
Network Security Essentials - Notes7. Web Security

Views: 782   Published: 2012-09-10 11:02:33.0
Three Approaches for Web Security:
  1.IP-level security (IPsec)
  2.SSL/TLS between the TCP layer and the application layer
  3.Application-level security, such as PGP over SMTP and SET over HTTP

SSL/TLS
  1.History: SSL originated with Netscape; TLS is the Internet-standard version of it. TLS is essentially SSLv3.1 and is compatible with SSLv3.

  2.Concepts: SSL Connection & SSL Session
     a. Connection --- a single transport link
     b. Session --- spans several connections
     c. Session State --- two states: "still handshaking" (pending) and "handshake done" (current)
   
SSL is not a single protocol, but a set of protocols.

   3.Protocol #1 -- Handshake Protocol (at the same layer as HTTP)
     a.Provides the authentication service and negotiates algorithms/keys
     b.Used before application data is transmitted
     c.Handshake Steps:
        i.Phase 1 -- Client says Hello
           request: client_hello + supported cryptographic parameters
           response: server_hello + selected cryptographic parameters
        ii.Phase 2 -- Server sends its certificate and a key exchange request
           certificate + ask for key exchange + ask for the client's certificate (optional)
       iii.Phase 3 -- Client validates the server's certificate, sends the symmetric key material and sends its own certificate (optional)
        iv.Phase 4 -- Client says "done" and server says "done"

   4.Protocol #2 -- Change Cipher Spec Protocol (at the same layer as HTTP)
        Changes the session state to "handshake done" once the handshake is complete

   5.Protocol #3 -- Alert Protocol (at the same layer as HTTP)
        Tells the peer that something is wrong, for example "handshake_failure"

   6.Protocol #4 -- SSL Record Protocol (between the HTTP layer and the TCP layer)
       a.Transmits application data
       b.Provides confidentiality and integrity services
       c.Message Transformation Steps:
          i.Fragment
         ii.Compress (optional)
        iii.Add MAC -- computed with a symmetric MAC key and a hash function
         iv.Encrypt the message -- with another symmetric key
          v.Append the SSL record header
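The five record-layer steps above, worked as an added example (not code from the notes or from any SSL/TLS implementation). The MAC key and the encryption key are separate, the MAC covers the record sequence number so reordered or replayed records fail verification, and a bad MAC is what the Alert Protocol would report as bad_record_mac. Assumptions: the keystream function is a toy HMAC-counter construction standing in for the real symmetric cipher, the 16384-byte fragment limit and content-type 23 are the TLS values, and all keys and data are constructed inline.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed constants (assumed for this example, not from the notes).
MAX_FRAGMENT = 2 ** 14            # TLS record-layer limit: 16384 bytes of plaintext per fragment
CONTENT_APPLICATION_DATA = 23     # TLS content type for application data
VERSION = (3, 1)                  # TLS 1.0 == "SSL 3.1"
TAG_LEN = 32                      # HMAC-SHA256 output length


def fragment(data, size=MAX_FRAGMENT):
    """Step i: split application data into fragments of at most `size` bytes."""
    return [data[i:i + size] for i in range(0, len(data), size)]


def compress(frag):
    """Step ii (optional): lossless compression; zlib is a stand-in for the negotiated method."""
    return zlib.compress(frag)


def mac_input(seq_num, content_type, vmaj, vmin, payload):
    """The MAC covers seq_num || type || version || length || payload, so replays and reorders are caught."""
    return struct.pack("!QBBBH", seq_num, content_type, vmaj, vmin, len(payload)) + payload


def add_mac(mac_key, seq_num, content_type, payload):
    """Step iii: append an HMAC-SHA256 tag computed with the MAC key (not the encryption key)."""
    tag = hmac.new(mac_key, mac_input(seq_num, content_type, *VERSION, payload), hashlib.sha256).digest()
    return payload + tag


def keystream(enc_key, seq_num, length):
    """Toy keystream (HMAC in counter mode) standing in for the real symmetric cipher. Assumed, not real TLS."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack("!QI", seq_num, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(enc_key, seq_num, data):
    """Step iv: encrypt payload+MAC with the separate encryption key. XOR keystream is its own inverse."""
    return bytes(a ^ b for a, b in zip(data, keystream(enc_key, seq_num, len(data))))


def add_header(content_type, body):
    """Step v: prepend the 5-byte record header: content type, version, body length."""
    return struct.pack("!BBBH", content_type, *VERSION, len(body)) + body


def protect(mac_key, enc_key, app_data, seq_start=0, use_compression=False):
    """Sender side: run each fragment through steps i-v and return the list of records."""
    records = []
    for seq, frag in enumerate(fragment(app_data), start=seq_start):
        body = compress(frag) if use_compression else frag
        body = add_mac(mac_key, seq, CONTENT_APPLICATION_DATA, body)
        body = encrypt(enc_key, seq, body)
        records.append(add_header(CONTENT_APPLICATION_DATA, body))
    return records


def unprotect(mac_key, enc_key, records, seq_start=0, use_compression=False):
    """Receiver side: reverse the steps; raise ValueError where an alert would be sent."""
    out = b""
    for seq, rec in enumerate(records, start=seq_start):
        ctype, vmaj, vmin, length = struct.unpack("!BBBH", rec[:5])
        body = encrypt(enc_key, seq, rec[5:5 + length])
        payload, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        expected = hmac.new(mac_key, mac_input(seq, ctype, vmaj, vmin, payload), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("bad_record_mac")  # the Alert Protocol would carry this to the peer
        out += zlib.decompress(payload) if use_compression else payload
    return out


def is_authentic(mac_key, enc_key, records, **kw):
    """True if every record decrypts and its MAC verifies, False otherwise."""
    try:
        unprotect(mac_key, enc_key, records, **kw)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    km, ke = b"m" * 32, b"e" * 32                      # constructed keys
    data = b"GET / HTTP/1.1\r\n" * 2000                 # 32000 bytes -> two fragments
    recs = protect(km, ke, data)
    print(len(recs), "records;", "round trip ok" if unprotect(km, ke, recs) == data else "FAIL")
    print("reordered records authentic?", is_authentic(km, ke, recs[::-1]))
```

Swapping the two records makes verification fail even though each record is individually intact, because the sequence number is part of the MAC input; that is the property the notes' step iii relies on.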
       
SET: Secure Electronic Transaction
    1.Overview
      a. Protects credit card transactions on the Internet
      b. Not a payment system itself
      c. A set of security protocols and formats
      d. Security Services
         i.A secure communications channel
        ii.Trust based on X.509 certificates
       iii.Information is only available to the parties of the transaction
        iv.Information is in transit only when necessary

    2.Security Features
      a.Confidentiality: prevents the merchant from learning the card number
      b.Integrity:
            i.Digital signature for OI (Order Information)
           ii.Digital signature for PI (Payment Information)
          iii.Dual signature to link OI and PI
      c.Merchant authenticates the card number --- based on an X.509 certificate
      d.Cardholder authenticates the Merchant and the Payment Gateway --- based on X.509 certificates
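The dual signature from item 2.b.iii, as an added example (not code from the notes or from the SET specification). The cardholder hashes OI and PI separately, concatenates the two digests, hashes again and signs the result. The merchant receives OI plus the PI digest and can verify the signature without ever seeing the card number; the bank receives PI plus the OI digest and verifies the same signature, so neither party can pair the PI with a different order. Assumption: SET uses RSA signatures, and the sign/verify pair here is a keyed-HMAC stand-in that only shows the linkage structure; the OI/PI messages and keys are constructed inline, and the encryption of PI for the payment gateway is left out.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    """Message digest used throughout (SHA-256 here; SET used SHA-1)."""
    return hashlib.sha256(data).digest()


def sign(private_key: bytes, message: bytes) -> bytes:
    """Stand-in for the cardholder's RSA signature (assumption: keyed HMAC, not a real public-key signature)."""
    return hmac.new(private_key, message, hashlib.sha256).digest()


def verify(verify_key: bytes, message: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(verify_key, message), sig)


def make_dual_signature(cardholder_key: bytes, oi: bytes, pi: bytes):
    """Cardholder: DS = Sign( H( H(PI) || H(OI) ) ). Returns (PIMD, OIMD, DS)."""
    pimd = h(pi)      # payment information message digest
    oimd = h(oi)      # order information message digest
    ds = sign(cardholder_key, h(pimd + oimd))
    return pimd, oimd, ds


def merchant_verifies(cardholder_key: bytes, oi: bytes, pimd: bytes, ds: bytes) -> bool:
    """Merchant sees OI in the clear and only the digest of PI; it never learns the card number."""
    return verify(cardholder_key, h(pimd + h(oi)), ds)


def bank_verifies(cardholder_key: bytes, pi: bytes, oimd: bytes, ds: bytes) -> bool:
    """Bank (via the payment gateway) sees PI in the clear and only the digest of OI."""
    return verify(cardholder_key, h(h(pi) + oimd), ds)


def run_scenario():
    """Constructed transaction: returns the four checks a practitioner would want to see."""
    cardholder_key = b"cardholder-private-key-constructed"          # constructed, not a real key
    oi = b"order=1234;item=textbook;amount=59.00"                    # constructed OI
    pi = b"card=0000-0000-0000-0000;exp=01/30;amount=59.00"          # constructed PI (placeholder number)
    pimd, oimd, ds = make_dual_signature(cardholder_key, oi, pi)

    # Merchant bundle: (OI, PIMD, DS); Bank bundle: (PI, OIMD, DS).
    merchant_ok = merchant_verifies(cardholder_key, oi, pimd, ds)
    bank_ok = bank_verifies(cardholder_key, pi, oimd, ds)

    # A merchant who re-attaches this PI to a different order fails the check.
    other_oi = b"order=9999;item=laptop;amount=1999.00"
    swapped_order = merchant_verifies(cardholder_key, other_oi, pimd, ds)

    # The bank cannot accept a PI that was altered after signing.
    altered_pi = pi.replace(b"59.00", b"5900.00")
    altered_amount = bank_verifies(cardholder_key, altered_pi, oimd, ds)

    return {
        "merchant_ok": merchant_ok,
        "bank_ok": bank_ok,
        "swapped_order_accepted": swapped_order,
        "altered_amount_accepted": altered_amount,
    }


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

With a real RSA signature the verifier would hold only the cardholder's certificate, which is what makes the merchant's and the bank's checks independent; the HMAC stand-in forces both to hold the signing key, so the example shows the linking of OI and PI and nothing about key management.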

    3.The Scenario
      a.Players:
         i.Cardholder
        ii.Merchant
       iii.Issuing Bank
        iv.Acquiring Bank
         v.Payment Gateway to the existing bankcard payment network
        vi.CA
      b.Certificates Needed
         i.Cardholder has a certificate signed by the issuing bank
        ii.Merchant has two certificates: one for message signature, the other for key exchange
       iii.Payment Gateway has a certificate
      c.A story
         i.Each party validates the other parties' certificates
        ii.Payment Information is encrypted and the merchant can't decrypt it
       iii.Payment Information is forwarded by the merchant to the Payment Gateway to get validated (authorization)
        iv.Finally, the merchant asks the Payment Gateway to request payment (capture)
       