
Network security and cryptography

Unit - 3

Internet security protocols -

Introduction to Internet Security Protocols

Internet security has become central to modern computer networks. Because internet technology is vast and has evolved over many years, internet security has many aspects, and specialized mechanisms exist for individual services such as email, electronic commerce and payments, and wireless access. Several protocols have been defined to secure traffic on the internet, the most important being SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security).

Various Internet Security Protocols


Given below are the various protocols:

1. SSL Protocol
SSL (Secure Sockets Layer) is an internet security protocol for exchanging information between a web browser and a web server in a secure manner. It provides two basic services, authentication (of the server, and optionally of the client) and confidentiality, and adds message integrity through a MAC on every record. SSL became the most widely deployed web security mechanism; every major browser supported it. SSL is best viewed as an additional layer in the TCP/IP suite, sitting between the application layer (HTTP) and the transport layer (TCP). It consists of four sub-protocols: the Handshake Protocol, the Change Cipher Spec Protocol, the Alert Protocol and the Record Protocol.
OpenSSL is an open source implementation of SSL/TLS. Like any large C code base it has itself suffered remotely exploitable buffer overflows. A buffer overflow lets an attacker execute arbitrary code with the privilege level of the OpenSSL process, or crash it for a denial of service, which is why keeping the TLS library patched matters as much as configuring the protocol correctly.

2. TLS Protocol
TLS (Transport Layer Security) is the IETF standardization of SSL. To produce an open internet standard version of SSL, Netscape handed the protocol to the IETF; TLS 1.0 is defined in RFC 2246 (1999), followed by TLS 1.1 (RFC 4346), TLS 1.2 (RFC 5246) and TLS 1.3 (RFC 8446). The design and implementation are very similar to SSL 3.0. TLS derives the master secret, and from it the session keys, from the pre-master secret using a pseudo-random function (PRF) built from HMAC. TLS has the same sub-protocols as SSL: Handshake, Change Cipher Spec, Alert and Record. Some handshake details changed, the Record Protocol computes its MAC with HMAC (RFC 2104) instead of SSL 3.0's ad hoc construction, and the Alert Protocol gained new alerts: record_overflow, unknown_ca, decryption_failed, decode_error, access_denied, export_restriction, protocol_version, insufficient_security and internal_error.

3. SHTTP
SHTTP (Secure HyperText Transfer Protocol) is a set of security mechanisms defined for protecting web traffic, including data submitted through forms and internet-based transactions. The services it provides are similar to those of SSL. SHTTP works at the application layer and is therefore tightly coupled with HTTP; it supports both authentication and encryption of HTTP traffic between client and server. Its encryption and digital signature formats have their origins in PEM (Privacy Enhanced Mail). Unlike SSL, which protects a whole connection, SHTTP works at the level of an individual message: it can encrypt and sign each HTTP message separately.

4. SET Protocol
SET (Secure Electronic Transaction) is an open encryption and security specification designed to protect credit card transactions over the internet. SET is not a payment system; it is a security protocol applied to payments made over the internet. SET provides the following services:
---Authentication of all parties, using X.509 digital certificates.
---A secure communication channel among all parties involved in an eCommerce transaction.
---Confidentiality: information is made available only to the parties that need it, and only when and where required (the merchant never sees the card number, and the bank never sees the order details).

The SET protocol includes the following participants:

---Cardholder: an authorized holder of a payment card such as a Visa or MasterCard card.
---Merchant: a person or organization that wants to sell goods or services to the cardholder.
---Issuer: the financial institution that provides the payment card to the cardholder.
---Acquirer: the financial institution that has a relationship with merchants for processing payment card authorizations and payments.
---Payment Gateway: the interface between SET and the existing card payment networks, through which authorization and payment requests pass.
---Certification Authority: an authority trusted to issue public key certificates to cardholders, merchants and payment gateways.
5. PEM Protocol
PEM (Privacy Enhanced Mail) is a standard for email security on the internet, adopted by the IAB (Internet Architecture Board) to provide secure electronic mail communication. It was initially developed by the Privacy and Security Research Group (PSRG) of the IRTF (Internet Research Task Force), which then handed it to the PEM working group of the IETF (Internet Engineering Task Force). PEM is described in four documents, RFC 1421, RFC 1422, RFC 1423 and RFC 1424, and supports encryption, non-repudiation (through digital signatures) and message integrity.

6. PGP Protocol
PGP (Pretty Good Privacy) was developed by Phil Zimmermann. It is easy to use and was made available free of charge, including its source code and documentation, while meeting the basic requirements of cryptography. Organizations that needed support could buy a low-cost commercial version from a company called ViaCrypt. PGP became far more popular and widely used than PEM. Like PEM, it provides encryption, non-repudiation and message integrity.

The Time-Stamp Protocol, or TSP, is a cryptographic protocol for certifying timestamps using X.509 certificates and a public key infrastructure. A timestamp is the signer's assertion that a piece of electronic data existed at or before a particular time. The protocol is defined in RFC 3161. One application is to show that a digital signature was produced before a point in time, for example before the corresponding certificate was revoked. TSP is an example of trusted timestamping and has been extended to create the ANSI ASC X9.95 standard.

Protocol
In the protocol a Time Stamp Authority (TSA) is a trusted third party that provides a timestamp to be associated with a hashed version of some data. TSP is a request-response protocol: the request contains a hash of the data to be timestamped (not the data itself, so the TSA learns nothing about its content). The TSA returns a Time Stamp Token (TST), which includes the hash, a unique serial number, the time, and a digital signature generated with the TSA's private key. The protocol can operate over several transports, including email, raw TCP sockets or HTTP. Anyone presented with a TST can verify that the data existed at the time stated in the token by checking the signature with the TSA's public key and checking that the hash of the data matches the hash in the TST. The verifier must also validate the TSA's certificate chain (and that the certificate is authorized for timestamping); the signature alone only proves that the token came from whoever holds that private key.

What is SSL?
SSL, or Secure Sockets Layer, is an encryption-based Internet security protocol. It was first developed by Netscape in 1995 for the purpose of ensuring privacy, authentication, and data integrity in Internet communications. SSL is the predecessor to the modern TLS encryption used today. A website that implements SSL/TLS has "HTTPS" in its URL instead of "HTTP."

How does SSL/TLS work?


In order to provide a high degree of privacy, SSL encrypts data that is transmitted across the web. Anyone who intercepts this data sees only ciphertext, which cannot be decrypted without the session key.

SSL initiates an authentication process called a handshake between two communicating devices to ensure that both devices are really who they claim to be. In practice the server is almost always authenticated, and the client only when client certificates are in use.

SSL also protects data integrity: each record carries a message authentication code (MAC) computed with a key known only to the two endpoints, so any tampering with the data in transit is detected by the recipient. (This is a MAC, not a digital signature; signatures are used during the handshake to authenticate the server, not on the application data.)

There have been several iterations of SSL, each more secure than the last. In 1999 SSL was updated to become TLS.

Why is SSL/TLS important?


Originally, data on the Web was transmitted in plaintext that anyone could read if they intercepted the message. For example, if a consumer visited a shopping website, placed an order, and entered their credit card number on the website, that credit card number would travel across the Internet unconcealed.

SSL was created to correct this problem and protect user privacy. By encrypting any data that goes between a user and a web server, SSL ensures that anyone who intercepts the data can only see a scrambled mess of characters. The consumer's credit card number is now safe, only visible to the shopping website where they entered it.

SSL also stops certain kinds of cyber attacks: it authenticates web servers, which is important because attackers will often try to set up fake websites to trick users and steal data. It also prevents attackers from tampering with data in transit, like a tamper-proof seal on a medicine container.

Are SSL and TLS the same thing?


SSL is the direct predecessor of another protocol called TLS (Transport Layer Security). In 1999 the Internet Engineering Task Force (IETF) proposed an update to SSL. Since this update was being developed by the IETF and Netscape was no longer involved, the name was changed to TLS. The differences between the final version of SSL (3.0) and the first version of TLS are not drastic; the name change was applied to signify the change in ownership.

Since they are so closely related, the two terms are often used interchangeably and confused. Some people still use SSL to refer to TLS, others use the term "SSL/TLS encryption" because SSL still has so much name recognition.

Is SSL still up to date?


SSL has not been updated since SSL 3.0 in 1996 and is now deprecated: SSL 2.0 was prohibited by RFC 6176 (2011) and SSL 3.0 by RFC 7568 (2015), after attacks such as POODLE showed that its CBC padding handling could not be fixed. Security experts recommend discontinuing its use, and modern web browsers no longer support SSL at all.

TLS is the up-to-date protocol that is still being deployed online, even though many people still refer to it as "SSL encryption." This can be a source of confusion for someone shopping for security solutions. Any vendor offering "SSL" these days is almost certainly providing TLS protection, which has been an industry standard for over 20 years. But since many people still search for "SSL protection," the term is still featured prominently on many product pages.

What is an SSL certificate?


SSL can only be implemented by websites that have an SSL certificate (technically a "TLS certificate"). An SSL certificate is like an ID card or a badge that proves a server is who it says it is. The certificate is stored on the website's or application's server and presented to clients during the handshake.

One of the most important pieces of information in an SSL certificate is the website's public key, which makes authentication and key establishment possible. A client reads the public key from the certificate and uses it to verify the server's identity and to establish session keys with the server. The server holds the matching private key, which never leaves the server: it proves possession of that key during the handshake, either by signing handshake data or, in the legacy RSA key exchange, by being the only party able to decrypt what the client encrypted to the public key. Anyone who obtains the private key can impersonate the server, which is why protecting it (file permissions, HSMs, short-lived certificates) is central to TLS operations.

Certificate authorities (CAs) are responsible for issuing SSL certificates, after verifying that the requester controls the domain.

What are the types of SSL certificates?


There are several different types of SSL certificates. One certificate can apply to a single website or to several websites, depending on the type:

Single-domain: a single-domain SSL certificate applies to only one domain name (a "domain" here is the name of a website, like www.cloudflare.com).

Wildcard: a wildcard SSL certificate applies to one domain and its subdomains, through a name such as *.cloudflare.com. For example, a wildcard certificate could cover www.cloudflare.com, blog.cloudflare.com, and developers.cloudflare.com, while a single-domain certificate could only cover the first. The wildcard matches exactly one label: *.cloudflare.com does not cover cloudflare.com itself (issuers usually add the apex as a second name) nor a.b.cloudflare.com. Because one private key then protects every host under the domain, compromise of a wildcard key affects them all.

Multi-domain: as the name indicates, multi-domain (SAN) SSL certificates can apply to multiple unrelated domains, each listed in the certificate's Subject Alternative Name extension.

SSL certificates also come with different validation levels. A validation level is like a background check, and the level changes depending on the thoroughness of the check. The cryptographic protection is identical at all three levels; only the identity vetting differs.

Domain Validation: the least stringent and cheapest level. All a business has to do is prove it controls the domain (for example by serving a CA-provided token over HTTP or DNS).

Organization Validation: a more hands-on process in which the CA directly verifies the organization requesting the certificate, whose identity is then included in the certificate.

Extended Validation: requires a full verification of the organization's legal identity before the SSL certificate can be issued.
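Whether a certificate "covers" a host is decided by matching the hostname against the certificate's DNS names, and the wildcard rules above are where deployments usually go wrong. The following is an added example, not code from the original notes or from any TLS library: it implements the strict whole-label wildcard matching that browsers enforce and checks the three certificate types against the cloudflare.com host names used in the text. The three certificates are represented only by their DNS name lists, which are constructed for the example.

```python
def hostname_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate dNSName (possibly a wildcard) against a hostname.

    Rules applied (the strict form browsers enforce):
      * comparison is case-insensitive and trailing dots are ignored;
      * a wildcard must be the entire leftmost label ('*.example.com', not 'w*.example.com');
      * the wildcard matches exactly one label, so '*.example.com' covers
        'www.example.com' but neither 'example.com' nor 'a.b.example.com';
      * patterns with fewer than two fixed labels after the wildcard ('*.com') are rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]) or len(p_labels) < 3:
        return False
    h_labels = hostname.split(".")
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def cert_covers(san_dns_names, hostname: str) -> bool:
    """True if any subjectAltName dNSName entry of the certificate covers the hostname."""
    return any(hostname_matches(name, hostname) for name in san_dns_names)


# Constructed certificates (DNS names only): single-domain, wildcard and multi-domain.
SINGLE_DOMAIN = ["www.cloudflare.com"]
WILDCARD = ["*.cloudflare.com", "cloudflare.com"]   # apex is usually added as a second SAN
MULTI_DOMAIN = ["www.cloudflare.com", "www.example.org", "api.example.net"]

if __name__ == "__main__":
    for host in ["www.cloudflare.com", "blog.cloudflare.com", "cloudflare.com", "a.b.cloudflare.com"]:
        print(f"{host:22} single={cert_covers(SINGLE_DOMAIN, host)!s:5} "
              f"wildcard={cert_covers(WILDCARD, host)!s:5} multi={cert_covers(MULTI_DOMAIN, host)}")
```

Note that name matching is only one of the checks a client performs; chain validation, expiry and revocation status are separate, and a certificate that matches the name but fails any of those must still be rejected.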

How can a business obtain an SSL certificate?


Cloudflare offers free SSL certificates for any business, and a website behind Cloudflare can activate SSL with a few clicks. That secures the browser-to-Cloudflare leg only: the site should also install a certificate on its origin server so that the connection from Cloudflare to the origin is encrypted and authenticated as well.

Secure Socket Layer (SSL)


Secure Sockets Layer (SSL) provides security for the data transferred between a web browser and a server. SSL encrypts the link between the two so that all data passed between them remains private and protected from tampering.

Secure Sockets Layer Protocols:

SSL Record Protocol
Handshake Protocol
Change Cipher Spec Protocol
Alert Protocol

SSL Protocol Stack: (diagram not reproduced in this text)

SSL Record Protocol:

The SSL Record Protocol provides two services to an SSL connection: confidentiality and message integrity. Application data is first divided into fragments of at most 2^14 bytes. Each fragment is (optionally) compressed; a MAC (Message Authentication Code) computed over the fragment and a sequence number with a keyed hash (MD5 or SHA-1 in SSL 3.0, HMAC in TLS) is appended; the fragment plus MAC is encrypted with the negotiated symmetric cipher; and finally a 5-byte record header (content type, protocol version, length) is prepended.
Handshake Protocol:

The Handshake Protocol establishes a session. It lets the client and server authenticate each other and agree on keys by exchanging a series of messages, in four phases.

Phase-1: Client and server exchange hello messages (ClientHello, ServerHello). These carry the protocol version, a session ID, the cipher suites and compression methods offered and chosen, and a 32-byte random value from each side that feeds the key derivation.
Phase-2: The server sends its Certificate, a ServerKeyExchange if the chosen key exchange needs one (for example ephemeral Diffie-Hellman parameters), optionally a CertificateRequest for client authentication, and ends the phase with ServerHelloDone.
Phase-3: The client sends its Certificate if one was requested, the ClientKeyExchange (for example the pre-master secret encrypted under the server's RSA public key, or its Diffie-Hellman public value), and a CertificateVerify signature if it sent a certificate.
Phase-4: Each side sends ChangeCipherSpec followed by a Finished message computed over the whole handshake under the new keys. Once both Finished messages verify, the handshake is complete and application data flows protected.
(SSL Handshake Protocol phases: diagram not reproduced in this text.)

Change Cipher Spec Protocol:

This protocol is one of those carried by the SSL Record Protocol. During the handshake the newly negotiated security parameters are held in a pending state while the record layer keeps using the current state. The protocol consists of a single 1-byte message with the single value 1; sending it causes the pending state to be copied into the current state, so that all subsequent records are protected with the new cipher spec and keys.

Alert Protocol:
This protocol is used to convey SSL-related alerts to the peer entity. Each alert message is 2 bytes: the first byte is the level and the second byte describes the alert.

Warning (level = 1):

A warning alert does not by itself end the connection. Some of them are:

Bad certificate: the received certificate is corrupt (for example, its signature does not verify).
No certificate: no appropriate certificate is available (sent by an SSL 3.0 client that has no certificate to present).
Certificate expired: the certificate's validity period has ended.
Certificate unknown: some other unspecified issue arose in processing the certificate, rendering it unacceptable.
Close notify: the sender will not send any more messages on this connection. The peer should answer with its own close_notify, so that neither side can be tricked by an attacker who truncates the stream.

Fatal Error (level = 2):

A fatal alert terminates the connection immediately. The connection is closed and the session ID is invalidated, so the session cannot be resumed, but a new connection can be started. Some of them are:

Handshake failure: the sender is unable to negotiate an acceptable set of security parameters given the options available.
Decompression failure: the decompression function received improper input.
Illegal parameter: a field is out of range or inconsistent with other fields.
Bad record MAC: an incorrect MAC was received (tampering, a key mismatch, or a padding oracle attempt).
Unexpected message: an inappropriate message was received.

The second byte of an alert describes the error; the first byte gives its level.
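The record header and the 2-byte alert layout described above are small enough to decode by hand, which is useful when reading packet captures or writing detection logic. The following is an added example, not code from the original notes: it parses a constructed byte stream into SSL/TLS records (5-byte header, then body), decodes alert level and description from the numbering in RFC 5246, stops at a fatal alert, refuses oversized records (the record_overflow condition), and leaves a trailing partial record for the caller, as a real record layer over TCP must. The sample stream is constructed for the example; the handshake body in it is a placeholder, not a real ClientHello.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
# AlertDescription values from RFC 5246 section 7.2 (SSL 3.0 uses the same numbering)
ALERT_DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked", 45: "certificate_expired",
    46: "certificate_unknown", 47: "illegal_parameter", 48: "unknown_ca",
    49: "access_denied", 50: "decode_error", 51: "decrypt_error",
    60: "export_restriction", 70: "protocol_version", 71: "insufficient_security",
    80: "internal_error", 90: "user_canceled", 100: "no_renegotiation",
}
RECORD_HEADER_LEN = 5
MAX_CIPHERTEXT_LEN = 2 ** 14 + 2048   # RFC 5246 6.2.3; anything larger => record_overflow


def parse_alert(body: bytes) -> dict:
    """Decode the 2-byte Alert payload: level, then description."""
    if len(body) != 2:
        raise ValueError("decode_error: alert body must be exactly 2 bytes")
    level, description = body[0], body[1]
    return {
        "level": ALERT_LEVELS.get(level, f"unknown({level})"),
        "description": ALERT_DESCRIPTIONS.get(description, f"unknown({description})"),
        "fatal": level == 2,
    }


def parse_records(data: bytes):
    """Split a byte stream into SSL/TLS records and decode any alerts.

    Returns (records, consumed). `consumed` counts only complete records; a
    trailing partial record is left for the caller to complete with more data.
    Parsing stops after a fatal alert, since nothing after it is valid.
    """
    records, offset = [], 0
    while offset + RECORD_HEADER_LEN <= len(data):
        ctype, major, minor, length = struct.unpack(
            "!BBBH", data[offset:offset + RECORD_HEADER_LEN])
        if length > MAX_CIPHERTEXT_LEN:
            raise ValueError(f"record_overflow: length {length} exceeds {MAX_CIPHERTEXT_LEN}")
        body = data[offset + RECORD_HEADER_LEN: offset + RECORD_HEADER_LEN + length]
        if len(body) < length:
            break
        record = {"type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
                  "version": (major, minor), "length": length}
        if ctype == 21:
            record["alert"] = parse_alert(body)
        records.append(record)
        offset += RECORD_HEADER_LEN + length
        if ctype == 21 and record["alert"]["fatal"]:
            break
    return records, offset


# Constructed sample stream (version bytes 0x0303 = TLS 1.2): a handshake record with a
# 4-byte placeholder body, a warning-level close_notify, and a fatal handshake_failure.
SAMPLE_STREAM = (
    b"\x16\x03\x03\x00\x04" + b"\x01\x00\x00\x00"
    + b"\x15\x03\x03\x00\x02" + b"\x01\x00"
    + b"\x15\x03\x03\x00\x02" + b"\x02\x28"
)

if __name__ == "__main__":
    recs, used = parse_records(SAMPLE_STREAM)
    for r in recs:
        print(r)
    print(f"consumed {used} of {len(SAMPLE_STREAM)} bytes")
```

Two details matter for anyone writing a parser like this for real traffic: the length field must be bounded before it is used to slice (a 0xFFFF length from an attacker is exactly what the record_overflow alert exists for), and a partial record must be buffered rather than treated as an error, because TCP delivers records in arbitrary pieces.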

Salient Features of Secure Sockets Layer:

Secure Sockets Layer was originated by Netscape.
SSL is designed to make use of TCP to provide a reliable end-to-end secure service.
SSL can be provided as part of the underlying protocol suite or, as browsers do, embedded in specific application packages; the advantage of the latter approach is that the service can be tailored to the specific needs of the given application.
SSL is a two-layered protocol: the Record Protocol provides basic security services to the higher-layer protocols above it (the Handshake, Change Cipher Spec and Alert Protocols, and application protocols such as HTTP).

Versions of SSL:

SSL 1.0 – never released because of serious security flaws.
SSL 2.0 – released in 1995; prohibited by RFC 6176 (2011).
SSL 3.0 – released in 1996; deprecated by RFC 7568 (2015) after the POODLE attack.
TLS 1.0 – released in 1999 (RFC 2246); deprecated by RFC 8996 (2021).
TLS 1.1 – released in 2006 (RFC 4346); deprecated by RFC 8996 (2021).
TLS 1.2 – released in 2008 (RFC 5246).
TLS 1.3 – released in 2018 (RFC 8446).

What is Transport Layer Security (TLS)?

Transport Layer Security, or TLS, is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS can also be used to encrypt other communications such as email, messaging, and voice over IP (VoIP). In this article we will focus on the role of TLS in web application security.

TLS was proposed by the Internet Engineering Task Force (IETF), an international standards organization, and the first version of the protocol was published in 1999. The most recent version is TLS 1.3, which was published in 2018.

What is the difference between TLS and SSL?


TLS evolved from a previous encryption protocol called Secure Sockets Layer (SSL), which was developed by Netscape. TLS version 1.0 actually began development as SSL version 3.1, but the name of the protocol was changed before publication in order to indicate that it was no longer associated with Netscape. Because of this history, the terms TLS and SSL are sometimes used interchangeably.

What is the difference between TLS and HTTPS?

HTTPS is HTTP carried inside a TLS connection. It is used by the overwhelming majority of websites and by many other web services and APIs. Any website that uses HTTPS is therefore employing TLS encryption.

Why should businesses and web applications use the TLS

protocol?

TLS encryption can help protect web applications from data breaches and other attacks. Today, TLS-protected HTTPS is a standard practice for websites. The Google Chrome browser gradually cracked down on non-HTTPS sites, and other browsers have followed suit. Everyday Internet users are more wary of websites that do not feature the HTTPS padlock icon.

What does TLS do?

There are three main components to what the TLS protocol accomplishes: Encryption, Authentication, and Integrity.

Encryption: hides the data being transferred from third parties.
Authentication: ensures that the parties exchanging information are who they claim to be.
Integrity: verifies that the data has not been forged or tampered with.

How does TLS work?

For a website or application to use TLS, it must have a TLS certificate installed on its origin server (the certificate is also known as an "SSL certificate" because of the naming confusion described above). A TLS certificate is issued by a certificate authority to the person or business that controls a domain. The certificate contains the domain name(s) it is valid for, information about the owner (for OV and EV certificates), and the server's public key, all of which are used to validate the server's identity.

A TLS connection is initiated using a sequence known as the TLS handshake. When a user navigates to a website that uses TLS, the TLS handshake begins between the user's device (also known as the client device) and the web server.

During the TLS handshake, the client and the web server:

Agree on which version of TLS they will use (1.2 or 1.3 today; 1.0 and 1.1 are deprecated)
Agree on which cipher suite (see below) they will use
Authenticate the identity of the server using the server's TLS certificate
Derive session keys for encrypting messages between them after the handshake is complete

The TLS handshake establishes a cipher suite for each session. The cipher suite is the set of algorithms used for that session: the key exchange, the authentication method, the symmetric cipher and the hash or MAC. Public key cryptography (RSA, or today almost always ephemeral Diffie-Hellman) is what lets the two sides agree on matching session keys over an unencrypted channel without an eavesdropper learning them; the session keys are derived from the resulting shared secret together with both sides' random values.

The handshake also handles authentication, which usually consists of the server proving its identity to the client. The server's certificate carries its public key. The server proves it holds the matching private key either by signing the handshake's key exchange parameters (ECDHE suites in TLS 1.2, and all of TLS 1.3) or, in the legacy RSA key exchange, by being the only party able to decrypt the pre-master secret that the client encrypted to the public key. The client, for its part, checks that the certificate chains to a trusted CA and that it names the host being visited.

Every record is then protected for integrity as well: TLS 1.2 attaches a message authentication code (MAC), and modern AEAD cipher suites (AES-GCM, ChaCha20-Poly1305, the only kind allowed in TLS 1.3) produce an authentication tag as part of encryption. The recipient verifies the MAC or tag and discards any record that was altered in transit. This is kind of like the tamper-proof foil found on a bottle of aspirin; the consumer knows no one has tampered with their medicine because the foil is intact when they purchase it.

How does TLS affect web application performance?


The latest versions of TLS hardly impact web application performance at all.

Because of the process involved in setting up a TLS connection, some load time and computational power must be expended. The client and server exchange several messages before any application data is transmitted, which costs round trips (milliseconds of load time) as well as some memory and CPU on both sides.

However, there are technologies that mitigate the latency created by the TLS handshake. One is TLS False Start (RFC 7918), which lets the client send application data before the handshake is fully complete. Another is TLS Session Resumption, which allows clients and servers that have previously communicated to use an abbreviated handshake instead of a full one.

These improvements have made TLS fast enough that it should not noticeably affect load times. As for the computational costs of the symmetric encryption, they are mostly negligible by today's standards (AES is hardware-accelerated on most CPUs).

TLS 1.3, released in 2018, made TLS faster still. A full TLS 1.3 handshake requires only one round trip (one back-and-forth exchange) instead of two, shortening the process by a few milliseconds. When the client has connected to the server before, TLS 1.3 allows "0-RTT" resumption, in which the client sends application data in its very first flight. The caveat is that 0-RTT data can be replayed by an attacker who captured it, so servers must accept it only for idempotent requests, or not at all.

Secure Hypertext Transfer Protocol (S-HTTP) is an obsolete alternative to the HTTPS protocol for encrypting web communications carried over the Internet. It was developed by Eric Rescorla and Allan M. Schiffman at EIT in 1994 and published in 1999 as RFC 2660. Even though S-HTTP was first to market, Netscape's dominance of the browser market led to HTTPS becoming the de facto method for securing web communications.

Comparison to HTTP over TLS


S-HTTP encrypts only the served page data and submitted data like POST
fields, leaving the initiation of the protocol unchanged. Because of this, S-
HTTP could be used concurrently with HTTP (unsecured) on the same port,
as the unencrypted header would determine whether the rest of the
transmission is encrypted.
In contrast, HTTP over TLS wraps the entire communication
within Transport Layer Security (TLS; formerly SSL), so the encryption
starts before any protocol data is sent. This creates a name-based virtual
hosting "chicken and egg" issue with determining which DNS name was
intended for the request.
This means that HTTPS implementations without Server Name
Indication (SNI) support require a separate IP address per DNS name, and all
HTTPS implementations require a separate port (usually 443 vs. HTTP's
standard 80) for unambiguous use of encryption (treated in most browsers
as a separate URI scheme, https://).

As documented in RFC 2817, HTTP can also be secured by


implementing HTTP/1.1 Upgrade headers and upgrading to TLS. Running
HTTP over TLS negotiated in this way does not have the implications of
HTTPS with regards to name-based virtual hosting (no extra IP addresses,
ports, or URI space). However, few implementations support this method.
In S-HTTP, the desired URL is not transmitted in the cleartext headers, but
left blank; another set of headers is present inside the encrypted payload. In
HTTP over TLS, all headers are inside the encrypted payload and the server
application does not generally have the opportunity to gracefully recover
from TLS fatal errors (including 'client certificate is untrusted' and 'client
certificate is expired').

Time Stamping Protocols:


(This section describes timestamp ordering in database transaction processing, a different use of the word from the RFC 3161 Time-Stamp Protocol above.) The timestamp-ordering protocol assigns each transaction a unique timestamp when it enters the system, in advance of its execution, and uses these timestamps to decide the order in which conflicting operations are allowed to execute. It is most useful when a large number of transactions run concurrently. Timestamps are assigned from a counter.
ts counter:
The ts counter is a logical clock used by timestamping protocols. Its value is incremented by one each time it is used to stamp a new transaction, so that if transaction Ti was assigned timestamp TS(Ti) and a later transaction Tj enters the system, then TS(Ti) < TS(Tj).

Secure Electronic Transaction (SET) Protocol


Secure Electronic Transaction (SET) is a system that ensures the security and integrity of electronic transactions made with credit cards. SET is not itself a payment system; it is a security protocol applied to those payments. It uses encryption, hashing and digital signatures to secure credit card payments made over the internet. The SET protocol was developed with the support of major organizations: Visa and MasterCard; Microsoft, which contributed its Secure Transaction Technology (STT); and Netscape, which contributed Secure Sockets Layer (SSL) technology.
SET keeps credit card details hidden from merchants, so a compromised merchant does not leak card numbers. It uses Certification Authorities that issue standard X.509 digital certificates to all participants.
Before discussing SET further, consider the general scenario of an electronic transaction, which involves the client (cardholder), the payment gateway, the client's financial institution (issuer), the merchant, and the merchant's financial institution (acquirer).

Requirements in SET:
The SET protocol has to meet several requirements, the most important being:
It must provide mutual authentication: cardholder authentication, confirming that the customer is the legitimate holder of the card, and merchant authentication, confirming that the merchant is authorized to accept card payments.
It must keep the Payment Information (PI) and Order Information (OI) confidential through appropriate encryption, and confidential from different parties: the merchant must not see the PI and the bank must not see the OI.
It must resist message modification: no change to the transmitted content may go undetected.
SET must also provide interoperability and make use of the best available security mechanisms.

Participants in SET:
SET includes the same participants as the general online transaction scenario:

1. Cardholder – the customer
2. Issuer – the customer's financial institution
3. Merchant
4. Acquirer – the merchant's financial institution
5. Certificate Authority – an authority that follows defined standards and issues certificates (X.509v3) to all other participants.

SET functionalities:
Provide Authentication
Merchant Authentication – To protect the cardholder from fraudulent merchants, SET lets the cardholder verify that the merchant has a relationship with a financial institution (acquirer) that allows it to accept payment cards. Standard X.509v3 certificates are used for this verification.
Cardholder Authentication – SET lets the merchant verify that the person using the card is its legitimate holder, again using X.509v3 certificates.
Provide Message Confidentiality: Confidentiality means preventing unintended parties from reading the message being transferred. SET implements it with encryption: DES for the message content, with the DES key itself encrypted under the recipient's RSA public key (the digital envelope).
Provide Message Integrity: SET detects message modification with digital signatures. Messages are protected against unauthorized modification using RSA digital signatures over SHA-1 digests, and some messages additionally use HMAC with SHA-1.
Dual Signature:
The dual signature is a concept introduced with SET. It links two pieces of information meant for two different receivers:
Order Information (OI) for the merchant
Payment Information (PI) for the bank

Sending them separately might look simpler and more private, but sending them in linked form lets either party later prove which order a given payment was for, which resolves disputes, while the merchant still never sees the PI and the bank never sees the OI. The dual signature is generated as follows (diagram not reproduced in this text):

PI stands for payment information
OI stands for order information
PIMD = H(PI) stands for Payment Information Message Digest
OIMD = H(OI) stands for Order Information Message Digest
POMD = H(PIMD || OIMD) stands for Payment Order Message Digest
H stands for the hash function (SHA-1 in SET)
E stands for public key encryption (here, signing with the private key)
KPc is the customer's private key
|| stands for the append (concatenation) operation

Dual signature, DS = E(KPc, [H(H(PI) || H(OI))])


Purchase Request Generation:

The purchase request sent to the merchant is built from three inputs:

Payment Information (PI)
Dual Signature
Order Information Message Digest (OIMD)

The purchase request is generated as follows (diagram not reproduced in this text). PI, OIMD and OI have the same meanings as before. The new symbols are:

EP, which is symmetric key encryption
Ks, a temporary (one-time) symmetric key
KUbank, the public key of the bank (payment gateway)
CA, the cardholder's (customer's) certificate

Digital Envelope = E(KUbank, Ks)

The PI, the dual signature and the OIMD are encrypted under Ks with EP, and the digital envelope E(KUbank, Ks) ensures that only the bank can recover Ks and open that block. The merchant receives this encrypted block (which it cannot read) together with the OI, the PIMD, the dual signature and the cardholder certificate CA.

Purchase Request Validation on the Merchant Side:
The merchant verifies the dual signature by computing POMD itself, as H(PIMD || H(OI)), and comparing it with the POMD recovered by decrypting the dual signature (diagram not reproduced in this text). Since the customer's private key was used to create the signature, the merchant uses KUc, the public key of the customer or cardholder taken from the certificate CA, for the decryption D. A matching POMD proves the OI it holds is the one the cardholder signed together with the (unseen) payment information.
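The dual signature construction and both verifications (merchant side, as just described, and bank side, which is symmetric with PI and OIMD) are shown below as an added example; this is not code from the original notes or from any SET implementation. To keep it self-contained and deterministic it uses textbook RSA on two publicly known Mersenne primes with no padding, which illustrates the structure only and offers no security, and SHA-256 in place of SET's SHA-1. The PI and OI strings are constructed sample data (4111 1111 1111 1111 is the standard Visa test card number), and the Ks encryption and digital envelope are left out.

```python
import hashlib

# Textbook RSA on publicly known Mersenne primes, so the example needs no key generation.
# This shows the dual-signature STRUCTURE only. Real SET used CA-certified RSA keys with
# proper signature padding; never sign anything with these values.
P = 2 ** 521 - 1
Q = 2 ** 127 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # customer's private exponent KPc; (E, N) is KUc


def H(data: bytes) -> bytes:
    """Message digest (SHA-256 here; SET specified SHA-1)."""
    return hashlib.sha256(data).digest()


def sign(digest: bytes, d: int = D, n: int = N) -> int:
    """E(KPc, digest): raw RSA signature over the digest (no padding; toy only)."""
    return pow(int.from_bytes(digest, "big"), d, n)


def verify(signature: int, digest: bytes, e: int = E, n: int = N) -> bool:
    """D(KUc, signature) == digest, i.e. recover POMD with the public key and compare."""
    return pow(signature, e, n) == int.from_bytes(digest, "big")


def dual_signature(pi: bytes, oi: bytes) -> int:
    """DS = E(KPc, H(H(PI) || H(OI))), using the PIMD/OIMD/POMD names from the text."""
    pimd, oimd = H(pi), H(oi)
    pomd = H(pimd + oimd)
    return sign(pomd)


def merchant_verify(oi: bytes, pimd: bytes, ds: int) -> bool:
    """The merchant holds OI in clear and only the digest PIMD of the payment data."""
    return verify(ds, H(pimd + H(oi)))


def bank_verify(pi: bytes, oimd: bytes, ds: int) -> bool:
    """The bank (payment gateway) holds PI in clear and only the digest OIMD of the order."""
    return verify(ds, H(H(pi) + oimd))


# Constructed sample data.
PI = b"PAN=4111111111111111;exp=12/29;amount=49.99"
OI = b"order=1001;item=SKU-42;qty=1;amount=49.99"

if __name__ == "__main__":
    ds = dual_signature(PI, OI)
    print("merchant accepts:", merchant_verify(OI, H(PI), ds))
    print("bank accepts:", bank_verify(PI, H(OI), ds))
    altered_oi = OI.replace(b"qty=1", b"qty=9")
    print("merchant accepts altered order:", merchant_verify(altered_oi, H(PI), ds))
```

The point the code makes concrete is that each party verifies the same signature using only the half it is allowed to see plus a digest of the other half, so neither the merchant nor the bank can alter its half, or pair the payment with a different order, without the cardholder's private key.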

Payment Authorization and Payment Capture :


Payment authorization: the merchant forwards the encrypted payment information (which it cannot read) to the payment gateway, which obtains authorization from the issuer through the acquirer and returns an authorization response; this assures the merchant that it will be paid before it ships the goods. Payment capture: the merchant later sends a capture request for the authorized amount to the payment gateway, which triggers the actual transfer of funds to the merchant's account.
Difference between Secure Socket Layer (SSL) and Secure
Electronic Transaction (SET)
Secure Socket Layer (SSL):

Secure Socket Layer (SSL) is the standard security technology for establishing an encrypted link between a
web server and a browser. This link ensures that all data passed between the web server and the browser
remains private and integral. SSL is an industry standard and is used by numerous websites to protect their
online transactions with their customers. SSL allows sensitive information such as Social Security numbers,
credit card numbers, or login credentials to be transmitted securely.

Secure Electronic Transaction (SET):

Secure Electronic Transaction (SET) is a system for ensuring the security of financial transactions on the
Internet. It was supported initially by Mastercard, Visa, Microsoft, Netscape, and others. With SET, a user is
given an electronic wallet (digital certificate), and a transaction is conducted and verified using a
combination of digital certificates and digital signatures among the purchaser, the merchant, and the
purchaser's bank in a way that ensures privacy and confidentiality. SET makes use of Netscape's Secure
Sockets Layer (SSL), Microsoft's Secure Transaction Technology (STT), and Terisa System's Secure Hypertext
Transfer Protocol (S-HTTP). SET uses some, but not all, aspects of Public Key Infrastructure (PKI).

Difference between Secure Socket Layer (SSL) and Secure Electronic Transaction (SET):

1. Basics
   SSL: SSL is an encryption mechanism for order taking, queries, and other applications and is available
   on the customer's browser. It does not protect against all security hazards and is naturally simple and
   widely used. SSL is a protocol for general-purpose secure message exchange. The SSL protocol may use a
   certificate, but a payment gateway is not available. So the merchant needs to receive both the ordering
   information and the credit card information, because the capture process has to be generated by the
   merchant. The SSL protocol has been the industry standard for securing internet communication.
   SET: SET is a very comprehensive protocol. It provides privacy, integrity, and authenticity. It is not
   used frequently due to its complexity and the need for a special card reader by the user. It may be
   abandoned if it is not simplified. SET is tailored to the credit card payment to the merchant. The SET
   protocol hides the customer's credit card information from the merchant and also hides the order
   information from the banks to protect privacy; this mechanism is called a dual signature. The SET protocol
   is complex and more secure.

2. Developed by
   SSL: The SSL protocol was developed by Netscape for secure online transactions.
   SET: The SET protocol was jointly developed by MasterCard and Visa to secure web browsers for bank card
   transactions.

3. Working
   SSL: SSL uses a combination of public-key and symmetric-key encryption to safeguard data transactions.
   The SSL protocol uses a handshake, which permits the server to verify its identity to the client. In case
   of unsuccessful authentication, the connection will not be formed.
   SET: SET deploys the dual signature mechanism to safeguard a transaction. To use an e-commerce site, SET
   requires the purchase of software. The design of the protocol necessitates the client's installation of
   an e-wallet.

4. Integrity
   SSL: The technique of hash functions is used for this purpose.
   SET: The technique of digital signatures is used for this purpose.

5. Acceptability
   SSL: Its acceptability is greater as compared to SET.
   SET: SET's acceptability is lower because it is necessary to build an open PKI.

6. Functionality
   SSL: The Secure Sockets Layer (SSL) is not a payment protocol. SSL encrypts the communication channel
   between the cardholder and the merchant website and is not backed by any financial institution. As a
   result, SSL is unable to ensure the security of a transaction.
   SET: SET was created with the sole purpose of securing and ultimately guaranteeing a payment transaction.
   For example, the possibilities for online retail growth increase only when consumer confidence in online
   shopping grows.

7. Encryption
   SSL: The purpose of SSL lies in the prevention of data tampering in client/server applications; it has
   considerably weaker encryption, with a maximum of 128-bit encryption.
   SET: SET, which was created expressly to address the security of all parties involved in an electronic
   payment transaction, uses 1024-bit encryption throughout the transaction.

8. Authentication
   SSL: SSL certificates are not endorsed by any financial institution or payment brand association, so they
   cannot effectively validate all parties.
   SET: Here, all parties are authenticated to the transaction because SET's certificates are backed not
   just by a Certificate Authority, but also by financial institutions and MasterCard International.

9. Security
   SSL: SSL only protects the cardholder and the merchant, which is insufficient to prevent fraud. SSL
   transactions, in other words, are never assured.
   SET: SET enables transaction security from the cardholder's desktop to the merchant via bank approvals
   and back through the gateway, leaving an indisputable audit trail and, as a result, a guaranteed
   transaction.

Electronic Money (e-money): Definition, Uses, Safety Issues


What Is Electronic Money?
Electronic money refers to money that exists in banking computer systems that may be used to
facilitate electronic transactions. Although its value is backed by fiat currency and may, therefore, be
exchanged into a physical, tangible form, electronic money is primarily used for electronic transactions
due to the sheer convenience of this methodology.

KEY TAKEAWAYS
Electronic money is currency that is stored in banking computer systems.
Electronic money is backed by fiat currency, which distinguishes it from cryptocurrency.
Various companies allow for transactions to be made with electronic money, such as Square or
PayPal.
The prevalence of electronic money has led to the diminishing use of physical currency.
Although electronic money is often considered safer and more transparent than physical currency, it
is not without its risks.
How Electronic Money Works
Electronic money is used for transactions on a global basis. While it may be exchanged for fiat
currency (which, incidentally, distinguishes it from cryptocurrencies), electronic money is most
commonly utilized through electronic banking systems and monitored through electronic processing.
Because a mere fraction of the currency is utilized in physical form, the vast percentage of it is housed
in bank vaults and is backed by central banks.

For this reason, a primary function of the U.S. Federal Reserve and its 12 supporting banks is to
manage the fiat currency in physical form and control the money supply through monetary policies and
open market operations.

Because of the transparency that is inherent to electronic money, many have speculated that the
increase of its use could lead to a significant decrease in inflation risk.

Special Considerations
Currency in Circulation
Electronic money can be held in various places. Most individuals and businesses store their money
with banks that provide electronic records of the cash on deposit. However, prepaid cards and digital
wallets like PayPal and Square likewise allow users to deposit fiat currency for electronic money. Such
companies will make their profit by charging a percentage on any amount that is withdrawn from
accounts or converted from electronic money back into fiat currency.

Electronic Payment Processing


Many Americans process transactions electronically in a multitude of ways. This includes receiving
paychecks through direct deposits, moving money from one account to another via electronic fund
transfers, or spending money with credit cards and debit cards.

While physical currency is still advantageous in certain situations, its role has gradually diminished
over time. Many consumers and businesses believe electronic money is more secure and convenient
because it cannot be misplaced, and it is widely accepted by merchants nationwide. The U.S. financial
market has consequently established a robust infrastructure for transacting electronic money, which is
primarily facilitated through payment processing networks, such as Visa and Mastercard.

Banks and financial institutions partner with electronic money networking processors to issue their
customers branded network cards that facilitate these electronic transactions from bank accounts to
merchants. Electronic money is also easily transacted through e-commerce, letting consumers
conveniently shop for goods and services online.

Criticisms of Electronic Money


Although electronic money is quickly becoming the norm and is often hailed as the more secure and
transparent alternative to physical currency, this does not mean that it comes without its own set of
risks and vulnerabilities. For instance, fraud becomes an issue when money can be transferred from one
party to another without the necessity for the physical verification of the original owner’s true identity.

Electronic transactions also lend themselves to being more discreet and, thus, easier to hide from the
IRS, making electronic money a potential and unwilling accomplice to tax evasion. Lastly, the
computer systems that are responsible for carrying out electronic transactions are not perfect, meaning
that electronic money transactions can sometimes go awry simply due to system error.

What Is Email Security?


To understand what email security is, one should understand why and when one needs it. An email is a
window that hackers use to penetrate your computer systems. Just as you have insect
screens on windows to prevent pests from entering your home, you can install software to
secure the access to and content of your email accounts. Such collective measures define
email security.
Individuals, as well as business organizations, can use these services to protect overall
access to either a single account or their entire enterprise accounts.
Email Security Features
Email security services provide various types of email security solutions. Some of the
principal email security features are as follows.

Spam Filters
A significant proportion of emails that you receive daily are marketing emails. These
emails clog the email inbox in such a way that you almost miss out on some of the official
or essential emails. Secondly, cybercriminals take advantage of these marketing emails by
pushing in their phishing emails, as well. An unsuspecting user might open such emails
and click on the malicious links provided in the phishing email. It could lead to severe
repercussions like compromising one’s financial details such as bank accounts, credit card
numbers, and so on.
Installing spam filters can help in separating these marketing and phishing emails by
directing them to a distinctive email inbox. In this way, your regular email inbox does not
get clogged. Secondly, you do not miss any crucial business email.
A vital email security feature is that you can schedule the deletion of spam emails at fixed
intervals. They can be deleted automatically without needing to open them.
Anti-virus Protection
Spam filters play the role of separating the spam emails from the regular ones. However,
these emails remain in the spam folder for a specific period, after which they get deleted
automatically. There is always a likelihood of the user accessing the spam folder and
opening these email attachments.
Hackers send malicious content through such email attachments and spurious links in the
messages. If a user unwittingly clicks on such links or downloads such files, there are
chances of viruses spreading to their information systems. The right way to deal with such
situations is to have robust anti-virus protection. This software program scans each
incoming and outgoing email for malicious content and blocks their entry or exit, as the
case may be. Hence, it offers better protection than the spam filters because it identifies
and eliminates these viruses that can create havoc with the computer network systems.
Image & Content Control
Hackers use emails for phishing purposes. The email attachments can contain files, links,
and even images. There have been numerous phishing instances in recent times where
cybercriminals managed to transmit malicious software through images. Therefore, it
becomes vital for email security services to protect the systems by scanning images, as
well. It is one of the most crucial aspects of email security in information security.
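The three features just described (spam filtering, blocking of dangerous attachments, and scheduled deletion of spam without opening it) can be shown together in one small rule-based mail filter. This is an added example, not code from the notes or from any email security product: the senders, domains, hash values and messages are all constructed, the lure phrases and blocked extensions are an illustrative list, and a real deployment would replace these rules with reputation feeds, scanner verdicts and attachment detonation. What it adds to the text is the ordering of the checks (attachment control first, since a quarantined message should never reach the spam folder a user might browse) and the retention purge as a separate, data-driven step.

```python
"""Added example: a minimal rule-based mail filter with attachment control and
a scheduled spam purge. All senders, domains, hashes and messages are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import re

KNOWN_MARKETING_SENDERS = {"promo@deals.example", "noreply@offers.example"}
BLOCKED_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta"}
BLOCKED_SHA256 = {"00" * 32}          # constructed placeholder for a malware-hash feed
LURE_PHRASES = ("verify your account", "urgent action required", "confirm your password")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


@dataclass
class Attachment:
    name: str
    sha256: str


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    received: datetime
    attachments: list = field(default_factory=list)


def _host_belongs_to(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain (not 'evilbank.example')."""
    return host == domain or host.endswith("." + domain)


def classify(msg: Email):
    """Return (folder, reason) with folder in {'quarantine', 'spam', 'inbox'}."""
    # 1. Content control: hold anything carrying an executable or known-bad attachment.
    for att in msg.attachments:
        ext = att.name[att.name.rfind("."):].lower() if "." in att.name else ""
        if ext in BLOCKED_EXTENSIONS or att.sha256.lower() in BLOCKED_SHA256:
            return "quarantine", f"blocked attachment {att.name}"
    # 2. Phishing heuristic: a lure phrase combined with a link pointing off the sender's domain.
    text = f"{msg.subject} {msg.body}".lower()
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    hosts = {h.lower() for h in URL_HOST_RE.findall(msg.body)}
    if any(p in text for p in LURE_PHRASES) and any(
        not _host_belongs_to(h, sender_domain) for h in hosts
    ):
        return "spam", "lure phrase with off-domain link"
    # 3. Bulk marketing senders go to the spam folder so the inbox stays usable.
    if msg.sender.lower() in KNOWN_MARKETING_SENDERS:
        return "spam", "known marketing sender"
    return "inbox", "no rule matched"


def sort_mail(msgs):
    """Route each message into a folder by the first matching rule."""
    folders = {"inbox": [], "spam": [], "quarantine": []}
    for m in msgs:
        folders[classify(m)[0]].append(m)
    return folders


def purge_spam(spam_folder, now: datetime, max_age=timedelta(days=30)):
    """Scheduled deletion: drop spam older than max_age without opening it.
    Returns (kept, number_deleted)."""
    kept = [m for m in spam_folder if now - m.received <= max_age]
    return kept, len(spam_folder) - len(kept)


NOW = datetime(2024, 1, 31)
SAMPLE_MAIL = [  # constructed messages
    Email("alice@partner.example", "Q1 contract",
          "Draft attached, see http://docs.partner.example/q1", NOW),
    Email("promo@deals.example", "50% off today",
          "Shop now at http://deals.example/sale", NOW - timedelta(days=45)),
    Email("security@bank.example", "Urgent action required",
          "Verify your account at http://bank-example.login.example/", NOW - timedelta(days=2)),
    Email("bob@vendor.example", "Invoice", "Please open the attached invoice", NOW,
          [Attachment("invoice.pdf.exe", "ab" * 32)]),
]


def run_demo():
    """Sort the sample mailbox and run the purge; returns subjects per folder plus purge count."""
    folders = sort_mail(SAMPLE_MAIL)
    _, deleted = purge_spam(folders["spam"], NOW)
    summary = {k: [m.subject for m in v] for k, v in folders.items()}
    summary["purged"] = deleted
    return summary
```

Running `run_demo()` on the constructed mailbox puts the contract in the inbox, the marketing mail and the look-alike bank message in spam, and the double-extension invoice in quarantine; the purge then deletes only the 45-day-old marketing mail, leaving the recent phishing message for review. The off-domain check is the part worth copying: a lure phrase alone flags too much legitimate mail, but a lure phrase plus a link whose host is not under the sender's domain is a far better signal.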
Data Encryption
Your email data is at its most vulnerable position when it is in transit. Generally, it is
transmitted in an open format. It allows cybercriminals to intercept these messages in
transit and use them to lift confidential data. You could have spam filters installed on your
system to identify and segregate spam emails. You could also have anti-virus protection in
place. However, these email security features are of little use when you expose your
email content when it is in transit.
The ideal solution is to encrypt the data sent through email. It is one of the major topics
of importance regarding email security in cryptography systems. This security feature
ensures that your outgoing emails are encrypted in all respects, thereby not allowing
any leeway for the hacker to read them. Advanced cryptography features also safeguard
the recipient's details and the email message headers. Therefore,
the cybercriminals do not have any means to know either the contents or the details of the
recipients of your emails.
Encrypting your emails entails that you make it difficult for hackers to access the contents
of the emails. Every business organization, or for that matter, every individual, should have
this email security feature installed on their computer network. It is one of the best ways to
avoid becoming victims of phishing attempts.

Final Word
Cybercriminals are becoming smarter by the day. They are inventing new ways of
hacking into computer networks all over the world. Therefore, one should be a couple of
steps ahead of these hackers. Adopting different types of email security solutions can
significantly help you in your endeavor. Phishing attempts have become common today.
With the growth in the usage of computers in daily activities, it is natural for cybercriminals
to up their ante, as well. Hence, one should adopt proactive means of securing one’s
emails. The aforementioned email security features should be the ideal solutions.

END