Unit 4

Cryptography

By:-
Bhumika Doshi
Secure Electronic Transaction (SET)
Protocol
• Secure Electronic Transaction or SET is a system that ensures the security and integrity of
electronic transactions done using credit cards in a scenario.
• SET is not some system that enables payment but it is a security protocol applied to those
payments.
• It uses different encryption and hashing techniques to secure payments over the internet done
through credit cards.
• The SET protocol was supported in development by major organizations like Visa, Mastercard,
and Microsoft which provided its Secure Transaction Technology (STT), and Netscape which
provided the technology of Secure Socket Layer (SSL).
• SET protocol restricts the revealing of credit card details to merchants thus keeping hackers and
thieves at bay.
• The SET protocol includes Certification Authorities for making use of standard Digital
Certificates like X.509 Certificate.
Secure Electronic Transaction (SET)
Protocol
Requirements in SET
• It has to provide mutual authentication i.e., customer (or cardholder)
authentication by confirming if the customer is an intended user or
not, and merchant authentication.
• It has to keep the PI (Payment Information) and OI (Order
Information) confidential by appropriate encryptions.
• It has to be resistive against message modifications i.e., no changes
should be allowed in the content being transmitted.
• SET also needs to provide interoperability and make use of the best
security mechanisms.
Participants in SET
1.Cardholder – customer
2.Issuer – customer financial institution
3.Merchant
4.Acquirer – Merchant financial
5.Certificate authority – Authority that follows certain standards and
issues certificates(like X.509V3) to all other participants.
SET functionalities:
• Provide Authentication
• Merchant Authentication – To prevent theft, SET allows customers to check previous
relationships between merchants and financial institutions. Standard X.509V3 certificates
are used for this verification.
• Customer / Cardholder Authentication – SET checks if the use of a credit card is done by
an authorized user or not using X.509V3 certificates.
• Provide Message Confidentiality: Confidentiality refers to preventing unintended
people from reading the message being transferred. SET implements confidentiality
by using encryption techniques. Traditionally DES is used for encryption purposes.
• Provide Message Integrity: SET doesn’t allow message modification with the help
of signatures. Messages are protected against unauthorized modification using RSA
digital signatures with SHA-1 and some using HMAC with SHA-1,
• Dual Signature: The dual signature is a concept introduced with SET, which aims
at connecting two information pieces meant for two different receivers :
• Order Information (OI) for merchant
• Payment Information (PI) for bank
Dual Signature
Purchase Request Generation
• The process of purchase request generation requires three inputs:
• Payment Information (PI)
• Dual Signature
• Order Information Message Digest (OIMD)
Purchase Request Generation
Purchase Request Validation on Merchant
Side:
Payment Authorization and Payment
Capture
• Payment authorization as the name suggests is the authorization of
payment information by the merchant which ensures payment will be
received by the merchant. Payment capture is the process by which a
merchant receives payment which includes again generating some
request blocks to gateway and payment gateway in turn issues
payment to the merchant.
Disadvantages of Secure Electronic
Exchange
• At the point when SET was first presented in 1996 by the SET consortium (Visa,
Mastercard, Microsoft, Verisign, and so forth), being generally taken on inside the
following couple of years was normal. Industry specialists additionally anticipated
that it would immediately turn into the key empowering influence of worldwide
internet business. Notwithstanding, this didn’t exactly occur because of a few
serious weaknesses in the convention.
• The security properties of SET are better than SSL and the more current TLS,
especially in their capacity to forestall web based business extortion. Be that as it
may, the greatest downside of SET is its intricacy. SET requires the two clients and
traders to introduce extraordinary programming – – card perusers and advanced
wallets – – implying that exchange members needed to finish more jobs to carry
out SET. This intricacy likewise dialed back the speed of web based business
exchanges. SSL and TLS don’t have such issues.
Secure Socket Layer (SSL)

• Secure Socket Layer (SSL) provides security to the data that is

transferred between web browser and server. SSL encrypts the link
between a web server and a browser which ensures that all data passed
between them remain private and free from attack.

Secure Socket Layer Protocols:

• SSL record protocol
• Handshake protocol
• Change-cipher spec protocol
• Alert protocol
SSL Record Protocol

• SSL Record provides two services to SSL connection.

• Confidentiality
• Message Integrity
• In the SSL Record Protocol application data is divided into fragments.
The fragment is compressed and then encrypted MAC (Message
Authentication Code) generated by algorithms like SHA (Secure Hash
Protocol) and MD5 (Message Digest) is appended.
• After that encryption of the data is done and in last SSL header is
appended to the data.
Handshake Protocol
• Handshake Protocol is used to establish sessions. This protocol allows the client and
server to authenticate each other by sending a series of messages to each other.
Handshake protocol uses four phases to complete its cycle.
• Phase-1: In Phase-1 both Client and Server send hello-packets to each other. In this
IP session, cipher suite and protocol version are exchanged for security purposes.
• Phase-2: Server sends his certificate and Server-key-exchange. The server end phase-
2 by sending the Server-hello-end packet.
• Phase-3: In this phase, Client replies to the server by sending his certificate and
Client-exchange-key.
• Phase-4: In Phase-4 Change-cipher suite occurs and after this the Handshake Protocol
ends.
Handshake Protocol
Salient Features of Secure Socket Layer

• The advantage of this approach is that the service can be tailored to the
specific needs of the given application.
• Secure Socket Layer was originated by Netscape.
• SSL is designed to make use of TCP to provide reliable end-to-end
secure service.
• This is a two-layered protocol.
Characteristics of Secure Socket Layer
• SSL (Secure Sockets Layer) certificate is a digital certificate used to secure and verify the identity of a website or an online service. The
certificate is issued by a trusted third-party called a Certificate Authority (CA), who verifies the identity of the website or service before
issuing the certificate.
• The SSL certificate has several important characteristics that make it a reliable solution for securing online transactions:
1. Encryption: The SSL certificate uses encryption algorithms to secure the communication between the website or service and its users.
This ensures that the sensitive information, such as login credentials and credit card information, is protected from being intercepted and
read by unauthorized parties.
2. Authentication: The SSL certificate verifies the identity of the website or service, ensuring that users are communicating with the
intended party and not with an impostor. This provides assurance to users that their information is being transmitted to a trusted entity.
3. Integrity: The SSL certificate uses message authentication codes (MACs) to detect any tampering with the data during transmission.
This ensures that the data being transmitted is not modified in any way, preserving its integrity.
4. Non-repudiation: SSL certificates provide non-repudiation of data, meaning that the recipient of the data cannot deny having received
it. This is important in situations where the authenticity of the information needs to be established, such as in e-commerce transactions.
5. Public-key cryptography: SSL certificates use public-key cryptography for secure key exchange between the client and server. This
allows the client and server to securely exchange encryption keys, ensuring that the encrypted information can only be decrypted by the
intended recipient.
6. Session management: SSL certificates allow for the management of secure sessions, allowing for the resumption of secure sessions
after interruption. This helps to reduce the overhead of establishing a new secure connection each time a user accesses a website or
service.
7. Certificates issued by trusted CAs: SSL certificates are issued by trusted CAs, who are responsible for verifying the identity of the
website or service before issuing the certificate. This provides a high level of trust and assurance to users that the website or service they
are communicating with is authentic and trustworthy
S.No. WEP WPA
01. WEP stands for Wired Equivalent Privacy. WPA stands for Wi-Fi Protected Access.

It is a security protocol for wireless networks which It is a security protocol which is used in securing
02. provides data confidentiality comparable to a wireless networks and designed to replace the WEP
traditional wired network. protocol.

03. Wired Equivalent Privacy (WEP) was introduced in Wi-Fi Protected Access (WPA) was developed by the
1999 means before WPA. Wi-Fi Alliance in 2003 means after WEP.

04. It provides wireless security through the use of an It provides wireless security through the use of a
encryption key. password.

05. Data Privacy (Encryption) method is Rivest Cipher 4 Data Privacy (Encryption) method is Rivest Cipher 4
(RC4). (RC4) and Temporal Key Integrity Protocol (TKIP).

06. Authentication method in WEP is Open system Authentication method in WPA is WPA-PSK and
authentication or shared key authentication. WPA-Enterprise.

07. Data integrity is provided through CRC 32. Data integrity is provided through Message integrity
code.

08. It uses 40 bit key and 24 bit random number. WPA key is 256 bit key.

09. Key management is not provided in WEP. Key management is provided through 4 way
handshaking mechanism.

10. In WEP no protection against reply attacks. In WPA sequence counter is implemented for reply
protection.

11. It is possible to deploy on current hardware It is possible to deploy on both previous and current
infrastructure. hardware infrastructure.
IPSec{Internet Protocol Security}
• What is IPSec?
• IPSec is a set of communication rules or protocols for setting up
secure connections over a network. Internet Protocol (IP) is the
common standard that determines how data travels over the internet.
IPSec adds encryption and authentication to make the protocol more
secure. For example, it scrambles the data at its source and
unscrambles it at its destination. It also authenticates the source of the
data.
What are the uses of IPSec?

• Provide router security when sending data across the public internet.
• Encrypt application data.
• Authenticate data quickly if the data originates from a known sender.
• Protect network data by setting up encrypted circuits, called IPsec
tunnels, that encrypt all data sent between two endpoints.
• Organizations use IPSec to protect against replay attacks. A replay
attack, or man-in-the-middle attack, is an act of intercepting and
altering ongoing transmission by routing data to an intermediary
computer. IPSec protocol assigns a sequential number to each data
packet and performs checks to detect signs of duplicate packets.
What is IPSec encryption?

• IPSec encryption is a software function that scrambles data to protect its

content from unauthorized parties. Data is encrypted by an encryption
key, and a decryption key is needed to unscramble the information.
IPSec supports various types of encryptions, including AES, Blowfish,
Triple DES, ChaCha, and DES-CBC.
• IPSec uses asymmetric and symmetric encryption to provide speed and
security during data transfer. In asymmetric encryption, the encryption
key is made public while the decryption key is kept private. Symmetric
encryption uses the same public key for encrypting and decrypting data.
IPSec establishes a secure connection with asymmetric encryption and
switches to symmetric encryption to speed up data transfer.
How does IPSec work?

• Computers exchange data with the IPSec protocol through the following steps.
1.The sender computer determines if the data transmission requires IPSec
protection by verifying against its security policy. If it does, the computer
initiates secure IPSec transmission with the recipient computer.
2.Both computers negotiate the requirements to establish a secure connection.
This includes mutually agreeing on the encryption, authentication, and other
security association (SA) parameters.
3.The computer sends and receives encrypted data, validating that it came from
trusted sources. It performs checks to ensure the underlying content is reliable.
4.Once the transmission is complete or the session has timed out, the computer
ends the IPSec connection.
What are the IPSec protocols?
• IPSec protocols send data packets securely. A data packet is a specific structure that formats and prepares
information for network transmission. It consists of a header, payload, and trailer.
• A header is a preceding section that contains instructional information for routing the data packet to the correct
destination.
• Payload is a term that describes the actual information contained within a data packet.
• The trailer is additional data appended to the tail of the payload to indicate the end of the data packet.
• Some IPSec protocols are given below.
• Authentication header (AH)
• The authentication header (AH) protocol adds a header that contains sender authentication data and protects the
packet contents from modification by unauthorized parties. It alerts the recipient of possible manipulations of the
original data packet. When receiving the data packet, the computer compares the cryptographic hash calculation
from the payload with the header to ensure both values match. A cryptographic hash is a mathematical function
that summarizes data into a unique value.
• Encapsulating security payload (ESP)
• Depending on the selected IPSec mode, the encapsulating security payload (ESP) protocol performs encryption on
the entire IP packet or only the payload. ESP adds a header and trailer to the data packet upon encryption.
• Internet key exchange (IKE)
• Internet key exchange (IKE) is a protocol that establishes a secure connection between two devices on the internet.
Both devices set up security association (SA), which involves negotiating encryption keys and algorithms to
What are IPSec modes?

• IPSec operates in two different modes with different degrees of protection.

• Tunnel
• The IPSec tunnel mode is suitable for transferring data on public networks as
it enhances data protection from unauthorized parties. The computer encrypts
all data, including the payload and header, and appends a new header to it.
• Transport
• IPSec transport mode encrypts only the data packet's payload and leaves the IP
header in its original form. The unencrypted packet header allows routers to
identify the destination address of each data packet. Therefore, IPSec transport
is used in a close and trusted network, such as securing a direct connection
between two computers.
IPSEC Protocol Suite – IKE PHASE 1
• IPsec - IKE Phase 1 | IKE Phase 2