Unit-4 : Web security

What Is Web Security? Web security is a broad category of security solutions that protect your users, devices, and wider network against internet-based cyberattacks—malware, phishing, and more—that can lead to breaches and data loss.

Requirements of web security

Authentication
Authentication ensures that each entity involved in using a Web service—the requestor, the provider, and the broker (if there is one)—is what it actually claims to be. Authentication involves accepting credentials from the entity and validating them against an authority.

Authorization
Authorization determines whether the service provider has granted access to the Web service to the requestor. Basically, authorization confirms the service requestor’s credentials. It determines if the service requestor is entitled to perform the operation, which can range from invoking the Web service to executing a certain part of its functionality.

Data Protection
Data protection ensures that the Web service request and response have not been tampered with en route. It requires securing both data integrity and privacy. It’s worth mentioning that data protection does not guarantee the message sender’s identity.

Nonrepudiation
Nonrepudiation guarantees that the message sender is the same as the creator of the message. Now that we have an idea of what constitutes Web service security, we’ll examine the top ten security factors affecting Web service implementation.

Secure Sockets Layer

Secure Sockets Layer (SSL) is a protocol that provides secure communication over the Internet. It uses both symmetric and asymmetric cryptography.

The SSL protocol provides server authentication and client authentication:

  • Server authentication is performed when a client connects to the server. After the initial handshake, the server sends its digital certificate to the client. The client validates the server certificate or certificate chain.
  • Client authentication is performed when a server sends a certificate request to a client during the handshake. If the client certificate or chain is verified and the certificate verify message is verified, the handshake proceeds further.
  • An optional additional authentication is performed by checking the common name in the certificate against the server’s fully qualified domain name, which can be obtained from a reverse Domain Name Server (DNS) lookup.
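The name check in the last bullet is what stops a valid certificate for one host from being accepted for another. As an added example (not from the original notes), the function below applies that check to a certificate in the dictionary form that Python’s `ssl.SSLSocket.getpeercert()` returns; the sample certificates and hostnames are constructed for the demonstration. It goes a little beyond the bullet, following what browsers and RFC 6125 do: subjectAltName DNS entries take precedence over the common name, the common name is only consulted when there is no SAN at all, and a wildcard is honoured only as the entire left-most label.

```python
"""Hostname check against a server certificate (added example, not part of
the original notes). Input is the dict format of ssl.SSLSocket.getpeercert()."""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name against the hostname the client intended.

    Matching is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the whole left-most label ("*.example.com") and matches
    exactly one label, so it covers "www.example.com" but neither
    "example.com" nor "a.b.example.com". Patterns such as "*" or "*.com"
    are rejected outright."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    head, sep, tail = pattern.partition(".")
    if head != "*" or not sep or "." not in tail:
        return False
    host_head, host_sep, host_tail = hostname.partition(".")
    return bool(host_sep) and host_head != "" and host_tail == tail


def cert_names(cert: dict) -> list:
    """Names the certificate is valid for: SAN DNS entries if present,
    otherwise (legacy behaviour) the subject commonName."""
    san = [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        return san
    return [value for rdn in cert.get("subject", ())
            for (kind, value) in rdn if kind == "commonName"]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if any name in the certificate matches the requested hostname."""
    return any(_dns_name_matches(name, hostname) for name in cert_names(cert))


# Constructed sample certificates in getpeercert() layout (not real certificates).
CERT_WITH_SAN = {
    "subject": ((("commonName", "mismatch.example.net"),),),
    "subjectAltName": (("DNS", "example.com"), ("DNS", "*.example.com")),
}
CERT_CN_ONLY = {
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.org"),)),
}

if __name__ == "__main__":
    for cert, host in [(CERT_WITH_SAN, "www.example.com"),
                       (CERT_WITH_SAN, "a.b.example.com"),
                       (CERT_WITH_SAN, "mismatch.example.net"),   # CN ignored when SAN present
                       (CERT_CN_ONLY, "legacy.example.org")]:
        print(f"{host:24s} -> {'accept' if hostname_matches(cert, host) else 'reject'}")
```

In production code this check is not hand-written: `ssl.create_default_context()` sets `check_hostname = True` and `verify_mode = ssl.CERT_REQUIRED`, and the library performs the comparison against the name passed as `server_hostname`. The point of writing it out is to see which names count and why a wildcard never spans more than one label.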

Types of Trust

Two types of trust for SSL certificates are supported:

  • CA Trust – Hierarchical trust based on a root certificate used to issue other certificates. This is the standard SSL certificate trust model.
  • Direct Trust – Direct trust of self-signed certificates assumed to be distributed through secure out-of-band mechanisms. Direct trust and self-signed certificates are not part of the SSL standards, but are frequently used in certain trading communities.

Using SSL Certificates

To communicate using the SSL protocol, configure the systems involved to support either server authentication or client/server authentication. To perform authentication against a server, you need a root Certificate Authority (CA) certificate and the set of intermediate certificates in the chain or, if the server uses a self-signed certificate, a copy of the self-signed certificate.

To support client/server authentication you need a CA or self-signed certificate and a system certificate.

You can obtain an SSL certificate from a trusted CA by providing a Certificate Signing Request (CSR) to the CA. The SSL certificate binds the public key to the identity of the SSL server or client.

If you plan to use client/server authentication, configure a system certificate. You can create system certificates in the following ways:

  • Check in an existing key certificate file or PKCS12 file
  • Generate a self-signed system certificate
  • Generate a CSR and get a certificate from a CA.

When setting up an SSL client connection to a partner’s SSL server, you must get one of the following items from your partner:

  • If the partner is using a self-signed certificate, get the certificate. Check the certificate into the CA table and you are done.
  • If the partner is using a CA signed certificate:
    1. You must get the root CA certificate or verify that the root CA certificate already exists in the system.
    2. Test the connection.
    3. If the connection isn’t successful, get any intermediate certificates in the trust chain and check those into the CA table.
    4. Test the connection.

Transport layer security

Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL), is a protocol used by applications to communicate securely across a network, preventing tampering with and eavesdropping on email, web browsing, messaging, and other protocols. Both SSL and TLS are client/server protocols that ensure communication privacy by using cryptographic protocols to provide security over a network. When a server and client communicate using TLS, it ensures that no third party can eavesdrop on or tamper with any message.

All modern browsers support the TLS protocol, requiring the server to provide a valid digital certificate confirming its identity in order to establish a secure connection. It is possible for the client and server to mutually authenticate each other if both parties provide their own digital certificates.

How Does TLS Work

Established by the Internet Engineering Task Force (IETF), TLS uses encryption for the client and server to generate a secure connection between the applications. It begins when users access a secured website, with the two sides agreeing on a TLS encryption method such as the Advanced Encryption Standard (AES).

It works with two security layers – the TLS record protocol and the TLS handshake protocol. These protocols use symmetric and asymmetric cryptography methods to secure data transfer and communications between the clients and web servers.

The TLS handshake protocol, for example, uses asymmetric cryptography to generate public and private keys that encrypt and decrypt data. Then, the overall process is as follows:

  1. The client sends the TLS versions it supports along with a list of proposed cipher suites, together with a random number that will be used later.
  2. The server confirms which options it will use to initiate the connection.
  3. The server sends a TLS certificate to the client for the authentication process.
  4. After validating the certificate, the client creates and sends a pre-master key encrypted by the server’s public key and decrypted by the server’s private key.
  5. The client and server generate session keys using the previously generated random numbers and the pre-master key.
  6. The client and server each send a Finished message that has been encrypted with a session key.
  7. The TLS handshake process is finished, and both the client and server have established secure symmetric encryption.

Furthermore, the record protocol uses symmetric encryption with the unique session keys generated for each connection during the handshake process. It also appends a hash-based message authentication code (HMAC) to all data exchanged to verify the data’s authenticity.
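Steps 5 to 7 of the handshake and the record-protocol HMAC are easiest to understand by computing them. The block below is an added example, not code from the original notes: it implements the TLS 1.2 key schedule from RFC 5246 (the P_SHA256 PRF, master-secret derivation, key-block expansion, Finished verify_data and the record-layer MAC) with only `hashlib` and `hmac`. The random values, the pre-master secret and the handshake transcript are constructed stand-ins; in a real handshake they come from ClientHello, ServerHello and the encrypted ClientKeyExchange.

```python
"""TLS 1.2 key schedule and record MAC (added example, RFC 5246 sections 5,
6.3, 7.4.9 and 6.2.3.1); all inputs below are constructed for the demo."""
import hashlib
import hmac
import os


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """P_SHA256 data expansion: HMAC chain A(i) = HMAC(secret, A(i-1)), A(0) = seed."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 PRF(secret, label, seed) = P_SHA256(secret, label + seed)."""
    return p_sha256(secret, label + seed, length)


def derive_master_secret(pre_master: bytes, client_random: bytes, server_random: bytes) -> bytes:
    """Step 5: 48-byte master secret from the pre-master secret and both nonces."""
    return prf(pre_master, b"master secret", client_random + server_random, 48)


def derive_key_block(master: bytes, client_random: bytes, server_random: bytes,
                     mac_len: int = 32, key_len: int = 16, iv_len: int = 16) -> dict:
    """Step 5 continued: expand the master secret into per-direction session keys.
    Sizes are for AES-128-CBC with HMAC-SHA256; note the seed order here is
    server_random + client_random (RFC 5246 section 6.3)."""
    block = prf(master, b"key expansion", server_random + client_random,
                2 * (mac_len + key_len + iv_len))
    layout = [("client_mac", mac_len), ("server_mac", mac_len), ("client_key", key_len),
              ("server_key", key_len), ("client_iv", iv_len), ("server_iv", iv_len)]
    keys, pos = {}, 0
    for name, size in layout:
        keys[name] = block[pos:pos + size]
        pos += size
    return keys


def finished_verify_data(master: bytes, label: bytes, transcript: bytes) -> bytes:
    """Step 6: the Finished message's verify_data binds the whole handshake transcript."""
    return prf(master, label, hashlib.sha256(transcript).digest(), 12)


def record_mac(mac_key: bytes, seq: int, content_type: int, version: bytes, fragment: bytes) -> bytes:
    """Record protocol MAC over sequence number, content type, version, length and data."""
    header = (seq.to_bytes(8, "big") + bytes([content_type]) + version
              + len(fragment).to_bytes(2, "big"))
    return hmac.new(mac_key, header + fragment, hashlib.sha256).digest()


def verify_record(mac_key: bytes, seq: int, content_type: int, version: bytes,
                  fragment: bytes, tag: bytes) -> bool:
    """Constant-time check; a changed byte, length or sequence number fails."""
    return hmac.compare_digest(record_mac(mac_key, seq, content_type, version, fragment), tag)


def simulate_handshake(client_random: bytes, server_random: bytes, pre_master: bytes) -> dict:
    """Run steps 5-7 on both endpoints independently and confirm they agree."""
    # Constructed stand-in for the concatenation of handshake messages both sides saw.
    transcript = (b"ClientHello" + client_random + b"ServerHello" + server_random
                  + b"ClientKeyExchange")
    sides = {}
    for side in ("client", "server"):
        master = derive_master_secret(pre_master, client_random, server_random)
        sides[side] = {
            "master": master,
            "keys": derive_key_block(master, client_random, server_random),
            # client computes this to send; server computes it to verify (step 7)
            "finished": finished_verify_data(master, b"client finished", transcript),
        }
    agreed = hmac.compare_digest(sides["client"]["finished"], sides["server"]["finished"])
    return {"client": sides["client"], "server": sides["server"], "finished_verified": agreed}


if __name__ == "__main__":
    result = simulate_handshake(os.urandom(32), os.urandom(32), b"\x03\x03" + os.urandom(46))
    print("master secret agreed:", result["client"]["master"] == result["server"]["master"])
    print("Finished verified:   ", result["finished_verified"])
    print("client write key:    ", result["client"]["keys"]["client_key"].hex())
```

Two details worth noticing: every key is a function of both random values, so a replayed ClientKeyExchange against a fresh ServerHello yields different keys, and the record MAC covers the sequence number, so a record replayed or reordered on the wire fails verification even though its bytes are untouched.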

Now, TLS is becoming a standard practice for most modern browsers and other applications, where it serves three purposes:

  • Encryption. It hides the data transferred from third parties through encoded information.
  • Authentication. TLS ensures both parties’ identities are who they claim to be by providing a certificate.
  • Integrity. Finally, it verifies that the data transmitted has not been forged or tampered with during the delivery process.

TLS Protocol Benefits in Businesses and Web Applications

Since cyber threats can harm any business, ensuring your site’s security should be the top priority. In this case, a transport layer security protocol offers many benefits, such as:

  • Preventing eavesdropping and tampering. TLS provides secure internet communications between a client and a server with a trusted cipher suite. This way, hackers cannot read the data transmitted on the internet, including online transactions.
  • Providing data integrity. By supporting authentication code, TLS provides privacy and data integrity. It ensures that all information will reach its destination without any loss or alteration from third parties.
  • Improving search engine optimization (SEO). Website security is a vital Google ranking factor as they aim to build a safe browsing experience. Therefore, using TLS protocols will give you a competitive edge, improving your site’s ranking on search engines.
  • Enhancing customer trust. Using a TLS connection will provide users with a secure web browsing experience, which will build customer trust in any business. This way, customers will feel more comfortable providing their data for creating a new account or making online purchases.
  • Offering granular control. TLS has a robust and reactive alert system to help users identify a problem. It gives control over what can be transmitted or received in a secure session, so users receive notification alerts if there is a problem, such as the ERR_SSL_VERSION_OR_CIPHER_MISMATCH error.

Secure electronic transaction

A secure electronic transaction is a process used to allow the transfer of secure information over the Internet. Examples include credit card numbers, bank account numbers, government-issued identification numbers and other data that must be exchanged to complete a financial transaction. It most often is employed for electronic commerce using credit cards or direct withdrawal of funds from a bank account and for sensitive activities such as online investing or online management of a bank account. In fact, the development of secure electronic transactions integrated into a website’s payment system has made electronic commerce not only possible but in many ways safer and more secure than traditional financial transactions.

The term “secure electronic transaction” refers specifically to SET, a specific security protocol that makes use of several layers of encryption to protect sensitive information. In SET, a typical secure electronic transaction works based on a series of electronic signatures. Merchants, customers and banks all receive individual digital signatures, often keyed to an individual secure electronic transaction so that each individual purchase has its own set of encryption keys, and all credit card or bank account numbers are protected from exposure and potential fraud. This results in a complex but ultimately very secure system. In order to use SET, both the customer’s browser and the merchant’s server must be SET-enabled.

Providing another layer of security, each transaction uses a dual signature. A set of order information is sent to the merchant under one signature, and payment information is sent to the customer’s bank under another signature. Thus the credit card number is not disclosed to the merchant, and the customer’s order contents are not disclosed to the bank. This system requires the order information and the payment information to be linked, and it requires use of a digital “wallet,” in which the customer’s information is stored.
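The dual signature is the part of SET that makes the order and payment information verifiable as a pair while keeping each half from the party that should not see it. The block below is an added example, not code from the original notes or from the SET specification: it builds the dual signature as Sign(H(H(OI) || H(PI))), splits one purchase into the merchant’s and the bank’s messages, and shows both verification paths. The customer’s RSA signature is stood in for by an HMAC under a constructed customer key so that the linkage logic runs without a crypto library, and the order and payment records are constructed sample values.

```python
"""SET dual signature linkage (added example). HMAC under CUSTOMER_KEY stands
in for the customer's RSA signature; all data below is constructed."""
import hashlib
import hmac


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def dual_signature(customer_key: bytes, order_info: bytes, payment_info: bytes) -> bytes:
    """DS = Sign( H( H(OI) || H(PI) ) ); the inner hash is the payment-order message digest."""
    pomd = digest(digest(order_info) + digest(payment_info))
    return hmac.new(customer_key, pomd, hashlib.sha256).digest()   # stand-in for RSA signing


def build_messages(customer_key: bytes, order_info: bytes, payment_info: bytes) -> tuple:
    """Split one purchase into what the merchant receives and what the bank receives.
    The merchant never sees PI (card data), only its hash; the bank never sees OI
    (what was bought), only its hash; both get the same dual signature."""
    ds = dual_signature(customer_key, order_info, payment_info)
    to_merchant = {"OI": order_info, "PIMD": digest(payment_info), "DS": ds}
    to_bank = {"PI": payment_info, "OIMD": digest(order_info), "DS": ds}
    return to_merchant, to_bank


def merchant_verifies(customer_key: bytes, msg: dict) -> bool:
    """Merchant recomputes H( H(OI) || PIMD ) and checks the dual signature."""
    pomd = digest(digest(msg["OI"]) + msg["PIMD"])
    expected = hmac.new(customer_key, pomd, hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["DS"])


def bank_verifies(customer_key: bytes, msg: dict) -> bool:
    """Bank recomputes H( OIMD || H(PI) ) and checks the same dual signature."""
    pomd = digest(msg["OIMD"] + digest(msg["PI"]))
    expected = hmac.new(customer_key, pomd, hashlib.sha256).digest()
    return hmac.compare_digest(expected, msg["DS"])


# Constructed sample data for the demonstration.
CUSTOMER_KEY = b"demo-customer-signing-key"
ORDER_INFO = b"order=1234;item=headphones;qty=1;total=79.00"
PAYMENT_INFO = b"card=TESTCARD-0000;exp=12/29;amount=79.00"

if __name__ == "__main__":
    merchant_msg, bank_msg = build_messages(CUSTOMER_KEY, ORDER_INFO, PAYMENT_INFO)
    print("merchant holds card data:", "PI" in merchant_msg)
    print("merchant verifies:       ", merchant_verifies(CUSTOMER_KEY, merchant_msg))
    print("bank verifies:           ", bank_verifies(CUSTOMER_KEY, bank_msg))
    tampered = dict(merchant_msg, OI=ORDER_INFO.replace(b"79.00", b"7.00"))
    print("after order tampering:   ", merchant_verifies(CUSTOMER_KEY, tampered))
```

Because both parties verify the same signature over a digest that covers both halves, neither the merchant nor the bank can substitute a different order or a different payment instrument without the signature failing, which is the linkage the paragraph above refers to. With a real SET deployment the verifiers would use the customer’s public key rather than a shared HMAC key.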