Application Hardening
• Application hardening is the process of securing an application against local and Internet-based attacks.
• Application hardening is achieved by removing the functions or components that you do not require, restricting access, and making sure the application is kept up to date with patches.
• Maintaining application security is important because the application must remain accessible to users. Most applications have problems such as buffer overflows in legitimate user input fields, so patching the application is the only way to secure it from attack.
Application Patches:
• Application patches are supplied by the vendor who sells the application, since the vendor is the one with access to the source code. In some cases, such as Apache, the vendor is operating-system independent and provides versions of the application for many different operating systems.
• Application patches generally come in three varieties:
1) Hotfixes,
2) Patches,
3) Upgrades.
Hotfixes:
• Hotfixes are usually small sections of code designed to fix a specific problem. For example, a hotfix may be released to address a buffer overflow in the login routine of an application.
Patches:
• Patches are usually collections of fixes. They are likely to be much larger, and they are usually released on a periodic basis or when enough problems have been addressed to justify a patch release.
Upgrades:
• Upgrades are another popular method of patching applications, and they are likely to be received more positively than patches. The term upgrade has a positive implication: you are moving up to a better, more functional and more secure application.
• Hence, most vendors will release upgrades for fixes rather than for any new or enhanced functionality.
• Application patches can be provided directly from the vendor's web site or FTP site, or by CD.
• A patch is often a small binary application which, when run, automatically replaces defective application binaries with updated ones.
• Patches can also change settings or modify configuration files. Many times the patches are delivered as a zipped archive of files with a set of instructions that require the user or administrator to manually replace the faulty application files with the updated ones.
• Some advanced applications use automatic update routines; for example, in an operating system, the application will be updated automatically.
Web Servers:
• Web servers are the most common Internet server-side application in use.
• They are mainly designed to provide content and functionality to remote users through a standard web browser.
• Web servers are used for many different purposes, such as distributing news, selling almost every product ever created, conducting public sales, and showing pictures of events.
• Because of their popularity and creative use, web servers have become extremely popular targets for attackers.
• Web sites are defaced and the original content is replaced with something the owner did not intend to display. E-commerce sites are attacked, and an attacker steals credit card numbers, user information and so on.
• Setting up a web server is made extremely easy by vendors. This is the main reason for their popularity. But vendors do not always provide good security configurations as part of the default installation.
• Fortunately, hardening a web server is not that difficult. Let us take as an example the most popular web server, IIS.
Internet Information Server (IIS):
• Nowadays Microsoft's Internet Information Server (IIS) is one of the most popular web server applications. IIS comes as a standard package with the Windows 2000 Server and Advanced Server operating systems. IIS can be loaded at install time or added to the configuration later.
• Because of its popularity, IIS is a very popular target for attackers, and new vulnerabilities and exploits are released on an almost weekly or even daily basis.
• The first step in securing IIS is to remove all sample files. To help users set up their sites, IIS installs sample files that users can examine and use as a reference when constructing their own web sites.
• But these sample files are full of vulnerabilities and holes, so they should never be present on a production web server.
• Sample files are stored in virtual and physical directories, so to remove the IIS sample applications, remove both the virtual and the physical directories. For example, the IIS samples are present in the IISSamples virtual directory, whose physical location is C:\Inetpub\IISsample.
• The next step in securing IIS is to set up the appropriate permissions for the web server's files and directories. This is done using Access Control Lists (ACLs).
• Web servers are typically designed to give broad access to the public; the key is to limit the user's ability to browse or navigate outside the intended path. This will typically involve removing permissions for the "Everyone" group from certain files and directories.
• You should never give the "Everyone" group both write and execute permissions to the same directory. In such cases, do not allow users to have write permissions for any of the web server's directories.
• Another important part of securing an IIS server is patching. Because IIS is almost an integral part of the Windows Server operating system, the service packs for the operating system may also contain patches and fixes for IIS.
• Also, Microsoft releases security bulletins to address specific vulnerabilities that are discovered. A security bulletin contains links to the patch or hotfix, or manual steps an administrator can perform until a formal patch is released.
• Because of the strong popularity of IIS, it is very difficult for an administrator to keep pace with all the discovered vulnerabilities and the patches required to keep it up to date and secure from attack.
• To help secure IIS servers, Microsoft has developed two tools.
• URLScan is a monitoring utility and pre-processor that examines all incoming URLs and rejects any request for files, directories, or services outside the scope of the web site.
• The IIS Lockdown tool asks the administrator a series of questions to determine which features are needed. Based on the answers, IIS Lockdown can disable WebDAV, remove dynamic script type associations, restore default security settings, and back up the IIS metabase and ACLs.
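The permission rules above can be turned into a small audit. The following is an added example, not code from the slides or from Microsoft: it checks a constructed list of web-content ACL entries for sample directories that should not exist, for the Everyone group holding both write and execute on one directory, and for non-administrative accounts with write permission (the WRITE_ALLOWED set and the Ace records are assumptions made for this example).

```python
"""Added example, not from the original slides: audits constructed IIS-style
web-content ACL entries against the rules in the text above. The Ace records
are sample data, not read from a real server."""
from dataclasses import dataclass

READ, WRITE, EXECUTE = "read", "write", "execute"
# Sample content named in the slides; add other sample vdirs of your install here.
SAMPLE_VDIRS = {"IISSamples"}
# Accounts allowed to write to content directories (assumption for this example).
WRITE_ALLOWED = {"administrators", "system"}


@dataclass(frozen=True)
class Ace:
    """One access-control entry: a principal's rights on a virtual directory."""
    vdir: str           # virtual directory name as seen by IIS
    path: str           # physical directory backing it
    principal: str      # user or group
    rights: frozenset   # subset of {READ, WRITE, EXECUTE}


def audit_web_acls(aces):
    """Return findings as (severity, vdir, message) tuples, sorted for stable output."""
    findings = []
    by_dir = {}
    for ace in aces:
        by_dir.setdefault(ace.vdir, []).append(ace)

    for vdir, entries in by_dir.items():
        # Rule 1: sample applications must be removed (virtual and physical directory).
        if vdir in SAMPLE_VDIRS:
            findings.append(("high", vdir,
                             f"sample application present; remove vdir and {entries[0].path}"))
        # Rule 2: Everyone must never hold write and execute on the same directory.
        everyone = frozenset().union(
            *(e.rights for e in entries if e.principal.lower() == "everyone"))
        if WRITE in everyone and EXECUTE in everyone:
            findings.append(("high", vdir, "Everyone has both write and execute"))
        # Rule 3: no ordinary account should hold write permission on a web directory.
        for e in entries:
            if WRITE in e.rights and e.principal.lower() not in WRITE_ALLOWED:
                findings.append(("medium", vdir, f"{e.principal} has write permission"))
    return sorted(findings)


# Constructed sample ACL entries for a hypothetical server.
SAMPLE_ACES = [
    Ace("wwwroot", r"C:\Inetpub\wwwroot", "Everyone", frozenset({READ, EXECUTE})),
    Ace("wwwroot", r"C:\Inetpub\wwwroot", "Administrators", frozenset({READ, WRITE, EXECUTE})),
    Ace("IISSamples", r"C:\Inetpub\IISsample", "Everyone", frozenset({READ, EXECUTE})),
    Ace("uploads", r"C:\Inetpub\uploads", "Everyone", frozenset({READ, WRITE, EXECUTE})),
    Ace("uploads", r"C:\Inetpub\uploads", "webauthor", frozenset({READ, WRITE})),
]

if __name__ == "__main__":
    for severity, vdir, message in audit_web_acls(SAMPLE_ACES):
        print(f"[{severity}] {vdir}: {message}")
```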
Active Directory:
• Active Directory allows a single login to multiple applications, data sources and systems. It includes advanced encryption capabilities: Kerberos and PKI.
• It is built around a database known as the schema. The schema contains information about network objects: domains, servers, workstations, printers, groups, users and so on.
• All objects are placed into a domain, which can be used to control which users may access which objects.
• Each domain has its own security policies, administrative control, privileges, and relationships to other domains.
• Some domains have a hierarchical structure, known as a forest. Branching off the main domain is a tree, which contains parent and child domains.
• Another key feature of Active Directory is delegation, meaning the ability to push some selected administrative controls down to users in each domain.
• The enterprise-level administrative accounts are in the root domain and local admin accounts are in the child domains. So if you are a high-level admin in the central office, you can grant local authority to a local admin to add users, configure printers and so on in a remote office. In many large organizations this type of administrative control can be very useful.
• Active Directory objects use an access control list (ACL) to check who can view the object, which attributes they can read, and what actions they can perform on the object.
• Many times administrators can give permissions to a specific folder by specifying that every subfolder or file must have the same permissions; this means that access controls can be inherited from a parent to a child in the hierarchy.
• A global catalog stores a subset of information on all the objects maintained by Active Directory. It is useful for many functions such as user identification and e-mail addresses. It must be available for Active Directory to function properly and to resolve its queries.
• Microsoft products use the Lightweight Directory Access Protocol (LDAP) to update and query Active Directory. Each object in the directory has a unique name in LDAP. LDAP is not an encrypted protocol, hence any host on the network can intercept and inspect the LDAP queries and updates.
• The security of Active Directory is achieved by planning and using appropriate permissions.
Web Security Threats:
Category: Integrity
Threats: modification of user data, memory or message traffic; Trojan horse browser
Impact: information loss; vulnerability to all other threats; compromise of machine
Actions: use of cryptographic checksums
Web Traffic Security Approaches:
• There are different approaches to providing web security. These approaches are similar in the services they provide, but they differ from each other with respect to their scope of applicability and their location in the TCP/IP protocol stack. These differences are shown in fig. 6.2.1.
• One way to provide web security is with the help of IPsec, as shown in fig. 6.2.1(a). The advantage of this approach is that it is transparent to end-user applications and provides a general-purpose solution.
• IPsec also contains a filtering capability, so that only selected traffic need incur the overhead of IPsec processing.
• Another solution is to implement security just above TCP, as shown in fig. 6.2.1(b). Examples of this approach are the Secure Sockets Layer (SSL) and the Internet standard known as Transport Layer Security (TLS).
• There are two implementation choices for SSL or TLS. It can be part of the underlying protocol suite and hence transparent to applications. Alternatively, SSL can be embedded in specific packages: the Netscape and Microsoft Internet Explorer browsers are equipped with SSL, and many web servers have implemented the protocol.
• Application-specific security services are embedded within the particular application, as shown in fig. 6.2.1(c). The benefit of this approach is that the service can be tailored to the specific needs of a given application.
Fig. 6.2.1: Location of security facilities in the TCP/IP protocol stack
(a) Network level:
    HTTP | FTP | SMTP
    TCP
    IP/IPsec
(b) Transport level:
    HTTP | FTP | SMTP
    SSL or TLS
    TCP
    IP
(c) Application level:
    S/MIME | PGP | SET
    Kerberos | SMTP | HTTP
    UDP | TCP
    IP
SSL Architecture:
• SSL is designed to make use of TCP to provide a reliable end-to-end secure service. SSL is not a single protocol but a two-layer protocol.
• SSL Record Protocol: it provides basic security services to various higher-layer protocols, for example the Hypertext Transfer Protocol (HTTP), which provides the transfer service for web client/server interactions and can operate on top of SSL.
• Three higher-layer protocols are defined as part of SSL and are used in the management of SSL exchanges: the Handshake Protocol, the Change Cipher Spec Protocol, and the Alert Protocol.
Secure Sockets Layer (SSL):
• SSL has the following two important concepts:
SSL Connection: A connection is a transport that provides a suitable type of service. For SSL, connections are peer-to-peer relationships and are transient. Every connection is associated with one session.
SSL Session: A session is an association between a client (browser) and a web server. Sessions are created by the Handshake Protocol and define a set of cryptographic security parameters that can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection.
• There may be multiple secure connections between any pair of parties. There may also be multiple simultaneous sessions between parties, but in practice this feature is not used.
• Each session is associated with a number of states. Once a session is established, there is a current operating state for both read and write. Pending read and write states are created during the Handshake Protocol. On successful conclusion of the Handshake Protocol, the pending states become the current states.
A session state is defined by the following parameters:
Session identifier: an arbitrary byte sequence chosen by the server to identify an active or resumable session state.
Peer certificate: an X.509v3 certificate of the peer. This element may be null.
Compression method: the algorithm used to compress data prior to encryption.
Cipher spec: specifies the encryption algorithm (such as DES) and the hash algorithm (such as MD5 or SHA-1) used for MAC calculation. It also defines cryptographic attributes such as the hash_size.
Master secret: a 48-byte secret shared between the client and server.
Is resumable: a flag indicating whether the session can be used to initiate new connections.
A connection state is defined by the following parameters:
Server and client random: byte sequences chosen by the server and client for each connection.
Server write MAC secret: the secret key used in MAC operations on data sent by the server.
Client write MAC secret: the secret key used in MAC operations on data sent by the client.
Server write key: the encryption key for data encrypted by the server and decrypted by the client.
Client write key: the encryption key for data encrypted by the client and decrypted by the server.
Initialization vectors: when a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key. This field is first initialized by the SSL Handshake Protocol; thereafter the final ciphertext block from each record is preserved for use as the IV with the following record.
Sequence numbers: each party maintains separate sequence numbers for transmitted and received messages for each connection. When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero. Sequence numbers may not exceed 2^64-1.
1. SSL Record Protocol:
The SSL Record Protocol comes into the picture after successful completion of the handshake between client and server. It provides two services for SSL connections.
• Confidentiality: achieved with the help of a secret key. This shared secret key is defined by the Handshake Protocol and is used for conventional encryption of SSL payloads.
• Message integrity: the Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC). The MAC is used to verify message integrity.
The overall operation of the SSL Record Protocol is shown in the following steps. The SSL Record Protocol takes an application message and performs the following operations:
1. Fragmentation: the original application message is fragmented into blocks of 2^14 bytes (16384 bytes) or less.
2. Compression: the fragmented blocks are optionally compressed. The compression must be lossless and may not increase the content length by more than 1024 bytes.
3. Addition of Message Authentication Code (MAC): the next step is to compute a message authentication code (MAC) over the compressed data using a shared secret key.
4. Encryption: the compressed message plus the MAC is encrypted using symmetric encryption. Encryption may not increase the content length by more than 1024 bytes, so that the total length may not exceed 2^14 + 2048 bytes.
Received data are decrypted, verified, decompressed, and reassembled and then delivered to higher-level users.
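The four record-processing steps and their reverse on the receiving side, as an added example that is not part of the slides and not the SSLv3 specification's code: it enforces the fragment and growth limits, includes the sequence number in the MAC, and rejects a damaged record with the bad_record_mac alert. The cipher (a SHA-256 keystream) and the MAC (HMAC-SHA1) are stand-ins for the negotiated SSL algorithms, and the keys are constructed for the demo.

```python
"""Added example, not from the original slides: a model of the SSL Record
Protocol pipeline (fragment, optionally compress, MAC, encrypt) and its reverse,
with the size limits and the MAC check enforced. The cipher is a constructed
SHA-256 counter-mode keystream and the MAC is HMAC-SHA1 over sequence number,
content type, length and fragment; both stand in for the negotiated SSL
algorithms and are not the SSLv3 constructions."""
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14            # step 1: plaintext fragments of at most 16384 bytes
MAX_GROWTH = 1024                 # steps 2 and 4: each may add at most 1024 bytes
MAX_RECORD = MAX_FRAGMENT + 2048  # ciphertext fragment may not exceed 2^14 + 2048
MAC_LEN = 20                      # SHA-1 hash_size
VERSION = 0x0300                  # SSLv3 version field in the record header
APPLICATION_DATA = 23             # record content type used by the demo


class AlertError(Exception):
    """Raised with the (fatal) alert description the receiver would send."""


def keystream_xor(key, seq, data):
    """Stand-in cipher: XOR with a keystream derived from the key and sequence number."""
    out = bytearray()
    for block_no, off in enumerate(range(0, len(data), 32)):
        stream = hashlib.sha256(key + struct.pack(">QI", seq, block_no)).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], stream))
    return bytes(out)


def record_mac(mac_secret, seq, content_type, fragment):
    """MAC over sequence number, content type, length and the (compressed) fragment."""
    header = struct.pack(">QBH", seq, content_type, len(fragment))
    return hmac.new(mac_secret, header + fragment, hashlib.sha1).digest()


class RecordWriter:
    def __init__(self, write_key, mac_secret, compress=False):
        self.write_key, self.mac_secret, self.compress = write_key, mac_secret, compress
        self.seq = 0  # write sequence number; change_cipher_spec resets it to zero

    def protect(self, content_type, message):
        """Fragment, compress, MAC and encrypt one application message into records."""
        records = []
        for off in range(0, max(len(message), 1), MAX_FRAGMENT):
            fragment = message[off:off + MAX_FRAGMENT]
            body = zlib.compress(fragment) if self.compress else fragment
            if len(body) > len(fragment) + MAX_GROWTH:
                raise ValueError("compression grew the fragment by more than 1024 bytes")
            tag = record_mac(self.mac_secret, self.seq, content_type, body)
            ciphertext = keystream_xor(self.write_key, self.seq, body + tag)
            header = struct.pack(">BHH", content_type, VERSION, len(ciphertext))
            records.append(header + ciphertext)
            self.seq += 1
        return records


class RecordReader:
    def __init__(self, read_key, mac_secret, compress=False):
        self.read_key, self.mac_secret, self.compress = read_key, mac_secret, compress
        self.seq = 0

    def unprotect(self, record):
        """Decrypt, verify and decompress one record; return (content_type, fragment)."""
        content_type, version, length = struct.unpack(">BHH", record[:5])
        ciphertext = record[5:]
        if version != VERSION or length != len(ciphertext) or length > MAX_RECORD:
            raise AlertError("record_overflow")  # TLS alert name; SSLv3 had none for this
        body = keystream_xor(self.read_key, self.seq, ciphertext)
        fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        expected = record_mac(self.mac_secret, self.seq, content_type, fragment)
        if not hmac.compare_digest(tag, expected):
            raise AlertError("bad_record_mac")  # tampered, reordered or wrong keys
        if self.compress:
            try:
                fragment = zlib.decompress(fragment)
            except zlib.error:
                raise AlertError("decompression_failure")
        self.seq += 1
        return content_type, fragment


def roundtrip(message, compress=False, tamper_record=None):
    """Send message through a writer/reader pair; return the reassembled plaintext,
    or the alert description if the receiver rejects a record."""
    key, mac_secret = b"k" * 16, b"m" * 20  # constructed per-connection keys
    writer = RecordWriter(key, mac_secret, compress)
    reader = RecordReader(key, mac_secret, compress)
    records = writer.protect(APPLICATION_DATA, message)
    if tamper_record is not None:  # flip one ciphertext bit in flight
        damaged = bytearray(records[tamper_record])
        damaged[-1] ^= 0x01
        records[tamper_record] = bytes(damaged)
    try:
        return b"".join(reader.unprotect(rec)[1] for rec in records)
    except AlertError as alert:
        return str(alert)
```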
2. Change Cipher Spec Protocol:
This protocol uses the SSL Record Protocol. It consists of a single message, a single byte with the value 1.
The sole purpose of this message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on the connection.
3. Alert Protocol:
This protocol is used to convey SSL-related alerts to the peer entity. As with other data that uses SSL, alert messages are compressed and encrypted as specified by the current state.
Each message consists of two bytes.
The first byte takes the value warning (1) or fatal (2) and conveys the severity of the message.
If the level is fatal, SSL immediately terminates the current connection; other connections on the same session may continue, but no new connections may be established on this session.
The second byte of the alert message contains a code that indicates the specific alert.
• The following alerts are always fatal:
unexpected_message: an inappropriate message was received.
bad_record_mac: an incorrect MAC was received.
decompression_failure: the decompression function received improper input.
handshake_error: the sender was unable to negotiate an acceptable set of security parameters given the options available.
illegal_parameter: a field in a handshake message was out of range or inconsistent with other fields.
• The remaining alerts are as follows:
close_notify: notifies the recipient that the sender will not send any more messages on this connection. Each party is required to send a close_notify alert before closing the write side of a connection.
no_certificate: may be sent in response to a certificate request if no appropriate certificate is available.
bad_certificate: a received certificate was corrupt.
unsupported_certificate: the type of the received certificate is not supported.
certificate_revoked: a certificate has been revoked by its signer.
certificate_expired: a certificate has expired.
certificate_unknown: some other unspecified issue arose in processing the certificate, rendering it unacceptable.
4. Handshake Protocol:
This protocol allows the server and client to authenticate each other.
The initial exchange required to establish a logical connection between client and server has the following four phases:
Phase 1: Establish Security Capabilities
• This phase is used to initiate a logical connection and to establish the security capabilities associated with it, including protocol version, session ID, cipher suite, compression method and initial random numbers.
Phase 2: Server Authentication and Key Exchange
• At the beginning of this phase, if authentication is needed, the server sends its certificate; the message contains one X.509 certificate or a chain of them.
• The certificate message is needed for any agreed-on key exchange method.
Phase 3: Client Authentication and Key Exchange
• On receipt of the server_done message, the client should verify that the server provided a valid certificate, if required, and check that the server_hello parameters are acceptable.
• If all is satisfactory, the client sends one or more messages back to the server. If the server has requested a client certificate, the client begins this phase by sending a certificate message. If no suitable certificate is available, the client sends a no_certificate alert instead.
Phase 4: Finish
• This phase completes the setting up of a secure connection. The client sends a change_cipher_spec message and copies the pending CipherSpec into the current CipherSpec.
• The client then immediately sends the finished message.
• This message verifies that the key exchange and authentication processes were successful.
• The handshake is now complete, and the client and server may begin to exchange application data.
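The session/connection state model, the change_cipher_spec copy and the four handshake phases above, as an added example written for this page (not code from the slides or from any SSL implementation): a full handshake creates pending read/write states from the master secret and the per-connection randoms, change_cipher_spec promotes them to current states, the finished message is checked, and a second connection resumes the cached session with fresh keys but without repeating phases 2 and 3. The Peer class, the SHA-based key derivation and the certificate strings are assumptions; the pre-master secret is assumed to reach the server confidentially (RSA-encrypted in real SSL, omitted here).

```python
"""Added example, not from the original slides: a model of the SSL session and
connection state machine. Key derivation uses SHA-256/SHA-512 as a stand-in for
SSL's MD5/SHA-1 construction; the pre-master secret's confidential delivery
(RSA-encrypted in real SSL) is omitted."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class SessionState:                    # shared by every connection of the session
    session_id: bytes
    peer_certificate: Optional[str]    # None on the server side (no client auth here)
    compression_method: str
    cipher_spec: str
    master_secret: bytes               # 48 bytes
    is_resumable: bool = True


@dataclass
class ConnectionState:                 # one per direction of one connection
    write_key: bytes
    mac_secret: bytes
    sequence_number: int = 0           # set to zero when change_cipher_spec is processed


class HandshakeError(Exception):
    """Carries the alert description that would be sent (all fatal)."""


def derive_master_secret(pre_master, client_random, server_random):
    return hashlib.sha512(b"master" + pre_master + client_random + server_random).digest()[:48]


def derive_connection_states(master, client_random, server_random):
    """Expand master secret and both randoms into the client and server write states."""
    block = b"".join(hashlib.sha256(bytes([i]) + master + server_random + client_random).digest()
                     for i in range(4))
    return {"client": ConnectionState(block[0:16], block[32:52]),
            "server": ConnectionState(block[64:80], block[96:116])}


class Peer:
    def __init__(self, role, trusted_certs=()):
        self.role = role                           # "client" or "server"
        self.trusted = set(trusted_certs)          # certificates this peer accepts
        self.session_cache = {}                    # session_id -> SessionState
        self.session = None
        self.current_read = self.current_write = None
        self.pending_read = self.pending_write = None
        self.transcript = b""

    def install_pending(self, client_random, server_random):
        states = derive_connection_states(self.session.master_secret, client_random, server_random)
        other = "server" if self.role == "client" else "client"
        self.pending_write, self.pending_read = states[self.role], states[other]

    def change_cipher_spec(self, side):
        """Change Cipher Spec: copy the pending state of one side into the current state."""
        if side == "write":
            self.current_write, self.pending_write = self.pending_write, None
        else:
            self.current_read, self.pending_read = self.pending_read, None

    def finished(self):
        """Finished message: MAC of the handshake transcript under the master secret."""
        return hmac.new(self.session.master_secret, self.transcript, hashlib.sha256).digest()


def handshake(client, server, server_cert, resume_id=None):
    """Run the four phases between two Peers; return "full" or "resumed"."""
    # Phase 1: hellos carry randoms, session ID, cipher suite and compression method.
    client_random, server_random = os.urandom(32), os.urandom(32)
    cached = server.session_cache.get(resume_id)
    if cached is not None and cached.is_resumable and resume_id in client.session_cache:
        kind = "resumed"                   # server accepts the offered session ID
        client.session, server.session = client.session_cache[resume_id], cached
    else:
        kind = "full"
        session_id = os.urandom(32)
        # Phase 2: server sends its certificate (chain) and server_done.
        # Phase 3: client verifies the certificate, then performs the key exchange.
        if server_cert not in client.trusted:
            raise HandshakeError("bad_certificate")
        pre_master = os.urandom(48)
        master = derive_master_secret(pre_master, client_random, server_random)
        for peer in (client, server):
            peer.session = SessionState(session_id, server_cert if peer is client else None,
                                        "null", "DES_CBC_SHA", master)
            peer.session_cache[session_id] = peer.session
    for peer in (client, server):
        peer.transcript = b"hello" + client_random + server_random + peer.session.session_id
        peer.install_pending(client_random, server_random)
    # Phase 4: change_cipher_spec, then finished; client first, then the server.
    client.change_cipher_spec("write")
    server.change_cipher_spec("read")
    if not hmac.compare_digest(client.finished(), server.finished()):
        raise HandshakeError("handshake_error")  # alert name as given in the slides
    server.change_cipher_spec("write")
    client.change_cipher_spec("read")
    return kind
```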
Secure Electronic Transaction (SET):
• SET is an open encryption and security specification designed to protect credit card transactions on the Internet.
• A wide range of companies were involved in developing the initial specification, including IBM, Microsoft, Netscape, RSA, Terisa, and VeriSign.
• SET is not a payment system; it is a set of security protocols and formats that enables users to employ the existing credit card payment infrastructure on the Internet in a secure manner.
• SET provides three services:
o It provides a secure communications channel among all parties involved in an e-commerce transaction.
o It provides authentication by the use of X.509v3 digital certificates.
o It ensures privacy because the information is only available to parties in a transaction when and where necessary.
SET Overview:
1. Requirements:
The following are the business requirements for secure payment processing with credit cards over the Internet and other networks:
1. Confidentiality: it should provide confidentiality of payment and ordering information.
2. Integrity: it should ensure the integrity of all data transmitted over the Internet.
3. Authentication: it should provide authentication that a cardholder is a legitimate user of a credit card account.
4. It should provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution.
5. It should ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction.
6. It should create a protocol that neither depends on transport security mechanisms nor prevents their use.
7. It should facilitate and encourage interoperability among software and network providers.
SET Participants:
• Cardholder
o With the help of the Internet, consumers and corporate purchasers interact with merchants from personal computers.
o A cardholder is an authorized holder of a payment card, such as MasterCard or Visa, that has been issued by an issuer.
• Merchant
o A merchant is a person or organization that has goods or services to sell to the cardholder. These goods and services are offered via a web site or by e-mail.
o A merchant that accepts payment cards must have a relationship with an acquirer.
• Issuer
o The issuer is a financial institution, such as a bank, that provides the payment card to the cardholder. The cardholder can apply for an account and open it by e-mail.
o Ultimately, the issuer is responsible for the payment of the cardholder's debt.
• Acquirer
o This is also a financial institution, but one that establishes an account with a merchant. The acquirer processes payment card authorizations and payments.
o The acquirer is needed because a merchant accepts more than one credit card brand but cannot deal with multiple bankcard associations or with multiple individual issuers.
o It gives the merchant assurance that the given card account is valid and active and that the purchase amount does not exceed the credit limit.
o The acquirer also provides electronic transfer of payments to the merchant's account. Subsequently, the issuer reimburses the acquirer over a payment network for electronic funds transfer.
• Payment Gateway
o This is a function operated by the acquirer, or it can be taken up by another organization as a dedicated function.
o The payment gateway interfaces between SET and the existing bankcard payment networks for authorization and payment functions.
o The merchant exchanges SET messages with the payment gateway over the Internet. The payment gateway in turn connects to the acquirer's system over a dedicated network line.
• Certification Authority (CA)
o This is an entity that is trusted to issue public key certificates for cardholders, merchants, and payment gateways.
o The success of SET will depend on the existence of a CA infrastructure available for this purpose.
Key Features of SET:
SET incorporates the following features to meet the requirements mentioned above:
i. Confidentiality of information
• Cardholder account and payment information is secured as it travels across the network.
• An interesting and important feature of SET is that it prevents the merchant from learning the cardholder's credit card number; this is only provided to the issuing bank. Conventional encryption by DES is used to provide confidentiality.
ii. Integrity of data
• Payment information sent from cardholders to merchants includes order information, personal data, and payment instructions. SET guarantees that these message contents are not altered in transit.
• RSA digital signatures, using SHA-1 hash codes, provide message integrity. Certain messages are also protected by HMAC using SHA-1.
iii. Cardholder account authentication
• SET enables merchants to verify that a cardholder is an authorized user of a valid card account number. SET uses digital certificates with RSA signatures for this purpose.
iv. Merchant authentication
• SET enables cardholders to verify that a merchant has a relationship with a financial institution. SET uses digital certificates with RSA signatures for this purpose.
• SET provides only one choice for each cryptographic algorithm. This makes sense, because SET is a single application with a single set of requirements.
Now we will see the sequence of events that are required for a transaction.
1. The customer opens a credit card account
The customer searches for and then opens a credit card account with a bank that supports electronic payment and SET.
2. The customer receives a digital certificate
• After an identity verification process, the customer receives a digital certificate signed by the bank.
• The certificate verifies the customer's RSA public key and its expiration date.
• This establishes a relationship, guaranteed by the bank, between the customer's key pair and the credit card.
3. Merchants have their own certificates
A merchant who accepts a certain brand of credit card must possess a digital certificate.
4. The customer places an order
• The customer first browses the merchant's web site to select items and determine their prices.
• The customer then sends a list of the items to be purchased to the merchant. The merchant returns an order form containing the list of items, the price of each item, a total price, and an order number.
5. The merchant is verified by certificate
The merchant also sends a copy of its digital certificate to the customer, so that the customer can verify that he or she is dealing with a valid store.
6. The order and payment information are sent
• The customer sends the order and payment information to the merchant, along with the customer's certificate.
• The order confirms the purchase of the items on the order form. The payment information contains the credit card details.
• The payment information is encrypted so that it cannot be read by the merchant, and the customer's certificate allows the merchant to verify the customer.
7. The merchant requests payment authorization
• The merchant sends the payment information to the payment gateway and requests authorization, that is, a check that the customer's available credit is sufficient for this purchase.
8. The merchant confirms the order
• The merchant then sends confirmation of the order to the customer.
9. The merchant provides the goods or service
• After confirmation, the merchant ships the goods or provides the service to the customer.
10. The merchant requests payment
• This request is sent to the payment gateway, which handles all of the payment processing.

Your Biggest Systems Management Challenges – and How to Overcome ThemYour Biggest Systems Management Challenges – and How to Overcome Them
Your Biggest Systems Management Challenges – and How to Overcome Them
 
Cyber security series administrative control breaches
Cyber security series   administrative control breaches Cyber security series   administrative control breaches
Cyber security series administrative control breaches
 
VMworld 2013: Getting Started with Horizon Workspace: Use Cases and Configura...
VMworld 2013: Getting Started with Horizon Workspace: Use Cases and Configura...VMworld 2013: Getting Started with Horizon Workspace: Use Cases and Configura...
VMworld 2013: Getting Started with Horizon Workspace: Use Cases and Configura...
 
IT_Security_Service Delivery_Consultant
IT_Security_Service Delivery_Consultant IT_Security_Service Delivery_Consultant
IT_Security_Service Delivery_Consultant
 
Fs And Self Service
Fs And Self ServiceFs And Self Service
Fs And Self Service
 
10 disaster recovery
10 disaster recovery  10 disaster recovery
10 disaster recovery
 
IBM Endpoint Manager for Lifecycle Management (Overview)
IBM Endpoint Manager for Lifecycle Management (Overview)IBM Endpoint Manager for Lifecycle Management (Overview)
IBM Endpoint Manager for Lifecycle Management (Overview)
 

Andere mochten auch

Common malware and countermeasures
Common malware and countermeasuresCommon malware and countermeasures
Common malware and countermeasuresNoushin Ahson
 
Protection in Operating System Layer
Protection in Operating System LayerProtection in Operating System Layer
Protection in Operating System LayerSidharth D
 
Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010lincolng
 
Operating systems security 2007 vulnerability report
Operating systems security 2007 vulnerability reportOperating systems security 2007 vulnerability report
Operating systems security 2007 vulnerability reportAjit Gaddam
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxSecurity Session
 
Operating system vulnerability and control
Operating system vulnerability and control Operating system vulnerability and control
Operating system vulnerability and control أحلام انصارى
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux SecurityMichael Boman
 
Security Configuration Management for Dummies
Security Configuration Management for DummiesSecurity Configuration Management for Dummies
Security Configuration Management for DummiesTripwire
 
Kernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneKernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneAnne Nicolas
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?Michael Boelen
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsAnne Nicolas
 
Differential Diagnosis of Icterus/Jaundice
Differential Diagnosis of Icterus/JaundiceDifferential Diagnosis of Icterus/Jaundice
Differential Diagnosis of Icterus/JaundiceDr.Sudeesh Shetty
 
Secure Hash Algorithm (SHA-512)
Secure Hash Algorithm (SHA-512)Secure Hash Algorithm (SHA-512)
Secure Hash Algorithm (SHA-512)DUET
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Securitypankaj009
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security OverviewShawn Wells
 

Andere mochten auch (20)

Jaundice
Jaundice Jaundice
Jaundice
 
Common malware and countermeasures
Common malware and countermeasuresCommon malware and countermeasures
Common malware and countermeasures
 
Protection in Operating System Layer
Protection in Operating System LayerProtection in Operating System Layer
Protection in Operating System Layer
 
Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010Unitrends Sales Presentation 2010
Unitrends Sales Presentation 2010
 
Operating systems security 2007 vulnerability report
Operating systems security 2007 vulnerability reportOperating systems security 2007 vulnerability report
Operating systems security 2007 vulnerability report
 
Jaundice
JaundiceJaundice
Jaundice
 
Hardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix LinuxHardening Linux and introducing Securix Linux
Hardening Linux and introducing Securix Linux
 
Operating system vulnerability and control
Operating system vulnerability and control Operating system vulnerability and control
Operating system vulnerability and control
 
Introduction To Linux Security
Introduction To Linux SecurityIntroduction To Linux Security
Introduction To Linux Security
 
Security Configuration Management for Dummies
Security Configuration Management for DummiesSecurity Configuration Management for Dummies
Security Configuration Management for Dummies
 
Kernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyoneKernel Recipes 2015 - Hardened kernels for everyone
Kernel Recipes 2015 - Hardened kernels for everyone
 
How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?How Many Linux Security Layers Are Enough?
How Many Linux Security Layers Are Enough?
 
Linux Security
Linux SecurityLinux Security
Linux Security
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal conceptsKernel Recipes 2013 - Linux Security Modules: different formal concepts
Kernel Recipes 2013 - Linux Security Modules: different formal concepts
 
Differential Diagnosis of Icterus/Jaundice
Differential Diagnosis of Icterus/JaundiceDifferential Diagnosis of Icterus/Jaundice
Differential Diagnosis of Icterus/Jaundice
 
SELinux basics
SELinux basicsSELinux basics
SELinux basics
 
Secure Hash Algorithm (SHA-512)
Secure Hash Algorithm (SHA-512)Secure Hash Algorithm (SHA-512)
Secure Hash Algorithm (SHA-512)
 
Basic Linux Security
Basic Linux SecurityBasic Linux Security
Basic Linux Security
 
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
2009-08-11 IBM Teach the Teachers (IBM T3), Linux Security Overview
 

Ähnlich wie Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transaction (SET):

Web sever environmentA Web server is a program that uses HTTP (Hy.pdf
Web sever environmentA Web server is a program that uses HTTP (Hy.pdfWeb sever environmentA Web server is a program that uses HTTP (Hy.pdf
Web sever environmentA Web server is a program that uses HTTP (Hy.pdfaquacareser
 
Maintenance of Hospital Information System
Maintenance of Hospital Information SystemMaintenance of Hospital Information System
Maintenance of Hospital Information SystemDr Jasbeer Singh
 
(ATS4-PLAT03) Balancing Security with access for Development
(ATS4-PLAT03) Balancing Security with access for Development(ATS4-PLAT03) Balancing Security with access for Development
(ATS4-PLAT03) Balancing Security with access for DevelopmentBIOVIA
 
Datasheet.net pluginforrd
Datasheet.net pluginforrdDatasheet.net pluginforrd
Datasheet.net pluginforrdMidVision
 
Defining the Clouds for entriprises.pptx
Defining the Clouds for entriprises.pptxDefining the Clouds for entriprises.pptx
Defining the Clouds for entriprises.pptxAshwiniTodkar4
 
12 Factor App Methodology
12 Factor App Methodology12 Factor App Methodology
12 Factor App Methodologylaeshin park
 
Updating current Network Design It18 roshan basnet
Updating current Network Design It18 roshan basnetUpdating current Network Design It18 roshan basnet
Updating current Network Design It18 roshan basnetrosu555
 
Enterprise java unit-1_chapter-2
Enterprise java unit-1_chapter-2Enterprise java unit-1_chapter-2
Enterprise java unit-1_chapter-2sandeep54552
 
enterprisejavaunit-1chapter-2-210914075956.pdf
enterprisejavaunit-1chapter-2-210914075956.pdfenterprisejavaunit-1chapter-2-210914075956.pdf
enterprisejavaunit-1chapter-2-210914075956.pdfEidTahir
 
CLOUD ARCHITECTURE AND SERVICES.pptx
CLOUD ARCHITECTURE AND SERVICES.pptxCLOUD ARCHITECTURE AND SERVICES.pptx
CLOUD ARCHITECTURE AND SERVICES.pptxDr Geetha Mohan
 
The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018PureSec
 
Pillars of great Azure Architecture
Pillars of great Azure ArchitecturePillars of great Azure Architecture
Pillars of great Azure ArchitectureKarthikeyan VK
 
Data center proposal
Data center proposalData center proposal
Data center proposalMuhammad Ahad
 
Over view of software artitecture
Over view of software artitectureOver view of software artitecture
Over view of software artitectureABDEL RAHMAN KARIM
 
Prominent Back-end frameworks to consider in 2022!
Prominent Back-end frameworks to consider in 2022!Prominent Back-end frameworks to consider in 2022!
Prominent Back-end frameworks to consider in 2022!Shelly Megan
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppAppsecco
 

Ähnlich wie Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transaction (SET): (20)

Web sever environmentA Web server is a program that uses HTTP (Hy.pdf
Web sever environmentA Web server is a program that uses HTTP (Hy.pdfWeb sever environmentA Web server is a program that uses HTTP (Hy.pdf
Web sever environmentA Web server is a program that uses HTTP (Hy.pdf
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Maintenance of Hospital Information System
Maintenance of Hospital Information SystemMaintenance of Hospital Information System
Maintenance of Hospital Information System
 
(ATS4-PLAT03) Balancing Security with access for Development
(ATS4-PLAT03) Balancing Security with access for Development(ATS4-PLAT03) Balancing Security with access for Development
(ATS4-PLAT03) Balancing Security with access for Development
 
Datasheet.net pluginforrd
Datasheet.net pluginforrdDatasheet.net pluginforrd
Datasheet.net pluginforrd
 
Defining the Clouds for entriprises.pptx
Defining the Clouds for entriprises.pptxDefining the Clouds for entriprises.pptx
Defining the Clouds for entriprises.pptx
 
12 Factor App Methodology
12 Factor App Methodology12 Factor App Methodology
12 Factor App Methodology
 
Updating current Network Design It18 roshan basnet
Updating current Network Design It18 roshan basnetUpdating current Network Design It18 roshan basnet
Updating current Network Design It18 roshan basnet
 
Enterprise java unit-1_chapter-2
Enterprise java unit-1_chapter-2Enterprise java unit-1_chapter-2
Enterprise java unit-1_chapter-2
 
enterprisejavaunit-1chapter-2-210914075956.pdf
enterprisejavaunit-1chapter-2-210914075956.pdfenterprisejavaunit-1chapter-2-210914075956.pdf
enterprisejavaunit-1chapter-2-210914075956.pdf
 
Php Web Frameworks
Php Web FrameworksPhp Web Frameworks
Php Web Frameworks
 
CLOUD ARCHITECTURE AND SERVICES.pptx
CLOUD ARCHITECTURE AND SERVICES.pptxCLOUD ARCHITECTURE AND SERVICES.pptx
CLOUD ARCHITECTURE AND SERVICES.pptx
 
The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018The Top 10 Most Common Weaknesses in Serverless Applications 2018
The Top 10 Most Common Weaknesses in Serverless Applications 2018
 
Pillars of great Azure Architecture
Pillars of great Azure ArchitecturePillars of great Azure Architecture
Pillars of great Azure Architecture
 
AZURE CC JP.pptx
AZURE CC JP.pptxAZURE CC JP.pptx
AZURE CC JP.pptx
 
Data center proposal
Data center proposalData center proposal
Data center proposal
 
Cloud Analytics and VDI
Cloud Analytics and VDICloud Analytics and VDI
Cloud Analytics and VDI
 
Over view of software artitecture
Over view of software artitectureOver view of software artitecture
Over view of software artitecture
 
Prominent Back-end frameworks to consider in 2022!
Prominent Back-end frameworks to consider in 2022!Prominent Back-end frameworks to consider in 2022!
Prominent Back-end frameworks to consider in 2022!
 
Fragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your AppFragments-Plug the vulnerabilities in your App
Fragments-Plug the vulnerabilities in your App
 

Kürzlich hochgeladen

(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)Suman Mia
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduitsrknatarajan
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).pptssuser5c9d4b1
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxpurnimasatapathy1234
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxAsutosh Ranjan
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSSIVASHANKAR N
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)simmis5
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM.        DIMENSIONAL ANALYSISUNIT-III FMM.        DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSISrknatarajan
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 

Kürzlich hochgeladen (20)

(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)Software Development Life Cycle By  Team Orange (Dept. of Pharmacy)
Software Development Life Cycle By Team Orange (Dept. of Pharmacy)
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 
UNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular ConduitsUNIT-II FMM-Flow Through Circular Conduits
UNIT-II FMM-Flow Through Circular Conduits
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINEDJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
DJARUM4D - SLOT GACOR ONLINE | SLOT DEMO ONLINE
 
Coefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptxCoefficient of Thermal Expansion and their Importance.pptx
Coefficient of Thermal Expansion and their Importance.pptx
 
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLSMANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
MANUFACTURING PROCESS-II UNIT-5 NC MACHINE TOOLS
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)Java Programming :Event Handling(Types of Events)
Java Programming :Event Handling(Types of Events)
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
UNIT-III FMM. DIMENSIONAL ANALYSIS
UNIT-III FMM.        DIMENSIONAL ANALYSISUNIT-III FMM.        DIMENSIONAL ANALYSIS
UNIT-III FMM. DIMENSIONAL ANALYSIS
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 

Application hardening, Secure Socket Layer(SSL) & Secure Electronic Transaction (SET):

Application Hardening
• Application hardening is the process of securing an application against local and Internet-based attacks.
• Application hardening is achieved by removing the functions or components that you don't require, restricting access, and making sure the application is kept up to date with patches.
• Maintaining application security is important because you still need to make the application accessible to users. Many applications have buffer overflow problems in legitimate user input fields, so patching the application is the only way to secure it from such attacks.
Application Patches:
• Application patches are supplied by the vendor who sells the application; who else has access to the source code? In some cases, such as Apache, the vendor is operating-system independent and provides versions of the application for many different operating systems.
• Application patches come in three varieties: 1) Hotfixes, 2) Patches, 3) Upgrades.
Hotfixes:
• Hotfixes are usually small sections of code designed to fix a specific problem. For example, a hotfix may be released to address a buffer overflow in the login routine of an application.
Patches:
• Patches are usually collections of fixes. They are likely to be much larger, and they are usually released on a periodic basis or when enough problems have been addressed to justify a patch release.
Upgrades:
• Upgrades are another popular method of patching an application, and they are likely to be received more positively than patches. The term upgrade has a positive implication: you are moving up to a better, more functional and more secure application.
• Hence, most vendors will release upgrades for fixes rather than for any new or enhanced functionality.
• Application patches can be provided directly from the vendor's web site or FTP site, or by CD.
• A patch is typically a small binary application which, when run, automatically replaces the defective application binaries with updated ones.
• Patches can also change settings or modify configuration files. Many times a patch is a zipped archive of files with a set of instructions that require the user or administrator to manually replace the faulty application files with the updated ones.
• Some advanced applications use automatic update routines; for example, within an operating system the application is updated automatically.
Web Servers:
• Web servers are the most common Internet server-side application in use.
• They are mainly designed to provide content and functionality to remote users through a standard web browser.
• Web servers are used for many different purposes, such as distributing news, selling just about every product ever created, conducting public sales, and showing pictures of functions.
• Because of their popularity and creative use, web servers have become extremely popular targets for attackers.
• Web sites are defaced and their original content replaced with something the owner did not intend to display. E-commerce sites are attacked, and an attacker steals credit card numbers, user information and so on.
• Setting up a web server is made extremely easy by vendors; this is the main reason for their popularity. But vendors do not always provide good security configurations as part of the default installation.
• Fortunately, hardening a web server is not that difficult; let's take the most popular web server, IIS, as an example.
Internet Information Server (IIS):
• Nowadays Microsoft's Internet Information Server (IIS) is one of the most popular web server applications. IIS comes as a standard package with the Windows 2000 Server and Advanced Server operating systems. IIS can be loaded at install time or added to the configuration later.
• Because of its popularity, IIS is a very popular target for attackers, and new vulnerabilities and exploits are released on an almost weekly or even daily basis.
• The first step in securing IIS is to remove all sample files. To help users set up their sites, IIS installs sample files that users can examine and use as a reference when constructing their web sites.
• But these sample files are full of vulnerabilities and holes, so they should never be present on a production web server.
• Sample files are stored in virtual and physical directories, so to remove the IIS sample applications, remove both the virtual and the physical directories. For example, the IIS samples are present in the IISsamples virtual directory, whose physical location is C:\Inetpub\IISsample.
• The next step in securing IIS is to set up the appropriate permissions for the web server's files and directories; this is done using Access Control Lists (ACLs).
• Web servers are typically designed to give broad access to the public; the key is to limit the user's ability to browse or navigate outside the intended path. This will typically involve removing permissions for the "Everyone" group from certain files and directories.
• You should never allow the "Everyone" group both write and execute permissions on the same directory; in those cases, do not allow users write permissions for any of the web server's directories.
• Another important part of securing an IIS server is patching. Because IIS is almost an integral part of the Windows Server operating system, the service packs for the operating system may also contain patches and fixes for IIS.
• Microsoft also releases security bulletins to address specific vulnerabilities that have been discovered. A security bulletin contains links to the patch or hotfix, or manual steps an administrator can perform until a formal patch is released.
• Because of the strong popularity of IIS, it is very difficult for an administrator to keep pace with all the discovered vulnerabilities and the patches required to keep it up to date and secure from attack.
• To help secure IIS servers, Microsoft has developed two tools.
• URLScan is a monitoring utility and pre-processor that examines all incoming URLs and rejects any request for files, directories, or services outside the scope of the web site.
• The IIS Lockdown tool asks the administrator a series of questions to determine which features are needed. Based on the answers, IIS Lockdown can disable WebDAV, remove dynamic script type associations, restore default security settings, and back up the IIS metabase and ACLs.
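The two file-system checks described above, leftover sample directories and "Everyone" holding write and execute rights on the same directory, as an added PowerShell audit that is not part of the original slides. The web root and sample paths are assumptions; the function returns one line per finding.

```powershell
# Added example (not from the original slides): audit a web content tree for two of the
# hardening points above - leftover sample directories, and directories where the
# "Everyone" group holds both write and execute rights. All paths are assumptions.

function Test-WebContentHardening {
    param(
        [string]$WebRoot = 'C:\Inetpub\wwwroot',
        # Sample-content locations to check; the slide names C:\Inetpub\IISsample.
        [string[]]$SamplePaths = @('C:\Inetpub\IISsample', 'C:\Inetpub\iissamples')
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]::WriteData -bor
                 [int][System.Security.AccessControl.FileSystemRights]::AppendData
    $execBits  = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile

    # 1. Sample applications should never remain on a production web server.
    foreach ($path in $SamplePaths) {
        if (Test-Path -LiteralPath $path) {
            $findings.Add("sample content still present: $path")
        }
    }

    if (-not (Test-Path -LiteralPath $WebRoot -PathType Container)) {
        $findings.Add("web root not found: $WebRoot")
        return $findings
    }

    # 2. Inspect the ACL of the web root and of every directory beneath it.
    $dirs = @(Get-Item -LiteralPath $WebRoot) +
            @(Get-ChildItem -LiteralPath $WebRoot -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        $everyoneWrites = $false
        $everyoneExecs  = $false
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try {
                # Resolve the trustee to a SID so "Everyone" (S-1-1-0) matches in any locale.
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            } catch {
                continue   # orphaned or unresolvable identity: nothing to compare against
            }
            if ($sid.Value -ne 'S-1-1-0') { continue }
            $rights = [int]$ace.FileSystemRights   # FullControl and Modify include both bits
            if (($rights -band $writeBits) -ne 0) { $everyoneWrites = $true }
            if (($rights -band $execBits)  -ne 0) { $everyoneExecs  = $true }
        }
        if ($everyoneWrites -and $everyoneExecs) {
            $findings.Add("Everyone can write AND execute in: $($dir.FullName)")
        } elseif ($everyoneWrites) {
            $findings.Add("Everyone can write under the web root: $($dir.FullName)")
        }
    }
    return $findings
}

# The List is unrolled into individual strings on output; @() keeps Count valid when empty.
$result = @(Test-WebContentHardening)
if ($result.Count -eq 0) { 'No findings.' } else { $result }
```

Deny ACEs are ignored on purpose, so a directory that is written to by "Everyone" but protected by an explicit Deny still shows up; review such entries by hand rather than trusting the Deny to hold.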
• 9. Active Directory:
• Active Directory allows a single login to multiple applications, data sources and systems. It includes advanced encryption capabilities: Kerberos and PKI.
• It is built around a database whose structure is known as the schema. This schema contains information on network objects: domains, servers, workstations, printers, groups, users, etc.
• All objects are placed into a domain, and the domain can be used to control which users may access which objects.
• Each domain has its own security policies, administrative control, privileges, and relationships to other domains.
• Domains can be arranged in a hierarchical structure known as a forest. Branching off the main domain is a tree, which contains parent and child domains.
• Another key feature of Active Directory is delegation: the ability to push selected administrative controls down to users in each domain.
• The enterprise-level administrative accounts are in the root domain and the local admin accounts are in the child domains. So if you are a high-level admin in the central office, you can grant local authority to a local admin to add users, configure printers, etc. in a remote office. In many large organizations this type of administrative control can be very useful.
• Active Directory objects use an access control list (ACL) to check who can view the object, which attributes they can read, and which actions they can perform on the object.
• Administrators often give permissions to a specific folder by specifying that every subfolder or file in it must have the same permission; this means that access controls can be inherited from a parent to a child in the hierarchy.
• A global catalog stores a subset of the information on all the objects maintained by Active Directory. It is useful for many functions, such as user identification and email addresses. It must be available for Active Directory to function properly and to resolve its queries.
• Microsoft products use the Lightweight Directory Access Protocol (LDAP) to update and query Active Directory. Each object in the directory has a unique name in LDAP. LDAP itself is an unencrypted protocol, hence any host on the network can intercept and inspect the LDAP queries and updates.
• The security of Active Directory is achieved by planning and using appropriate permissions.
• 10. Web Security Threats:
Threats                                      Impact                                 Actions
Integrity:  Modification of user data        Information loss                       Use of cryptographic checksums
            Trojan horse browser             Compromise of machine
            Modification of memory           Vulnerability to all other threats
            Modification of message traffic
• 11. Web Traffic Security Approaches:
• Different approaches exist to provide web security. These approaches are similar in the services they provide, but they differ from each other with respect to their scope of applicability and their location in the TCP/IP protocol stack. These differences are shown in fig. 6.2.1.
• One way to provide web security is with the help of IPsec, as shown in fig. 6.2.1(a). The advantage of this approach is that it is transparent to end-user applications and it provides a general-purpose solution.
• IPsec also contains a filtering capability, so that only selected traffic need incur the overhead of IPsec processing.
• Another solution is to implement security just above TCP, as shown in fig. 6.2.1(b). Examples of this approach are the Secure Socket Layer (SSL) and the Internet standard known as Transport Layer Security (TLS).
• There are two implementation choices for SSL or TLS. It can be a part of the underlying protocol suite and hence transparent to applications, or it can be embedded in specific packages: for example, the Netscape and Microsoft Explorer browsers come equipped with SSL, and many web servers have implemented the protocol.
• Application-specific security services can also be embedded within a particular application, as shown in fig. 6.2.1(c). The benefit of this approach is that the service can be tailored to the specific needs of a given application.
• 12. Fig. 6.2.1: Location of security facilities in the TCP/IP protocol stack.
(a) Network level: HTTP, FTP, SMTP over TCP over IP/IPsec.
(b) Transport level: HTTP, FTP, SMTP over SSL or TLS over TCP over IP.
(c) Application level: S/MIME, PGP, SET, Kerberos over SMTP/HTTP over UDP/TCP over IP.
• 13. Secure Socket Layer (SSL):
SSL Architecture:
• SSL is designed to make use of TCP and is used to provide a consistent end-to-end secure service. SSL is not a single protocol but a two-layer protocol.
• SSL Record Protocol: it is used to provide basic security services to higher-layer protocols, for example the Hypertext Transfer Protocol (HTTP). HTTP provides the transfer service for web client/server interactions and can operate on top of SSL.
• There are three higher-layer protocols in SSL that are used in the management of SSL exchanges: the Handshake Protocol, the Change Cipher Spec Protocol, and the Alert Protocol.
• 14.
• SSL has the following two important concepts:
SSL Connection: a connection is a transport that provides a suitable type of service. For SSL, such connections are peer-to-peer relationships, and the connections are transient. Every connection is associated with one session.
SSL Session: a session is an association between a browser (client) and a web server. Sessions are created by the Handshake Protocol, and a session defines a set of cryptographic security parameters that can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection.
• There may be multiple secure connections between any pair of parties. There may also be multiple simultaneous sessions between parties, but in practice this feature is not used.
• Each session is associated with a number of states. Once a session is established, there is a current operating state for both read and write. Pending read and write states are created during the Handshake Protocol. After successful conclusion of the Handshake Protocol, the pending states become the current states.
• 15. The session state is defined by the following parameters:
Session identifier: an arbitrary byte sequence chosen by the server to identify an active or resumable session state.
Peer certificate: an X.509v3 certificate of the peer. This element may be null.
Compression method: the algorithm used to compress data prior to encryption.
Cipher spec: specifies the encryption algorithm (e.g. DES) and the hash algorithm (e.g. MD5 or SHA-1) used for MAC calculation. It also defines cryptographic attributes such as the hash_size.
Master secret: a 48-byte secret shared between the client and server.
Is resumable: a flag indicating whether the session can be used to initiate new connections.
• 16. A connection state is defined by the following parameters:
Server and client random: byte sequences chosen by the server and client for every connection.
Server write MAC secret: the secret key used in MAC operations on data sent by the server.
Client write MAC secret: the secret key used in MAC operations on data sent by the client.
Server write key: the encryption key for data encrypted by the server and decrypted by the client.
Client write key: the encryption key for data encrypted by the client and decrypted by the server.
Initialization vectors: when a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key. The SSL Handshake Protocol first initializes this field; after that, the final ciphertext block from each record is preserved for use as the IV with the following record.
Sequence numbers: for every connection, each party maintains separate sequence numbers for transmitted and received messages. When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero. Sequence numbers may not exceed 2^64-1.
• 17. 1. SSL Record Protocol: the Record Protocol comes into play after successful completion of the handshake between client and server. It provides two services for SSL connections.
• Confidentiality: achieved with the help of a secret key. This key is defined as a shared secret key by the Handshake Protocol and is used for conventional encryption of SSL payloads.
• Message Integrity: the Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC). The MAC is used to verify message integrity.
The overall operation of the SSL Record Protocol is shown in the following steps. The SSL Record Protocol takes an application message and performs the following operations:
1. Fragmentation: the original application message is fragmented into blocks of 2^14 bytes (16384 bytes) or less.
2. Compression: the fragmented blocks are optionally compressed. The compression must be lossless and may not increase the content length by more than 1024 bytes.
3. Addition of Message Authentication Code (MAC): the next step is to compute a message authentication code (MAC) over the compressed data using a shared key.
4. Encryption: the compressed data plus the MAC are encrypted using symmetric encryption. Encryption may not increase the content length by more than 1024 bytes, so that the total may not exceed 2^14 + 2048 bytes.
Received data are decrypted, verified, decompressed, and reassembled, and then delivered to higher-level users.
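The four Record Protocol steps above, worked through as an added example (not code from the slides): each fragment is compressed, MACed with its sequence number, and encrypted, and the receiver reverses the steps, rejecting a tampered or reordered record with the bad_record_mac condition. The MAC is assumed to be HMAC-SHA1 over the sequence number and compressed data (TLS-style; SSL 3.0's own MAC construction differs), and the cipher is a stand-in HMAC-SHA256 keystream so the example runs on the Python standard library alone.

```python
"""Toy model of the SSL Record Protocol send/receive pipeline (added example,
not code from the slides). Stages follow the text: fragment -> compress ->
MAC -> encrypt, and the reverse on receipt. Assumptions: the MAC is HMAC-SHA1
over a 64-bit sequence number plus the compressed data, and encryption is a
stand-in keystream derived with HMAC-SHA256 (real SSL uses the negotiated
block or stream cipher)."""
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14            # fragments of 16384 bytes or less
MAX_COMPRESSION_GROWTH = 1024     # compression may not add more than this
MAX_RECORD = 2 ** 14 + 2048       # upper bound on the protected record
MAC_LEN = 20                      # SHA-1 digest length
MAX_SEQ = 2 ** 64 - 1             # sequence numbers may not exceed this


def fragment(message):
    """Step 1: split the application message into <= 2^14-byte blocks."""
    return [message[i:i + MAX_FRAGMENT] for i in range(0, len(message), MAX_FRAGMENT)]


def compress(data):
    """Step 2: lossless compression that must not grow the data by > 1024 bytes."""
    out = zlib.compress(data)
    if len(out) > len(data) + MAX_COMPRESSION_GROWTH:
        raise ValueError("compression grew the fragment by more than 1024 bytes")
    return out


def record_mac(mac_key, seq, data):
    """Step 3: MAC over sequence number + compressed data with the write MAC secret."""
    return hmac.new(mac_key, struct.pack(">Q", seq) + data, hashlib.sha1).digest()


def keystream(enc_key, seq, length):
    """Stand-in cipher (assumption): HMAC-SHA256 keystream keyed by the write key."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]


def protect(plain, seq, mac_key, enc_key):
    """Steps 2-4 for one fragment: compress, append MAC, encrypt."""
    if seq > MAX_SEQ:
        raise ValueError("sequence number exhausted; a new handshake is required")
    comp = compress(plain)
    body = comp + record_mac(mac_key, seq, comp)
    cipher = bytes(a ^ b for a, b in zip(body, keystream(enc_key, seq, len(body))))
    if len(cipher) > MAX_RECORD:
        raise ValueError("record exceeds 2^14 + 2048 bytes")
    return cipher


def unprotect(cipher, seq, mac_key, enc_key):
    """Receive side: decrypt, verify the MAC (before decompressing), decompress."""
    body = bytes(a ^ b for a, b in zip(cipher, keystream(enc_key, seq, len(cipher))))
    comp, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    if not hmac.compare_digest(tag, record_mac(mac_key, seq, comp)):
        raise ValueError("bad_record_mac")  # an always-fatal alert in SSL
    return zlib.decompress(comp)


def send(message, mac_key, enc_key, first_seq=0):
    """Fragment a whole message; each fragment gets its own sequence number."""
    return [protect(f, first_seq + i, mac_key, enc_key) for i, f in enumerate(fragment(message))]


def receive(records, mac_key, enc_key, first_seq=0):
    """Unprotect each record in order and reassemble the application message."""
    return b"".join(unprotect(r, first_seq + i, mac_key, enc_key) for i, r in enumerate(records))
```

Because the sequence number is part of the MAC input, a record replayed or delivered out of order fails verification even though its ciphertext is intact.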
• 18. 2. Change Cipher Spec Protocol: this protocol uses the SSL Record Protocol. It consists of a single message of a single byte with value 1. The sole purpose of this message is to cause the pending state to be copied into the current state, which updates the cipher suite to be used on this connection.
3. Alert Protocol: this protocol is used to convey SSL-related alerts to the peer entity. As with other data, alert messages are compressed and encrypted as specified by the current state. Every alert message consists of two bytes. The first byte takes the value warning (1) or fatal (2) and shows the severity of the message. On a fatal alert, SSL immediately terminates the current connection; other connections of the same session may continue, but no new connections may be established in this session. The second byte of the alert message indicates the specific alert.
• 19.
• The following alerts are always fatal:
unexpected_message: an inappropriate message was received.
bad_record_mac: an incorrect MAC was received.
decompression_failure: the decompression function received improper input.
handshake_error: the sender was unable to negotiate an acceptable set of security parameters given the options available.
illegal_parameter: a field in a handshake message was out of range or inconsistent with other fields.
• 20.
• The remaining alerts are as follows:
close_notify: notifies the recipient that the sender will not send any more messages on this connection. Each party is required to send a close_notify alert before closing the write side of a connection.
no_certificate: may be sent in response to a certificate request if no appropriate certificate is available.
bad_certificate: a received certificate was corrupt.
unsupported_certificate: the type of the received certificate is not supported.
certificate_revoked: a certificate has been revoked by its signer.
certificate_expired: a certificate has expired.
certificate_unknown: some other unspecified issue arose in processing the certificate, rendering it unacceptable.
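An added example (not code from the slides) covering the Alert Protocol description and the two alert lists above: it decodes the two-byte alert, distinguishes warning from fatal, and applies the rule that a fatal alert closes only the current connection while blocking new connections in the session. The description codes are the SSL 3.0 values from RFC 6101, which the slides do not give; the slides' "handshake_error" is RFC 6101's handshake_failure.

```python
"""Added example (not from the slides): decode two-byte alert messages and
apply the connection/session rules from the text. Description codes are the
SSL 3.0 values (RFC 6101); the slides' "handshake_error" is handshake_failure."""
WARNING, FATAL = 1, 2

ALERT_NAMES = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    30: "decompression_failure", 40: "handshake_failure", 41: "no_certificate",
    42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter",
}
# The five alerts the text lists as always fatal.
ALWAYS_FATAL = {"unexpected_message", "bad_record_mac", "decompression_failure",
                "handshake_failure", "illegal_parameter"}


def parse_alert(raw):
    """Return (level, name). Always-fatal alerts are escalated to fatal even if
    the peer labelled them as warnings (a defensive choice assumed here)."""
    if len(raw) != 2:
        raise ValueError("alert must be exactly two bytes")
    level, desc = raw[0], raw[1]
    if level not in (WARNING, FATAL) or desc not in ALERT_NAMES:
        raise ValueError("unknown alert level or description")
    name = ALERT_NAMES[desc]
    if name in ALWAYS_FATAL:
        level = FATAL
    return level, name


class Session:
    """One SSL session carrying several connections, as described in the text."""

    def __init__(self):
        self.resumable = True      # the session's "is resumable" flag
        self.connections = {}      # connection id -> "open" | "closing" | "closed"

    def open_connection(self, cid):
        if not self.resumable:
            raise RuntimeError("no new connections may be opened in this session")
        self.connections[cid] = "open"

    def handle_alert(self, cid, raw):
        level, name = parse_alert(raw)
        if level == FATAL:
            # Fatal: this connection ends at once and the session may not be
            # resumed, but other connections of the same session continue.
            self.connections[cid] = "closed"
            self.resumable = False
        elif name == "close_notify":
            # Peer will send no more; we answer with our own close_notify
            # before closing our write side.
            self.connections[cid] = "closing"
        return level, name
```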
• 21. 4. Handshake Protocol: this protocol allows the server and client to authenticate each other. The initial exchange required to establish a logical connection between client and server has the following four phases:
Phase 1: Establish Security Capabilities
• This phase is used to initiate a logical connection and to establish the security capabilities associated with it, including protocol version, session ID, cipher suite, compression method and initial random numbers.
Phase 2: Server Authentication and Key Exchange
• At the beginning of this phase, if the server needs to be authenticated, it sends its certificate; the message consists of one X.509 certificate or a chain of them.
• The certificate message is required for any agreed-on key exchange method.
• 22. Phase 3: Client Authentication and Key Exchange
• After receiving the “server_done” message, the client must verify that the server’s certificate is valid (if one was required) and check that the “server_hello” parameters are acceptable.
• If all is satisfactory, the client sends one or more messages back to the server. If the server asked for a client certificate, the client begins this phase by sending a certificate message. If no suitable certificate is available, the client sends a “no_certificate” alert instead.
Phase 4: Finish
• This final phase completes the setting up of a secure connection. In this phase the client sends a “change_cipher_spec” message, which copies the pending CipherSpec into the current CipherSpec.
• The client then immediately sends the finished message.
• This message verifies whether the key exchange and authentication processes were successful.
• The handshake is now complete, and the client and server can begin exchanging application data.
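The four phases above as a message-order checker, added here as an example (not code from the slides): it enforces that a requested client certificate is answered with either a certificate or a no_certificate alert, and that the pending CipherSpec becomes current only on change_cipher_spec, before finished. Message names follow SSL 3.0 (RFC 6101); "certificate_request" and "client_key_exchange" are assumed standard names for messages the text only alludes to.

```python
"""Added example (not from the slides): enforce the order of the four
handshake phases and the pending -> current CipherSpec copy."""

# (acceptable message names, optional?, phase) in the order they must appear.
SLOTS = [
    ({"client_hello"}, False, 1),
    ({"server_hello"}, False, 1),
    ({"certificate"}, False, 2),
    ({"certificate_request"}, True, 2),
    ({"server_done"}, False, 2),
    ({"client_certificate", "no_certificate"}, True, 3),  # required if requested
    ({"client_key_exchange"}, False, 3),
    ({"change_cipher_spec"}, False, 4),
    ({"finished"}, False, 4),
]
CLIENT_CERT_SLOT = 5


class Handshake:
    def __init__(self):
        self.pos = 0                      # index of the next expected slot
        self.pending = {}                 # negotiated parameters, not yet in use
        self.current = {}                 # parameters the record layer uses now
        self.client_cert_requested = False
        self.done = False

    def feed(self, name, **params):
        """Accept one handshake message; return its phase or raise on bad order."""
        for i in range(self.pos, len(SLOTS)):
            names, optional, phase = SLOTS[i]
            if i == CLIENT_CERT_SLOT and self.client_cert_requested:
                optional = False          # server asked: certificate or no_certificate
            if name in names:
                self.pos = i + 1
                self._apply(name, params)
                return phase
            if not optional:
                raise ValueError(f"unexpected {name}; expected one of {sorted(names)}")
        raise ValueError(f"unexpected {name} after handshake completed")

    def _apply(self, name, params):
        if name == "server_hello":
            # Phase 1 fixes version, session ID, cipher suite, compression, randoms.
            self.pending = dict(params)
        elif name == "certificate_request":
            self.client_cert_requested = True
        elif name == "change_cipher_spec":
            self.current = dict(self.pending)   # pending state becomes current
        elif name == "finished":
            if not self.current:
                raise ValueError("finished must follow change_cipher_spec")
            self.done = True
```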
• 23.
• Secure Electronic Transaction (SET):
• SET is an open encryption and security specification designed to protect credit card transactions on the Internet.
• A wide range of companies were involved in developing the initial specification, including IBM, Microsoft, Netscape, RSA, Terisa, and Verisign.
• SET is not a payment system; it is a set of security protocols and formats that enables users to employ the existing credit card payment infrastructure on the Internet in a secure manner.
• SET provides three services:
o It provides a secure communications channel among all parties involved in an e-commerce transaction.
o It provides authentication by the use of X.509v3 digital certificates.
o It ensures privacy because the information is only available to the parties in a transaction when and where necessary.
• 24.
• SET Overview:
1. Requirements: the following are the business requirements for secure payment processing with credit cards over the Internet and other networks.
1. Confidentiality: it should provide confidentiality of payment and ordering information.
2. Integrity: it should ensure the integrity of all data transmitted over the Internet.
3. Authentication: it should provide authentication that a cardholder is a legitimate user of a credit card account.
4. It should provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution.
5. It should ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction.
6. It should create a protocol that neither depends on transport security mechanisms nor prevents their use.
7. It should facilitate and encourage interoperability among software and network providers.
• 25. SET Participants:
• Cardholder
o With the help of the Internet, consumers and corporate purchasers interact with merchants from personal computers.
o A cardholder is an authorized holder of a payment card (e.g. MasterCard, Visa) that has been issued by an issuer.
• 26.
• Merchant
o A merchant is a person or organization that has goods or services to sell to the cardholder. Typically, these goods and services are offered via a web site or by e-mail.
o A merchant who accepts payment cards must have a relationship with an acquirer.
• Issuer
o An issuer is a financial institution, such as a bank, that provides the payment card to the cardholder. The cardholder can apply for an account and open it by e-mail.
o Ultimately, the issuer is responsible for the payment of the cardholder’s debt.
• 27.
• Acquirer
o This is also a financial institution, but it establishes an account with a merchant and processes payment card authorizations and payments.
o The acquirer is important because a merchant typically accepts more than one credit card brand but does not want to deal with multiple bankcard associations or with multiple individual issuers.
o It gives the merchant assurance that a given card account is valid and active and that the proposed purchase does not exceed the credit limit.
o The acquirer also provides electronic transfer of payments to the merchant’s account. Subsequently, the issuer reimburses the acquirer via the payment network for electronic funds transfer.
• 28.
• Payment Gateway
o This is a function operated by the acquirer, or it can be taken up by a designated organization as a dedicated function.
o The payment gateway acts as an interface between SET and the existing bankcard payment networks for authorization and payment functions.
o The merchant exchanges SET messages with the payment gateway over the Internet. The payment gateway in turn connects to the acquirer’s system using a dedicated network line.
• Certification Authority (CA)
o This is an entity that is trusted to issue public key certificates for cardholders, merchants, and payment gateways.
o The success of SET depends on the existence of a CA infrastructure available for this purpose.
• 29. Key Features of SET: SET incorporates the following features to meet the requirements mentioned above.
i. Confidentiality of information
• Cardholder account and payment information is secured as it travels across the network.
• An interesting and important feature of SET is that it prevents the merchant from learning the cardholder’s credit card number; this is only provided to the issuing bank. Conventional encryption by DES is used to provide confidentiality.
ii. Integrity of data
• Payment information sent from cardholders to merchants includes order information, personal data, and payment instructions. SET guarantees that these message contents are not altered in transit.
• RSA digital signatures, using SHA-1 hash codes, provide message integrity. Certain messages are also protected by HMAC using SHA-1.
• 30. iii. Cardholder account authentication
• SET enables merchants to verify that a cardholder is a legitimate user of a valid card account number. SET uses digital certificates with RSA signatures for this purpose.
iv. Merchant authentication
• SET enables cardholders to verify that a merchant has a relationship with a financial institution allowing it to accept payment cards. SET uses digital certificates with RSA signatures for this purpose.
• SET provides only one choice for each cryptographic algorithm. This makes sense, because SET is a single application with a single set of requirements.
• 31. We will now see the sequence of events required for a transaction.
1. The customer opens a new credit card account
The customer opens a credit card account with a bank that supports electronic payment and SET.
2. The customer receives a digital certificate
• After suitable identity verification, the customer receives a digital certificate signed by the bank.
• The certificate verifies the customer’s RSA public key and its expiration date.
• This establishes a relationship, guaranteed by the bank, between the customer’s key pair and the credit card.
• 32. 3. Merchants have their own certificates
A merchant who accepts a certain brand of credit card must possess a digital certificate.
4. The customer places an order
• The customer first browses the merchant’s web site to select items and determine their prices.
• The customer then sends a list of the items to be purchased to the merchant, who returns an order form containing the list of items, the price of each item, a total price, and an order number.
• 33. 5. The merchant is verified by certificate
The merchant also sends a copy of its digital certificate to the customer, so that the customer can verify that he or she is dealing with a valid store.
6. The order and payment information are sent
• The customer sends both order and payment information to the merchant, along with the customer’s certificate.
• The order confirms the purchase of the items on the order form. The payment information contains the credit card details.
• The payment information is encrypted in such a way that it cannot be read by the merchant, while the customer’s certificate enables the merchant to verify the customer.
• 34. 7. The merchant requests payment authorization
• The merchant sends the payment information to the payment gateway, requesting authorization that the customer’s available credit is sufficient for this purchase.
8. The merchant confirms the order
• The merchant sends confirmation of the order to the customer.
9. The merchant provides the goods or service
• After confirmation, the merchant ships the goods or provides the service to the customer.
10. The merchant requests payment
• This request is sent to the payment gateway, which handles all of the payment processing.