From Web Security by Lincoln pp – 35-51

Presentation transcript:

1 SSL and SET
From Web Security by Lincoln, pp. 35-51 (slides dated 2019/1/15)

2 Security Review – where are SET and SSL?
[Figure: security protocols by layer – SSL and SET above TCP; IPsec (Internet Protocol security) at the IP layer; link security by an in-line encryptor at the link layer]

3 SSL – Secure Sockets Layer
Secure Sockets Layer (SSL) is the dominant protocol for encrypting general communications between browser and server.

4 SET (Secure Electronic Transactions)
SET is a specialised protocol for safeguarding credit-card-based transactions.

5 SSL
(No need to memorise.) SSL is a flexible, general-purpose encryption system. It was introduced in 1994 in the Netscape Navigator browser. There have been three versions of SSL:
SSL 1: used internally at Netscape and never released, because of serious flaws.
SSL 2: shipped in Netscape Navigator versions 1.0 through 2.x, but was cracked by two Berkeley students.
SSL 3: the version that addresses the problems of version 2.

6 SSL cracked? Yes
In 1995, a French researcher answered a Cypherpunks challenge by brute-forcing the 40-bit key of an encrypted message, trying every one of the 2^40 keys.
In September 1995, two Berkeley students found that Netscape's session keys were predictable: the key generator was seeded from the time of day and process IDs, values an attacker can guess, so far fewer than 2^40 keys had to be tried.
The export version uses 40-bit keys, which is not secure: an exhaustive search (trying all combinations) takes about 3.5 hours.
In October 1995, students used packet-sniffer technology to modify the Navigator binary as it passed through the network.
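
The predictable-seed flaw described above, as an added example that is not code from the slides or from Netscape: a stand-in key generator seeded only from the clock and two process IDs, a 40-bit RC4 session key derived from it, and the eavesdropper's search over the seed space instead of the key space. The seed format, the MD5 derivation, the victim's clock/pid values and the captured request are all constructed for the illustration.

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4, the export-grade stream cipher of the era; one call encrypts or decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def weak_session_key(seconds: int, pid: int, ppid: int) -> bytes:
    """Assumed model of the flaw class (not Netscape's actual code): the key generator
    is seeded only from the clock and two process ids, and the 40-bit export key is
    the first 5 bytes of MD5(seed). Whoever can guess the seed gets the key."""
    seed = f"{seconds}:{pid}:{ppid}".encode()
    return hashlib.md5(seed).digest()[:5]


def recover_key(ciphertext: bytes, known_plaintext: bytes, capture_time: int,
                window: int, pid_range: range, ppid_range: range):
    """Eavesdropper's view: the packet capture dates the handshake to +/- `window`
    seconds, and process ids on a host of the time are guessable. Because RC4 is a
    stream cipher, decrypting only the first bytes is enough to test a candidate.
    Returns (key, candidates_tried); key is None if nothing in the space matched."""
    tried = 0
    for seconds in range(capture_time - window, capture_time + window + 1):
        for pid in pid_range:
            for ppid in ppid_range:
                tried += 1
                key = weak_session_key(seconds, pid, ppid)
                if rc4(key, ciphertext[:len(known_plaintext)]) == known_plaintext:
                    return key, tried
    return None, tried


# Constructed scenario: the victim's browser keyed its session at this clock/pid state.
VICTIM_SECONDS, VICTIM_PID, VICTIM_PPID = 812_345_678, 2070, 2055
TRUE_KEY = weak_session_key(VICTIM_SECONDS, VICTIM_PID, VICTIM_PPID)
# The first bytes of an HTTP request are predictable, so they serve as known plaintext.
REQUEST = b"GET /subscribe HTTP/1.0\r\nHost: example.test\r\n\r\ncard=4111111111111111"
CAPTURED = rc4(TRUE_KEY, REQUEST)


def demo():
    """Attacker searches a 61 s window and a small pid neighbourhood: about 15 600 seeds
    instead of 2**40 keys. Returns (recovered correctly, seeds tried, speed-up, plaintext)."""
    key, tried = recover_key(CAPTURED, b"GET /", capture_time=VICTIM_SECONDS + 7, window=30,
                             pid_range=range(2048, 2080), ppid_range=range(2048, 2056))
    plaintext = rc4(key, CAPTURED) if key else b""
    return key == TRUE_KEY, tried, 2 ** 40 // (61 * 32 * 8), plaintext


if __name__ == "__main__":
    print(demo())
```

The point is the ratio returned by `demo()`: a 40-bit key space is hopeless for a lone attacker of 1995, but the seed space here is a few thousand candidates, which is why the students' finding was far worse than the export key length alone.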

7 How about the current status?
SSL is now the focal point of Internet standards activity by the Internet Engineering Task Force (IETF). The proposed Transport Layer Security (TLS) protocol is based on SSL version 3. (SSL 2.0 and 3.0 have since been formally deprecated by the IETF; what browsers negotiate today is TLS.)

8 SSL Characteristics
SSL sits directly above TCP, the transport layer (layer 4 in the ISO/OSI model), and one layer below the application protocol. It works with NNTP (news), HTTP (web) and SMTP (mail). This gives SSL flexibility and protocol independence: any application protocol that runs over a TCP connection can run over SSL unchanged.

9 SSL and S-HTTP – SSL needs a site certificate
[Figure: protocol stack – HTTP/S-HTTP at the application layer, SSL above TCP, IPsec at the IP layer]

10 Example – when filling in confidential information (screenshot)

11 More example – you request this service: http://subscribe.usatoday
SSL is turned on

12 More example – once you hit Subscribe, the URL changes to https and your private information is encrypted.

13 Features of SSL
SSL was placed at the transport layer so that it is not specific to the HTTP protocol. It is therefore not as efficient for Web browsing as a scheme built only for HTTP would be (every connection pays for a handshake). An SSL connection must use a TCP/IP socket. SSL is flexible about the cipher: DES in cipher block chaining mode, triple DES, RC2 or RC4 can all be negotiated (no need to memorise the terms).

14 SSL Cipher Suites (no need to memorise)
Suite           | Strength  | SSL version | Description
DES-CBC3-MD5    | Very high | 2 and 3     | Triple DES, MD5 hash, 168-bit session key
RC4-MD5         | High      | 2 and 3     | RC4, MD5 hash, 128-bit key
EXP-DES-CBC-SHA | Low       | 3           | Export-grade DES, SHA hash, 40-bit key
EXP-RC4-MD5     | Low       | 2 and 3     | Export-grade RC4, MD5 hash, 40-bit key
Every suite in this table is obsolete today: MD5 and single DES are broken, and the export suites were a deliberate weakening to 40 secret bits.

15 What is the benefit of SSL?
If you want to send a message through an untrusted network, you have to encrypt it before sending, because you fear that your data will be tapped or modified by unauthorised users. SSL provides built-in data encryption, which means that you DON'T need to encrypt it yourself: the system encrypts for you. What you do need is to apply for a site certificate.

16 Once SSL is in place, all of these are encrypted:
The URL of the requested document
The contents of the requested document
The contents of any submitted fill-out forms
Cookies sent from browser to server
Cookies sent from server to browser
The contents of the HTTP header
(You need to understand that all of these are encrypted; no need to memorise the list.) What SSL does not hide: the server's IP address and port, and the size and timing of the traffic.

17 SSL handshake
The SSL handshake is the opening exchange between client and server. It consists of nine steps that authenticate the two parties and create a shared session key. The goal of the protocol is to authenticate the server (and optionally the client) by their certificates, and to agree a secret symmetric key that both sides then use for encryption.

18 SSL Handshake (from pp. 40-41, Web Security)
1. Client sends a ClientHello message.
2. Server acknowledges with a ServerHello message.
3. Server sends its certificate.
4. Server requests the client's certificate (optional).
5. Client sends its certificate (only if requested).
6. Client sends a ClientKeyExchange message.
7. Client sends a CertificateVerify message (only if it sent a certificate).
8. Both send ChangeCipherSpec messages.
9. Both send Finished messages.

19 Things to note
Once both the client and server switch into encrypted mode, both use the session key to symmetrically encrypt subsequent transmissions in both directions. The session key lasts only for this session and is different for the next one, because a fresh pre-master secret is generated in every handshake. Bulk data uses symmetric encryption; the public/private key pair (asymmetric) is used only during the handshake, to protect the exchange of the session key.
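
The nine steps of slide 18 and the observations of slide 19 played out in code, as an added example that is not from the slides or from any SSL implementation. The master-secret and key-block derivation follows RFC 6101 (SSL 3.0) section 6.2.2; the server's key pair is textbook RSA on two fixed Mersenne primes, an assumption chosen so the key exchange is readable rather than secure; the Finished message is simplified to a hash of the transcript under the master secret; the key sizes are those of DES-CBC3-SHA.

```python
import hashlib
import os

# Toy server key pair: textbook RSA on two fixed Mersenne primes (assumption made so
# the exchange is readable; publicly known primes are of course not a secure key).
_P, _Q = (1 << 521) - 1, (1 << 607) - 1
SERVER_N, SERVER_E = _P * _Q, 65537                 # public key, carried in the certificate
SERVER_D = pow(SERVER_E, -1, (_P - 1) * (_Q - 1))   # private key, never leaves the server


def sslv3_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """RFC 6101 s.6.2.2: MD5(pre + SHA('A' + pre + cr + sr)) || MD5(... 'BB' ...) || MD5(... 'CCC' ...)."""
    out = b""
    for label in (b"A", b"BB", b"CCC"):
        inner = hashlib.sha1(label + pre_master + client_random + server_random).digest()
        out += hashlib.md5(pre_master + inner).digest()
    return out                                       # 48 bytes


def sslv3_key_block(master: bytes, client_random: bytes, server_random: bytes, length: int) -> bytes:
    """Same construction with the randoms in the other order; the output is sliced
    into client/server MAC secrets, cipher keys and IVs."""
    out, label = b"", b"A"
    while len(out) < length:
        inner = hashlib.sha1(label + master + server_random + client_random).digest()
        out += hashlib.md5(master + inner).digest()
        label = bytes([label[0] + 1]) * (len(label) + 1)   # 'A' -> 'BB' -> 'CCC' -> ...
    return out[:length]


def handshake(client_cert=None):
    """Plays the nine messages. `client` and `server` hold only what that side really
    knows; `wire` is everything an eavesdropper sees. Returns (wire, client, server)."""
    wire, client, server = [], {}, {}
    send = lambda who, name, body: wire.append((who, name, body))

    # 1. ClientHello: version, 32-byte random, cipher suites the client accepts
    client["client_random"] = os.urandom(32)
    send("client", "ClientHello", {"version": (3, 0), "random": client["client_random"],
                                   "suites": ["DES-CBC3-SHA", "RC4-MD5"]})
    # 2. ServerHello: the server chooses a suite and adds its own random
    server["client_random"] = wire[-1][2]["random"]
    server["server_random"] = os.urandom(32)
    send("server", "ServerHello", {"version": (3, 0), "random": server["server_random"],
                                   "suite": "DES-CBC3-SHA"})
    # 3. Certificate: the server's public key (in reality inside a CA-signed certificate)
    send("server", "Certificate", {"n": SERVER_N, "e": SERVER_E})
    # 4./5. Optional: server asks for, and client presents, a client certificate
    if client_cert is not None:
        send("server", "CertificateRequest", None)
        send("client", "Certificate", client_cert)
    # 6. ClientKeyExchange: 48-byte pre-master secret (2 version bytes + 46 random),
    #    encrypted under the public key from step 3, so only that server can read it
    client["server_random"] = wire[1][2]["random"]
    cert = wire[2][2]
    client["pre_master"] = bytes([3, 0]) + os.urandom(46)
    send("client", "ClientKeyExchange",
         pow(int.from_bytes(client["pre_master"], "big"), cert["e"], cert["n"]))
    # 7. CertificateVerify: only with a client certificate; proves it holds the private key
    if client_cert is not None:
        send("client", "CertificateVerify", "signature over transcript (omitted in this toy)")
    # Server recovers the pre-master with its private key; both sides derive the same keys
    encrypted = next(body for _, name, body in wire if name == "ClientKeyExchange")
    server["pre_master"] = pow(encrypted, SERVER_D, SERVER_N).to_bytes(48, "big")
    for side in (client, server):
        side["master"] = sslv3_master_secret(side["pre_master"], side["client_random"], side["server_random"])
        # DES-CBC3-SHA needs 2 x (20-byte MAC secret + 24-byte key + 8-byte IV) = 104 bytes
        side["keys"] = sslv3_key_block(side["master"], side["client_random"], side["server_random"], 104)
    # 8. ChangeCipherSpec: from here on, records are encrypted and MACed with those keys
    send("client", "ChangeCipherSpec", None)
    send("server", "ChangeCipherSpec", None)
    # 9. Finished: the first protected message, a hash of the whole transcript under the
    #    master secret, so a handshake tampered with on the wire is detected here
    #    (simplified from the real SSL 3.0 nested MD5/SHA construction)
    transcript = hashlib.sha1(repr(wire).encode()).digest()
    for side in (client, server):
        side["finished"] = hashlib.md5(side["master"] + transcript).digest()
    send("client", "Finished", client["finished"])
    send("server", "Finished", server["finished"])
    return wire, client, server


def check_handshake():
    """Slide 19: both ends hold identical keys; a second handshake yields different ones."""
    _, c1, s1 = handshake()
    _, c2, s2 = handshake(client_cert={"subject": "cardholder", "n": 0, "e": 0})
    agree = c1["keys"] == s1["keys"] and c1["finished"] == s1["finished"]
    fresh = c2["keys"] == s2["keys"] and c1["keys"] != c2["keys"]
    return agree, fresh, len(c1["master"]), len(c1["keys"])
```

Note what the `wire` list does and does not contain: both randoms and the server's public key travel in the clear, the pre-master secret only ever appears RSA-encrypted, and the session keys are never sent at all; each side computes them. That is why the private key matters so much: anyone who obtains it can decrypt every recorded ClientKeyExchange and rederive every past session's keys.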

20 Example – I used the Sniffer to capture from my PC (https://subscribe) – SSL Version 3

21 SET – Secure Electronic Transaction
SET stands for Secure Electronic Transaction; it is a protocol jointly developed by Visa, MasterCard, Netscape and Microsoft. SET was designed specifically to support secure credit- and debit-card transactions between customers and merchants.

22 Credit card and its relationships
[Figure: the customer pays the merchant for the product; the card-issuing bank and the merchant's bank settle the money between them]

23 SET's services
It supports four basic services: 1) authentication, 2) confidentiality, 3) message integrity and 4) linkage. It handles real-time transactions, batch transactions and instalment payments.

24 SET's four services
Authentication: all the parties in the transaction (card holder, merchant, merchant's bank, card-issuing bank) are authenticated using digital signatures.
Confidentiality: the transaction is encrypted so that others cannot read the information.
Message integrity: the transaction cannot be tampered with by devious individuals to alter the account number or the amount of the transaction.
Linkage: SET allows a message sent to one party to contain an attachment that can be read only by another party, with the two parts bound together so that neither can be swapped without detection.

25 What SET covers (no need to memorise all of them)
Cardholder registration
Merchant registration
Purchase requests
Payment authorisation
Payment capture (funds transfer between banks)
Chargebacks (refunds to consumers for disputed charges)
Credits
Credit reversals
Debit cards

26 Why not use SSL?
SSL is a general protocol: it encrypts the messages between customer and merchant. However, it cannot resolve what happens between the other parties, such as checking the validity of the card number, crediting/debiting the money and the actual settlement; and with SSL alone the merchant sees the card number in the clear. These steps must be handled between bank and customer, bank and merchant, bank and bank, and so on.

27 SET – how it works
1. Customer browses and decides to buy the product.
2. SET sends the order and payment information to the merchant.
3. Merchant forwards the payment information to its bank.
4. Bank checks with the card issuer for payment authorisation.
5. Issuer authorises the payment.
6. Bank authorises the payment to the merchant.
7. Merchant completes the order and delivers the product.
8. Merchant captures the transaction (funds transfer).
9. Issuer sends the credit card bill to the customer.

28 Authentication steps in SET
SSL uses one pair of keys (a private and a public key, 2 keys) for both encryption and digital signature. SET uses two pairs of keys (4 keys): one pair for encryption and the other for digital signature. This applies to the merchant, the merchant's bank and the card-issuing bank. SET uses the Secure Hash Algorithm (SHA-1), which produces a 160-bit hash; the public/private key algorithm is RSA with 1024-bit keys. (By today's standards both are too weak: SHA-1 collisions have been demonstrated and 1024-bit RSA is below the accepted minimum.)
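
The linkage service of slide 24 and the separate signing and encryption key pairs of slide 28 in code, as an added example that is not from the slides or from any SET implementation. SET binds the order and the payment with one signature over the two hashes, the construction known as the dual signature: the merchant sees the order plus only a hash of the payment details, the bank sees the payment details plus only a hash of the order, and both verify the same signature. Assumptions: textbook RSA on fixed Mersenne primes stands in for the 1024-bit RSA keys; the payment information is encrypted directly under the bank's key instead of inside SET's symmetric-key envelope; the order and card details are constructed.

```python
import hashlib
import json

# Two toy key pairs (textbook RSA on fixed Mersenne primes: an assumption for readability,
# not secure keys). As slide 28 says, one pair only ever signs, the other only ever encrypts.
_P1, _Q1 = (1 << 127) - 1, (1 << 1279) - 1
CARDHOLDER_SIGN = {"n": _P1 * _Q1, "e": 65537, "d": pow(65537, -1, (_P1 - 1) * (_Q1 - 1))}
CARDHOLDER_PUB = {"n": CARDHOLDER_SIGN["n"], "e": CARDHOLDER_SIGN["e"]}
_P2, _Q2 = (1 << 521) - 1, (1 << 607) - 1
BANK_ENCRYPT = {"n": _P2 * _Q2, "e": 65537, "d": pow(65537, -1, (_P2 - 1) * (_Q2 - 1))}
BANK_PUB = {"n": BANK_ENCRYPT["n"], "e": BANK_ENCRYPT["e"]}


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()          # SET's 160-bit hash


def sign(priv: dict, digest: bytes) -> int:
    return pow(int.from_bytes(digest, "big"), priv["d"], priv["n"])


def verify(pub: dict, digest: bytes, sig: int) -> bool:
    return pow(sig, pub["e"], pub["n"]) == int.from_bytes(digest, "big")


def encrypt_to(pub: dict, data: bytes) -> int:
    assert data[0] != 0 and len(data) * 8 < pub["n"].bit_length(), "toy: one RSA block, no padding"
    return pow(int.from_bytes(data, "big"), pub["e"], pub["n"])


def decrypt(priv: dict, ciphertext: int) -> bytes:
    m = pow(ciphertext, priv["d"], priv["n"])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def cardholder_purchase(order: dict, payment: dict):
    """Cardholder builds OI (order info, for the merchant) and PI (payment info, for
    the bank) and signs H(H(OI) || H(PI)) once: SET's dual signature. Each recipient
    gets its own part in clear plus only the hash of the other part."""
    oi = json.dumps(order, sort_keys=True).encode()
    pi = json.dumps(payment, sort_keys=True).encode()
    h_oi, h_pi = sha1(oi), sha1(pi)
    dual_sig = sign(CARDHOLDER_SIGN, sha1(h_oi + h_pi))
    to_merchant = {"OI": oi, "H_PI": h_pi, "DS": dual_sig}
    to_bank = {"PI_enc": encrypt_to(BANK_PUB, pi), "H_OI": h_oi, "DS": dual_sig}  # merchant forwards this
    return to_merchant, to_bank


def merchant_verifies(msg: dict) -> bool:
    """Merchant sees the order but never the card details, and can still check the signature."""
    return verify(CARDHOLDER_PUB, sha1(sha1(msg["OI"]) + msg["H_PI"]), msg["DS"])


def bank_verifies(msg: dict):
    """Bank opens the payment details with its encryption key, sees only H(OI) of the order,
    and checks the same signature: this payment is bound to exactly that order."""
    pi = decrypt(BANK_ENCRYPT, msg["PI_enc"])
    ok = verify(CARDHOLDER_PUB, sha1(msg["H_OI"] + sha1(pi)), msg["DS"])
    return ok, json.loads(pi)


# Constructed purchase
ORDER = {"merchant": "usatoday.example", "item": "1-year subscription", "amount": "19.95"}
PAYMENT = {"card": "4111111111111111", "expiry": "12/99", "amount": "19.95"}


def demo():
    to_merchant, to_bank = cardholder_purchase(ORDER, PAYMENT)
    merchant_ok = merchant_verifies(to_merchant)
    bank_ok, pi = bank_verifies(to_bank)
    # A dishonest merchant swaps in the hash of a pricier order before forwarding to the bank
    forged_order = json.dumps(dict(ORDER, amount="199.95"), sort_keys=True).encode()
    forged_ok, _ = bank_verifies(dict(to_bank, H_OI=sha1(forged_order)))
    card_hidden = PAYMENT["card"].encode() not in to_merchant["OI"]
    return merchant_ok, bank_ok, pi == PAYMENT, forged_ok, card_hidden
```

The forged forwarding in `demo()` is the linkage property at work: the bank never sees the order, yet the signature over both hashes fails the moment the merchant substitutes a different one, so the cardholder's payment cannot be attached to an order they did not sign.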

29 Other Digital Payments
First Virtual: designed for low- to medium-priced software sales and fee-for-service information purchases over the Internet. The consumer must first sign up for a First Virtual account through an on-line application form.
CyberCash: a product of the CyberCash Corporation, a SET-like system for credit/debit card transactions.
DigiCash: a product of Netherlands-based DigiCash Systems; a digital cash system that works for phone cards.

30 Summary
SSL is a general-purpose protocol between browser and server; the current version is 3 (its successor is TLS).
SET is a special-purpose protocol among customer, merchant, card-issuing bank and merchant's bank.
SSL uses one pair of keys for both encryption and digital signature.
SET uses two pairs of keys, separating encryption from digital signature.
SET's limitation is that it works only with credit/debit cards.

31 Next week: Using SSL (Secure Sockets Layer), Chapter 4 – pp. Quiz (weeks 1–6).

