Secure Sockets Layer (SSL)

& Secure Electronic Transactions (SET)

Lecture by
Dr.C.S.Warnekar
 SSL (Secure Socket Layer)
TCP: provides a reliable end-to-end service.
TCP combined with SSL provides a reliable & secure
end-to-end service.
SSL:- A cryptographic protocol designed to provide
communication security over the Internet.
SSL originally developed by Netscape; subsequently
became Internet standard known as Transport Layer
Security( TLS).
HTTPS: HTTP over SSL
SSL has two layers of protocols
 Architecture of SSL protocols
Consists of two layers of protocols
 SSL Record Protocol Services
SSL Record Protocol provides two services.
Message integrity
using a MAC with a shared secret key
similar to HMAC but with different padding
hash functions: MD5, SHA-1
Message confidentiality
using symmetric encryption with a shared secret
key
Encryption algorithms: AES, IDEA, RC2-40,
DES-40, DES, 3DES, RC4-40, RC4-128
SSL Record Protocol Operation

214 bytes

(optional; default: null)

 SSL Protocol
SSL Connection
Peer-to-peer transport
Transient
Associated with one session
SSL Session
Association between client and server.
1 session = 1 or more connections.
Created by Handshake protocol
Defines security parameters shared across connections
 SSL Session and Connection
SSL was designed to work with HTTP 1.0
which tended to open a lot of TCP connections
between the same client and server.
SSL assumes a session is a relatively long-
lived thing from which many (transient)
connections can be cheaply derived.

7
 SSL Session
Created by the Handshake Protocol.
Parameters:
Session ID
Compression method
Cipher spec (encryption and hash algorithm)
Master secret
Is resumable

8
 SSL Connection
Based on an underlying TCP connection
Associated with a session
Parameters:
Server and client random
Server and client write MAC secret
Server and client write secret
Server and client IV (if CBC is used)
Sequence number
Closed by a close_notify from each side
9
 SSL Handshake Protocol
Allows server & client to:
authenticate each other
to negotiate encryption & MAC algorithms and keys
Comprises a series of messages exchanged in
phases:
1. Establish Security Capabilities (to agree on
encryption, MAC, and key-exchange algorithms)
2. Server Authentication and Key Exchange
3. Client Authentication and Key Exchange
4. Finish
SSL Handshake
Stallings
Figure 17.6
 Secure Electronic Transactions (SET)

Developed by Mastercard, Visa in1996

Web-based credit card transactions
Open encryption
A set of protocols
Not a payment system
SET Illustrated
 SET Transaction
1) Client opens an account
2) Customer receives a certificate; Signed by
the bank issuing the card
3) Merchants have their own certificates, used
in authenticating merchants
4) Customer places an Order, sends an order
form to the merchant
 SET Transaction continued 1
5) Merchant is verified:- Merchant returns the
OI with its Certificate.
6) Customer knows he is dealing with a valid
merchant
7) The order and payment are sent; Payment
contains credit card details
8) Merchant requests payment authorization;
Check customers available credit
 SET Transaction continued 2
9) Merchant confirms order
10)Merchant provides goods or services
11)Merchant requests payment
 Dual signature
Need to sign the order and payment
Customer needs to link these two
Does not want to provide payment info. to
the merchant
Does not want to provide order info.to the
bank for privacy
How? By dual signing..
Block Diagram of Dual signature
Dual signature Formulation
Customer generates DS by
DS = Eprivate(H(H(PI)||H(OI))
Merchant can verify by checking
H(PIMD||H(OI)) and Dpublic(DS)
Bank can verify by checking
H(H(PI)||OIMD)) and Dpublic(DS)
Credit Card Process: Buyer
Credit Card Process: Seller