HTTP Protocol
• Hyper Text Transfer Protocol
• Used on the Internet
• Based on Request-Response Model
Static Web Page
Web Browser <-> Web Server
Step 1: HTTP Request (Web Browser to Web Server)
Step 2: HTTP Response (Web Server to Web Browser)
Sample HTTP Interaction
Web Browser <-> Web Server
HTTP Request
GET /files/new/image1 HTTP/1.1
Accept: image/gif
Accept: image/jpeg
HTTP Response
HTTP/1.1 200 OK
Date: Tue, 19-06-02 15:58:10 GMT
Server: MyServer
Content-length: 3010
… (Actual data for the image)
Dynamic Web Page
• Client sends HTTP Request
• Server executes a program
• Server sends back an HTTP Response
Dynamic Web Page
Web Browser <-> Web Server
Step 1: HTTP Request
Step 2: Invokes an application program in response to the HTTP request
Step 3: The program executes and produces HTML output
Step 4: HTTP Response
Active Web Page
• Client sends HTTP Request
• Server sends back HTML Page and a
Client-side Program
• Examples: Applet, ActiveX Control
Active Web Page
Web Browser <-> Web Server
Step 1: HTTP Request
Step 2: HTTP Response (contains HTML Page and Small Program)
Step 3: Browser interprets HTML page and also executes the program
TCP/IP
• Transmission Control Protocol/Internet
Protocol
• Convention for communication on the
Internet
• Consists of five layers of software
TCP/IP Layers
Layer Number Layer Name
5 (Highest) Application
4 Transport
3 Internet
2 Data link
1 (Lowest) Physical
TCP/IP Layers - Pictorially
Application Layer
Transport Layer
Internet Layer
Data Link Layer
Physical Layer
TCP/IP Concept
• All layers except physical layer
communicate with adjacent layers on the
same computer
• Physical layer is the only layer where actual
transmission between two computers
happens
TCP/IP Communication
Hosts X and Y are connected through intermediate nodes over a communication link.
Layers at X and Y: Application, Transport, Network, Data Link, Physical
Layers at each intermediate node: Network, Data Link, Physical
Data Exchange using TCP/IP
Layers
X Y
L5 data Application L5 data
L5 data H4 Transport L5 data H4
L4 data H3 Internet L4 data H3
L3 data H2 Data link L3 data H2
010101010100010101010010 Physical 010101010100010101010010
Transmission medium
Secure Socket Layer (SSL)
• World’s most widely used security
mechanism on the Internet
• It provides Authentication and
Confidentiality
• Secures communication between a client
and a server
• Located between the Application and
Transport Layers of TCP/IP protocol suite
Secure Socket Layer (SSL)
• SSL was first used by Netscape.
– To ensure security of data sent through HTTP,
LDAP or POP3.
• Uses TCP to provide reliable end-to-end
secure service.
• In general, SSL can be used for secure data
transfer for any network service running
over TCP/IP.
Position of SSL in TCP/IP
Application Layer
SSL Layer
Transport Layer
Internet Layer
Data Link Layer
Physical Layer
Data Exchange including SSL
X Y
L5 data Application L5 data
L5 data SH SSL L5 data SH
L5 data H4 Transport L5 data H4
L4 data H3 Internet L4 data H3
L3 data H2 Data Link L3 data H2
010101010100010101010010 Physical 010101010100010101010010
Transmission medium
SSL Sub-Protocols
• Handshake Protocol
• Record Protocol
• Alert Protocol
SSL Handshake Message Format
Type (1 byte) | Length (3 bytes) | Content (1 or more bytes)
SSL Handshake Messages
Message Type | Parameters
Hello request | None
Client hello | Version, Random number, Session id, Cipher suite, Compression method
Server hello | Version, Random number, Session id, Cipher suite, Compression method
Certificate | Chain of X.509V3 certificates
Server key exchange | Parameters, signature
Certificate request | Type, authorities
Server hello done | None
Certificate verify | Signature
Client key exchange | Parameters, signature
Finished | Hash value
SSL Handshake Process
Web Browser <-> Web Server
1. Establish security capabilities
2. Server authentication and key exchange
3. Client authentication and key exchange
4. Finish
SSL Handshake – Phase 1
Web Browser <-> Web Server
Step 1: Client hello
Step 2: Server hello
SSL Handshake – Phase 2
Web Browser <-> Web Server
Step 1: Certificate
Step 2: Server key exchange
Step 3: Certificate request
Step 4: Server hello done
SSL Handshake – Phase 3
Web Browser <-> Web Server
Step 1: Certificate
Step 2: Client key exchange
Step 3: Certificate verify
SSL Handshake – Phase 4
Web Browser <-> Web Server
Step 1: Change cipher specs
Step 2: Finished
Step 3: Change cipher specs
Step 4: Finished
SSL Record Protocol
Application data
Fragmentation
Compression
Addition of MAC
Encryption
Append header
SSL Record Protocol
Header: Content type | Major version | Minor version | Compressed length
Encrypted part: Plain text (optionally compressed), followed by MAC (0, 16, or 20 bytes)
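The record header and the handshake message format (Type, 1 byte; Length, 3 bytes; Content) described above can be parsed with strict length checks as shown here. This is an added example, not part of the original slides; the numeric type codes, the 2-byte record length field and the length limit are the SSL 3.0 wire values, and the sample bytes are constructed.

```python
import struct

# Wire values of SSL 3.0 content types and handshake message types
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {
    0: "hello_request", 1: "client_hello", 2: "server_hello",
    11: "certificate", 12: "server_key_exchange",
    13: "certificate_request", 14: "server_hello_done",
    15: "certificate_verify", 16: "client_key_exchange", 20: "finished",
}
MAX_RECORD = 2 ** 14 + 2048  # largest protected fragment SSL 3.0 allows


def parse_record(buf):
    """Split one record off buf; return (header, payload, remaining bytes)."""
    if len(buf) < 5:
        raise ValueError("truncated record header")
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    if ctype not in CONTENT_TYPES:
        raise ValueError("unknown content type %d" % ctype)
    if length > MAX_RECORD or len(buf) < 5 + length:
        raise ValueError("bad or truncated record length %d" % length)
    header = {"type": CONTENT_TYPES[ctype], "version": (major, minor),
              "length": length}
    return header, buf[5:5 + length], buf[5 + length:]


def parse_handshake(payload):
    """Return [(message name, content)] for Type(1) | Length(3) | Content."""
    messages = []
    while payload:
        if len(payload) < 4:
            raise ValueError("truncated handshake header")
        length = int.from_bytes(payload[1:4], "big")
        if len(payload) < 4 + length:
            raise ValueError("handshake length runs past the record")
        name = HANDSHAKE_TYPES.get(payload[0], "unknown(%d)" % payload[0])
        messages.append((name, payload[4:4 + length]))
        payload = payload[4 + length:]
    return messages


# Constructed sample: one unencrypted SSL 3.0 handshake record holding a
# certificate request (4 content bytes) and a server hello done (no content).
SAMPLE = bytes([22, 3, 0, 0, 12,  13, 0, 0, 4, 1, 1, 0, 0,  14, 0, 0, 0])
```

Both parsers reject a length field that points past the available bytes, which is the check a record or handshake parser most often gets wrong.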
SHTTP
• Not as popular as SSL
• Encrypts individual messages
• Almost obsolete
SHTTP and SSL Positions
Application Layer, SHTTP
SSL Layer
Transport Layer
Internet Layer
Data Link Layer
Physical Layer
Time Stamping Protocol (TSP)
• Digital version of a notary service
• Prove that a document existed at a specific
date and time
• Time Stamping Authority (TSA) is used
Time Stamping Protocol – Step 1
Client: Original message -> Message Digest Algorithm -> Message Digest
Time Stamping Protocol – Step 2
Step 2: Time Stamping Request, carrying the Message Digest (Client to TSA)
Time Stamping Protocol – Step 3
Step 3: Time Stamping Response (TSA to Client)
Secure Electronic Transaction
(SET)
• Used for securing credit card payments on
the Internet
• Merchant does not get to know the credit
card details of the cardholder
• Requires software set up on the client as
well as server
SET – Dual Signature Concept
PI -> H -> PIMD
OI -> H -> OIMD
PIMD + OIMD -> H -> POMD -> E -> Dual Signature (DS)
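The dual signature construction above, worked through so that the merchant can check DS without seeing PI and the payment gateway can check it without seeing OI. This is an added example, not part of the original slides; SHA-1 stands in for H, textbook RSA with a deliberately tiny toy key stands in for E, and the PI and OI values are constructed.

```python
import hashlib

# Toy RSA key for the cardholder (assumption, for illustration only): built
# from the Mersenne primes 2^127-1 and 2^89-1, far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def H(data):
    return hashlib.sha1(data).digest()


def make_dual_signature(pi, oi):
    """Cardholder: DS = E_private( H( H(PI) || H(OI) ) )."""
    pimd, oimd = H(pi), H(oi)
    pomd = H(pimd + oimd)
    return pow(int.from_bytes(pomd, "big"), D, N), pimd, oimd


def check_ds(ds, pimd, oimd):
    """Recompute POMD from the two digests and compare with the opened DS."""
    pomd = int.from_bytes(H(pimd + oimd), "big")
    return pow(ds, E, N) == pomd


def merchant_verify(oi, pimd, ds):
    """Merchant receives OI and PIMD only, never PI."""
    return check_ds(ds, pimd, H(oi))


def gateway_verify(pi, oimd, ds):
    """Payment gateway receives PI and OIMD only, never OI."""
    return check_ds(ds, H(pi), oimd)


# Constructed sample data
PI = b"card=CONSTRUCTED-0000;amount=100"
OI = b"order=42;item=book;amount=100"
```

Because POMD binds both digests, changing either the order or the payment instruction after signing makes both verifications fail.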
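SET Model
Participants: Certificate Authority Group, Certificate Authority A, Certificate Authority B, Merchant, Cardholder, Payment Gateway
Certificate Authority Group to Certificate Authority A and Certificate Authority B: "You can act as a CA"
Merchant and Certificate Authority A: Request for a certificate, Merchant's Certificate
Cardholder and Certificate Authority B: Request for a certificate, Cardholder's Certificate
Certificate verification: "Please verify the cardholder's certificate", "Please verify the merchant's certificate"
Cardholder and Merchant: Purchase Request, Purchase Response
Merchant and Payment Gateway: Authorization Request, Authorization Response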
SSL versus SET
Issue | SSL | SET
Main aim | Exchange of data in an encrypted form | E-commerce related payment mechanism
Certification | Two parties exchange certificates | All the involved parties must be certified by a trusted third party
Authentication | Mechanisms in place, but not very strong | Strong mechanisms for authenticating all the parties involved
Risk of merchant fraud | Possible, since customer gives financial data to merchant | Unlikely, since customer gives financial data to payment gateway
Risk of customer fraud | Possible, no mechanisms exist if a customer refuses to pay later | Customer has to digitally sign payment instructions
Action in case of customer fraud | Merchant is liable | Payment gateway is liable
Practical usage | High | Low at the moment, expected to grow
Electronic Money
• Digital version of money
• Takes the form of computer disk files
• Can be identified/anonymous, online/offline
Model of Electronic Money
Customer and Bank:
1. The customer opens an account with the bank as usual.
2. When the customer needs some electronic money (say $100), he sends an email to the bank, requesting for the same. This email is encrypted.
3. The bank authenticates the message, and when sure, debits the customer’s account with the amount requested for.
4. The bank sends the money as a computer file (which contains an extremely huge random number) to the customer. This file is also encrypted. The amount could come in multiple denominations (say 10 files, each representing $10).
Customer and Merchant: When the customer wants to make purchases using electronic money, he sends the necessary file(s) to the merchant. This data exchange is also encrypted.
Merchant and Bank: The merchant then sends the file(s) to the bank, which verifies them, and credits the merchant’s account with that much of money.
Electronic Money – Step 1
Bank: $100 (original message) -> Encrypt with Bank’s private key -> Encrypt with customer’s public key -> %^^A (twice-encrypted data), sent to the Customer
Electronic Money – Step 2
Customer: %^^A (received message) -> Decrypt with customer’s private key -> Decrypt with bank’s public key -> $100 (original message)
Identified Electronic Money
• Bank can track customer’s spending
• Can lead to privacy concerns
• Very simple to implement
Identified Electronic Money
1. Bank generates the serial number and sends it along with the electronic money to the customer. (Bank -> Customer: $100, SR100)
2. The customer spends the money – so the merchant has it now. (Customer -> Merchant: $100, SR100)
3. The merchant now wants to encash the electronic money from the bank. The money still has the same serial number. (Merchant -> Bank: $100, SR100)
Anonymous Electronic Money
• Bank cannot track customer’s spending
• Safe from privacy concerns
• Slightly complex to implement
Anonymous Electronic Money
1. The customer generates a random number, and from it, creates another number called the blinded number. (Customer: original number PQP1, blinded number 8A8C)
2. The customer sends the blinded number to the bank. (Customer -> Bank: 8A8C)
3. The bank sends the electronic money along with the blinded number to the customer. (Bank -> Customer: $100, 8A8C)
4. During an actual transaction, the customer does not use the blinded number. Instead, he uses the original number. (Customer -> Merchant: $100, PQP1)
5. The merchant and the bank now have the original number – they cannot trace the money, as they do not know the relationship between the original number and the blinded number! (Merchant -> Bank: $100, PQP1)
Double Spending Problem
• Customer can spend the same piece of
electronic money more than once
• Who is liable in such a fraud?
• Dangerous – best avoided
Double Spending Problem
Customer spends the money once: $10 to Merchant 1
Customer spends the same money again: $10 to Merchant 2
Bank: STOP!!!
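The blinded number of the Anonymous Electronic Money slides and the bank-side check that stops double spending can be shown together. This is an added example, not part of the original slides: Chaum-style RSA blind signatures are one standard way to realise the blinded number and are an assumption here (the slides name no scheme), as are the toy key, the Bank class and the function names.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key for the bank (assumption, for illustration only): built from
# the Mersenne primes 2^127-1 and 2^89-1, far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def digest(serial):
    """Map the customer's original number to an integer below N."""
    return int.from_bytes(hashlib.sha1(serial).digest(), "big")


class Bank:
    def __init__(self):
        self.spent = set()  # original numbers already deposited

    def sign_blinded(self, blinded):
        """Issue money on the blinded number; the original stays unseen."""
        return pow(blinded, D, N)

    def deposit(self, serial, sig):
        """Accept a coin once; reject forgeries and double spending."""
        if pow(sig, E, N) != digest(serial):
            return "invalid"
        if serial in self.spent:
            return "double-spend"
        self.spent.add(serial)
        return "ok"


def withdraw(bank, serial):
    """Customer: blind the number, have it signed, unblind the signature."""
    while True:
        r = secrets.randbelow(N - 2) + 2  # random blinding factor
        if gcd(r, N) == 1:
            break
    blinded = (digest(serial) * pow(r, E, N)) % N  # all the bank ever sees
    blind_sig = bank.sign_blinded(blinded)
    sig = (blind_sig * pow(r, -1, N)) % N  # bank's signature on the original
    return blinded, sig
```

The bank can verify its own signature at deposit time yet cannot link the deposited number to the blinded value it signed, and the set of spent numbers is what catches the second deposit of the same coin.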
Email concept
• Consists of two main parts
– Header
– Body
• Securing emails
– PEM
– PGP
– S/MIME
Email Header and Body
Headers:
From: John Smith ([email protected])
To: Cherry ([email protected])
Subject: Accepting the offer
Date: 4 March 2002
Body:
Dear Cherry,
I have decided to accept your offer.
Regards.
John
Simple Mail Transport Protocol
(SMTP)
• Protocol in TCP/IP Application Layer
• Used for email communication between
email servers of the sender and the receiver
• Simple to understand
Email Transmission using SMTP
Sender -> (Email) -> Sender’s SMTP server -> (Email, over the Internet) -> Receiver’s SMTP server -> (Email, Pull) -> Receiver
Email Example
S: 220 hotmail.com Simple Mail Transfer Service Ready
C: HELO yahoo.com
S: 250 hotmail.com
S: 250 OK
S: 250 OK
S: 250 OK
C: DATA
S: 354 Start mail input; end with <CR><LF><LF>
C: … actual contents of the message …
C: ……
C: ……
C: <CR><LF><LF>
S: 250 OK
C: QUIT
S: 221 hotmail.com Service closing transmission channel
PEM Security Features
Privacy Enhanced Mail (PEM): Encryption, Non-repudiation, Message integrity
PEM Operations
1. Canonical Conversion
2. Digital Signature
3. Encryption
4. Base 64 encoding
Base-64 Encoding Concept
Input bit stream: 01010101010101000011000101011111001001…
Divided into 24-bit blocks: 01010101… 00010101 … 00010101 …
Each 24-bit block divided into four 6-bit blocks: 010101 010000 111110 001011
6-bit block mapped to 8-bit block: 01010110 01000011 11111010 00101100
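The 24-bit block to four 6-bit blocks mapping described above, written out by hand and checked against the standard library. This is an added example, not part of the original slides; it goes one step further than the slide by handling input whose length is not a multiple of three bytes ("=" padding), and the function name is hypothetical.

```python
import base64

# The standard Base-64 alphabet: index 0..63 -> one printable 8-bit character
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz0123456789+/")


def b64_encode(data):
    out = []
    for i in range(0, len(data), 3):
        block = data[i:i + 3]
        pad = 3 - len(block)  # 0, 1 or 2 missing bytes in the last block
        # Pack up to three bytes into one 24-bit integer, zero-filled
        n = int.from_bytes(block + b"\x00" * pad, "big")
        # Split the 24 bits into four 6-bit values, most significant first
        sextets = [(n >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        chars = [ALPHABET[s] for s in sextets]
        if pad:
            # Characters that carry only filler bits are replaced by "="
            chars[4 - pad:] = "=" * pad
        out.append("".join(chars))
    return "".join(out)


def matches_stdlib(data):
    """Cross-check the hand-written encoder against base64.b64encode."""
    return b64_encode(data) == base64.b64encode(data).decode("ascii")
```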
PGP Security Features
Privacy Enhanced Mail (PGP): Encryption, Non-repudiation, Message integrity
PGP Operations
1. Digital Signature
2. Compression
3. Encryption
4. Enveloping
5. Base 64 encoding
Lempel-Ziv Algorithm (Zip)
Original string: What is your name? My name is Atul.
Variable creation and assignment: 1. A = is 2. B = name
Compressed string: What 1 your 2? My 2 1 Atul.
Multipurpose Internet Mail
Extensions (MIME)
• Traditional email communication is text-
only
• Modern email communication demands
multimedia (sound, video, pictures, etc)
• Enhancements provided in the form of
MIME
MIME Extensions to Email
From: Atul Kahate <[email protected]>
To: Amit Joshi <[email protected]>
Subject: Cover image for the book
MIME-Version: 1.0
Content-Type: image/gif
<Actual image data in the binary form such as R019a0asdjas0 …>
S/MIME Content Types
Type | Sub-type | Description
Multipart | Signed | A clear signed message consisting of the message and the digital signature.
Application | PKCS#7 MIME Signed Data | A signed MIME entity.
Application | PKCS#7 MIME Enveloped Data | An enveloped MIME entity.
Application | PKCS#7 MIME Degenerate Signed Data | An entity that contains only digital certificates.
Application | PKCS#7 Signature | The content type of the signature subpart of a multipart/signed message.
Application | PKCS#10 MIME | A certificate registration request.
S/MIME Functionalities
Functionality | Description
Enveloped data | Consists of encrypted content of any type, and the encryption key encrypted with the receiver’s public key.
Signed data | Consists of a message digest encrypted with the sender’s private key. The content and the digital signature are both Base-64 encoded.
Clear-signed data | Similar to Signed data. However, only the digital signature is Base-64 encoded.
Signed and Enveloped data | Signed-only and Enveloped-only entities can be combined, so that the Enveloped data can be signed, or the Signed/Clear-signed data can be enveloped.
Wireless Security
• Wireless communication protocols are
becoming popular
• Concerns regarding wireless security are
being raised
• How to secure Wireless Application
Protocol (WAP)?
Mobile Phone and Internet
Mobile phone -> (WAP Request) -> WAP Gateway -> (HTTP Request) -> Web (Origin) server
Web (Origin) server -> (HTTP Response) -> WAP Gateway -> (WAP Response) -> Mobile phone
WAP Security
• Wireless Transport Layer Security (WTLS)
• Similar to SSL in concept
• Conversions between WTLS and SSL lead
to security concerns
WAP Stack
Application Layer (WAE)
Session Layer (WSP)
Transaction Layer (WTP)
Security Layer (WTLS)
Transport Layer (WDP)
Physical Layer (Wireless)
WTLS Security
WAP Client <-> (WTLS Security, over the Wireless Operator Network) <-> WAP Gateway <-> (SSL Security, over the Internet) <-> Web (Origin) server
3-D Secure
[Diagram: 3-D Secure message flow, steps 1 to 12, across the Issuer Domain, Interoperability Domain and Acquirer Domain. Participants shown: Cardholder, Merchant Plug in, Visa/MasterCard Directory, Access Control, Authentication History, Acquirer, Visa/MasterCard Net, Issuer.]
PGP – Key Ring
Alice’s key ring, where she holds her own public-private key pairs.
Alice’s key ring, where she holds only the public keys of the other PGP users in the system.
PGP Certificates
Digital Certificate (User: Jui, …, Issued by: Atul), given by Atul to Jui
Digital Certificate (User: Jui, …, Issued by: Anita), given by Anita to Jui
Introducer Trust
Digital Certificate (User: Jui, Trust: Full, …, Issued by: Atul), given by Atul to Jui
Digital Certificate (User: Jui, Trust: Partial, …, Issued by: Anita), given by Anita to Jui
Digital Certificate (User: Anita, Trust: Partial, …, Issued by: Harsh)
Digital Certificate (User: Harsh, Trust: None, …, Issued by: Jui)
Certificate Trust
Background information: Atul and Anita have issued certificates to Jui. Jui sends these certificates to
Harsh, so that Harsh can extract Jui’s public key out of any of those certificates and use it in
communication with Jui. However, Harsh does not trust Atul at all, but trusts Anita fully.
Digital Certificate (User: Jui, Trust: Full, …, Issued by: Atul), given by Atul to Jui
Digital Certificate (User: Jui, Trust: Partial, …, Issued by: Anita), given by Anita to Jui
Jui sends the two certificates, C1 and C2, to Harsh.
Harsh's record:
User | Issuer | Certificate trust
Jui | Atul | None
Jui | Anita | Complete
Result: When Jui sends the two certificates (issued by Atul and Anita to her) to Harsh, Harsh adds them
to his database of certificates. It is actually the ring of public keys of other users, as discussed earlier.
Apart from adding them there, Harsh records the fact that he does not want to trust Jui’s certificate issued
by Atul (since Harsh does not trust Atul), but wants to trust Jui’s certificate issued by Anita (since Harsh
trusts Anita).