SSL for E-Commerce

Secure Sockets Layer Protocol (SSL) for E-Commerce. By Ramathan Hashm Abdullatif Mohammed Shahab M.Ali

Topics
• Web Security
• SSL (Secure Socket Layer)
• Uses Public Key Scheme
• SSL Architecture
• SSL Record Protocol
• SSL Change Cipher Spec Protocol
• SSL Alert Protocol
• SSL Handshake Protocol
• Security protocols used in E-commerce
• Reference

Web Security

• The Web is now widely used by business, government and individuals.
• But the Internet and the Web are vulnerable.
• They face a variety of threats to:
  • integrity
  • confidentiality
  • availability
  • authentication
• Added security mechanisms are needed.

SSL (Secure Socket Layer)

• It was introduced in 1995 by Netscape as a component of its popular Navigator browser, as a means of providing privacy for information transmitted between a user's browser and the target server, typically that of a merchant.
• A channel is the two-way communication stream established between the browser and the server, and the definition of channel security indicates three basic requirements:
  • The channel is reliable.
  • The channel is private.
  • The channel is authenticated.

Uses Public Key Scheme

• Each client-server pair uses:
  • 2 public keys
    • one for client (browser)
      • created when browser is installed on client machine
    • one for server (http server)
      • created when server is installed on server hardware
  • 2 private keys
    • one for client browser
    • one for server (http server)

SSL Architecture

SSL Architecture (continued)

• SSL session
  • an association between client & server
  • created by the Handshake Protocol
  • defines a set of cryptographic parameters
  • may be shared by multiple SSL connections
• SSL connection
  • a transient, peer-to-peer, communications link
  • associated with 1 SSL session

SSL Record Protocol

• confidentiality
  • using symmetric encryption with a shared secret key defined by Handshake Protocol
  • IDEA, RC2-40, DES-40, DES, 3DES, Fortezza, RC4-40, RC4-128
  • message is compressed before encryption
• message integrity
  • using a MAC (Message Authentication Code) created using a shared secret key and a short message

SSL Change Cipher Spec Protocol

• Change Cipher Spec Protocol layer in SSL.
• One of 3 SSL-specific protocols which use the SSL Record Protocol.
• The change cipher spec message is sent by both the client and server.
• The message consists of a single byte of value 1.
• The change cipher spec message is normally sent at the end of the SSL handshake.

SSL Alert Protocol

• Each message in this protocol consists of two bytes (Figure). The first byte takes the value warning(1) or fatal(2) to convey the severity of the message.
• If the level is fatal, SSL immediately terminates the connection.
• The second byte contains a code that indicates the specific alert.

• First, we list those alerts that are always fatal (definitions from the SSL specification):
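
As an added example (not part of the original slides), this Python code parses plaintext SSL records and checks the two message formats described above: the single-byte Change Cipher Spec message and the two-byte Alert message. The record header layout, content-type numbers and alert codes are assumptions taken from the SSL 3.0 specification rather than from the slides, and the sample bytes are constructed.

```python
import struct

# Constants from the SSL 3.0 specification (RFC 6101), not from the slides.
CT_CHANGE_CIPHER_SPEC, CT_ALERT = 20, 21
LEVELS = {1: "warning", 2: "fatal"}
ALERTS = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          30: "decompression_failure", 40: "handshake_failure",
          41: "no_certificate", 42: "bad_certificate",
          43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown",
          47: "illegal_parameter"}
ALWAYS_FATAL = {10, 20, 30, 40, 47}


def parse_records(data):
    """Split a byte stream into (content_type, version, fragment) records."""
    pos, records = 0, []
    while pos < len(data):
        if len(data) - pos < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack_from("!BBBH", data, pos)
        fragment = data[pos + 5:pos + 5 + length]
        if len(fragment) != length:
            raise ValueError("truncated record fragment")
        records.append((ctype, (major, minor), fragment))
        pos += 5 + length
    return records


def describe(ctype, fragment):
    """Validate and describe a plaintext ChangeCipherSpec or Alert fragment."""
    if ctype == CT_CHANGE_CIPHER_SPEC:
        if fragment != b"\x01":
            raise ValueError("change_cipher_spec must be a single byte of value 1")
        return "change_cipher_spec"
    if ctype == CT_ALERT:
        if len(fragment) != 2:
            raise ValueError("alert must be exactly two bytes")
        level, code = fragment
        if level not in LEVELS:
            raise ValueError(f"invalid alert level {level}")
        if code in ALWAYS_FATAL and level != 2:
            raise ValueError(f"{ALERTS[code]} sent below fatal level")
        return f"alert {LEVELS[level]} {ALERTS.get(code, f'unknown({code})')}"
    return f"content type {ctype} ({len(fragment)} bytes)"


# Constructed sample: SSL 3.0 records carrying CCS, a warning and a fatal alert.
SAMPLE = bytes.fromhex("1403000001" "01" "1503000002" "0100" "1503000002" "0228")
```

Alerts sent after the cipher spec is active are encrypted on the wire, so this check applies only to records that are still in plaintext.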

SSL Handshake Protocol

• Allows server & client to:
  • authenticate each other
  • negotiate encryption & MAC algorithms
  • negotiate cryptographic keys to be used
• Comprises a series of messages in phases:
  • Establish Security Capabilities
  • Server Authentication and Key Exchange
  • Client Authentication and Key Exchange
  • Finish

SSL: Where is it used?

• SSL is Everywhere!
  • Browsers
  • Email
  • Routers
  • Automobile Communications
  • Sensors
  • Smart Power Meters
• And much more!!

How many web sites use SSL?

• Alexa Top 1M Sites
  • 120,000 use SSL (12%)

[Pie chart: SSL 12%, no SSL 88%]

Security protocols used in E-commerce

• E-commerce, whether with SSL or SET, usually uses the credit and debit card payment infrastructure.
• The three major players in this infrastructure are customers, merchants and financial institutions.
• We will see that SSL provides security for communication between the first two players (the customer and the merchant), while SET provides security for communication among all three players.

E-commerce sites that use SSL

• Amazon
• eBay
• PayPal
• Payoneer
• And more

Reference

• William Stallings, Cryptography and Network Security, Fourth Edition.
• Behrouz Forouzan, Cryptography and Network Security.
