chapter 7
DESCRIPTION
Chapter 7. WEB Security. Henric Johnson Blekinge Institute of Technology, Sweden http://www.its.bth.se/staff/hjo/ [email protected]. Outline. Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction (SET) - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/1.jpg)
Henric Johnson 1
Chapter 7
WEB Security
Henric Johnson
Blekinge Institute of Technology, Sweden
http://www.its.bth.se/staff/hjo/
![Page 2: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/2.jpg)
Henric Johnson 2
Outline
• Web Security Considerations• Secure Socket Layer (SSL) and
Transport Layer Security (TLS)• Secure Electronic Transaction
(SET)• Recommended Reading and WEB
Sites
![Page 3: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/3.jpg)
Henric Johnson 3
Web Security Considerations
• The WEB is very visible.• Complex software hide many
security flaws.• Web servers are easy to configure
and manage.• Users are not aware of the risks.
![Page 4: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/4.jpg)
Henric Johnson 4
Security facilities in the TCP/IP protocol stack
![Page 5: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/5.jpg)
Henric Johnson 5
SSL and TLS
• SSL was originated by Netscape• TLS working group was formed
within IETF• First version of TLS can be viewed
as an SSLv3.1
![Page 6: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/6.jpg)
Henric Johnson 6
SSL Architecture
![Page 7: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/7.jpg)
Henric Johnson 7
SSL Record Protocol Operation
![Page 8: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/8.jpg)
Henric Johnson 8
SSL Record Format
![Page 9: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/9.jpg)
Henric Johnson 9
SSL Record Protocol Payload
![Page 10: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/10.jpg)
Henric Johnson 10
Handshake Protocol
• The most complex part of SSL.• Allows the server and client to
authenticate each other.• Negotiate encryption, MAC
algorithm and cryptographic keys.• Used before any application data
are transmitted.
![Page 11: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/11.jpg)
Henric Johnson 11
Handshake Protocol Action
![Page 12: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/12.jpg)
Henric Johnson 12
Transport Layer Security
• The same record format as the SSL record format.• Defined in RFC 2246.• Similar to SSLv3.• Differences in the:
– version number– message authentication code– pseudorandom function– alert codes– cipher suites – client certificate types– certificate_verify and finished message– cryptographic computations– padding
![Page 13: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/13.jpg)
Henric Johnson 13
Secure Electronic Transactions
• An open encryption and security specification.
• Protect credit card transaction on the Internet.
• Companies involved:– MasterCard, Visa, IBM, Microsoft,
Netscape, RSA, Terisa and Verisign• Not a payment system.• Set of security protocols and formats.
![Page 14: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/14.jpg)
Henric Johnson 14
SET Services
• Provides a secure communication channel in a transaction.
• Provides tust by the use of X.509v3 digital certificates.
• Ensures privacy.
![Page 15: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/15.jpg)
Henric Johnson 15
SET Overview
• Key Features of SET:– Confidentiality of information– Integrity of data– Cardholder account
authentication– Merchant authentication
![Page 16: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/16.jpg)
Henric Johnson 16
SET Participants
![Page 17: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/17.jpg)
Henric Johnson 17
Sequence of events for transactions
1. The customer opens an account.2. The customer receives a certificate.3. Merchants have their own certificates.4. The customer places an order.5. The merchant is verified.6. The order and payment are sent.7. The merchant request payment authorization.8. The merchant confirm the order.9. The merchant provides the goods or service.10.The merchant requests payments.
![Page 18: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/18.jpg)
Henric Johnson 18
Dual Signature
H(OI))]||)(([ PIHHEDScKR
![Page 19: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/19.jpg)
Henric Johnson 19
Payment processing
Cardholder sends Purchase Request
![Page 20: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/20.jpg)
Henric Johnson 20
Payment processing
Merchant Verifies Customer Purchase Request
![Page 21: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/21.jpg)
Henric Johnson 21
Payment processing
• Payment Authorization:– Authorization Request– Authorization Response
• Payment Capture:– Capture Request– Capture Response
![Page 22: Chapter 7](https://reader030.vdocuments.mx/reader030/viewer/2022032606/56812cd1550346895d918c2d/html5/thumbnails/22.jpg)
Henric Johnson 22
Recommended Reading and WEB sites
• Drew, G. Using SET for Secure Electronic Commerce. Prentice Hall, 1999
• Garfinkel, S., and Spafford, G. Web Security & Commerce. O’Reilly and Associates, 1997
• MasterCard SET site• Visa Electronic Commerce Site• SETCo (documents and glossary of
terms)