
Authentication between the server and the browser

Your tasks are to analyse and to write a report about the processes and the security technologies being used when you access your bank account online via a web browser. It is a well-known fact that the Internet is a public network and every single message you exchange with the server can potentially be intercepted by attackers. You need to analyse in detail what technologies and techniques are used to prevent attackers from modifying the financial transaction requests you initiate on the server and what keeps your passwords and credit card details safe on the wire between your browser and the online banking server.

You are required to address the following topics and tasks in detail in your report:

1. The authentication process between the server and the browser.

1.1 Analytical Tasks

a) Analyse and write a report on how the browser ensures that it is communicating with the right server.

b) Describe the role of digital signatures in this process.

c) Analyse and write a report on how the server ensures that it is communicating with the account owner.

d) Briefly describe at least three other additional techniques that can be used to achieve authentication of the clients by servers.

1.2 Practical Tasks: Open your browser, visit your online banking website and verify:

a) Which certificate authority has your bank acquired the SSL certificate from?

b) What information is embedded inside the SSL certificate presented by the server?

c) The certificates issued by which companies are installed as the trusted root certificates on your computer? Describe the purpose of the trusted root certificates.

2. The confidentiality and the integrity services used to secure the communication between the server and the browser.

2.1 Analytical Tasks

a) Analyse and write a report on how the server and the browser agree on which cipher suite to use.

b) Analyse and write a report on how they agree on the symmetrical secret key for the encryption and hashing algorithms.

2.2 Practical Tasks: Open your browser, visit your online banking website and verify:

d) Which version of the SSL/TLS protocol is being used?

e) What encryption algorithm is being used for confidentiality?

f) What hashing algorithm is being used for integrity?

3. The anti-replay service between the server and the browser.

3.1 Analytical Task

a) Analyse and write a report on how protection against replay attacks is achieved between the server and the browser.

BN305 Virtual Private Network 3 Prepared by: Abulfaz Aghabalayev Moderated by: Fariza Sabrina April, 2018.

Instructions:

1. To enhance your understanding of the technology in this report, you are required to describe how the technology works theoretically, and to perform some small practical activities and include screenshots and descriptions of them. The questions are organized in a logical order; to make them easy to distinguish, the analytical questions are presented in blue and the practical questions are presented in green.

2. Include a cover page with the subject name, the assignment name, the student name and ID, and the submission date.

3. Include a table of contents.

4. Include a table of figures.

5. Ensure that all the figures are numbered and named. You have to refer to the figures you add in the text.

6. Strictly follow the IEEE reference format for in-body citations and the references section.

7. You can use trustworthy online resources and documentation from well-known technology companies such as Microsoft, Cisco and Juniper.

8. No plagiarism is allowed.

9. There are no minimum or maximum word counts for this assignment. However, it is expected that the report is correct, written to the point, and uses the right technical terminology.

Authentication between the server and the browser

A Virtual Private Network, generally known as a VPN, is a secure way of connecting to a private network through a public gateway. In other words, it is a kind of tunnel that runs through a public network to a remote network. A VPN can be used safely from a remote network, so the communication is protected from sniffing or capture by attackers. A VPN connection can be established between two VPN networks via a secured gateway that is able to encrypt the data, protect its integrity and guarantee that the communication occurs only between those two verified networks.

The VPN is somewhat connected to an earlier remote network, the public switched telephone network. VPN networks are associated with IP-based communication. Before VPNs came into existence, large enterprises invested a lot of resources and time in building intricate private networks, called intranets. These private networks were costly to install. Some companies that could not afford leased lines used low-speed network services.

As the Internet became increasingly open and bandwidth limits grew, organizations started to put their intranets onto the web and to create what are now known as extranets to connect internal and external users. Security is the main problem behind the telephone network. Today, a VPN provides a secured peer-to-peer connection. VPNs cost significantly less than private or leased networks because the communication is carried over a public network. Earlier, VPN technology was difficult to implement, but technology has now reached a level where deployment is simple and affordable for all types of organizations.

This report describes the processes and the security technologies used when you access your bank account online via a web browser. It is a well-known fact that the Internet is a public network and every single message you exchange with the server can potentially be intercepted by attackers. The report also covers the technologies and techniques used to prevent attackers from modifying the financial transaction requests you initiate on the server, and what keeps your passwords and credit card details safe on the wire between your browser and the online banking server.

  1. Authentication Process between the server and the browser –
    • Analytical Task
  • How the browser ensures that it is communicating to the right server?

Answer – When the user enters the URL in the browser, the browser initiates a TCP connection to the server using the IP address held in DNS; the conversion of the URL into an IP address is done by the browser and is called a DNS lookup. Once the server acknowledges the TCP connection, the browser sends an HTTPS request to the server to retrieve the content. After the server answers with the content for the page, the browser extracts it from the HTTP packets and displays it. The HTTP indicator is visible at the left-hand corner of the address bar; it shows whether the communication is secure, and the authentication details are also visible there. This is how the browser determines whether it is communicating with the right server.

The browser also checks the certificate issued to the server by a third party. The certificate states that the server belongs to the entity the user is looking for.

  • Describe the role of digital signatures in authentication process.


Answer – A digital signature is a digital code, authenticated by public key encryption, that is attached to an electronically transmitted document to validate the authenticity and integrity of the software or digital document. In the banking industry, digital signatures are useful for several reasons. Some banking transactions, such as loans and account openings, require a client signature, which usually means that all documents have to be mailed, that the customer is met in person, and that the client confirms by signing the document. Introducing digital signatures into this banking process proves to be efficient: it delivers significant and measurable results in terms of cost, increases transaction speed and improves customer satisfaction.

  • How the server ensures that it is communicating to the account owner?

Answer – The server uses authentication to know exactly who is accessing the information or website. In this authentication process, the user has to prove their identity by providing credentials such as a user name and password. There are also other authentication methods, such as entering card details, retina scans, voice recognition and fingerprints. Authentication does not determine which tasks the individual can perform or which records the individual can see. Authentication only identifies and verifies who the individual or system is.

  • Briefly describe at least three other additional techniques that can be used to achieve authentication of the clients by servers.

Answer – Authentication is the process of identifying a user by a valid user name and password; it can also be done through the MAC address.

Three techniques that can be used to achieve authentication of clients by the server are:

  • 802.1X authentication - 802.1X is a method for confirming the identity of a user before providing network access to the user. Remote Authentication Dial In User Service (RADIUS) is a protocol that provides centralized authentication, authorization, and accounting management. For authentication purposes, the wireless client can associate to a network access server (NAS) or RADIUS client, such as a wireless IAP. The wireless client can pass data traffic only after successful 802.1X authentication.
  • MAC authentication – Media Access Control (MAC) authentication is used for authenticating devices based on their physical MAC addresses. MAC authentication requires that the MAC address of a machine matches a manually defined list of addresses. This authentication method is not recommended for scalable networks or for networks that require stringent security settings. [4]
  • Kerberos authentication - Kerberos is a trusted third-party authentication system that relies on shared secrets. It presumes that the third party is secure, and provides single sign-on capabilities, centralized password storage, database link authentication, and enhanced PC security. It does this through a Kerberos authentication server, or through Cybersafe Active Trust, a commercial Kerberos-based authentication server. [5]
  • Practical tasks
  • Which certificate authority your bank has acquired the SSL certificate from? 

Commonwealth Bank has acquired its SSL certificate from DigiCert.

  • What information is embedded inside the SSL certificate presented by the server? 

The certificate shows all the details it contains. It includes the version, serial number, algorithms, validation, etc.

  • The certificates issued by which companies are installed as the trusted root certificates on your computer? Describe the purpose of the trusted root certificates. 

The objective for Trusted Root is to improve interior procedures encompassing the issuance and lifecycle administration of computerized. My computer's trusted root certification store contains 47 certificates.

  2. The confidentiality and the integrity services used to secure the communication between the server and the browser.
  • Analytical Tasks
  • How the server and the browser agree on which cipher suite to use?

Answer – "Cipher suite" is the technical protocol term that describes the type, size, and methods used when data (plaintext) is transformed into "cipher text", or encrypted data. To understand how the server and the browser agree on which cipher suite to use, we have to be familiar with the SSL 2.0, SSL 3.0 and TLS 1.0 protocols. TLS 1.0 is Transport Layer Security and is the most recent version of SSL 3.0. The browser has all of the protocols and algorithms, and the server picks the one that appears to be most secure; that one is then used on the channel. The server picks only from those that are present in its list of suitable protocols. If the server does not find any suitable suite, the connection is rejected.
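The selection step described above can be modelled in a few lines. This is an added example, not part of the original report: it parses the length-prefixed `cipher_suites` list a browser sends in its ClientHello and applies a server preference order, rejecting the handshake when nothing is shared. The code points are IANA-registered values; the client offer and the server policy are constructed for illustration.

```python
import struct

# IANA-registered TLS cipher suite code points (a small subset).
SUITES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
HANDSHAKE_FAILURE = 40  # TLS alert description used when no suite is shared


class HandshakeFailure(Exception):
    """Raised when client and server share no acceptable cipher suite."""
    alert = HANDSHAKE_FAILURE


def encode_offer(code_points):
    """Build a ClientHello cipher_suites vector: 2-byte length, then 2-byte IDs."""
    body = b"".join(struct.pack("!H", cp) for cp in code_points)
    return struct.pack("!H", len(body)) + body


def parse_offer(vector):
    """Parse the cipher_suites vector, rejecting truncated or odd-length input."""
    if len(vector) < 2:
        raise ValueError("missing length prefix")
    (length,) = struct.unpack("!H", vector[:2])
    body = vector[2:]
    if length != len(body) or length % 2 or length == 0:
        raise ValueError("malformed cipher_suites vector")
    return [cp for (cp,) in struct.iter_unpack("!H", body)]


def select_suite(client_vector, server_preference):
    """Return the first suite in the server's preference order that the client offered."""
    offered = set(parse_offer(client_vector))
    for cp in server_preference:
        if cp in offered:
            return SUITES.get(cp, f"0x{cp:04X}")
    raise HandshakeFailure("no shared cipher suite")


# Constructed sample: a client offering an old RC4 suite plus two AES suites.
CLIENT_OFFER = encode_offer([0x0005, 0x002F, 0xC030])
# Hypothetical server policy, strongest first; RC4 and 3DES are not accepted at all.
SERVER_PREFERENCE = [0xC030, 0xC02F, 0x0035, 0x002F]
```

With the constructed offer the server settles on the AES-256-GCM suite; a client that offers only RC4 and 3DES is rejected with a handshake failure.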

  • How the server and the browser agree on the symmetrical secret key for the encryption and hashing algorithms?

Answer – Symmetrical secret encryption is a type of encryption in which only one key is involved in both the encryption and the decryption of a message. To encrypt a message using this algorithm, a cipher suite is first selected, called the AES cipher suite (more secure), and then the cipher text is encrypted. When the browser and the server perform the TLS handshake, the browser creates a symmetric key and shares it with the server, and all further communication happens through symmetric encryption. [8]

  • Practical tasks
  • Which version of the SSL/TLS protocol is being used? 

Commonwealth Bank uses SSL version 3.0.

  • What encryption algorithm is being used for confidentiality? 

 RSA encryption algorithm is used to maintain the confidentiality of the information.

  • What hashing algorithm is being used for integrity? 

The anti-replay service between the server and the browser.

  • Analytical task
  • How the protection against replay attacks is achieved between the server and the browser?

Answer – Replay attacks, in which attackers capture and resend network packets that do not belong to them, are extremely dangerous and can in some cases cause serious damage. What makes these kinds of attacks even more harmful is that they can be staged on encrypted communication channels without access to the decryption keys. Attackers only need to eavesdrop on the line and have a general knowledge of what task a particular set of packets is performing; by resending those packets or requests, they are able to disrupt communications or cause more damaging effects.

Replay attacks can be prevented by using SSL/TLS certifications. SSL/TLS prevents the resending of packets. Replay attacks are additionally prevented by using a one-time token, in which each HTTP response is tied to a token string that is valid for the next request.
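The one-time token idea can be sketched as follows. This is an added example, not part of the original report: a toy server hands out a fresh token with every response and accepts a request only if it carries the token from the previous response, so a captured request is refused when it is sent a second time. The class name, method names and session ID are hypothetical.

```python
import hmac
import secrets


class OneTimeTokenServer:
    """Toy server: every response carries a token valid only for the next request."""

    def __init__(self):
        self._expected = {}   # session id -> the single token currently valid
        self.ledger = []      # transfers that were actually executed

    def _issue(self, session_id):
        token = secrets.token_urlsafe(32)   # unpredictable, never reused
        self._expected[session_id] = token
        return token

    def login(self, session_id):
        """Start a session and hand out the first token."""
        return self._issue(session_id)

    def transfer(self, session_id, token, amount):
        """Execute the request only if it carries the token from the last response."""
        expected = self._expected.get(session_id)
        # Constant-time comparison on bytes, so arbitrary client input is safe.
        if expected is None or not hmac.compare_digest(
            expected.encode(), str(token).encode()
        ):
            return {"ok": False, "error": "stale or unknown token"}
        del self._expected[session_id]       # consume the token before acting
        self.ledger.append((session_id, amount))
        return {"ok": True, "next_token": self._issue(session_id)}


def demo():
    """Constructed scenario: a genuine request, its replay, then the next request."""
    server = OneTimeTokenServer()
    first_token = server.login("sess-1")
    first = server.transfer("sess-1", first_token, 100)
    replayed = server.transfer("sess-1", first_token, 100)   # same bytes again
    second = server.transfer("sess-1", first["next_token"], 25)
    return first["ok"], replayed["ok"], second["ok"], server.ledger
```

The replayed request is rejected and leaves the ledger untouched, while the legitimate follow-up request, which carries the newly issued token, still succeeds.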

Conclusion

VPN is a developing technology that has made significant progress, from an insecure offshoot of telephone networks to a powerful business aid that uses the Internet as its gateway. VPN technology is still developing, and this is a great advantage to organizations, particularly in the banking sector, that require technology which can scale and grow along with them. Virtual private networks have notable security features that are greatly needed in this digital world.

References

[1] K. Shetty. (2018). Virtual Private Network in Banking. [Online]. Available:

[2] Microsoft.com. (2008). What is a digital signature?. [Online].

[3] D. Shinder. (2001, August 28). Understanding and selecting authentication methods.

[4] Oracle.com. (2018). Authentication Methods.

[5] Anonymous. (2018). Understanding Authentication Methods.

[6] Microsoft.com. (2018). How to: View Certificates with the MMC Snap-in.

[7] Microsoft.com. (2018). How to Determine the Cipher Suite for the Server and Client.

[8] A. Krauss. (2016, August 11). How Public Key and Symmetric Key Encryption Work.

Cite This Work


My Assignment Help. (2020). Analyzing Security Technologies And Processes For Online Banking Transactions. Retrieved from https://myassignmenthelp.com/free-samples/bn305-virtual-private-networks/networks-via-secured-gateway.html.
