web security notes........................
kuldeepkumar206502
6 views
22 slides
Sep 16, 2025
Slide 1 of 22
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
About This Presentation
ch07
Slide Content
Henric Johnson 1
Chapter 7
WEB Security
Henric Johnson
Blekinge Institute of Technology, Sweden
http://www.its.bth.se/staff/hjo/
[email protected]
Chapter 7
WEB Security
Henric Johnson
Blekinge Institute of Technology, Sweden
http://www.its.bth.se/staff/hjo/
[email protected]
Henric Johnson 2
Outline
•Web Security Considerations
•Secure Socket Layer (SSL) and
Transport Layer Security (TLS)
•Secure Electronic Transaction (SET)
•Recommended Reading and WEB Sites
Outline
•Web Security Considerations
•Secure Socket Layer (SSL) and
Transport Layer Security (TLS)
•Secure Electronic Transaction (SET)
•Recommended Reading and WEB Sites
Henric Johnson 3
Web Security Considerations
•The WEB is very visible.
•Complex software hide many security
flaws.
•Web servers are easy to configure
and manage.
•Users are not aware of the risks.
Web Security Considerations
•The WEB is very visible.
•Complex software hide many security
flaws.
•Web servers are easy to configure
and manage.
•Users are not aware of the risks.
Henric Johnson 4
Security facilities in the
TCP/IP protocol stack
Security facilities in the
TCP/IP protocol stack
Henric Johnson 5
SSL and TLS
•SSL was originated by Netscape
•TLS working group was formed within
IETF
•First version of TLS can be viewed as
an SSLv3.1
SSL and TLS
•SSL was originated by Netscape
•TLS working group was formed within
IETF
•First version of TLS can be viewed as
an SSLv3.1
Henric Johnson 6
SSL Architecture
SSL Architecture
Henric Johnson 7
SSL Record Protocol Operation
SSL Record Protocol Operation
Henric Johnson 8
SSL Record Format
SSL Record Format
Henric Johnson 9
SSL Record Protocol
Payload
SSL Record Protocol
Payload
Henric Johnson 10
Handshake Protocol
•The most complex part of SSL.
•Allows the server and client to
authenticate each other.
•Negotiate encryption, MAC algorithm
and cryptographic keys.
•Used before any application data are
transmitted.
Handshake Protocol
•The most complex part of SSL.
•Allows the server and client to
authenticate each other.
•Negotiate encryption, MAC algorithm
and cryptographic keys.
•Used before any application data are
transmitted.
Henric Johnson 11
Handshake Protocol Action
Handshake Protocol Action
Henric Johnson 12
Transport Layer Security
•The same record format as the SSL record format.
•Defined in RFC 2246.
•Similar to SSLv3.
•Differences in the:
–version number
–message authentication code
–pseudorandom function
–alert codes
–cipher suites
–client certificate types
–certificate_verify and finished message
–cryptographic computations
–padding
Transport Layer Security
•The same record format as the SSL record format.
•Defined in RFC 2246.
•Similar to SSLv3.
•Differences in the:
–version number
–message authentication code
–pseudorandom function
–alert codes
–cipher suites
–client certificate types
–certificate_verify and finished message
–cryptographic computations
–padding
Henric Johnson 13
Secure Electronic Transactions
•An open encryption and security
specification.
•Protect credit card transaction on the
Internet.
•Companies involved:
–MasterCard, Visa, IBM, Microsoft,
Netscape, RSA, Terisa and Verisign
•Not a payment system.
•Set of security protocols and formats.
Secure Electronic Transactions
•An open encryption and security
specification.
•Protect credit card transaction on the
Internet.
•Companies involved:
–MasterCard, Visa, IBM, Microsoft,
Netscape, RSA, Terisa and Verisign
•Not a payment system.
•Set of security protocols and formats.
Henric Johnson 14
SET Services
•Provides a secure communication
channel in a transaction.
•Provides tust by the use of X.509v3
digital certificates.
•Ensures privacy.
SET Services
•Provides a secure communication
channel in a transaction.
•Provides tust by the use of X.509v3
digital certificates.
•Ensures privacy.
Henric Johnson 15
SET Overview
•Key Features of SET:
–Confidentiality of information
–Integrity of data
–Cardholder account authentication
–Merchant authentication
SET Overview
•Key Features of SET:
–Confidentiality of information
–Integrity of data
–Cardholder account authentication
–Merchant authentication
Henric Johnson 16
SET Participants
SET Participants
Henric Johnson 17
Sequence of events for
transactions
1.The customer opens an account.
2.The customer receives a certificate.
3.Merchants have their own certificates.
4.The customer places an order.
5.The merchant is verified.
6.The order and payment are sent.
7.The merchant request payment authorization.
8.The merchant confirm the order.
9.The merchant provides the goods or service.
10.The merchant requests payments.
Sequence of events for
transactions
1.The customer opens an account.
2.The customer receives a certificate.
3.Merchants have their own certificates.
4.The customer places an order.
5.The merchant is verified.
6.The order and payment are sent.
7.The merchant request payment authorization.
8.The merchant confirm the order.
9.The merchant provides the goods or service.
10.The merchant requests payments.
Henric Johnson 18
Dual Signature
H(OI))]||)(([ PIHHEDS
cKR
Dual Signature
H(OI))]||)(([ PIHHEDS
cKR
Henric Johnson 19
Payment processing
Cardholder sends Purchase Request
Payment processing
Cardholder sends Purchase Request
Henric Johnson 20
Payment processing
Merchant Verifies Customer Purchase Request
Payment processing
Merchant Verifies Customer Purchase Request
Henric Johnson 21
Payment processing
•Payment Authorization:
–Authorization Request
–Authorization Response
•Payment Capture:
–Capture Request
–Capture Response
Payment processing
•Payment Authorization:
–Authorization Request
–Authorization Response
•Payment Capture:
–Capture Request
–Capture Response
Henric Johnson 22
Recommended Reading and
WEB sites
•Drew, G. Using SET for Secure Electronic
Commerce. Prentice Hall, 1999
•Garfinkel, S., and Spafford, G. Web
Security & Commerce. O’Reilly and
Associates, 1997
•MasterCard SET site
•Visa Electronic Commerce Site
•SETCo (documents and glossary of terms)
Recommended Reading and
WEB sites
•Drew, G. Using SET for Secure Electronic
Commerce. Prentice Hall, 1999
•Garfinkel, S., and Spafford, G. Web
Security & Commerce. O’Reilly and
Associates, 1997
•MasterCard SET site
•Visa Electronic Commerce Site
•SETCo (documents and glossary of terms)
Tags
Categories
TechnologyDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 6
- Slides 22
- Age 76 days
Related Slideshows
11
8-top-ai-courses-for-customer-support-representatives-in-2025.pptx
JeroenErne2
44 views
10
7-essential-ai-courses-for-call-center-supervisors-in-2025.pptx
JeroenErne2
45 views
13
25-essential-ai-courses-for-user-support-specialists-in-2025.pptx
JeroenErne2
36 views
11
8-essential-ai-courses-for-insurance-customer-service-representatives-in-2025.pptx
JeroenErne2
33 views
21
Know for Certain
DaveSinNM
19 views
17
PPT OPD LES 3ertt4t4tqqqe23e3e3rq2qq232.pptx
novasedanayoga46
23 views