Web Security and Protocols

TLS is a cryptographic protocol that provides communications security over the internet. It is the successor to SSL and aims to provide end-to-end security with data confidentiality, integrity, and authentication between network applications. TLS encrypts data transmitted between systems to ensure it cannot be read or altered by unauthorized parties during transit. It uses X.509 certificates and asymmetric cryptography to authenticate devices and facilitate secure transmission of data.

Uploaded by

Farhan Khurshid
Copyright: © All Rights Reserved

DATA ENCRYPTION & SECURITY

Contents
• E-Commerce
• E-Commerce - Security Systems
• Measures to ensure Security
• Web Security and Protocols/Security Protocols in Internet
E-Commerce

• E-commerce is the process of buying and selling tangible products and services online.
• It involves more than one party along with the exchange of data or currency to process a transaction.
• It is part of the greater industry that is known as electronic business (E-business), which involves all of the processes required to run a company online.
E-Commerce - Security Systems

• Security is an essential part of any transaction that takes place over the internet.
• Customers will lose their faith in e-business if its security is compromised.
• Following are the essential requirements for safe e-payments/transactions:
Confidentiality: Information should not be accessible to an unauthorized person. It should not be intercepted during the transmission.
Integrity: Information should not be altered during its transmission over the network.
Availability: Information should be available wherever and whenever required within a time limit specified.
Authenticity: There should be a mechanism to authenticate a user before giving them access to the required information.
Non-repudiation: It is the protection against a party denying its part in a transaction. Once a sender sends a message, the sender should not be able to deny sending the message. Similarly, the recipient of the message should not be able to deny the receipt.
Encryption: Information should be encrypted and decrypted only by an authorized user.
Auditability: Data should be recorded in such a way that it can be audited for integrity requirements.
Measures to Ensure Security

• Encryption: It is a very effective and practical way to safeguard the data being transmitted over the network.
• Digital Signature: Digital signature ensures the authenticity of the information. A digital signature is an authentication mechanism that enables the creator of the message to attach a code that acts as a signature.
• Security Certificates: A security certificate is a small data file used as an Internet security technique through which the identity and authenticity of a website or Web application is established.
Web Security and Protocols

• We will discuss here some of the popular protocols used over the internet to
ensure secured online transactions:
• Secure Socket Layer (SSL)
• Transport Layer Security (TLS)
• Hypertext Transfer Protocol Secure (HTTPS)
• Hypertext Transfer Protocol (HTTP)
• Secure Electronic Transaction (SET)
• Internet Protocol Security (IPsec)
Secure Socket Layer (SSL)

• SSL, or Secure Sockets Layer, is an encryption-based Internet security protocol.
• It was first developed by Netscape in 1995 for the purpose of ensuring privacy, authentication, and data integrity in Internet communications.
• It is the most commonly used protocol and is widely used across the industry.
• "https://" is to be used for HTTP URLs with SSL, whereas "http://" is to be used for HTTP URLs without SSL.
• There have been several iterations of SSL, each more secure than the last.
• In 1999 SSL was updated to become TLS.
• It meets the following security requirements:
- Authentication
- Encryption
- Integrity
- Non-repudiation
How does SSL work?

• In order to provide a high degree of privacy, SSL encrypts data that is transmitted across the web. This means that anyone who tries to intercept this data will only see a garbled (unclear) mix of characters that is nearly impossible to decrypt.
• SSL initiates an authentication process called a handshake between two communicating devices to ensure that both devices are really who they claim to be.
• SSL also digitally signs data in order to provide data integrity, verifying that the data is not tampered with before reaching its intended recipient.
Why SSL Is Important

• Originally, data on the Web was transmitted in plaintext that anyone could read if they intercepted the message.
• For example, if a consumer visited a shopping website, placed an order, and entered their credit card number on the website, that credit card number would travel across the Internet unconcealed.
• SSL was created to correct this problem and protect user privacy.
• By encrypting any data that goes between a user and a web server, SSL ensures that anyone who intercepts the data can only see a scrambled mess of characters.
• The consumer's credit card number is now safe, only visible to the shopping website where they entered it.
• SSL also stops certain kinds of cyber attacks: It authenticates web servers, which is important because attackers will often try to set up fake websites to trick users and steal data.
• It also prevents attackers from tampering with data.
Objective of SSL

• The goals of SSL are as follows −
Data integrity − Information is safe from tampering. The SSL Record Protocol, SSL Handshake Protocol, SSL Change CipherSpec Protocol, and SSL Alert Protocol maintain data privacy.
Client-server authentication − The SSL protocol authenticates the client and server using standard cryptographic procedures.
• SSL is the forerunner of Transport Layer Security (TLS), a cryptographic technology for secure data transfer over the Internet.
SSL Protocol Stack
SSL Certificate

• SSL can only be implemented by websites that have an SSL certificate (technically a "TLS certificate").
• An SSL certificate is like an ID card or a badge that proves someone is who they say they are.
• SSL certificates are stored and displayed on the Web by a website's or application's server.
• One of the most important pieces of information in an SSL certificate is the website's public key.
• The public key makes encryption and authentication possible.
• A user's device views the public key and uses it to establish secure encryption keys with the web server.
• Meanwhile the web server also has a private key that is kept secret; the private key decrypts data encrypted with the public key.
• Certificate Authorities (CA) are responsible for issuing SSL certificates.

Types of SSL Certificate

• There are several different types of SSL certificates. One certificate can
apply to a single website or several websites, depending on the type:
• Single-domain: A single-domain SSL certificate applies to only one
domain (a "domain" is the name of a website, like www.cloudflare.com).
• Wildcard: Like a single-domain certificate, a wildcard SSL certificate
applies to only one domain. However, it also includes that domain's
subdomains. For example, a wildcard certificate could cover
www.cloudflare.com, blog.cloudflare.com, and developers.cloudflare.com,
while a single-domain certificate could only cover the first.
• Multi-domain: As the name indicates, multi-domain SSL certificates can
apply to multiple unrelated domains.
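To make the scope of the three certificate types concrete, here is an added example (not part of the original slides) that applies the hostname-matching rules a TLS client uses when deciding whether a certificate covers the site it is connecting to. The certificate name lists and host names are constructed samples and the function names are my own. It generalises the three types into one check and also covers the edge cases a wildcard does not reach: the bare domain, deeper subdomains, and a wildcard with no domain part.

```python
"""Does a certificate cover a hostname? (added illustration, not from the slides)

A certificate lists one or more names. A plain name matches itself only; a
wildcard such as "*.cloudflare.com" stands for exactly one label to the left
of the dot, so it covers blog.cloudflare.com but neither cloudflare.com nor
a.b.cloudflare.com. A multi-domain certificate is simply a longer list.
"""
from typing import Iterable


def _match_one(pattern: str, hostname: str) -> bool:
    """Return True if a single certificate name covers `hostname`."""
    pattern = pattern.lower().rstrip(".")      # names are case-insensitive
    hostname = hostname.lower().rstrip(".")    # ignore a trailing root dot
    if not pattern.startswith("*."):
        # Plain name (or a partial wildcard like "w*.example.com", which we
        # deliberately treat as literal text): exact comparison only.
        return pattern == hostname
    host_labels = hostname.split(".")
    pattern_labels = pattern.split(".")
    if len(host_labels) != len(pattern_labels):
        return False   # the "*" covers one label, never zero or several
    if len(pattern_labels) < 3:
        return False   # refuse over-broad wildcards such as "*.com"
    return host_labels[1:] == pattern_labels[1:]


def certificate_covers(cert_names: Iterable[str], hostname: str) -> bool:
    """True if any name listed on the certificate covers `hostname`."""
    return any(_match_one(name, hostname) for name in cert_names)


# Constructed sample certificates mirroring the three types on the slide.
SINGLE_DOMAIN = ["www.cloudflare.com"]
WILDCARD = ["*.cloudflare.com"]
MULTI_DOMAIN = ["www.cloudflare.com", "shop.example.net", "api.example.org"]

if __name__ == "__main__":
    for host in ("www.cloudflare.com", "blog.cloudflare.com", "cloudflare.com", "a.b.cloudflare.com"):
        print(f"{host:22} single={certificate_covers(SINGLE_DOMAIN, host)!s:5} "
              f"wildcard={certificate_covers(WILDCARD, host)!s:5} "
              f"multi={certificate_covers(MULTI_DOMAIN, host)}")
```

In practice this check is done for you by the TLS library (in Python, `ssl.SSLContext.check_hostname`); the point of spelling it out is to see why a wildcard certificate for `*.cloudflare.com` does not cover the bare domain and why the name check must never be switched off.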
Types of SSL Certificate

• SSL certificates also come with different validation levels. A validation level is like a background check, and the level changes depending on the thoroughness of the check.
• Domain Validation: This is the least-stringent level of validation, and the cheapest. All a business has to do is prove they control the domain.
• Organization Validation: This is a more hands-on process: The CA directly contacts the person or business requesting the certificate. These certificates are more trustworthy for users.
• Extended Validation: This requires a full background check of an organization before the SSL certificate can be issued.
SSL vs TLS

SSL | TLS
SSL is a complex protocol to implement. | TLS is a simpler protocol.
SSL has three versions, of which SSL 3.0 is the latest. | TLS has four versions, of which TLS 1.3 is the latest.
All SSL protocol versions are vulnerable to attacks. | TLS protocol offers high security.
SSL uses a message authentication code (MAC) after message encryption for data integrity. | TLS uses a hash-based message authentication code in its record protocol.
SSL uses message digest to create a master secret. | TLS employs a pseudo-random function to create a master secret.
SSL and TLS releases

• Here's the full history of SSL and TLS releases:
- SSL 1.0 – never publicly released due to security issues.
- SSL 2.0 – released in 1995. Deprecated in 2011. Has known security issues.
- SSL 3.0 – released in 1996. Deprecated in 2015. Has known security issues.
- TLS 1.0 – released in 1999 as an upgrade to SSL 3.0. Planned deprecation in 2020.
- TLS 1.1 – released in 2006. Planned deprecation in 2020.
- TLS 1.2 – released in 2008.
- TLS 1.3 – released in 2018.
Transport Layer Security (TLS)

• TLS was proposed by the Internet Engineering Task Force (IETF), an international standards organization, and the first version of the protocol was published in 1999.
• The most recent version is TLS 1.3, which was published in 2018.
• Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet.
• A primary use of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website.
• TLS can also be used to encrypt other communications such as email, messaging, and voice over IP (VoIP).
What does TLS do?

• There are three main components to what the TLS protocol accomplishes: Encryption, Authentication, and Integrity.
Encryption: hides the data being transferred from third parties.
Authentication: ensures that the parties exchanging information are who they claim to be.
Integrity: verifies that the data has not been forged or tampered with.
How does TLS work?

• For a website or application to use TLS, it must have a TLS certificate installed on its origin server (the certificate is also known as an "SSL certificate").
• A TLS certificate is issued by a certificate authority to the person or business that owns a domain.
• The certificate contains important information about who owns the domain, along with the server's public key, both of which are important for validating the server's identity.
• A TLS connection is initiated using a sequence known as the TLS handshake.
• When a user navigates to a website that uses TLS, the TLS handshake begins between the user's device (also known as the client device) and the web server.
• During the TLS handshake, the user's device and the web server:
- Specify which version of TLS (TLS 1.0, 1.2, 1.3, etc.) they will use
- Decide on which cipher suites they will use
- Authenticate the identity of the server using the server's TLS certificate
- Generate session keys for encrypting messages between them after the handshake is complete
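The version, cipher suite and certificate checks in the handshake are carried out by the TLS library, but the client side decides what it is willing to accept. The following is an added example, not code from the slides, using Python's standard `ssl` module: it builds a client context that refuses the versions the release history lists as deprecated (SSL 2.0/3.0, TLS 1.0/1.1), requires a certificate that chains to a trusted CA and whose name matches the host, and, when run against a live server, reports which version and cipher suite were actually negotiated. The function names are my own and the host read from the command line is a placeholder.

```python
"""Hardened TLS client context and a handshake report (added example).

make_client_context() configures the client's side of the handshake; the
describe_connection() helper performs a real handshake and needs network
access, so it is only called from the __main__ guard.
"""
import socket
import ssl
import sys


def make_client_context() -> ssl.SSLContext:
    """Build a client context that only negotiates TLS 1.2 or newer."""
    ctx = ssl.create_default_context()          # loads the OS trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2 # SSL 3.0, TLS 1.0 and 1.1 are refused
    ctx.check_hostname = True                    # certificate name must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED          # an unverifiable chain aborts the handshake
    return ctx


def context_summary(ctx: ssl.SSLContext) -> dict:
    """Report the three settings an audit cares about, as plain strings/bools."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_mode": ctx.verify_mode.name,
    }


def offers_deprecated_versions(ctx: ssl.SSLContext) -> bool:
    """True if the context would still negotiate a version below TLS 1.2."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


def describe_connection(host: str, port: int = 443) -> dict:
    """Handshake with `host` and return the negotiated parameters (needs network)."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        # server_hostname drives both SNI and the hostname check.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "version": tls.version(),          # e.g. "TLSv1.3"
                "cipher_suite": tls.cipher()[0],   # e.g. "TLS_AES_256_GCM_SHA384"
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "not_after": cert["notAfter"],
            }


if __name__ == "__main__":
    # Placeholder: pass the server you operate or are checking as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(describe_connection(target))
```

If the server only offers a deprecated version, or presents a certificate whose name does not match, `wrap_socket` raises an `ssl.SSLError` or `ssl.SSLCertVerificationError` instead of returning a socket; that failure is the intended outcome, not something to catch and ignore.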
How does TLS work?

• The TLS handshake establishes a cipher suite for each communication session.
• The cipher suite is a set of algorithms that specifies details such as which shared encryption keys, or session keys, will be used for that particular session.
• TLS is able to set the matching session keys over an unencrypted channel thanks to a technology known as public key cryptography.
• The handshake also handles authentication, which usually consists of the server proving its identity to the client.
• This is done using public keys.
• Public keys are encryption keys that use one-way encryption, meaning that anyone with the public key can unscramble the data encrypted with the server's private key to ensure its authenticity, but only the original sender can encrypt data with the private key.
• The server's public key is part of its TLS certificate.
• Once data is encrypted and authenticated, it is then signed with a message authentication code (MAC).
• The recipient can then verify the MAC to ensure the integrity of the data.
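The bullets above describe two separate mechanisms: agreeing on matching session keys over a channel anyone can read, and protecting each record with a MAC that the recipient verifies. The following added example (not from the slides) walks through both with the standard library only: a Diffie-Hellman agreement over a constructed 64-bit toy group, derivation of a session key from the shared secret and both handshake nonces, and HMAC-protected records that the recipient rejects when they are tampered with or replayed. All group parameters, nonces and messages are constructed for the demonstration; the group is far too small for real use and stands in for the standardized 2048-bit-plus or elliptic-curve groups TLS uses, and the function names are my own.

```python
"""Session key agreement over an open channel, then MAC-protected records.

Added example, not code from the slides. The modulus is a toy safe prime found
at import time (constructed, 64 bits); TLS uses standardized groups such as
X25519 or the RFC 7919 finite-field groups.
"""
import hashlib
import hmac
import random
import secrets
from typing import Optional, Tuple

_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # exact for n < 3e23

def _is_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; exact for the 64-bit values used here."""
    if n < 2:
        return False
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def _find_safe_prime(bits: int, seed: int) -> int:
    """Find p = 2q + 1 with both p and q prime; seeded so the toy is reproducible."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_prime(q) and _is_prime(2 * q + 1):
            return 2 * q + 1

P = _find_safe_prime(64, seed=2024)  # toy modulus (constructed)
Q = (P - 1) // 2                     # order of the subgroup we work in
G = 4                                # a square, so it generates that prime-order subgroup

def dh_keypair() -> Tuple[int, int]:
    """Return (private exponent, public value); only the public value is sent."""
    priv = secrets.randbelow(Q - 1) + 1
    return priv, pow(G, priv, P)

def dh_shared_secret(my_priv: int, their_pub: int) -> int:
    """Combine my private exponent with the peer's public value, after validating it."""
    if not 1 < their_pub < P - 1 or pow(their_pub, Q, P) != 1:
        raise ValueError("peer public value is not in the expected subgroup")
    return pow(their_pub, my_priv, P)

def derive_session_key(shared: int, client_random: bytes, server_random: bytes) -> bytes:
    """Hash the shared secret with both handshake nonces into a 32-byte key."""
    material = shared.to_bytes(8, "big") + client_random + server_random
    return hashlib.sha256(b"toy-session-key" + material).digest()

def protect_record(key: bytes, seq: int, payload: bytes) -> bytes:
    """Append an HMAC over sequence number and payload (detects tampering and replay)."""
    tag = hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return payload + tag

def open_record(key: bytes, seq: int, record: bytes) -> Optional[bytes]:
    """Return the payload if the tag verifies for this sequence number, else None."""
    if len(record) < 32:
        return None
    payload, tag = record[:-32], record[-32:]
    expected = hmac.new(key, seq.to_bytes(8, "big") + payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(tag, expected) else None   # constant-time compare

def handshake_demo() -> dict:
    """Run both sides of the exchange and report what the recipient accepts."""
    client_random, server_random = secrets.token_bytes(32), secrets.token_bytes(32)
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()
    # On the wire: c_pub, s_pub and both nonces. The private exponents never leave their owner.
    client_key = derive_session_key(dh_shared_secret(c_priv, s_pub), client_random, server_random)
    server_key = derive_session_key(dh_shared_secret(s_priv, c_pub), client_random, server_random)
    record = protect_record(client_key, 0, b"GET /checkout HTTP/1.1")   # constructed payload
    tampered = bytearray(record)
    tampered[4] ^= 0x01                      # flip one payload bit in transit
    return {
        "keys_match": client_key == server_key,
        "genuine": open_record(server_key, 0, record),
        "tampered": open_record(server_key, 0, bytes(tampered)),
        "replayed": open_record(server_key, 1, record),   # same record, wrong sequence number
    }

if __name__ == "__main__":
    print(handshake_demo())
```

Two design points carry over to the real protocol: the sequence number is bound into the MAC so an old record cannot be replayed, and the tag is compared in constant time. TLS 1.3 goes one step further than the slides' description by using AEAD cipher suites, where encryption and the integrity tag are a single operation rather than a separate MAC step.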
Why should businesses and web applications use the TLS protocol?

• TLS encryption can help protect web applications from data breaches and other attacks.
• Today, TLS-protected HTTPS is a standard practice for websites.
• The Google Chrome browser gradually cracked down on non-HTTPS sites, and other browsers have followed suit.
• Everyday Internet users are more wary of websites that do not feature the HTTPS padlock icon.
Benefits of TLS

• There are several benefits of TLS:
- Encryption: TLS/SSL can help to secure transmitted data using encryption.
- Interoperability: TLS/SSL works with most web browsers, including Microsoft Internet Explorer, and on most operating systems and web servers.
- Algorithm flexibility: TLS/SSL provides options for the authentication mechanism, encryption algorithms and hashing algorithm that are used during the secure session.
- Ease of Deployment: Many applications use TLS/SSL temporarily on a Windows Server 2003 operating system.
- Ease of Use: Because TLS/SSL is implemented beneath the application layer, most of its operations are completely invisible to the client.
