SlideShare a Scribd company logo

Lecture 6 web security

R
rajakhurram

Network Security Course (ET1318, ET2437) at Blekinge Institute of Technology, Karlskrona, Sweden

EducationTechnology
1 of 26
WEB Security
Outline • Web Security Considerations • Secure Socket Layer (SSL) and Transport Layer Security (TLS) • Secure Electronic Transaction (SET) 2
Web Security Considerations • The WEB is very visible. • Complex software hide many security flaws. • Web servers are easy to configure and manage. • Users are not aware of the risks. 3
Security facilities in the TCP/IP protocol stack Pretty Good Privacy (PGP): • a data encryption and decryption computer program • provides cryptographic privacy and authentication for data communication. • used for signing, encrypting and decrypting e-mails 4
Security facilities in the TCP/IP protocol stack • S/MIME (Secure/Multipurpose Internet Mail Extensions)  a standard for public key encryption and signing of MIME data.  provides the following cryptographic security services: – Authentication – message integrity – non-repudiation of origin (using digital signatures) – privacy – data security (using encryption) • Kerberos (the hound of Hades ):  computer network authentication protocol  allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner.  provides mutual authentication — both the user and the server verify each other's identity.
SSL and TLS • SSL was originated by Netscape • TLS working group was formed within IETF • First version of TLS can be viewed as an SSLv3.1 • SSL  SSL Architecture  SSL Record Protocol  Change Cipher Spec Protocol  Alert Protocol  Handshake Protocol 6
SSL Architecture • Not a single protocol but Two layers of protocols • Provides basic security services to higher layer protocosl e.g. HTTP operates on top of SSL • Three higher layer protocols are part of SSL 7
SSL session / SSL connection • Two important concepts : SSL connection and SSL session • SSL connection  Transport that provides a suitable type of service  A SSL connection is peer-to-peer relationship (transient)  Every SSL connection is associated with one session • SSL session  Association between a client and a server  Created by the Handshake Protocol  Define a set of cryptographic security parameters • States :  Session Established : Current operating state for recieve and send  Handshake Protocol: Pending State for recieve and send – If handshake successful, pending state  current operating state 8
SSL Record Protocol : Services • Two Services for SSL Connections 1. Confidentiality  Defines a shared secret key that is used for conventional encryption 2. Message Integrity – Defines a shared secret key that is used to form a message authentication code (MAC) • Compression  Lossless compression to shrink the message size – Defined as NULL in SSLv3 and current version of TLS 9
SSL Record Protocol : Operation • No distinction is made among various applications using SSL; the content of data is opaque to SSL Fragment: 214 bytes Compression: Optional Message Authentication Code: shared secret key is used to compute MAC Encryption: Symmetric 10
SSL Record Protocol : Operation • First Step Fragmentation: Each upper layer message is fragmented into block of 214 bytes (16384 bytes) or less • Second Step Compression: Optional step, must be lossless and may not increase the length by more than 1024 bytes • Third Step Message Authentication Code (MAC): shared secret key is used to compute MAC • Fourth Step Encryption: compressed message (if applied) and MAC are encrypted using symmetric encryption • Final Step Header Preparation. 11
SSL Record Format • Header consists of following :  Conten Type (8 bits) : Higher layer protocol used to process the enclosed fragment such as change_cipher_spec, alert, handshake and application data  Major Version (8 bits) : Major Version of SSL e.g. For SSL v3 = 3  Minor Version (8 bits) : Minor Version of SSL e.g. For SSL v3 = 0  Compressed Length (16 bits) : The length in bytes of plaintext or compressed fragment 12
SSL Change Cipher Spec Protocol • Uses SSL Record Protocol • Simplest one : Consists of a single message, which consists of single byte with value 1 • Purpose is to convert pending state into current state 13
Alert Protocol • Conveys SSL-related alerts to peer • Compressed and Encrypted • Consists of two bytes  The first byte indicates Alert Level (indicates severity) – Warning – Fatal • Will immediately terminate the connection • Alerts that always will be fatal  unexpected_message, bad_record_mac, decompression_failure, handshake_failure, illegal_parameter  The second bytes indicates the specific alert – Warning alerts • close_notify, no_certificate, bad_certificate, unsupported_certificate, certificate_revoked, certificate_expired, certificate_unknown 14
Handshake Protocol • The most complex part of SSL. • Server and client authenticate each other. • Server and client negotiate encryption, MAC algorithm and cryptographic keys. • Used before any application data is transmitted. • Message Format  Type: Indicate one of ten messages (e.g. Hello, certificate, key exchange)  Length: The length of message  Content: The parameters associated with this message 15
Handshake Protocol : Phases • Phase 1: Establish Security Capabilities  Initiate logical connection and establish security capabilities to be associated with it. • Phase 2: Server Authentication and Key Exchange  Sends a certificate (if authentication is required)  May send Server_Key_Exchange message • Phase 3: Client Authentication and Key Exchange  Client verify certificate from server and check server_hello parameters  May send a certificate (on request) or alert for no certificate or one or more message • Phase 4: Finish  Completes secure connection
Handshake Protocol Action 17
Transport Layer Security • The same record format as the SSL record format. • Defined in RFC 2246. • Similar to SSLv3. • Differences in the:  version number : major version 3, minor version 1  message authentication code  pseudo random function  alert codes  cipher suites : no longer support for Fortezza  client certificate types  certificate_verify and finished message  cryptographic computations  padding 18
Secure Electronic Transactions • An open encryption and security specification. • Protect credit card transaction on the Internet. • Companies involved:  MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign • Set of security protocols and formats. 19
Secure Electronic Transactions • Key Features of SET:  Confidentiality of information  Integrity of data  Cardholder account authentication  Merchant authentication • SET Services  Provides a secure communication channel in a transaction.  Provides trust by the use of X.509v3 digital certificates.  Ensures privacy. 20
SET Participants 21
SET Participants • Card Holder: person who uses a payment card to purchase • Merchant: business or organization who sells goods or services to the cardholder in the case of a SET transaction over the internet. • Issuer: financial institution that provides the cardholder with payment card. The issuer responsibility to guarantee payment on behalf of its cardholder. • Acquirer: financial institution that processes payment card authorizations and payment for the merchant. The acquirer’s responsibility is to obtain payment authority from the cardholder’s issuer.
SET Participants • Payment Gateway: an institution that works on the behalf of the acquirer to process the merchant’s payment messages, including payment instruction from the cardholders. • Certificate Authority: The certificate authority provides certification for the merchant, cardholder, and payment gateway. Certification provides a means of assuring that the parties involved in a transaction
Sequence of events for transactions 1. The customer opens an account. 2. The customer receives a certificate. 3. Merchants have their own certificates. 4. The customer places an order. 5. The merchant is verified. 6. The order and payment are sent. 7. The merchant request payment authorization. 8. The merchant confirm the order. 9. The merchant provides the goods or service. 10. The merchant requests payments. 24
HTTPS • HTTP over SSL : combination of HTTP and SSL  RFC 2818 : HTTP Over TLS , no fundamental change in HTTP over SSL or TLS  Secure communication between Web browser and Web servers  Built into all modern Web browser  Web servers should support HTTPS communications • Connection Initiation  Client initiates a connection to server on appropriate port  Handshake is performed  Data is sent • Connection Closure  Client indicate closing of connection, Connection : close  Client must be able to cope with a situation, if a connection is terminated without close notification and issue security warning 25
SSH : Secure Shell (Reading Assignment)

Recommended

Electronic mail security
Electronic mail securityElectronic mail security
Electronic mail security
Dr.Florence Dayana
 
Network security cryptographic hash function
Network security cryptographic hash functionNetwork security cryptographic hash function
Network security cryptographic hash function
Mijanur Rahman Milon
 
SSL/TLS Handshake
SSL/TLS HandshakeSSL/TLS Handshake
SSL/TLS Handshake
Arpit Agarwal
 
Steganography ppt
Steganography pptSteganography ppt
Steganography ppt
Vikas Sharma
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
primeteacher32
 
SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS Protocol
Devang Badrakiya
 
E-mail Security in Network Security NS5
E-mail Security in Network Security NS5E-mail Security in Network Security NS5
E-mail Security in Network Security NS5
koolkampus
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
Mohammed Adam
 

Recommended

Electronic mail security
Electronic mail securityElectronic mail security
Electronic mail security
Dr.Florence Dayana
 
Network security cryptographic hash function
Network security cryptographic hash functionNetwork security cryptographic hash function
Network security cryptographic hash function
Mijanur Rahman Milon
 
SSL/TLS Handshake
SSL/TLS HandshakeSSL/TLS Handshake
SSL/TLS Handshake
Arpit Agarwal
 
Steganography ppt
Steganography pptSteganography ppt
Steganography ppt
Vikas Sharma
 
Email Forensics
Email ForensicsEmail Forensics
Email Forensics
primeteacher32
 
SSL TLS Protocol
SSL TLS ProtocolSSL TLS Protocol
SSL TLS Protocol
Devang Badrakiya
 
E-mail Security in Network Security NS5
E-mail Security in Network Security NS5E-mail Security in Network Security NS5
E-mail Security in Network Security NS5
koolkampus
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) ProtocolWhat is SSL ? The Secure Sockets Layer (SSL) Protocol
What is SSL ? The Secure Sockets Layer (SSL) Protocol
Mohammed Adam
 
Steganography
SteganographySteganography
Steganography
Mayank Saxena
 
Email Security : PGP & SMIME
Email Security : PGP & SMIMEEmail Security : PGP & SMIME
Email Security : PGP & SMIME
Rohit Soni
 
CNS - Unit - 2 - Stream Ciphers and Block Ciphers
CNS - Unit - 2 - Stream Ciphers and Block CiphersCNS - Unit - 2 - Stream Ciphers and Block Ciphers
CNS - Unit - 2 - Stream Ciphers and Block Ciphers
Gyanmanjari Institute Of Technology
 
Digital Signature
Digital SignatureDigital Signature
Digital Signature
Krithika Nagarajan
 
Web Security
Web SecurityWeb Security
Web Security
Dr.Florence Dayana
 
Email security
Email securityEmail security
Email security
Indrajit Sreemany
 
Introduction to Digital signatures
Introduction to Digital signaturesIntroduction to Digital signatures
Introduction to Digital signatures
Rohit Bhat
 
Digital signature(Cryptography)
Digital signature(Cryptography)Digital signature(Cryptography)
Digital signature(Cryptography)
Soham Kansodaria
 
IP Security
IP SecurityIP Security
IP Security
Ambo University
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
Seema Goel
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
Arun Shukla
 
MAC-Message Authentication Codes
MAC-Message Authentication CodesMAC-Message Authentication Codes
MAC-Message Authentication Codes
DarshanPatil82
 
IP Security
IP SecurityIP Security
IP Security
Keshab Nath
 
Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanisms
priya_trehan
 
Message Authentication
Message AuthenticationMessage Authentication
Message Authentication
chauhankapil
 
Digital Signatures
Digital SignaturesDigital Signatures
Digital Signatures
Ehtisham Ali
 
XML Encryption
XML EncryptionXML Encryption
XML Encryption
Prabath Siriwardena
 
Ch20
Ch20Ch20
Ch20
Joe Christensen
 
Digital signature
Digital signatureDigital signature
Digital signature
Hossain Md Shakhawat
 
Digital signature
Digital signatureDigital signature
Digital signature
AJAL A J
 
Web Security
Web SecurityWeb Security
Web Security
ADIEFEH
 
web security
web securityweb security
web security
Chirag Patel
 

More Related Content

What's hot

Introduction to Digital signatures
Introduction to Digital signaturesIntroduction to Digital signatures
Introduction to Digital signatures
Rohit Bhat
 
Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanisms
priya_trehan
 

What's hot (20)

Steganography
SteganographySteganography
Steganography
 
Email Security : PGP & SMIME
Email Security : PGP & SMIMEEmail Security : PGP & SMIME
Email Security : PGP & SMIME
 
CNS - Unit - 2 - Stream Ciphers and Block Ciphers
CNS - Unit - 2 - Stream Ciphers and Block CiphersCNS - Unit - 2 - Stream Ciphers and Block Ciphers
CNS - Unit - 2 - Stream Ciphers and Block Ciphers
 
Digital Signature
Digital SignatureDigital Signature
Digital Signature
 
Web Security
Web SecurityWeb Security
Web Security
 
Email security
Email securityEmail security
Email security
 
Introduction to Digital signatures
Introduction to Digital signaturesIntroduction to Digital signatures
Introduction to Digital signatures
 
Digital signature(Cryptography)
Digital signature(Cryptography)Digital signature(Cryptography)
Digital signature(Cryptography)
 
IP Security
IP SecurityIP Security
IP Security
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
Transport Layer Security (TLS)
Transport Layer Security (TLS)Transport Layer Security (TLS)
Transport Layer Security (TLS)
 
MAC-Message Authentication Codes
MAC-Message Authentication CodesMAC-Message Authentication Codes
MAC-Message Authentication Codes
 
IP Security
IP SecurityIP Security
IP Security
 
Security Mechanisms
Security MechanismsSecurity Mechanisms
Security Mechanisms
 
Message Authentication
Message AuthenticationMessage Authentication
Message Authentication
 
Digital Signatures
Digital SignaturesDigital Signatures
Digital Signatures
 
XML Encryption
XML EncryptionXML Encryption
XML Encryption
 
Ch20
Ch20Ch20
Ch20
 
Digital signature
Digital signatureDigital signature
Digital signature
 
Digital signature
Digital signatureDigital signature
Digital signature
 

Viewers also liked

CCNA Routing Protocols
CCNA Routing ProtocolsCCNA Routing Protocols
CCNA Routing Protocols
Dsunte Wilson
 
CCNA Advanced Routing Protocols
CCNA Advanced Routing ProtocolsCCNA Advanced Routing Protocols
CCNA Advanced Routing Protocols
Dsunte Wilson
 

Viewers also liked (15)

Web Security
Web SecurityWeb Security
Web Security
 
web security
web securityweb security
web security
 
Network device management
Network device managementNetwork device management
Network device management
 
Routing to components
Routing to componentsRouting to components
Routing to components
 
Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2 Fundamental of Secure Socket Layer (SSL) | Part - 2
Fundamental of Secure Socket Layer (SSL) | Part - 2
 
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
Cryptography Simplified - Symmetric Key, Public Key, PKI, Digital Signature, ...
 
SSL Technology
SSL TechnologySSL Technology
SSL Technology
 
CCNA Routing Protocols
CCNA Routing Protocols CCNA Routing Protocols
CCNA Routing Protocols
 
2015.10.05 Updated > Network Device Development - Part 1: Switch
2015.10.05 Updated > Network Device Development - Part 1: Switch2015.10.05 Updated > Network Device Development - Part 1: Switch
2015.10.05 Updated > Network Device Development - Part 1: Switch
 
Secure Socket Layer
Secure Socket LayerSecure Socket Layer
Secure Socket Layer
 
Introduction to Secure Sockets Layer
Introduction to Secure Sockets LayerIntroduction to Secure Sockets Layer
Introduction to Secure Sockets Layer
 
Dhcp ppt
Dhcp pptDhcp ppt
Dhcp ppt
 
CCNA Routing Protocols
CCNA Routing ProtocolsCCNA Routing Protocols
CCNA Routing Protocols
 
CCNA Advanced Routing Protocols
CCNA Advanced Routing ProtocolsCCNA Advanced Routing Protocols
CCNA Advanced Routing Protocols
 
Web Security
Web SecurityWeb Security
Web Security
 

Similar to Lecture 6 web security

Secure Socket Layer.ppt [ssl for websecurity]
Secure Socket Layer.ppt [ssl for websecurity]Secure Socket Layer.ppt [ssl for websecurity]
Secure Socket Layer.ppt [ssl for websecurity]
shashankmharse1533
 
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdfSECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
NiharikaDubey17
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
Monodip Singha Roy
 

Similar to Lecture 6 web security (20)

Secure socket later
Secure socket laterSecure socket later
Secure socket later
 
Network Security Applications
Network Security ApplicationsNetwork Security Applications
Network Security Applications
 
ssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptxssl-tls-ipsec-vpn.pptx
ssl-tls-ipsec-vpn.pptx
 
Secure Socket Layer.ppt [ssl for websecurity]
Secure Socket Layer.ppt [ssl for websecurity]Secure Socket Layer.ppt [ssl for websecurity]
Secure Socket Layer.ppt [ssl for websecurity]
 
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdfSECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
SECURE SOCKET LAYER(SSL)_LECTURE SLIDES.pdf
 
SSL And TLS
SSL And TLS SSL And TLS
SSL And TLS
 
Network Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr ShivashankarNetwork Security_Module_2_Dr Shivashankar
Network Security_Module_2_Dr Shivashankar
 
SecureSocketLayer.ppt
SecureSocketLayer.pptSecureSocketLayer.ppt
SecureSocketLayer.ppt
 
Network Security- Secure Socket Layer
Network Security- Secure Socket LayerNetwork Security- Secure Socket Layer
Network Security- Secure Socket Layer
 
Unit08
Unit08Unit08
Unit08
 
Parallel and distributed computing .pptx
Parallel and distributed computing .pptxParallel and distributed computing .pptx
Parallel and distributed computing .pptx
 
Transport Layer Security
Transport Layer SecurityTransport Layer Security
Transport Layer Security
 
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.pptWEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
 
ch1 eriht eriotery erogyteip ergy7.ppt
ch1 eriht eriotery erogyteip ergy7.pptch1 eriht eriotery erogyteip ergy7.ppt
ch1 eriht eriotery erogyteip ergy7.ppt
 
Secure Socket Layer.pptx
Secure Socket Layer.pptxSecure Socket Layer.pptx
Secure Socket Layer.pptx
 
SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )SECURE SOCKET LAYER ( WEB SECURITY )
SECURE SOCKET LAYER ( WEB SECURITY )
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROYPPT ON WEB SECURITY BY MONODIP SINGHA ROY
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
 
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level SecurityCRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
CRYPTOGRAPHY AND NETWORK SECURITY- Transport-level Security
 
Network Security_Module_2.pdf
Network Security_Module_2.pdfNetwork Security_Module_2.pdf
Network Security_Module_2.pdf
 
PKI & SSL
PKI & SSLPKI & SSL
PKI & SSL
 

More from rajakhurram

Malicious software
Malicious softwareMalicious software
Malicious software
rajakhurram
 
Lecture malicious software
Lecture malicious softwareLecture malicious software
Lecture malicious software
rajakhurram
 
Lecture3a symmetric encryption
Lecture3a symmetric encryptionLecture3a symmetric encryption
Lecture3a symmetric encryption
rajakhurram
 
Lecture2 network attack
Lecture2 network attackLecture2 network attack
Lecture2 network attack
rajakhurram
 

More from rajakhurram (14)

Malicious software
Malicious softwareMalicious software
Malicious software
 
Lecture malicious software
Lecture malicious softwareLecture malicious software
Lecture malicious software
 
Lecture 12 malicious software
Lecture 12 malicious software Lecture 12 malicious software
Lecture 12 malicious software
 
Lecture 11 wifi security
Lecture 11 wifi securityLecture 11 wifi security
Lecture 11 wifi security
 
Lecture 10 intruders
Lecture 10 intrudersLecture 10 intruders
Lecture 10 intruders
 
Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication Lecture 9 key distribution and user authentication
Lecture 9 key distribution and user authentication
 
Lecture 7 certificates
Lecture 7 certificatesLecture 7 certificates
Lecture 7 certificates
 
Lecture 5 ip security
Lecture 5 ip securityLecture 5 ip security
Lecture 5 ip security
 
Lecture 4 firewalls
Lecture 4 firewallsLecture 4 firewalls
Lecture 4 firewalls
 
Lecture 3b public key_encryption
Lecture 3b public key_encryptionLecture 3b public key_encryption
Lecture 3b public key_encryption
 
Lecture3a symmetric encryption
Lecture3a symmetric encryptionLecture3a symmetric encryption
Lecture3a symmetric encryption
 
Lecture2 network attack
Lecture2 network attackLecture2 network attack
Lecture2 network attack
 
Lecture1 Introduction
Lecture1 Introduction Lecture1 Introduction
Lecture1 Introduction
 
Lecture 8 mail security
Lecture 8 mail securityLecture 8 mail security
Lecture 8 mail security
 

Recently uploaded

Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
AnaAcapella
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
Association for Project Management
 

Recently uploaded (20)

How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17How to Create and Manage Wizard in Odoo 17
How to Create and Manage Wizard in Odoo 17
 
REMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptxREMIFENTANIL: An Ultra short acting opioid.pptx
REMIFENTANIL: An Ultra short acting opioid.pptx
 
Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)Accessible Digital Futures project (20/03/2024)
Accessible Digital Futures project (20/03/2024)
 
Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)Jamworks pilot and AI at Jisc (20/03/2024)
Jamworks pilot and AI at Jisc (20/03/2024)
 
Spellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please PractiseSpellings Wk 3 English CAPS CARES Please Practise
Spellings Wk 3 English CAPS CARES Please Practise
 
How to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POSHow to Manage Global Discount in Odoo 17 POS
How to Manage Global Discount in Odoo 17 POS
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17
 
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
Kodo Millet PPT made by Ghanshyam bairwa college of Agriculture kumher bhara...
 
Fostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the ClassroomFostering Friendships - Enhancing Social Bonds in the Classroom
Fostering Friendships - Enhancing Social Bonds in the Classroom
 
Python Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docxPython Notes for mca i year students osmania university.docx
Python Notes for mca i year students osmania university.docx
 
On National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan FellowsOn National Teacher Day, meet the 2024-25 Kenan Fellows
On National Teacher Day, meet the 2024-25 Kenan Fellows
 
Micro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdfMicro-Scholarship, What it is, How can it help me.pdf
Micro-Scholarship, What it is, How can it help me.pdf
 
Wellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptxWellbeing inclusion and digital dystopias.pptx
Wellbeing inclusion and digital dystopias.pptx
 
Understanding Accommodations and Modifications
Understanding Accommodations and ModificationsUnderstanding Accommodations and Modifications
Understanding Accommodations and Modifications
 
Single or Multiple melodic lines structure
Single or Multiple melodic lines structureSingle or Multiple melodic lines structure
Single or Multiple melodic lines structure
 
Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...Making communications land - Are they received and understood as intended? we...
Making communications land - Are they received and understood as intended? we...
 
Food safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdfFood safety_Challenges food safety laboratories_.pdf
Food safety_Challenges food safety laboratories_.pdf
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The Basics
 
Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024Mehran University Newsletter Vol-X, Issue-I, 2024
Mehran University Newsletter Vol-X, Issue-I, 2024
 
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptxBasic Civil Engineering first year Notes- Chapter 4 Building.pptx
Basic Civil Engineering first year Notes- Chapter 4 Building.pptx
 

Lecture 6 web security

  • 2. Outline • Web Security Considerations • Secure Socket Layer (SSL) and Transport Layer Security (TLS) • Secure Electronic Transaction (SET) 2
  • 3. Web Security Considerations • The WEB is very visible. • Complex software hide many security flaws. • Web servers are easy to configure and manage. • Users are not aware of the risks. 3
  • 4. Security facilities in the TCP/IP protocol stack Pretty Good Privacy (PGP): • a data encryption and decryption computer program • provides cryptographic privacy and authentication for data communication. • used for signing, encrypting and decrypting e-mails 4
  • 5. Security facilities in the TCP/IP protocol stack • S/MIME (Secure/Multipurpose Internet Mail Extensions)  a standard for public key encryption and signing of MIME data.  provides the following cryptographic security services: – Authentication – message integrity – non-repudiation of origin (using digital signatures) – privacy – data security (using encryption) • Kerberos (the hound of Hades ):  computer network authentication protocol  allows nodes communicating over a non-secure network to prove their identity to one another in a secure manner.  provides mutual authentication — both the user and the server verify each other's identity.
  • 6. SSL and TLS • SSL was originated by Netscape • TLS working group was formed within IETF • First version of TLS can be viewed as an SSLv3.1 • SSL  SSL Architecture  SSL Record Protocol  Change Cipher Spec Protocol  Alert Protocol  Handshake Protocol 6
  • 7. SSL Architecture • Not a single protocol but Two layers of protocols • Provides basic security services to higher layer protocosl e.g. HTTP operates on top of SSL • Three higher layer protocols are part of SSL 7
  • 8. SSL session / SSL connection • Two important concepts : SSL connection and SSL session • SSL connection  Transport that provides a suitable type of service  A SSL connection is peer-to-peer relationship (transient)  Every SSL connection is associated with one session • SSL session  Association between a client and a server  Created by the Handshake Protocol  Define a set of cryptographic security parameters • States :  Session Established : Current operating state for recieve and send  Handshake Protocol: Pending State for recieve and send – If handshake successful, pending state  current operating state 8
  • 9. SSL Record Protocol : Services • Two Services for SSL Connections 1. Confidentiality  Defines a shared secret key that is used for conventional encryption 2. Message Integrity – Defines a shared secret key that is used to form a message authentication code (MAC) • Compression  Lossless compression to shrink the message size – Defined as NULL in SSLv3 and current version of TLS 9
  • 10. SSL Record Protocol : Operation • No distinction is made among various applications using SSL; the content of data is opaque to SSL Fragment: 214 bytes Compression: Optional Message Authentication Code: shared secret key is used to compute MAC Encryption: Symmetric 10
  • 11. SSL Record Protocol : Operation • First Step Fragmentation: Each upper layer message is fragmented into block of 214 bytes (16384 bytes) or less • Second Step Compression: Optional step, must be lossless and may not increase the length by more than 1024 bytes • Third Step Message Authentication Code (MAC): shared secret key is used to compute MAC • Fourth Step Encryption: compressed message (if applied) and MAC are encrypted using symmetric encryption • Final Step Header Preparation. 11
  • 12. SSL Record Format • Header consists of following :  Conten Type (8 bits) : Higher layer protocol used to process the enclosed fragment such as change_cipher_spec, alert, handshake and application data  Major Version (8 bits) : Major Version of SSL e.g. For SSL v3 = 3  Minor Version (8 bits) : Minor Version of SSL e.g. For SSL v3 = 0  Compressed Length (16 bits) : The length in bytes of plaintext or compressed fragment 12
  • 13. SSL Change Cipher Spec Protocol • Uses SSL Record Protocol • Simplest one : Consists of a single message, which consists of single byte with value 1 • Purpose is to convert pending state into current state 13
  • 14. Alert Protocol • Conveys SSL-related alerts to peer • Compressed and Encrypted • Consists of two bytes  The first byte indicates Alert Level (indicates severity) – Warning – Fatal • Will immediately terminate the connection • Alerts that always will be fatal  unexpected_message, bad_record_mac, decompression_failure, handshake_failure, illegal_parameter  The second bytes indicates the specific alert – Warning alerts • close_notify, no_certificate, bad_certificate, unsupported_certificate, certificate_revoked, certificate_expired, certificate_unknown 14
  • 15. Handshake Protocol • The most complex part of SSL. • Server and client authenticate each other. • Server and client negotiate encryption, MAC algorithm and cryptographic keys. • Used before any application data is transmitted. • Message Format  Type: Indicate one of ten messages (e.g. Hello, certificate, key exchange)  Length: The length of message  Content: The parameters associated with this message 15
  • 16. Handshake Protocol : Phases • Phase 1: Establish Security Capabilities  Initiate logical connection and establish security capabilities to be associated with it. • Phase 2: Server Authentication and Key Exchange  Sends a certificate (if authentication is required)  May send Server_Key_Exchange message • Phase 3: Client Authentication and Key Exchange  Client verify certificate from server and check server_hello parameters  May send a certificate (on request) or alert for no certificate or one or more message • Phase 4: Finish  Completes secure connection
  • 18. Transport Layer Security • The same record format as the SSL record format. • Defined in RFC 2246. • Similar to SSLv3. • Differences in the:  version number : major version 3, minor version 1  message authentication code  pseudo random function  alert codes  cipher suites : no longer support for Fortezza  client certificate types  certificate_verify and finished message  cryptographic computations  padding 18
  • 19. Secure Electronic Transactions • An open encryption and security specification. • Protect credit card transaction on the Internet. • Companies involved:  MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign • Set of security protocols and formats. 19
  • 20. Secure Electronic Transactions • Key Features of SET:  Confidentiality of information  Integrity of data  Cardholder account authentication  Merchant authentication • SET Services  Provides a secure communication channel in a transaction.  Provides trust by the use of X.509v3 digital certificates.  Ensures privacy. 20
  • 22. SET Participants • Card Holder: person who uses a payment card to purchase • Merchant: business or organization who sells goods or services to the cardholder in the case of a SET transaction over the internet. • Issuer: financial institution that provides the cardholder with payment card. The issuer responsibility to guarantee payment on behalf of its cardholder. • Acquirer: financial institution that processes payment card authorizations and payment for the merchant. The acquirer’s responsibility is to obtain payment authority from the cardholder’s issuer.
  • 23. SET Participants • Payment Gateway: an institution that works on the behalf of the acquirer to process the merchant’s payment messages, including payment instruction from the cardholders. • Certificate Authority: The certificate authority provides certification for the merchant, cardholder, and payment gateway. Certification provides a means of assuring that the parties involved in a transaction
  • 24. Sequence of events for transactions 1. The customer opens an account. 2. The customer receives a certificate. 3. Merchants have their own certificates. 4. The customer places an order. 5. The merchant is verified. 6. The order and payment are sent. 7. The merchant request payment authorization. 8. The merchant confirm the order. 9. The merchant provides the goods or service. 10. The merchant requests payments. 24
  • 25. HTTPS • HTTP over SSL : combination of HTTP and SSL  RFC 2818 : HTTP Over TLS , no fundamental change in HTTP over SSL or TLS  Secure communication between Web browser and Web servers  Built into all modern Web browser  Web servers should support HTTPS communications • Connection Initiation  Client initiates a connection to server on appropriate port  Handshake is performed  Data is sent • Connection Closure  Client indicate closing of connection, Connection : close  Client must be able to cope with a situation, if a connection is terminated without close notification and issue security warning 25
  • 26. SSH : Secure Shell (Reading Assignment)

Editor's Notes

  1. http://www.informit.com/articles/article.aspx?p=26857&seqNum=3