Network Security Essentials — Notes 7. Web Security

Three Approaches for Web Security:  

  1.IP-Level Security

  2.SSL/TLS between TCP layer and Application Layer

  3.Application-Level Security, such as PGP over SMTP and SET Over HTTP

SSL/TLS

  1.History: SSL originated at Netscape; TLS is the Internet standard version of it. TLS is essentially SSLv3.1 and is compatible with SSLv3

  2.Concept: SSL Connection & SSL Session

     a. Connection

     b. Session  — Spans several connections

     c. Session State — State of "still handshaking" &  State of "Handshaking done"

   

SSL is not a single protocol, but a set of protocols

   3.Protocol #1 — Handshake Protocol (at the same layer as HTTP)

     a.It provides authentication service and negotiates algorithms/keys

     b.Used before application data is transmitted

     c.Handshake Steps:

        i.Phase1 — Client says Hello

           request: client_hello + supported cryptographic parameters

           response: server_hello + selected cryptographic parameters

        ii.Phase2 — Server sending certificate and key exchange request

          certificate + key exchange request + request for the client's certificate (optional)

       iii.Phase3 — Client validates the server's certificate, sends the symmetric key material and sends its own certificate (optional)

        iv.Phase4 — Client says "done" and server says "done"

   4.Protocol #2 — Change Cipher Spec Protocol (at the same layer as HTTP)

        Changes the session state to "Handshake done" once the handshake is complete

   5.Protocol #3 — Alert Protocol (at the same layer as HTTP)

        Tells the peer that something is wrong, for example "handshake-failure"

   6.Protocol #4 — SSL Record Protocol (between the HTTP layer and the TCP layer)

       a.Transmit of application data

       b.Provides confidentiality and integrity services

       c.Msg Transformation Steps:

          i.Fragment

         ii.Compress (optional)

        iii.Add MAC — computed over the fragment with a shared symmetric MAC key and a hash function

         iv.Encrypt the message — with another symmetric key

          v.Append SSL record header

       

SET: Secure electronic transaction

    1.Overview

      a. To protect credit card transactions on the Internet

      b. Not a payment system itself

      c. A set of security protocols and formats

      d. Security Services

         i.A secure communications channel

        ii.Trust based on X.509 certificates

       iii.Information is only available to the parties of the transaction

        iv.Information is transmitted only when necessary

    2.Security Features

      a.Confidentiality: Prevents the merchant from learning the card number

      b.Integrity:

            i.Digital Signature for OI (Order Information)

           ii.Digital Signature for PI (Payment Information)

          iii.Dual Signature to link OI and PI

      c.Merchant authenticates card number — based on X.509 Certificate

      d.Cardholder authenticates Merchant and Payment Gateway  — based on X.509 Certificate

    3.The Scenario

      a.Players:

         i.Cardholder

        ii.Merchant

       iii.Issuing Bank

        iv.Acquiring Bank

         v.Payment Gateway to existing bankcard payment network

        vi.CA

      b.Certificates Needed

         i.Cardholder has a certificate signed by the issuing bank

        ii.Merchant has two certificates: one for message signatures, the other for symmetric key exchange

       iii.Payment Gateway has a certificate.

      c.A story

         i.Each party will validate other parties’ certificate

        ii.Payment Information will be encrypted and the merchant can’t decrypt it

       iii.Payment Information is forwarded by the Merchant to the Payment Gateway to get validated (Authorization)

        iv.Finally, the Merchant asks the Payment Gateway to request payment.
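The dual signature from section 2.b (Integrity) worked through in code, as an added example that is not part of the original notes: the cardholder signs H(H(PI) || H(OI)), the merchant checks the link from OI plus only the PI digest, and the bank checks it from PI plus only the OI digest. The RSA key (textbook RSA over Mersenne primes, insecure and for demonstration only), the SHA-256 choice and the OI/PI strings are all constructed assumptions.

```python
import hashlib

# Constructed cardholder key pair for this demo: textbook RSA over two Mersenne
# primes so the block runs offline. NOT secure (the factors are public); a real
# SET cardholder key is a CA-issued RSA key used with a padded signature scheme.
_P = 2**521 - 1
_Q = 2**127 - 1
CARDHOLDER_N = _P * _Q
CARDHOLDER_E = 65537
_CARDHOLDER_D = pow(CARDHOLDER_E, -1, (_P - 1) * (_Q - 1))

def H(data: bytes) -> bytes:
    """Message digest used for PIMD, OIMD and POMD (SHA-256 here; SET used SHA-1)."""
    return hashlib.sha256(data).digest()

def rsa_sign(digest: bytes) -> int:
    """Cardholder signs a digest with PRc: s = m^d mod n (unpadded, demo only)."""
    return pow(int.from_bytes(digest, "big"), _CARDHOLDER_D, CARDHOLDER_N)

def rsa_verify(digest: bytes, sig: int) -> bool:
    """Anyone holding PUc (from the cardholder's certificate) checks m == s^e mod n."""
    return pow(sig, CARDHOLDER_E, CARDHOLDER_N) == int.from_bytes(digest, "big")

def dual_sign(pi: bytes, oi: bytes) -> dict:
    """Cardholder: DS = Sign(PRc, H(H(PI) || H(OI))). Merchant gets OI + PIMD,
    bank gets PI + OIMD; both get the same DS, which ties the halves together."""
    pimd, oimd = H(pi), H(oi)
    pomd = H(pimd + oimd)
    ds = rsa_sign(pomd)
    return {"for_merchant": (oi, pimd, ds), "for_bank": (pi, oimd, ds)}

def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant recomputes POMD from its OI and the supplied PIMD, never seeing PI."""
    return rsa_verify(H(pimd + H(oi)), ds)

def bank_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Payment gateway recomputes POMD from PI and the supplied OIMD, never seeing OI."""
    return rsa_verify(H(H(pi) + oimd), ds)

# Constructed sample order information (OI) and payment information (PI).
SAMPLE_OI = b"merchant=ACME;item=SKU-42;qty=1;amount=19.99"
SAMPLE_PI = b"card=4111111111111111;exp=12/29;amount=19.99"

if __name__ == "__main__":
    msgs = dual_sign(SAMPLE_PI, SAMPLE_OI)
    print("merchant ok:", merchant_verify(*msgs["for_merchant"]))
    print("bank ok:    ", bank_verify(*msgs["for_bank"]))
    # Altering the order (or relinking the PI to another order) breaks the link.
    oi, pimd, ds = msgs["for_merchant"]
    print("tampered:   ", merchant_verify(oi + b";qty=100", pimd, ds))
```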

       
