2. Web Security Threats
Threats Consequences Counter Measures
Integrity Modification of
user data, memory or message
traffic
Loss of Information,
Compromise of machine
Cryptographic of checksum
Confidentiality Eavesdropping on the Net
Theft of into from server/client
Info about Network
Configuration
Loss of
Information and Privacy
Encryption and Web Proxies
Denial of Service Killing of user Threads
Flooding machines with bogus
requests
Filling up Disk or Memory
Isolating machine by DNS attack
Prevent user from getting work
Done
Difficult to prevent
Authentication Impersonation of legitimate user Misrepresentation of user
Belief that false information is
valid
Cryptographic techniques
3. Security Facilities
HTTP FTP SMTP
TCP
IP / IPSec
HTTP FTP SMTP
SSL or TLS
TCP
IP
S/MIME PGP SET
Kerberos SMTP HTTP
UDP TCP
IP
Network Level Transport Level Application Level
4. Secure Socket Layer
SSL Architecture
Handshake
Protocol
Change Cipher
Spec Protocol
Alert Protocol HTTP
SSL Record Protocol
TCP
IP
5. Secure Socket Layer
Connection
Session
A connection is a transport that provides a suitable type of service.
For SSL its peer-to-peer relationship
They are transient.
Associated with one session.
Association between Client and Server
Created by handshake protocol
Defines security parameters
Shared among multiple connections
Avoid expensive negotiation of new security parameters
6. Secure Socket Layer
Session
Session Identifier
Peer Certificate
Compression Method
Cipher Spec
Master Secret
Is Resumable
Connection
Server and Client Random
Server write MAC secret
Client write MAC secret
Server write Key
Client Write Key
Initialization Vector
Sequence Number
Parameters
10. SSL Record Protocol
SSL Record Protocol Header
Content Type : The higher layer Protocol
Major Version : For SSlv3 its value is 3
Minor Version : For SSlv3 its value is 0
Compressed Length : The length of bytes of Plaintext fragment
15. SSL Change Cipher Specification Protocol
a single message.
causes pending state to become current.
hence updating the cipher suite in use.
16. SSL Alert Protocol
conveys SSL-related alerts to peer entity
Severity
warning or fatal
Specific alert
fatal: unexpected message, bad record mac, decompression failure,
handshake failure, illegal parameter
warning: close notify, no certificate, bad certificate, unsupported
certificate, certificate revoked, certificate expired, certificate unknown
compressed & encrypted like all SSL data
17. Secure Electronic Transaction
Business Requirements
• Provide confidentiality of PAYMENT and ORDERING info.
• Ensure the integrity of all TRANSMITTED data
• Provide authentication that a card holder is a LEGITIMATE user
• Provide authentication that a merchant can accept credit card
transaction
• Ensure the use of best security practices and system design
techniques
• Create protocol that doesn’t depends on transport security
mechanism.
18. Secure Electronic Transaction
Features of SET
• Confidentiality of INFORMATION
• Integrity of DATA
• Cardholder account authentication
• Merchant authentication
20. Secure Electronic Transaction
SET Transaction
1. customer opens account
2. customer receives a certificate
3. merchants have their own certificates
4. customer places an order
5. merchant is verified
6. order and payment are sent
7. merchant requests payment authorization
8. merchant confirms order
9. merchant provides goods or service
10.merchant requests payment
22. Secure Electronic Transaction
Dual Signature
• customer creates dual messages
• order information (OI) for merchant
• payment information (PI) for bank
• neither party needs details of other
• but must know they are linked