Secure web transactions system



Similar documents
Security Policy Revision Date: 23 April 2009

Tel: Toll-Free: Fax: Oct Website: CAIL Security Facility

Using etoken for SSL Web Authentication. SSL V3.0 Overview

SSL VPN vs. IPSec VPN

Cornerstones of Security

PrivyLink Internet Application Security Environment *

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

OFFICE OF THE CONTROLLER OF CERTIFICATION AUTHORITIES TECHNICAL REQUIREMENTS FOR AUDIT OF CERTIFICATION AUTHORITIES

Citrix MetaFrame XP Security Standards and Deployment Scenarios

ISM/ISC Middleware Module

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

Steelcape Product Overview and Functional Description

ERserver. iseries. Secure Sockets Layer (SSL)

Introduction. Haroula Zouridaki Mohammed Bin Abdullah Waheed Qureshi

PrivyLink Cryptographic Key Server *

Chapter 8. Network Security

Overview. SSL Cryptography Overview CHAPTER 1

E-Commerce Security. The Client-Side Vulnerabilities. Securing the Data Transaction LECTURE 7 (SECURITY)

Case Study for Layer 3 Authentication and Encryption

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Top 10 Questions to Ask when Choosing a Secure File Transfer Solution

Secure Network Communications FIPS Non Proprietary Security Policy

Table of Contents. 1 Overview 1-1 Introduction 1-1 Product Design 1-1 Appearance 1-2

Chapter 10. Network Security

Chapter 2 TOPOLOGY SELECTION. SYS-ED/ Computer Education Techniques, Inc.

Ciphire Mail. Abstract

Snow Agent System Pilot Deployment version

Global Client Access Managed Communications Solutions. JPMorgan - Global Client Access. Managed Internet Solutions (EC Gateway)

Authorize.net modules for oscommerce Online Merchant.

<Insert Picture Here> Oracle Security Developer Tools (OSDT) August 2008

Introducing etoken. What is etoken?

MetaFrame Presentation Server Security Standards and Deployment Scenarios Including Common Criteria Information

How To Secure Your Data Center From Hackers

Security Goals Services

How To Understand And Understand The Security Of A Key Infrastructure

Technical Description. DigitalSign 3.1. State of the art legally valid electronic signature. The best, most secure and complete software for

Chapter 17. Transport-Level Security

Web Application Entity Session Management using the eid Card Frank Cornelis 03/03/2010. Fedict All rights reserved

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

RELEASE NOTES. Table of Contents. Scope of the Document. [Latest Official] ADYTON Release corrections. ADYTON Release 2.12.

How To Understand The Architecture Of An Ulteo Virtual Desktop Server Farm

Release Notes. NCP Secure Entry Mac Client. Major Release 2.01 Build 47 May New Features and Enhancements. Tip of the Day

PkBox Technical Overview. Ver

CRYPTOGRAPHY AS A SERVICE

Securing access to Citrix applications using Citrix Secure Gateway and SafeWord. PremierAccess. App Note. December 2001

ERserver. iseries. Securing applications with SSL

Lecture VII : Public Key Infrastructure (PKI)

eid Security Frank Cornelis Architect eid fedict All rights reserved

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

GENERIC SECURITY FRAMEWORK FOR CLOUD COMPUTING USING CRYPTONET

The Security Framework 4.1 Programming and Design

2014 IBM Corporation

Enhancing your security management

Network Access Security. Lesson 10

PKI Uncovered. Cisco Press. Andre Karamanian Srinivas Tenneti Francois Dessart. 800 East 96th Street. Indianapolis, IN 46240

SECURING SAP NETWEAVER DEPLOYMENTS WITH SAFE-T RSACCESS

Release Notes. NCP Secure Client Juniper Edition. 1. New Features and Enhancements. 2. Problems Resolved

The Seven Habits of State-of-the-Art Mobile App Security

Understanding digital certificates

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

Key & Data Storage on Mobile Devices

CycurHSM An Automotive-qualified Software Stack for Hardware Security Modules

INUVIKA OPEN VIRTUAL DESKTOP FOUNDATION SERVER

Security Considerations for DirectAccess Deployments. Whitepaper

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

Enterprise Security Management CheckPoint SecuRemote VPN v4.0 for pcanywhere

Savitribai Phule Pune University

CMSC 421, Operating Systems. Fall Security. URL: Dr. Kalpakis

Web Security. Mahalingam Ramkumar

PRIVACY, SECURITY AND THE VOLLY SERVICE

Xerox DocuShare Security Features. Security White Paper

The DoD Public Key Infrastructure And Public Key-Enabling Frequently Asked Questions

Version Highlights. CertainT 100 SSL Accelerator. Version International. New hardware and software version. North America

FileCloud Security FAQ

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Firewalls. Outlines: By: Arash Habibi Lashkari July Network Security 06

[SMO-SFO-ICO-PE-046-GU-

LBSEC.

Implementing Cisco IOS Network Security

TLS/SSL in distributed systems. Eugen Babinciuc

Why a Reverse Proxy with My Instant Communicator for mobiles??

Software Tool for Implementing RSA Algorithm

Security Protocols/Standards

Remote Connectivity for mysap.com Solutions over the Internet Technical Specification

INF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang

Using BroadSAFE TM Technology 07/18/05

Security Technical. Overview. BlackBerry Enterprise Server for Microsoft Exchange. Version: 5.0 Service Pack: 4

TrustKey Tool User Manual

IT Networks & Security CERT Luncheon Series: Cryptography

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui

2012 LABVANTAGE Solutions, Inc. All Rights Reserved.

BlackBerry Enterprise Server 5.0 SP3 and BlackBerry 7.1

DJIGZO ENCRYPTION. Djigzo white paper

Transcription:

Secure web transactions system TRUSTED WEB SECURITY MODEL Recently, as the generally accepted model in Internet application development, three-tier or multi-tier applications are used. Moreover, new trends show that most of these applications are web-based applications. In this sense, a typical three-tier web Internet application, see Fig. 1, consists of clients, web server and database server. In this model, client is always an Internet browser program and web server could be web server only or a combination of the web and application server. Client 1... Internet WEB server Application server Database server Client n WEB/Application server Figure 1: A simplified block diagram of the typical web Internet three-tier application architecture Security mechanisms in this architecture consist of two segments: Security segment for communication security between client and web server, Security segment for communication and access protection between web/application server and database server. Security part between client and server is realized by implementing security mechanisms on application and transport layers in the Secure Web Transaction (SWT) environment. Security solution for communication security between web/application server and database server is realized by using Cryptographic Proxy Gateways (CPG) as proprietary application level security gateway firewall with two Ethernet interfaces. CPG should be used as the last defense in front of data sensitive financial database server. If the system uses both WEB and application servers, CPG should be placed between the application and database server. Modern security trends request the application of the proprietary firewalls that offer greater level of security, instead of standard commercial ones, for this purpose.

2 SECURE WEB TRANSACTION SYSTEM Secure WEB transaction system (SWT) is designed to cryptographically enhance any WEB server to browser communication by implementing originally developed cryptographic functions. SWT is a NetSeT s proprietary system which is, in the transport level part, similar to the standardized and widely used SSL protocol. However, SWT system has four main advantages compared to SSL protocol: SWT system includes data protection on the application level based on asymmetric (e.g. RSA with 1024 bits key length) and symmetric cryptographic algorithms, SWT includes a proprietary server-browser authentication procedure, stronger than the one applied in SSL, for establishing cryptographic tunneling, SWT includes originally developed symmetric cryptographic algorithms for data protection on transport level with encryption key length ( 256 bits) larger than the keys used in SSL protocol (40 or 128 bits key length). SWT system also offers three possible options for symmetric cryptographic algorithms: public algorithms (DES, 3DES, RC2, RC4, IDEA, AES), proprietary SCA-13 NetSeT s algorithm with very long non-linear pseudorandom noise sequence (>>10 100 ), and user s defined symmetric algorithm, SWT system is fully verifiable on the source code level. Additionally, SWT system is associated with smart card readers both on the client s and server s side and has also implemented the originally developed user strong authentication procedure. Client parts of SWT system are designed both for Windows and Linux-based operating systems. In the SWT system, a combination of the cryptographic tunnel on the transport level and application level protection based on symmetrical and asymmetrical cryptographic algorithms is used, see Fig. 2. In this sense, SWT system consists of the transport SWT module and application SWT module. NetSeT 's SWT system for secure WEB communication is scalable and could consist of the following solution categories: A system based on the SWT smart card based application level protection and open (unsecured) transport level communication, A system based on the SWT smart card based application level protection and SSL security protocol on transport level based on digital certificates generated by NetSeT s Certification Authority system, A system based on the SWT application and transport level protection on the basis of smart cards completely provided by NetSeT the complete SWT system.

3 Application Application SWT module Network Transport SWT module TCP/IP Figure 2: SWT system s stack TRANSPORT SWT MODULE This module is based on proprietary cryptographic proxy components for both on the client and server side. By applying these components, a protected communication channel cryptographic tunnel based on symmetrical cryptographic algorithm is established. This tunnel is established only if the proprietary bilateral strong authentication procedure between client and server is successfully realized. This challenge-response authentication procedure is cryptographically stronger than the one used in SSL protocol and it is based on symmetrical and asymmetrical cryptographic algorithms, two session keys and X.509 digital certificates for both client and server. HTTP AUTHENTICATION SERVER Transport SWT module is a basis of the HTTP authentication server with the following main features: Transport SWT module could be used for protection of the WEB/application server used for specific business application, HTTP authentication server used proprietary protocol for communication with clients on the top of the HTTP protocol, Direct access to the WEB server is forbidden for outside world and only HTTP authentication server has a connection to the WEB business server, Accordingly, access to the WEB server is forbidden for all users except the ones that have special gateway HTTP proxy client, HTTP proxy client and HTTP authentication server are based on smart cards and strong authentication procedures between client and server,

4 HTTP authentication server, for the purpose of the user certificate validation, uses the CRL published on the LDAP server or Active Directory server. APPLICATION SWT MODULE This module is used for realization of two main functions: User strong authentication based on PKI bilateral challenge-response procedure, End-to-end security on the application level based on digital signature and digital envelope technologies using asymmetrical and symmetrical cryptographic algorithms. This module realizes functions for digital signature of the application data (providing authenticity, integrity protection and non-repudiation) and encryption (providing confidentiality protection). Namely, NetSeT s cryptographic application programming interface (API) is a set of the asymmetric and symmetric cryptographic functions which could be implemented in any of the user s applications, designed for Windows 98/NT/2000/XP and Linux platforms. This set consists of the following main functions: Digital signature (RSA algorithm with a key 1024 bits), Verification of the digital signature, Encryption (use of standard, NetSeT s proprietary or user s defined symmetric algorithms), Decryption, Communication with smart card reader with implemented authentication functionality, User s authentication. These API functions are fully compatible with existing de facto standards PKCS (Public Key Cryptographic Standards), such as: PKCS#1, PKCS#7 and PKCS#11. Besides the user strong authentication functions mostly implemented in the WEB server environment or in front of the WEB server (HTTP authentication server), application level security mechanisms enable end-to-end security between the client and application server that is mostly located in a domain behind the web server (it is located on application server or even directly on the database server). On the other side, SSL protocol provides security only between the client and web server, and all the data running over the internal network (behind the WEB server) is in clear. The SWT application level security module is realized as an ActiveX component or JAVA applet both for the client and server side. In fact, client modules are mostly ActiveX components (since Windows clients are prevalent) while servers sides are ActiveX for Windows or JAVA servlet for JAVA environments. These components are installed on the client side; they are integrated into the html pages and activated through client s Internet browser program.

5 Two working modes are possible, regarding the type of the application. Namely, it is possible to protect data in the interactive communication between client and server (on-line) or protection of data or files could be provided in advance (prepared signed and encrypted files) through some off-line cryptographic procedure. Both on-line and off-line procedure use the same ActiveX (or JAVA applet), but in the different environment (on-line is used through Internet browser program and off-line is used through some specialized off-line cryptographic application). The components of the SWT system are based on a modular structure and both of them have an application and transport SWT module. The main difference between the two SWT components is in the server and client s local application interface (SWAL Secure Web Application Link) that has a purpose of integrating these components into the WEB application. SWAL module enables WEB applications the use of the set of cryptographic API functions, necessary for the application level protection. In order to additionally improve the functionality and overall security of the server side of the SWT system, a PCI card-based crypotgraphic coprocessor solution, called NST2000, is to be implemented. The hardware security modules, realized as coprocessors, represent strong points of the modern security solutions for the computer networks. The existence of hardware security modules is ultimate for design of the computer network system with high performance and high level of the security. In that case, the encryption algorithms and the other security related functions (e.g. access control functions) are securely executed on the hardware element and sensitive data are never loaded on the user s computer memory. Without these modules, it would not be possible to achieve the trusted aplication concept with a full control of the system access and resistant to the Trojan Horse attacks. It is proven that PC operating systems and other system software components have some security drawbacks, and this is especially critical for the software-only cryptographic tools. CPG AS THE APPLICATION LEVEL FIREWALL IN THE TRUSTED WEB SECURITY MODEL In the trusted WEB security model, CPG is used for protection of the back-office second model segment namely, for communication protection between the WEB/application server and database server. In this configuration, a simplified blockdiagram is given on Fig. 3, it is necessary to implement a special cryptographic component on the WEB/application server, named CPG gateway, which is used for establishing secure communication (strong user authentication and cryptographic tunnel) between WEB/application server and database server. In this way, all communication between WEB/application server and database server is encrypted and only servers with CPG gateway could have access to the database server.

6 DeMilitarized Zone (DMZ) WEB or application СЕРВЕР server БОНИТЕТ ПККС CPG Internal network Database СЕРВЕР server БАЗЕ БОНИТЕТ CPG Crypto Gateway API Figure 3: Security protection between WEB/application server and database server

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information