1
CS 090.3 – E-commerce Technologies – Lecture 07
HTTPS
2
Security Primer
All concepts related to security are discussed at a high level. For actual implementation, consult RFC 2818: HTTP Over TLS.
3
Problems with HTTP
[Diagram: End User, Web Server]
4
Steal Data
[Diagram: End User, Web Server]
5
Redirect Spoof/Websites
Using "HTTP", any middle-man between you and the website can serve you ANY content they want:
- Your home router (possibly compromised)
- Your ISP
- Your local government
Upside-down-ternet
6
Impersonate Website
[Diagram: End User, Web Server]
7
Impersonate Users
[Diagram: End User, Web Server]
8
Solution: HTTPS
HTTP over SSL (Before 1999) / HTTP over Transport Layer Security (After 1999)
HTTPS = HTTP + TLS
TLS (Transport Layer Security): The name was changed from SSL to avoid any legal issues with Netscape so that the protocol could be open and free.
9
HTTPS Overview
Certificate Validation
Public Key Encryption of a Symmetric Key (Slow)
Symmetric Key Encryption of Messages (Fast)
10
Key Exchange Algorithm
11
Key Exchange Algorithm
The above video explains a key exchange algorithm called Diffie–Hellman (D-H) key exchange.
HTTPS uses another key exchange algorithm called Rivest-Shamir-Adleman (RSA), mainly because RSA is more widely supported.
D-H uses the discrete logarithm problem in its encryption.
RSA uses the integer factorization problem in its encryption.
12
Public Key Encryption
Public key: used ONLY to encrypt
Private key: used ONLY to decrypt
13
Symmetric Key Encryption
One key for both encryption and decryption.
Symmetric key encryption is used when you have already established keys beforehand.
It is orders of magnitude faster than public key encryption.
Limited in scope.
To get the best of both technologies, HTTPS uses public key encryption to agree on a symmetric key. The symmetric key is then used to encrypt all further communications.
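The flow described on the last few slides, as an added example that is not part of the original lecture: both sides run the Diffie–Hellman exchange from the video to agree on a key, then use that key symmetrically. It uses D-H rather than RSA for the agreement step. The modulus, base and the XOR keystream cipher are toy choices assumed for illustration and are not secure.

```python
import hashlib
import secrets

P = 2**127 - 1  # toy prime modulus (assumed); real groups are 2048 bits or elliptic curves
G = 3           # public base (assumed for illustration)

def dh_keypair():
    private = secrets.randbelow(P - 3) + 2   # secret exponent, never leaves this side
    return private, pow(G, private, P)       # public value, sent in the clear

def session_key(my_private, their_public):
    shared = pow(their_public, my_private, P)            # both sides reach G^(a*b) mod P
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

def keystream_xor(key, nonce, data):
    """Toy symmetric cipher: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts, because one key does both jobs."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + nonce + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)

def handshake_and_send(message):
    """Run both ends of the exchange; return (keys match, ciphertext, server's plaintext)."""
    client_priv, client_pub = dh_keypair()
    server_priv, server_pub = dh_keypair()
    # Only client_pub and server_pub cross the network. An eavesdropper sees them
    # but would need one of the private exponents to rebuild the session key.
    k_client = session_key(client_priv, server_pub)
    k_server = session_key(server_priv, client_pub)
    nonce = secrets.token_bytes(12)
    ciphertext = keystream_xor(k_client, nonce, message)
    return k_client == k_server, ciphertext, keystream_xor(k_server, nonce, ciphertext)

if __name__ == "__main__":
    same, ct, pt = handshake_and_send(b"GET /account HTTP/1.1")
    print(same, ct.hex(), pt)
```

Nothing in this exchange proves who owns the public value on the other end, which is the gap the certificate slides that follow address.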
14
Encryption (Two types)
Public Key (Lock + Key)
Anyone with the public key (lock) can ONLY encrypt messages.
Anyone with the private key (key) can ONLY decrypt messages.
You share your public key so anyone can send you secrets.
Examples: D-H, RSA

Symmetric (Key)
Anyone with the key can encrypt and decrypt messages.
They can also duplicate the key.
Examples: AES, 3DES
15
Man In the Middle Attacks
Problem: The person in the middle is not just listening in on our communications like Eve; they can actively participate.
Not just an insecure channel: it is a hostile channel.
[Diagram: End User, google.com. Speech bubble: "Hi, I am google.com. Let's exchange keys."]
16
Certificate Authority (CA)
On your computer is a set of certificates that were installed at the same time as the OS. These are called Root Certificates; your operating system trusts these providers.
17
Digital Certificate/Signature
Certificates and Signatures work as reversed lock+key encryption.
Signatures are private (encrypt).
Certificates are public (decrypt).
Anyone can read the contents of a certificate, but only a person with the private key can write a message.
Signatures prevent impersonation.
18
Certificate Authority can be trusted
[Diagram: End User asks "verisign.com using TLS please". verisign.com replies "Hi, I am verisign. Here's my public key so you can send me encrypted messages. –verisign.com". Labels: Open, Copy.]
Image Credits: Certificate - Sarah Abraham, CC 3.0 License; Key - MisterMatt~commonswiki, CC BY-SA 3.0
19
Signatures Prevent Impersonation
[Diagram: End User asks "verisign.com using TLS please". verisign.com replies "Hi, I am verisign. Here's my public key so you can send me encrypted messages. –verisign.com".]
21
CAs can vouch for other servers
[Diagram: End User asks "google.com using TLS please". google.com replies "Hi, I am google.com. Here's my public key so you can send me encrypted messages. It is signed by [CA]. –google.com". Also shown: [CA].]
22
How did the public key get signed?
google.com: "Can you vouch for me?"
[CA]: "To validate ownership of google.com:
1. Put this message "2336" on google.com/2403.
2. Send a copy of your signed public key, and
3. Sign this message "7e50cs0"."
[Diagram: google.com, [CA]. [CA] checks google.com/2403. Signed message: 7e50cs0]
23
Servers can vouch recursively
[Diagram: End User asks "?????.com using TLS please". ?????.com replies "Hi, I am ?????.com. Here's my public key. It is signed by [CA3]. [CA2] has signed for [CA3]. [CA] has signed for [CA2]. I've also included certificates from [CA3] and [CA2]." Also shown: [CA].]
24
Signed Public Keys are TLS Certificates
A TLS Certificate and a signed public key contain the same information.
[Diagram labels: CA signature; server; CA's public key; expiration; public key for website; certificate authority]
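The recursive vouching from the previous slide and the certificate fields listed here, as an added example that is not part of the original lecture: a client walks a chain of signed public keys up to a pre-installed root. The field names, the textbook RSA signatures built on small Mersenne primes, `example.com` and the dates are all assumptions for illustration and are not secure.

```python
import hashlib

E = 65537  # public exponent shared by every toy key below

def keypair(a, b):
    """Toy RSA key from the Mersenne primes 2^a-1 and 2^b-1 (insecure, demo only)."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus, private exponent)

def digest(cert, n):
    body = "|".join(str(cert[f]) for f in ("subject", "pubkey", "expires", "issuer"))
    return int.from_bytes(hashlib.sha256(body.encode()).digest(), "big") % n

def issue(subject, pubkey, expires, issuer, issuer_n, issuer_d):
    cert = {"subject": subject, "pubkey": pubkey, "expires": expires, "issuer": issuer}
    cert["signature"] = pow(digest(cert, issuer_n), issuer_d, issuer_n)  # needs private key
    return cert

def validate(chain, trust_store, hostname, today):
    """chain[0] is the site's certificate; each later entry vouches for the one before."""
    if chain[0]["subject"] != hostname:
        return "hostname mismatch"
    for i, cert in enumerate(chain):
        if cert["expires"] < today:
            return f"expired: {cert['subject']}"
        if i + 1 < len(chain):                      # issuer's certificate was sent along
            if chain[i + 1]["subject"] != cert["issuer"]:
                return "broken chain"
            issuer_n = chain[i + 1]["pubkey"]
        else:                                       # last link must be a pre-installed root
            issuer_n = trust_store.get(cert["issuer"])
        if issuer_n is None:
            return "untrusted issuer"
        if pow(cert["signature"], E, issuer_n) != digest(cert, issuer_n):
            return f"bad signature on {cert['subject']}"
    return "ok"

# Constructed sample data: root [CA] signs [CA2], [CA2] signs [CA3], [CA3] signs the site.
ROOT_N, ROOT_D = keypair(107, 127)
CA2_N, CA2_D = keypair(89, 107)
CA3_N, CA3_D = keypair(61, 89)
SITE_N, _ = keypair(31, 61)
TRUST_STORE = {"CA": ROOT_N}
CHAIN = [issue("example.com", SITE_N, "2030-01-01", "CA3", CA3_N, CA3_D),
         issue("CA3", CA3_N, "2030-01-01", "CA2", CA2_N, CA2_D),
         issue("CA2", CA2_N, "2030-01-01", "CA", ROOT_N, ROOT_D)]
```

Calling `validate(CHAIN, TRUST_STORE, "example.com", "2025-06-01")` returns `"ok"`; changing any signed field, or removing the root from the trust store, makes it return the reason for rejection instead.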
25
Revisit the first example
[Diagram: End User asks "verisign.com using TLS please"; verisign.com]
26
Extended Validation Certificate
Most websites that implement SSL look like this.
Some websites may pay extra money annually to Certificate Authorities to get Extended Validation. This involves having the CA verify that your legal entity exists annually.
You get a cool upgrade on the address bar though.
27
TLS Resources
SSL Diagram
The First Few Milliseconds of an HTTPS Connection
TLS 1.2 RFC
HTTPS RFC
28
Let's Encrypt
Let's Encrypt is a certificate authority that launched in 2016 and provides free certificates for TLS.
29
Extra Notes
SSH (Secure Shell) does not use TLS; it uses its own technology under the hood.