Chapter 6 Application and Web Security

Chapter 6 discusses application and web security, covering topics such as application hardening, patches, web servers, and active directory. It highlights the importance of securing web applications against various threats and introduces security protocols like SSL and TLS for secure communications. Additionally, it explains the Secure Electronic Transaction (SET) protocol, which protects credit card transactions online.

Uploaded by

maheshlondhe873
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
2 views31 pages

Chapter 6 Application and Web Security

Chapter 6 discusses application and web security, covering topics such as application hardening, patches, web servers, and active directory. It highlights the importance of securing web applications against various threats and introduces security protocols like SSL and TLS for secure communications. Additionally, it explains the Secure Electronic Transaction (SET) protocol, which protects credit card transactions online.

Uploaded by

maheshlondhe873
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPTX, PDF, TXT or read online on Scribd
You are on page 1/ 31

Chapter 6: Application and Web Security
10 Marks
Yogesh A. Pawar
Content
• Application hardening
• Application patches
• Web servers
• Active Directory
• Web security threats
• Web traffic security approaches
• Secure Socket Layer
• Transport Layer Security
• Secure Electronic Transaction
Mar 29, 2025 Yogesh A. Pawar 2
Application Hardening
• Application hardening is securing an application against local and Internet-based attacks.
• We can remove functions of the application that we do not need.
• Most applications have problems with buffer overflows in legitimate user input fields.
• So patching the application is the only way to secure it from such attacks.
Application Patches
Hotfixes
• Hotfixes are usually small sections of code, designed to fix a specific problem.
Patches
• Patches are usually collections of fixes; they are likely to be much larger, and they are usually released on a periodic basis.
Upgrades
Web Servers
• Data is stored in the form of HTML pages.
• Clients can access it through a client-side application program such as a web browser.
• Communication between the web server and the browser is done using the HTTP protocol.
• Web servers provide content and functionality to remote users.
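The two slides above stay at the level of principles (remove what you do not need, bound what you accept from the network, keep the server patched). As an added example that is not part of the original slides, the following small web server written with Python's standard library shows what those principles look like in code: only the HTTP methods actually needed are allow-listed, the request target has an explicit length bound, the server does not advertise its software version, and every response carries a fixed set of browser security headers. The decision logic is kept in a pure function, `dispatch`, so it can be tested without opening a socket. The paths, the 2048-byte limit and the header set are assumptions chosen for the example, not values from the slides.

```python
# Added example: a minimal hardened request-dispatch policy illustrating the
# "Application Hardening" and "Web Servers" slides. Not code from the slides;
# the paths, size limit and header names below are assumptions for the example.
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

MAX_TARGET_LEN = 2048               # assumed bound on the request-target length
ALLOWED_METHODS = {"GET", "HEAD"}   # everything else is functionality we do not need
STATIC_PAGES = {                    # constructed sample content served by the example
    "/": b"<html><body>home</body></html>",
    "/about": b"<html><body>about</body></html>",
}
SECURITY_HEADERS = {                # sent on every response, including errors
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
}


def dispatch(method, target):
    """Pure decision function: (status, headers, body) for one request line."""
    if len(target) > MAX_TARGET_LEN:          # bound input before parsing it
        return 414, dict(SECURITY_HEADERS), b"URI Too Long"
    if method not in ALLOWED_METHODS:         # allow-list, not block-list, of methods
        headers = dict(SECURITY_HEADERS, Allow=", ".join(sorted(ALLOWED_METHODS)))
        return 405, headers, b"Method Not Allowed"
    path = urlsplit(target).path              # ignore query string for static pages
    body = STATIC_PAGES.get(path)
    if body is None:
        return 404, dict(SECURITY_HEADERS), b"Not Found"
    headers = dict(SECURITY_HEADERS, **{"Content-Type": "text/html; charset=utf-8"})
    return 200, headers, body


class HardenedHandler(BaseHTTPRequestHandler):
    server_version = "web"   # do not reveal software name/version in the Server header
    sys_version = ""         # ... nor the Python version

    def _serve(self):
        status, headers, body = dispatch(self.command, self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if self.command != "HEAD":            # HEAD gets headers only
            self.wfile.write(body)

    # Route every method we know about through the same policy; methods the
    # policy does not allow get a 405 with an Allow header.
    do_GET = do_HEAD = do_POST = do_PUT = do_DELETE = do_OPTIONS = do_TRACE = _serve


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), HardenedHandler).serve_forever()
```

Running the module starts the server on 127.0.0.1:8080; the interesting part is that `dispatch` is the whole attack surface decision and can be reviewed and unit-tested on its own.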
Active Directory
• Allows a single login to access multiple applications, data sources and systems, and includes advanced encryption capabilities like Kerberos and PKI.
• Contains information about network objects like domains, servers, workstations, printers, groups and users.
• Every object is placed into a domain, where it can be used to control which users may access which objects.
Active Directory
• Every domain has its own security policies, administrative control, privileges and relationships with other domains.
• A hierarchical structure of domains is known as a forest.
• Microsoft uses the Lightweight Directory Access Protocol (LDAP) to update and query Active Directory.



Web Security
• The Web is now widely used by businesses, governments and individuals.
• But the Internet and the Web are vulnerable.
• There are a variety of threats:
  • Integrity
  • Confidentiality
  • Denial of service
  • Authentication
• Added security mechanisms are needed.
Web Traffic Security Approaches


SSL (Secure Socket Layer)
• Transport layer security service
• Originally developed by Netscape
• Version 3 designed with public input
• Subsequently became the Internet standard known as TLS (Transport Layer Security)
• Uses TCP to provide a reliable end-to-end service
• SSL has two layers of protocols
SSL (Secure Socket Layer)
• The lower layer is the SSL Record Protocol
  • Provides basic security services to various higher-layer protocols
• Three higher-layer protocols:
  • Handshake Protocol
  • Change Cipher Spec Protocol
  • Alert Protocol



SSL Architecture
Figure (protocol encapsulation at both endpoints): L5 Data → L5 Data + SH → L5 Data + H4 → L4 Data + H3 → L3 Data + H2 → 01011011
SSL Architecture
SSL connection
• A transport that provides a suitable type of service
• A transient, peer-to-peer communications link
• Associated with one SSL session
SSL session
• An association between client and server
• Created by the Handshake Protocol
• Defines a set of cryptographic parameters, which may be shared by multiple SSL connections
A session state is defined by the following parameters
• Peer certificate: an X.509v3 certificate of the peer
• Compression method: the algorithm used to compress data
• Cipher spec: data encryption algorithm and hash algorithm
• Master secret: 48-byte secret shared between the client and server
• Is resumable: a flag indicating whether the session can be used to initiate new connections



A connection state is defined by the following parameters
• Server and client random: byte sequences chosen by the server and client for each connection
• Server write MAC secret: the secret key used in MAC operations on data sent by the server
• Client write MAC secret: the secret key used in MAC operations on data sent by the client
• Server write key: the secret encryption key for data encrypted by the server and decrypted by the client
• Client write key: the symmetric encryption key for data encrypted by the client and decrypted by the server
• Initialization vectors (IV): an IV is maintained for each key
• Sequence numbers
SSL Record Protocol Services
• Confidentiality
  • Using symmetric encryption with a shared secret key defined by the Handshake Protocol
  • AES, IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
  • The message is compressed before encryption
• Message integrity
  • Using a MAC with a shared secret key
  • Similar to HMAC but with different padding
SSL Record Protocol Operation
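The "connection state" slide lists the per-direction parameters (write MAC secret, write key, IV, sequence number) and the Record Protocol slides describe the pipeline that consumes them: fragment, compress, MAC, encrypt. The following is an added example, not code from the slides, that puts the two together as a toy record layer in Python. The MAC is HMAC-SHA256 over sequence number, content type, version and length, as TLS does (the slides note that SSLv3's MAC differs from HMAC only in its padding). Assumption: the cipher is a stand-in XOR keystream derived from SHA-256(write key, IV, sequence number, counter), used only so the example runs with the standard library; the real algorithms are the ones the slides list (AES, 3DES, RC4, ...). The sample keys and message are constructed values.

```python
# Added example (not from the original slides): toy SSL/TLS-style record layer
# driven by a per-direction connection state. Cipher is a SHA-256 counter-mode
# keystream stand-in (ASSUMPTION, for a self-contained example), not AES/3DES.
import hashlib
import hmac
import struct
import zlib
from dataclasses import dataclass

MAX_FRAGMENT = 2 ** 14           # record plaintext fragments are at most 2^14 bytes
CONTENT_APPLICATION_DATA = 23    # content-type byte for application data
VERSION = b"\x03\x00"            # SSLv3 version field on the wire
MAC_LEN = 32                     # HMAC-SHA256 tag length


@dataclass
class ConnectionState:
    """One direction (client->server or server->client) of an SSL connection."""
    write_mac_secret: bytes      # "server/client write MAC secret" on the slide
    write_key: bytes             # "server/client write key"
    iv: bytes                    # initialization vector maintained for the key
    seq_num: int = 0             # 64-bit sequence number, one per direction


def keystream(state, seq_num, length):
    """Toy stream cipher: SHA-256 over key||IV||seq||counter (not real TLS)."""
    out, counter = b"", 0
    while len(out) < length:
        block = state.write_key + state.iv + struct.pack(">QQ", seq_num, counter)
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def mac(state, seq_num, content_type, fragment):
    """MAC over seq_num || type || version || length || fragment (TLS layout)."""
    header = struct.pack(">QB2sH", seq_num, content_type, VERSION, len(fragment))
    return hmac.new(state.write_mac_secret, header + fragment, hashlib.sha256).digest()


def protect(state, data, content_type=CONTENT_APPLICATION_DATA):
    """Fragment -> compress -> MAC -> encrypt; returns the list of wire records."""
    records = []
    for i in range(0, len(data), MAX_FRAGMENT):
        compressed = zlib.compress(data[i:i + MAX_FRAGMENT])
        tag = mac(state, state.seq_num, content_type, compressed)
        body = compressed + tag
        cipher = bytes(a ^ b for a, b in zip(body, keystream(state, state.seq_num, len(body))))
        records.append(struct.pack(">B2sH", content_type, VERSION, len(cipher)) + cipher)
        state.seq_num += 1       # sequence number advances only on success
    return records


def unprotect(state, record):
    """Decrypt -> verify MAC -> decompress; ValueError maps to a fatal 'bad record mac'."""
    content_type, version, length = struct.unpack(">B2sH", record[:5])
    cipher = record[5:5 + length]
    if version != VERSION or len(cipher) != length or length < MAC_LEN:
        raise ValueError("malformed record")
    body = bytes(a ^ b for a, b in zip(cipher, keystream(state, state.seq_num, len(cipher))))
    compressed, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = mac(state, state.seq_num, content_type, compressed)
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise ValueError("bad record mac")
    state.seq_num += 1
    return zlib.decompress(compressed)


def is_rejected(state, record):
    """True if the receiver would reject the record (replay, tampering, malformed)."""
    try:
        unprotect(state, record)
    except ValueError:
        return True
    return False


def demo():
    """Send a message larger than one fragment through matching sender/receiver states."""
    sender = ConnectionState(b"M" * 32, b"K" * 16, b"I" * 16)     # constructed sample keys
    receiver = ConnectionState(b"M" * 32, b"K" * 16, b"I" * 16)
    msg = b"GET / HTTP/1.0\r\n\r\n" * 2000                        # 36000 bytes -> 3 records
    records = protect(sender, msg)
    received = b"".join(unprotect(receiver, r) for r in records)
    return len(records), received == msg
```

Two properties worth noticing: because the sequence number is part of both the MAC input and the keystream, replaying a record the receiver has already accepted fails the MAC check, and flipping any byte of a record is detected before decompression is attempted, which is why the MAC is verified first.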


SSL Change Cipher Spec Protocol
• One of the three SSL-specific protocols which use the SSL Record Protocol
• A single message
• Causes the pending state to become the current state
• Hence updates the cipher suite in use



SSL Alert Protocol
• Conveys SSL-related alerts to the peer entity
• Severity
  • Warning or fatal
• Specific alert
  • Fatal: unexpected message, bad record MAC, decompression failure, handshake failure, illegal parameter
  • Warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown
• Compressed and encrypted like all SSL data
SSL Handshake Protocol
• Allows server and client to:
  • Authenticate each other
  • Negotiate encryption and MAC algorithms
  • Negotiate cryptographic keys to be used
• Comprises a series of messages in four phases:
1. Establish Security Capabilities
2. Server Authentication and Key Exchange
3. Client Authentication and Key Exchange
4. Finish
SSL Handshake Protocol


TLS (Transport Layer Security)
• IETF standard RFC 2246, similar to SSLv3
• Ensures privacy between communicating applications
• With minor differences:
  • In the record format version number
  • Uses HMAC for the MAC
  • Has additional alert codes
  • Some changes in supported ciphers
  • Changes in certificate types and negotiations
  • Changes in crypto computations and padding
• TLS Record Protocol
  • It provides connection security with an encryption method such as DES.
• TLS Handshake Protocol
  • Allows server and client to authenticate each other.
• Message Authentication Code
  HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]]
• Pseudorandom function
• Alert codes
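The HMAC formula on the slide, H[(K+ XOR opad) || H[(K+ XOR ipad) || M]], the "pseudorandom function" bullet, the 48-byte master secret on the session-state slide and the key negotiation of the handshake are all one chain of computation in TLS. As an added example that is not part of the original slides, the Python below first writes the HMAC formula out step by step with SHA-256 (K+ is the key zero-padded to the 64-byte block, ipad is 0x36 and opad is 0x5C repeated) and checks it against Python's `hmac` module, then uses it to build the TLS 1.2 pseudorandom function P_SHA256 as defined in RFC 5246 (A(0) = seed, A(i) = HMAC(secret, A(i-1)), output = HMAC(secret, A(1)||seed) || HMAC(secret, A(2)||seed) || ...), derives the 48-byte master secret from a pre-master secret and the client and server randoms, and expands it into the connection-state keys. RFC 5246's PRF is used here because the slide's HMAC formula matches it directly; SSLv3's own key derivation differs. The randoms and pre-master secret in `demo()` are constructed values.

```python
# Added example (not from the original slides): HMAC from the slide's formula,
# the TLS 1.2 PRF (RFC 5246 P_SHA256) built on it, and the derivation of the
# 48-byte master secret and the per-connection keys. Sample inputs are constructed.
import hashlib
import hmac
import os

BLOCK = 64   # SHA-256 block size in bytes; K+ is padded to this length


def hmac_sha256_from_formula(key, msg):
    """HMAC_K(M) = H[(K+ XOR opad) || H[(K+ XOR ipad) || M]] with H = SHA-256."""
    if len(key) > BLOCK:                       # keys longer than a block are hashed first
        key = hashlib.sha256(key).digest()
    k_plus = key.ljust(BLOCK, b"\x00")         # K+ : key zero-padded to the block size
    k_ipad = bytes(b ^ 0x36 for b in k_plus)   # K+ XOR ipad
    k_opad = bytes(b ^ 0x5C for b in k_plus)   # K+ XOR opad
    inner = hashlib.sha256(k_ipad + msg).digest()      # H[(K+ XOR ipad) || M]
    return hashlib.sha256(k_opad + inner).digest()     # H[(K+ XOR opad) || inner]


def matches_stdlib(key, msg):
    """Cross-check the hand-written HMAC against Python's hmac module."""
    reference = hmac.new(key, msg, hashlib.sha256).digest()
    return hmac.compare_digest(hmac_sha256_from_formula(key, msg), reference)


def p_sha256(secret, seed, length):
    """RFC 5246 data expansion: A(i) = HMAC(secret, A(i-1)); out += HMAC(secret, A(i)||seed)."""
    out, a = b"", seed                         # A(0) = seed
    while len(out) < length:
        a = hmac_sha256_from_formula(secret, a)
        out += hmac_sha256_from_formula(secret, a + seed)
    return out[:length]


def prf(secret, label, seed, length):
    """PRF(secret, label, seed) = P_SHA256(secret, label || seed)."""
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master, client_random, server_random):
    """The 48-byte master secret shared by client and server (session state)."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def key_block(master, client_random, server_random, mac_len, key_len, iv_len):
    """Expand the master secret into the connection-state keys, in TLS order."""
    total = 2 * (mac_len + key_len + iv_len)
    # Key expansion uses server_random || client_random (note the reversed order).
    block = prf(master, b"key expansion", server_random + client_random, total)
    names = ["client_write_mac_secret", "server_write_mac_secret",
             "client_write_key", "server_write_key",
             "client_write_iv", "server_write_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def demo():
    """One handshake's worth of key material from constructed random inputs."""
    client_random, server_random = os.urandom(32), os.urandom(32)
    pre_master = os.urandom(48)    # constructed stand-in for the exchanged pre-master secret
    ms = master_secret(pre_master, client_random, server_random)
    keys = key_block(ms, client_random, server_random, mac_len=32, key_len=16, iv_len=16)
    return len(ms), keys["client_write_key"] != keys["server_write_key"]
```

The design point this makes visible is why the connection-state slide lists separate client-write and server-write keys: both sides derive the whole key block from the same master secret and randoms, then each direction uses its own slice, so traffic in one direction can never be replayed as valid traffic in the other.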
Secure Electronic Transaction
• SET is an open encryption and security specification that is designed to protect credit card transactions on the Internet.
• SET is not a payment system, but a set of security protocols and formats that enables users to employ the credit card specification on the Internet.
• It provides three services:
  • A secure communication channel for all parties
  • Authentication by using X.509v3 digital certificates
  • Privacy, because the information is only available to parties when and where it is required
SET Overview
• Provide confidentiality of payment and ordering information
• Ensure the integrity of all transmitted data
• Provide authentication that a cardholder is a legitimate user of a credit card account
• Provide authentication that a merchant can accept credit card transactions through its relationship with a financial institution



SET Overview
• Ensure the use of the best security practices and system design techniques to protect all legitimate parties in an electronic commerce transaction
• Create a protocol that neither depends on transport security mechanisms nor prevents their use
• Facilitate and encourage interoperability among software and network providers
SET Participants
Cardholder: A cardholder is an authorized holder of a payment card that has been issued by an issuer.
Merchant: A merchant is a person or organization that has goods and services to sell to the cardholder.
Issuer: This is a financial institution, such as a bank, that provides the cardholder with the payment card.



SET Participants
Acquirer: A financial institution that establishes an account with a merchant and processes payment card authorizations and payments.
Certification Authority (CA): This is an entity that is trusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment gateways.