Post on 08-Aug-2015
Secure Sockets Layer Protocol (SSL) for E-Commerce
By
Ramathan Hashm
Abdullatif Mohammed
Shahab M. Ali
Topics
• Web Security
• SSL (Secure Socket Layer)
• Uses Public Key Scheme
• SSL Architecture
• SSL Record Protocol
• SSL Change Cipher Spec Protocol
• SSL Alert Protocol
• SSL Handshake Protocol
• Security protocols used in E-commerce
• Reference
SSL for E-Commerce
Web Security
• The Web is now widely used by business, government and individuals.
• But the Internet and the Web are vulnerable: they face a variety of threats to
  • integrity
  • confidentiality
  • availability
  • authentication
• Hence added security mechanisms are needed.
SSL (Secure Socket Layer)
• SSL was introduced in 1995 by Netscape as a component of its popular Navigator browser, as a means of providing privacy for information transmitted between a user's browser and the target server, typically that of a merchant.
• A channel is the two-way communication stream established between the browser and the server. Channel security means three basic requirements are met:
  • The channel is reliable (integrity: modification of data in transit is detected).
  • The channel is private (confidentiality: data is encrypted after the initial handshake).
  • The channel is authenticated (the server, and optionally the client, proves its identity).
• SSL 3.0 was later superseded by TLS and is itself deprecated (SSL 2.0 by RFC 6176, SSL 3.0 by RFC 7568); the architecture described in the following slides is carried over into TLS.
Uses Public Key Scheme.
• SSL uses public-key cryptography for authentication and key exchange, and symmetric cryptography for bulk encryption of the data.
• The server (HTTP server) holds a public/private key pair:
  • the public key is published in an X.509 certificate, bound to the server's name and signed by a certificate authority the browser trusts;
  • the private key stays on the server and is used during the handshake (to decrypt the client's pre-master secret in RSA key exchange, or to sign the key-exchange parameters).
• The client (browser) normally has no key pair of its own; it only verifies the server's certificate. A client key pair and certificate are needed only when the server requests client authentication, which is rare in consumer e-commerce.
• The server's key pair is generated and certified when the site is provisioned, not by installing software; the certificate must be renewed before it expires and the pair replaced if the private key is compromised.
SSL Architecture (continued)
• SSL session
  • an association between client and server
  • created by the Handshake Protocol
  • defines a set of cryptographic parameters (cipher spec, compression method, master secret, peer certificate)
  • may be shared by multiple SSL connections, so a resumed connection can skip the expensive public-key part of the handshake
• SSL connection
  • a transient, peer-to-peer communications link
  • associated with one SSL session
  • has its own write keys, MAC secrets, IVs and sequence numbers, derived from the session's master secret and the two hello nonces
SSL Record Protocol
• Provides two services for SSL connections:
• confidentiality
  • using symmetric encryption with a shared secret key defined by the Handshake Protocol
  • ciphers specified for SSL 3.0: IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128 (the 40-bit variants are export-weakened and brute-forceable; RC4 and single DES are also considered broken today)
  • the message is compressed before encryption (compression is optional and in practice null)
• message integrity
  • using a MAC (Message Authentication Code) computed over the compressed fragment with a shared secret key and the record's implicit sequence number, so modification, replay and reordering of records are detected
• Operation: application data is fragmented into blocks of at most 2^14 bytes, optionally compressed, a MAC is appended, fragment plus MAC are encrypted, and a record header (content type, version, length) is prepended.
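The MAC step described above, worked through in Python as an added example (not code from the original slides). It implements the SSL 3.0 record MAC from RFC 6101 with hashlib, fragments a message into records, and shows that a modified, replayed or reordered record fails verification. The MAC secret is a constructed constant standing in for the value the Handshake Protocol would derive; encryption of fragment+MAC is omitted.

```python
import hashlib
import hmac
import struct

# SSL 3.0 record-layer constants (RFC 6101, section 5.2)
MAX_FRAGMENT = 2 ** 14            # plaintext fragment limit per record
APPLICATION_DATA = 23             # content type used below
PAD_1, PAD_2 = 0x36, 0x5C         # inner/outer padding bytes of the SSL 3.0 MAC

# Constructed stand-in for the client_write_MAC_secret that the Handshake Protocol
# would derive from the master secret; 20 bytes because SHA-1 is the MAC hash here.
MAC_SECRET = bytes(range(1, 21))


def ssl3_mac(mac_secret, seq_num, content_type, fragment, hash_name="sha1"):
    """SSL 3.0 record MAC (a pre-HMAC construction):
       hash(secret + pad_2 + hash(secret + pad_1 + seq_num + type + length + fragment)).
    The 64-bit sequence number is part of the MAC input although it is never sent,
    so a replayed or reordered record fails verification at the receiver."""
    pad_len = 40 if hash_name == "sha1" else 48     # 40 for SHA-1, 48 for MD5
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = hashlib.new(hash_name, mac_secret + bytes([PAD_1]) * pad_len + header + fragment).digest()
    return hashlib.new(hash_name, mac_secret + bytes([PAD_2]) * pad_len + inner).digest()


def protect(mac_secret, plaintext, content_type=APPLICATION_DATA, first_seq=0):
    """Sender side of the Record Protocol up to the MAC step: fragment the data into
    pieces of at most 2^14 bytes, apply (null) compression, and append a MAC to each.
    Encrypting fragment+MAC with the write key would be the next step (omitted)."""
    records = []
    for i, off in enumerate(range(0, len(plaintext), MAX_FRAGMENT)):
        frag = plaintext[off:off + MAX_FRAGMENT]
        seq = first_seq + i
        records.append((seq, content_type, frag, ssl3_mac(mac_secret, seq, content_type, frag)))
    return records


def verify(mac_secret, expected_seq, content_type, fragment, mac):
    """Receiver side: recompute the MAC with the receiver's own sequence counter and
    compare in constant time. A mismatch must trigger a fatal bad_record_mac alert."""
    return hmac.compare_digest(ssl3_mac(mac_secret, expected_seq, content_type, fragment), mac)


if __name__ == "__main__":
    recs = protect(MAC_SECRET, b"GET /checkout HTTP/1.0\r\n\r\n")
    seq, ct, frag, mac = recs[0]
    print("intact   :", verify(MAC_SECRET, 0, ct, frag, mac))
    print("tampered :", verify(MAC_SECRET, 0, ct, frag[:-1] + b"X", mac))
    print("replayed :", verify(MAC_SECRET, 1, ct, frag, mac))
```

Because the sequence number is implicit, both ends must keep their counters in lock-step; the receiver never trusts a sequence number from the wire.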
SSL Change Cipher Spec Protocol
• The Change Cipher Spec Protocol is one of the three SSL-specific protocols that use the SSL Record Protocol (the others are the Handshake and Alert Protocols).
• The change cipher spec message is sent by both the client and the server.
• The message consists of a single byte of value 1.
• It is sent near the end of the SSL handshake, after the key exchange and immediately before the sender's Finished message: it makes the pending cipher spec negotiated in the handshake the current one, so every record the sender transmits afterwards (starting with Finished) is protected with the new keys.
SSL Alert Protocol
• Each message in this protocol consists of two bytes (Figure). The first byte takes the value warning(1) or fatal(2) to convey the severity of the message.
• If the level is fatal, SSL immediately terminates the connection; the session may not be resumed and no new connections may be established under it.
• The second byte contains a code that indicates the specific alert.
• Like other content, alert messages are compressed and encrypted as specified by the current cipher state.
• First, we list those alerts that are always fatal (definitions from the SSL specification):
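A parser for the two control protocols just described, added here as an example that is not part of the original slides. It splits a byte string into SSL records using the record header, validates a ChangeCipherSpec body (single byte 0x01), decodes the alert level and description bytes using the SSL 3.0 alert codes from RFC 6101, and flags whether the connection must be torn down. It only handles records that are still in clear (those sent before ChangeCipherSpec takes effect, or a fatal alert from a failed handshake). The sample bytes are constructed.

```python
import struct

# Record-layer content types (RFC 6101, section 5.2.1)
CHANGE_CIPHER_SPEC, ALERT, HANDSHAKE, APPLICATION_DATA = 20, 21, 22, 23

ALERT_LEVELS = {1: "warning", 2: "fatal"}

# Alert descriptions defined for SSL 3.0 (RFC 6101, section 5.4)
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    30: "decompression_failure", 40: "handshake_failure", 41: "no_certificate",
    42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown", 47: "illegal_parameter",
}
# Alerts the specification defines as always fatal, whatever the level byte says.
ALWAYS_FATAL = {10, 20, 30, 40, 47}

HEADER = struct.Struct("!BBBH")   # content type, major version, minor version, fragment length

# Constructed sample: a ChangeCipherSpec record followed by a fatal handshake_failure alert,
# both with version 3.0.
SAMPLE = bytes.fromhex("14 0300 0001 01" "15 0300 0002 02 28")


def parse_records(data):
    """Split a byte string into SSL records; raise ValueError on truncation or malformed bodies."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < HEADER.size:
            raise ValueError("truncated record header at offset %d" % off)
        ctype, major, minor, length = HEADER.unpack_from(data, off)
        off += HEADER.size
        if length > 2 ** 14 + 2048:           # limit after compression and encryption
            raise ValueError("record length %d exceeds the protocol limit" % length)
        if off + length > len(data):
            raise ValueError("truncated record body at offset %d" % off)
        records.append(decode_record(ctype, (major, minor), data[off:off + length]))
        off += length
    return records


def decode_record(ctype, version, fragment):
    """Decode one plaintext record body according to its content type."""
    if ctype == CHANGE_CIPHER_SPEC:
        if fragment != b"\x01":
            raise ValueError("ChangeCipherSpec body must be the single byte 0x01")
        return {"type": "change_cipher_spec", "version": version}
    if ctype == ALERT:
        if len(fragment) != 2:
            raise ValueError("alert body must be exactly two bytes")
        level, desc = fragment
        return {
            "type": "alert", "version": version,
            "level": ALERT_LEVELS.get(level, "unknown(%d)" % level),
            "description": ALERT_DESCRIPTIONS.get(desc, "unknown(%d)" % desc),
            # Terminate on an explicit fatal level, and also when a peer mislabels an
            # always-fatal description as a warning: the conservative choice is to close.
            "terminate": level == 2 or desc in ALWAYS_FATAL,
        }
    names = {HANDSHAKE: "handshake", APPLICATION_DATA: "application_data"}
    return {"type": names.get(ctype, "unknown(%d)" % ctype), "version": version, "length": len(fragment)}


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        print(rec)
```

Unknown alert codes are reported rather than rejected, since later versions added descriptions that an SSL 3.0 table does not know; a truncated or oversized record, on the other hand, is a protocol error and is raised as one.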
SSL Handshake Protocol
• Allows server and client to:
  • authenticate each other (the server always; the client only if the server asks for a certificate)
  • negotiate the encryption and MAC algorithms (the cipher suite)
  • negotiate the cryptographic keys to be used
• Comprises a series of messages exchanged in four phases:
  • Establish Security Capabilities: ClientHello and ServerHello exchange protocol versions, random nonces, a session ID and the cipher suite and compression choices
  • Server Authentication and Key Exchange: Certificate, optional ServerKeyExchange and CertificateRequest, then ServerHelloDone
  • Client Authentication and Key Exchange: optional Certificate, ClientKeyExchange (for RSA: the pre-master secret encrypted with the server's public key), optional CertificateVerify
  • Finish: each side sends ChangeCipherSpec followed by a Finished message, a MAC over all handshake messages so far; if it fails to verify, the handshake was tampered with and the connection is aborted
• The handshake completes before any application data is sent; afterwards both sides hold the same master secret, derived from the pre-master secret and the two hello nonces, from which the per-connection keys are expanded.
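The key-negotiation step in the phases above, carried through as an added example (not code from the original slides): the SSL 3.0 derivation of the 48-byte master secret from the pre-master secret and both hello nonces, and the expansion of the master secret into the per-connection write MAC secrets, keys and IVs, as specified in RFC 6101 sections 6.1 and 6.2.2. The pre-master secret and the two nonces are constructed constants; in a real handshake the pre-master secret travels encrypted under the server's RSA public key, which is not modelled here, and the extra MD5 step for export cipher suites is omitted.

```python
import hashlib

# Constructed inputs. For RSA key exchange the pre-master secret is the 2-byte client
# version followed by 46 random bytes; the nonces are the 32-byte ClientHello.random
# and ServerHello.random exchanged in phase 1.
PRE_MASTER = b"\x03\x00" + bytes(range(100, 146))
CLIENT_RANDOM = bytes(range(0, 32))
SERVER_RANDOM = bytes(range(32, 64))


def _mix(secret, seed, n_blocks):
    """SSL 3.0 key-stretching step. Block i is MD5(secret + SHA1(label_i + secret + seed)),
    where label_i is the letter chr(ord('A') + i) repeated i + 1 times: 'A', 'BB', 'CCC', ..."""
    out = b""
    for i in range(n_blocks):
        label = bytes([ord("A") + i]) * (i + 1)
        inner = hashlib.sha1(label + secret + seed).digest()
        out += hashlib.md5(secret + inner).digest()
    return out


def master_secret(pre_master_secret, client_random, server_random):
    """RFC 6101 section 6.1: three MD5 blocks = 48-byte master secret.
    Seed order is ClientHello.random + ServerHello.random."""
    return _mix(pre_master_secret, client_random + server_random, 3)


def key_block(master, client_random, server_random, mac_size, key_size, iv_size):
    """RFC 6101 section 6.2.2: expand the master secret (note the reversed nonce order,
    ServerHello.random first) until enough bytes exist, then partition into the six
    per-connection write parameters. Sizes depend on the negotiated cipher suite, e.g.
    SHA-1 MAC (20) with RC4-128 (16, no IV) or DES-CBC (8, IV 8)."""
    needed = 2 * (mac_size + key_size + iv_size)
    n_blocks = -(-needed // 16)                  # ceiling: each block yields 16 MD5 bytes
    block = _mix(master, server_random + client_random, n_blocks)
    names = ["client_write_mac_secret", "server_write_mac_secret",
             "client_write_key", "server_write_key",
             "client_write_iv", "server_write_iv"]
    sizes = [mac_size, mac_size, key_size, key_size, iv_size, iv_size]
    params, off = {}, 0
    for name, size in zip(names, sizes):
        params[name] = block[off:off + size]
        off += size
    return params


if __name__ == "__main__":
    ms = master_secret(PRE_MASTER, CLIENT_RANDOM, SERVER_RANDOM)
    print("master_secret:", ms.hex())
    for name, value in key_block(ms, CLIENT_RANDOM, SERVER_RANDOM, 20, 16, 0).items():
        print("%-24s %s" % (name, value.hex()))
```

Both endpoints run exactly this computation on the same inputs, which is why only the pre-master secret needs confidentiality: the nonces are public, but without the pre-master secret an eavesdropper cannot reproduce the master secret or any of the derived keys.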
SSL: Where is it used?
• SSL is everywhere!
  • Browsers
  • Email
  • Routers
  • Automobile communications
  • Sensors
  • Smart power meters
• And much more!
How many web sites use SSL?
• Alexa Top 1M sites: about 120,000 (12%) use SSL; the remaining 88% do not.
(Info graphic: pie chart of SSL versus no SSL.)
Security protocols used in E-commerce
• E-commerce, whether secured with SSL or with SET (Secure Electronic Transaction), usually relies on the existing credit and debit card payment infrastructure.
• The three major players in this infrastructure are customers, merchants and financial institutions (the card issuer and the merchant's acquiring bank).
• SSL secures only the communication between the first two players (the customer and the merchant): the merchant receives the card details in the clear and must protect them itself. SET provides security for the communication among all three players and, in particular, keeps the card number hidden from the merchant.
Reference
• William Stallings, Cryptography and Network Security, 4th edition.
• Behrouz Forouzan, Cryptography and Network Security.