Secure Socket Layer (SSL)


Secure Socket Layer (SSL) is a security protocol that was developed by Netscape Communications Corporation, along with RSA Data Security, Inc. The primary goal of the SSL protocol is to provide a private channel between communicating applications, which ensures privacy of data, authentication of the partners, and integrity. SSL technology was used for websites and web applications that need more security.


Figure: SSL handshake protocol with two-way authentication with certificates. (Photo credit: Wikipedia)

 

Secure Socket Layer (SSL) is composed of two layers:


  • At the lower layer, a protocol for transferring data using a variety of predefined cipher and authentication combinations, called the SSL Record Protocol.
  • On the upper layer, a protocol for initial authentication and transfer of encryption keys, called the SSL Handshake Protocol.

An SSL session is initiated as follows:


  • On the client (browser), the user requests a document with a special URL that starts with https: instead of http:, either by typing it into the URL input field or by clicking a link. For example, the major search engines like Google, Yahoo and Bing and other money-transaction websites use Secure Socket Layer (SSL). Client computers that do not have the Secure Socket Layer (SSL) certificates installed are unable to browse those sites.
  • The client code recognizes the SSL request and establishes a connection through TCP port 443 to the SSL code on the server.
  • The client then initiates the SSL handshake phase, using the SSL Record Protocol as a carrier. At this point, there is no encryption or integrity checking built into the connection.

The Secure Socket Layer (SSL) Protocol addresses the following security issues:


  • Privacy: After the symmetric key is established in the initial handshake, the messages are encrypted using this key.
  • Integrity: Messages contain a message authentication code (MAC) ensuring the message integrity.
  • Authentication: During the handshake, the client authenticates the server using an asymmetric or public key. It can also be based on certificates. SSL requires that each message is encrypted and decrypted and therefore has a high performance and resource cost.

Secure Socket Layer (SSL) Protocol


The SSL protocol is located at the top of the transport layer. SSL is also a layered protocol itself. It simply takes the data from the application layer, re-formats it, and transmits it to the transport layer. SSL handles a message as follows.

The sender performs the following tasks:

  • Takes the message from upper layer.
  • Fragments the data to manageable blocks.
  • Optionally compresses the data.
  • Applies a message authentication code (MAC).
  • Encrypts the data.
  • Transmits the result to the lower layer.

The receiver performs the following tasks:


  • Takes the data from lower layer.
  • Decrypts.
  • Verifies the data with the negotiated MAC key.
  • Decompresses the data if compression was used.
  • Reassembles the message.
  • Transmits the message to the upper layer.
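The sender and receiver steps above, carried through as an added example (not code from the original post). The keys, the one-byte compression flag and the XOR keystream that stands in for the negotiated symmetric cipher are assumptions chosen so that the sketch runs with the Python standard library alone.

```python
import hashlib
import hmac
import struct
import zlib

MAX_FRAGMENT = 2 ** 14          # a record carries at most 16384 plaintext bytes
MAC_LEN = hashlib.sha256().digest_size


def _cipher(key, seq, data):
    """Stand-in for the negotiated symmetric cipher (assumption of this example):
    XOR with an HMAC-SHA256 counter keystream. Decryption is the same call."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, struct.pack(">QQ", seq, off), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def _mac(mac_key, seq, flag, body):
    # The MAC covers the record sequence number, so reordered or replayed
    # records fail verification as well as modified ones.
    header = struct.pack(">QBI", seq, flag, len(body))
    return hmac.new(mac_key, header + body, hashlib.sha256).digest()


def send(message, enc_key, mac_key, compress=False):
    """Sender side: fragment, optionally compress, apply MAC, encrypt."""
    records = []
    for seq, off in enumerate(range(0, len(message), MAX_FRAGMENT)):
        body = message[off:off + MAX_FRAGMENT]
        if compress:
            body = zlib.compress(body)
        tag = _mac(mac_key, seq, int(compress), body)
        records.append(bytes([int(compress)]) + _cipher(enc_key, seq, body + tag))
    return records


def receive(records, enc_key, mac_key):
    """Receiver side: decrypt, verify MAC, decompress, reassemble."""
    parts = []
    for seq, record in enumerate(records):
        flag, plain = record[0], _cipher(enc_key, seq, record[1:])
        if len(plain) < MAC_LEN:
            raise ValueError(f"record {seq}: too short to hold a MAC")
        body, tag = plain[:-MAC_LEN], plain[-MAC_LEN:]
        # Verify before decompressing: unauthenticated bytes never reach zlib.
        if not hmac.compare_digest(tag, _mac(mac_key, seq, flag, body)):
            raise ValueError(f"record {seq}: MAC check failed")
        parts.append(zlib.decompress(body) if flag else body)
    return b"".join(parts)


def rejected(records, enc_key, mac_key):
    """True when the receiver refuses the record stream."""
    try:
        receive(records, enc_key, mac_key)
    except ValueError:
        return True
    return False


# Constructed sample input: 51200 bytes, which spans four records.
ENC_KEY, MAC_KEY = b"E" * 32, b"M" * 32
SAMPLE = bytes(range(256)) * 200
```

A record whose ciphertext is altered in transit, or that arrives out of order, is rejected at the MAC step rather than handed to the upper layer.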


An SSL session works in different states. These are the session and connection states. The SSL handshake protocol coordinates the states of the client and the server. In addition, there are read and write states defined to coordinate the encryption according to the Change Cipher Spec messages.


Change Cipher Spec Protocol


The Change Cipher Spec protocol is responsible for sending Change Cipher Spec messages. At any time, the client can request to change current cryptographic parameters such as the handshake key exchange. Following the Change Cipher Spec notification, the client sends a handshake key exchange and, if available, certificate verify messages, and the server sends a Change Cipher Spec message after processing the key exchange message. After that, the newly agreed keys will be used until the next Change Cipher Spec request. The Change Cipher Spec message is sent after the hello messages during the negotiation.


SSL handshake protocol


The SSL handshake protocol allows the client and server to determine the required parameters for an SSL connection, such as protocol version, cryptographic algorithms, optional client or server authentication, and public key encryption methods to generate shared secrets. During this process, all handshake messages are forwarded to the SSL record layer to be encapsulated into special SSL messages. The figure below illustrates an SSL handshake process.






SSL record protocol


After the master key has been determined, the client and server can use it to encrypt application data. The SSL record protocol specifies a format for these messages. In general, they include a message digest to ensure that they have not been altered, and the whole message is encrypted using a symmetric cipher.



Other Internet security methods are Transport Layer Security (TLS), Pretty Good Privacy (PGP) and firewalls. I will post about them later. Keep following this blog.




Internet Security & IP Security (IPSec)


Figure: Encapsulating one IP packet in another IP packet (Photo credit: Wikipedia)
Internet security is the securing of web servers and clients (browsers) against possible attacks over wide area networks or the Internet. Internet security is a type of computer security or network security. It mainly includes specific security protocols such as IPSec (IP Security) and SSL (Secure Socket Layer) or TLS (Transport Layer Security). Internet security also covers PGP (Pretty Good Privacy), which is designed to create authenticated and confidential e-mails, as well as firewalls and antivirus programs.


# IP Security (IPSec)


IP Security (IPSec) is a collection of protocols designed by the Internet Engineering Task Force (IETF) to provide security for a packet at the network level. It helps to create authenticated and confidential packets for the IP layer. IPSec operates in one of the following two modes.


i) Transport Mode


In this mode, IPSec protects what is delivered from the transport layer to the network layer. i.e. the transport mode protects the network layer payload, the payload to be encapsulated in the network layer. This mode does not protect the IP header, i.e. it protects only the packet from the transport layer. In this mode, the IPSec header and trailer are added to the information coming from the transport layer. The IP header is added later. This mode is normally used when we need host-to-host protection of data. The sending host uses IPSec to authenticate and / or encrypt the payload delivered from the transport layer. The receiving host uses IPSec to check the authentication and / or decrypt the IP Packet and deliver it to the transport layer.


ii) Tunnel Mode

 




Tunneling or encapsulation is a common technique in packet-switched networks. It consists of wrapping a packet in a new one. That is, a new header is attached to the original packet. The entire original packet becomes the payload of the new one, as shown in the figure. In this mode, IPSec protects the entire IP packet. It takes an IP packet including the header, applies IPSec security methods to the entire packet, and then adds a new IP header. The new IP header has different information than the original IP header.

In general, tunneling is used to carry traffic of one protocol over a network that does not support that protocol directly. For example, NetBIOS or IPX can be encapsulated in IP to carry it over a TCP/IP WAN link. In the case of IPSec, IP is tunneled through IP for a slightly different purpose: to provide total protection, including the header of the encapsulated packet. Tunneling requires intermediate processing of the original packet while en route. The destination specified in the outer header, usually an IPSec firewall or router, receives the tunneled packet, extracts the original packet, and sends it to the ultimate destination. The processing cost is compensated by the extra security. A notable advantage of IP tunneling is the possibility to exchange packets with private IP addresses between two intranets over the public Internet, which requires globally unique addresses.


The IPsec framework has three main components: Authentication Header (AH), Encapsulating Security Payload (ESP) and Internet Key Exchange (IKE).


Authentication Header (AH)


AH is used to provide integrity and authentication of IP datagrams. Replay protection is also possible. Although its usage is optional, the replay protection service must be implemented by any IPsec-compliant system. The services are connectionless; they work on a per-packet basis. AH is used in two modes, transport mode and tunnel mode.


Encapsulating Security Payload (ESP)

 

Figure: IP packet with IPsec ESP (Photo credit: Wikipedia)
ESP is used to provide integrity check, authentication and encryption to IP datagrams. Optional replay protection is also possible. These services are connectionless, in that they operate on a per-packet basis. Encryption can be selected independently of other services. It is highly recommended that, if encryption is enabled, integrity check and authentication be turned on. Like AH, ESP can be used in two ways: Transport mode and tunnel mode.
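Transport mode and tunnel mode side by side, as an added example that is not part of the original post: it builds the ESP layout for both modes and checks which bytes the integrity check covers. The addresses, SPI, key and payload are constructed, and encryption is left out (NULL cipher) so the packet layout stays readable; the integrity check value is HMAC-SHA-256 truncated to 128 bits.

```python
import hashlib
import hmac
import socket
import struct

ESP, TCP, IPIP = 50, 6, 4   # IP protocol numbers: ESP, TCP, IPv4-in-IPv4
ICV_LEN = 16                # HMAC-SHA-256 truncated to 128 bits
IP_FMT = ">BBHHHBBH4s4s"    # 20-byte IPv4 header without options


def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal IPv4 header with a valid header checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    total = sum(struct.unpack(">10H", struct.pack(IP_FMT, *fields)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    fields[7] = ~total & 0xFFFF
    return struct.pack(IP_FMT, *fields)


def esp_wrap(spi, seq, protected, next_header, auth_key):
    """ESP header (SPI, sequence number) + payload + trailer + ICV."""
    pad_len = -(len(protected) + 2) % 4          # align trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    covered = struct.pack(">II", spi, seq) + protected + trailer
    icv = hmac.new(auth_key, covered, hashlib.sha256).digest()[:ICV_LEN]
    return covered + icv


def transport_mode(packet, spi, seq, key):
    """Protect only the transport-layer payload; keep the original addresses."""
    hdr, payload = packet[:20], packet[20:]
    esp = esp_wrap(spi, seq, payload, hdr[9], key)
    src, dst = socket.inet_ntoa(hdr[12:16]), socket.inet_ntoa(hdr[16:20])
    return ipv4_header(src, dst, ESP, len(esp)) + esp


def tunnel_mode(packet, spi, seq, key, gw_src, gw_dst):
    """Protect the whole original packet; add a new header between gateways."""
    esp = esp_wrap(spi, seq, packet, IPIP, key)
    return ipv4_header(gw_src, gw_dst, ESP, len(esp)) + esp


def esp_verify(packet, key):
    """Check the ICV and return (next_header, protected_bytes)."""
    esp = packet[20:]
    covered, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expect = hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expect):
        raise ValueError("ESP integrity check failed")
    pad_len, next_header = covered[-2], covered[-1]
    return next_header, covered[8:len(covered) - 2 - pad_len]


def flip_byte(packet, offset):
    """Return a copy of the packet with one byte altered (simulated tampering)."""
    return packet[:offset] + bytes([packet[offset] ^ 0xFF]) + packet[offset + 1:]


# Constructed sample: a packet between two private (intranet) addresses.
KEY = b"constructed-auth-key-32-bytes!!!"
SEGMENT = b"constructed TCP segment"
INNER = ipv4_header("10.0.1.5", "10.0.2.9", TCP, len(SEGMENT)) + SEGMENT
```

In transport mode a change to the outer IP header (for example the TTL byte) still passes `esp_verify`, because ESP does not cover that header; in tunnel mode the original header sits inside the protected bytes, so changing it fails the check.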


Internet Key Exchange Protocol (IKE)


The Internet Key Exchange (IKE) framework, previously referred to as ISAKMP/Oakley, supports automated negotiation of security associations, and automated generation and refresh of cryptographic keys. The ability to perform these functions with little or no manual configuration of machines is a critical element of any enterprise-scale IPsec deployment. Internet Security Association and Key Management Protocol (ISAKMP) is a framework that defines the management of security associations (negotiate, modify, delete) and keys, and it also defines the payloads for exchanging key generation and authentication data. Internet Key Exchange (IKE) is a protocol that uses parts of ISAKMP and the Oakley and SKEME key exchange protocols to provide management of keys and security associations for the IPsec AH and ESP protocols and ISAKMP itself.



Solved MCQ of System Analysis and Design Set-2



Q.1 ………… is a sort of blueprint of the system Development Effort.
A) MDP
B) DMP
C) MPD
D) DPM

Q. 2 Data store in a DFD represents.
A) a sequential file
B) a disk store
C) a repository of data
D) a random access memory


Q.3 …………… system consists of programs, data files and documentation
A) Conceptual
B) Logical
C) Physical
D) None of the above

Q.4 …………… is a good example of deterministic system.
A) Life cycle
B) Computer Program
C) Software Program
D) None of the above

Q.5 The main ingredient of the report documenting the ……………… is the cost benefit analysis.
A) System Analysis
B) Feasibility Study
C) System Analyst
D) System Design

Q.6  A data flow can
A) Only enter a data store
B) Only leave a data store
C) Enter or leave a data Store
D) Either enter or leave a data store but not both

Q.7  Changing the relationship with and services provided to customers in such a way that they will not think of changing suppliers is called ………….
A) Lock in customers
B) Lock out customers
C) Lock in competitors
D) Lock out competitors

Q.8  …………… can be defined as data that has been processed into a form that is meaningful to the recipient and is of real or perceived value in current or prospective decisions.
A) Information
B) Data collection
C) Internal data
D) Sample data

Q.9  Increased volume of sales is an example of ………….…. Benefit. Reduction of bad debts is an example of ………..
A) Tangible, Intangible
B) Tangible, Tangible
C) Intangible, Tangible
D) Intangible, Intangible

Q.10  A data cannot flow between a store and
i) a store              ii) a process        iii) an external entity

A) i and iii
B) i and ii
C) ii and iii
D) ii

Answers:
1.       A) MDP
2.       C) a repository of data
3.       C) Physical
4.       B) Computer Program
5.       B) Feasibility Study

6.       C) Enter or leave a data Store
7.       A) Lock in customers
8.       A) Information
9.       D) Intangible, Intangible
10.   A) i and iii

Solved MCQ of System Analysis and Design Set-1


Q. 1 …………………………. is an important factor of management information system.
A) System
B) Data
C) Process
D) All

Q.2  Which of the following is / are the level(s) of documentation?
A) Documentation for management
B) Documentation for user
C) Documentation for data processing department
D) All of the above


Q.3 ………………………….. level supply information to strategic tier for the use of top management.
A) Operational
B) Environmental
C) Competitive
D) Tactical

Q.4  In a DFD external entities are represented by a
A) Rectangle
B) Ellipse
C) Diamond shaped box
D) Circle

Q.5  …………… can be defined as data that has been processed into a form that is meaningful to the recipient and is of real or perceived value in current or prospective decisions.
A) System
B) Information
C) Technology
D) Service

Q.6 Use the new system at the same time as the old system to compare the results. This is known as ……
A) Procedure Writing
B) Simultaneous processing
C) Parallel Operation
D) File Conversion

Q.7 Decision making model was proposed by ………………….
A) Harry Goode
B) Herbert A Simon
C) Recon Michal
D) None of this

Q.8 A data flow can
A) Only emanate from an external entity
B) Only terminate in an external entity
C) May emanate and terminate in an external entity
D) May either emanate or terminate in an external entity but not both

Q. 9 …………… can be defined as most recent and perhaps the most comprehensive technique for solving computer problems.
A) System Analysis
B) System Data
C) System Procedure
D) System Record

Q.10 SDLC stands for
A) System Development Life Cycle
B) Structure Design Life Cycle
C) System Design Life Cycle
D) Structure development Life Cycle



Answers:
1.       A) System
2.       D) All of the above
3.       D) Tactical
4.       A) Rectangle
5.       B) Information

6.       C) Parallel Operation
7.       B) Herbert A Simon
8.       C) May emanate and ………entity
9.       A) System Analysis
10.   A) System Development Life Cycle

Relational Database Management System (RDBMS)


A relational database management system (RDBMS) is a database management system (DBMS) that is based on the relational model. The items of information stored in the database are related to each other, so that information can be imported and exported between them. The RDBMS acts as an interface between the user and the data. It ensures that the data is kept in a compact and consistent format, and allows the user to ask a wide range of questions about the data. A DBMS can be described by the view of the data it presents to the user.

 Key terms used in RDBMS
Query: A query is a small command or program given to a database system instructing it how to manipulate some data from a database.

Example: SELECT * FROM tbl_std;

Relation: A relational database consists of a set of two-dimensional tables termed relations. All the data in the database is contained entirely within such tables. Each relation in the database has a unique name so that it can be identified.

Example: An example of relation is shown here. It relates the names of the students and the marks obtained by them.

Students name   Mathematics   Science
Jems            88            67
Nikki           68            69
Ram             82            87


Domain: A column of data from such a relation is called a domain. Thus a domain represents a "vertical slice" of a relation. Each domain in a relation has a unique name. A domain is constrained to hold one particular type of data.
Example: Using example of the above relation, the domain Mathematics is shown here.

Mathematics
88
68
82

Attribute: An attribute refers to a property of a particular domain, for instance its name. Another attribute is the type of data stored within that domain.

Example: In the above example of domain, the name of domain “Mathematics” and the data type i.e. “integer” is the attribute of that domain.

Tuple: A single row from a relation is termed a tuple. A tuple represents a "horizontal slice" of a relation.

Example: An example of single tuple from the above relation is shown below.

Students name   Mathematics   Science
Jems            88            67


Field: A single atomic item of data is termed a field. A field is represented by the intersection of a specific tuple with a specific domain.

Example: An example of single field from the above relation is shown below.

Jems

Schema: A schema defines the structure of a relation, which consists of a fixed set of attribute-domain pairs.

Instance: An instance of a relation is a time varying set of tuples where each tuple consists of attribute value pairs.

Candidate Key: A candidate key is a set of attributes that forms a super key but no proper subset of which is a super key.

Primary Key: A primary key is a candidate key chosen by database designer to identify tuples in a relation.


Data model and Relational Database Model



A data model

The data model is used to represent real facts of the application. An application may contain many facts; however, one has to focus only on the important facts and ignore the others. For example, in the case of a student details application, the student name, roll no. and address have to be described; however, a student may also have other facts, like father's name etc., which may not be relevant. Some of the salient features that a model must have are listed below.
  • A data model mainly describes the data which gets stored and processed in a given situation.
  • A data model may describe data at various levels, and the description may be at the logical / physical levels or from the point of view of the user.
  • A data model proposes a set of concepts for describing the nature of data and the inter-relationships between them, along with the syntax.
  • A model should have a minimum of concepts, which are close to the real world, so that the user can understand the model and verify it.
  • The model should provide primitives by which the meaning of data can be captured. The meaning includes the type of values data items take, their inter-relation to higher-level entities, and the correctness requirements for them.

Relational Database Model

             Insertion anomalies and redundant data are problems associated with an early database model known as a hierarchical table (parent-child table). Network database (owner-member table) models were problematic as well. These two models led to the development of the relational database model.

The relational model for database management is a database model based on first-order predicate logic (mathematical theories applied by Dr. E. F. Codd). A database model organized in terms of the relational model is a relational database model (RDM).

In an RDM, data are stored in a relation or table (those terms may be used interchangeably). Each table contains rows or records (also called tuples), and columns which represent attributes or fields. Each record or row is represented by a unique field known as the primary key. The categories of relationships in an RDM are one-to-one, one-to-many, and many-to-many. A many-to-many relationship must be broken down into numerous one-to-many relationships. If a pair of tables share a relationship, data can be retrieved based on matching values of a shared field between the tables. Data is retrieved by specifying fields and tables using a standard query language known as Structured Query Language (SQL). Most DBMSs (Database Management Systems) use SQL to build, modify, maintain and manipulate databases. Thorough knowledge of SQL isn't always necessary, since most DBMSs use a graphical interface to generate SQL statements and retrieve data. It is good, however, to have basic knowledge of SQL.



Database Management System (DBMS)



Data: Data is a raw fact, figure or entity. When activities in the organization take place, the effects of these activities need to be recorded; this record is known as data.

          For example, the raw material to be purchased may have many facts like type of raw material, vendor name, address, quantity etc. Likewise Organization will have many transactions and entities which are to be recorded.

Information: Processed data is called information.

A database management system (DBMS) is a collection of programs that enables users to create and maintain a database. In other words, the systematic organization of data is called a database.

The DBMS is hence a general-purpose software system that facilitates the process of defining, constructing and manipulating databases for various applications.
  • Defining a database involves specifying the data types, structures and constraints for the data to be stored in the database.
  • Constructing the database is the process of storing the data itself on some storage medium that is controlled by the DBMS.
  • Manipulating a database includes such functions as querying the database to retrieve specific data, updating the database to reflect changes, and generating reports from the data.

DBMS Characteristics

The data processing system should have some characteristics to produce the information. Some of the requirements are listed below.
  •  To incorporate the requirements of the organization, system should be designed for easy maintenance.
  •    Information systems should allow interactive access to data to obtain new information without writing fresh programs.
  •  System should be designed to co-relate different data to meet new requirements.
  •  Data should be stored with minimum redundancy to ensure consistency in stored data across different applications.
  •  An independent central repository, which gives information and meaning of available data, is required.
  •    An integrated database helps in understanding the inter-relationships between data stored in different applications.
  •  The stored data should be made available for access by different users simultaneously.
  •  Automatic recovery feature has to be provided to overcome the problems with processing system failure.


Advantage of using a DBMS

The following are the advantages of using DBMS.
1.       Controlling redundancy
2.       Restricting unauthorized access.
3.       Providing persistent storage for program object and data structures.
4.       Permitting interface and actions by using rules.
5.       Providing multiple user interfaces.
6.       Presenting complex relationships among data.
7.       Enforcing integrity constraints.
8.       Providing backup and recovery.


E-commerce Security Issues


E-commerce is surrounded by different issues, such as commercial, network infrastructure, social and cultural, and security issues. The security issues, which are important for a successful business, are presented below. E-commerce security issues are frequently aired in the press and are certainly important. Customers are concerned that the item ordered won't materialize, or won't be as described. Or (much worse) they worry about their social security number and credit card details being misappropriated. However rare, these things do happen, and customers need to be assured that all e-commerce security issues have been covered. Your guarantees and returns policies must be stated on the website, and they must be adhered to. Let us first state the security attacks on the e-commerce process and the security goals we want to achieve for successful e-commerce.

Attacks on Security
Security attacks can be classified in the following categories depending on the nature of the attacker.

a)      Passive Attacks
The attacker can only eavesdrop or monitor the network traffic. Typically, this is the easiest form of attack and can be performed without difficulty in many networking environments, e.g. broadcast type networks such as Ethernet and wireless networks.

b)      Active Attacks
The attacker is not only able to listen to the transmission but is also able to actively alter or obstruct it. Furthermore, depending on the attacker's actions, the following subcategories can be used to cover the majority of attacks.

c)       Eavesdropping
This attack is used to gain knowledge of the transmitted data. It is a passive attack which is easily performed in many networking environments, as mentioned above. However, this attack can easily be prevented by using an encryption scheme to protect the transmitted data.

d)      Traffic Analysis
The main goal of this attack is not to gain direct knowledge about the transmitted data, but to extract information from the characteristics of the transmission, e.g. the amount of data transmitted, the identity of the communicating nodes etc. This information may allow the attacker to deduce sensitive information, e.g. the roles of the communicating nodes, their position etc. Unlike the previously described attack, this one is more difficult to prevent.

e)      Impersonation
Here, the attacker uses the identity of another node to gain unauthorized access to a resource or data. This attack is often used as a prerequisite to eavesdropping. By impersonating a legitimate node, the attacker can try to gain access to the encryption key used to protect the transmitted data. Once this key is known by the attacker, she can successfully perform the eavesdropping attack.


f)       Modification
This attack modifies data during the transmission between the communicating nodes, implying that the communicating nodes do not share the same view of the transmitted data. An example could be when the transmitted data represents a financial transaction where the attacker has modified the transaction's value.

g)      Insertion
This attack involves an unauthorized party, who inserts new data claiming that it originates from a legitimate party. This attack is related to that of impersonation.
