首页 诗词 字典 板报 句子 名言 友答 励志 学校 网站地图
当前位置: 首页 > 教程频道 > 网站开发 > Web前端 >

Network Security Essentials - Notes7. Web Security

2012-09-10 
Network Security Essentials -- Notes7. Web SecurityThree Approaches for Web Security:1.IP-Level Sec

Network Security Essentials -- Notes7. Web Security
Three Approaches for Web Security:  
  1.IP-Level Security
  2.SSL/TLS between TCP layer and Application Layer
  3.Application-Level Security, such as PGP over SMTP and SET Over HTTP

SSL/TLS
  1.History: SSL is originated by Netscape. But TLS is the Internet standard version of it. TLS is essentially SSLv3.1 and it's compatible with SSLv3

  2.Concept: SSL Connection & SSL Session
     a. Connection
     b. Session  --- Spans several connections
     c. Session State --- State of "still handshaking" &  State of "Handshaking done"
   
SSL is not a single protocol, but a set of protocols

   3.Protocol #1 -- Handshake Protocol (At the same layer of HTTP)
     a.It provides authentication service and negotiates algorithms/keys
     b.Used before application data is transmitted
     c.Handshake Steps:
        i.Phase1 -- Client says Hello
           request: client_hello + supported cyrptographic parameters
           response:server_hello + supported cyrptographic parameters
        ii.Phase2 -- Server sending certificate and key exchange request
          certificate + ask for key exchange + ask for client's certificate (optinal)
       iii.Phase3 --- Client validates server's certificates , sends symmertric key and sends certificates(optional)
        iv.Phase4 --- Client said "done" and server said "done"

   5.Protocol #2 -- Change Cipher Spec Protocol (At the same layer of HTTP)
        Change the session state to "Handshake done" when handshake is done

   6.Protocol #3 -- Alert Protocol(At the same layer of HTTP)
        Tells the peer that something is wrong, for example, "handshake-failure"

   7.Protocol #4 -- SSL Record Protocol (Between HTTP Layer and TCP Layer)
       a.Transmit of application data
       b.Provide confidentiality server and integrity service
       c.Msg Transformation Steps:
          i.Fragement
         ii.Compress (optional)
        iii.Add MAC -- encrypted with symmertric MAC key + hash
         iv.Encrypt the msg -- with another symmertric key
          v.Append SSL record header
       
SET: Secure electronic transaction
    1.Overview
      a. To protect credit card transactions on the Internet
      b. Not a payment system itself
      c. A set of security protocols and formats
      d. Security Services
         i.A secure communcations channel
        ii.Trust based on X.509 certificates
       iii.Information is only available to parties of the transaction
        iv.Information is transit only when necessary

    2.Security Features
      a.Confidentiality: Prevents the merchant from learning the card number
      b.Integrity:
            i.Digital Signature for OI (Order Information)
           ii.Digital Signature for PI (Payment Information)
          iii.Dual Signature to link OI and PI
      c.Merchant authenticates card number --- based on X.509 Certificate
      d.Cardholder authenticates Merchant and Payment Gateway  --- based on X.509 Certificate

    3.The Senario
      a.Players:
         i.Cardholder
        ii.Merchant
       iii.Issuing Bank
        iv.Acquring Bank
         v.Payment Gateway to existing bankcard payment network
        vi.CA
      b.Certificates Needed
         i.Cardhoder has a certificate signed by issuing bank
        ii.Merchant has two certificates: one for message signature, the other for symmertric exchange
       iii.Payment Gateway has a certificate. 
      c.A story
         i.Each party will validate other parties' certificate
        ii.Payment Information will be encrypted and the merchant can't decrypt it
       iii.Payment Information will be forwarded by Marchant to Payment Order Gateway to get validated(Authorization)
        iv.Merchant will last ask Payment Gateway to request payment.
       

热点排行