300 likes | 647 Views
SSL and E-commerce Security. g z2155 Guangwei Zhang. E-commerce. US e-Commerce and Online Retail sales projected to have reached $204 billion, an increase of 17 percent over 2007. Part of our life now. E-commerce Security Issue. Security issue is the top concern in the e-commerce
E N D
SSL and E-commerce Security gz2155 Guangwei Zhang
E-commerce US e-Commerce and Online Retail sales projected to have reached $204 billion, an increase of 17 percent over 2007 Part of our life now
E-commerce Security Issue • Security issue is the top concern in the e-commerce • Most people tend to fear that the website compromise their personal information. • People may not use e-commerce websites just because of the worry about security and privacy
Three Kinds of Security Threats • Server part • Client part • Network part
Security Issues of Servers • Server install important software and store valuable information. • Firewall is used
Security Issues of Clients • The systems of clients have inherent insecurity. • Virus problem • Trojan problem • fatal to e-commerce
Security Issues of Network • The information transmitted can be viewed by others • The information can be modified during transmission • The two sides of the transaction don’t meet with each other • SSL can solve these problems
SSL Introduction • Secure Sockets Layer • It has another name now, TSL • Transport Layer Security • Cryptographic protocols that provide securities for communications over the network
Cite from "Inside SSL: the secure sockets layer protocol“ by Chou, W
Features of SSL • Application protocol independent • Does not specify the detailed mechanism
Responsibilities of SSL • Authenticate Server • Authenticate Client(Optional) • Encrypt the message sent between the client and the server. • Detect tampering data
Two Sub Protocols • SSL record protocol • Defines the format used to transmit data • SSL handshake protocol • Establish an SSL connection. • Negotiate the encryption mechanism
SSL Record Protocol • When transmitting message, it fragments , compresses and encrypts the data, and transmit it. • When receiving message, it decrypts, verifies, decompress, and reassembles the data, then delivered to the higher level
SSL Handshake Protocol • Change cipher spec protocol • notify the recipient there is transition in ciphering strategies • Alert protocol • warning and fatal • Handshake protocol • How messages are exchanged to establish a SSL connection
SSL and Encryption Chou, W. "Inside SSL: the secure sockets layer protocol"
Comparison of two algorithms Public Key Private Key • asymmetric encryption • public key needn’t to be encrypted • based on mathematical problems that are easier to generate rather than to solve • symmetric encryption • private key needs to be kept secret
History of SSL TLS 1.1 was released in April. 2006 TLS 1.2 was released in August 2008
Other approaches to network securities • Parallel Security Protocol Application-Specific Security Security within Core Protocols
SSL Limitation • Doesn’t protect the IP or TCP headers • Manipulating users, SSL cannot guarantee that the person using the certificate is the person to whom the certificate was issued. • Cannot support UDP protocol • Depend on whether encryption algorithms themselves have weaknesses • Cannot provide an important service called nonrepudiation. (Guarantee that the sender of a message cannot later deny having sent the message and that the recipient cannot deny having received the message. This is part of the digital signature. )