NSM 1st Ut
NSM 1st Ut
Web::- Web is a system with universally accepted standards for storing, retrieving,
formatting and displaying information using client/server architecture. The web
combines the text, hypermedia, graphics and sound. It can handle all types of
digital communication, making it easy to link resources that are far apart and it
uses GUI for easy viewing. It is based on a standard hypertext language called
HTML, which formats documents and incorporates dynamic links to other
documents stored in same or remote computers.
The www is structured with client and servers, where a client accesses services from the
server.
The server can either be local or available through a global network connection.
A local connection normally requires the connection over a local area network , but a
global connection normally requires the connection to a Internet Service Provider
These providers are often known as Internet access Provider (ISP), sometimes as
Interconnectivity providers (ICP).
Triveni A R SGL/CS, GWPT, Ramanagara Page 1
Network Security and Management(15CS62T)
They provide the mechanism to access the Internet and have required hardware and software
to connect from the user to the Internet. Example to access is
The foundation protocol of the www is the Hypertext Transfer Protocol (HTTP),
which can be used in any client-server application involving hypertext. The most
recently defined standard is HTTP 1.1 which has been defined by the IETF standard.
HTTP is a stateless protocol, where each is independent of any previous transaction. Thus,
when the transaction is finished, the TCP/IP connection is disconnected. The advantages of
being stateless are that it allows the rapid access of www pages over several widely distributed
servers. It uses the TCP protocol to establish a connection between a client and a server for
each transaction and then terminates the connection once the transaction completes
Initially, a client issues a request to a server which may include a prioritized list of
formats that it can handle.
A client’s www browser (the user agent) initially establishes a direct connection with
the destination server which contains the required www page.
To make this connection, the client initiates a TCP connection between the client and
the server. After this is established, the client then issues an HTTP request, such as the
specific command (the method), the URL, and possibly extra information such as
request parameters or client information.
When the server receives the request, it attempts to perform the requested action. It,
then, returns an HTTP response, which includes status information, a success/error
code, and extra information. After the client receives this, the TCP connection is
closed.
Clients are not aware of the security risks that exist and do not have the tools are
knowledge to take effective countermeasures.
Table 17.1 provides a summary of the types of security threats faced in using the web .
The various approaches have been considered for web security, which are similar in the
services they provide, but they differ with respect to their scope of applicability and
their relative location within the TCP/IP protocol stack.
Relative location of security facilities in the TCP/IP protocol stack is shown in
Figure12.3 and illustrates the difference.
Application layer
Transport layer
TCP, UDP
Network layer
IP/IPSec
12.3(a)Security provided at the network layer with IPSec
One way to provide web security is to use IP security as shown in Figure 12.3(a). The
advantage of using IPSec is that it is transparent to end users and applications and
provides a general purpose solution.
Application layer
Transport layer
TCP SSL/TSL
Network layer
IP/
Application layer
Transport layer
TCP, UDP
Network layer
IP
In the SSL family of protocols, a connection is a transport of information between two nodes
in a communication network.
Session identifier: An arbitrary byte sequence chosen by the server to identify an active or
resuming session state.
Peer certificate: An X509. V3 certificate of the peer. This of the state may be null.
Compression method: The algorithm used to compress the data prior to encryption.
Cipher spec: Specifies of the bulk data encryption algorithm and the hash algorithm used
MAC (Message Authentication Code) calculations.
Master secret: A 48-byte secret shared between the client and server.
Is resumable: A flag indicating whether the session is allowed to initiate new connections.
Server write MAC secret: The secret key used in calculating the MAC(Message
Authentication Code) value for the data sent by the server.
Client write MAC secret: The secret key used in calculating the MAC value for the data
sent by the client.
Server write key: The symmetric-key encryption key for data encrypted by the server and
decrypted by the client.
Client write key: The symmetric-key encryption key for data encrypted by the client and
decrypted by the server.
Initialization vectors: An initialization vector (IV) for each key used by a block cipher
operating in the CBC mode (cipher block changing mode) is maintained. The vectors are
initialized by the SSL Handshake Protocol. Subsequently, the final cipher text block from
each record is preserved for use as the IV with the following record.
Sequence numbers: Each party maintains separate sequence numbers for the transmitted and
received message through each connection. When a party sends or receives a change cipher
sec message, the appropriate sequence number is set to zero. Sequence number may not
exceed 2 64 -
Confidentiality
Message integrity
The operation of the SSL Record Protocol is shown in figure 12.5. It consists of the following five
steps.
Compression: This optional step requires loss less compression and carries the stipulation that the size
of the input block will not increase by more than 1024 bytes. (As you would expect, compression will,
in most cases, reduce the length of a block produced by the fragmentation step. But for very short
blocks, the length may increase.) SSL V3, the current version of SSL does not specify compression.
Adding MAC: This step computes, the MAC (Message Authentication Code)for the block. The MAC
is appended to the compressed message block.
Encryption: The compressed message and the MAC are encrypted using symmetric key encryption.
The encryption may be carried out with a block cipher such as 3DES or with a stream cipher such as
RC4-128, A number of choices are available for the encryption steps depending on the level of security
needed.
Appended SSL Record Header: Finally, an SSL header is pretended to the encrypted block. The
header consists of 8 bits for declaring the content type, 8 bits for declaring the major version used for
SSL, 8 bits for declaring the minor version used, and 16 bits for declaring the length of the compressed
plaintext (or the plaintext if not compression was used). Each output block produced by the SSL Record
Protocol is referred to as an SSL record. The length of a record is not to exceed 32,767 bytes.
Random: A 32-bit timestamp and 23-byte random field that together server as nonces during key
exchange to prevent replay attacks.
Passion ID: A variable length session identifier. A nonzero value indicates that the client wishes to
update the parameters of an existing connection or create a new connection on this session. A zero
value indicates that the client wishes to establish a new connection on a new session.
Cipher suite: A list of cryptographic algorithms supported by the client, in decreasing order of
preference.
The server responds with its server hello message that has a similar set of parameters. The server’s
response, as you would expect, includes the specific algorithms selected by the server from the client’s
lists for compression, authentication, and encryption.
The cipher suite parameters in the server hello message consist of two elements:
PHASE 2 handshaking is initiated by the server if server authentication is needed by the client.
The server sends to the client a certificate, message containing its one or more certificates
validating its public key.
This could be followed by a server-key-exchange message and a certificate-request message,
both from the server to the client.
The server-key exchange message could, from example, consist of the global Diffie-Hellman
values (a prime number and a primitive root of that number) and the servers Diffie-Hellman
public key.
Phase 2 handshaking ends when the server ends the client-a server hello message.
If client authentication is required, the client sends to the server the certificate message
containing one or more certificates validating its public key.
Next, the client sends to the server a mandatory client-key-exchange message that could, for
example, consist of a secret session key encrypted with the server’s public key.
This phase sends when the client sends to the server a certificate verify message to provide a
verification of its certificates if they are signed by a certificate authority.
PHASE 4 handshaking completes the setting up of a secure connection between the client and the
server.
The client sends to the server a change-cipher-spec message indicating that it is copying the
pending cipher spec into the client spec.
Next, the client sends to the server the finished message. As shown in above figure, the
server does the same vis-a-vis the client.
The change –cipher-spec message format must correspond to the change cipher spec
Protocol.
This protocol says that the message must consist of a single byte with a value of 1 indicating
the change.
The last of the SSL protocols, Alert Protocol, is used to convey SSL-related alerts to the peer
entity.
The native protocol that web clients and servers use to communicate is Hypertext Transfer
Protocol(HTTP).This protocol is ideal for open communicates. However in its native form, it
does not provide authentication or encryption features. Secure HTTP (S-HTTP) works in
conjunction with HTTP to enable clients and servers to engage in private and secure
transactions. It is essentially useful for encrypting form based information as it passes between
clients and servers .It should be noted that S-HTTP only encrypt HTTP levels message at the
application layer whereas SSL encrypts all data being passed between the client and server at
the IP socket level.
S-HTTP provides considerable flexibility in terms of what cryptographic algorithms and modes
of operation can be used. Also, as the need for authenticating among the internet and web
grows, users need to be authenticated before sending encrypted files to each other. with S-
HTTP, message may be protected using digital signatures, authentication ,and encryption.
During the initial contact, the sender and the receivers establish preferences for encrypting and
processing secure messages.
SET is an open encryption and security specification designed to protect credit card
transactions on the Internet. It is set of security protocols and formats that enable users to
employ the existing credit card payment infrastructure on an open network, such as the internet,
in a secure fashion. SET provides three services:
Secure transactions are critical for electronic commerce on the internet. Merchants
must automatically and safely collect and process payments from internet clients: therefore, a
secure protocol is required to support the activities of the credit card companies. SET is
designed to secure credit card transition by authenticating cardholder’s merchants and banks
by preserving the confidentiality of payment data. SET includes following features:
Requires digital signatures to verify that the customers, merchant, and bank or legitimate.
Uses multiparty messages that allow information to be encrypted directly to bank.
Prevent credit card numbers from getting in the wrong hands.
Requires integration into the credit card processing system.
SET includes a layer that negotiates the type of payment method, protocols and transports , this
task is the responsibility of the joint electronic payment initiative (JEPI).Payment method could
include credit cards , debit cards , electronic cash and cheques . Payment protocols such as SET
Triveni A R SGL/CS, GWPT, Ramanagara Page 10
Network Security and Management(15CS62T)
define the message format and sequence required for completion of the payment transaction.
Transport includes such protocols (S-HTTP).
If e –commerce is to succeed, a method must exist for consumer to use credit cards over the
internet. Credit card usage on the internet is still low, but is likely to grow in the feature SET
and SSL is used in the credit card transaction to provide security provisions. SSL encrypts a
credit card number and other information using a 40- bit key. Because of its size, this key can
be hacked; however, it may be adequate for some needs .Even though SSL credit card
information private while being transmitted, it does not addresses the issue of weather valid,
stolen or being used without permission. SET addresses these limitations among an “Electronic
Wallet” that can identify the users and validate the transaction. An electronic wallet is a type
of software application used by the consumers for securely storing purchasing information.
Furthermore, SET- based systems have an advantage over the mechanisms, in that SET adds
digital certificates that associate the card holders and merchant with a particular financial
institute and the visa and master card payment system.
Business Requirements
1. Provide authentication that a card holders is legitimate users of a credit card account
2. Provide authentication that a merchant can accept credit card transaction through its
relationship with a financial institution.
3. Provide confidentiality of payment and ordering information.
4. Ensure the integrity of all transmitted data.
5. Ensure the use of the best security practices and system design techniques to protect
all legitimate parties in an electronic commerce transaction.
6. Create a protocol that neither depends on transport security mechanism nor prevent
their use.
7. Facilitate and encourage interoperability among software and network providers.
SET PARTICIPANTS (SECURE ELECTRONIC TRANSACTION)
The following figure indicates the Participants in the SET System, which include the cardholder
and the merchants in addition to the issuer, acquirer, payment gateway, and a certification
authority.
Cardholder: in the Electronic Environment consumers, and corporate purchasers, interact with
merchants from personal computer over Internet. A Cardholder is an authorized holder of
payment card (e-g Master card, visa) that has been issued by an issuer.
Merchants: A merchants is a person or organization that has goods or Service (offered by web
site or by electronic mail) to the cardholder.
Issuer: This is the financial institution, such as a bank that provides the cardholder with the
payment card.
Acquirer : This is also financial institution that establishes an account with a merchants and
processes payment card authorizations and payments.
Payment gateway: This is the function is operated by the acquirer or designed third party that
processes merchant payment messages.
Triveni A R SGL/CS, GWPT, Ramanagara Page 11
Network Security and Management(15CS62T)
This payment gateway interfaces between SET and the exiting bankcard payment networks
for authorization & payment functions.
Certification Authority (CA) :This is an entity that is trusted to issue X.509 V3 public-key
certificates for cardholders, merchants and payment gateways.
1. The customer opens an account and obtains a credit card account either a bank that
supports electronic payment and SET.
2. These customers receive a certificate after suitable verification of identity. It
establishes a relationship between the customer's key pair and the credit card.
4. The customer places an order, which is accepted by the merchants. The order from
returned from the merchants includes the items, the costs, and an order number.
6. The customer sends the order, payment, and this certificate to the merchants.
10. The merchants request payment gateway, which handles all payment processing.