tybca CC course unit 4
SSL, which stands for Secure Sockets Layer, is a cryptographic protocol designed to provide secure
communication over a computer network, especially the internet. It ensures that the data exchanged
between a user's web browser and a web server remains private, unaltered and authenticated. SSL has
been succeeded by Transport Layer Security (TLS), but the terms SSL and TLS are often used
interchangeably; in practice every modern deployment runs TLS. SSL/TLS encrypts the link between a
web server and a browser so that the data passed between them stays confidential and any tampering
in transit is detected.
Encryption:
SSL uses cryptographic algorithms to encrypt data during transmission. When a user accesses a
website with SSL (HTTPS), a secure channel is established between the user's browser and the web
server. All data exchanged between them is encrypted, making it difficult for unauthorized parties to
understand or tamper with the information.
Authentication:
SSL provides a mechanism for authenticating the identity of the server (and optionally, the client).
Server Authentication: During the SSL handshake, the server presents a digital certificate to prove its
identity. The user's browser verifies this certificate with a trusted Certificate Authority (CA), ensuring
that the user is connecting to the intended server and not an impostor.
Client Authentication: In some cases, the server can request the client to provide a certificate for
authentication.
Data Integrity:
SSL ensures that the data being transmitted has not been altered in transit. Rather than exchanging
digests during the handshake, each record carries a message authentication code (an HMAC in SSL 3.0
through TLS 1.2, or the authentication tag of an AEAD cipher such as AES-GCM in TLS 1.3) computed
under a key derived during the handshake. The receiver recomputes the code and rejects the record if
it does not match, so modified, replayed or reordered records are detected.
SSL Handshake:
When a user connects to a website secured with SSL/TLS, a handshake occurs before any application
data is sent. During the handshake the client and server agree on the protocol version and cipher
suite, the server presents its digital certificate (which the client verifies against its trusted
roots and against the hostname it requested), and the two sides perform a key exchange (in TLS 1.2
and 1.3 usually ephemeral Diffie-Hellman) from which the session keys for encryption and integrity
are derived.
SSL/TLS Versions:
The protocol has gone through SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2 and TLS 1.3. Successive
versions have addressed vulnerabilities and enhanced security features; SSL 2.0, SSL 3.0, TLS 1.0 and
TLS 1.1 are all deprecated and should be disabled. TLS 1.3, the latest version, is the most secure and
efficient: it removes the weak cipher suites and static RSA key exchange of earlier versions and
completes the handshake in a single round trip.
Certificate Authorities (CAs): SSL relies on a PKI, where CAs issue digital certificates. Root Certificates:
Browsers come pre-installed with a set of root certificates from trusted CAs. These are used to verify
the authenticity of server certificates.
Advantages:
Confidentiality: SSL ensures that transmitted data cannot be read by anyone who intercepts it on the
network.
Integrity: SSL guarantees the integrity of the data by detecting any tampering during transmission.
Authentication: Users can trust that they are connecting to the legitimate website and not a
malicious imposter.
Trustworthy E-commerce: SSL is crucial for securing online transactions, including e-commerce,
where sensitive financial information is exchanged.
Global Standard: SSL/TLS is a global standard, and its implementation is supported by all major web
browsers and servers.
Disadvantages:
Resource Overhead: The encryption and decryption processes can add some overhead to the
server's computational resources.
Certificate Costs: Obtaining an SSL certificate from a trusted CA may involve some costs, though
there are free options available.
Legacy Support: Older versions of SSL and weak cipher suites pose security risks. It's crucial to use
up-to-date protocols and configurations.
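As an added example (not part of the original notes), the following Python uses the standard-library ssl module to build a client context configured the way this section recommends, next to the legacy "make the warning go away" configuration it warns against, and audits both. The function names and the list of weak-cipher markers are illustrative choices for this example, not a standard; a real audit would also cover the server side.

```python
import ssl


def hardened_client_context() -> ssl.SSLContext:
    """Client-side context configured the way the section above recommends."""
    ctx = ssl.create_default_context()             # OS trust store, CERT_REQUIRED, hostname checking
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSL 2.0/3.0 and TLS 1.0/1.1 outright
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """The 'make the certificate warning go away' configuration that breaks server authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False         # must be cleared before verify_mode can be lowered
    ctx.verify_mode = ssl.CERT_NONE    # any certificate is accepted: no server authentication at all
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # re-enable deprecated protocol versions
    except ValueError:
        pass  # some OpenSSL builds refuse even to configure TLS 1.0; the other two weaknesses remain
    return ctx


# Substrings that identify cipher suites no current deployment should offer (illustrative list).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the problems a reviewer would flag in this context; an empty list means acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server certificate is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a valid certificate for any other name is accepted")
    low = ctx.minimum_version
    if low == ssl.TLSVersion.MINIMUM_SUPPORTED or (
        low != ssl.TLSVersion.MAXIMUM_SUPPORTED and low < ssl.TLSVersion.TLSv1_2
    ):
        findings.append(f"minimum_version {low.name} allows deprecated protocol versions below TLS 1.2")
    weak = sorted({c["name"] for c in ctx.get_ciphers()
                   if any(marker in c["name"] for marker in WEAK_CIPHER_MARKERS)})
    if weak:
        findings.append("weak cipher suites enabled: " + ", ".join(weak))
    return findings


if __name__ == "__main__":
    for label, builder in (("hardened", hardened_client_context), ("legacy", legacy_client_context)):
        print(f"{label}: {audit_context(builder()) or 'no findings'}")
```

The legacy context is what appears in code bases after someone hits a certificate error with a self-signed test server and "fixes" it in production: the connection is still encrypted, but to whoever answers, so the authentication guarantee described above is gone.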
SSL is a cornerstone of secure communication on the internet. It provides a robust framework for
encrypting data, ensuring data integrity, and authenticating the parties involved in the
communication. The adoption of HTTPS (HTTP Secure) has become a standard practice for websites
that handle sensitive information, contributing to a safer online environment.
SHTTP
Secure HyperText Transfer Protocol (S-HTTP) was published as an experimental standard (RFC 2660,
1999) but never saw significant deployment, and its implementation is nowhere near as prevalent as
Secure Sockets Layer (SSL).
S-HTTP was designed to secure individual messages or documents transmitted over HTTP, a more granular
approach than SSL/TLS. Where SSL/TLS secures the entire transport connection beneath HTTP, S-HTTP lets
the sender choose, per document, whether to encrypt it, sign it, or both. It conveys this
security-related information in additional HTTP headers and by encapsulating the message body, and
because it is an extension of HTTP itself it operates at the application layer of the OSI model. It
was intended for situations where protecting specific documents or messages mattered more than
protecting the whole communication session.
• Limited Adoption:
S-HTTP did not gain widespread acceptance compared to SSL/TLS. The lack of a widely accepted
standard and support in major web browsers contributed to its limited adoption.
• Complexity
While offering document-level security, the approach of S-HTTP introduced complexity for users and
developers. The lack of standardization could lead to interoperability challenges across different
systems.
• SSL/TLS Dominance:
The widespread adoption of SSL/TLS as the standard for securing internet communication
overshadowed the development and implementation of S-HTTP.
In summary, S-HTTP was an early attempt to address security concerns at a more granular level than
SSL/TLS by focusing on securing individual documents or messages. However, due to the dominance
and broader acceptance of SSL/TLS, S-HTTP did not achieve widespread adoption. SSL/TLS,
particularly in the form of HTTPS, remains the standard for securing communication over the
internet.
4.2 Time Stamping Protocol (TSP), Electronic transaction (SET), SSL vs. SET, 3-D Secure
Protocol, Electronic Money, E-mail Security, WAP Security
Time Stamping Protocol (TSP)
Time stamping protocol is a cryptographic method used to verify the existence of digital data at a
specific point in time. It involves a trusted third party, known as a Time Stamp Authority (TSA), which
issues time stamps. These time stamps are essentially certificates that bind a hash of the data to a
specific time, proving that the data existed at or before that time.
1. Data Hashing: The user generates a hash of the data they want to timestamp. A hash is a
fixed-size fingerprint of the data computed with a collision-resistant function such as SHA-256;
the TSA receives only this hash, never the data itself.
2. Time Stamp Request: The user sends a request to the TSA containing the hash and the name of the
hash algorithm (RFC 3161 also allows a random nonce so the response can be tied to this request).
3. Time Stamp Generation: The TSA receives the request and generates a time stamp token. This
token contains: the data hash, a unique serial number, the current time from the TSA's trusted
clock, and a digital signature by the TSA over all of these fields.
4. Time Stamp Verification: To verify the time stamp, the recipient checks the TSA's digital
signature using the TSA's public key (and that the TSA's certificate was valid and authorised for
time stamping). The recipient also recalculates the hash of the data and compares it with the hash
in the time stamp token.
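The four steps above as an added worked example, not from the original notes. It is stdlib-only Python: the JSON token layout and the HMAC "signature" under a shared TSA_KEY are stand-ins for the ASN.1 TSTInfo and CMS signature of RFC 3161, and the fixed clock value in the usage is constructed so the run is reproducible.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed stand-in for the TSA's signing key. A real TSA signs with an RSA/ECDSA private key and
# returns CMS SignedData carrying its certificate; HMAC under a shared key keeps this stdlib-only.
TSA_KEY = b"demo-tsa-signing-key-not-for-production"


def hash_document(data: bytes) -> str:
    """Step 1: the requester hashes locally; only this digest ever leaves the requester."""
    return hashlib.sha256(data).hexdigest()


def build_request(data: bytes) -> dict:
    """Step 2: the request carries the message imprint plus a fresh nonce that ties the reply to it."""
    return {"hash_alg": "sha256", "hash": hash_document(data), "nonce": secrets.token_hex(8)}


def _canonical(tst_info: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash exactly the same bytes.
    return json.dumps(tst_info, sort_keys=True, separators=(",", ":")).encode()


class TimeStampAuthority:
    """Step 3: issues tokens modelled on RFC 3161 TSTInfo (messageImprint, serialNumber, genTime, nonce)."""

    def __init__(self, key: bytes, clock=time.time):
        self._key = key
        self._clock = clock      # injectable so the example is reproducible
        self._serial = 0

    def issue(self, request: dict) -> dict:
        self._serial += 1
        tst_info = {
            "hash_alg": request["hash_alg"],
            "hash": request["hash"],
            "serial": self._serial,
            "gen_time": int(self._clock()),
            "nonce": request["nonce"],
        }
        signature = hmac.new(self._key, _canonical(tst_info), hashlib.sha256).hexdigest()
        return {"tst_info": tst_info, "signature": signature}


def verify_token(token: dict, data: bytes, tsa_key: bytes,
                 expected_nonce: Optional[str] = None) -> tuple[bool, str]:
    """Step 4: check the TSA signature first, then that the token really covers this data."""
    info = token["tst_info"]
    expected = hmac.new(tsa_key, _canonical(info), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        return False, "signature invalid: token fields were altered or not issued by this TSA"
    if info["hash_alg"] != "sha256" or info["hash"] != hash_document(data):
        return False, "hash mismatch: the data differs from what was time-stamped"
    if expected_nonce is not None and info["nonce"] != expected_nonce:
        return False, "nonce mismatch: token answers a different request"
    return True, f"data existed at or before {info['gen_time']} (serial {info['serial']})"


if __name__ == "__main__":
    tsa = TimeStampAuthority(TSA_KEY, clock=lambda: 1_700_000_000)   # constructed fixed time
    document = b"constructed contract text, version 1"
    request = build_request(document)
    token = tsa.issue(request)
    print(verify_token(token, document, TSA_KEY, request["nonce"]))
    print(verify_token(token, document + b" (edited)", TSA_KEY, request["nonce"]))
```

Checking the signature before the hash matters: a token whose gen_time has been edited after issue must fail on the signature, not be accepted because the hash still matches.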
Key Points:
Trusted Third Party: The TSA plays a crucial role in ensuring the integrity of the time stamping
process.
Hashing: Hashing ensures that the data has not been tampered with since the time stamp was
generated.
Digital Signatures: Digital signatures provide authenticity and non-repudiation, guaranteeing that the
time stamp was issued by the TSA.
Legal and Regulatory Compliance: Proving the existence of documents at a specific time for legal
purposes. Meeting regulatory requirements for data retention and audit trails.
Digital Signatures: Ensuring that a digital signature was valid at the time it was created.
Intellectual Property Protection: Proving the creation date of intellectual property, such as software
or creative works.
Secure Electronic Transaction (SET)
SET is a security protocol that enhances the security and integrity of online payments, especially
those made with debit and credit cards. It protects electronic payments by encrypting card details
and authenticating the parties through digital certificates, so that only authorised parties can
access sensitive information and transactions cannot be tampered with. SET is not a payment system
but a security framework that can be layered on existing payment systems. It is founded on Public
Key Infrastructure (PKI): public and private key pairs secure the data through encryption and
digital signatures, and digital certificates bind those keys to the identities of the parties
engaged in the transaction.
SET participants
1. Cardholder
A cardholder is a consumer who holds a payment card from an issuer and uses it to buy goods or
services from merchants over the internet.
2. Merchant
A merchant is an entity that sells goods or services to cardholders. To accept online payments,
merchants must establish a relationship with an acquirer, which allows them to process payment
transactions from customers securely.
3. Issuer
An issuer is a financial organisation, such as a bank, that provides payment cards to cardholders.
Issuers are responsible for managing the debt incurred by the cardholder.
4. Acquirer
An acquirer is the financial institution that holds the merchant's account, processes the
merchant's authorisation and capture requests, and settles with the issuer through the card network.
5. Payment Gateway
A payment gateway, operated by or for the acquirer, is the bridge between SET and the card payment
networks. It handles communication between merchants and acquirers for payment authorisation and
capture, and it is the only party besides the cardholder that can read the payment instructions.
6. Certification Authority
A certification authority issues the digital certificates that cardholders, merchants and payment
gateways use to identify themselves to one another within SET.
SET transaction steps
1. Cardholder Account
You must open a credit card account with a bank supporting electronic payments and the SET
protocol. You can visit the bank's website or contact customer service to do so.
2. Cardholder Certificate
Your card issuer then provides you with a digital certificate that binds your identity and public
key to the card (cardholder certificates are described in more detail below).
3. Merchant Certificate
To establish trustworthiness, merchants also obtain a digital certificate. This certificate verifies
their identity and allows them to accept cards from certain issuers for secure electronic
transactions.
4. Placing an Order
Browse the merchant's website and select the items you wish to buy. This creates a record of your
order on the merchant's site.
5. Merchant Verification
To prove authenticity, the merchant sends you its digital certificate (and the payment gateway's
certificate) along with the order details. This lets your software check that it is dealing with a
valid, authorised merchant.
6. Sending Order and Payment Information
Next, you securely transmit your order information and payment information to the merchant, signed
with the private key belonging to your digital certificate for identification. The payment
information is encrypted for the payment gateway, so the merchant cannot read it, but the merchant
can read the order information and verify your identity through your certificate.
7. Authorisation Request
The merchant forwards the encrypted payment details to the payment gateway through the acquirer and
requests payment authorisation. The payment gateway acts as an intermediary between the merchant and
your card issuer.
8. Authorisation
The payment gateway verifies your card information with the issuer, which authorises or rejects the
payment request. This step confirms that your card is valid and has sufficient funds or credit.
9. Order Confirmation
Upon successful payment authorisation, the merchant confirms the order, providing payment
authorisation details and purchase information.
10. Delivery
Once the order is confirmed, the merchant provides the requested goods or services. This can
include shipping physical products or granting access to digital content.
11. Payment Capture
Finally, after providing the goods or services, the merchant requests payment (capture) from the
payment gateway. The gateway interacts with the financial organisations involved, including the card
issuer, the acquirer and the clearing house, to transfer funds from your account to the merchant's
account.
Digital certificates are issued by trusted third parties called Certificate Authorities, which verify
the identity and public key of the certificate holder. Cardholder certificates are assigned to you
by your card issuer, such as a bank or credit card company. They contain your name and public key
together with a blinded hash of your account number and expiry date, so the card number itself is
not exposed by the certificate. Cardholder certificates allow you to prove your identity and payment
credentials to merchants and payment gateways, reducing the threat of fraud and identity theft.
Dual signatures bind the two halves of a purchase together. The cardholder computes a digest of the
order information (OI) and a digest of the payment information (PI), concatenates the two digests,
hashes the result and signs it with the private key from the cardholder certificate. The OI is
encrypted for the merchant together with the PI digest; the PI is encrypted for the payment gateway
(run by the acquirer) together with the OI digest. The merchant can therefore verify that the order
is bound to a payment it never reads, the gateway can verify that the payment is bound to an order
whose contents it never learns, and neither party can substitute a different order or payment
without breaking the signature.
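The dual signature described above, as an added example in Python (not from the original notes or the SET specification). The order and payment strings are constructed sample data, and the HMAC under CARDHOLDER_KEY stands in for the RSA signature made with the cardholder's private key and checked with the public key from the cardholder certificate; the encryption of each half for its recipient is left out so the linkage itself is visible.

```python
import hashlib
import hmac

# Constructed stand-in for the cardholder's signing key (in SET: an RSA private key, with the
# matching public key published in the cardholder certificate).
CARDHOLDER_KEY = b"demo-cardholder-signing-key"

# Constructed sample data; the PAN is the standard test number, not a real card.
ORDER_INFO = b"merchant=shop.example;item=SKU-42;amount=49.99;currency=EUR"
PAYMENT_INFO = b"pan=4111111111111111;exp=12/29;amount=49.99;currency=EUR"


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_dual_signature(order_info: bytes, payment_info: bytes, key: bytes) -> dict:
    """Cardholder side: DS = Sign( H( H(PI) || H(OI) ) ), then split what each recipient gets."""
    pimd = digest(payment_info)      # payment information message digest
    oimd = digest(order_info)        # order information message digest
    pomd = digest(pimd + oimd)       # payment-order message digest
    dual_sig = hmac.new(key, pomd, hashlib.sha256).digest()
    return {
        # Merchant receives OI in clear plus only the digest of PI.
        "to_merchant": {"order_info": order_info, "pimd": pimd, "dual_sig": dual_sig},
        # Payment gateway receives PI in clear plus only the digest of OI.
        "to_gateway": {"payment_info": payment_info, "oimd": oimd, "dual_sig": dual_sig},
    }


def merchant_verify(order_info: bytes, pimd: bytes, dual_sig: bytes, key: bytes) -> bool:
    """Merchant confirms the order it can read is bound to a payment it cannot read."""
    expected = hmac.new(key, digest(pimd + digest(order_info)), hashlib.sha256).digest()
    return hmac.compare_digest(expected, dual_sig)


def gateway_verify(payment_info: bytes, oimd: bytes, dual_sig: bytes, key: bytes) -> bool:
    """Gateway confirms the payment it can read is bound to an order it never learns."""
    expected = hmac.new(key, digest(digest(payment_info) + oimd), hashlib.sha256).digest()
    return hmac.compare_digest(expected, dual_sig)


if __name__ == "__main__":
    bundle = make_dual_signature(ORDER_INFO, PAYMENT_INFO, CARDHOLDER_KEY)
    m, g = bundle["to_merchant"], bundle["to_gateway"]
    print("merchant:", merchant_verify(m["order_info"], m["pimd"], m["dual_sig"], CARDHOLDER_KEY))
    print("gateway: ", gateway_verify(g["payment_info"], g["oimd"], g["dual_sig"], CARDHOLDER_KEY))
    # A merchant that edits the amount in the order breaks its own verification.
    print("tampered:", merchant_verify(b"amount=499.99", m["pimd"], m["dual_sig"], CARDHOLDER_KEY))
```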
SET activates your digital wallet through a password-based self-authentication process to enable
secure payments. After authentication, your device sends the purchase and payment details to the
merchant. Upon successful authentication, the issuing bank provides payment authorisation to the
acquiring bank, hence informing the merchant of the success of the transaction.
SSL vs. SET
Scope: SSL secures the communication channel between browser and server; the merchant handles both
order and payment details. SET secures the card payment itself and hides the customer's card details
from the merchant.
Origin: SSL was developed by Netscape for secure online communication. SET was developed by
MasterCard and Visa for safe card payments.
Verification: SSL normally requires only that the server's certificate be verified against a CA;
the client is usually not authenticated. SET requires certificates for cardholder, merchant and
payment gateway, verified by both CAs and the financial institutions.
Applicability: SSL can secure email, websites and other applications. SET is limited to online
financial transactions.
Merchant visibility: Under SSL the merchant can view the cardholder's payment information. Under
SET the card details are hidden from the merchant, preserving privacy.
Implementation: SSL is easy to implement and suitable for small businesses. SET is harder to
implement and more expensive to set up.
Key strength: Under SSL, key strength depends on the cipher suite negotiated (export-grade 40-bit
ciphers were still common when SET was introduced). SET mandates 1024-bit RSA keys for its
signatures and digital envelopes.
3-D Secure Protocol
3-D Secure (3DS) is a security protocol that allows a cardholder to be authenticated by the card
issuer during a card-not-present (online) transaction, adding a layer of security beyond the card
number, expiry date and CVV. It was created so that cardholders can prove their identity, reducing
payment fraud, unlawful transactions and chargebacks, and is often described as "two-factor
authentication" for online payments. The three domains of the name are the acquirer (merchant)
domain, the issuer domain and the interoperability domain of the card network that connects them.
Common authentication methods include:
One-Time Password (OTP): receiving a code via SMS, email or the bank's app and entering it on the
issuer's challenge page.
3. Authorization: If the authentication succeeds, your bank authorizes the transaction and you are
redirected back to the merchant's website to complete the purchase.
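The OTP challenge described above, as an added example of the issuer-side logic (not from the original notes or any 3DS implementation). OtpChallengeService, its time limit and attempt cap, and the injectable clock are assumptions made for this example; delivering the code over SMS or an app is outside the block.

```python
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # challenge must be answered within five minutes (assumed limit)
MAX_ATTEMPTS = 3        # then decline rather than let a six-digit code be guessed (assumed limit)


@dataclass
class Challenge:
    transaction_id: str
    code: str
    expires_at: float
    attempts: int = 0


class OtpChallengeService:
    """Issuer-side handling of the OTP step; the clock is injectable so tests are reproducible."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, Challenge] = {}

    def issue(self, transaction_id: str) -> str:
        # Drawn from the OS CSPRNG, never derived from the transaction or card data.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[transaction_id] = Challenge(transaction_id, code,
                                                  self._clock() + OTP_TTL_SECONDS)
        return code  # delivered to the cardholder out of band; the merchant never sees it

    def verify(self, transaction_id: str, submitted: str) -> tuple[bool, str]:
        ch = self._pending.get(transaction_id)
        if ch is None:
            return False, "no-challenge"          # unknown, already consumed, or already locked
        if self._clock() > ch.expires_at:
            del self._pending[transaction_id]
            return False, "expired"
        ch.attempts += 1
        if secrets.compare_digest(ch.code.encode(), submitted.strip().encode()):
            del self._pending[transaction_id]     # single use: a replayed code must not work
            return True, "authenticated"
        if ch.attempts >= MAX_ATTEMPTS:
            del self._pending[transaction_id]
            return False, "locked"
        return False, "wrong-code"


if __name__ == "__main__":
    service = OtpChallengeService()
    code = service.issue("txn-demo")          # would be sent to the cardholder's phone
    print(service.verify("txn-demo", "000000"))
    print(service.verify("txn-demo", code))
    print(service.verify("txn-demo", code))   # replay is refused
```

The comparison is constant-time and the challenge is removed on success, on lock-out and on expiry, so the failure modes that matter for a payment challenge (guessing, replay, stale codes) all end in a decline.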
Benefits of 3D Secure
Reduced Fraud: By adding an extra layer of security, 3D Secure significantly reduces the risk of
unauthorized transactions.
Increased Trust: For both merchants and customers, 3D Secure builds trust in online transactions.
Reduced Chargebacks: If a transaction is flagged as potentially fraudulent, 3D Secure can help reduce
chargebacks for merchants.
Liability Shift: In many cases, 3D Secure shifts the liability for fraudulent transactions from the
merchant to the card issuer.
Electronic Money
Electronic money, also known as e-money, is monetary value stored electronically (on a card, a device
or a server) that represents a claim on its issuer, is issued on receipt of funds and is accepted as
payment by parties other than the issuer. It is denominated in and redeemable for fiat currency, and
issuers are licensed and supervised by financial regulators.
Funding: To use e-money, you need to fund your electronic wallet. This can be done by transferring
funds from your bank account or by exchanging cash for e-money.
Storage: The e-money is stored on a digital device, such as a smartphone, smart card, or computer.
Transactions: You can use your e-money to make purchases online or in-store. When you make a
purchase, the e-money is transferred from your electronic wallet to the merchant's account.
Types of e-money:
Prepaid cards: These are cards that are loaded with a specific amount of money. They can be used for
online purchases, in-store purchases, or to withdraw cash from ATMs.
Mobile wallets: These are apps that allow you to store and use e-money on your smartphone. They
can be used for a variety of purposes, such as making online purchases, paying bills, and transferring
money to other people.
Cryptocurrencies: These are decentralized digital currencies that are not issued or backed by any
government or central bank. They are often grouped with e-money in everyday usage, but because they
are not a claim on a regulated issuer they fall outside the legal definition above. They are used
for online transactions and for investment.
Advantages of e-money:
Convenience: E-money is easy to use and can be used for a variety of purposes.
Security: E-money cannot be lost or stolen the way physical cash can, and transactions leave an
audit trail; the trade-off is that a wallet is only as secure as the credentials and device that
control it.
Efficiency: E-money transactions are typically faster and more efficient than traditional payment
methods.
Cost-effective: E-money can be a cheaper way to make payments, as transaction costs are often lower
than for card processing or cash handling.
Disadvantages of e-money:
Technical issues: E-money transactions can be disrupted by technical problems, such as power
outages or internet connectivity issues.
Regulation: The use of e-money is subject to government regulation, which can change over time.
Email security
Email security refers to the measures that protect email messages, and the information they
contain, from unauthorized access, loss and damage. It covers the confidentiality, integrity and
availability of email, as well as defence against phishing attacks, spam, viruses and other forms of
malware. It is achieved through a combination of technical and non-technical measures.
Standard technical measures include encrypting email messages to protect their contents, digital
signatures to verify the authenticity of the sender, and filtering systems to block unwanted email
and malware. Non-technical measures include training employees to recognize and respond to phishing
attacks and other email threats, establishing policies and procedures for email use and management,
and conducting regular security audits to identify and address vulnerabilities.
Protection Against Cyberattacks: Email is a top target for cybercriminals. Malware, phishing attacks
and other threats commonly arrive via email; industry breach reports have attributed as much as 94%
of malware delivery to email. By implementing robust email security measures, organizations can
defend against these threats.
Reducing Risk: Cybersecurity incidents can have devastating consequences, including financial losses,
operational disruptions, and damage to an organization’s reputation. Effective email security helps
protect your brand, reputation, and bottom line.
Compliance: Email security ensures compliance with data protection laws like GDPR and HIPAA. By
safeguarding sensitive information, organizations avoid legal fines and other intangible costs
associated with cyberattacks.
Productivity Enhancement: With email security in place, disruptions caused by threats like phishing
emails are minimized. This allows organizations to focus more on business growth and less on
handling security incidents.
Shielding Against Phishing and Spoofing Attacks: Email security helps detect and block phishing and
spoofing, attacks that frequently lead to breaches and to malware infection.
Locking Down Data: Email encryption keeps sensitive information, such as card numbers, bank account
details and employee records, from being read in transit or at rest, reducing accidental leaks and
costly data breaches.
Confidentiality of Messages: End-to-end encryption ensures that only the intended recipients can read
a message, even if it is intercepted on the network or stored on a compromised server.
Filtering Malicious Mail: Modern filters inspect sender reputation, content and attachments to stop
malicious and spam messages that simple rules would miss, including advance-fee and lottery scams.
Protecting Intellectual Property: Intellectual property, financial records and other confidential
data exchanged by email are shielded from attackers.
Real-Time Protection: Email security solutions scan messages as they arrive, sandbox attachments and
rewrite links, which limits exposure even to previously unseen malware; no product can promise to
stop every zero-day exploit.
Limiting Credential Theft: Authenticating senders, filtering credential-harvesting pages and
encrypting mail make it harder for attackers to capture login credentials or personal data, which
reduces account takeover and identity theft.
Choose a secure password: Password must be at least 12 characters long, and contains uppercase
and lowercase letters, digits, and special characters.
Two-factor authentication: Activate the two-factor authentication, which adds an additional layer of
security to your email account by requiring a code in addition to your password.
Use encryption: It encrypts your email messages so that only the intended receiver can decipher
them. Email encryption can be done by using the programs like PGP or S/MIME.
Keep your software up to date. Ensure that the most recent security updates are installed on your
operating system and email client.
Beware of phishing scams: Attackers impersonate someone you trust in order to steal personal
information. Treat emails that request private information, create urgency, or contain unexpected
links or attachments as suspect, and verify through a separate channel before acting on them.
Choose a trustworthy email service provider: Search for a service provider that protects your data
using encryption and other security measures.
Use a VPN: A VPN encrypts the connection between your device and the VPN provider and hides your IP
address from the networks you pass through, which protects email traffic on untrusted Wi-Fi. It does
not protect the message beyond the VPN endpoint; for that you rely on TLS to the mail server and on
end-to-end encryption such as PGP or S/MIME.
Update your email applications regularly: People now frequently access email through apps, and
these apps have vulnerabilities like any other software. An attacker can use an unpatched flaw to
take over accounts, steal data or send spam from them, so keep email clients and mobile apps up to
date.
WAP Security
WAP, the Wireless Application Protocol, was first published by the WAP Forum in the late 1990s (WAP
1.0 in 1998). It offers Internet communications over wireless devices such as mobile phones.
WAP Model
On the mobile device, the user opens the micro browser and requests a web page. The device sends
the URL request to a WAP gateway over the wireless network using the WAP protocol stack. The gateway
translates it into a conventional HTTP request and forwards it over the internet. The web server
accepts and processes the request and returns the response as a WML file; the gateway encodes the
WML into its compact binary form and sends it to the device, where the browser displays it.
The Wireless Session Protocol (WSP) determines whether the session between the device and the
network is connection-oriented or connectionless, and offers session suspension and fast
reconnection. In a connection-oriented session data passes both ways between network and device, and
WSP hands its packets down to the next layer, the Wireless Transaction Protocol (WTP). The
connectionless session is commonly used when information is streamed or broadcast from the network
to the device; here WSP passes packets straight to the Wireless Datagram Protocol (WDP) layer.
The Wireless Transaction Protocol (WTP) offers transaction support (request/response with
acknowledgement and retransmission) in the role that TCP plays on the wired internet, but it is much
lighter and is not part of TCP/IP: it runs over WDP, or over WTLS when security is enabled, and on
IP bearers WDP is simply UDP.
The Wireless Transport Layer Security (WTLS) layer provides data integrity, privacy and
authentication for the wireless leg. It is derived from TLS 1.0, adapted for low-bandwidth,
high-latency datagram links, with its own certificate format and cipher suites. The caveat a
practitioner needs is that WTLS runs only between the handset and the WAP gateway: the gateway
decrypts WTLS and re-encrypts the traffic with ordinary TLS towards the web server, so the gateway
sees all data in the clear (the "WAP gap"), which is why WAP 2.0 moved to end-to-end TLS over
WP-TCP.
The Wireless Datagram Protocol (WDP) works in conjunction with the network carrier layer and
presents a consistent datagram interface to the higher layers of the WAP protocol stack regardless
of the underlying bearer.
Components of WAP
There are three major components of the WAP, which are as follows:
1. Protocol Support
IP networks (WAP 2.0): supported protocols include HTTP (the wireless profile known as WP-HTTP), TLS,
and the wireless profiled version of TCP (known as WP-TCP).
Non-IP networks (WAP 1.x): the stack of four layers described above: Wireless Transport Layer
Security, Wireless Datagram Protocol, Wireless Session Protocol and Wireless Transaction Protocol.
2. Application Environment
WML Specification: WML stands for Wireless Markup Language, an XML-based markup language; WAP 2.0
added XHTML Mobile Profile alongside it.
WMLScript Specification: A scripting language that is used for running code on clients.
WAP Micro Browser: A browser designed specifically for WAP devices, which lets them operate in a
limited-resource environment (small screen, little memory, narrow bandwidth).
3. Services and Capabilities
Customization of User Profile: On the basis of client device capabilities and user preferences, WAP
enables servers to customize content delivered to users.
Telephony Support: Wireless application protocol allows telephone services to be operated from
within a data environment. As a result, WAP phones can function as web devices and integrated
voice.