SlideShare a Scribd company logo

web security

Chirag Patel, profile picture
Chirag Patel

This document discusses various aspects of web security including common threats, countermeasures, security facilities, Secure Socket Layer (SSL) architecture and protocols, and the Secure Electronic Transaction (SET) protocol. It outlines threats like integrity issues, confidentiality breaches, denial of service attacks and authentication problems. It then describes countermeasures like encryption, web proxies, and cryptographic techniques. It provides details on SSL components like sessions, connections, record protocol, handshake protocol and cipher specifications. Finally, it outlines the business requirements and features of SET for secure online transactions.

Engineering
Related topics:
Network SecurityWeb Security Overview
1 of 22
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
Web Security
Web Security Threats Threats Consequences Counter Measures Integrity Modification of user data, memory or message traffic Loss of Information, Compromise of machine Cryptographic of checksum Confidentiality Eavesdropping on the Net Theft of into from server/client Info about Network Configuration Loss of Information and Privacy Encryption and Web Proxies Denial of Service Killing of user Threads Flooding machines with bogus requests Filling up Disk or Memory Isolating machine by DNS attack Prevent user from getting work Done Difficult to prevent Authentication Impersonation of legitimate user Misrepresentation of user Belief that false information is valid Cryptographic techniques
Security Facilities HTTP FTP SMTP TCP IP / IPSec HTTP FTP SMTP SSL or TLS TCP IP S/MIME PGP SET Kerberos SMTP HTTP UDP TCP IP Network Level Transport Level Application Level
Secure Socket Layer SSL Architecture Handshake Protocol Change Cipher Spec Protocol Alert Protocol HTTP SSL Record Protocol TCP IP
Secure Socket Layer Connection Session A connection is a transport that provides a suitable type of service. For SSL its peer-to-peer relationship They are transient. Associated with one session. Association between Client and Server Created by handshake protocol Defines security parameters Shared among multiple connections Avoid expensive negotiation of new security parameters
Secure Socket Layer Session Session Identifier Peer Certificate Compression Method Cipher Spec Master Secret Is Resumable Connection Server and Client Random Server write MAC secret Client write MAC secret Server write Key Client Write Key Initialization Vector Sequence Number Parameters
Secure Socket Layer Protocols SSL Record Protocol Handshake Protocol Change Cipher Spec Protocol Alert Protocol
SSL Record Protocol Provides Confidentiality Message Integrity
SSL Record Protocol Hash( MAC_write_secret ||pad_2 || hash(MAC_write_secret || pad_1 || seq_num || SSLCompressed.type || SSLCompressed.length || SSLCompressed.fragment ) )
SSL Record Protocol SSL Record Protocol Header Content Type : The higher layer Protocol Major Version : For SSlv3 its value is 3 Minor Version : For SSlv3 its value is 0 Compressed Length : The length of bytes of Plaintext fragment
SSL Handshake Protocol
SSL Handshake Protocol
SSL Handshake Protocol
SSL Handshake Protocol
SSL Change Cipher Specification Protocol a single message. causes pending state to become current. hence updating the cipher suite in use.
SSL Alert Protocol conveys SSL-related alerts to peer entity Severity warning or fatal Specific alert fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown compressed & encrypted like all SSL data
Secure Electronic Transaction Business Requirements • Provide confidentiality of PAYMENT and ORDERING info. • Ensure the integrity of all TRANSMITTED data • Provide authentication that a card holder is a LEGITIMATE user • Provide authentication that a merchant can accept credit card transaction • Ensure the use of best security practices and system design techniques • Create protocol that doesn’t depends on transport security mechanism.
Secure Electronic Transaction Features of SET • Confidentiality of INFORMATION • Integrity of DATA • Cardholder account authentication • Merchant authentication
Secure Electronic Transaction SET Participants
Secure Electronic Transaction SET Transaction 1. customer opens account 2. customer receives a certificate 3. merchants have their own certificates 4. customer places an order 5. merchant is verified 6. order and payment are sent 7. merchant requests payment authorization 8. merchant confirms order 9. merchant provides goods or service 10.merchant requests payment
Secure Electronic Transaction SET Transaction
Secure Electronic Transaction Dual Signature • customer creates dual messages • order information (OI) for merchant • payment information (PI) for bank • neither party needs details of other • but must know they are linked

More Related Content

PPTX
Transport Layer Security (TLS)
Arun Shukla
 
PPT
Web Security
Ram Dutt Shukla
 
PPTX
Web Security and SSL - Secure Socket Layer
Akhil Nadh PC
 
PDF
SSL/TLS
pavansmiles
 
PDF
Web Security
Dr.Florence Dayana
 
PDF
SSL Secure socket layer
Ahmed Elnaggar
 
PPT
Lecture 6 web security
rajakhurram
 
PPT
Secure Socket Layer
Naveen Kumar
 
Transport Layer Security (TLS)
Arun Shukla
 
Web Security
Ram Dutt Shukla
 
Web Security and SSL - Secure Socket Layer
Akhil Nadh PC
 
SSL/TLS
pavansmiles
 
Web Security
Dr.Florence Dayana
 
SSL Secure socket layer
Ahmed Elnaggar
 
Lecture 6 web security
rajakhurram
 
Secure Socket Layer
Naveen Kumar
 

What's hot (20)

PPT
SSL & TLS Architecture short
Avirot Mitamura
 
PPT
Security
majstors
 
PPTX
Securing TCP connections using SSL
Sagar Mali
 
PPT
Web Security
Ram Dutt Shukla
 
PPTX
Secure Socket Layer
Abhishek Gupta
 
PPTX
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
Monodip Singha Roy
 
PPTX
SSL overview
Todd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
PDF
SSl/TLS Analysis
Duduman Bogdan Vlad
 
PPTX
Secure Socket Layer (SSL)
Samip jain
 
PPTX
Secure Socket Layer
Pina Parmar
 
PPT
SSL
theekuchi
 
PPT
Secure Socket Layer (SSL)
amanchaurasia
 
PPTX
Introduction to SSL and How to Exploit & Secure
Brian Ritchie
 
PPTX
Ssl in a nutshell
Frank Kelly
 
DOCX
S/MIME
maria azam
 
PPT
Ssl (Secure Sockets Layer)
Asad Ali
 
PPSX
Secure socket layer
Nishant Pahad
 
PPT
What is SSL ? The Secure Sockets Layer (SSL) Protocol
Mohammed Adam
 
PDF
Basics of ssl
n|u - The Open Security Community
 
PPT
SSL
Duy Do Phan
 
SSL & TLS Architecture short
Avirot Mitamura
 
Security
majstors
 
Securing TCP connections using SSL
Sagar Mali
 
Web Security
Ram Dutt Shukla
 
Secure Socket Layer
Abhishek Gupta
 
PPT ON WEB SECURITY BY MONODIP SINGHA ROY
Monodip Singha Roy
 
SSL overview
Todd Benson (I.T. SPECIALIST and I.T. SECURITY)
 
SSl/TLS Analysis
Duduman Bogdan Vlad
 
Secure Socket Layer (SSL)
Samip jain
 
Secure Socket Layer
Pina Parmar
 
SSL
theekuchi
 
Secure Socket Layer (SSL)
amanchaurasia
 
Introduction to SSL and How to Exploit & Secure
Brian Ritchie
 
Ssl in a nutshell
Frank Kelly
 
S/MIME
maria azam
 
Ssl (Secure Sockets Layer)
Asad Ali
 
Secure socket layer
Nishant Pahad
 
What is SSL ? The Secure Sockets Layer (SSL) Protocol
Mohammed Adam
 
Basics of ssl
n|u - The Open Security Community
 
SSL
Duy Do Phan
 
Ad

Similar to web security (20)

PDF
Vtu network security(10 ec832) unit 5 notes.
Jayanth Dwijesh H P
 
PDF
Network Security_Module_2_Dr Shivashankar
Dr. Shivashankar
 
PPT
Web securiy - Network security essentials
ssuser000e54
 
DOCX
Unit 6
Vinod Kumar Gorrepati
 
PPTX
Module2 PPrwgerbetytbteynyunyunythyhtyT.pptx
ThanushB1
 
PDF
BAIT1103 Chapter 4
limsh
 
PPT
2 - IP Security2 - IP Security2 - IP Security2 - IP Security
lixir25483
 
PPTX
Network Security- Secure Socket Layer
Dr.Florence Dayana
 
PPTX
Secure Sockets Layer (SSL)
BGSBU Rajouri
 
PPTX
Secure Socket Layer.pptx
Jenish Prajapati
 
PPT
Web security
Subhash Basistha
 
PDF
Network Security_Module_2.pdf
Dr. Shivashankar
 
PPT
ngrubksgj.pptdagji;jgisofjapfjagiahguhkg
jayewi2029
 
PPT
Secure socket later
Muhammad Ahmad Nazar
 
PPTX
ssl-tls-ipsec-vpn.pptx
jithu26327
 
PPT
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
SonukumarRawat
 
PPTX
1643129870-internet-security.pptx
MARIA401634
 
PPTX
SECURE SOCKET LAYER ( WEB SECURITY )
Monodip Singha Roy
 
PPTX
SSL And TLS
Ghanshyam Patel
 
PPTX
Ssl (Secure Socket Layer)
Sandeep Gupta
 
Vtu network security(10 ec832) unit 5 notes.
Jayanth Dwijesh H P
 
Network Security_Module_2_Dr Shivashankar
Dr. Shivashankar
 
Web securiy - Network security essentials
ssuser000e54
 
Unit 6
Vinod Kumar Gorrepati
 
Module2 PPrwgerbetytbteynyunyunythyhtyT.pptx
ThanushB1
 
BAIT1103 Chapter 4
limsh
 
2 - IP Security2 - IP Security2 - IP Security2 - IP Security
lixir25483
 
Network Security- Secure Socket Layer
Dr.Florence Dayana
 
Secure Sockets Layer (SSL)
BGSBU Rajouri
 
Secure Socket Layer.pptx
Jenish Prajapati
 
Web security
Subhash Basistha
 
Network Security_Module_2.pdf
Dr. Shivashankar
 
ngrubksgj.pptdagji;jgisofjapfjagiahguhkg
jayewi2029
 
Secure socket later
Muhammad Ahmad Nazar
 
ssl-tls-ipsec-vpn.pptx
jithu26327
 
WEB SECURITY CRYPTOGRAPHY PPTeriu8t erhiut.ppt
SonukumarRawat
 
1643129870-internet-security.pptx
MARIA401634
 
SECURE SOCKET LAYER ( WEB SECURITY )
Monodip Singha Roy
 
SSL And TLS
Ghanshyam Patel
 
Ssl (Secure Socket Layer)
Sandeep Gupta
 
Ad

Recently uploaded (20)

PDF
TFEC-4-2020-Design-Guide-for-Timber-Roof-Trusses.pdf
AinieButt1
 
PPTX
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
PDF
composite construction of structures.pdf
AinieButt1
 
PPTX
additive manufacturing of ss316l using mig welding
premcdr7799
 
PDF
Automation-in-Manufacturing-Chapter-Introduction.pdf
pcmth867
 
PPTX
Geodesy 1.pptx...............................................
abhi1361yadav
 
PPTX
Welding lecture in detail for understanding
sahilpoonia10
 
PDF
R24 SURVEYING LAB MANUAL for civil enggi
MNANDITHACIVILSTAFF
 
PPTX
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
ssusera400e8
 
PDF
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks
IJCNCJournal
 
PDF
Operating System & Kernel Study Guide-1 - converted.pdf
mranoninvisib16
 
DOCX
573137875-Attendance-Management-System-original
AYUSHMANAV
 
PDF
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
PPT
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 
PDF
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
smceramu
 
PDF
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
PPTX
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
PDF
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
PPTX
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
PPTX
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 
TFEC-4-2020-Design-Guide-for-Timber-Roof-Trusses.pdf
AinieButt1
 
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
composite construction of structures.pdf
AinieButt1
 
additive manufacturing of ss316l using mig welding
premcdr7799
 
Automation-in-Manufacturing-Chapter-Introduction.pdf
pcmth867
 
Geodesy 1.pptx...............................................
abhi1361yadav
 
Welding lecture in detail for understanding
sahilpoonia10
 
R24 SURVEYING LAB MANUAL for civil enggi
MNANDITHACIVILSTAFF
 
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
ssusera400e8
 
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks
IJCNCJournal
 
Operating System & Kernel Study Guide-1 - converted.pdf
mranoninvisib16
 
573137875-Attendance-Management-System-original
AYUSHMANAV
 
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 
SM_6th-Sem__Cse_Internet-of-Things.pdf IOT
smceramu
 
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 

web security

  • 2. Web Security Threats Threats Consequences Counter Measures Integrity Modification of user data, memory or message traffic Loss of Information, Compromise of machine Cryptographic of checksum Confidentiality Eavesdropping on the Net Theft of into from server/client Info about Network Configuration Loss of Information and Privacy Encryption and Web Proxies Denial of Service Killing of user Threads Flooding machines with bogus requests Filling up Disk or Memory Isolating machine by DNS attack Prevent user from getting work Done Difficult to prevent Authentication Impersonation of legitimate user Misrepresentation of user Belief that false information is valid Cryptographic techniques
  • 3. Security Facilities HTTP FTP SMTP TCP IP / IPSec HTTP FTP SMTP SSL or TLS TCP IP S/MIME PGP SET Kerberos SMTP HTTP UDP TCP IP Network Level Transport Level Application Level
  • 4. Secure Socket Layer SSL Architecture Handshake Protocol Change Cipher Spec Protocol Alert Protocol HTTP SSL Record Protocol TCP IP
  • 5. Secure Socket Layer Connection Session A connection is a transport that provides a suitable type of service. For SSL its peer-to-peer relationship They are transient. Associated with one session. Association between Client and Server Created by handshake protocol Defines security parameters Shared among multiple connections Avoid expensive negotiation of new security parameters
  • 6. Secure Socket Layer Session Session Identifier Peer Certificate Compression Method Cipher Spec Master Secret Is Resumable Connection Server and Client Random Server write MAC secret Client write MAC secret Server write Key Client Write Key Initialization Vector Sequence Number Parameters
  • 7. Secure Socket Layer Protocols SSL Record Protocol Handshake Protocol Change Cipher Spec Protocol Alert Protocol
  • 9. SSL Record Protocol Hash( MAC_write_secret ||pad_2 || hash(MAC_write_secret || pad_1 || seq_num || SSLCompressed.type || SSLCompressed.length || SSLCompressed.fragment ) )
  • 10. SSL Record Protocol SSL Record Protocol Header Content Type : The higher layer Protocol Major Version : For SSlv3 its value is 3 Minor Version : For SSlv3 its value is 0 Compressed Length : The length of bytes of Plaintext fragment
  • 15. SSL Change Cipher Specification Protocol a single message. causes pending state to become current. hence updating the cipher suite in use.
  • 16. SSL Alert Protocol conveys SSL-related alerts to peer entity Severity warning or fatal Specific alert fatal: unexpected message, bad record mac, decompression failure, handshake failure, illegal parameter warning: close notify, no certificate, bad certificate, unsupported certificate, certificate revoked, certificate expired, certificate unknown compressed & encrypted like all SSL data
  • 17. Secure Electronic Transaction Business Requirements • Provide confidentiality of PAYMENT and ORDERING info. • Ensure the integrity of all TRANSMITTED data • Provide authentication that a card holder is a LEGITIMATE user • Provide authentication that a merchant can accept credit card transaction • Ensure the use of best security practices and system design techniques • Create protocol that doesn’t depends on transport security mechanism.
  • 18. Secure Electronic Transaction Features of SET • Confidentiality of INFORMATION • Integrity of DATA • Cardholder account authentication • Merchant authentication
  • 20. Secure Electronic Transaction SET Transaction 1. customer opens account 2. customer receives a certificate 3. merchants have their own certificates 4. customer places an order 5. merchant is verified 6. order and payment are sent 7. merchant requests payment authorization 8. merchant confirms order 9. merchant provides goods or service 10.merchant requests payment
  • 22. Secure Electronic Transaction Dual Signature • customer creates dual messages • order information (OI) for merchant • payment information (PI) for bank • neither party needs details of other • but must know they are linked