Chapter 7 - Secure Socket Layer (SSL) Network Security Spring 2017 Chapter 7 - Secure Socket Layer (SSL) and Secure Electronic Transactions (SET) http://www.faisalakhan.info/classes/ faisal.khan@buitms.edu.pk Office: SS Block, BUITEMS

Router SSL SSL Process Process Application Application Buffers Packets that Transport need to be forwarded Transport Layer (based on IP address). Layer (TCP,UDP) (TCP,UDP) Network Network Network Network Layer (IP) Layer Layer Layer (IP) Token Ring E'net Data Token Ring E'net Data Link Layer Link Layer Data-Link Layer Data Link Layer Token Ring Token Ring Ethernet E'net Phys. Phys. Layer Layer Phys. Layer Phys. Layer 2

SSL is Secure Socket Layer and TLS is Transport Layer Security SSL and TLS are above the transport layer, it is part of the Application Layer SSL is Secure Socket Layer and TLS is Transport Layer Security SSL and TLS are used interchangeably SSL is used for secure Web access (HTTPS) (now uses TLS v.3) Secure Shell, SSH, is Telnet + SSL + other features Secure Copy, SCP, copies files using SSH (SFTP has FTP functions) 3

Web Browser or Web Server HTTPS Encrypt HTTPS is HTTP with SSL (Secure Socket Layer). HTTPS uses the TLS/SSL default TCP port, port 443 :"Network Security Essentials: Applications and Standards," Prentice Hall, by Wm. Stallings 4

Fig. 7.3 SSL Record Protocol Operation Header 5

SSL Handshake - First Part Time Gray areas are optional in some circumstances. 6

SSL Handshake - Second Part Client Server Time Gray areas are optional in some circumstances. 7

SET (Secure Electronic Transactions) • Provides a secure communications channel among all the parties involved in a transaction: Customer, Seller, Customer’s credit provider, Seller’s bank. • Provides trust by the use of X.509v3 certificates. • Ensures privacy because information is only made available to the parties that need it. * Cardholder account authentication to the Merchant (Cardholder must have a Certificate issued by the credit company). Merchant may issue a temporary Certificate to issue the session is not hijacked). * Verifies Merchant's relationship with financial institution. * Integrity of data customer sends to Merchant (order info tied to funds transfer). 8

SET - Steps in a Transaction 1. Customer opens account with credit company or bank. 2. Bank issues X.509 cert. to the Customer with RSA Keys. 3. Merchant has two certificates, signing and key exchange. ---- 4. Customer places an order. 5. The Merchant sends the customer a copy of his certificate. 6. The Customer sends Order Information (OI) encrypted so the Merchant can read it, and Payment Information (PI) encrypted so the Merchant can not read it. --- 7. Merchant requests payment by sending PI to the “Payment Gateway” (who can decrypt it) and verifies Customer’s credit. 8. Merchant confirms the order to the Customer. 9. Merchant ships goods to Customer. 10. Merchant sends request for payment to the Payment Gateway which handles transfer of funds. 9

Secure Electronic Transactions (SET) 10

Dual-Sig = E cus-private [ H( H(PI) || H(OI) ) ] SET - Dual Signature Dual-Sig = E cus-private [ H( H(PI) || H(OI) ) ] The Dual signature allows proof that: 1. Merchant has received Order Information. 2. Bank has received Payment Information and verified the Customer signature. 3. Customer has linked OI and PI and can prove later that PI was not related to a different purchase. Bob orders a book and a TV from Scam, Inc. Scam, Inc ships Bob the book, and then sends the PI for the TV joined with the OI for the book to the Bank. How does Bob prove to the Bank that he did not order a book with a TV price, when Scam, Inc shows the Bank the OI for the book? 11

12

Customer’s Purchase Request Encrypted with Bank’s Public Key 13

14