2 Web Security
- Web now widely used by business, government, individuals
- but Internet & Web are vulnerable
- have a variety of threats
  - integrity
  - confidentiality
  - denial of service
  - authentication
- need added security mechanisms
3 SSL (Secure Socket Layer)
- transport layer security service
- originally developed by Netscape
- version 3 designed with public input
- subsequently became Internet standard known as TLS (Transport Layer Security)
- uses TCP to provide a reliable end-to-end service
- SSL has two layers of protocols

SSL is probably the most widely used Web security mechanism. It is implemented at the Transport layer; cf. IPSec at the Network layer, or various Application layer mechanisms, e.g. S/MIME & SET (later).
5 SSL Architecture
- SSL session
  - an association between client & server
  - created by the Handshake Protocol
  - defines a set of cryptographic parameters
  - may be shared by multiple SSL connections
- SSL connection
  - a transient, peer-to-peer, communications link
  - associated with 1 SSL session
6 SSL Record Protocol
- confidentiality
  - using symmetric encryption with a shared secret key defined by Handshake Protocol
  - IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
  - message is compressed before encryption
- message integrity
  - using a MAC with shared secret key
  - similar to HMAC but with different padding

SSL Record Protocol defines these two services for SSL connections.
7 SSL Change Cipher Spec Protocol
- one of 3 SSL specific protocols which use the SSL Record protocol
- a single message
- causes pending state to become current
- hence updating the cipher suite in use
8 SSL Alert Protocol
- conveys SSL-related alerts to peer entity
- severity
  - warning or fatal
- specific alert
  - unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter
  - close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
- compressed & encrypted like all SSL data
9 SSL Handshake Protocol
- allows server & client to:
  - authenticate each other
  - to negotiate encryption & MAC algorithms
  - to negotiate cryptographic keys to be used
- comprises a series of messages in phases
  - Establish Security Capabilities
  - Server Authentication and Key Exchange
  - Client Authentication and Key Exchange
  - Finish
11 TLS (Transport Layer Security)
- IETF standard RFC 2246 similar to SSLv3
- with minor differences
  - in record format version number
  - uses HMAC for MAC
  - a pseudo-random function expands secrets
  - has additional alert codes
  - some changes in supported ciphers
  - changes in certificate negotiations
  - changes in use of padding
12 Secure Electronic Transactions (SET)
- open encryption & security specification
- to protect Internet credit card transactions
- developed in 1996 by Mastercard, Visa etc
- not a payment system
- rather a set of security protocols & formats
  - secure communications amongst parties
  - trust from use of X.509v3 certificates
  - privacy by restricted info to those who need it
14 SET Transaction
1. customer opens account
2. customer receives a certificate
3. merchants have their own certificates
4. customer places an order
5. merchant is verified
6. order and payment are sent
7. merchant requests payment authorization
8. merchant confirms order
9. merchant provides goods or service
10. merchant requests payment
15 Dual Signature
- customer creates dual messages
  - order information (OI) for merchant
  - payment information (PI) for bank
- neither party needs details of other
- but must know they are linked
- use a dual signature for this
  - signed concatenated hashes of OI & PI
18 Purchase Request – Merchant
1. verifies cardholder certificates using CA signatures
2. verifies dual signature using customer's public signature key to ensure order has not been tampered with in transit & that it was signed using cardholder's private signature key
3. processes order and forwards the payment information to the payment gateway for authorization (described later)
4. sends a purchase response to cardholder
19 Payment Gateway Authorization
1. verifies all certificates
2. decrypts digital envelope of authorization block to obtain symmetric key & then decrypts authorization block
3. verifies merchant's signature on authorization block
4. decrypts digital envelope of payment block to obtain symmetric key & then decrypts payment block
5. verifies dual signature on payment block
6. verifies that transaction ID received from merchant matches that in PI received (indirectly) from customer
7. requests & receives an authorization from issuer
8. sends authorization response back to merchant
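The dual signature from the Dual Signature, Purchase Request and Payment Gateway Authorization slides, as an added worked example (not part of the original slides). Assumptions: SHA-256 as the hash, a toy textbook-RSA key with no padding in place of the cardholder's certified key, constructed OI/PI messages, and the labels pimd/oimd/pomd chosen here for the digests.

```python
import hashlib

# Toy cardholder key for this demo only: textbook RSA over two well-known
# Mersenne primes, no padding. Stands in for the certified signature key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def h(data: bytes) -> bytes:
    """Message digest; SHA-256 is an assumption of this example."""
    return hashlib.sha256(data).digest()

def pomd(pimd: bytes, oimd: bytes) -> int:
    """Hash of the concatenated hashes of PI and OI, as an integer."""
    return int.from_bytes(h(pimd + oimd), "big")

def dual_sign(pi: bytes, oi: bytes) -> int:
    """Cardholder: sign H(H(PI) || H(OI)) with the private signature key."""
    return pow(pomd(h(pi), h(oi)), D, N)

def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI in full but only the digest of PI."""
    return pow(ds, E, N) == pomd(pimd, h(oi))

def gateway_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Payment gateway holds PI in full but only the digest of OI."""
    return pow(ds, E, N) == pomd(h(pi), oimd)

# Constructed sample messages; both carry the same transaction ID.
OI = b"txn=1001;item=book;total=25.00"
PI = b"txn=1001;card=CONSTRUCTED-0000;amount=25.00"
DS = dual_sign(PI, OI)

if __name__ == "__main__":
    print("merchant accepts order:", merchant_verify(OI, h(PI), DS))
    print("gateway accepts payment:", gateway_verify(PI, h(OI), DS))
    # An order altered in transit no longer matches the signature.
    altered = OI.replace(b"25.00", b"2.50")
    print("altered order accepted:", merchant_verify(altered, h(PI), DS))
    # A payment paired with a different order's digest is rejected too.
    other = h(b"txn=1002;item=laptop;total=25.00")
    print("re-linked payment accepted:", gateway_verify(PI, other, DS))
```

Neither verifier needs the other party's plaintext: the merchant never sees PI and the gateway never sees OI, yet both checks fail if either half is swapped or altered.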
20 Payment Capture
- merchant sends payment gateway a payment capture request
- gateway checks request
- then causes funds to be transferred to merchant's account
- notifies merchant using capture response
21 Summary
- have considered:
  - need for web security
  - SSL/TLS transport layer security protocols
  - SET secure credit card payment protocols