DIS Unit 5 Notes

The document provides a syllabus and notes for the CW3551 course on Data and Information Security at Stella Mary's College of Engineering. It covers key topics such as information security fundamentals, security investigations, digital signatures, email and IP security, and web security, including threats and protective measures. Additionally, it discusses the importance of Secure Sockets Layer (SSL) for secure internet communications and outlines various types of SSL certificates.

Uploaded by

Sri Padma

Stella Mary's College of Engineering
(Approved by AICTE, New Delhi, Affiliated to Anna University, Chennai, Accredited by NAAC & NBA (Mech & CSE))
Aruthengavilai, Kallukatti Junction, Azhikal (Post), Kanyakumari District-629202

DEPARTMENT OF ARTIFICIAL INTELLIGENCE AND DATA SCIENCE

CW3551 : DATA AND INFORMATION SECURITY

NOTES

Name of the Student :
Register Number :
Year / Semester / Section :

Prepared by,
Mrs P. SRI PADMA, AP/AIDS
CW3551 – Data And Information Security Syllabus

Unit I: Introduction

History, What is Information Security?, Critical Characteristics of Information, NSTISSC Security Model, Components of an Information System, Securing the Components, Balancing Security and Access, The SDLC, The Security SDLC.

Unit II: Security Investigation

Need for Security, Business Needs, Threats, Attacks, Legal, Ethical and Professional Issues – An Overview of Computer Security – Access Control Matrix, Policy – Security policies, Confidentiality policies, Integrity policies and Hybrid policies.

Unit III: Digital Signature And Authentication

Digital Signature and Authentication Schemes: Digital signature – Digital Signature Schemes and their Variants – Digital Signature Standards – Authentication: Overview – Requirements – Protocols – Applications – Kerberos – X.509 Directory Services.

Unit IV: E-Mail And IP Security

E-mail and IP Security: Electronic mail security: Email Architecture – PGP – Operational Descriptions – Key management – Trust Model – S/MIME. IP Security: Overview – Architecture – ESP, AH Protocols – IPSec Modes – Security association – Key management.

Unit V: Web Security

Web Security: Requirements – Secure Sockets Layer – Objectives – Layers – SSL secure communication – Protocols – Transport Level Security. Secure Electronic Transaction – Entities – DS Verification – SET processing.

Text Book:

1. Michael E. Whitman and Herbert J. Mattord, "Principles of Information Security", Course Technology, 6th Edition, 2017.
2. William Stallings, "Cryptography and Network Security: Principles and Practice", Seventh Edition, Pearson Education, 2017.

References:

1. Harold F. Tipton, Micki Krause Nozaki, "Information Security Management Handbook, Volume 6", 6th Edition, 2016.
2. Stuart McClure, Joel Scambray, George Kurtz, "Hacking Exposed", McGraw-Hill, Seventh Edition, 2012.
3. Matt Bishop, "Computer Security: Art and Science", Addison Wesley Reprint Edition, 2015.
4. Behrouz A. Forouzan, Debdeep Mukhopadhyay, "Cryptography and Network Security", 3rd Edition, McGraw-Hill Education, 2015.
www.BrainKart.com
CW3551-DATA AND INFORMATION SECURITY
UNIT V - WEB SECURITY

UNIT V WEB SECURITY

Web Security: Requirements- Secure Sockets Layer- Objectives-Layers -SSL secure communication-Protocols
- Transport Level Security. Secure Electronic Transaction- Entities DS Verification-SET processing.
Web Security
Web security is very important nowadays, because websites are always exposed to security threats and risks. Web security deals with the security of data on the internet or network, including data while it is being transferred. For example, when you transfer data between a client and a server and have to protect that data, the protection of that data is your web security.
Hacking a website may result in the theft of important customer data, such as credit card information or customer login details, or in the destruction of a business and the propagation of illegal content to its users. When somebody hacks your website they can either steal your customers' important information or push illegal content to your users through your website, so security has to be considered in the context of web security.
Requirements:
Security Threats:
A threat is a possible event that can damage or harm an information system. A security threat is defined as a risk that can potentially harm computer systems and organizations. Whenever an individual or an organization creates a website, it becomes exposed to security attacks.
Security attacks are mainly aimed at stealing, altering or destroying personal and confidential information, consuming hard drive space, and illegally obtaining passwords. So whenever the website you created is vulnerable to security attacks, attackers can steal your data, alter it, destroy your personal information, read your confidential information and gain access to your passwords.
Web Security Threats :
Web security threats are constantly emerging and evolving, but many threats consistently appear at
the top of the list of web security threats. These include:
 Cross-site scripting (XSS)
 SQL Injection
 Phishing
 Ransomware
 Code Injection

 Viruses and worms
 Spyware
 Denial of Service
Security Consideration:
 Updated Software: Always keep your software updated. Hackers may be aware of vulnerabilities in certain software, often caused by bugs, which can be used to damage your computer system and steal personal data. Older versions of software can become a gateway for hackers to enter your network. Software makers soon become aware of these vulnerabilities and fix the vulnerable or exposed areas, so keeping your software updated is mandatory and plays an important role in keeping your personal data secure.
 Beware of SQL Injection: SQL injection is an attempt to manipulate your data or your database by inserting rogue code into your query. For example, somebody can send a query to your website that contains rogue code; when it is executed it can be used to manipulate your database, such as changing tables, modifying or deleting data, or retrieving important information. One should therefore be aware of the SQL injection attack.
 Cross-Site Scripting (XSS): XSS allows attackers to insert client-side script into web pages, for example through form submissions. It is a term used to describe a class of attacks that allow an attacker to inject client-side scripts into other users' browsers through a website. Because the injected code reaches the browser from the site itself, the browser trusts it, and it can do things like send the user's site authorization cookie to the attacker.
 Error Messages: Be very careful about the error messages generated for users while they access the website. Error messages arise for one reason or another, and you should be careful about how much information they reveal. For example, on a failed login attempt the error message should not let the user know which field is incorrect: username or password.
 Data Validation: Data validation is the proper testing of any input supplied by the user or application. It prevents improperly formed data from entering the information system. Validation of data should be performed on both the server side and the client side; performing it on both sides gives stronger assurance than either side alone. Data validation should occur whenever data is received from an outside party, especially if the data is from untrusted sources.
 Password: A password provides the first line of defense against unauthorized access to your device and personal information. It is necessary to use a strong password. Hackers in many cases use sophisticated software that uses brute force to crack passwords, so passwords must be complex to protect against brute force. It is good to enforce password requirements such as a minimum length of eight characters including uppercase letters, lowercase letters, special characters, and numerals.
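As an added example (not part of these notes), the following Python puts three of the considerations above into code: the SQL injection item (a concatenated login query beside its parameterized form, run against a constructed in-memory SQLite table), the error-message item (one uniform failure message for both a wrong username and a wrong password), and the password item (the eight-character mixed-class policy). The user table, keys and passwords are constructed for the demonstration, and SHA-256 stands in for a proper slow password hash only to keep the example stdlib-only.

```python
import hashlib
import hmac
import re
import sqlite3

# Constructed demo user table (not real data). SHA-256 stands in for a proper
# slow password hash (bcrypt/argon2) only to keep this example stdlib-only.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)",
               ("alice", hashlib.sha256(b"Correct-Horse-9").hexdigest()))
    return db

def login_vulnerable(db, username, password):
    # Vulnerable form: user input is spliced into the SQL text, so a quote or
    # comment marker in the input changes the structure of the query itself.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND pw_hash = '%s'" % (username, pw_hash))
    return db.execute(sql).fetchone() is not None

def login_safe(db, username, password):
    # Hardened form: a parameterized query. The driver sends the values apart
    # from the SQL text, so input can never change the query's structure.
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = db.execute("SELECT pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    # Compare against a dummy hash when the user does not exist, so that both
    # failure cases take the same code path (no username enumeration).
    stored = row[0] if row else "0" * 64
    return hmac.compare_digest(stored, pw_hash) and row is not None

def login_response(db, username, password):
    # One message for "no such user" and "wrong password": the error must not
    # tell the caller which of the two fields was incorrect.
    if login_safe(db, username, password):
        return "OK"
    return "Invalid username or password"

def password_meets_policy(pw):
    # Minimum eight characters with upper, lower, digit and special character.
    return (len(pw) >= 8 and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)

if __name__ == "__main__":
    db = make_db()
    # A username carrying a quote and a comment marker turns the concatenated
    # query into "... WHERE username = 'alice' --..." and bypasses the check.
    crafted = "alice' --"
    print("vulnerable:", login_vulnerable(db, crafted, "anything"))   # True
    print("parameterized:", login_safe(db, crafted, "anything"))      # False
    print(login_response(db, "nobody", "x"), "|", login_response(db, "alice", "x"))
```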
How Does Web Security Work?
Web security is enforced by a security appliance that acts as a web proxy, sitting between users and the Internet. This appliance can be an on-premises or cloud-based appliance, or software deployed within the user's web browser. In every case, what matters is that the employee's computer is configured to send all Internet-bound traffic through the web security system.
What does web security cover?
Web security refers to protecting networks and computer systems from damage to, or theft of, software, hardware, or data. It also includes protecting computer systems from having the services they are designed to provide misdirected or disrupted.

II. Secure Sockets Layer:

Secure Sockets Layer (SSL) is a security protocol that provides privacy, authentication, and integrity to Internet communications. SSL eventually evolved into Transport Layer Security (TLS).
What is SSL?

SSL, or Secure Sockets Layer, is an encryption-based Internet security protocol. It was first
developed by Netscape in 1995 for the purpose of ensuring privacy, authentication, and data integrity
in Internet communications. SSL is the predecessor to the modern TLS encryption used today.

A website that implements SSL/TLS has "HTTPS" in its URL instead of "HTTP."
How does SSL/TLS work?

 In order to provide a high degree of privacy, SSL encrypts data that is transmitted across
the web. This means that anyone who tries to intercept this data will only see a garbled mix
of characters that is nearly impossible to decrypt.
 SSL initiates an authentication process called a handshake between two communicating
devices to ensure that both devices are really who they claim to be.
 SSL also digitally signs data in order to provide data integrity, verifying that the data is
not tampered with before reaching its intended recipient.
There have been several iterations of SSL, each more secure than the last. In 1999 SSL was updated
to become TLS.


Why is SSL/TLS important?

Originally, data on the Web was transmitted in plaintext that anyone could read if they intercepted the
message. For example, if a consumer visited a shopping website, placed an order, and entered their
credit card number on the website, that credit card number would travel across the Internet
unconcealed.

SSL was created to correct this problem and protect user privacy. By encrypting any data that goes
between a user and a web server, SSL ensures that anyone who intercepts the data can only see a
scrambled mess of characters. The consumer's credit card number is now safe, only visible to the
shopping website where they entered it.

SSL also stops certain kinds of cyber attacks: It authenticates web servers, which is important because
attackers will often try to set up fake websites to trick users and steal data. It also prevents attackers
from tampering with data in transit, like a tamper-proof seal on a medicine container.
What is an SSL certificate?
SSL can only be implemented by websites that have an SSL certificate (technically a "TLS
certificate"). An SSL certificate is like an ID card or a badge that proves someone is who they say
they are. SSL certificates are stored and displayed on the Web by a website's or application's server.

One of the most important pieces of information in an SSL certificate is the website's public key.
The public key makes encryption and authentication possible. A user's device views the public key
and uses it to establish secure encryption keys with the web server. Meanwhile the web server also
has a private key that is kept secret; the private key decrypts data encrypted with the public key.

Certificate authorities (CA) are responsible for issuing SSL certificates.

What are the types of SSL certificates?

There are several different types of SSL certificates. One certificate can apply to a single website or
several websites, depending on the type:
 Single-domain: A single-domain SSL certificate applies to only one domain (a "domain"
is the name of a website, like www.cloudflare.com).
 Wildcard: Like a single-domain certificate, a wildcard SSL certificate applies to only
one domain. However, it also includes that domain's subdomains. For example, a wildcard
certificate could cover www.cloudflare.com, blog.cloudflare.com, and
developers.cloudflare.com, while a single-domain certificate could only cover the first.

 Multi-domain: As the name indicates, multi-domain SSL certificates can apply to multiple
unrelated domains.
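Added example (not from these notes): the hostname-matching rule that decides which of the three certificate types above covers a requested site, in Python. The three certificates are constructed as plain lists of the names they cover (as a real certificate's Subject Alternative Name list would), and the wildcard rule implemented is the common one in which `*` stands for exactly one leftmost label.

```python
# Constructed certificates, represented by the list of names each one covers
# (as the Subject Alternative Name list of a real certificate would).
SINGLE_DOMAIN = ["www.cloudflare.com"]
WILDCARD = ["*.cloudflare.com"]
MULTI_DOMAIN = ["www.cloudflare.com", "example.org", "shop.example.net"]

def name_matches(pattern, hostname):
    """True if one certificate name (plain or wildcard) covers hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    # Only a wildcard that is the whole leftmost label is accepted, and it
    # stands for exactly one label: *.cloudflare.com covers blog.cloudflare.com
    # but neither cloudflare.com itself nor a.b.cloudflare.com.
    if not pattern.startswith("*.") or "*" in pattern[2:]:
        return False
    suffix = pattern[1:]                    # ".cloudflare.com"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[:-len(suffix)]
    return leftmost != "" and "." not in leftmost

def certificate_covers(cert_names, hostname):
    """Does any name in the certificate cover the requested hostname?"""
    return any(name_matches(n, hostname) for n in cert_names)

def certificate_kind(cert_names):
    """Classify a certificate by the names it carries, as in the text."""
    if any(n.startswith("*.") for n in cert_names):
        return "wildcard"
    return "single-domain" if len(cert_names) == 1 else "multi-domain"

if __name__ == "__main__":
    for cert in (SINGLE_DOMAIN, WILDCARD, MULTI_DOMAIN):
        for host in ("www.cloudflare.com", "blog.cloudflare.com",
                     "cloudflare.com", "a.b.cloudflare.com", "example.org"):
            print(certificate_kind(cert), host, certificate_covers(cert, host))
```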

SSL certificates also come with different validation levels. A validation level is like a background
check, and the level changes depending on the thoroughness of the check.

 Domain Validation: This is the least-stringent level of validation, and the cheapest. All a
business has to do is prove they control the domain.
 Organization Validation: This is a more hands-on process: The CA directly contacts the
person or business requesting the certificate. These certificates are more trustworthy for
users.
 Extended Validation: This requires a full background check of an organization before the
SSL certificate can be issued.
Secure Socket Layer (SSL) provides security to the data that is transferred between web browser
and server. SSL encrypts the link between a web server and a browser which ensures that all data
passed between them remain private and free from attack.
Secure Socket Layer Protocols:
 SSL record protocol
 Handshake protocol
 Change-cipher spec protocol
 Alert protocol

SSL Protocol Stack: (figure not reproduced in this extraction)

SSL Record Protocol:

The SSL Record Protocol provides two services to an SSL connection:
 Confidentiality
 Message Integrity
In the SSL Record Protocol, application data is divided into fragments. Each fragment is compressed, then a MAC (Message Authentication Code) generated by an algorithm such as SHA (Secure Hash Algorithm) or MD5 (Message Digest) is appended. After that the data is encrypted, and finally the SSL record header is prepended to the data.

Handshake Protocol:
The Handshake Protocol is used to establish sessions. It allows the client and server to authenticate each other by exchanging a series of messages. The handshake uses four phases to complete its cycle.
 Phase-1: In Phase-1 both client and server send hello packets to each other. In this phase the session ID, cipher suite and protocol version are exchanged for security purposes.
 Phase-2: The server sends its certificate and Server-key-exchange message. The server ends Phase-2 by sending the Server-hello-done packet.
 Phase-3: In this phase, the client replies to the server by sending its certificate and Client-key-exchange message.
 Phase-4: In Phase-4 the Change-cipher-spec exchange occurs, after which the Handshake Protocol ends.

Change-cipher Protocol:
This protocol uses the SSL Record Protocol. Until the Handshake Protocol is completed, the SSL record parameters stay in a pending state. After the handshake completes, the pending state is converted into the current state.
The Change-cipher protocol consists of a single message which is 1 byte in length and can have only one value. Its purpose is to cause the pending state to be copied into the current state.

Alert Protocol:
This protocol is used to convey SSL-related alerts to the peer entity. Each message in this protocol
contains 2 bytes.


The first byte gives the level, which is classified into two parts:

Warning (level = 1):
This Alert has no impact on the connection between sender and receiver. Some of them are:
Bad certificate: When the received certificate is corrupt.
No certificate: When an appropriate certificate is not available.
Certificate expired: When a certificate has expired.
Certificate unknown: When some other unspecified issue arose in processing the certificate,
rendering it unacceptable.
Close notify: It notifies that the sender will no longer send any messages in the connection.
Unsupported certificate: The type of certificate received is not supported.
Certificate revoked: The certificate received is in revocation list.

Fatal Error (level = 2):

This Alert breaks the connection between sender and receiver. The connection will be stopped,
cannot be resumed but can be restarted. Some of them are :
Handshake failure: When the sender is unable to negotiate an acceptable set of security
parameters given the options available.
Decompression failure: When the decompression function receives improper input.
Illegal parameters: When a field is out of range or inconsistent with other fields.
Bad record MAC: When an incorrect MAC was received.
Unexpected message: When an inappropriate message is received.
The second byte in the Alert protocol describes the error.
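Added example (not from these notes) covering both the SSL Record Protocol pipeline described earlier and the two-byte Alert Protocol described here, in Python: the sender fragments, compresses, MACs, encrypts and adds the record header; the receiver reverses the steps and, when the MAC check or decompression fails, produces the fatal alert (level 2) that would be sent to the peer. The keys and message are constructed, the "cipher" is a keyed-hash keystream stand-in rather than a real cipher, and the alert description codes are the real TLS values.

```python
import hashlib
import hmac
import struct
import zlib

APPLICATION_DATA = 23      # record content type byte for application data
VERSION = (3, 0)           # SSL 3.0 version bytes carried in the record header
MAX_FRAGMENT = 2 ** 14     # upper bound on a plaintext fragment
MAC_LEN = 20               # HMAC-SHA1 tag length

# Alert protocol: byte 1 is the level, byte 2 the description (real code values).
WARNING, FATAL = 1, 2
ALERT_CODES = {"close_notify": 0, "unexpected_message": 10, "bad_record_mac": 20,
               "decompression_failure": 30, "handshake_failure": 40,
               "bad_certificate": 42, "certificate_expired": 45,
               "illegal_parameter": 47}
ALERT_NAMES = {code: name for name, code in ALERT_CODES.items()}

def alert(level, name):
    return bytes([level, ALERT_CODES[name]])

def parse_alert(msg):
    level, desc = msg[0], msg[1]
    return ("fatal" if level == FATAL else "warning", ALERT_NAMES.get(desc, "unknown"))

def _keystream(key, seq, n):
    # Toy stream cipher stand-in (NOT a real cipher): keyed hash in counter mode.
    blocks = (hmac.new(key, struct.pack(">QI", seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _mac(mac_key, seq, ctype, fragment):
    # The MAC binds the record sequence number and content type to the data.
    return hmac.new(mac_key, struct.pack(">QB", seq, ctype) + fragment,
                    hashlib.sha1).digest()

def seal_records(mac_key, enc_key, data, ctype=APPLICATION_DATA):
    """Sender side: fragment -> compress -> append MAC -> encrypt -> add header."""
    records = []
    for seq, off in enumerate(range(0, len(data), MAX_FRAGMENT)):
        fragment = zlib.compress(data[off:off + MAX_FRAGMENT])
        body = fragment + _mac(mac_key, seq, ctype, fragment)
        body = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, seq, len(body))))
        header = struct.pack(">BBBH", ctype, VERSION[0], VERSION[1], len(body))
        records.append(header + body)
    return records

def open_records(mac_key, enc_key, records):
    """Receiver side: reverse the pipeline. Returns (data, alert) where alert is
    None on success or the fatal 2-byte alert the peer would be sent."""
    out = b""
    for seq, rec in enumerate(records):
        ctype, _, _, length = struct.unpack(">BBBH", rec[:5])
        body = rec[5:5 + length]
        body = bytes(a ^ b for a, b in zip(body, _keystream(enc_key, seq, len(body))))
        fragment, tag = body[:-MAC_LEN], body[-MAC_LEN:]
        if not hmac.compare_digest(tag, _mac(mac_key, seq, ctype, fragment)):
            return out, alert(FATAL, "bad_record_mac")   # integrity check failed
        try:
            out += zlib.decompress(fragment)
        except zlib.error:
            return out, alert(FATAL, "decompression_failure")
    return out, None
```

Flipping one ciphertext byte of a record makes `open_records` stop at that record and return the `bad_record_mac` alert, which is how the fatal-level behaviour described above (connection stopped, not resumed) is triggered in practice.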

An SSL (Secure Sockets Layer) certificate is a digital certificate used to secure and verify the identity of a website or an online service. The certificate is issued by a trusted third party called a Certificate Authority (CA), which verifies the identity of the website or service before issuing the certificate.
The SSL certificate has several important characteristics that make it a reliable solution for securing
online transactions:
1. Encryption: The SSL certificate uses encryption algorithms to secure the communication between the website or service and its users. This ensures that sensitive information, such as login credentials and credit card information, is protected from being intercepted and read by unauthorized parties.
2. Authentication: The SSL certificate verifies the identity of the website or service, ensuring that
users are communicating with the intended party and not with an impostor. This provides
assurance to users that their information is being transmitted to a trusted entity.
3. Integrity: The SSL certificate uses message authentication codes (MACs) to detect any
tampering with the data during transmission. This ensures that the data being transmitted is not
modified in any way, preserving its integrity.
4. Non-repudiation: SSL certificates provide non-repudiation of data, meaning that the recipient
of the data cannot deny having received it. This is important in situations where the authenticity
of the information needs to be established, such as in e-commerce transactions.
5. Public-key cryptography: SSL certificates use public-key cryptography for secure key
exchange between the client and server. This allows the client and server to securely exchange
encryption keys, ensuring that the encrypted information can only be decrypted by the intended
recipient.
6. Session management: SSL certificates allow for the management of secure sessions, allowing
for the resumption of secure sessions after interruption. This helps to reduce the overhead of
establishing a new secure connection each time a user accesses a website or service.
7. Certificates issued by trusted CAs: SSL certificates are issued by trusted CAs, who are
responsible for verifying the identity of the website or service before issuing the certificate. This
provides a high level of trust and assurance to users that the website or service they are
communicating with is authentic and trustworthy.
