Lesson#28
SECURE SOCKET LAYER-SSL
SSL is a protocol developed by Netscape Communications. SSL is
built into many browsers. It operates at
the TCP/IP layer of the OSI model, and uses a combination of
symmetric and asymmetric cryptography. If
the word “https” appears in a URL (e.g.,
https://www.microsoft.com) it indicates that the web server
hosting this web site is SSL enabled. So, if a client machine is
configured for SSL then any exchange of
information between such a client and the web server would be in
the encrypted form.
To configure a client machine for SSL, the following steps are
required:
Internet Explorer: Tools menu -> Internet options -> Advanced tab ->
Security (use SSL option can be checked)
SSL Handshake
SSL supports a variety of encryption algorithms and
authentication methods. The combination of algorithms
and methods is called a cipher suite. When a client connects to
an SSL server, the SSL handshake begins,
which means that the two negotiate a cipher suite selecting the
strongest suite the two have in common.
Thus, the handshake establishes the protocols that will be used
during the communication, selects
cryptographic algorithms and authenticates the parties using
digital certificates.
To start the SSL handshake process, a client sends a message to
the server, the server responds and sends its
digital certificate that authenticates its public key. The
client (customer’s browser) generates a secret
symmetric key for the session. The client encrypts the secret
key using the public key that it has just
received and transmits it to the server. The server decrypts the
message using its private key and now has
the secret or symmetric key. Further communication between the
customer’s browser and the merchant’s
server can now be encrypted and decrypted using the secret
session key.
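The exchange described above, as an added example that is not part of the original lesson: a Python sketch in which the client wraps a fresh session key with the server's public key and both sides then use that key for the form data. The RSA numbers are constructed toy values, keystream_xor is a hypothetical stand-in for the negotiated symmetric algorithm, and certificate validation is assumed to have already succeeded.

```python
import hashlib
import secrets

# Constructed toy RSA key pair for the server (two known Mersenne primes).
# Far too small and unpadded for real use; shown only to make the flow visible.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # server's private exponent


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with SHA-256(key || offset) blocks."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def client_key_exchange(server_public: tuple) -> tuple:
    """Client: generate the session key and encrypt it with the public key."""
    n, e = server_public
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return session_key, wrapped


def server_unwrap(wrapped: int) -> bytes:
    """Server: recover the session key with its private key."""
    return pow(wrapped, D, N).to_bytes(16, "big")


def run_handshake(form_data: bytes) -> dict:
    # Client hello, then the server replies with its certificate (public key).
    server_public = (N, E)   # assumed already validated against a trusted CA
    # Client sends the encrypted session key; the server decrypts it.
    client_key, wrapped = client_key_exchange(server_public)
    server_key = server_unwrap(wrapped)
    # Further communication is encrypted under the shared session key.
    on_the_wire = keystream_xor(client_key, form_data)
    return {
        "keys_match": client_key == server_key,
        "on_the_wire": on_the_wire,
        "server_sees": keystream_xor(server_key, on_the_wire),
    }
```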
SSL is commonly applied in online shopping as the customer puts
in his/her credit/debit card information
on the web form for payment purposes. If the web client and the
server are SSL enabled, the SSL
handshake would begin when the client enters the URL starting
with “https”. This handshake can be
accomplished in seconds. The web form opens before the client.
The client enters information in the text
boxes of the form and on pressing ‘submit’ all such information
is automatically encrypted with the agreed
secret or session key. This secured/encrypted information
travels across the internet and is retrieved by the
server side where it is automatically decrypted with the help of
same secret or session key. Even if someone
intercepts the information, he cannot make any sense out of it
because of encryption.
The greatest advantage of SSL is its simplicity. Since SSL is
built into many browsers, no special encryption
software is required either on the client or the server side.
However, a drawback of SSL is that the merchant
can store credit/debit card information after decryption that
can be accessed by unauthorized parties from
the merchant’s database.
The process of SSL handshake is also explained in Fig. 1 below:
Fig. 1
Secure Electronic Transaction (SET)
The drawback in SSL that the credit card/debit card information
remains with the merchant led to the
development of a more sophisticated protocol called SET. It was
developed in 1997 jointly by Visa,
MasterCard, Netscape and Microsoft. There are four entities
involved in a SET transaction – cardholder,
merchant, certification authority and payment gateway. The
role of the payment gateway is to connect
entities on the internet with those which are not on the
internet, such as the electronic network of banks (see
Fig. 2 below). The payment gateway provides the security of data
transmission to/from the acquirer bank.
Merchants must have special SET software to process
transactions. Customers must have digital wallet
software that stores certificates and card information.
[Labels from Fig. 1 (SSL handshake between the SSL Client (browser) and the SSL Server): Client sends “hello” message; Send encryption algorithms and key length; Server responds with “hello” message; Send server certificate containing server’s public key; Client sends response; Send client certificate and encrypted private session key; Server receives client response and initiates session; Session: Send data between client and server using private shared key]
[Figure labels: Payer, Payee, Internet, Debit Card, Payer’s Bank, Acquirer Bank, Automated Clearing House, Certification Authority, Payment Gateway]
Fig. 2
Dual Signature in SET
SET hides customer’s credit card information from merchants and
hides order information from banks to
protect privacy. This scheme is called Dual Signature.
A dual signature is created by combining two message digests and
creating a new digest called Dual
Signature Message Digest (DSMD). Fig. 3 below explains how the
scheme of dual signatures is
implemented in SET.
Parties: Buyer/Bidder, Merchant or Auction house, Acquirer Bank
Step 1a (Buyer/Bidder to Acquirer Bank):
• Encrypted message authorizing payment to the auction house if offer is accepted, but no details about what item is bought
• MD2 and DSMD encrypted with Bidder’s private key
Step 1b (Buyer/Bidder to Merchant or Auction house, Offer for Items):
• Encrypted message includes amount offered on the item, but no account information
• MD1 encrypted with Bidder’s private key
Step 2 (Merchant or Auction house):
• Decrypt message with auction house private key
• Decrypt MD1 with bidder’s public key
• Determine whether to accept bid
Step 3 (Merchant or Auction house to Acquirer Bank):
• Encrypted message that offer is accepted from bidder
• MD1 encrypted with auction house’s private key
Step 4 (Acquirer Bank):
• Decrypt account information with acquirer private key
• Decrypt offer acceptance message with acquirer private key
• Decrypt MD2 and DSMD with bidder’s public key
• Decrypt MD1 from step no. 3 with auction house’s public key
• Concatenate MD1 and MD2
• Recompute dual signature and verify against DSMD sent by bidder
Fig. 3
SET software on the customer side splits the order information
from the account information. MD1 is the message digest obtained
by applying a hash function to the order information. MD2 is the
message digest obtained by applying the hash function to the
account information. MD1 and MD2 are concatenated, and a third
message digest, DSMD, is obtained by again applying the hash
function to the concatenated message digests. The order
information or the offer for items is forwarded to the
merchant/auction house in an encrypted form along with its message
digest (MD1) signed with the private key of the buyer/bidder
(step 1b). The merchant/auction house decrypts the order
information/offer and verifies the signatures of the buyer/bidder
through his/her digital certificate (step 2). If the order/offer
is acceptable to the merchant, then the merchant signs the received
MD1 with the merchant’s private key and sends it to the acquirer
bank along with an encrypted letter of acceptance to the offer
(step 3). On the other hand, the buyer sends the text-based account
information (credit card details) to the acquirer in an encrypted
form. The buyer also sends MD2 (message digest related to account
information) and DSMD to the acquirer bank signed with his/her
private key (step 1a). The acquirer bank decrypts this information.
Mainly, the acquirer bank receives four pieces of information as
follows (step 4):
• MD1 from merchant/auction house related to order information
• Account information in encrypted form from the buyer
• MD2 related to account information from the buyer
• DSMD from the buyer
Acquirer bank concatenates MD1 and MD2 and applies the hash
function to compute a message digest.
Note that if this message digest is the same as the DSMD
received by the acquirer, it ensures that a
particular order information or offer is related to particular
account information. At the same time, we have
achieved our purpose that the order information should not reach
the bank and the account information
(credit card no. etc.) should not reach the merchant/auction
house.
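The digest linkage described above, as an added example that is not part of the original lesson: the buyer builds MD1, MD2 and DSMD, the merchant forwards only MD1, and the acquirer recomputes the dual digest. SHA-256 and all function names are assumptions, the sample order and account strings are constructed, and the encryption and private-key signing of each message are left out so that only the hashing steps are shown.

```python
import hashlib
import hmac


def digest(data: bytes) -> bytes:
    # SHA-256 is an assumption; the lesson only says "hash function".
    return hashlib.sha256(data).digest()


def buyer_prepare(order: bytes, account: bytes) -> dict:
    """Buyer's SET software: split the data and build MD1, MD2 and DSMD."""
    md1, md2 = digest(order), digest(account)
    return {
        # Step 1b: the merchant gets the order and MD1, never the account.
        "to_merchant": {"order": order, "md1": md1},
        # Step 1a: the acquirer gets the account, MD2 and DSMD, never the order.
        "to_acquirer": {"account": account, "md2": md2,
                        "dsmd": digest(md1 + md2)},
    }


def merchant_accept(msg: dict) -> bytes:
    """Steps 2-3: check that MD1 matches the offer, then forward MD1 only."""
    if not hmac.compare_digest(digest(msg["order"]), msg["md1"]):
        raise ValueError("offer does not match MD1")
    return msg["md1"]


def acquirer_verify(md1_from_merchant: bytes, msg: dict) -> bool:
    """Step 4: concatenate MD1 and MD2, re-hash, compare with the buyer's DSMD."""
    # Extra check added here: the account data must match its own digest.
    if not hmac.compare_digest(digest(msg["account"]), msg["md2"]):
        return False
    recomputed = digest(md1_from_merchant + msg["md2"])
    return hmac.compare_digest(recomputed, msg["dsmd"])


def demo() -> dict:
    order = b"offer: 250.00 for lot 17"        # constructed sample data
    account = b"card 0000 0000 0000 0000"      # constructed sample data
    pkg = buyer_prepare(order, account)
    md1 = merchant_accept(pkg["to_merchant"])
    other_md1 = digest(b"offer: 900.00 for lot 17")   # a different offer
    return {
        "genuine": acquirer_verify(md1, pkg["to_acquirer"]),
        "different_offer": acquirer_verify(other_md1, pkg["to_acquirer"]),
        "merchant_fields": sorted(pkg["to_merchant"]),
        "acquirer_fields": sorted(pkg["to_acquirer"]),
    }
```

The "different_offer" case shows why the acquirer's comparison matters: an MD1 that belongs to any other offer no longer hashes to the DSMD the buyer sent.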
SETCo.
SETCo. is a company formed to lead the implementation and
promotion of SET specifications. It ensures
that the vendors of SET software comply with the requirements
laid down by its originators. A merchant
holds a certificate from the card brand indicating that the merchant
is authorized to accept credit card payment.
The customer holds a certificate from the card issuing bank. SETCo.
acts as a root certification authority in
the certification hierarchy (see Fig. 4 below).
[Certification hierarchy: SETCo at the root; Card Issuer Bank -> Customer; Card Brand -> Merchant]
Fig. 4
SSL vs. SET
• SSL only handles secured transmission of credit card no. but SET
is designed to handle the whole
transaction in a secured manner using dual signatures.
• SSL is a general purpose protocol built into the browser,
whereas SET requires software on both
the client and the merchant side.
• SET uses a hierarchy of certificates for authentication.
• SET is complex and distribution of certificates is sometimes not
stable.
• SET increases transaction cost.
• SET transactions are slower than SSL.
• SET uses a payment gateway for secured transmission of
information.
E-Business
An e-business is defined as a company/entity that has an online
presence. E-businesses that have the ability
to sell, trade, barter or transact over the web can be
considered as e-commerce businesses. An e-business
model is defined by a company’s policy, operations, technology
and ideology.
Advantages of E-business
Some of the major advantages of an e-business as compared to a
traditional business are as under:
• Personalized service
• High-quality customer service
• No inventory cost
• Worldwide reach of the business
• Electronic catalogues (convenient and quick transaction)
• Bulk transactions
• Improved supply chain management