Course: Information and Network Security
by Dr. Amir Mehmood
Web & Transport Layer Security
These lecture slides are from Network Security Essentials,
William Stallings
Web Security
• Web now widely used by business,
government, individuals
• but Internet & Web are vulnerable
• have a variety of threats
– integrity
– confidentiality
– denial of service
– authentication
• need added security mechanisms
SSL (Secure Socket Layer)
transport layer security service
originally developed by Netscape
version 3 designed with public input
subsequently became Internet
standard known as TLS (Transport
Layer Security)
uses TCP to provide a reliable end-to-end
service
Transport Layer Security (TLS)
The Internet Engineering Task
Force (IETF) standard called
Transport Layer Security (TLS) is
based on SSL.
TLS Fundamentals
“Transport Layer Security” protocol
Standard protocol for encrypting Internet traffic
Previously known as SSL (Secure Sockets Layer)
TLS replaced SSL in 1999
Used for HTTPS (HTTP Secure) traffic
Supported by nearly every web browser
Purposes for TLS
Data integrity
Server (and client) authentication
Confidentiality
TCP/IP Protocol Suite
The TCP/IP protocol suite governs the transport and
routing of data over the Internet.
Other protocols, such as the Hypertext
Transfer Protocol (HTTP), Lightweight
Directory Access Protocol (LDAP), or
Internet Message Access Protocol (IMAP),
run "on top of" TCP/IP in the sense that
they all use TCP/IP to support typical
application tasks such as displaying web
pages or running email servers.
TCP/IP Protocol Suite and Security
Services Provided by TLS
TLS encrypts data so that no one who
intercepts it is able to read it.
TLS can assure a client that they are
dealing with the real server they
intended to connect to.
TLS can prevent any unauthorized
clients from connecting to the server.
TLS prevents anyone from interfering
with data going to or coming from the
server.
Services Provided by TLS
TLS server authentication
TLS client authentication
An encrypted TLS connection
TLS Server Authentication
TLS server authentication allows a user to
confirm a server's identity.
TLS-enabled client software can use standard
techniques of public-key cryptography to check
that a server's certificate and public ID are
valid and have been issued by a certificate
authority (CA) listed in the client's list of
trusted CAs.
This confirmation might be important if the
user, for example, is sending a credit card
number over the network and wants to check
the receiving server's identity.
TLS Client Authentication
TLS client authentication allows a server to
confirm a user's identity.
Using the same techniques as those used for
server authentication, SSL-enabled server
software can check that a client's certificate
and public ID are valid and have been issued
by a certificate authority (CA) listed in the
server's list of trusted CAs.
This confirmation might be important if the
server, for example, is a bank sending
confidential financial information to a
customer and wants to check the recipient's
identity.
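The two authentication services above, written as Python `ssl` configuration, with the weak client setting beside the verifying one. This is an added example, not part of the original slides; the function names and the `audit` helper are hypothetical.

```python
import ssl

def client_context():
    """Client side of TLS server authentication."""
    # The default context loads the platform's trusted CA list and sets
    # verify_mode=CERT_REQUIRED and check_hostname=True.
    return ssl.create_default_context(ssl.Purpose.SERVER_AUTH)

def insecure_client_context():
    """Weak setting: encryption without server authentication."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # any certificate is accepted
    return ctx

def server_context(require_client_cert):
    """Server side; optionally performs TLS client authentication."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    if require_client_cert:
        # Handshake fails unless the client presents a certificate that
        # chains to a CA loaded with ctx.load_verify_locations(...).
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def audit(ctx, role):
    """Return the authentication checks that this context skips."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append(role + ": peer certificate not required")
    if role == "client" and not ctx.check_hostname:
        findings.append("client: certificate not matched to server name")
    return findings

if __name__ == "__main__":
    for name, ctx, role in [
        ("default client", client_context(), "client"),
        ("insecure client", insecure_client_context(), "client"),
        ("server, no client auth", server_context(False), "server"),
        ("server, client auth", server_context(True), "server"),
    ]:
        print(name, "->", audit(ctx, role) or "ok")
```

A server that does not require a client certificate is the usual HTTPS setup; the audit only reports that TLS client authentication is not in use there.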
An encrypted TLS connection
An encrypted TLS connection requires all
information sent between a client and a
server to be encrypted by the sending
software and decrypted by the receiving
software, thus providing a high degree of
confidentiality.
Confidentiality is important for both parties
to any private transaction.
TLS Sub-protocols
The TLS protocol includes two major sub-protocols:
the TLS record protocol
the TLS handshake protocol
The TLS Record Protocol
The TLS record protocol defines the
format used to transmit data
The TLS record protocol provides two
services for SSL connections:
Confidentiality: The Handshake Protocol
defines a shared secret key that is used for
conventional encryption of TLS payloads
Message Integrity: The Handshake Protocol
also defines a shared secret key that is used
to form a message authentication code
(MAC)
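The message integrity service above, as an added example that is not part of the original slides: each record's MAC covers a sequence number, the record header fields and the data, so a modified, reordered or replayed record is rejected. The layout follows the TLS 1.2 HMAC construction; the key and payloads are constructed, the `Sender`/`Receiver` names are hypothetical, and the encryption step is left out.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23   # TLS ContentType for application data
TLS12 = (3, 3)          # version bytes carried in a TLS 1.2 record header
TAG_LEN = 32            # HMAC-SHA256 output size

def record_mac(mac_key, seq_num, content_type, version, fragment):
    # MAC input: 64-bit sequence number, type, version, length, then the data
    prefix = struct.pack("!QBBBH", seq_num, content_type,
                         version[0], version[1], len(fragment))
    return hmac.new(mac_key, prefix + fragment, hashlib.sha256).digest()

class Sender:
    def __init__(self, mac_key):
        self.mac_key, self.seq = mac_key, 0

    def protect(self, fragment):
        tag = record_mac(self.mac_key, self.seq, APPLICATION_DATA, TLS12, fragment)
        self.seq += 1               # implicit counter, never sent on the wire
        return fragment + tag       # real TLS would now encrypt data and tag

class Receiver:
    def __init__(self, mac_key):
        self.mac_key, self.seq = mac_key, 0

    def accept(self, record):
        fragment, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        expected = record_mac(self.mac_key, self.seq, APPLICATION_DATA, TLS12, fragment)
        if not hmac.compare_digest(tag, expected):
            return None             # real TLS aborts with a bad_record_mac alert
        self.seq += 1
        return fragment

if __name__ == "__main__":
    key = bytes(range(32))          # constructed; in TLS it comes from the handshake
    tx, rx = Sender(key), Receiver(key)
    first, second = tx.protect(b"amount=10"), tx.protect(b"amount=20")
    print("out of order:", rx.accept(second))   # None
    print("in order:    ", rx.accept(first))    # b'amount=10'
    print("replayed:    ", rx.accept(first))    # None
```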
The TLS Handshake protocol
The most complex part of TLS is the Handshake
Protocol.
This protocol allows the server and client to
authenticate each other and to negotiate an
encryption and MAC algorithm and
cryptographic keys to be used to protect data
sent in a TLS record.
The Handshake Protocol is used before any
application data is transmitted.
HTTPS
HTTPS (HTTP over SSL)
combination of HTTP & SSL/TLS to secure
communications between browser & server
• documented in RFC 2818
• no fundamental change using either SSL or TLS
use https:// URL rather than http://
and port 443 rather than 80
encrypts
URL, document contents, form data, cookies,
HTTP headers
HTTPS Use
• connection initiation
– TLS handshake then HTTP request(s)
• connection closure
– have “Connection: close” in HTTP record
– TLS level exchange close_notify alerts
– can then close TCP connection
– must handle TCP close before alert exchange
Secure Shell (SSH)
protocol for secure network communications
designed to be simple & inexpensive
SSH1 provided secure remote logon facility
replace TELNET & other insecure schemes
also has more general client/server capability
SSH2 fixes a number of security flaws
SSH clients & servers are widely available
method of choice for remote login/ X tunnels
SSH Protocol Stack
SSH Transport Layer Protocol
• server authentication occurs at transport
layer, based on server/host key pair(s)
– server authentication requires clients to know
host keys in advance
• packet exchange
– establish TCP connection
– can then exchange data
• identification string exchange, algorithm
negotiation, key exchange, end of key exchange,
service request
– using specified packet format
Secure Electronic Transactions (SET)
• open encryption & security specification
• to protect Internet credit card transactions
• developed in 1996 by Mastercard, Visa etc
• not a payment system
• rather a set of security protocols & formats
Participants in Electronic transaction
• Cardholder
• Merchant
• Issuer (e.g. bank)
• Acquirer
• Payment gateway (function of acquirer or third party)
• Certificate Authority
Now we can set the security requirements
Key features of SET
• Confidentiality of information
– cardholder account & payment info
• Integrity of data
– payment info & instruction, personal data
• Card holder account authentication
• Merchant authentication
SET Components
SET Transaction
1. customer opens account
2. customer receives a certificate
3. merchants have their own certificates (2 keys:
message signing & key exchange)
4. customer places an order
5. merchant is verified (customer verifies merchant's
certificate)
6. order and payment are sent
7. merchant requests payment authorization
8. merchant confirms order
9. merchant provides goods or service
10. merchant requests payment to payment gateway
SET services
SET provides three major services
• Secure communication channel among all
parties during transaction
• Provide trust by use of X.509v3 certificate
• Ensures privacy of participants
Dual Signature
• customer creates dual messages
– order information (OI) for merchant
– payment information (PI) for bank
• neither party needs details of other
• but must know they are linked
• use a dual signature for this
– signed concatenated hashes of OI & PI
Dual signature construction
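The dual signature described above, together with the checks the merchant and the bank can each make with only their own half, as an added example that is not part of the original slides. The RSA key is a toy built from two Mersenne primes and used without padding, SHA-256 is the chosen hash, and the OI/PI strings are constructed; all of these are assumptions of the example.

```python
import hashlib

# Toy customer signature key (constructed for illustration, not secure):
# both factors are Mersenne primes, and signing below is unpadded RSA.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known to the customer only

def h(data):
    return hashlib.sha256(data).digest()

def _as_int(digest):
    return int.from_bytes(digest, "big")

def dual_sign(pi, oi):
    """Customer: sign the hash of the concatenated hashes of PI and OI."""
    return pow(_as_int(h(h(pi) + h(oi))), D, N)

def merchant_verify(oi, pi_digest, ds):
    """Merchant holds OI and H(PI) only; the payment details stay hidden."""
    return pow(ds, E, N) == _as_int(h(pi_digest + h(oi)))

def bank_verify(pi, oi_digest, ds):
    """Bank holds PI and H(OI) only; the order details stay hidden."""
    return pow(ds, E, N) == _as_int(h(h(pi) + oi_digest))

if __name__ == "__main__":
    pi = b"card=0000-EXAMPLE;amount=25.00;txid=42"   # constructed sample
    oi = b"item=book;qty=1;txid=42"                  # constructed sample
    ds = dual_sign(pi, oi)
    print("merchant accepts order: ", merchant_verify(oi, h(pi), ds))
    print("bank accepts payment:   ", bank_verify(pi, h(oi), ds))
    # An order swapped after signing no longer matches the signature.
    print("swapped order accepted: ",
          merchant_verify(b"item=book;qty=9;txid=42", h(pi), ds))
```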
Major SET Transactions
Some of the major transactions in SET are
as follows
• Purchase Request
• Payment Authorization
• Payment Capture
Purchase Request – Customer
It consists of 4 messages: Initiate
Request, Initiate Response, Purchase
Request & Purchase Response
Initiate Request and Initiate Response let the customer
and merchant verify certificates and other details
The customer then completes the order and sends the
Purchase Request
Purchase Request – Merchant
1. verifies cardholder certificates using CA sigs
2. verifies dual signature using customer's public
signature key to ensure order has not been
tampered with & that it was signed with cardholder's private key
3. processes order and forwards the payment
information to the payment gateway for
authorization
4. sends a purchase response to cardholder
Payment Authorization
• Merchant sends an authorization request to
payment gateway with
• Purchase related information (customer)
PI, OI, dual signature, digital envelope
• Authorization-related information (merchant)
authorization block, digital envelope
• Certificates
card holder & merchant signature key, merchant
key exchange certificate
Payment Gateway Authorization
1. verifies all certificates
2. decrypts digital envelope of authorization block to
obtain symmetric key & then decrypts authorization block
3. verifies merchant's signature
4. decrypts digital envelope of payment block to get
key & then decrypts payment block
5. verifies dual signature on payment block
6. verifies transaction ID received from merchant and
from customer
7. requests & receives an authorization from issuer
8. sends authorization response back to merchant
Payment Capture
• merchant sends payment gateway a
payment capture request
• gateway checks request
• then causes funds to be transferred to
merchant's account
• notifies merchant using capture response
Summary
• have considered:
– need for web security
– SSL/TLS transport layer security protocols
– SET
– secure credit card payment method