Explain The Client/server Architecture of Web. - 10: Unit - V Web Security
Web Security
Network Layer:
o The advantage of using IPSec is that it is transparent to end users and applications
and provides a general-purpose solution.
o IPSec includes a filtering capability so that only selected traffic need incur the
overhead of IPSec processing.
Transport Layer:
o Secure Sockets Layer (SSL) and its improved version known as Transport Layer
Security (TLS) are part of the underlying protocol suite and transparent to
applications.
o SSL can be embedded in specific packages. For example, the Netscape and Microsoft
Explorer browsers come equipped with SSL, and most Web servers have implemented
the protocol.
Application Layer:
o Application-specific security services are embedded within the particular application.
o The advantage of this approach is that the service can be tailored to the specific needs
of a given application.
o Examples: Secure Electronic Transaction (SET), Secure/Multipurpose Internet Mail
Extension (S/MIME), Pretty Good Privacy (PGP).
=== * ===
Explain the importance of SSL/TLS for secure web services. – 10
SSL provides transport layer security.
SSL/TLS allows for either server-only authentication or server-client authentication.
In Server-only authentication,
o The client receives the server’s certificate.
o The client verifies the server’s certificate and generates a secret key that it
then encrypts with the server’s public key.
o The client sends the encrypted secret key to the server; the server decrypts it
with its own private key and subsequently uses the client-generated secret key
to encrypt the messages meant for the client.
The message exchanges between client and server can be explained in four phases:
Phase 1: Establish Security Capabilities
Phase 2: Server Authentication and Key Exchange
Phase 3: Client Authentication and Key Exchange
Phase 4: Finish
At this point the handshake is complete and the client and server may begin to exchange
application layer data.
=== * ===
OR
Explain SSL handshake protocol – 10
Handshake Protocol
The Handshake Protocol allows the server and client to authenticate each other and to
negotiate an encryption and MAC algorithm and cryptographic keys to be used to
protect data sent in an SSL record.
The Handshake Protocol is used before any application data are transmitted.
The Handshake Protocol consists of a series of messages exchanged by client and
server.
Each message has three fields:
o Type: Indicates the type of message exchanged between client and server.
o Length: The length of the message in bytes.
o Content: The parameters associated with the message.
The message exchanges between client and server can be explained in four phases:
Phase 1: Establish Security Capabilities
Phase 2: Server Authentication and Key Exchange
Phase 3: Client Authentication and Key Exchange
Phase 4: Finish
The steps of the four phases of the TLS Handshake Protocol are summarized below:
1. The client sends a "Client hello" message to the server, along with the client's random
value and supported cipher suites.
2. The server responds by sending a "Server hello" message to the client, along with the
server's random value.
3. The server sends its certificate to the client for authentication and may request a
certificate from the client. The server sends the "Server hello done" message.
4. If the server has requested a certificate from the client, the client sends it.
5. The client creates a random Pre-Master Secret and encrypts it with the public key
from the server's certificate, sending the encrypted Pre-Master Secret to the server.
6. The server receives the Pre-Master Secret. The server and client each generate the
Master Secret and session keys based on the Pre-Master Secret.
7. The client sends "Change cipher spec" notification to server to indicate that the client
will start using the new session keys for hashing and encrypting messages. Client also
sends "Client finished" message.
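The seven steps above, together with the server-only authentication flow described under the previous question, as a runnable walkthrough. This is an added example and not code from these notes: it uses textbook RSA over the publicly known Mersenne primes 2^521-1 and 2^607-1 as a stand-in for the key in the server's certificate (so it gives no real secrecy), omits certificates, PKCS#1 padding and the record layer, and borrows the TLS 1.2 PRF (RFC 5246) for deriving the Master Secret and session keys. The message names, the two random values and the 48-byte Pre-Master Secret follow the notes; the key sizes chosen for the key block are assumptions.

```python
"""Toy walkthrough of the RSA-key-exchange SSL/TLS handshake (server-only
authentication).  Educational only: textbook RSA with public primes and no
padding, so nothing here is secret against an attacker."""
import hashlib
import hmac
import os

# Constructed server key pair.  The primes are the well-known Mersenne primes
# M521 and M607, chosen only so the arithmetic runs with the standard library.
_P = (1 << 521) - 1
_Q = (1 << 607) - 1
RSA_N = _P * _Q                      # 1128-bit modulus -> fits in 141 bytes
RSA_E = 65537
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))
RSA_LEN = 141


def rsa_encrypt(msg: bytes, e: int, n: int) -> int:
    """Step 5: client encrypts the Pre-Master Secret with the server public key."""
    m = int.from_bytes(msg, "big")
    if m >= n:
        raise ValueError("message too large for modulus")
    return pow(m, e, n)


def rsa_decrypt(c: int, d: int, n: int, length: int) -> bytes:
    """Step 6: server recovers the Pre-Master Secret with its private key."""
    return pow(c, d, n).to_bytes(length, "big")


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 expansion from RFC 5246 section 5: A(i) = HMAC(secret, A(i-1))."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)


def derive_keys(pre_master: bytes, client_random: bytes, server_random: bytes):
    """Step 6 on each side: Master Secret, then the session key block.
    Key block layout (assumed sizes): 2 x 32-byte MAC keys, 2 x 16-byte enc keys."""
    master = prf(pre_master, b"master secret", client_random + server_random, 48)
    block = prf(master, b"key expansion", server_random + client_random, 96)
    keys = {
        "client_write_mac_key": block[0:32],
        "server_write_mac_key": block[32:64],
        "client_write_key": block[64:80],
        "server_write_key": block[80:96],
    }
    return master, keys


def run_handshake(rng=os.urandom) -> dict:
    """Play both roles and report whether they end up with identical keys."""
    transcript = []
    # Phase 1: Client hello / Server hello carry the two 32-byte random values.
    client_random = rng(32)
    transcript.append(b"ClientHello" + client_random)
    server_random = rng(32)
    transcript.append(b"ServerHello" + server_random)
    # Phase 2: the "certificate" here is just the raw public key; Server hello done.
    transcript.append(b"Certificate" + RSA_N.to_bytes(RSA_LEN, "big"))
    transcript.append(b"ServerHelloDone")
    # Phase 3: client makes the 48-byte Pre-Master Secret and sends it encrypted.
    pre_master = rng(48)
    encrypted = rsa_encrypt(pre_master, RSA_E, RSA_N)
    transcript.append(b"ClientKeyExchange" + encrypted.to_bytes(RSA_LEN, "big"))
    # Server decrypts; both sides derive keys independently from the same inputs.
    server_pre_master = rsa_decrypt(encrypted, RSA_D, RSA_N, 48)
    client_master, client_keys = derive_keys(pre_master, client_random, server_random)
    server_master, server_keys = derive_keys(server_pre_master, client_random, server_random)
    # Phase 4: after Change cipher spec, Client finished carries verify_data
    # computed over the whole handshake transcript; the server recomputes it.
    handshake_hash = hashlib.sha256(b"".join(transcript)).digest()
    client_verify = prf(client_master, b"client finished", handshake_hash, 12)
    server_expect = prf(server_master, b"client finished", handshake_hash, 12)
    return {
        "keys_match": client_keys == server_keys,
        "finished_verified": hmac.compare_digest(client_verify, server_expect),
        "master_secret": client_master,
        "client_keys": client_keys,
    }


if __name__ == "__main__":
    result = run_handshake()
    print("session keys match:", result["keys_match"])
    print("Client finished verified:", result["finished_verified"])
```

The Finished check is what binds the whole transcript: anything that alters an earlier message (a downgraded cipher suite list, a swapped random value) changes the handshake hash, so the server's recomputed verify_data no longer matches and the handshake fails before any application data is sent.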
=== * ===
Describe the SET components and their relationships. (Or Describe SET Participants) – 10
Cardholder: A cardholder is an authorized holder of a payment card (e.g.,
MasterCard, Visa) that has been issued by an issuer.
Merchant: A merchant is a person or organization that has goods or services to sell
to the cardholder.
Issuer: This is a financial institution, such as a bank, that provides the cardholder
with the payment card.
Acquirer: This is a financial institution that establishes an account with a merchant
and processes payment card authorizations and payments.
Payment gateway: This is a third party that processes merchant payment messages.
The payment gateway interfaces between SET and the existing bankcard payment
network for authorization and payment functions.
Certification authority (CA): This is an entity that is trusted to issue X.509v3
public-key certificates for cardholders, merchants, and payment gateways.