Presentation is loading. Please wait.

Presentation is loading. Please wait.

Henric Johnson1 Chapter 7 WEB Security Henric Johnson Blekinge Institute of Technology, Sweden

Published byDominick Bennett Richards Modified over 8 years ago

Similar presentations

Presentation on theme: "Henric Johnson1 Chapter 7 WEB Security Henric Johnson Blekinge Institute of Technology, Sweden"— Presentation transcript:

1 Henric Johnson1 Chapter 7 WEB Security Henric Johnson Blekinge Institute of Technology, Sweden http://www.its.bth.se/staff/hjo/ henric.johnson@bth.se

2 Henric Johnson2 Outline Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction (SET) Recommended Reading and WEB Sites

3 Henric Johnson3 Web Security Considerations The WEB is very visible. Complex software hide many security flaws. Web servers are easy to configure and manage. Users are not aware of the risks.

4 Henric Johnson4 Security facilities in the TCP/IP protocol stack

5 Henric Johnson5 SSL and TLS SSL was originated by Netscape TLS working group was formed within IETF First version of TLS can be viewed as an SSLv3.1

6 Henric Johnson6 SSL Architecture

7 Henric Johnson7 SSL Record Protocol Operation

8 Henric Johnson8 SSL Record Format

9 Henric Johnson9 SSL Record Protocol Payload

10 Henric Johnson10 Handshake Protocol The most complex part of SSL. Allows the server and client to authenticate each other. Negotiate encryption, MAC algorithm and cryptographic keys. Used before any application data are transmitted.

11 Henric Johnson11 Handshake Protocol Action

12 Henric Johnson12 四阶段 1 建立安全能力,确定: SSL 版本,密钥交换、 信息验证、加密的算法,压缩方法,有关密钥 生成的两个随机数 2 服务器密钥的交换和验证,客户验证了服务 器,如果需要,客户要知道服务器公钥 3 用户密钥的交换和验证,客户要由服务器进 行验证,客户和服务器都知道预备主密钥 4 终结与完成,客户和服务器都做好了交换数 据的准备

13 Henric Johnson13 Transport Layer Security The same record format as the SSL record format. Defined in RFC 2246. Similar to SSLv3. Differences in the: –version number –message authentication code –pseudorandom function –alert codes –cipher suites –client certificate types –certificate_verify and finished message –cryptographic computations –padding

14 Henric Johnson14 Secure Electronic Transactions An open encryption and security specification. Protect credit card transaction on the Internet. Companies involved: –MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign Not a payment system. Set of security protocols and formats.

15 Henric Johnson15 SET Services Provides a secure communication channel in a transaction. Provides tust by the use of X.509v3 digital certificates. Ensures privacy.

16 Henric Johnson16 SET Overview Key Features of SET: –Confidentiality of information –Integrity of data –Cardholder account authentication –Merchant authentication

17 Henric Johnson17 SET Participants

18 Henric Johnson18 Sequence of events for transactions 1.The customer opens an account. 2.The customer receives a certificate. 3.Merchants have their own certificates. 4.The customer places an order. 5.The merchant is verified. 6.The order and payment are sent. 7.The merchant request payment authorization. 8.The merchant confirm the order. 9.The merchant provides the goods or service. 10.The merchant requests payments.

19 Henric Johnson19 Dual Signature

20 Henric Johnson20 Payment processing Cardholder sends Purchase Request

21 Henric Johnson21 Payment processing Merchant Verifies Customer Purchase Request

22 Henric Johnson22 Payment processing Payment Authorization: –Authorization Request –Authorization Response Payment Capture: –Capture Request –Capture Response

23 Henric Johnson23 Recommended Reading and WEB sites Drew, G. Using SET for Secure Electronic Commerce. Prentice Hall, 1999 Garfinkel, S., and Spafford, G. Web Security & Commerce. O’Reilly and Associates, 1997 MasterCard SET site Visa Electronic Commerce Site SETCo (documents and glossary of terms)

Download ppt "Henric Johnson1 Chapter 7 WEB Security Henric Johnson Blekinge Institute of Technology, Sweden"

Similar presentations

CP3397 ECommerce.

CP3397 ECommerce.
1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.

1 Lecture 17: SSL/TLS history, architecture basic handshake session initiation/resumption key computation negotiating cipher suites application: SET.
Cryptography and Network Security

Cryptography and Network Security
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.

Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.
SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.
Electronic Transaction Security (E-Commerce)

Electronic Transaction Security (E-Commerce)
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17
CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.

CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.
Chapter 8 Web Security.

Chapter 8 Web Security.
EE579T/6 #1 Spring 2003 © 2000-2003, Richard A. Stanley EE579T / CS525T Network Security 6: SSL and SET Prof. Richard A. Stanley.

EE579T/6 #1 Spring 2003 © , Richard A. Stanley EE579T / CS525T Network Security 6: SSL and SET Prof. Richard A. Stanley.
Secure Electronic Transaction (SET)

Secure Electronic Transaction (SET)
1 Web Security Web now widely used by business, government, individuals but Internet & Web are vulnerable have a variety of threats –integrity –confidentiality.

1 Web Security Web now widely used by business, government, individuals but Internet & Web are vulnerable have a variety of threats –integrity –confidentiality.
E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.

E-Commerce Security Technologies : Theft of credit card numbers Denial of service attacks (System not availability ) Consumer privacy (Confidentiality.
Network Security Lecture 26 Presented by: Dr. Munam Ali Shah.

Network Security Lecture 26 Presented by: Dr. Munam Ali Shah.
Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),

Cosc 4765 SSL/TLS and VPN. SSL and TLS We can apply this generally, but also from a prospective of web services. Multi-layered: –S-http (secure http),
Chapter 4 Getting Paid. Objectives Understand electronic payment systems Know why you need a merchant account Know how to get a merchant account Explain.

Chapter 4 Getting Paid. Objectives Understand electronic payment systems Know why you need a merchant account Know how to get a merchant account Explain.
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: 102088 March 10, 2001.

E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.

Similar presentations

Ads by Google