Protocols Used in Internet Security

Deptt. of Commerce
Government College, Dera Bassi
The e-commerce community has taken great steps to adopt security protocols and
standards, which are necessary to make traditionally unsecured channels, such as
the Internet, attractive to the average consumer. Let us discuss some of the main,
widely used protocols.
Types of Protocols
• Secure Sockets Layer (SSL)
• Secure Hypertext Transfer Protocol (S-HTTP)
• Secure Electronic Transaction (SET)
Secure Sockets Layer (SSL)
• What is SSL?
• How does SSL work?
• What can SSL do?
What is SSL?
• A protocol developed by Netscape.
• It is a separate protocol layer that operates above the Internet TCP protocol
  and below high-level application protocols.
What Can SSL Do?
• SSL uses TCP/IP on behalf of the higher-level protocols.
• Allows an SSL-enabled server to authenticate itself to an SSL-enabled client;
• Allows the client to authenticate itself to the server;
• Allows both machines to establish an encrypted connection.
What Does SSL Concern?
• SSL server authentication.
• SSL client authentication (optional).
• An encrypted SSL connection, or confidentiality. This protects against
  electronic eavesdroppers.
• Integrity. This protects against hackers altering data in transit.
How does SSL Work?
• How do a client and a server create a secure connection?
• The SSL protocol uses RSA public key cryptography for Internet security.
• Public key encryption uses a pair of asymmetric keys for encryption and
  decryption.
• Each pair of keys consists of a public key and a private key. The public key is
  made public by distributing it widely; the private key is always kept secret.
• Data encrypted with the public key can be decrypted only with the private key,
  and vice versa.
Secure-HTTP (S-HTTP)
• Secure HTTP (S-HTTP) extends the Hypertext Transfer Protocol (HTTP).
• HTTP was originally developed for a simple Web that had no dynamic graphics and
  did not, at that time, require the strong encryption for end-to-end
  transactions that has since developed.
• As the Web became popular for businesses, users realized that the current HTTP
  protocol needed more cryptographic and graphic improvements if it was to remain
  the e-commerce backbone it had become.
• Each S-HTTP file is either encrypted, contains a digital certificate, or both.
• The S-HTTP design provides for secure communications, primarily commercial
  transactions, between an HTTP client and a server.
• It does this through a wide variety of mechanisms that provide
  confidentiality, authentication, and integrity while separating policy from
  mechanism.
• HTTP messages contain two parts: the header and the body of the message. The
  header contains instructions to the recipients (browser and server) on how to
  process the message's body.
• During the transfer transaction, both the client browser and the server use the
  information contained in the HTTP header to negotiate the formats they will use
  to transfer the requested information.
• The S-HTTP protocol extends this negotiation between the client browser and the
  server to include the negotiation of security matters. Hence S-HTTP uses
  additional headers for message encryption, digital certificates and
  authentication in the HTTP format, which contain additional instructions on how
  to decrypt the message body (see both headers).
Secure Electronic Transactions – SET
• a protocol designed to protect credit card transactions on the Internet
• initiated and promoted by MasterCard and Visa
• many companies were involved in the development of the specifications (IBM,
  Microsoft, Netscape, RSA, VeriSign, …)
• the SET specification consists of three books:
  1. Business Description
  2. Programmer's Guide
  3. Formal Protocol Definition
• around 1000 pages
SET services
• confidentiality
  - cardholder account and payment information is secured as it travels across
    the network
  - cardholder account and payment information (e.g., credit card number) is
    hidden from the merchant too!
• integrity
  - messages cannot be altered in transit in an undetectable way
  - based on digital signatures
• cardholder account authentication
  - merchant can verify that the client is a legitimate user of the card
  - based on X.509 certificates
• merchant authentication
  - client can authenticate the merchant and check if it is authorized to accept
    payment cards
  - based on X.509 certificates
Model
[Figure: SET model. Parties: cardholder, merchant, payment gateway, acquirer and issuer, connected through the Internet and the payment network. Message labels: order info + payment instruction; ack + services; authorization request; authorization response + capture token; capture request; capture response; money transfer.]
SET participants
• cardholder
  - wants to buy something from a merchant on the Internet
  - authorized holder of a payment card issued by an issuer
• merchant
  - sells goods/services via a Web site or by e-mail
  - has a relationship with an acquirer
• issuer
  - issues payment cards
  - responsible for the payment of the debt of the cardholders
• acquirer
  - maintains accounts for merchants
  - processes payment card authorizations and payments
  - transfers money to the merchant account, reimbursed by the issuer
• payment gateway
  - interface between the Internet and the existing bankcard payment network
    for authorization and payment functions
• CAs
Dual signature
• links two messages that are intended for two different recipients
[Figure: dual signature construction. Labels: data1, data2, hash (three times), sign, K_X^-1.]
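A dual signature worked through in code, as an added example that is not part of the original slides: each recipient checks the one signature while seeing only its own message and a digest of the other. Assumptions: data1 is the order info for the merchant and data2 the payment instruction for the payment gateway (as in the SET model on this page); SHA-256 as the hash; textbook RSA without padding on a constructed toy key; all function names are hypothetical.

```python
import hashlib

# Constructed toy key: textbook RSA (no padding) built from two Mersenne
# primes so the block runs on the standard library alone. Trivially
# factorable; it only stands in for the cardholder's real key pair.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (K_X^-1 in the figure)


def h(data: bytes) -> bytes:
    """Hash step of the construction (SHA-256 is an assumption)."""
    return hashlib.sha256(data).digest()


def dual_sign(data1: bytes, data2: bytes) -> int:
    """Sender: sign hash(hash(data1) || hash(data2)) with the private key."""
    linked = int.from_bytes(h(h(data1) + h(data2)), "big")
    return pow(linked, D, N)


def merchant_verify(data1: bytes, digest2: bytes, sig: int) -> bool:
    """Recipient 1 holds data1 in clear but only the digest of data2."""
    expected = int.from_bytes(h(h(data1) + digest2), "big")
    return pow(sig, E, N) == expected


def gateway_verify(digest1: bytes, data2: bytes, sig: int) -> bool:
    """Recipient 2 holds data2 in clear but only the digest of data1."""
    expected = int.from_bytes(h(digest1 + h(data2)), "big")
    return pow(sig, E, N) == expected


# Constructed sample messages (placeholders, not real order or card data).
ORDER_INFO = b"order=1042;item=book;total=25.00"
PAYMENT_INFO = b"card=CONSTRUCTED-PAN;amount=25.00;order=1042"

if __name__ == "__main__":
    sig = dual_sign(ORDER_INFO, PAYMENT_INFO)
    # Merchant never sees PAYMENT_INFO, gateway never sees ORDER_INFO.
    print("merchant accepts:", merchant_verify(ORDER_INFO, h(PAYMENT_INFO), sig))
    print("gateway accepts: ", gateway_verify(h(ORDER_INFO), PAYMENT_INFO, sig))
    # Pairing the payment with a different order breaks the link.
    forged = b"order=9999;item=laptop;total=25.00"
    print("swapped order:   ", gateway_verify(h(forged), PAYMENT_INFO, sig))
```

Because both digests sit under a single signature, neither recipient can pair its message with a different counterpart without the check failing.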