
Web Security: Secure Electronic Transaction - PowerPoint PPT Presentation



  1. Web Security: Secure Electronic Transaction
     Cunsheng Ding
     HKUST, Hong Kong, CHINA

  2. Secure Electronic Transactions
     • An application-layer security mechanism, consisting of a set of protocols.
     • Protects credit card transactions on the Internet.
     • Companies involved:
       – MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign
     • Not a payment system.
     • It has a complex specification:
       – described in 3 books, with 971 pages
     C. Ding -- COMP685C -- L25 2

  3. SET Services
     • Provides a secure communication channel in a transaction.
     • Provides trust by the use of X.509v3 digital certificates.
     • Ensures privacy and data integrity.

  4. SET Overview
     • Key Features of SET:
       – Confidentiality of information
       – Integrity of data
       – Cardholder account authentication
       – Merchant authentication

  5. SET Participants
     • Cardholder, Merchant
     • Issuer: cardholder’s bank
     • Acquirer: merchant’s bank
     • Payment Gateway: operated by the Acquirer for payment processing.
     • Certificate Authority (CA): a trusted authority that issues X.509v3 public-key certificates for cardholders, merchants, and payment gateways.

  6. SET Participants

  7. Steps for transactions
     • Customer opens the account and receives a certificate from the CA
     • Merchants have their own certificates
     • Customer places an order
     • Merchant is verified by Customer
     • Order and payment are sent
     • Merchant requests payment authorization
     • Merchant confirms order and provides goods or service
     • Merchant requests payment

  8. Dual Signature
     • Purpose is to link two messages that are intended for two different recipients
     • Merchant does not need to know customer’s credit card number
     • Bank does not need to know customer’s order details
     • But both items must be linked to resolve any disputes if required

  9. Construction of Dual Signature
     [Figure: PI → H → PIMD; OI → H → OIMD; PIMD || OIMD → H → POMD → D with Kd(c) → Dual Signature]
     PI = Payment Information
     OI = Order Information
     PIMD = PI message digest
     OIMD = OI message digest
     POMD = Payment order message digest
     H = Hash function (SHA-1)
     D = Decryption
     || = Concatenation
     Kd(c) = Customer’s private signature key

  10. Phase 1
     [Figure: Phase 1 message flow between customer and merchant, steps numbered 1.1 to 1.5. Labels: 1.1 Initial request (ID, nonce); Merchant certificate, initial response; Verify merchant; Order & payment information; Verify customer]

  11. Initial Request and Response
     Initial Request
     • The brand (kind, grade) of the credit card the customer is using.
     • An ID assigned to this request/response pair for identifying this pair.
     • A nonce used to ensure timeliness.
     Initial Response
     • A signed response:
       – The nonce from the customer, another nonce for the customer to return in the next message.
       – A transaction ID.
     • Merchant’s signature certificate.
     • Payment gateway’s key exchange certificate.

  12. Customer Verifies Merchant
     • The Customer then uses the Merchant’s public signature key to verify the signature of the merchant.
     Remark: The detailed verification depends on the underlying (signing, verification) algorithms.

  13. Purchase request
     [Figure: request message. Part passed on by merchant to payment gateway: PI + Dual Signature + OIMD encrypted (E) under Ks, plus the Digital Envelope (E under Ke(b)). Part received by merchant: PIMD + OI + Dual Signature + Cardholder certificate]
     Ks = Temporary symmetric key
     Ke(b) = Bank’s public key-exchange key
     E = Encryption (RSA for asymmetric; DES for symmetric)

  14. Payment / Order Related Information
     • Payment-related
       • The PI: payment information
       • The dual signature
       • The OIMD
         – OI message digest
       • The digital envelope
         – it contains secret key
     • Order-related
       • The OI
       • The dual signature
       • The PIMD
         – PI message digest

  15. Verification of Purchase Request and Customer by Merchant: Pictorial
     [Figure: request message. The payment part and the Digital Envelope are passed on by merchant to payment gateway. The merchant computes OIMD = H(OI) and POMD = H(PIMD || OIMD), applies E with Ke(c) to the Dual Signature to obtain POMD, and compares the two POMD values; the Cardholder certificate is part of the request]
     E = Encryption (RSA)
     Ke(c) = Customer’s public key
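The dual-signature construction of slide 9 and the merchant's check of slide 15, as an added Python example that is not part of the original slides. It uses unpadded textbook RSA with a small constructed key to mirror the slides' D/E notation, which is not secure for real use; the key, the sample PI/OI strings and the function names are assumptions, and `gateway_verify` generalizes the merchant's check to the other recipient.

```python
import hashlib

# Toy cardholder key, constructed for this example. Unpadded textbook RSA over
# two Mersenne primes is NOT secure; it only mirrors the slides' D/E notation.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                              # ~216-bit modulus, larger than a SHA-1 digest
D = pow(E, -1, (P - 1) * (Q - 1))      # private signature exponent, Kd(c)

def H(data: bytes) -> bytes:
    """H on the slides: SHA-1."""
    return hashlib.sha1(data).digest()

def pomd(pimd: bytes, oimd: bytes) -> int:
    """POMD = H(PIMD || OIMD), as an integer for the RSA operation."""
    return int.from_bytes(H(pimd + oimd), "big")

def dual_sign(pi: bytes, oi: bytes) -> int:
    """Cardholder: DS = D_Kd(c)( H( H(PI) || H(OI) ) )."""
    return pow(pomd(H(pi), H(oi)), D, N)

def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI and PIMD only; it never sees PI (the card data)."""
    return pow(ds, E, N) == pomd(pimd, H(oi))

def gateway_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Payment gateway holds PI and OIMD only; it never sees OI."""
    return pow(ds, E, N) == pomd(H(pi), oimd)

# Constructed sample messages (placeholders, not real card data)
PI = b"card=PLACEHOLDER-PAN;amount=100.00;txn=42"
OI = b"txn=42;items=1x book"
DS = dual_sign(PI, OI)

if __name__ == "__main__":
    print("merchant accepts:", merchant_verify(OI, H(PI), DS))
    print("gateway accepts: ", gateway_verify(PI, H(OI), DS))
    # A different order paired with the same signature is rejected: the link holds.
    print("altered OI:      ", merchant_verify(b"txn=42;items=99x book", H(PI), DS))
```

Each recipient verifies the same signature while seeing only the digest of the other party's message, which is what lets a dispute be resolved later without either side having learned the other half.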

  16. Phase 2: Authorization Request

  17. Authorization Request: Merchant ==> Payment Gateway
     • Payment-related
       • The PI: payment information
       • The dual signature
       • The OIMD
         – OI message digest
       • The digital envelope
     • Authorization-related
       • An authorization block:
         – transaction ID, signed with merchant’s private key, and encrypted with a session key generated by the merchant.
       • A digital envelope:
         – session key encrypted with the gateway’s public key.
     Cardholder’s certificate

  18. The follow-up by the Gateway
     • Verifies all certificates.
     • Decrypts the digital envelope of the authorization block to obtain the session key and then decrypts the authorization block.
     • Verifies the merchant’s signature on the authorization block.
     • Decrypts the digital envelope of the payment block to obtain the symmetric key and then decrypts the payment block.
     • Verifies that the transaction ID received from the merchant matches that in the PI received (indirectly) from the customer.

  19. Phase 3: Requests and receives an authorization from the issuer

  20. Phase 4: Authorization Response

  21. Authorization Response
     • Authorization-related information:
       – authorization block, signed with gateway’s private key and encrypted with a session key generated by the Gateway.
       – An envelope, the session key encrypted with the merchant’s public key.
     • Capture token information:
       – This information will be used to effect payment later.
       – It has the same form as the authorization-related information above.
     • Certificate: The gateway’s signature key certificate.

  22. Phases 5 and 6
     • Phase 5:
       – Merchant delivers goods after getting the authorization response from the payment gateway.
     • Phase 6: Payment capture
       – involves all parties.
       – Details omitted.

  23. Security
     • SET has been developed to make trading via the Internet secure.
     • It ensures:
       – That both parties are "genuine".
       – That the customer is protected against misuse of payment cards.
       – That alterations cannot be made to orders without being discovered.
       – That orders can only be read by the customer and the company concerned.
       – That payment information can only be read by the acquirer and the customer.

  24. References
     • W. Stallings, Cryptography and Network Security, 3/e, Pearson, 2003.
     • S. Macgregor, Web Security & Commerce. Cambridge, MA: O’Reilly and Associates, 1997.
     • G. Drew, Using SET for Secure Electronic Commerce. Upper Saddle River, NJ: Prentice Hall, 1999.
