Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

Security protocols used in Ecommerce
We already studied various security technologies:
- Encryption
- Authentication
- Key distribution
- Message integrity
- Digital signature
We also studied how these techniques are used to secure electronic transactions. Here we continue by studying some of the security protocols used in Ecommerce.

Security protocols used in Ecommerce
Since the 1990s many schemes have appeared, but only a few of them succeeded and became widely implemented. Among the most successful are SSL and SET.
1- The Secure Socket Layer protocol (SSL) is used by the vast majority of secure internet transactions. SSL is implemented in all popular browsers and web servers. Furthermore, it is the basis of the Transport Layer Security (TLS) protocol.
2- The Secure Electronic Transactions protocol (SET), which competes with SSL.

Security protocols used in Ecommerce
Ecommerce, whether secured with SSL or with SET, usually relies on the existing credit and debit card payment infrastructure. The three major players in this infrastructure are customers, merchants and financial institutions. We will see that SSL secures the communication between the first two players (the customer and the merchant), while SET secures the communication among all three players.

Secure Socket Layer protocol (SSL)
SSL was originally designed by Netscape. It was developed to provide encryption and authentication between a web client and a web server. SSL begins with a handshake phase that consists of two main steps:
1- Negotiating the encryption algorithm
2- Authenticating identity (optional)
After that, encrypted data can be sent.

Secure Socket Layer protocol (SSL)
Negotiating the encryption algorithm: an SSL session begins with a negotiation between the client and the server about the cipher suite. The cipher suite specifies the public key encryption algorithms, the symmetric key encryption algorithms, the hash functions and the key sizes to be used. The client tells the server which cipher suites it supports, and the server chooses the best mutually acceptable cipher suite.
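As an added illustration (not part of the original slides), the following Python code shows the negotiation step the slide describes: the client offers the suites it supports, the server picks the first suite in its own preference order that the client also offered, and it refuses suites that a sensible policy would never accept, returning None when there is no overlap. The suite names are real TLS cipher suite names; the server preference list, the policy markers and the describe() helper (which splits a suite name into the key-exchange, cipher, key-size and hash parts the slide lists) are constructed for this example.

```python
"""Cipher suite negotiation, written as an added example for these slides.
Suite names are real TLS names; the server policy below is constructed."""

# Suites this server accepts, strongest first (constructed preference order).
SERVER_PREFERENCES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# Markers of suites that must never be chosen, whatever the client offers:
# NULL = no encryption, EXPORT = deliberately weakened short keys,
# RC4 = broken stream cipher, anon = no server authentication at all.
FORBIDDEN_MARKERS = ("NULL", "EXPORT", "RC4", "anon")


def is_acceptable(suite: str) -> bool:
    """Policy filter applied to every candidate suite."""
    return not any(marker in suite for marker in FORBIDDEN_MARKERS)


def choose_cipher_suite(client_offered, server_preferences=SERVER_PREFERENCES):
    """Return the best mutually acceptable suite, following the server's own
    preference order, or None when there is no overlap (a real server then
    aborts the handshake with a handshake_failure alert)."""
    offered = {s for s in client_offered if is_acceptable(s)}
    for suite in server_preferences:
        if suite in offered:
            return suite
    return None


def describe(suite: str) -> dict:
    """Split a suite name into the parts the slide lists: key exchange /
    authentication algorithm, symmetric cipher with its key size, and hash."""
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        raise ValueError(f"not a TLS cipher suite name: {suite}")
    key_exchange, rest = suite[len("TLS_"):].split("_WITH_", 1)
    tokens = rest.split("_")
    hash_name = tokens.pop()          # last token: SHA, SHA256, SHA384, MD5
    key_bits = next((int(t) for t in tokens if t.isdigit()), 0)
    return {"key_exchange": key_exchange, "cipher": "_".join(tokens),
            "key_bits": key_bits, "hash": hash_name}


if __name__ == "__main__":
    client = ["TLS_RSA_WITH_NULL_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]   # constructed ClientHello
    chosen = choose_cipher_suite(client)
    print("server chose:", chosen, describe(chosen))
```

Following the server's preference order rather than the client's is a deliberate design choice: the party that administers the service decides how strong the connection must be, and a client that offers only forbidden suites gets no connection rather than a weak one.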

Secure Socket Layer protocol (SSL)
Authenticating the server: this step is optional, but in ecommerce it is always a good idea to authenticate the server. To do so, the server presents its public key certificate to the client. If this certificate is valid, the client can be sure of the identity of the server and of the organization that owns it. In practice, the SSL-enabled browser maintains a list of trusted Certification Authorities (CAs) together with their public keys, and uses these keys to check the CA's signature on the certificate the server presents.

Secure Socket Layer protocol (SSL)
The client and the server then exchange the information that allows them to agree on the secret session key. For example, with RSA the client uses the server's public key, obtained from the public key certificate, to encrypt the session key information, and sends the encrypted session key information to the server. Only the server can decrypt this message, since the server's private key is required for the decryption. In some cases the server also needs to authenticate the client.

Overview of the handshake phase of SSL

Secure Socket Layer protocol (SSL)
Both the client and the server now have access to the same session key. For each message, they use the cryptographic hash function (chosen in the first step of the negotiation) to produce the digital signature, and they use the session key with the symmetric algorithm (also chosen in the first step of the negotiation) to encrypt the data and the message digest.
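An added example, not from the slides, of what happens to each message once the handshake is over: both sides hold the same session key, every record carries a digest computed with the negotiated hash function, and data plus digest are encrypted under the session key. The slide calls the digest a digital signature; SSL's record layer in fact uses a keyed MAC (an HMAC under a key derived from the session secret), which is what this code does. The symmetric cipher here is a toy keystream built from SHA-256 in counter mode standing in for the negotiated cipher, and the key-derivation labels are constructed; the receiver's own sequence number is what makes a replayed or reordered record fail the check.

```python
import hashlib
import hmac

MAC_LEN = 32  # HMAC-SHA256 digest length in bytes


def derive_record_keys(session_secret: bytes):
    """Split the agreed session secret into separate encryption and MAC keys.
    TLS derives a similar 'key block'; the labels used here are constructed."""
    enc_key = hashlib.sha256(b"enc-key" + session_secret).digest()
    mac_key = hashlib.sha256(b"mac-key" + session_secret).digest()
    return enc_key, mac_key


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode, standing in for the
    negotiated symmetric algorithm (use AES-GCM or ChaCha20 in real code)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def protect_record(session_secret: bytes, seq: int, plaintext: bytes) -> bytes:
    """Sender side: digest over sequence number and data, then encrypt data
    and digest together, as the slide describes."""
    enc_key, mac_key = derive_record_keys(session_secret)
    nonce = seq.to_bytes(8, "big")
    digest = hmac.new(mac_key, nonce + plaintext, hashlib.sha256).digest()
    body = plaintext + digest
    return bytes(a ^ b for a, b in zip(body, keystream(enc_key, nonce, len(body))))


def unprotect_record(session_secret: bytes, seq: int, record: bytes) -> bytes:
    """Receiver side: decrypt, then verify the digest against the sequence
    number the receiver expects. A modified, truncated or replayed record
    raises ValueError instead of being delivered to the application."""
    if len(record) < MAC_LEN:
        raise ValueError("record too short to carry a digest")
    enc_key, mac_key = derive_record_keys(session_secret)
    nonce = seq.to_bytes(8, "big")
    body = bytes(a ^ b for a, b in zip(record, keystream(enc_key, nonce, len(record))))
    plaintext, digest = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(mac_key, nonce + plaintext, hashlib.sha256).digest()
    if not hmac.compare_digest(digest, expected):
        raise ValueError("integrity check failed: record modified or replayed")
    return plaintext


def record_is_valid(session_secret: bytes, seq: int, record: bytes) -> bool:
    """True only if the record decrypts and its digest verifies."""
    try:
        unprotect_record(session_secret, seq, record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    secret = bytes(range(32))                       # constructed session secret
    rec = protect_record(secret, 1, b"GET /cart HTTP/1.1")
    print(unprotect_record(secret, 1, rec))         # b'GET /cart HTTP/1.1'
    flipped = bytes([rec[0] ^ 0x01]) + rec[1:]      # one bit changed in transit
    print(record_is_valid(secret, 1, flipped))      # False
    print(record_is_valid(secret, 2, rec))          # False: old record at a new seq
```

The digest is computed before encryption and encrypted along with the data (MAC-then-encrypt), which is the order SSL used; the comparison uses hmac.compare_digest so that a wrong digest is rejected in constant time.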

Secure Socket Layer protocol (SSL)
Notes about SSL:
- SSL is the basis of TLS too.
- SSL and TLS are not limited to web applications. For example, they can be used for authentication and data encryption in IMAP mail access.
- SSL can be seen as a layer between the application layer and the transport layer. On the sender side it receives data (for example HTTP messages) from the application layer and encrypts it before passing the encrypted data to a TCP socket. The opposite happens on the receiver side.

Exercise: check the certificates trusted by your browser. For example, if you use Internet Explorer 7, choose: Tools -> Internet Options -> Content -> Certificates.

Limitations of SSL in E-commerce:
SSL is popular today. SSL-enabled servers and browsers provide a popular platform for card transactions. In spite of that, SSL was not developed specifically for card payment, but for generic secure communication between a client and a server.

Limitations of SSL in E-commerce:
The generic design of SSL may cause problems. For example, with SSL we can authenticate the customer and the merchant, but we cannot be sure whether the merchant is authorized to accept payments, nor whether the customer is authorized to pay. SSL also does not tie a client to a specific card. For these reasons we need a protocol that handles authentication and authorization for card payment transactions. The answer was the SET protocol.

Secure Electronic Transaction Protocol (SET)
SET was developed in 1996 by Visa, MasterCard, Microsoft, Netscape and IBM, among others. This protocol was designed specifically to secure card payment transactions over the internet. It encrypts payment-related messages only; SET cannot be used for general purposes such as encrypting arbitrary text or images. SET involves all three players in E-payment (who are they?).

Secure Electronic Transaction Protocol (SET)
In SET all three players must have certificates. The customer's and the merchant's certificates are issued by their banks, to assure that they are permitted to make or receive card payments. In a SET transaction, the customer's card number is passed to the merchant's bank; this number is never seen by the merchant as plaintext.
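The following Python program is an added example (not from the slides and not the real SET specification) of the two properties just stated: certificates are issued by a bank and checked before a payment is made, and the customer's card number travels to the merchant's bank without the merchant ever seeing it in plaintext. It uses a textbook RSA implementation with no padding, written here only to keep the example self-contained; the JSON certificate format, the names "DemoBank" and "shop.example", and the card number are all constructed. The certificate check (signature verified against a list of trusted issuers' public keys) is the same mechanism the browser applies to the server certificate in the SSL slides above, and encrypting data under the recipient's public key is the same mechanism as SSL's RSA session-key transport.

```python
import hashlib
import json
import math
import random
import secrets
# ---- toy RSA: textbook and unpadded; enough for a demo, never for production ----
def is_probable_prime(n, rounds=16):
    """Miller-Rabin probabilistic primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # exact size and odd
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)); 512-bit keys keep the demo fast, not secure."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def rsa_encrypt(public, data):
    n, e = public
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("message too long for this key")
    return pow(m, e, n)

def rsa_decrypt(private, c):
    m = pow(c, private[1], private[0])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def rsa_sign(private, data):
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), private[1], private[0])

def rsa_verify(public, data, sig):
    return pow(sig, public[1], public[0]) == int.from_bytes(hashlib.sha256(data).digest(), "big")

# ---- certificates issued by banks (constructed JSON format, not X.509) ----
def cert_body(subject, role, key):
    return json.dumps({"subject": subject, "role": role, "key": list(key)},
                      sort_keys=True).encode()

def issue_certificate(issuer, issuer_private, subject, role, subject_public):
    """A bank certifies that `subject` may act as `role` (customer or merchant)."""
    sig = rsa_sign(issuer_private, cert_body(subject, role, subject_public))
    return {"subject": subject, "role": role, "key": tuple(subject_public),
            "issuer": issuer, "sig": sig}

def verify_certificate(cert, trusted_issuers):
    """Valid only if the issuer is in the trusted list and its signature checks;
    the same check a browser makes against its list of trusted CAs."""
    issuer_public = trusted_issuers.get(cert["issuer"])
    if issuer_public is None:
        return False
    return rsa_verify(issuer_public, cert_body(cert["subject"], cert["role"], cert["key"]), cert["sig"])

# ---- SET-style purchase: order for the merchant, sealed card data for the bank ----
def customer_pays(card_number, amount, merchant_cert, bank_public, trusted):
    """E-wallet: confirm the merchant is certified to accept card payments, then
    encrypt the card number so that only the merchant's bank can read it."""
    if not (verify_certificate(merchant_cert, trusted) and merchant_cert["role"] == "merchant"):
        raise ValueError("merchant is not certified to accept card payments")
    return {"order": {"merchant": merchant_cert["subject"], "amount": amount},
            "payment": rsa_encrypt(bank_public, card_number.encode())}

def bank_authorizes(bank_private, sealed_payment):
    """Only the bank holds the private key that opens the payment part."""
    return rsa_decrypt(bank_private, sealed_payment).decode()

def run_demo():
    bank_public, bank_private = rsa_keygen()
    merchant_public, _merchant_private = rsa_keygen()
    trusted = {"DemoBank": bank_public}                          # constructed trust list
    merchant_cert = issue_certificate("DemoBank", bank_private, "shop.example", "merchant", merchant_public)
    card = "4111111111111111"                                    # constructed test number
    message = customer_pays(card, 250, merchant_cert, bank_public, trusted)
    # The merchant forwards message["payment"] unchanged; the digits never appear in it.
    return {"card": card,
            "card_visible_to_merchant": card in json.dumps(message),
            "bank_sees": bank_authorizes(bank_private, message["payment"])}
```

Run run_demo() to see the three outcomes: the merchant's message carries the order and an opaque payment blob, the card number does not appear in anything the merchant holds, and the bank recovers it with its private key. A certificate signed by an issuer missing from the trusted list, or carrying a trusted issuer's name but the wrong signature, fails verify_certificate and the e-wallet refuses to pay.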

Secure Electronic Transaction Protocol (SET)

SET is extremely secure since:
- All players must hold trusted certificates.
- All parties are authenticated.
- SET provides privacy: the merchant never sees the customer's card number.
- SET provides data integrity.
- SET provides a customer non-repudiation guarantee.
- SET provides customer and merchant authorization.

Secure Electronic Transaction Protocol (SET)
To use SET, the customer needs an "e-wallet", which is software that runs the client side of the SET protocol and stores the customer's payment-card information.

Why did SET fail to win the market? The disadvantages of SET:
- SET is not easy to implement.
- SET requires the customer to install an e-wallet.
- It is expensive to integrate with legacy applications.
- It is more secure than what is usually needed.