Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.


1 Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding

2 Security protocols used in Ecommerce
We already studied various security technologies: encryption, authentication, key distribution, message integrity and digital signature. We also studied how these techniques are used in securing electronic transactions. Here we will continue by studying some security protocols used in Ecommerce.

3 Security protocols used in Ecommerce
Since the 1990s a lot of schemes have appeared, but only a few of them succeeded and became widely implemented. Among the most successful are SSL and SET.
1- Secure Socket Layer protocol (SSL) is used by the vast majority of secure internet transactions. SSL is implemented in all popular browsers and web servers. Furthermore, it is the basis of the Transport Layer Security (TLS) protocol.
2- Secure Electronic Transactions protocol (SET), which is competing with SSL.

4 Security protocols used in Ecommerce
Ecommerce, whether with SSL or SET, usually uses the credit and debit card payment infrastructure. The three major players in this infrastructure are customers, merchants and financial institutions. We will see that SSL provides security for communication between the first two players (the customer and the merchant), while SET provides security for communication among all three players.

5 Secure Socket Layer protocol (SSL)
SSL was originally designed by Netscape. It was developed to provide encryption and authentication between a web client and a web server. SSL begins with a handshake phase that consists of two main steps: negotiating the encryption algorithm, and authenticating identity (optional). After that, encrypted data can be sent.

6 Secure Socket Layer protocol (SSL)
Negotiating the encryption algorithm: An SSL session begins with a negotiation between the client and the server about the cipher suite. The cipher suite includes the public key encryption algorithms, symmetric key encryption algorithms, hash functions and key sizes to be used. The client tells the server which cipher suites it has available, and the server chooses the best mutually acceptable cipher suite.
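The negotiation described on this slide, as an added example that is not part of the original presentation. The suite names are real SSL/TLS identifiers; the client offers, the server preference list and the weak-algorithm policy are constructed assumptions.

```python
# Added example: cipher-suite negotiation between a client offer and a server policy.
# Suite names are real SSL/TLS identifiers; offers and policy below are constructed.
import re

WEAK_CIPHERS = {"NULL", "RC4_40", "RC4_128", "DES40_CBC", "DES_CBC"}  # assumed policy
WEAK_HASHES = {"MD5"}                                                  # assumed policy

def parse_suite(name):
    """Split e.g. TLS_RSA_WITH_AES_128_CBC_SHA into the parts the slide lists."""
    m = re.fullmatch(r"TLS_(.+)_WITH_(.+)_([A-Z0-9]+)", name)
    if not m:
        raise ValueError(f"unrecognised suite name: {name}")
    return {"key_exchange": m.group(1), "cipher": m.group(2), "hash": m.group(3)}

def is_weak(name):
    """True if any component of the suite is on the refused list."""
    p = parse_suite(name)
    return ("EXPORT" in p["key_exchange"] or p["cipher"] in WEAK_CIPHERS
            or p["hash"] in WEAK_HASHES)

def negotiate(client_offer, server_preference):
    """Pick the first suite, in the server's order, that the client also offers."""
    offered = set(client_offer)
    for suite in server_preference:
        if suite in offered and not is_weak(suite):
            return suite
    # Nothing acceptable in common: abort the handshake instead of downgrading.
    raise ConnectionError("handshake_failure: no mutually acceptable cipher suite")

SERVER_PREFERENCE = [
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",  # legacy entry left in the list; filtered by is_weak
]
MODERN_CLIENT = ["TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_WITH_RC4_128_MD5",
                 "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
LEGACY_CLIENT = ["TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_WITH_RC4_128_MD5"]

if __name__ == "__main__":
    chosen = negotiate(MODERN_CLIENT, SERVER_PREFERENCE)
    print(chosen, parse_suite(chosen))
    try:
        negotiate(LEGACY_CLIENT, SERVER_PREFERENCE)
    except ConnectionError as exc:
        print("legacy client refused:", exc)
```

The server's order decides the result, so a client that lists an export-grade suite first still ends up on AES.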

7 Secure Socket Layer protocol (SSL)
Authenticating the server: It is an optional step, but in ecommerce, it is always a good idea to authenticate the server. To authenticate the server, the server presents its public key certificate to the client. If this certificate is valid, the client can be sure about the identity of the server and the organization that owns it. In practice, the SSL-enabled browser maintains a list of trusted Certification Authorities (CAs) with the public keys of these CAs.

8 Secure Socket Layer protocol (SSL)
The client and the server exchange information that allows them to agree on the secret key. For example, with RSA, the client uses the server's public key, obtained from the public key certificate, to encrypt the session key information. The client sends the encrypted session key information to the server. Only the server can decrypt this message since the server's private key is required for this decryption. In some cases the server needs to authenticate the client.

9 Overview of the handshake phase of SSL

10 Secure Socket Layer protocol (SSL)
Both the client and the server now have access to the same session key. With each message, they use the cryptographic hash function (chosen in the first step of the negotiation process) to compute a message digest for use in the digital signature. They use the session key and the session key algorithm (chosen in the first step of the negotiation process) to encrypt the data and the message digest.
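The per-message integrity step described on this slide, as an added example that is not part of the original presentation. SSL/TLS computes the digest as a keyed hash (a MAC) that also covers a sequence number; the simplified record layout, the use of SHA-256 and the names RecordChannel and demo are assumptions, and the block covers the integrity check only, not the encryption.

```python
# Added example: keyed message digest per record, checked by the receiver.
# Record layout, SHA-256 and all names here are assumptions for illustration.
import hashlib
import hmac
import os
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32 bytes

class RecordChannel:
    """One direction of a connection: tags outgoing data, verifies incoming."""
    def __init__(self, session_key):
        self.key = session_key
        self.seq = 0  # implicit counter kept by both sides, never transmitted

    def _tag(self, seq, data):
        # Digest covers sequence number and length as well as the data itself.
        header = struct.pack(">QH", seq, len(data))
        return hmac.new(self.key, header + data, hashlib.sha256).digest()

    def protect(self, data):
        record = data + self._tag(self.seq, data)
        self.seq += 1
        return record

    def verify(self, record):
        data, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(self.seq, data)):
            raise ValueError("bad_record_mac")
        self.seq += 1  # only advance on a record that verified
        return data

def demo():
    key = os.urandom(32)  # stands in for the session key agreed in the handshake
    sender, receiver = RecordChannel(key), RecordChannel(key)
    r1 = sender.protect(b"PAY 10.00 to merchant")   # constructed sample messages
    r2 = sender.protect(b"PAY 99.00 to merchant")
    results = {"in_order": receiver.verify(r1)}
    tampered = r2.replace(b"99", b"01")             # amount changed in transit
    for label, record in (("tampered", tampered), ("replayed", r1)):
        try:
            receiver.verify(record)
            results[label] = "accepted"
        except ValueError:
            results[label] = "rejected"
    results["next"] = receiver.verify(r2)           # the genuine record still verifies
    return results

if __name__ == "__main__":
    print(demo())
```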

11 Secure Socket Layer protocol (SSL)
Notes about SSL: SSL is the basis of TLS too. SSL and TLS are not limited to web applications. In fact, they can be used for authentication and data encryption in IMAP mail access. SSL can be seen as a layer between the application layer and the transport layer. On the sender side, it receives data (for example HTTP messages) from the application layer and encrypts it before directing the encrypted data to a TCP socket. The opposite happens at the receiver side.

12 Exercise: Check the certificates accredited by your browser. For example, if you use Internet Explorer 7, choose: Tools -> Internet Options -> Content -> Certificates.

13 Limitations of SSL in E-commerce:
SSL is popular today. SSL-enabled servers and browsers provide a popular platform for card transactions. In spite of that, SSL was not developed specifically for card payment, but instead for generic secure communication between a client and a server.

14 Limitations of SSL in E-commerce:
The generic design of SSL may cause problems. For example, by using SSL we can authenticate the customer and the merchant, but we can’t be sure whether the merchant is authorized to accept payment, nor whether the customer is authorized to pay money. SSL also doesn’t tie a client to a specific card. For these reasons we need a protocol that handles authentication and authorization for card payment transactions. The answer was the SET protocol.

15 Secure Electronic Transaction Protocol (SET)
SET was developed in 1996 by Visa, MasterCard, Microsoft, Netscape and IBM, among others. This protocol was designed specifically to secure card payment transactions over the internet. It encrypts payment-related messages. SET can’t be used for general purposes like encrypting arbitrary text or images. SET involves all three players in E-payment (who are they?).

16 Secure Electronic Transaction Protocol (SET)
In SET all three players must have certificates. The customer’s and merchant’s certificates are issued by their banks in order to assure that they are permitted to make/receive payments by cards. In a SET transaction, the customer’s card number is passed to the merchant’s bank. This number is never seen by the merchant as plaintext.

17 Secure Electronic Transaction Protocol (SET)

18 SET is extremely secure since:
All players must hold trusted certificates. All parties are authenticated. SET provides privacy: the merchant will never see the customer’s card number. SET provides data integrity. SET provides a customer non-repudiation guarantee. SET provides customer and merchant authorization.

19 Secure Electronic Transaction Protocol (SET)
To handle SET, the customer needs to have an “e-wallet”, which is software that runs the client side of the SET protocol and stores customer payment-card information.

20 Why did SET fail to win the market?
The disadvantages of SET: SET is not easy to implement. SET requires the customer to install an e-wallet. It is expensive to integrate with legacy applications. It is more secure than what is usually needed.

