Lecture 6: Web Security
Outline

•   Web Security Considerations
•   Secure Socket Layer (SSL) and Transport Layer Security (TLS)
•   Secure Electronic Transaction (SET)

Web Security Considerations

•   The Web is very visible.
•   Complex software hides many security flaws.
•   Web servers are easy to configure and manage, even though the underlying
    software is complex.
•   Users are often unaware of the risks.

Security facilities in the TCP/IP protocol stack




•   Pretty Good Privacy (PGP):
     –  a data encryption and decryption computer program
     –  provides cryptographic privacy and authentication for data
        communication
     –  used for signing, encrypting and decrypting e-mails

•   S/MIME (Secure/Multipurpose Internet Mail Extensions)
     –  a standard for public key encryption and signing of MIME data
     –  provides the following cryptographic security services:
          · authentication
          · message integrity
          · non-repudiation of origin (using digital signatures)
          · privacy
          · data security (using encryption)
•   Kerberos (named after the hound of Hades):
     –  a computer network authentication protocol
     –  allows nodes communicating over a non-secure network to prove their
        identity to one another in a secure manner
     –  provides mutual authentication: both the user and the server verify
        each other's identity
SSL and TLS

•   SSL was originated by Netscape
•   TLS working group was formed within IETF
•   First version of TLS can be viewed as an SSLv3.1



•   SSL
     –  SSL Architecture
     –  SSL Record Protocol
     –  Change Cipher Spec Protocol
     –  Alert Protocol
     –  Handshake Protocol
SSL Architecture
•   Not a single protocol but two layers of protocols
•   Provides basic security services to higher-layer protocols,
    e.g. HTTP operates on top of SSL
•   Three higher-layer protocols are defined as part of SSL: the Handshake
    Protocol, the Change Cipher Spec Protocol and the Alert Protocol
SSL session / SSL connection

•   Two important concepts: SSL connection and SSL session
•   SSL connection
     –  A transport (in the OSI sense) that provides a suitable type of service
     –  An SSL connection is a peer-to-peer relationship and is transient
     –  Every SSL connection is associated with one session

•   SSL session
     –  An association between a client and a server
     –  Created by the Handshake Protocol
     –  Defines a set of cryptographic security parameters, which can be
        shared among multiple connections (avoiding a new handshake for each)

•   States:
     –  Current operating state: the parameters in use for sending and receiving
     –  Pending state: the parameters negotiated by the Handshake Protocol for
        sending and receiving
          · When the handshake succeeds, the pending state becomes the current
            operating state
SSL Record Protocol : Services

•   Two services for SSL connections
    1. Confidentiality
         –  The Handshake Protocol defines a shared secret key that is used for
            conventional (symmetric) encryption of SSL payloads
    2. Message integrity
         –  The Handshake Protocol defines a shared secret key that is used to
            form a message authentication code (MAC)

•   Compression
     –  Lossless compression to shrink the message size
     –  Defined as NULL in SSLv3 and in TLS 1.0: no compression algorithm is
        specified, so the default is no compression. Compressing data before
        encrypting it leaks information about the plaintext (the 2012 CRIME
        attack on TLS compression), and TLS 1.3 removes compression entirely.
SSL Record Protocol : Operation
•   No distinction is made among various applications using
    SSL; the content of data is opaque to SSL

    [Figure: SSL Record Protocol operation. Fragment (2^14 bytes max) ->
     compression (optional) -> MAC computed with the shared secret key ->
     symmetric encryption -> SSL record header prepended]

•   Step 1, fragmentation: each upper-layer message is fragmented into blocks
    of 2^14 bytes (16,384 bytes) or less
•   Step 2, compression: optional; must be lossless and may not increase the
    content length by more than 1,024 bytes
•   Step 3, message authentication code (MAC): computed over the compressed
    data using the shared secret key
•   Step 4, encryption: the compressed message (if compression was applied)
    plus the MAC are encrypted using symmetric encryption; encryption may not
    increase the content length by more than 1,024 bytes
•   Final step, header preparation: an SSL record header is prepended
SSL Record Format

•   The header consists of the following:
     –  Content Type (8 bits): the higher-layer protocol used to process the
        enclosed fragment: change_cipher_spec, alert, handshake or
        application_data
     –  Major Version (8 bits): major version of SSL in use, e.g. 3 for SSLv3
     –  Minor Version (8 bits): minor version in use, e.g. 0 for SSLv3
     –  Compressed Length (16 bits): the length in bytes of the plaintext
        fragment (or the compressed fragment if compression is used); the
        maximum value is 2^14 + 2048
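The following Python model is an added example, not code from these slides, showing the record-layer steps and header described above with a NULL cipher (MAC only, as in a *_WITH_NULL_SHA cipher suite): fragmentation into 2^14-byte blocks, the SSLv3 MAC construction and the TLS 1.0 HMAC variant (the "message authentication code" difference listed on the Transport Layer Security slide), the 5-byte header, and the receiver's checks that reject a corrupted, replayed, oversized or wrong-version record. The secret key and the message bytes are constructed for the demonstration; compression is the NULL algorithm, and a real stack would encrypt fragment, MAC and padding with the negotiated cipher.

```python
"""Toy SSL/TLS record layer: fragmentation, MAC, header (stdlib only, NULL cipher).

Added illustration, not the lecture's code. Encryption is left as the NULL
cipher so that the framing and MAC steps stand out.
"""
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14                 # step 1: fragments are at most 16,384 bytes
MAX_RECORD_BODY = MAX_FRAGMENT + 2048  # bound on a protected fragment (compression, MAC, padding)
SSLV3, TLS10 = (3, 0), (3, 1)          # major.minor carried in the record header
MAC_LEN = hashlib.sha1().digest_size   # 20 bytes for the SHA-1 based MACs below
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}


class RecordError(Exception):
    """On the wire this would be a fatal alert (bad_record_mac, unexpected_message, ...)."""


def fragment(data: bytes) -> list:
    """Step 1: split an upper-layer message into fragments of at most 2^14 bytes."""
    return [data[i:i + MAX_FRAGMENT] for i in range(0, len(data), MAX_FRAGMENT)] or [b""]


def ssl3_mac(secret: bytes, seq: int, ctype: int, frag: bytes) -> bytes:
    """SSLv3 MAC: hash(secret || pad_2 || hash(secret || pad_1 || seq || type || length || fragment)).
    pad_1 is 0x36 and pad_2 is 0x5c, each repeated 40 times for SHA-1 (48 for MD5)."""
    pad1, pad2 = b"\x36" * 40, b"\x5c" * 40
    meta = struct.pack("!QBH", seq, ctype, len(frag))   # 64-bit sequence number, 8-bit type, 16-bit length
    inner = hashlib.sha1(secret + pad1 + meta + frag).digest()
    return hashlib.sha1(secret + pad2 + inner).digest()


def tls_mac(secret: bytes, seq: int, ctype: int, version: tuple, frag: bytes) -> bytes:
    """TLS 1.0 (RFC 2246) MAC: HMAC-SHA1 over seq || type || version || length || fragment.
    Unlike SSLv3 it uses standard HMAC and binds the protocol version into the MAC input."""
    meta = struct.pack("!QBBBH", seq, ctype, version[0], version[1], len(frag))
    return hmac.new(secret, meta + frag, hashlib.sha1).digest()


def compute_mac(secret: bytes, seq: int, ctype: int, version: tuple, frag: bytes) -> bytes:
    if version == SSLV3:
        return ssl3_mac(secret, seq, ctype, frag)
    return tls_mac(secret, seq, ctype, version, frag)


def build_record(secret: bytes, seq: int, ctype: int, version: tuple, frag: bytes) -> bytes:
    """Steps 3-5 for one fragment: append the MAC, (NULL-)encrypt, prepend the 5-byte header."""
    if len(frag) > MAX_FRAGMENT:
        raise ValueError("fragment exceeds 2^14 bytes; call fragment() first")
    body = frag + compute_mac(secret, seq, ctype, version, frag)   # fragment || MAC
    header = struct.pack("!BBBH", ctype, version[0], version[1], len(body))
    return header + body


def parse_record(secret: bytes, seq: int, version: tuple, record: bytes):
    """Receiver side: validate the header, bound the length, then check the MAC in constant time.
    The caller passes the sequence number it expects, so a replayed or reordered record fails."""
    if len(record) < 5:
        raise RecordError("truncated header")
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    if ctype not in CONTENT_TYPES:
        raise RecordError(f"unexpected_message: unknown content type {ctype}")
    if (major, minor) != version:
        raise RecordError(f"version {major}.{minor} differs from negotiated {version[0]}.{version[1]}")
    if length > MAX_RECORD_BODY or length < MAC_LEN or len(record) != 5 + length:
        raise RecordError("bad record length")
    body = record[5:]
    frag, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(mac, compute_mac(secret, seq, ctype, version, frag)):
        raise RecordError("bad_record_mac")
    return ctype, frag


def protect(secret: bytes, version: tuple, ctype: int, data: bytes, first_seq: int = 0) -> list:
    """Sender: one record per fragment, sequence numbers increasing from first_seq."""
    return [build_record(secret, first_seq + i, ctype, version, f) for i, f in enumerate(fragment(data))]


def unprotect(secret: bytes, version: tuple, records: list, first_seq: int = 0) -> bytes:
    """Receiver: verify every record in order and reassemble the upper-layer message."""
    out = []
    for i, rec in enumerate(records):
        _ctype, frag = parse_record(secret, first_seq + i, version, rec)
        out.append(frag)
    return b"".join(out)
```

The sequence number is never sent on the wire; both sides count records, which is why a replayed or dropped record shows up as a MAC failure rather than as a separate check.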
SSL Change Cipher Spec Protocol

•   Uses the SSL Record Protocol
•   The simplest one: consists of a single message, which is a single byte with
    value 1
•   Its purpose is to cause the pending state to be copied into the current
    state, which updates the cipher suite used on this connection

Alert Protocol

•   Conveys SSL-related alerts to the peer
•   Alert messages are compressed and encrypted, as specified by the current state
•   Each message consists of two bytes
     –  The first byte indicates the alert level (severity)
          · warning
          · fatal: SSL immediately terminates the connection; other connections
            on the same session may continue, but no new connections may be
            established on that session
          · alerts that are always fatal: unexpected_message, bad_record_mac,
            decompression_failure, handshake_failure, illegal_parameter
     –  The second byte contains a code that indicates the specific alert
          · warning alerts: close_notify, no_certificate, bad_certificate,
            unsupported_certificate, certificate_revoked, certificate_expired,
            certificate_unknown
Handshake Protocol

•   The most complex part of SSL.
•   Server and client authenticate each other.
•   Server and client negotiate the encryption algorithm, the MAC algorithm and
    the cryptographic keys to be used.
•   Used before any application data is transmitted.
•   Message format
     –  Type (1 byte): indicates one of ten message types (e.g. hello_request,
        client_hello, certificate, server_key_exchange)
     –  Length (3 bytes): the length of the message in bytes
     –  Content: the parameters associated with this message
Handshake Protocol : Phases

•   Phase 1: Establish Security Capabilities
     –  Initiates the logical connection and establishes the security
        capabilities (protocol version, session ID, cipher suite, compression
        method, random values) to be associated with it, via client_hello and
        server_hello

•   Phase 2: Server Authentication and Key Exchange
     –  The server sends its certificate (if authentication is required)
     –  May send a server_key_exchange message and may request a client
        certificate; the phase ends with server_hello_done

•   Phase 3: Client Authentication and Key Exchange
     –  The client verifies the server's certificate and checks the
        server_hello parameters
     –  Sends a certificate if one was requested (or, in SSLv3, a no_certificate
        alert), then the client_key_exchange message and, if it sent a
        certificate, a certificate_verify message

•   Phase 4: Finish
     –  Completes the setting up of a secure connection: each side sends
        change_cipher_spec followed by finished
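As an added example (not the lecture's own code), the following Python encodes and parses a phase-1 client_hello, the message in which the client advertises the security capabilities listed above, and performs the server's side of the negotiation: choosing a cipher suite. The cipher-suite code points are the registered SSLv3/TLS 1.0 values; the 32 random bytes, the offered list and the server preference list are constructed for the demonstration, and TLS extensions are not modelled.

```python
"""ClientHello encoder/parser and server-side cipher-suite selection (stdlib only).

Added illustration for phase 1 of the handshake, not code from the lecture:
the client advertises its capabilities, the server picks from them.
"""
import struct

HANDSHAKE = 22        # record-layer content type
CLIENT_HELLO = 1      # handshake message type
TLS10 = (3, 1)
NULL_COMPRESSION = 0

# Registered cipher-suite code points from the SSLv3/TLS 1.0 era used in this example.
SUITES = {
    0x0002: "TLS_RSA_WITH_NULL_SHA",                    # integrity only, no confidentiality
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x001D: "SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA",   # SSLv3 only; TLS dropped Fortezza
}


def build_client_hello(version, client_random, session_id, cipher_suites,
                       compression=(NULL_COMPRESSION,)):
    """Encode a ClientHello body, wrap it in a handshake message, then in a handshake record."""
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes (4-byte timestamp + 28 random bytes)")
    body = bytes(version) + client_random
    body += struct.pack("!B", len(session_id)) + session_id         # empty unless resuming a session
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)   # in the client's preference order
    body += struct.pack("!H", len(suites)) + suites
    body += struct.pack("!B", len(compression)) + bytes(compression)
    msg = struct.pack("!B", CLIENT_HELLO) + len(body).to_bytes(3, "big") + body  # type (1) + length (3)
    return struct.pack("!BBBH", HANDSHAKE, version[0], version[1], len(msg)) + msg


def parse_client_hello(record):
    """Decode a record that holds exactly one ClientHello; raise ValueError on anything malformed."""
    try:
        ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
        if ctype != HANDSHAKE or len(record) != 5 + length:
            raise ValueError("expected one complete handshake record")
        msg = record[5:]
        if msg[0] != CLIENT_HELLO or int.from_bytes(msg[1:4], "big") != len(msg) - 4:
            raise ValueError("expected a ClientHello whose length field matches the record")
        body = msg[4:]
        version = (body[0], body[1])
        off = 2
        client_random = body[off:off + 32]
        off += 32
        sid_len = body[off]
        off += 1
        session_id = body[off:off + sid_len]
        off += sid_len
        (cs_len,) = struct.unpack("!H", body[off:off + 2])
        off += 2
        if cs_len == 0 or cs_len % 2:
            raise ValueError("cipher_suites must be a non-empty list of 2-byte values")
        suites = [struct.unpack("!H", body[off + i:off + i + 2])[0] for i in range(0, cs_len, 2)]
        off += cs_len
        comp_len = body[off]
        off += 1
        compression = list(body[off:off + comp_len])
        off += comp_len
    except (IndexError, struct.error) as exc:
        raise ValueError("truncated ClientHello") from exc
    if off != len(body):
        raise ValueError("trailing bytes: extensions are not handled by this parser")
    return {"version": version, "random": client_random, "session_id": session_id,
            "cipher_suites": suites, "compression": compression}


# Server policy (constructed): its own preference order; NULL-cipher and Fortezza suites are never chosen.
SERVER_PREFERENCE = [0x002F, 0x000A]


def select_cipher_suite(offered, preference=SERVER_PREFERENCE):
    """Return the first suite in the *server's* order that the client also offered, else None.
    Honouring the server's order stops a client that lists weak suites first from steering
    the session to them."""
    for suite in preference:
        if suite in offered:
            return suite
    return None   # no suite in common -> the server sends a fatal handshake_failure alert
```

The chosen suite, the server's own random value and the session ID go back in server_hello; everything the client offered is later covered by the hash in the finished message, so a modified hello is detected in phase 4 even though the hello itself is sent in the clear.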
Handshake Protocol Action (figure not reproduced)

Transport Layer Security
•   Uses the same record format as SSL.
•   Defined in RFC 2246 (TLS 1.0). Later versions are TLS 1.1 (RFC 4346),
    TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8446); SSLv3, TLS 1.0 and TLS 1.1 are
    now deprecated.
•   Very similar to SSLv3.
•   Differences in the:
     –  version number: major version 3, minor version 1
     –  message authentication code: TLS uses HMAC (RFC 2104) and includes the
        protocol version in the MAC input
     –  pseudorandom function
     –  alert codes
     –  cipher suites: no longer any support for Fortezza
     –  client certificate types
     –  certificate_verify and finished messages
     –  cryptographic computations
     –  padding
Secure Electronic Transactions
•   An open encryption and security specification.
•   Designed to protect credit card transactions on the Internet.
•   Companies involved:
     –  MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign
•   A set of security protocols and formats, not itself a payment system.
Secure Electronic Transactions

•   Key features of SET:
     –  Confidentiality of information
     –  Integrity of data
     –  Cardholder account authentication
     –  Merchant authentication

•   SET services
     –  Provides a secure communication channel among the parties in a transaction.
     –  Provides trust by the use of X.509v3 digital certificates.
     –  Ensures privacy.
SET Participants

•   Cardholder: a person who uses a payment card to purchase goods or services.

•   Merchant: a business or organization that sells goods or services to the
    cardholder, here in a SET transaction over the Internet.

•   Issuer: the financial institution that provides the cardholder with the
    payment card. The issuer is responsible for guaranteeing payment on
    behalf of its cardholder.

•   Acquirer: the financial institution that processes payment card
    authorizations and payments for the merchant. The acquirer's
    responsibility is to obtain payment authority from the cardholder's
    issuer.
•   Payment Gateway: an institution that works on behalf of the acquirer to
    process the merchant's payment messages, including payment instructions
    from cardholders.

•   Certificate Authority: provides certification for the merchant, cardholder
    and payment gateway. Certification provides a means of assuring that the
    parties involved in a transaction
Sequence of events for transactions

1.    The customer opens an account.
2.    The customer receives a certificate.
3.    Merchants have their own certificates.
4.    The customer places an order.
5.    The merchant is verified.
6.    The order and payment are sent.
7.    The merchant requests payment authorization.
8.    The merchant confirms the order.
9.    The merchant provides the goods or service.
10.   The merchant requests payment.
HTTPS

•   HTTPS (HTTP over SSL): the combination of HTTP and SSL
     –  RFC 2818, HTTP Over TLS: no fundamental change in how HTTP is used
        over SSL or TLS
     –  Secure communication between Web browsers and Web servers
     –  Built into all modern Web browsers
     –  Web servers should support HTTPS communication
•   Connection initiation
     –  The client initiates a connection to the server on the appropriate
        port (443 by default)
     –  The TLS handshake is performed
     –  Data is sent as HTTP requests and responses over the TLS connection
•   Connection closure
     –  The client indicates the closing of the connection with the HTTP header
        Connection: close; the TLS peer sends a close_notify alert before
        closing the underlying connection
     –  A client must be able to cope with a connection that is terminated
        without a close notification and issue a security warning, since the
        data it received may have been truncated
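Added example, not from the slides: a minimal HTTPS client using only Python's standard library that follows the RFC 2818 points above: port 443, certificate and hostname verification during the handshake, Connection: close, and the distinction between a connection ended with close_notify and one cut off without it. `example.com` in the usage block is a placeholder host, and the sample responses checked for completeness are constructed.

```python
"""HTTPS client skeleton following RFC 2818 (stdlib only).

Added illustration, not code from the lecture. Nothing connects to the network
unless https_get() is called.
"""
import socket
import ssl

DEFAULT_PORT = 443   # https default port (RFC 2818)


def build_request(host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request; Connection: close asks the server to close after the response."""
    return f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode("ascii")


def response_complete(raw: bytes) -> bool:
    """HTTP-level check that the body was not truncated, independent of how TLS was closed."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    if b"content-length" in headers:
        return len(body) == int(headers[b"content-length"])
    if headers.get(b"transfer-encoding", b"").lower() == b"chunked":
        return body.endswith(b"0\r\n\r\n")   # last-chunk marker seen
    return False   # no framing information: only a clean close_notify can vouch for completeness


def https_get(host: str, port: int = DEFAULT_PORT, timeout: float = 10.0):
    """Connect, handshake, send the request and read to EOF.
    Returns (response_bytes, clean_close). clean_close is False when the peer closed TCP without
    a TLS close_notify, which RFC 2818 says the client must treat as a possible truncation."""
    ctx = ssl.create_default_context()   # verifies the certificate chain and the hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # suppress_ragged_eofs=False: an EOF without close_notify raises instead of looking normal
        with ctx.wrap_socket(raw, server_hostname=host, suppress_ragged_eofs=False) as tls:
            tls.sendall(build_request(host))
            chunks, clean = [], True
            try:
                while True:
                    data = tls.recv(4096)
                    if not data:          # EOF preceded by close_notify
                        break
                    chunks.append(data)
            except ssl.SSLEOFError:
                clean = False             # TCP closed with no close_notify: warn, do not trust
    return b"".join(chunks), clean


def classify(response: bytes, clean_close: bool) -> str:
    """Accept the response if TLS closed cleanly or the HTTP framing proves it complete."""
    if clean_close or response_complete(response):
        return "complete"
    return "truncated: connection closed without close_notify"


if __name__ == "__main__":
    body, clean = https_get("example.com")   # placeholder host
    print(classify(body, clean))
```

Python's wrap_socket suppresses the ragged-EOF error by default, so a client that does not set suppress_ragged_eofs=False cannot tell a truncated response from a complete one unless the HTTP framing gives it away.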
SSH : Secure Shell
(Reading Assignment)
