merchant provides the goods or service.
10. The merchant requests payment.

Dual Signature
$DS = E_{KR_c}\left[\, H\big( H(PI) \,\|\, H(OI) \big) \right]$
(PI: payment information; OI: order information; H: message digest; $E_{KR_c}$: encryption with the cardholder's private key)

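A worked construction of the dual signature above, added here as an example and not part of the original slides. It assumes SHA-256 for H and a toy textbook RSA key built from two Mersenne primes as the cardholder's key pair (stand-ins chosen so the demo runs offline, not what SET specifies), and shows that the merchant can verify with OI plus only H(PI), while the bank verifies with PI plus only H(OI).

```python
import hashlib

# Toy textbook RSA key for the cardholder (constructed for illustration only:
# Mersenne primes give a predictable, insecure key and there is no padding).
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, plays the role of KRc
DS_LEN = (N.bit_length() + 7) // 8


def H(data: bytes) -> bytes:
    """Message digest; SHA-256 stands in for the hash SET specified."""
    return hashlib.sha256(data).digest()


def dual_signature(pi: bytes, oi: bytes) -> bytes:
    """DS = E_KRc[ H( H(PI) || H(OI) ) ]: sign the hash of both digests."""
    pomd = H(H(pi) + H(oi))  # payment-order message digest
    return pow(int.from_bytes(pomd, "big"), D, N).to_bytes(DS_LEN, "big")


def _recover_digest(ds: bytes) -> bytes:
    """Public-key operation with KUc: recover the 32-byte digest that was signed."""
    m = pow(int.from_bytes(ds, "big"), E, N)
    return m.to_bytes(32, "big") if m < (1 << 256) else b""


def merchant_verifies(oi: bytes, pimd: bytes, ds: bytes) -> bool:
    """Merchant holds OI and only PIMD = H(PI); card details never reach it."""
    return _recover_digest(ds) == H(pimd + H(oi))


def bank_verifies(pi: bytes, oimd: bytes, ds: bytes) -> bool:
    """Bank holds PI and only OIMD = H(OI); it never learns what was bought."""
    return _recover_digest(ds) == H(H(pi) + oimd)


# Constructed sample order information (OI) and payment information (PI).
OI = b"order=1234;item=book;amount=29.99"
PI = b"card=<test-card-number>;exp=12/29;amount=29.99"


def demo() -> tuple:
    """Returns (merchant ok, bank ok, merchant ok with a swapped order)."""
    ds = dual_signature(PI, OI)
    swapped = b"order=9999;item=tv;amount=29.99"  # same PI, different order
    return (merchant_verifies(OI, H(PI), ds),
            bank_verifies(PI, H(OI), ds),
            merchant_verifies(swapped, H(PI), ds))
```

The last value is False: the signature binds this PI to this OI, so the same payment cannot be attached to a different order.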
Payment processing: Cardholder sends Purchase Request (figure)

Payment processing: Merchant Verifies Customer Purchase Request (figure)

Payment processing
• Payment Authorization:
– Authorization Request
– Authorization Response
• Payment Capture:
– Capture Request
– Capture Response

Recommended Reading and WEB sites
• Drew, G. Using SET for Secure Electronic Commerce. Prentice Hall, 1999.
• Garfinkel, S., and Spafford, G. Web Security & Commerce. O'Reilly and Associates, 1997.
• MasterCard SET site
• Visa Electronic Commerce Site
• SETCo (documents and glossary of terms)
