NSC Unit - 3 - 221210 - 134942
Unit - 3
In today’s networked world, internet security has become critically important. Because
internet technology is vast and has developed over many years, internet security has many
aspects. Security mechanisms exist for specialized internet services such as email, electronic
commerce and payment, and wireless internet. To secure these services, various protocols are
used, such as SSL (Secure Socket Layer) and TLS (Transport Layer Security).
1. SSL Protocol
SSL stands for Secure Socket Layer, an internet security protocol used for exchanging
information between a web browser and a web server in a secure manner. It provides two basic
security services: authentication and confidentiality. SSL has become the world’s most popular
web security mechanism, and all major web browsers support it. SSL is considered an additional
layer in the TCP/IP protocol suite, located between the application layer and the transport
layer. SSL has three sub-protocols: the Handshake Protocol, the Record Protocol, and the Alert
Protocol.
OpenSSL is an open source implementation of the Secure Socket Layer protocol. OpenSSL is
subject to four remotely exploitable buffer overflows. Buffer overflow vulnerabilities allow
attackers to execute arbitrary code on the target computer with the privilege level of the
OpenSSL process, as well as providing opportunities for launching a denial of service attack.
2. TLS Protocol
TLS stands for Transport Layer Security, an internet security protocol. TLS is an IETF
standardization initiative whose goal is to come out with an internet standard version of SSL.
To standardize SSL, Netscape handed the protocol to the IETF. The idea and implementation are
quite similar. TLS uses a pseudo-random function to create a master secret. TLS also has the
same three sub-protocols as SSL: the Handshake Protocol, the Record Protocol, and the Alert
Protocol. In the Handshake Protocol some details are changed, the Record Protocol uses HMAC,
and the Alert Protocol adds new alerts such as record overflow, unknown CA, decryption failed,
decode error, access denied, export restriction, protocol version, insufficient security, and
internal error. TLS is defined in RFC 2246.
3. SHTTP
SHTTP stands for Secure HyperText Transfer Protocol, a set of security mechanisms defined
for protecting internet traffic, including data entry forms and internet-based transactions.
The services provided by SHTTP are quite similar to those of SSL. SHTTP works at the
application layer and is therefore tightly coupled with HTTP. SHTTP supports both
authentication and encryption of HTTP traffic between the client and the server. The
encryption and digital signature formats used in SHTTP have their origins in the PEM (Privacy
Enhanced Mail) protocol. SHTTP works at the level of an individual message: it can encrypt
and sign an individual message.
4. SET Protocol
SET stands for Secure Electronic Transaction, an open encryption and security mechanism
designed for protecting eCommerce transactions over the internet. SET is not a payment
system; it is a security protocol used over the internet for secure transactions.
The SET protocol provides the following services:
---SET provides authentication by using digital certificates.
---It provides a secure communication channel among all parties involved in an eCommerce
transaction.
---It ensures confidentiality because the information is only available for parties involved in a
transaction and that too only when and where required.
---Cardholder: It is an authorized holder of a payment card such as a Visa card or MasterCard.
---Merchant: It is a specific person or organization who wants to sell goods and services to
the cardholder.
---Issuer: It is a financial institution which provides payment card to the cardholder.
---Acquirer: It is a financial institution which has a relationship with merchants for processing
payment card Authorization and payments.
---Payment Gateway: It acts as an interface between SET and existing card payment networks
for payment Authorization.
---Certification Authority: It is an authority that is trusted to provide a public key certificate
to cardholder, merchant, and payment gateways.
5. PEM Protocol
PEM stands for Privacy Enhanced Mail, used for email security over the internet. It was
adopted by the IAB (Internet Architecture Board) to provide secure electronic mail
communication over the internet. It was initially developed by the IRTF (Internet Research
Task Force) PSRG (Privacy Security Research Group), which then handed PEM over to the IETF
(Internet Engineering Task Force) PEM working group. The Privacy Enhanced Mail protocol is
described in four specific documents: RFC 1421, RFC 1422, RFC 1423, and RFC 1424. It supports
6. PGP Protocol
PGP stands for Pretty Good Privacy, which was developed by Phil Zimmermann. PGP is easy to
use and free, including its source code documentation. It also supports the basic
requirements of cryptography. However, for those organizations that require support, a
low-cost commercial version of PGP is available from an organization called Viacrypt.
PGP became extremely popular and is more widely used than PEM. PGP supports cryptographic
services such as encryption, non-repudiation, and message integrity.
What is SSL?
SSL, or Secure Sockets Layer, is an encryption-based Internet security protocol. It was first developed by
Netscape in 1995 for the purpose of ensuring privacy, authentication, and data integrity in Internet
communications. SSL is the predecessor to the modern TLS encryption used today.
A website that implements SSL/TLS has "HTTPS" in its URL instead of "HTTP."
This means that anyone who tries to intercept this data will only see a garbled mix of characters
to ensure that both devices are really who they claim to be.
SSL also digitally signs data in order to provide data integrity, verifying that the data is not
There have been several iterations of SSL, each more secure than the last. In 1999 SSL was updated to
become TLS.
message. For example, if a consumer visited a shopping website, placed an order, and entered their credit
card number on the website, that credit card number would travel across the Internet unconcealed.
SSL was created to correct this problem and protect user privacy. By encrypting any data that goes
between a user and a web server, SSL ensures that anyone who intercepts the data can only see a
scrambled mess of characters. The consumer's credit card number is now safe, only visible to the
SSL also stops certain kinds of cyber attacks: It authenticates web servers, which is important because
attackers will often try to set up fake websites to trick users and steal data. It also prevents attackers from
Engineering Task Force (IETF) proposed an update to SSL. Since this update was being developed by the
IETF and Netscape was no longer involved, the name was changed to TLS. The differences between the
final version of SSL (3.0) and the first version of TLS are not drastic; the name change was applied to
people still use SSL to refer to TLS, others use the term "SSL/TLS encryption" because SSL still has so
several known vulnerabilities in the SSL protocol, and security experts recommend discontinuing its use. In
TLS is the up-to-date encryption protocol that is still being implemented online, even though many
people still refer to it as "SSL encryption." This can be a source of confusion for someone shopping for
security solutions. The truth is that any vendor offering "SSL" these days is almost certainly providing TLS
protection, which has been an industry standard for over 20 years. But since many folks are still searching
for "SSL protection," the term is still featured prominently on many product pages.
SSL certificate is like an ID card or a badge that proves someone is who they say they are. SSL certificates
One of the most important pieces of information in an SSL certificate is the website's public key.
The public key makes encryption and authentication possible. A user's device views the public key and
uses it to establish secure encryption keys with the web server. Meanwhile the web server also has a
private key that is kept secret; the private key decrypts data encrypted with the public key.
Single-domain: A single-domain SSL certificate applies to only one domain (a "domain" is the
Wildcard: Like a single-domain certificate, a wildcard SSL certificate applies to only one domain.
However, it also includes that domain's subdomains. For example, a wildcard certificate could cover
Multi-domain: As the name indicates, multi-domain SSL certificates can apply to multiple
unrelated domains.
SSL certificates also come with different validation levels. A validation level is like a background check, and
Domain Validation: This is the least-stringent level of validation, and the cheapest. All a business
Organization Validation: This is a more hands-on process: The CA directly contacts the person or
business requesting the certificate. These certificates are more trustworthy for users.
Extended Validation: This requires a full background check of an organization before the SSL
with a few clicks. Websites may need to set up an SSL certificate on their origin server as well: this
Confidentiality
Message Integrity
In the SSL Record Protocol, application data is divided into fragments. Each fragment is compressed, and
then a MAC (Message Authentication Code) generated by algorithms like SHA (Secure Hash Algorithm) and
MD5 (Message Digest) is appended. After that the data is encrypted, and finally the SSL header is added
to the data.
Handshake Protocol:
Handshake Protocol is used to establish sessions. This protocol allows the client and server to authenticate
each other by sending a series of messages to each other. Handshake protocol uses four phases to complete
its cycle.
Phase-1: In Phase-1 both Client and Server send hello packets to each other. In this phase the IP session,
cipher suite and protocol version are exchanged for security purposes.
Phase-2: The Server sends its certificate and Server-key-exchange. The server ends Phase-2 by sending
the Server-hello-end packet.
Phase-3: In this phase, the Client replies to the server by sending its certificate and
Client-exchange-key.
Phase-4: In Phase-4 the Change-cipher suite occurs, and after this the Handshake Protocol ends.
SSL Handshake Protocol Phases diagrammatic representation
Change-cipher Protocol:
This protocol uses the SSL record protocol. Until the Handshake Protocol is completed, the SSL record
output will be in a pending state. After the handshake protocol, the pending state is converted into the
current state.
The Change-cipher protocol consists of a single message which is 1 byte in length and can have only one
value. This protocol’s purpose is to cause the pending state to be copied into the current state.
Alert Protocol:
This protocol is used to convey SSL-related alerts to the peer entity. Each message in this protocol contains
2 bytes.
This Alert breaks the connection between sender and receiver. The connection will be stopped; it cannot
be resumed but can be restarted. Some of them are:
Handshake failure: When the sender is unable to negotiate an acceptable set of security parameters given
the options available.
Decompression failure: When the decompression function receives improper input.
Illegal parameters: When a field is out of range or inconsistent with other fields.
Bad record MAC: When an incorrect MAC was received.
Unexpected message: When an inappropriate message is received.
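The record header, the 1-byte Change-cipher message and the 2-byte Alert message described above can be checked mechanically. The following parser is an added example, not part of the original notes; the numeric codes are the standard SSL 3.0/TLS record-layer values, `close_notify` is included although the notes do not list it, and the sample byte stream is constructed for illustration.

```python
import struct

# Record-layer content types shared by SSL 3.0 and TLS 1.0-1.2.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# The five alerts listed in the notes, plus close_notify (not in the notes).
ALERT_DESCRIPTIONS = {0: "close_notify", 10: "unexpected_message",
                      20: "bad_record_mac", 30: "decompression_failure",
                      40: "handshake_failure", 47: "illegal_parameter"}
ALWAYS_FATAL = {10, 20, 30, 40, 47}   # these always end the connection
MAX_RECORD_LEN = 2 ** 14 + 2048       # largest fragment a record may carry


class RecordError(ValueError):
    """Raised when the bytes are not a well-formed record sequence."""


def split_records(stream: bytes):
    """Split a byte stream into (content_type, version, payload) tuples."""
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise RecordError("truncated record header")
        # Header: 1-byte type, 2-byte version, 2-byte big-endian length.
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise RecordError(f"unknown content type {ctype}")
        if (major, minor) not in VERSIONS:
            raise RecordError(f"unsupported version {major}.{minor}")
        if length > MAX_RECORD_LEN:
            raise RecordError("record overflow")
        payload = stream[offset + 5: offset + 5 + length]
        if len(payload) != length:
            raise RecordError("truncated record payload")
        records.append((CONTENT_TYPES[ctype], VERSIONS[(major, minor)], payload))
        offset += 5 + length
    return records


def describe(record):
    """Decode one plaintext record (as sent before encryption is switched on)."""
    ctype, version, payload = record
    if ctype == "change_cipher_spec":
        if payload != b"\x01":
            raise RecordError("change_cipher_spec must be the single byte 0x01")
        return {"type": ctype, "version": version}
    if ctype == "alert":
        if len(payload) != 2:
            raise RecordError("a plaintext alert is exactly 2 bytes")
        level, code = payload
        if level not in ALERT_LEVELS:
            raise RecordError(f"invalid alert level {level}")
        return {"type": ctype, "version": version,
                "level": ALERT_LEVELS[level],
                "description": ALERT_DESCRIPTIONS.get(code, f"unknown({code})"),
                # A peer that labels an always-fatal alert as a warning is
                # misbehaving; treat the connection as dead either way.
                "fatal": level == 2 or code in ALWAYS_FATAL}
    return {"type": ctype, "version": version, "length": len(payload)}


# Constructed sample: ChangeCipherSpec, fatal bad_record_mac, warning
# close_notify, and handshake_failure wrongly sent with warning level.
SAMPLE = bytes.fromhex("140300000101" "15030000020214"
                       "15030100020100" "15030100020128")

if __name__ == "__main__":
    for rec in split_records(SAMPLE):
        print(describe(rec))
```

Alerts sent after the cipher change are encrypted and carry a MAC, so their record payload is longer than 2 bytes; this parser covers only the plaintext case.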
Versions of SSL:
Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and
data security for communications over the Internet. A primary use case of TLS is encrypting the
communication between web applications and servers, such as web browsers loading a website. TLS can
also be used to encrypt other communications such as email, messaging, and voice over IP (VoIP). In this
TLS was proposed by the Internet Engineering Task Force (IETF), an international standards organization,
and the first version of the protocol was published in 1999. The most recent version is TLS 1.3, which was
published in 2018.
by Netscape. TLS version 1.0 actually began development as SSL version 3.1, but the name of the protocol
was changed before publication in order to indicate that it was no longer associated with Netscape.
Because of this history, the terms TLS and SSL are sometimes used interchangeably.
HTTPS is an implementation of TLS encryption on top of the HTTP protocol, which is used by all websites
as well as some other web services. Any website that uses HTTPS is therefore employing TLS encryption.
protocol?
TLS encryption can help protect web applications from data breaches and other attacks. Today, TLS-
protected HTTPS is a standard practice for websites. The Google Chrome browser gradually cracked down
on non-HTTPS sites, and other browsers have followed suit. Everyday Internet users are more wary of
Integrity.
Authentication: ensures that the parties exchanging information are who they claim to be.
Integrity: verifies that the data has not been forged or tampered with.
For a website or application to use TLS, it must have a TLS certificate installed on its origin server (the
certificate is also known as an "SSL certificate" because of the naming confusion described above). A TLS
certificate is issued by a certificate authority to the person or business that owns a domain. The certificate
contains important information about who owns the domain, along with the server's public key, both of
A TLS connection is initiated using a sequence known as the TLS handshake. When a user navigates to a
website that uses TLS, the TLS handshake begins between the user's device (also known as
During the TLS handshake, the user's device and the web server:
Specify which version of TLS (TLS 1.0, 1.2, 1.3, etc.) they will use
Authenticate the identity of the server using the server's TLS certificate
Generate session keys for encrypting messages between them after the handshake is complete
The TLS handshake establishes a cipher suite for each communication session. The cipher suite is a set of
algorithms that specifies details such as which shared encryption keys, or session keys, will be used for
that particular session. TLS is able to set the matching session keys over an unencrypted channel thanks to
client. This is done using public keys. Public keys are encryption keys that use one-way encryption,
meaning that anyone with the public key can unscramble the data encrypted with the server's private key
to ensure its authenticity, but only the original sender can encrypt data with the private key. The server's
Once data is encrypted and authenticated, it is then signed with a message authentication code (MAC).
The recipient can then verify the MAC to ensure the integrity of the data. This is kind of like the tamper-
proof foil found on a bottle of aspirin; the consumer knows no one has tampered with their medicine
Because of the complex process involved in setting up a TLS connection, some load time and
computational power must be expended. The client and server must communicate back and forth several
times before any data is transmitted, and that eats up precious milliseconds of load times for web
applications, as well as some memory for both the client and the server.
However, there are technologies in place that help to mitigate potential latency created by the TLS
handshake. One is TLS False Start, which lets the server and client start transmitting data before the TLS
handshake is complete. Another technology to speed up TLS is TLS Session Resumption, which allows
clients and servers that have previously communicated to use an abbreviated handshake.
These improvements have helped to make TLS a very fast protocol that should not noticeably affect load
times. As for the computational costs associated with TLS, they are mostly negligible by today’s standards.
TLS 1.3, released in 2018, has made TLS even faster. TLS handshakes in TLS 1.3 only require one round trip
(or back-and-forth communication) instead of two, shortening the process by a few milliseconds. When
the user has connected to a website before, the TLS handshake has zero round trips, speeding it up still
further.
Requirements in SET :
The SET protocol has some requirements to meet, some of the important requirements are :
It has to provide mutual authentication i.e., customer (or cardholder) authentication by confirming if
the customer is an intended user or not, and merchant authentication.
It has to keep the PI (Payment Information) and OI (Order Information) confidential by appropriate
encryptions.
It has to be resistive against message modifications i.e., no changes should be allowed in the content
being transmitted.
SET also needs to provide interoperability and make use of the best security mechanisms.
Participants in SET :
In the general scenario of online transactions, SET includes similar participants:
1. Cardholder – customer
2. Issuer – customer financial institution
3. Merchant
4. Acquirer – Merchant financial
5. Certificate authority – Authority that follows certain standards and issues certificates (like
X.509V3) to all other participants.
SET functionalities :
Provide Authentication
Merchant Authentication – To prevent theft, SET allows customers to check previous
relationships between merchants and financial institutions. Standard X.509V3 certificates are
used for this verification.
Customer / Cardholder Authentication – SET checks if the use of a credit card is done by an
authorized user or not using X.509V3 certificates.
Provide Message Confidentiality: Confidentiality refers to preventing unintended people from
reading the message being transferred. SET implements confidentiality by using encryption
techniques. Traditionally DES is used for encryption purposes.
Provide Message Integrity: SET prevents message modification with the help of signatures.
Messages are protected against unauthorized modification using RSA digital signatures with SHA-1,
and some using HMAC with SHA-1.
Dual Signature :
The dual signature is a concept introduced with SET, which aims at connecting two information pieces
meant for two different receivers :
Order Information (OI) for merchant
Payment Information (PI) for bank
You might think sending them separately is an easy and more secure way, but sending them in a connected
form resolves any future dispute possible. Here is the generation of dual signature:
Where,
Since we used Customer’s private key in encryption here we use KUC which is the public key of the
customer or cardholder for decryption ‘D’.
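A sketch of the dual signature as it is usually described for SET: the cardholder hashes PI and OI separately, hashes the two digests together, and encrypts that result with the private key, so each receiver can check the link using KUC without seeing the other half. This is an added example, not part of the original notes; the toy RSA key, the function names and the sample PI/OI strings are constructed for illustration.

```python
import hashlib

# Toy RSA key built from two Mersenne primes. Constructed for this example
# only: the modulus is tiny and unpadded "textbook" RSA is not safe in practice.
P, Q = 2 ** 127 - 1, 2 ** 89 - 1
N = P * Q
KUC = 65537                              # cardholder public exponent (KUC)
KRC = pow(KUC, -1, (P - 1) * (Q - 1))    # cardholder private exponent


def sha1(data: bytes) -> bytes:
    """SHA-1 digest, the hash the notes name for SET signatures."""
    return hashlib.sha1(data).digest()


def make_dual_signature(pi: bytes, oi: bytes):
    """Cardholder side: return (DS, PIMD, OIMD)."""
    pimd, oimd = sha1(pi), sha1(oi)          # digests of each half
    pomd = sha1(pimd + oimd)                 # digest linking the two halves
    ds = pow(int.from_bytes(pomd, "big"), KRC, N)   # "encrypt" with private key
    return ds, pimd, oimd


def _matches(ds: int, pomd: bytes) -> bool:
    """Decrypt DS with the public key KUC and compare with the digest."""
    return pow(ds, KUC, N) == int.from_bytes(pomd, "big")


def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """Merchant holds OI and only the digest of PI, never the card data."""
    return _matches(ds, sha1(pimd + sha1(oi)))


def bank_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """Bank holds PI and only the digest of OI, never the order details."""
    return _matches(ds, sha1(sha1(pi) + oimd))


# Constructed sample data.
PI = b"card=PLACEHOLDER-CARD-NUMBER;amount=49.90"
OI = b"order=1001;item=book;amount=49.90"

if __name__ == "__main__":
    ds, pimd, oimd = make_dual_signature(PI, OI)
    print("merchant accepts:", merchant_verify(OI, pimd, ds))
    print("bank accepts:    ", bank_verify(PI, oimd, ds))
    # A merchant who later claims a different order cannot match the signature.
    print("altered order:   ", merchant_verify(OI + b";qty=2", pimd, ds))
```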
Secure Socket Layer (SSL) is the standard security technology for establishing an encrypted link
between a web server and a browser. This link ensures that all data passed between the web
server and browsers stays private and integral. SSL is an industry standard and is used by
numerous websites for the protection of their online transactions with their customers. SSL permits
sensitive information like Social Security numbers, MasterCard numbers, or login credentials to be
transmitted securely.
Secure Electronic Transaction (SET) is a system for ensuring the security of financial transactions
on the web. It was supported initially by Mastercard, Visa, Microsoft, Netscape, and others. With SET, a
user is given an electronic wallet (digital certificate) and a transaction is conducted and verified
using a combination of digital certificates and digital signatures among the purchaser, a merchant, and
the purchaser’s bank in a way that ensures privacy and confidentiality. SET makes use of Netscape’s
Secure Sockets Layer (SSL), Microsoft’s Secure Transaction Technology (STT), and Terisa System’s Secure
Hypertext Transfer Protocol (S-HTTP). SET uses some but not all aspects of Public Key
Infrastructure (PKI).
Difference between Secure Socket Layer (SSL) and Secure Electronic Transaction (SET):
S. No. / Secure Socket Layer / Secure Electronic Transaction
1. Basics
SSL: gateway is not available. So, the merchant needs to receive both the ordering information and credit card information because the capturing process should be generated by the merchant. SSL protocol has been the industry standard for securing internet communication.
SET: customer’s credit card information from merchant and also hides the order information from banks to protect privacy called a dual signature. The SET protocol is complex and more secure.
2.
SSL: SSL protocol was developed by Netscape for the secure online transaction.
SET: The SET protocol was jointly developed by MasterCard and Visa to secure web browsers for a bank card transaction.
3. Working
SSL: SSL uses a combination of public-key and symmetric-key encryption to safeguard data transactions. The handshake technique is used by the SSL protocol, which permits the server to verify its identity to the client. In case of unsuccessful authentication, the connection will not be formed.
SET: The dual signature mechanism is deployed by SET to safeguard a transaction. To use an e-commerce site, SET requires the purchase of software. The design of the protocol necessitates the client’s installation of an e-wallet.
4. Integrity
SSL: The technique of Hash functions is used for this purpose.
SET: The technique of digital signatures is used for this purpose.
5. Acceptability
6. Functionality
SSL: The Secure Sockets Layer (SSL) is not a payment protocol. SSL encrypts the communication channel between the cardholder and the merchant website and is not backed by any financial institution. As
SET: SET was created with the sole purpose of securing and ultimately guaranteeing a payment transaction. For example, increase in the possibilities for online retail growth only when consumer confidence grows in
7. Encryption
SSL: The purpose of SSL lies in prevention of data tampering in client/server applications and has considerably weaker encryption, with a maximum of 128-bit encryption.
SET: SET, which was created expressly to address the security of all parties involved in an electronic payment transaction, uses 1024-bit encryption throughout the transaction.
8. Authentication
SSL: SSL certificates are not endorsed by any financial institution or payment brand association, so they cannot effectively validate all parties.
SET: Here, all parties get authentication to the transaction because SET’s certificates are backed not just by a Certificate Authority, but also by financial institutions and MasterCard International.
9. Security
SSL: SSL only protects the cardholder and the merchant, which is insufficient to prevent fraud. SSL transactions, in other words, are never assured.
SET: SET enables transaction security from the cardholder’s desktop to the merchant via bank approvals and back through the gateway, leaving an indisputable audit trail and, as a result, a guaranteed transaction.
KEY TAKEAWAYS
Electronic money is currency that is stored in banking computer systems.
Electronic money is backed by fiat currency, which distinguishes it from cryptocurrency.
Various companies allow for transactions to be made with electronic money, such as Square or
PayPal.
The prevalence of electronic money has led to the diminishing use of physical currency.
Although electronic money is often considered safer and more transparent than physical currency, it
is not without its risks.
How Electronic Money Works
Electronic money is used for transactions on a global basis. While it may be exchanged for fiat
currency (which, incidentally, distinguishes it from cryptocurrencies), electronic money is most
commonly utilized through electronic banking systems and monitored through electronic processing.
Because a mere fraction of the currency is utilized in physical form, the vast percentage of it is housed
in bank vaults and is backed by central banks.
For this reason, a primary function of the U.S. Federal Reserve and its 12 supporting banks is to
manage the fiat currency in physical form and control the money supply through monetary policies and
open market operations.
Because of the transparency that is inherent to electronic money, many have speculated that the
increase of its use could lead to a significant decrease in inflation risk.
Special Considerations
Currency in Circulation
Electronic money can be held in various places. Most individuals and businesses store their money
with banks that provide electronic records of the cash on deposit. However, prepaid cards and digital
wallets like PayPal and Square likewise allow users to deposit fiat currency for electronic money. Such
companies will make their profit by charging a percentage on any amount that is withdrawn from
accounts or converted from electronic money back into fiat currency.
While physical currency is still advantageous in certain situations, its role has gradually diminished
over time. Many consumers and businesses believe electronic money is more secure and convenient
because it cannot be misplaced, and it is widely accepted by merchants nationwide. The U.S. financial
market has consequently established a robust infrastructure for transacting electronic money, which is
primarily facilitated through payment processing networks, such as Visa and Mastercard.
Banks and financial institutions partner with electronic money networking processors to issue their
customers branded network cards that facilitate these electronic transactions from bank accounts to
merchants. Electronic money is also easily transacted through e-commerce, letting consumers
conveniently shop for goods and services online.
Electronic transactions also lend themselves to being more discreet and, thus, easier to hide from the
IRS, making electronic money a potential and unwilling accomplice to tax evasion. Lastly, the
computer systems that are responsible for carrying out electronic transactions are not perfect, meaning
that electronic money transactions can sometimes go awry simply due to system error.
Spam Filters
A significant proportion of emails that you receive daily are marketing emails. These
emails clog the email inbox in such a way that you almost miss out on some of the official
or essential emails. Secondly, cybercriminals take advantage of these marketing emails by
pushing in their phishing emails, as well. An unsuspecting user might open such emails
and click on the malicious links provided in the phishing email. It could lead to severe
repercussions like compromising one’s financial details such as bank accounts, credit card
numbers, and so on.
Installing spam filters can help in separating these marketing and phishing emails by
directing them to a distinctive email inbox. In this way, your regular email inbox does not
get clogged. Secondly, you do not miss any crucial business email.
A vital email security feature is that you can schedule the deletion of spam emails at fixed
intervals. They can be deleted automatically without needing to open them.
Anti-virus Protection
Spam filters play the role of separating the spam emails from the regular ones. However,
these emails remain in the inbox for a specific period following which they get deleted
automatically. There is always a likelihood of the user accessing the spam email inbox and
opening these email attachments.
Hackers send malicious content through such email attachments and spurious links in the
messages. If a user unwittingly clicks on such links or downloads such files, there are
chances of viruses spreading to their information systems. The right way to deal with such
situations is to have robust anti-virus protection. This software program scans each
incoming and outgoing email for malicious content and blocks their entry or exit, as the
case may be. Hence, it offers better protection than the spam filters because it identifies
and eliminates these viruses that can create havoc with the computer network systems.
Image & Content Control
Hackers use emails for phishing purposes. The email attachments can contain files, links,
and even images. There have been numerous phishing instances in recent times where
cybercriminals managed to transmit malicious software through images. Therefore, it
becomes vital for email security services to protect the systems by scanning images, as
well. It is one of the most crucial aspects of email security in information security.
Data Encryption
Your email data is at its most vulnerable position when it is in transit. Generally, it is
transmitted in an open format. It allows cybercriminals to intercept these messages in
transit and use them to lift confidential data. You could have spam filters installed on your
system to identify and segregate spam emails. You could also have anti-virus protection in
place. However, these email security features are of little use when you expose your
email content when it is in transit.
The ideal solution is to encrypt the data sent through email. It is one of the major topics
of importance regarding email security in cryptography systems. This security feature
ensures that your outgoing emails are data encrypted in all respects, thereby not allowing
any leeway for the hacker to infiltrate them. Advanced cryptography features safeguard
the encryption of the recipient’s details and email message headers, as well. Therefore,
the cybercriminals do not have any means to know either the contents or the details of the
recipients of your emails.
Encrypting your emails entails that you make it difficult for hackers to access the contents
of the emails. Every business organization, or for that matter, every individual, should have
this email security feature installed on their computer network. It is one of the best ways to
avoid becoming victims of phishing attempts.
Final Word
Cybercriminals are becoming smarter by the day. They are inventing new ways of
hacking into computer networks all over the world. Therefore, one should be a couple of
steps ahead of these hackers. Adopting different types of email security solutions can
significantly help you in your endeavor. Phishing attempts have become common today.
With the growth in the usage of computers in daily activities, it is natural for cybercriminals
to up their ante, as well. Hence, one should adopt proactive means of securing one’s
emails. The aforementioned email security features should be the ideal solutions.
END