B.C.A Study: Requirements of Web Security
What Is Web Security?
Web security is a broad category of security solutions that protect your users, devices, and wider network
against internet-based cyberattacks—malware, phishing, and more—that can lead to breaches and data loss.
Authentication
Authentication ensures that each entity involved in using a Web service—the requestor, the provider, and
the broker (if there is one)—is what it actually claims to be. Authentication involves accepting credentials
from the entity and validating them against an authority.
Authorization
Authorization determines whether the service provider has granted access to the Web service to the
requestor. Basically, authorization confirms the service requestor’s credentials. It determines if the service
requestor is entitled to perform the operation, which can range from invoking the Web service to executing
a certain part of its functionality.
Data Protection
Data protection ensures that the Web service request and response have not been tampered with en route. It
requires securing both data integrity and privacy. It’s worth mentioning that data protection does not
guarantee the message sender’s identity.
Nonrepudiation
Nonrepudiation guarantees that the message sender is the same as the creator of the message. Now that
we have an idea of what constitutes Web service security, we’ll examine the top ten security factors
affecting Web service implementation.
Secure Sockets Layer (SSL) is a protocol that provides secure communication over the Internet. It uses both
symmetric and asymmetric cryptography.
The SSL protocol provides server authentication and client authentication:
Server authentication is performed when a client connects to the server. After the initial handshake, the
server sends its digital certificate to the client. The client validates the server certificate or certificate
chain.
Client authentication is performed when a server sends a certificate request to a client during the
handshake. If the client certificate or chain is verified and the certificate verify message is verified, the
handshake proceeds further.
An optional additional check is performed by comparing the common name in the certificate against the
server’s fully qualified domain name, which can be obtained from a reverse Domain Name System (DNS)
lookup.
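The name check described above, implemented in Python as an added example (not code from the original notes). Modern clients compare the certificate’s subjectAltName DNS entries (falling back to the common name only when no SAN is present) against the host name the client itself intended to reach rather than a reverse-DNS result, because the PTR record belongs to whoever controls the IP address; the certificate dictionaries below are constructed in the format returned by Python’s ssl.SSLSocket.getpeercert().

```python
import ipaddress


def hostname_matches(cert_name: str, expected_fqdn: str) -> bool:
    """True if a single certificate name is valid for expected_fqdn (RFC 6125 practice).

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is allowed only
    as the whole left-most label, matches exactly one label, needs at least two labels
    after it ("*.com" is refused), and is never honoured for IP address literals.
    """
    cert_name = cert_name.lower().rstrip(".")
    expected = expected_fqdn.lower().rstrip(".")
    try:
        ipaddress.ip_address(expected)
        return cert_name == expected  # IP literals must match byte for byte
    except ValueError:
        pass
    c_labels, e_labels = cert_name.split("."), expected.split(".")
    if len(c_labels) != len(e_labels):
        return False  # a wildcard never spans more than one label
    if "*" in cert_name:
        if c_labels[0] != "*" or "*" in cert_name[2:] or len(c_labels) < 3:
            return False  # partial wildcards ("f*.example.com") and "*.com" are rejected
    return all(p == "*" or p == lab for p, lab in zip(c_labels, e_labels))


def names_from_cert(cert: dict) -> list:
    """Collect the DNS names a certificate asserts, SAN first, CN only as a fallback."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for kind, value in rdn if kind == "commonName"]


def check_cert_hostname(cert: dict, expected_fqdn: str) -> bool:
    """The check a client performs after chain validation: does any asserted name cover the host we dialled?"""
    return any(hostname_matches(name, expected_fqdn) for name in names_from_cert(cert))


# Constructed sample certificates (shape of ssl.SSLSocket.getpeercert(), values are made up).
SAN_CERT = {
    "subject": ((("commonName", "ignored.example.net"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com"), ("IP Address", "192.0.2.10")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.com"),),)}
```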
Types of Trust
CA Trust – Hierarchical trust based on a root certificate used to issue other certificates. This is the
standard SSL certificate trust model.
Direct Trust – Direct trust of self-signed certificates assumed to be distributed through secure out-of-
band mechanisms. Direct trust and self-signed certificates are not part of the SSL standards, but are
frequently used in certain trading communities.
To communicate using the SSL protocol, configure the systems involved to support either server
authentication or client/server authentication. To perform authentication against a server, you need a root
Certificate Authority (CA) certificate and the set of intermediate certificates in the chain or, if the server uses
a self-signed certificate, a copy of the self-signed certificate.
To support client/server authentication you need a CA or self-signed certificate and a system certificate.
You can obtain an SSL certificate from a trusted CA by providing a Certificate Signing Request (CSR) to
the CA. The SSL certificate binds the public key and the SSL server or client.
If you plan to use client/server authentication, configure a system certificate. You can create system
certificates in the following ways:
When setting up an SSL client connection to a partner’s SSL server, you must get one of the following
items from your partner:
If the partner is using a self-signed certificate, get the certificate. Check the certificate into the CA table
and you are done.
If the partner is using a CA signed certificate:
1. You must get the root CA certificate or verify that the root CA certificate already exists in the
system.
2. Test the connection.
3. If the connection isn’t successful, get any intermediate certificates in the trust chain and check those
into the CA table.
4. Test the connection.
Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL), is a protocol used by
applications to communicate securely across a network, preventing tampering with and eavesdropping on
email, web browsing, messaging, and other protocols. Both SSL and TLS are client / server protocols that
ensure communication privacy by using cryptographic protocols to provide security over a network.
When a server and client communicate using TLS, it ensures that no third party can eavesdrop or tamper
with any message.
All modern browsers support the TLS protocol, requiring the server to provide a valid digital
certificate confirming its identity in order to establish a secure connection. It is possible for both the client
and server to mutually authenticate each other, if both parties provide their own individual digital
certificates.
Established by the Internet Engineering Task Force (IETF), TLS uses encryption for the client and server to
generate a secure connection between the applications. It begins when users access a secured website by
specifying the TLS encryption method, such as the Advanced Encryption Standard (AES).
It works with two security layers – the TLS record protocol and the TLS handshake protocol. These
protocols use symmetric and asymmetric cryptography methods to secure data transfer and
communications between the clients and web servers.
The TLS handshake protocol, for example, uses asymmetric cryptography to generate public and private
keys that encrypt and decrypt data. Then, the overall process is as follows:
1. The client sends a list of all TLS versions along with suggestions for a cipher suite and generates a
random number that will be used later.
2. The server confirms which options it will use to initiate the connection.
3. The server sends a TLS certificate to the client for the authentication process.
4. After validating the certificate, the client creates and sends a pre-master key encrypted by the server’s
public key and decrypted by the server’s private key.
5. The client and server generate session keys using the previously generated random numbers and the
pre-master key.
6. Both the client and server exchange a Finished message that has been encrypted with a session key.
7. The TLS handshake process is finished, and both the client and server have created secure symmetric
encryption.
Furthermore, the record protocol uses symmetric encryption to generate unique session keys for each
connection during the handshake process. It also adds a hash-based message authentication code (HMAC,
https://www.okta.com/identity-101/hmac) to all data exchanged to verify the data authenticity.
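Handshake step 5 and the record-protocol HMAC worked through in Python, as an added example that is not part of the original notes: the TLS 1.2 pseudo-random function from RFC 5246 turns the pre-master secret and the two randoms into the master secret and the per-direction session keys, and the record MAC covers a sequence number and header so that altered, reordered or replayed records fail verification. The randoms and pre-master secret below are constructed demo values, not output of a real handshake.

```python
import hashlib
import hmac


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_SHA256 data expansion (RFC 5246, section 5)."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()            # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()  # HMAC(secret, A(i) + seed)
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    return p_sha256(secret, label + seed, length)


def master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Step 5: both sides combine the pre-master secret with both randoms into 48 bytes."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def session_keys(master: bytes, client_random: bytes, server_random: bytes,
                 mac_len: int = 32, key_len: int = 16, iv_len: int = 16) -> dict:
    """Key expansion; note the randoms are concatenated in the opposite order to master_secret()."""
    block = prf(master, b"key expansion", server_random + client_random, 2 * (mac_len + key_len + iv_len))
    names = ["client_mac", "server_mac", "client_key", "server_key", "client_iv", "server_iv"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name], pos = block[pos:pos + size], pos + size
    return keys


def record_mac(mac_key: bytes, seq: int, content_type: int, version: bytes, fragment: bytes) -> bytes:
    """Record-protocol MAC over the implicit 8-byte sequence number, the record header and the payload."""
    header = seq.to_bytes(8, "big") + bytes([content_type]) + version + len(fragment).to_bytes(2, "big")
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def verify_record(mac_key: bytes, seq: int, content_type: int, version: bytes, fragment: bytes, tag: bytes) -> bool:
    # Constant-time comparison so the check itself does not leak how many tag bytes matched.
    return hmac.compare_digest(record_mac(mac_key, seq, content_type, version, fragment), tag)


# Constructed demo values: real randoms are 32 unpredictable bytes, the pre-master secret 48 bytes.
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
PRE_MASTER = b"\x03\x03" + bytes(46)
TLS12 = b"\x03\x03"
APPLICATION_DATA = 23
```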
Now, TLS is becoming a standard practice for most modern browsers and other applications, where it
serves three purposes:
Encryption. It hides the data transferred from third parties through encoded information.
Authentication. TLS ensures both parties’ identities are who they claim to be by providing a
certificate.
Integrity. Finally, it verifies that the data transmitted has not been forged or tampered with during the
delivery process.
Since cyber threats can harm any business, ensuring your site’s security should be the top priority. In this
case, a transport layer security protocol offers many benefits, such as:
Preventing eavesdropping and tampering. TLS provides secure internet communications between
a client and a server with a trusted cipher suite. This way, hackers cannot read the data transmitted on
the internet, including online transactions.
Providing data integrity. By supporting authentication code, TLS provides privacy and data
integrity. It ensures that all information will reach its destination without any loss or alteration from
third parties.
Improving search engine optimization (SEO). Website security is a vital Google ranking factor as
they aim to build a safe browsing experience. Therefore, using TLS protocols will give you a
competitive edge, improving your site’s ranking on search engines.
Enhancing customer trust. Using a TLS connection will provide users with a secure web browsing
experience, which will build customer trust in any business. This way, customers will feel more
comfortable providing their data for creating a new account or making online purchases.
Offering granular control. TLS has a robust and reactive alert system to help users identify a
problem. It gives control over what can be transmitted or received in a secure session so that users will
receive notification alerts if there’s any problem, such as the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.
Secure electronic transaction
A secure electronic transaction is a process used to allow the transfer of secure information over the
Internet. Examples include credit card numbers, bank account numbers, government-issued identification
numbers and other data that must be exchanged to complete a financial transaction. It most often is
employed for electronic commerce using credit cards or direct withdrawal of funds from a bank account
and for sensitive activities such as online investing or online management of a bank account. In fact, the
development of secure electronic transactions integrated into a website’s payment system has
made electronic commerce not only possible but in many ways safer and more secure than traditional
financial transactions.
The term “secure electronic transaction” refers specifically to SET, a specific security protocol that makes
use of several layers of encryption to protect sensitive information. In SET, a typical secure electronic
transaction works based on a series of electronic signatures. Merchants, customers and banks all receive
individual digital signatures, often keyed to an individual secure electronic transaction so that each
individual purchase has its own set of encryption keys, and all credit card or bank account numbers are
protected from exposure and potential fraud. This results in a complex but ultimately very secure system.
In order to use SET, both the customer’s browser and the merchant’s server must be SET-enabled.
Providing another layer of security, each transaction uses a dual signature. A set of order information is
sent to the merchant under one signature, and payment information is sent to the customer’s bank under
another signature. Thus the credit card number is not disclosed to the merchant, and the customer’s order
contents are not disclosed to the bank. This system requires the order information and the payment
information to be linked, and it requires use of a digital “wallet,” in which the customer’s information is
stored.
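The dual signature described above, worked through in Python as an added example that is not part of the original notes. The construction is the SET one, a signature over H(H(OI) || H(PI)); because the Python standard library has no public-key signing, HMAC-SHA256 under a shared demo key stands in for the cardholder’s RSA signature (in real SET the merchant and bank verify with the cardholder’s public key). The order and payment messages are constructed sample data.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def dual_signature(order_info: bytes, payment_info: bytes, cardholder_key: bytes) -> bytes:
    """SET dual signature: DS = Sign(H(H(OI) || H(PI))). HMAC is a stand-in for the RSA signature."""
    return hmac.new(cardholder_key, h(h(order_info) + h(payment_info)), hashlib.sha256).digest()


def merchant_verifies(order_info: bytes, payment_digest: bytes, ds: bytes, cardholder_key: bytes) -> bool:
    """The merchant holds OI in clear and only H(PI): it confirms the order is bound to a payment
    instruction without ever seeing the card number."""
    expected = hmac.new(cardholder_key, h(h(order_info) + payment_digest), hashlib.sha256).digest()
    return hmac.compare_digest(expected, ds)


def bank_verifies(payment_info: bytes, order_digest: bytes, ds: bytes, cardholder_key: bytes) -> bool:
    """The bank holds PI in clear and only H(OI): it confirms the payment is bound to an order
    without learning what was bought."""
    expected = hmac.new(cardholder_key, h(order_digest + h(payment_info)), hashlib.sha256).digest()
    return hmac.compare_digest(expected, ds)


# Constructed sample messages (the card number is a well-known test value, not a real account).
OI = b"order=12345;item=textbook;amount=45.00"
PI = b"card=4111111111111111;exp=12/30;amount=45.00"
KEY = b"demo-cardholder-signing-key"
```

The merchant is sent OI, h(PI) and the dual signature; the bank is sent PI, h(OI) and the same dual signature, so neither party can alter its half without the other’s check failing.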