
137ee750f8e2891c6c45ca8c566bcf98.ppt
- Number of slides: 17
ECE-6612 http://www.csc.gatech.edu/copeland/jac/6612/ Prof. John A. Copeland, john. [email protected] gatech. edu, 404 894-5177, fax 404 894-0035. Office: Centergy 5138, VL-w 315; email or call for office visit, or call Kathy Cheek, 404 894-5696. Chapter 7a - Secure Socket Layer (SSL) and Secure Electronic Transactions (SET)
[Figure: protocol-stack diagram. SSL sits inside the application process, above the Transport Layer (TCP, UDP); IPsec sits at the Network Layer (IP). Two hosts on different link layers (Ethernet, Token Ring) are joined by a router that buffers packets needing to be forwarded based on IP address, so IPsec is visible at the router while SSL is end-to-end between the applications.] 2
The combinations are called: HTTPS, SFTP, ESMTP.
- TLS is Transport Layer Security (it is not "IPsec Transport Level Security").
- TLS is used for email (SMTP/TLS, POP/TLS or IMAP/TLS).
- SSL is used for secure Web access (HTTPS).
- Secure Shell, SSH, is Telnet + SSL + other features.
- Secure Copy, SCP, copies files using SSH (no other FTP functions).
3
[Figure: HTTPS = HTTP carried over an SSL-encrypted connection.] HTTPS is HTTP with SSL (Secure Socket Layer). HTTPS uses the default TLS/SSL port, TCP port 443. 4
Fig. 7.3 SSL Record Protocol Operation 5
SSL Handshake - First Part (time runs downward; gray areas are optional in some circumstances). 6
SSL Handshake - Second Part (time runs downward; gray areas are optional in some circumstances). 7
Wireshark* View of HTTPS (TLS = SSL) Connection. *Capture filter: ether host 00:0d:56:fe:2b:af
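The record protocol of Fig. 7.3 and the Wireshark view of the handshake both come down to one byte layout: a 5-byte record header, then a handshake message whose first field is the ClientHello. The following script is an added example, not part of the slides or of Wireshark; the ClientHello bytes, the client random and the small cipher-suite name table are constructed here (field layout per RFC 5246 section 7.4.1.2, no extensions). It builds a minimal ClientHello inside a TLS record, parses it back into the fields a packet analyser displays, and lists any offered suites that a defender would want to see retired.

```python
"""Build and parse a TLS record carrying a ClientHello (added example)."""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
# Hand-picked subset of the IANA cipher-suite registry (constructed table).
CIPHER_NAMES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x1301: "TLS_AES_128_GCM_SHA256",
}
# Suites without forward secrecy / with legacy ciphers: worth flagging in a capture.
LEGACY_SUITES = {0x000A, 0x002F}


def build_client_hello(cipher_suites, client_random=bytes(range(32))):
    """Minimal TLS 1.2 ClientHello wrapped in a record (no extensions)."""
    body = struct.pack("!H", 0x0303) + client_random   # client_version, random
    body += b"\x00"                                     # session_id length 0
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += struct.pack("!H", len(suites)) + suites     # cipher_suites vector
    body += b"\x01\x00"                                 # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    # Record header: content type 22 (handshake), legacy version, body length.
    return b"\x16" + struct.pack("!H", 0x0301) + struct.pack("!H", len(handshake)) + handshake


def parse_record(data):
    """Split off the 5-byte record header; reject truncated records."""
    if len(data) < 5:
        raise ValueError("truncated record header")
    ctype, version, length = struct.unpack("!BHH", data[:5])
    if len(data) < 5 + length:
        raise ValueError("record body shorter than declared length")
    return {"content_type": CONTENT_TYPES.get(ctype, ctype),
            "version": VERSIONS.get(version, hex(version)),
            "length": length,
            "payload": data[5:5 + length]}


def parse_client_hello(payload):
    """Parse the ClientHello body out of a handshake message."""
    htype = payload[0]
    hlen = int.from_bytes(payload[1:4], "big")
    if htype != 1:
        raise ValueError(f"not a ClientHello (handshake type {htype})")
    body = payload[4:4 + hlen]
    if len(body) != hlen:
        raise ValueError("handshake body length mismatch")
    off = 0
    version = struct.unpack_from("!H", body, off)[0]
    off += 2
    client_random = body[off:off + 32]
    off += 32
    sid_len = body[off]
    off += 1
    session_id = body[off:off + sid_len]
    off += sid_len
    cs_len = struct.unpack_from("!H", body, off)[0]
    off += 2
    suites = [struct.unpack_from("!H", body, off + i)[0] for i in range(0, cs_len, 2)]
    off += cs_len
    comp_len = body[off]
    off += 1
    compression = list(body[off:off + comp_len])
    return {"version": VERSIONS.get(version, hex(version)),
            "random": client_random, "session_id": session_id,
            "cipher_suites": suites, "compression": compression}


def legacy_offered(suites):
    """Names of offered suites that are on the legacy list."""
    return [CIPHER_NAMES.get(s, hex(s)) for s in suites if s in LEGACY_SUITES]


if __name__ == "__main__":
    rec = build_client_hello([0x1301, 0xC02B, 0xC02F, 0x000A])
    r = parse_record(rec)
    ch = parse_client_hello(r["payload"])
    print(r["content_type"], r["version"], "record length", r["length"])
    print("ClientHello", ch["version"],
          [CIPHER_NAMES.get(s, hex(s)) for s in ch["cipher_suites"]])
    print("legacy suites offered:", legacy_offered(ch["cipher_suites"]))
```

Note that the record-layer version (TLS 1.0) and the ClientHello's client_version (TLS 1.2) differ, exactly as Wireshark shows for real captures: the record header carries a compatibility value, and the version actually negotiated appears in the ServerHello.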
Programming with SSL [from UNIX "man ssl"]
NAME
SSL - OpenSSL SSL/TLS library
DESCRIPTION
The OpenSSL ssl library implements the Secure Sockets Layer (SSLv2/v3) and Transport Layer Security (TLSv1) protocols. It provides a rich API which is documented here.
At first the library must be initialized; see SSL_library_init(3). [(3) -> use "man 3 ..."] Then an SSL_CTX object is created as a framework to establish TLS/SSL enabled connections (see SSL_CTX_new(3)). Various options regarding certificates, algorithms etc. can be set in this object.
When a network connection has been created, it can be assigned to an SSL object. After the SSL object has been created using SSL_new(3), SSL_set_fd(3) or SSL_set_bio(3) can be used to associate the network connection with the object. Then the TLS/SSL handshake is performed using SSL_accept(3) or SSL_connect(3) respectively. SSL_read(3) and SSL_write(3) are used to read and write data on the TLS/SSL connection. SSL_shutdown(3) can be used to shut down the TLS/SSL connection. 9
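The sequence in the manual excerpt (context, attach connection, handshake, read/write, shutdown) is the same in every SSL/TLS binding. The script below is an added example, not from the slides or the OpenSSL manual; it walks the same steps with Python's standard `ssl` module, whose objects wrap the OpenSSL calls named above (`SSLContext` for SSL_CTX, `wrap_socket` for SSL_new + SSL_set_fd, `do_handshake` for SSL_connect, `sendall`/`recv` for SSL_write/SSL_read, `unwrap` for SSL_shutdown). The function names, the `example.invalid` host and the port are this example's own placeholders. The point it adds to the excerpt is the certificate options a client must set on the context: certificate verification required, hostname checking on, and SSLv3/TLS 1.0/1.1 refused.

```python
"""Client-side TLS following the ssl(3) steps, with Python's ssl module (added example)."""
import socket
import ssl


def make_client_context(cafile=None):
    """SSL_CTX_new plus the options a client needs.

    create_default_context loads the platform trust store; the explicit
    settings below are already its defaults but are restated so the policy
    is visible in the code.
    """
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSLv3, TLS 1.0, TLS 1.1
    ctx.check_hostname = True                      # name in certificate must match host
    ctx.verify_mode = ssl.CERT_REQUIRED            # unverifiable chain -> handshake fails
    return ctx


def describe_context(ctx):
    """Plain-value summary of the policy a context enforces."""
    return {"min_version": int(ctx.minimum_version),
            "check_hostname": bool(ctx.check_hostname),
            "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED}


def https_get(host, port=443, path="/", ctx=None, timeout=10.0):
    """TCP connect, TLS handshake, one HTTP/1.0 request, orderly shutdown.

    Returns (negotiated protocol, cipher suite name, raw response bytes).
    """
    ctx = ctx or make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # wrap_socket ~ SSL_new + SSL_set_fd; server_hostname drives SNI and name checking
        with ctx.wrap_socket(raw, server_hostname=host,
                             do_handshake_on_connect=False) as tls:
            tls.do_handshake()                      # ~ SSL_connect
            cipher_name, protocol, _bits = tls.cipher()
            request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
            tls.sendall(request)                    # ~ SSL_write
            chunks = []
            while True:
                chunk = tls.recv(4096)              # ~ SSL_read; b"" on close_notify/EOF
                if not chunk:
                    break
                chunks.append(chunk)
            try:
                tls.unwrap()                        # ~ SSL_shutdown (send close_notify)
            except (OSError, ssl.SSLError):
                pass                                # peer already closed; nothing to do
            return protocol, cipher_name, b"".join(chunks)


if __name__ == "__main__":
    print(describe_context(make_client_context()))
    try:
        proto, suite, body = https_get("example.invalid")   # placeholder host
        print(proto, suite, body[:80])
    except (OSError, ssl.SSLError) as exc:
        print("connection failed:", exc)
```

A certificate that fails chain or hostname validation surfaces as `ssl.SSLCertVerificationError` from `do_handshake`, which is the behaviour a client should have: the connection is refused rather than downgraded.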
SET (Secure Electronic Transactions)
- Provides a secure communications channel among all the parties involved in a transaction: Customer, Seller, Customer's credit provider, Seller's bank.
- Provides trust by the use of X.509 v3 certificates.
- Ensures privacy because information is only made available to the parties that need it.
* Cardholder account authentication to the Merchant (the Cardholder must have a Certificate issued by the credit company). The Merchant may issue a temporary Certificate to ensure the session is not hijacked.
* Verifies that the Merchant has a business relationship with a financial institution.
* Integrity of data the Customer sends to the Merchant (order info tied to funds transfer).
10
SET - Steps in a Transaction
1. Customer opens an account with a credit (card) company or bank that supports SET.
2. Bank issues an X.509 certificate to the Customer with RSA Public-Private Keys.
3. Merchant has two certificates, one for signing messages and one for key exchange.
4. Customer places an order.
5. The Merchant sends the Customer a copy of his certificate.
6. The Customer sends Order Information (OI) encrypted so the Merchant can read it, and Payment Information (PI) encrypted so the Merchant can not read it.
7. Merchant requests payment by sending PI to the "Payment Gateway" (who can decrypt it), which verifies the Customer's credit is good.
8. Merchant confirms the order to the Customer.
9. Merchant ships goods to the Customer.
10. Merchant sends a request for payment to the Payment Gateway, which handles the transfer of funds.
11
Secure Electronic Transactions (SET) 12
SET - Dual Signature
Dual-Sig = E_cus-private[ H( H(PI) || H(OI) ) ]
The Dual Signature allows proof that:
1. Merchant has received Order Information.
2. Bank has received Payment Information and verified the Customer signature.
3. Customer has linked OI and PI and can prove later that PI was not related to a different purchase.
13
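The three proofs above follow from the shape of the formula: each verifier receives one of the two messages in clear plus only the digest of the other, and both can recompute H( H(PI) || H(OI) ) and check it against the Customer's signature. The script below is an added example, not from the slides or the SET specification. Its `dual_sign`, `merchant_verify` and `bank_verify` functions are this example's own names, and the signer is textbook RSA over two Mersenne primes so that it runs offline without any library; real SET used 1024-bit RSA keys with PKCS#1 padding, so the key here is a stand-in only. PI and OI are constructed sample strings.

```python
"""SET dual signature: Dual-Sig = E_cus-private[ H( H(PI) || H(OI) ) ] (added example)."""
import hashlib

# Toy key: p = 2^89-1, q = 2^107-1 (both Mersenne primes). Far too small and too
# structured for real use; present only so the script is self-contained.
_P = (1 << 89) - 1
_Q = (1 << 107) - 1
N = _P * _Q
E = 65537
D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent (Python 3.8+)


def H(data: bytes) -> bytes:
    """The hash function of the formula (SHA-256 here; SET used SHA-1)."""
    return hashlib.sha256(data).digest()


def _to_int(digest: bytes) -> int:
    # Textbook RSA needs an integer below N. Reducing mod N is a stand-in for
    # the PKCS#1 encoding a real signer would apply.
    return int.from_bytes(digest, "big") % N


def dual_sign(pi: bytes, oi: bytes, d: int = D) -> dict:
    """Customer side: hash PI and OI separately, hash the concatenation, sign it.

    The Merchant gets OI plus PIMD; the Bank gets PI plus OIMD; both get dual_sig.
    """
    pimd, oimd = H(pi), H(oi)
    pomd = H(pimd + oimd)                  # payment-order message digest
    sig = pow(_to_int(pomd), d, N)         # E_cus-private[ pomd ]
    return {"PIMD": pimd, "OIMD": oimd, "dual_sig": sig}


def _check(sig: int, pimd: bytes, oimd: bytes, e: int = E) -> bool:
    """Recompute H(PIMD || OIMD) and compare with the decrypted signature."""
    return pow(sig, e, N) == _to_int(H(pimd + oimd))


def merchant_verify(oi: bytes, pimd: bytes, sig: int) -> bool:
    """Merchant sees OI in clear and only the digest of PI (proof 1)."""
    return _check(sig, pimd, H(oi))


def bank_verify(pi: bytes, oimd: bytes, sig: int) -> bool:
    """Payment gateway sees PI in clear and only the digest of OI (proof 2)."""
    return _check(sig, H(pi), oimd)


if __name__ == "__main__":
    PI = b"card=0000-TEST;exp=12/30;amount=49.99"       # constructed sample
    OI = b"order=1234;item=textbook;qty=1;amount=49.99"  # constructed sample
    s = dual_sign(PI, OI)
    print("merchant accepts:", merchant_verify(OI, s["PIMD"], s["dual_sig"]))
    print("bank accepts:    ", bank_verify(PI, s["OIMD"], s["dual_sig"]))
    # Proof 3: the same PI cannot later be tied to a different order.
    print("other order:     ", merchant_verify(b"order=9999", s["PIMD"], s["dual_sig"]))
```

The last line is proof 3 in action: because OIMD is bound into the signed digest, substituting a different order, or a different PI at the bank, makes the recomputed digest differ and the signature check fail, while neither verifier ever needs the message it is not entitled to see.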
Customer’s Purchase Request 15
Threats to the Net