https://intellipaat.

com/blog/ipsec-internet-security-protocol/
https://www.geeksforgeeks.org/ip-security-ipsec/

IPv4 stands for Internet Protocol version 4. It is the fourth version of the Internet Protocol (IP) and is one
of the core protocols of standards-based internetworking methods in the Internet and other packet-
switched networks

. IPv4 was the first version deployed for production on SATNET in 1982 and on the ARPANET in January
1983

. IPv4 is still used to route most Internet traffic today, even with the ongoing deployment of Internet
Protocol version 6 (IPv6), its successor

. IPv4 uses 32-bit addresses which limits the address space to 4294967296 (232) addresses

. An IPv4 address is a series of four eight-bit binary numbers separated by a decimal point

. IPv4 is a connectionless protocol, and operates on a best-effort delivery model, in that it does not
guarantee delivery, nor does it assure proper sequencing or avoidance of duplicate delivery

. These aspects, including data integrity, are addressed by an upper layer transport protocol, such as the
Transmission Control Protocol (TCP)

. IPv4 is still a popular protocol for communication over the Internet and on local networks

What is IP header?
IP Header is meta information at the beginning of an IP packet. It
displays information such as the IP version, the packet’s length, the
source, and the destination.

IPV4 header format is 20 to 60 bytes in length. It contains information

need for routing and delivery. It consists of 13 fields such as Version,
Header length, total distance, identification, flags, checksum, source IP
address, destination IP address. It provides essential data need to
transmit the data. LE
IPv4 Header Components/Fields
 IP header format
Following are various components/fields of IP packet header

 Version: The first IP header field is a 4-bit version indicator. In

IPv4, the value of its four bits is set to 0100, which indicates 4 in
binary. However, if the router does not support the specified
version, this packet will be dropped.
 Internet Header Length: Internet header length, shortly known as
IHL, is 4 bits in size. It is also called HELEN (Header Length). This
IP component is used to show how many 32-bit words are present
in the header.
 Type of Service: Type of Service is also called Differentiated
Services Code Point or DSCP. This field is provided features related
to the quality of service for data streaming or VoIP calls. The first 3
bits are the priority bits. It is also used for specifying how you can
handle Datagram.
 Total length: The total length is measured in bytes. The minimum
size of an IP datagram is 20 bytes and the maximum, it can be
65535 bytes . HELEN and Total length can be used to calculate the
dimension of the payload. All hosts are required to be able to read
576-byte datagrams. However, if a datagram is too large for the
hosts in the network, the fragmentation method is widely used.
 Identification: Identification is a packet that is used to identify
fragments of an IP datagram uniquely. Some have recommended
 using this field for other things like adding information for packet
tracing, etc.
 IP Flags: Flag is a three-bit field that helps you to control and
identify fragments. The following can be their possible
configuration:

Bit 0: is reserved and has to be set to zero

Bit 1: means do not fragment

Bit 2: means more fragments.

 Fragment Offset: Fragment Offset represents the number of Data

Bytes ahead of the particular fragment in the specific Datagram. It
is specified in terms of the number of 8 bytes, which has a
maximum value of 65,528 bytes. use to identify the sequence of
fragments in the frame. It generally indicates a number of data
bytes preceding or ahead of the fragment.

 Time to live: It is an 8-bit field that indicates the maximum time the
Datagram will be live in the internet system. The time duration is
measured in seconds, and when the value of TTL is zero, the
Datagram will be erased. Every time a datagram is processed its
TTL value is decreased by one second. TTL are used so that
datagrams are not delivered and discarded automatically. The
value of TTL can be 0 to 255.
 Protocol: This IPv4 header is reserved to denote that internet
protocol is used in the latter portion of the Datagram. For Example,
6 number digit is mostly used to indicate TCP, and 17 is used to
denote the UDP protocol.
 Header Checksum: The next component is a 16 bits header
checksum field, which is used to check the header for any errors.
The IP header is compared to the value of its checksum. When the
header checksum is not matching, then the packet will be
discarded.
  Source Address: The source address is a 32-bit address of the
source used for the IPv4 packet.
 Destination address: The destination address is also 32 bit in size
stores the address of the receiver.
 IP Options: It is an optional field of IPv4 header used when the
value of IHL (Internet Header Length) is set to greater than 5. It
contains values and settings related with security, record route and
time stamp, etc. You can see that list of options component ends
with an End of Options or EOL in most cases.
 Data: This field stores the data from the protocol layer, which has
handed over the data to the IP layer.

IPv6 or Internet Protocol Version 6 is a network layer

protocol that allows communication to take place over the
network. IPv6 was designed by Internet Engineering Task
Force (IETF) in December 1998 with the purpose of
superseding the IPv4 due to the global exponentially
growing internet users.
IPv4 vs IPv6
The common type of IP address (is known as IPv4, for
“version 4”). Here’s an example of what an IP address might
look like:
25.59.209.224
An IPv4 address consists of four numbers, each of which
contains one to three digits, with a single dot (.)
separating each number or set of digits. Each of the four
numbers can range from 0 to 255. This group of separated
numbers creates the addresses that let you and everyone
around the globe to send and retrieve data over our
Internet connections. The IPv4 uses a 32-bit address scheme
allowing to store 2^32 addresses which is more than 4
billion addresses. To date, it is considered the primary
Internet Protocol and carries 94% of Internet traffic.
Initially, it was assumed it would never run out of
addresses but the present situation paves a new way to
IPv6, let’s see why? An IPv6 address consists of eight
groups of four hexadecimal digits. Here’s an example IPv6
address:
3001:0da8:75a3:0000:0000:8a2e:0370:7334
This new IP address version is being deployed to fulfil the
need for more Internet addresses. It was aimed to resolve
issues which are associated with IPv4. With 128-bit address
space, it allows 340 undecillion unique address space. IPv6
also called IPng (Internet Protocol next generation).
IPv6 support a theoretical maximum of 340, 282, 366, 920,
938, 463, 463, 374, 607, 431, 768, 211, 456. To keep it
straightforward, we will never run out of IP addresses
again.
Types of IPv6 Address
Now that we know about what is IPv6 address let’s take a
look at its different types.
 Unicast addresses It identifies a unique node on a
network and usually refers to a single sender or a
single receiver.
 Multicast addresses It represents a group of IP
devices and can only be used as the destination of a
datagram.
 Anycast addresses It is assigned to a set of
interfaces that typically belong to different nodes.
Advantages of IPv6
 Reliability
 Faster Speeds: IPv6 supports multicast rather than
broadcast in IPv4.This feature allows bandwidth-
intensive packet flows (like multimedia streams) to
be sent to multiple destinations all at once.
 Stronger Security: IPSecurity, which provides
confidentiality, and data integrity, is embedded
into IPv6.
 Routing efficiency
 Most importantly it’s the final solution for growing
nodes in Global-network.
Disadvantages of IPv6
 Conversion: Due to widespread present usage of IPv4
it will take a long period to completely shift to
IPv6.
  Communication: IPv4 and IPv6 machines cannot
communicate directly with each other. They need an
intermediate technology to make that possible.

List of IPv6 Header Format Components

There are two main parts to the IPv6 data packet that is header and payload. The header
of IPv6 is of fix length of 40 bytes which has the following fields:

Refer to the below image for the components of the IPv6 header

 Version
 Traffic Class
 Flow label:
 Payload Length (16-bits)
 Next Header (8-bits):
 Hop Limit (8-bits)
 Source Address (128 bits)
 Destination Address (128 bits)

IPv6 Fixed Header

The size of the IPv6 fixed header is 40 bytes long and IPv6 header format consists of the
following information:
Version (4-bits) :

It shows the version of internet protocol we used, i.e. 0110

Traffic Class (8-bits) :

This is an 8-bit field in which 8 bits are divided into two parts. The most significant 6-bit is for
the type of service so that the router will get to know about what services need to be provided to
the given packet. And for Explicit Congestion Notification (ECN), the least significant 2-bit is
used.

Flow Label (20-bits) :

This 20-bit is required for maintaining the sequential flow of packets related to a particular
communication. This field is also helpful in avoiding the reordering of packets. The source labels
the sequence to help the router so that it can identify that a particular packet is related to a
specific flow of data. It is generally used for real or streaming media.

Payload Length (16-bits) :

This field is used to help the router in knowing how much information is stored in the payload of
a particular packet.
Next Header (8-bits) :

This field is used to represent the type of extension header or if the extension header is not
present then it shows the Upper Layer PDU. The value for Upper Layer PDU is the same as that
of values in IPv4. The Extension Header contains optional information that helps routers
to understand how to handle a packet/flow.

Hop Limit (8-bits) :

Hop limit is a field in a header that stops the header to go into an infinite loop in the network. It
works the same as that of TTL in IPv4. When it passes a hop or router its value
is decremented by 1. The packet is discarded when it reaches 0.

Source Address (128-bits) :

This field provides the address from where the packet originates.

Destination Address (128-bits) :

The destination address is the address of the packet's intended recipient.

https://www.scaler.com/topics/ipv6-header-format/

There are two main advantages that Authentication Header

provides,
Message Integrity – It means, message is not

modified while coming from the source.
 Source Authentication – It means, the source is
exactly the source from whom we were expecting data.
Prerequisite: Internet Protocol version 6 (IPv6) Header IP
Authentication Header is used to provide connection-less
integrity and data origin authentication.
When packet is sent from source A to Destination B, it
consists of data that we need to send and header which
consist of information regarding packet. Authentication
Header verifies origin of data and also payload to confirm
if there has been modification done in between, during
transmission between source and destination. However, in
transit, values of some IP header fields might change
(like- Hop count, options, extension headers). So, values
of such fields cannot be protected from Authentication
header. Authentication header cannot protect every field of
IP header. It provides protection to fields which are
essential to be protected.
Authentication Header : The question may arise, that how IP
header will know that adjacent Extension header is
Authentication Header. Well, there is protocol field in IP
Header which tells type of header that is present in
packet. So, protocol field in IP Header should have value
of “51” in order to detect Authentication
Header.

1. Next Header – Next Header is 8-bit field that

identifies type of header present after
Authentication Header. In case of TCP, UDP or
destination header or some other extension header it
will store correspondence IP protocol number . Like,
number 4 in this field will indicate IPv4, number 41
will indicate IPv6 and number 6 will indicate TCP.
2. Payload Length – Payload length is length of
Authentication header and here we use scaling factor
of 4. Whatever be size of header, divide it by 4 and
then subtract by 2. We are subtracting by 2 because
we’re not counting first 8 bytes of Authentication
header, which is first two row of picture given
above. It means we are not including Next Header,
Payload length, Reserved and Security Parameter
index in calculating payload length. Like, say if
 payload length is given to be X. Then (X+2)*4 will
be original Authentication header length.
3. Reserved – This is 16-bit field which is set to
“zero” by sender as this field is reserved for
future use.
4. Security Parameter Index (SPI) – It is arbitrary 32-
bit field. It is very important field which
identifies all packets which belongs to present
connection. If we’re sending data from Source A to
Destination B. Both A and B will already know
algorithm and key they are going to use. So for
Authentication, hashing function and key will be
required which only source and destination will know
about. Secret key between A and B is exchanged by
method of Diffie Hellman algorithm. So Hashing
algorithm and secret key for Security parameter
index of connection will be fixed. Before data
transfer starts security association needs to be
established. In Security Association, both parties
needs to communicate prior to data exchange.
Security association tells what is security
parameter index, hashing algorithm and secret key
that are being used.
5. Sequence Number – This unsigned 32-bit field
contains counter value that increases by one for
each packet sent. Every packet will need sequence
number. It will start from 0 and will go till –
1 and there will be no wrap around. Say, if all
sequence numbers are over and none of it is left but
we cannot wrap around as it is not allowed. So, we
will end connection and re-establish connection
again to resume transfer of remaining data from
sequence number 0. Basically sequence numbers are
used to stop replay attack. In Replay attack, if
same message is sent twice or more, receiver won’t
be able to know if both messages are sent from a
single source or not. Say, I am requesting 100$ from
receiver and Intruder in between asked for another
100$. Receiver won’t be able to know that there is
intruder in between.
6. Authentication Data (Integrity Check Value)
– Authentication data is variable length field that
contains Integrity Check Value (ICV) for packet.
 Using hashing algorithm and secret key, sender will
create message digest which will be sent to
receiver. Receiver on other hand will use same
hashing algorithm and secret key. If both message
digest matches then receiver will accept data.
Otherwise, receiver will discard it by saying that
message has been modified in between. So basically,
authentication data is used to verify integrity of
transmission. Also length of Authentication data
depends upon hashing algorithm you choose.
Modes of operations in Authentication Header:
There are two modes in the authentication header
 Authentication Header Transport Mode:
 Authentication Header Tunnel Mode:
1. Authentication Header Transport Mode: In the
authentication header transport mode, it is lies
between the original IP Header and IP Packets
original TCP header.
2. Authentication Header Tunnel Mode: In this
authentication header tunnel mode, the original IP
packet is authenticated entire and the
authentication header is inserted between
the original IP header and new outer IP header.
Here, the inner IP header contains the ultimate
source IP address and destination IP
address. whereas the outer IP header contains
different IP address that is IP address of the
firewalls or other security gateways.
How does the header deals with Replay attack?
 In a replay attack, the attacker a copy of an
authenticated packet and then send to the intended
destination. As the same packet received twice, the
destination user can face some problems. To reduce
this problem, the authentication header use a
sequence number field.
 At this initial stage, the value of this field is
set to 0. whenever the sender sends the packets to
the same receiver over the same SA, it increments
the fields value by 1. If the number of packets over
the same increase this number, then communication
with the receiver sender must establishing a new SA
with the receiver.
 At the receiver side, the receiver maintains a
sliding window size to W. The default value of W is
64. This window right edge represents the highest
sequence number N received so far for a valid
packet.
When the receiver gets a packet from the sender,
it perform some action. The appropriate action
depends on the sequence number of the packet.
https://www.educba.com/authentication-header/

Encapsulation security payload, also abbreviated as ESP

plays a very important role in network security. ESP or
Encapsulation security payload is an individual protocol in
IPSec. ESP is responsible for the CIA triad of security
(Confidentiality, Integrity, Availability), which is
considered significant only when encryption is carried along
with them. Securing all payload/ packets/ content in IPv4
and IPv6 is the responsibility of ESP.
As the name suggests, it involves encapsulation of the
content/ payload encrypts it to suitable form and then there
a security check or authentication takes place for payload
in IP Network. Encryption/ encapsulation and security/
authentication make the payload extremely secure and safe
from any kind of harm or threat to content/ data/ payload
being stolen by any third party. The encryption process is
performed by authenticated user, similarly, the decryption
process is carried out only when the receiver is verified,
thus making the entire process very smooth and secure. The
entire encryption that is performed by ESP is carried on the
principle of the integrity of payload and not on the typical
IP header.

Working of ESP:

1. Encapsulating Security Payload supports both main

Transport layer protocols: IPv4 and IPv6 protocols.
2. It performs the functioning of encryption in headers
of Internet Protocol or in general say, it resides
and performs functions in IP Header.
3. One important thing to note here is that the insertion
of ESP is between Internet Protocol and other
protocols such as UDP/ TCP/ ICMP.

Modes in ESP:

Encapsulating Security Payload supports two modes, i.e.

Transport mode, and tunnel mode.
Tunnel mode:
1. Mandatory in Gateway, tunnel mode holds utmost
importance.
2. Here, a new IP Header is created which is used as the
outer IP Header followed by ESP.
Transport mode:
1. Here, IP Header is not protected via encryption or
authentication, making it vulnerable to threats
2. Less processing is seen in this mode, so the inclusion
of ESP is preferred

Advantages:

Below listed are the advantages of Encapsulating Security

Payload:
1. Encrypting data to provide security
2. Maintaining a secure gateway for data/ message
transmission
3. Properly authenticating the origin of data
4. Providing needed data integrity
5. Maintaining data confidentiality
 6. Helping with antireplay service using authentication
header

Disadvantages:

Below listed are the disadvantages of Encapsulating Security

Payload:
1. There is a restriction on the encryption method to be
used
2. For global use and implementation, weaker encryptions
are mandatory to use

Components of ESP:

An important point to note is that authentication and

security are not provided for the entire IP packet in
transport mode. On the other hand for the tunnel mode, the
entire IP packet along with the new packet header is
encapsulated.
ESP structure is composed of the following parts as shown
below :
 ESP Structure

The diagrammatic representation of ESP has the below-

mentioned components :
1. Security Parameter :
 Security parameters are assigned a size of 32 bits
for use
 Security Parameter is mandatory to security parameter
in ESP for security links and associations
2. Sequence Number:
 The sequence number is 32 bits in size and works as
an incremental counter.
 The first packet has a sequence number 1 assigned to
it whenever sent through SA
3. Payload Data:
  Payload data don’t have fixed size and are variable
in size to use
 It refers to the data/ content that is provided
security by the method of encryption
4. Padding:
 Padding has an assigned size of 0-255 bytes assigned
to it.
 Padding is done to ensure that the payload data which
needs to be sent securely fits into the cipher block
correctly, so for this padding payloads come to the
rescue.
5. Pad Length:
 Pad Length is assigned the size of 8 bits to use
 It is a measure of pad bytes that are preceding
6. Next Header:
 The next header is associated with a size of 8 bits
to use
 It is responsible for determining the data type of
payload by studying the first header of the payload
7. Authentication Data:
 The size associated with authentication data is
variable and never fixed for use-case
 Authentication data is an optional field that is
applicable only when SA is selected. It serves the
purpose of providing integrity
Ah protocol
PERPLEXITY

The Authentication Header (AH) protocol is a member of the IPsec protocol suite that provides
data origin authentication, data integrity, and replay protection

. AH ensures connectionless integrity by using a hash function and a secret shared key in the
AH algorithm

. AH authenticates the same IP datagram fields as the IP header

. AH is implemented in one way only: Authentication along with Integrity

. AH provides data integrity, data origin authentication, and an optional replay protection
service

. AH is used in two modes: transport mode and tunnel mode

. In transport mode, some fields in the IP header change en-route and their value cannot be
predicted by the receiver. These fields are called mutable and they are not protected by AH

. Mutable IPv4 fields include Type of service (TOS), Flags, Fragment offset, Time to live (TTL), and
Header checksum

. AH is used to provide integrity and authentication to IP datagrams, and replay protection is

also possible

. The choice of authentication protocol depends on the specific needs of the organization or
system, and the type of information needed for authentication.
Encapsulating Security Payload (ESP) provides all encryption
services in IPSec based on integrity for the payload and not for
the IP header, confidentiality and authentication that using
encryption, without authentication is strongly discouraged because
it is insecure.
Any translations in readable message format into an unreadable
format are encrypted and used to hide the message content against
data tampering.
IPSec provides an open framework, such as SHA and MD5 for
implementing industry standard algorithms.
Encryption/decryption allows only the sender and the authorised
receiver to make the data to be received in readable form and only
after the integrity verification process is complete, the data
payload in the packet is decrypted.
IPSec uses a unique identifier for each packet, which is a data
equivalent of a fingerprint and checks for packets that are
authorised or not. It doesn't sign the entire packet unless it is
being tunnelled—ordinarily, for this IP data payload is protected,
not the IP header. In Tunnel Mode, where the entire original IP
packet is encapsulated with a new packet header added.
ESP in transport mode does not provide integrity and
authentication for the entire IP packet.

https://www.tutorialspoint.com/internet-security-association-and-key-management-protocol-
isakmp
What is VPN? How It Works, Types of VPN

VPN stands for "Virtual Private Network" and describes the opportunity to establish a
protected network connection when using public networks. VPNs encrypt your internet
traffic and disguise your online identity. This makes it more difficult for third parties to
track your activities online and steal data. The encryption takes place in real time.
How does a VPN work?
A VPN hides your IP address by letting the network redirect it through a specially
configured remote server run by a VPN host. This means that if you surf online with a
VPN, the VPN server becomes the source of your data. This means your Internet
Service Provider (ISP) and other third parties cannot see which websites you visit or
what data you send and receive online. A VPN works like a filter that turns all your data
into "gibberish". Even if someone were to get their hands on your data, it would be
useless.

What are the benefits of a VPN connection?

A VPN connection disguises your data traffic online and protects it from external
access. Unencrypted data can be viewed by anyone who has network access and
wants to see it. With a VPN, hackers and cyber criminals can’t decipher this data.
Secure encryption: To read the data, you need an encryption key . Without one, it
would take millions of years for a computer to decipher the code in the event of a brute
force attack . With the help of a VPN, your online activities are hidden even on public
networks.
Disguising your whereabouts : VPN servers essentially act as your proxies on the
internet. Because the demographic location data comes from a server in another
country, your actual location cannot be determined. In addition, most VPN services do
not store logs of your activities. Some providers, on the other hand, record your
behavior, but do not pass this information on to third parties. This means that any
potential record of your user behavior remains permanently hidden.
Access to regional content: Regional web content is not always accessible from
everywhere. Services and websites often contain content that can only be accessed
from certain parts of the world. Standard connections use local servers in the country to
determine your location. This means that you cannot access content at home while
traveling, and you cannot access international content from home. With VPN location
spoofing , you can switch to a server to another country and effectively “change” your
location.
Secure data transfer: If you work remotely, you may need to access important files on
your company’s network. For security reasons, this kind of information requires a secure
connection. To gain access to the network, a VPN connection is often required. VPN
services connect to private servers and use encryption methods to reduce the risk of
data leakage.

Why should you use a VPN connection?

Your ISP usually sets up your connection when you connect to the internet. It tracks you
via an IP address. Your network traffic is routed through your ISP's servers, which can
log and display everything you do online.

Your ISP may seem trustworthy, but it may share your browsing history with advertisers,
the police or government, and/or other third parties. ISPs can also fall victim to attacks
by cyber criminals: If they are hacked, your personal and private data can be
compromised.
This is especially important if you regularly connect to public Wi-Fi networks. You never
know who might be monitoring your internet traffic and what they might steal from you,
including passwords, personal data, payment information, or even your entire identity.

What should a good VPN do?

You should rely on your VPN to perform one or more tasks. The VPN itself should also
be protected against compromise. These are the features you should expect from a
comprehensive VPN solution:

 Encryption of your IP address: The primary job of a VPN is to hide your IP address
from your ISP and other third parties. This allows you to send and receive information
online without the risk of anyone but you and the VPN provider seeing it.
 Encryption of protocols: A VPN should also prevent you from leaving traces, for
example, in the form of your internet history, search history and cookies. The encryption
of cookies is especially important because it prevents third parties from gaining access
to confidential information such as personal data, financial information and other content
on websites.
 Kill switch: If your VPN connection is suddenly interrupted, your secure connection will
also be interrupted. A good VPN can detect this sudden downtime and terminate
preselected programs, reducing the likelihood that data is compromised.
 Two-factor authentication: By using a variety of authentication methods, a strong VPN
checks everyone who tries to log in. For example, you might be prompted to enter a
password, after which a code is sent to your mobile device. This makes it difficult for
uninvited third parties to access your secure connection.
The history of VPNs
Since humans have been using the internet, there has been a movement to protect and
encrypt internet browser data. The US Department of Defense already got involved in
projects working on the encryption of internet communication data back in the 1960s.

The predecessors of the VPN

Their efforts led to the creation of ARPANET (Advanced Research Projects Agency
Network), a packet switching network, which in turn led to the development of the
Transfer Control Protocol/Internet Protocol (TCP/IP).
The TCP/IP had four levels: Link, internet, transport and application. At the internet
level, local networks and devices could be connected to the universal network – and this
is where the risk of exposure became clear. In 1993, a team from Columbia University
and AT&T Bell Labs finally succeeded in creating a kind of first version of the modern
VPN, known as swIPe: Software IP encryption protocol.

In the following year, Wei Xu developed the IPSec network, an internet security protocol
that authenticates and encrypts information packets shared online. In 1996, a Microsoft
employee named Gurdeep Singh-Pall created a Peer-to-Peer Tunneling Protocol
(PPTP).
Early VPNs

Contiguous to Singh-Pall developing PPTP, the internet was growing in popularity and
the need for consumer-ready, sophisticated security systems emerged. At that time,
anti-virus programs were already effective in preventing malware and spyware from
infecting a computer system. However, people and companies also started demanding
encryption software that could hide their browsing history on the internet.

The first VPNs therefore started in the early 2000s, but were almost exclusively used by
companies. However, after a flood of security breaches, especially in the early 2010s,
the consumer market for VPNs started to pick up.

VPNs and their current use

According to the GlobalWebIndex, the number of VPN users worldwide increased

more than fourfold between 2016 and 2018. In countries such as Thailand, Indonesia
and China, where internet use is restricted and censored, one in fiveinternet
users uses a VPN. In the USA, Great Britain and Germany, the proportion of VPN
users is lowerat around 5%, but is growing.

One of the biggest drivers for VPN adoption in recent years has been the increasing
demand for content with geographical access restrictions. For example, video streaming
services such as Netflix or YouTube make certain videos available only in certain
countries. With contemporary VPNs, you can encrypt your IP address so that you
appear to be surfing from another country, enabling you to access this content from
anywhere.

Here’s how to surf securely with a VPN

A VPN encrypts your surfing behavior, which can only be decoded with the help of a
key. Only your computer and the VPN know this key, so your ISP cannot recognize
where you are surfing. Different VPNs use different encryption processes, but generally
function in three steps:

1. Once you are online, start your VPN. The VPN acts as a secure tunnel between you and
the internet. Your ISP and other third parties cannot detect this tunnel.
2. Your device is now on the local network of the VPN, and your IP address can be
changed to an IP address provided by the VPN server.
3. You can now surf the internet at will, as the VPN protects all your personal data.

types of vpn
PERPLEXITY
There are several types of VPNs available, each with its own set of features and benefits.
Here are some of the most common types of VPNs:
1. Remote access VPNs: This type of VPN allows users to connect to a private
network from a remote location, such as their home or a public Wi-Fi hotspot.
Remote access VPNs are commonly used by employees to access their
company's network securely.
2. Site-to-site VPNs: This type of VPN connects two or more networks together over
the internet, allowing them to share resources and communicate securely. Site-
to-site VPNs are commonly used by businesses with multiple locations.
3. Mobile VPNs: This type of VPN is designed for use on mobile devices, such as
smartphones and tablets. Mobile VPNs allow users to access their company's
network securely while on the go.
4. Personal VPNs: This type of VPN is designed for individual use and is typically
used to protect online privacy and security. Personal VPNs are commonly used by
individuals who want to access content that is restricted in their country or
region.
5. Access control VPNs: This type of VPN is used to control access to specific
resources on a network. Access control VPNs are commonly used by businesses
to restrict access to sensitive data.
6. Premium, budget, or free VPNs: VPNs can also be classified based on their pricing
model. Premium VPNs offer more features and better security, while budget
VPNs are more affordable but may have fewer features. Free VPNs are available
but may not offer the same level of security and privacy as paid VPNs.
There are also different VPN protocols, including OpenVPN, IPSec/IKEv2, WireGuard,
SSTP, L2TP/IPSec, and PPTP. The choice of VPN type and protocol depends on the
specific needs of the organization or individual, such as the level of security required,
the number of users, and the devices being used.
PERPLEXITY

Web security refers to the protective measures and protocols that organizations adopt to
protect their networks, computer systems, and websites from cyber threats and attacks

. Web security is crucial to business continuity and protecting data, users, and companies from
risk. Web security includes website security, cloud security, and web application security, which
defend cloud services and web-based applications, respectively

. There are several factors that go into web security and web protection, including data origin
authentication, data integrity, and replay protection

. Web security threats are vulnerabilities within websites and applications, or attacks launched
by malicious actors, designed to breach an organization's security defenses, enabling hackers
and cybercriminals to control systems, access data, and steal valuable resources.

.There are several types of VPNs available, including remote access VPNs, site-to-site VPNs,
mobile VPNs, personal VPNs, access control VPNs, and premium, budget, or free VPNs

. The choice of VPN type and protocol depends on the specific needs of the organization or
individual, such as the level of security required, the number of users, and the devices being
used.Web security is a broad category of security solutions that protect users, devices, and
wider networks against internet-based cyberattacks, such as malware, phishing, and other types
of cyber threats

. Web security solutions secure servers or user endpoints as well as the traffic that moves
between those and the internet. Web security is important for modern enterprises, and it is the
first line of defense against threats that can lead to the exposure of sensitive data, costly
ransoms, reputational harm, compliance violations, and a host of other consequences

.There are several resources available for learning about web security, including free online
training centers like the Web Security Academy, which offers interactive labs and progress-
tracking

. Other resources include online courses like Web Security Fundamentals, which introduces
learners to the web security landscape and provides an overview of current best practices for
securing web applications
What is a secure sockets layer?
Secure sockets layer (SSL) is a networking protocol designed for securing
connections between web clients and web servers over an insecure network, such as
the internet. Netscape formally introduced the SSL protocol in 1995, making it the
first widely used protocol for securing online transactions between consumers and
businesses. It eventually came to be used to secure authentication and encryption for
other applications at the network transport layer.

SSL suffered from numerous problems, and the Internet Engineering Task Force
(IETF) stopped recommending its use in 2015. It was replaced by the Transport Layer
Security (TLS) protocol. While SSL is still in use today, mostly in legacy systems,
TLS has taken over its role in securing internet connections.

In addition to securing internet connections, SSL was also used to authenticate and
encrypt other applications at the network transport layer. SSL typically involved
securing connections between a web browser (client) and a website (server). It
facilitated safe transactions between consumers and businesses, helping create the
foundation for e-commerce. Without SSL, data sent to and from a website could be
intercepted by a threat actor.

SSL uses public key and private key encryption and other cryptographic functions to
secure connections between devices communicating over a TCP/IP network. SSL can
scramble clear text entered on a website using asymmetric cryptography and public
key encryption. It is just one of the ways in which public key infrastructure (PKI) is
used by modern businesses.

Why is SSL important?

Part of SSL's significance lies in the fact that it was the first widely used and broadly
implemented network protocol to enable cryptographically secured communications
between client and server systems.
Netscape initially launched SSL as a proprietary protocol. The web server software
company then published the protocol and made it available for other companies to
implement. By making the protocol accessible to its competitors, Netscape expanded
its share of the web server market and also ensured the SSL protocol would become
an IETF proposed standard.

SSL became a key part of internet security because of problems with Hypertext
Transfer Protocol (HTTP), the framework used to connect web clients to web servers.
HTTP uses public networks and lacks encryption, making it vulnerable. Malicious
actors can easily read or extract names, addresses, credit card numbers and
other personally identifiable information sent to a website. This is why HTTP over
SSL (HTTPS), also known as HTTP Secure, has emerged as HTTP's more secure
successor.

Most websites today display the prefix HTTPS at the beginning of their web address.
The "s" indicates to the visitor that the site uses SSL or TLS to secure its user activity.

How the SSL certificate is obtained

The SSL protocol process starts with a company acquiring a valid SSL
certificate from a trusted certificate authority (CA). The purpose of the SSL certificate
is to confirm to the user and the web browser they're using that they are interacting
with the desired web server and not an imposter.

Let's say that a company, Brand A, wants to launch a secure website where users can
safely order its products without putting themselves at risk of having their information
stolen. Brand A decides to use SSL on its website. It coordinates with a reputable CA,
such as Comodo SSL or DigiCert to get an SSL certificate for its website.

The digital certificate includes the following:

 the person, organization or device to which the certificate was issued;

  the certificate thumbprint -- a hash of all the certificate data and its
signature;

 the SSL or TLS version being used;

 the domain name it was issued under;

 any associated subdomains

 the name of the CA issuing it;

 the CA's digital signature;

 the certificate's issue and expiration dates;

 the public key; and

 an associated private key that is kept secret.

Brand A's digital certificate not only confirms to clients that Brand A owns its
specified domain; it also verifies that Brand A is reputable by referencing the SSL
certificate's CA details. This lets the customer and the web browser they're using
know that the site can be trusted. Websites that are secured with SSL or TLS will
usually display a lock symbol next to the web domain. Search engines will rank these
sites higher on their results pages based on this additional user security.

The public and private security keys generated by this process are unique and
mathematically related. These two keys make this cryptographic method asymmetric;
because without the private key, information encrypted using the public key cannot be
decoded.

In the case of SSL and PKI, the public key and the private key act as the encryptor
and the decryptor, respectively. The private key can only decrypt data that has been
encrypted by the public key. Think of it like a door that can only be locked with a
public key and unlocked with a private key.
The public key gets its name because it is distributed publicly and its utility is
negligible without access to the private key. The private key is kept secret by the web
server, or Brand A in this example.

The key
components of PKI include the digital certificate, the certificate authority, the registration authority and
the certificate database. Find out more about each of these.

Steps involved in the secure sockets layer process

There are several steps involved in the SSL process, including the following:

 Initial connection. When a user -- say a customer -- logs onto Brand A's
website, the web browser indicates to Brand A's server that a user wants to
establish a private connection. After receiving this notification, the Brand A
server sends over its SSL certificate, which includes its public key.

 Certificate authentication. As part of the initial handshake process, Brand

A's server presents its SSL certificate to authenticate itself to the client. In
this case, that would be the customer's web browser. Server certificates
follow the 509 certificate format defined by the Public Key Cryptography
Standards. The web browser analyzes the certificate to verify that the
customer is interacting with the intended server. Public key encryption is
used to validate the digital certificate and to verify that a server is what it
 claims to be. Most web browsers will implicitly trust SSL certificates that
have been issued by a CA, as a way of expediting the process.

 Once the browser, or client, has authenticated the web server and its
certificate, it encrypts the user's message using Brand A's public key. The
message is then sent to Brand A's server.

 Brand A's server decrypts the message using its own private key. The
message includes a symmetric session key to establish a two-way
handshake between the two entities.

 Cipher settings and shared encryption key. Once the server has been
authenticated, the client and server establish cipher settings and a shared
key to encrypt the information they exchange during the remainder of the
session. This provides data confidentiality and integrity. This process is
invisible to the customer. For example, if a webpage requires an SSL
connection, the URL will change from HTTP to HTTPS, and a padlock icon
will appear in the browser once the server has been authenticated.

 Client authentication. The handshake also allows the client to authenticate

itself to the server. In this case, after server authentication is complete, the
client must present its certificate to the server to authenticate the client's
identity before the encrypted SSL session can be established.
 How the client
and server negotiate transmission of SSL certificates.

What is SSL?
SSL, or Secure Sockets Layer, is an encryption-based Internet security protocol. It was
first developed by Netscape in 1995 for the purpose of ensuring privacy, authentication,
and data integrity in Internet communications. SSL is the predecessor to the
modern TLS encryption used today.

A website that implements SSL/TLS has "HTTPS" in its URL instead of "HTTP."
How does SSL/TLS work?
 In order to provide a high degree of privacy, SSL encrypts data that is transmitted
across the web. This means that anyone who tries to intercept this data will only see
a garbled mix of characters that is nearly impossible to decrypt.

 SSL initiates an authentication process called a handshake between two

communicating devices to ensure that both devices are really who they claim to be.

 SSL also digitally signs data in order to provide data integrity, verifying that the data
is not tampered with before reaching its intended recipient.

There have been several iterations of SSL, each more secure than the last. In 1999 SSL
was updated to become TLS.

Why is SSL/TLS important?

Originally, data on the Web was transmitted in plaintext that anyone could read if they
intercepted the message. For example, if a consumer visited a shopping website, placed
an order, and entered their credit card number on the website, that credit card number
would travel across the Internet unconcealed.

SSL was created to correct this problem and protect user privacy. By encrypting any data
that goes between a user and a web server, SSL ensures that anyone who intercepts the
data can only see a scrambled mess of characters. The consumer's credit card number is
now safe, only visible to the shopping website where they entered it.

SSL also stops certain kinds of cyber attacks: It authenticates web servers, which is
important because attackers will often try to set up fake websites to trick users and steal
data. It also prevents attackers from tampering with data in transit, like a tamper-proof
seal on a medicine container.
Are SSL and TLS the same thing?
SSL is the direct predecessor of another protocol called TLS (Transport Layer Security). In
1999 the Internet Engineering Task Force (IETF) proposed an update to SSL. Since this
update was being developed by the IETF and Netscape was no longer involved, the
name was changed to TLS. The differences between the final version of SSL (3.0) and the
first version of TLS are not drastic; the name change was applied to signify the change in
ownership.

Since they are so closely related, the two terms are often used interchangeably and
confused. Some people still use SSL to refer to TLS, others use the term "SSL/TLS
encryption" because SSL still has so much name recognition.

Is SSL still up to date?

SSL has not been updated since SSL 3.0 in 1996 and is now considered to be
deprecated. There are several known vulnerabilities in the SSL protocol, and security
experts recommend discontinuing its use. In fact, most modern web browsers no longer
support SSL at all.

TLS is the up-to-date encryption protocol that is still being implemented online, even
though many people still refer to it as "SSL encryption." This can be a source of
confusion for someone shopping for security solutions. The truth is that any vendor
offering "SSL" these days is almost certainly providing TLS protection, which has been an
industry standard for over 20 years. But since many folks are still searching for "SSL
protection," the term is still featured prominently on many product pages.

What is an SSL certificate?

SSL can only be implemented by websites that have an SSL certificate (technically a "TLS
certificate"). An SSL certificate is like an ID card or a badge that proves someone is who
they say they are. SSL certificates are stored and displayed on the Web by a website's or
application's server.

One of the most important pieces of information in an SSL certificate is the website's
public key. The public key makes encryption and authentication possible. A user's device
views the public key and uses it to establish secure encryption keys with the web server.
Meanwhile the web server also has a private key that is kept secret; the private key
decrypts data encrypted with the public key.

Certificate authorities (CA) are responsible for issuing SSL certificates.

What are the types of SSL certificates?

There are several different types of SSL certificates. One certificate can apply to a single
website or several websites, depending on the type:

 Single-domain: A single-domain SSL certificate applies to only one domain (a

"domain" is the name of a website, like www.cloudflare.com).

 Wildcard: Like a single-domain certificate, a wildcard SSL certificate applies to only

one domain. However, it also includes that domain's subdomains. For example, a
wildcard certificate could cover www.cloudflare.com, blog.cloudflare.com, and
developers.cloudflare.com, while a single-domain certificate could only cover the
first.

 Multi-domain: As the name indicates, multi-domain SSL certificates can apply to

multiple unrelated domains.

SSL certificates also come with different validation levels. A validation level is like a
background check, and the level changes depending on the thoroughness of the check.

 Domain Validation: This is the least-stringent level of validation, and the cheapest.
All a business has to do is prove they control the domain.
  Organization Validation: This is a more hands-on process: The CA directly contacts
the person or business requesting the certificate. These certificates are more
trustworthy for users.

Extended Validation: This requires a full background check of an organization before

the SSL certificate can be issued. Establishment of SSL Session
As discussed above, there are four phases of SSL session
establishment. These are mainly handled by SSL Handshake protocol.
Phase 1 − Establishing security capabilities.
 This phase comprises of exchange of two messages
– Client_hello and Server_hello.

 Client_hello contains of list of cryptographic

algorithms supported by the client, in decreasing order
of preference.
 Server_hello contains the selected Cipher Specification
(CipherSpec) and a new session_id.
 The CipherSpec contains fields like −
o Cipher Algorithm (DES, 3DES, RC2, and RC4)
o MAC Algorithm (based on MD5, SHA-1)
o Public-key algorithm (RSA)
o Both messages have “nonce” to prevent replay
attack.
Phase 2 − Server authentication and key exchange.
  Server sends certificate. Client software comes
configured with public keys of various “trusted”
organizations (CAs) to check certificate.
 Server sends chosen cipher suite.
 Server may request client certificate. Usually it is not
done.
 Server indicates end of Server_hello.
Phase 3 − Client authentication and key exchange.

 Client sends certificate, only if requested by the

server.
 It also sends the Pre-master Secret (PMS) encrypted with
the server’s public key.
 Client also sends Certificate_verify message if
certificate is sent by him to prove he has the private
key associated with this certificate. Basically, the
client signs a hash of the previous messages.
Phase 4 − Finish.
  Client and server send Change_cipher_spec messages to
each other to cause the pending cipher state to be copied
into the current state.
 From now on, all data is encrypted and integrity
protected.
 Message “Finished” from each end verifies that the key
exchange and authentication processes were successful.

https://www.geeksforgeeks.org/secure-socket-layer-ssl/
Email (short for electronic mail ) is a digital method by
using it we exchange messages between people over the
internet or other computer networks. With the help of this,
we can send and receive text-based messages, often an
attachment such as documents, images, or videos, from one
person or organization to another.
It was one of the first applications developed for the
internet and has since become one of the most widely used
forms of digital communication. It has an essential part of
personal and professional communication, as well as in
marketing, advertising, and customer support.
In this article, we will understand the concept of email
security, how we can protect our email, email security
policies, and email security best practices, and one of the
features of email is an email that we can use to protect the
email from unauthorized access.
Email Security:
Basically, Email security refers to the steps where we
protect the email messages and the information that they
contain from unauthorized access, and damage. It involves
ensuring the confidentiality, integrity, and availability of
email messages, as well as safeguarding against phishing
attacks, spam, viruses, and another form of malware. It can
be achieved through a combination of technical and non-
technical measures.
Some standard technical measures include the encryption of
email messages to protect their contents, the use of digital
signatures to verify the authenticity of the sender, and
email filtering systems to block unwanted emails and malware,
and the non-technical measures may include training
employees on how to recognize and respond to phishing attacks
and other email security threats, establishing policies and
procedures for email use and management, and conducting
regular security audits to identify and address
vulnerabilities.
We can say that email security is important to protect
sensitive information from unauthorized access and ensure
the reliability and confidentiality of electronic
communication.
Steps to Secure Email:

We can take the following actions to protect our email.

 Choose a secure password that is at least 12
characters long, and contains uppercase and lowercase
letters, digits, and special characters.
 Activate the two-factor authentication, which adds an
additional layer of security to your email account by
requiring a code in addition to your password.
 Use encryption, it encrypts your email messages so
that only the intended receiver can decipher them.
Email encryption can be done by using the programs
like PGP or S/MIME.
 Keep your software up to date. Ensure that the most
recent security updates are installed on your
operating system and email client.
 Beware of phishing scams: Hackers try to steal your
personal information by pretending as someone else in
phishing scams. Be careful of emails that request
private information or have suspicious links because
these are the resources of the phishing attack.
 Choose a trustworthy email service provider: Search
for a service provider that protects your data using
encryption and other security measures.
 Use a VPN: Using a VPN can help protect our email by
encrypting our internet connection and disguising our
IP address, making it more difficult for hackers to
intercept our emails.
 Upgrade Your Application Regularly: People now
frequently access their email accounts through apps,
although these tools are not perfect and can be taken
advantage of by hackers. A cybercriminal might use a
vulnerability, for example, to hack accounts and steal
data or send spam mail. Because of this, it’s
important to update your programs frequently.
PGP
o PGP stands for Pretty Good Privacy (PGP) which is invented by Phil Zimmermann.
o PGP was designed to provide all four aspects of security, i.e., privacy, integrity,
authentication, and non-repudiation in the sending of email.
o PGP uses a digital signature (a combination of hashing and public key encryption) to
provide integrity, authentication, and non-repudiation. PGP uses a combination of secret
key encryption and public key encryption to provide privacy. Therefore, we can say that
the digital signature uses one hash function, one secret key, and two private-public key
pairs.
o PGP is an open source and freely available software package for email security.
o PGP provides authentication through the use of Digital Signature.
o It provides confidentiality through the use of symmetric block encryption.
o It provides compression by using the ZIP algorithm, and EMAIL compatibility using the
radix-64 encoding scheme.

Following are the steps taken by PGP to create secure e-mail

at the sender site:
o The e-mail message is hashed by using a hashing function to create a digest.
o The digest is then encrypted to form a signed digest by using the sender's private key, and
then signed digest is added to the original email message.
o The original message and signed digest are encrypted by using a one-time secret key
created by the sender.
o The secret key is encrypted by using a receiver's public key.
o Both the encrypted secret key and the encrypted combination of message and digest are
sent together.
PGP at the Sender site (A)

Following are the steps taken to show how PGP uses hashing
and a combination of three keys to generate the original
message:
o The receiver receives the combination of encrypted secret key and message digest is
received.
o The encrypted secret key is decrypted by using the receiver's private key to get the one-
time secret key.
o The secret key is then used to decrypt the combination of message and digest.
o The digest is decrypted by using the sender's public key, and the original message is
hashed by using a hash function to create a digest.
o Both the digests are compared if both of them are equal means that all the aspects of
security are preserved.
PGP at the Receiver site (B)

Disadvantages of PGP Encryption

o The Administration is difficult: The different versions of PGP complicate the
administration.
o Compatibility issues: Both the sender and the receiver must have compatible versions of
PGP. For example, if you encrypt an email by using PGP with one of the encryption
technique, the receiver has a different version of PGP which cannot read the data.
o Complexity: PGP is a complex technique. Other security schemes use symmetric
encryption that uses one key or asymmetric encryption that uses two different keys. PGP
uses a hybrid approach that implements symmetric encryption with two keys. PGP is more
complex, and it is less familiar than the traditional symmetric or asymmetric methods.
o No Recovery: Computer administrators face the problems of losing their passwords. In
such situations, an administrator should use a special program to retrieve passwords. For
example, a technician has physical access to a PC which can be used to retrieve a password.
However, PGP does not offer such a special program for recovery; encryption methods are
very strong so, it does not retrieve the forgotten passwords results in lost messages or lost
files.
Pretty Good Privacy (PGP)






By

 Peter Loshin, Former Senior Technology Editor

 Rob Wright, News Director

What is Pretty Good Privacy (PGP)?

Pretty Good Privacy or PGP was a popular program used to encrypt and
decrypt email over the internet, as well as authenticate messages with digital
signatures and encrypted stored files. PGP now commonly refers to
any encryption program or application that implements the OpenPGP public
key cryptography standard.

PGP was initially brought out as freeware and later as a low-cost commercial
product. First published by Philip R. Zimmermann in 1991, it was once the
most used privacy program and a de facto email encryption standard.

The original freeware and commercial versions of PGP are no longer

available. Ownership of the program shifted several times before its eventual
demise. Zimmerman originally owned PGP, and later PGP Inc., the company
he founded to market PGP, took over ownership. Network Associates Inc.
(NAI) acquired PGP Inc. in 1997. Other companies that have marketed some
or all of the PGP technologies include the following:
  Broadcom

 Intel

 McAfee Associates

 PGP Corp.

 Symantec

 Townsend Security

While it may no longer be simple to acquire a new copy of the original PGP
program, the Internet Engineering Task Force (IETF) has published
PGP protocols as internet standards since 1996. Both open source and
commercial implementations of the OpenPGP protocol are widely available.
The GNU Privacy Guard (GPG) implementation is published under the GNU
Public License (GPL).

In 2015, it was reported that Zimmermann no longer used PGP because

working versions were not available for any of his devices.

The Pretty Good Privacy trademark was abandoned as of April 2020.

Implementations of the OpenPGP specification now often refer to their
implementations of the protocol as Pretty Good Privacy or simply PGP.

How does PGP work?

Pretty Good Privacy uses a variation of the public key system. In this system,
each user has an encryption key that is publicly known and a secret or private
key that is known only to that user. Users encrypt a message they send to
someone else using that person's public PGP key. When the recipient
receives the message, they decrypt it using their private key.

Encrypting an entire message using public key encryption can consume

excessive amounts of resources. As a result, PGP uses a symmetric key
encryption algorithm to encrypt the message and then uses the public key to
encrypt that symmetric encryption key. Both the encrypted message and the
encrypted symmetric encryption key are sent to the recipient, who first uses
their private key to decrypt the short key and then uses that key to decrypt the
message.

The original PGP program was offered in two versions, one using the Rivest-
Shamir-Adleman (RSA) algorithm for key exchange, and one using the Diffie-
Hellman algorithm for key exchange. PGP was required to pay a license fee to
RSA for the RSA version. That version used the International Data Encryption
Algorithm to generate a short key for the entire message and RSA to encrypt
the short key. The Diffie-Hellman version used the CAST algorithm for the
short key to encrypt the message and the Diffie-Hellman algorithm to encrypt
the short key.

When sending digital signatures, PGP uses an efficient algorithm that

generates a hash (a mathematical summary) from the user's name and other
signature information. This hash code is then encrypted with the sender's
private key. The receiver uses the sender's public key to decrypt the hash
code. If it matches the hash code sent as the digital signature for the
message, the receiver is sure that the message has arrived securely from the
stated sender. PGP's RSA version used the MD5 algorithm to generate the
hash code. PGP's Diffie-Hellman version used the SHA-1 algorithm to
generate the hash code; neither of those hashing algorithms is considered
secure today.
 Find out
how a PGP transaction works with this step-by-step example.

How to get PGP

To get a Pretty Good Privacy program, users must download or buy it and
install it on their computer system. It typically contains a user interface that
works with the user's email program. The public key that the PGP program
provides must be registered with a PGP public-key server so that people
exchanging messages with the user will be able to find it.

PGP software that supports the OpenPGP protocol can be a standalone

application like GPG, or it may be a front-end
interface, applet or plugin implementing the protocol. In most cases, PGP
software is packaged as part of an email client or web browser.

PGP concepts
PGP depends on some concepts that enable users to easily access and share
public keys, and to transmit cryptographic information across networks and
systems. Important terms include the following:

 Alice and Bob are names assigned to generic actors in

cryptographic processes. Alice, Bob and other generic actor names
are often used when illustrating cryptographic exchanges like those
used by PGP.
 Web of trust is a concept used to describe the way trust is
established in public keys. A PGP user can try to establish trust
directly with every key holder they interact with. In those cases
where trust is established, they may also be willing to sign those
keys to signify that they have authenticated the key pair and its
holder. The PGP user can also accept trust in key holders that
certain other PGP users have already signed to indicate they are
trustworthy. If Alice accepts that Bob is sufficiently trustworthy in how
carefully he vets the public keys he accepts as authenticated, then
Alice can also trust those other public keys that Bob trusts.

 Implicit trust is one of the two different types of trust that can be
established through the web of trust. Implicit trust is used when Alice
signs Bob's public key pair. This indicates that Alice has vetted Bob --
and his private and public keys and his email address -- and is willing
to assert (through her own signature) that she found Bob to be who
he says he is and that the email and key pair are under Bob's
control.

 Explicit trust is the other type of trust established through the web
of trust. It occurs when Carlos, a third generic user, is willing to trust
Alice's judgement about other individuals whose keys she has
signed. Carlos can use explicit trust in Alice to accept that Bob's
public key pair is also valid.

 Key signing is the PGP function that enables one person to

announce that they have verified the person who claims to own the
public key pair. PGP creator Zimmermann stresses verifying the
following:

 The key you are signing should be verified as controlled by the

person who claims it.
  The identity of the key holder should be verified with at least one
form of photo ID. Even friends or coworkers should be formally
identified if you have never previously seen that person's ID.

 Email and private key ownership should be verified. The email

address in the signed key should be verified as the correct one for
the person claiming the key pair.

 ASCII armor, also known as Radix-64 encoding, is a way of

formatting encrypted data in a printable format. PGP
uses ASCII armor to format data in a way that resists the introduction
of errors through different computer formats as the data transits the
internet. ASCII armor uses only ASCII characters and header and
footer blocks to identify the start and finish of the armored data.

 Session key is a symmetric encryption key used for just one

encryption session.
What is PGP used for?
There are two main reasons to use PGP.

1. Encryption. PGP enables encryption of sensitive information or data

whether it is a file, email or message. A PGP user can secure data
through encryption, in a format that is easily transmitted but that can
only be decrypted with the recipient's secret key.

2. Authentication. PGP enables digital signing of a message, file or

email -- whether encrypted or not. The recipient uses the signer's
public key to authenticate the digital signature.

More specifically, PGP software enables users to do all basic PGP

transactions, including the following functions:

 creating a PGP public key pair;

 revoking a PGP public key pair, so that others will no longer use it;
  key server functions, like specifying a default key server and
registering key pairs;

 encrypting a message or file;

 decrypting a message or file;

 digitally signing a message or file;

 authenticating a digital signature;

 signing a public key; and

 key management.

Different OpenPGP implementations have different -- but similar -- processes

for each of these functions.

PGP is used mostly to encrypt or digitally sign emails, though it can also be
used to do the following:

 Encrypt and digitally sign transmissions in messaging

applications. PGP has been implemented as an applet or an add-on
to messaging applications. The basic GPG implementation operates
at the command line, but numerous projects and some products act
as a graphical user interface (GUI) front end for GPG.

 Encrypt and digitally sign disk drives. Depending on the OS,

PGP-based applications are available for encrypting disk volumes.

 Scripts and application programming interfaces (API)s for

programming with PGP. Developers can use scripts of
cryptographic processes. Many of these common but complicated
scripts are available online. Users can also develop their own scripts
or use APIs to integrate PGP support into their customized
applications.
PGP's challenges
PGP's success was largely a result of offering early users access to strong
cryptography with little or no investment in software licenses. However,
implementing and using PGP can be challenging for the following reasons:

 Usability. PGP implementations tend to be difficult to use, whether

at the command line or in a GUI.

 Conceptual complexity. New users often have difficulty

understanding key PGP concepts and processes.

 Decentralized infrastructure. Using a web of trust can pose a

problem when there are not enough participants in the larger general
population.

While most users do not use PGP, there is still enough of a user base to fuel
continued development of OpenPGP-compliant implementations and related
applications.

PGP vs. OpenPGP and GNU Privacy Guard

Although originally conceived of as proprietary software, PGP became popular
with computer professionals and organizations in the 1990s. After being
published as an information standard in 1996, PGP was
renamed OpenPGP and moved to the IETF standards track in 1998.

There is still confusion about the term PGP, which until recently was used to
refer to the freeware and commercial programs first developed by
Zimmermann. It is now more commonly used to describe any software that
supports the OpenPGP protocol specification.

GPG was one of the first OpenPGP implementations. It is an open source

version of PGP published under GPL.
https://www.javatpoint.com/computer-network-pgp

Backdoor and key escrow are two distinct concepts related to encryption and security. Let's
explore each of them in the context of PGP (Pretty Good Privacy).

1. Backdoor: A backdoor refers to a deliberate vulnerability or weakness intentionally built into a

system or encryption algorithm, allowing unauthorized access or bypassing security measures. It
provides a covert means for someone to gain unauthorized access to encrypted data without
the knowledge or consent of the legitimate users.

In the context of PGP, which is an encryption software commonly used for secure
communication and file encryption, it is crucial that there are no backdoors in the
implementation. PGP relies on strong cryptographic algorithms and practices to ensure the
confidentiality and integrity of data. Introducing a backdoor would compromise the security of
the encryption and undermine the trust users have in the system.

It's important to note that PGP has been extensively reviewed and scrutinized by the security
community, and the strength of its encryption relies on the absence of any deliberate
vulnerabilities or backdoors.

2. Key Escrow: Key escrow involves the practice of storing cryptographic keys with a trusted third
party, allowing them to be accessed under certain circumstances. This concept is often
considered in the context of government regulations or law enforcement requirements for
lawful access to encrypted data.
In the case of PGP, key escrow would mean that a copy of the private key used for encryption is
stored by a third party, such as a government agency or key recovery agent. This allows them to
decrypt communications or data encrypted with that key without the knowledge or cooperation
of the key owner.

Key escrow is a highly debated topic as it poses potential risks to privacy and security. Critics
argue that centralized key escrow systems can be vulnerable to unauthorized access, abuse, or
exploitation by malicious actors. Additionally, it can undermine the trust and security of
encryption systems if not implemented carefully.

It's worth noting that the standard implementation of PGP does not include key escrow features.
The private keys used for encryption are typically kept solely in the possession of the key owners
to ensure the security and confidentiality of their encrypted communications and files.

Overall, both backdoors and key escrow raise concerns about the security and integrity of
encryption systems. It is generally recommended to use encryption tools and implementations
that prioritize strong security practices, transparency, and independence from any unauthorized
access mechanisms.
DEFINITION
MIME (Multipurpose Internet Mail
Extensions)






By

 Rahul Awati

What is MIME (Multipurpose Internet Mail Extensions)?

MIME (Multipurpose Internet Mail Extensions) is an extension of the original
Simple Mail Transport Protocol (SMTP) email protocol. It lets users exchange
different kinds of data files, including audio, video, images and application
programs, over email.

Unlike SMTP, MIME supports sending both ASCII text and non-ASCII data via
email. For text in character sets other than ASCII, the MIME protocol is
required.

Drawbacks of SMTP
SMTP, which emerged in 1981, is a standard protocol for delivering messages
via email. However, the original SMTP protocol supported only 7-bit ASCII text
communications that were both unauthenticated and unencrypted. With only
94 printable characters in ASCII, the system cannot deal with binary files or
characters in non-English languages that use different writing systems,
accented letters, etc.

Pure SMTP also does not accommodate sending video or audio data.

The default design of every SMTP server was an open mail relay that lets
anyone send emails through it, not just those from or to known users. These
limitations made SMTP communications vulnerable to
email spoofing, spamming, worms and man-in-the-middle (MitM) attacks.

MIME was proposed as a solution to these limitations.

Origins of MIME
In 1991, Nathaniel Borenstein, then a technical staff member at Bellcore,
proposed to the Internet Engineering Task Force (IETF) that SMTP be
extended so web (and other internet) clients and servers could recognize and
handle all kinds of data, not just Latin-based ASCII text, and to allow the
encoding of binary files for transfer through SMTP.

As a result, new file types were added to "mail" as a supported Internet

Protocol file type. MIME is not restricted to textual data and is also important
for other communication protocols, even though it was originally designed only
to address the shortcomings of email and SMTP.

New MIME data types are registered with the Internet Assigned Numbers
Authority (IANA). IETF's RFC 6838 defines the procedures to notify and
register media types for use in MIME.
 MIME
addresses the limitations of the SMPT email protocol that could lead to vulnerabilities like
email spoofing.

Advantages of MIME
MIME has several advantages over SMTP.

 Users can send different kinds of binary attachments via email.

  Multiple attachments of different types can be included in the same
email.

 There are no limits on message length.

 Multipart messages are supported.

MIME defines four subtypes for multipart messages, specifying the nature of
these parts and their relationship to one another. In particular, the
"multipart/alternative" subtype lets systems choose the best representation of
the message: plain text or HTML.

How MIME works

Emails with MIME formatting may be transmitted via standard protocols like
SMTP, Post Office Protocol (POP) or Internet Message Access Protocol
(IMAP). The body of such messages may consist of multiple parts. The
header may be specified in non-ASCII character sets MIME supports.
IETF's RFC 2045 defines the various headers used to describe the structure
of MIME messages.

Servers insert the MIME header at the beginning of an email transmission.

Clients use the MIME header to select an appropriate player application for
the data type indicated by the header. Some players are built into the web
client or browser. For instance, all browsers come with GIF and JPEG image
players and can handle HTML files. Other players may need to be
downloaded.

At the sender's end, MIME transforms non-ASCII data to 7-bit Network Virtual
Terminal (NVT) data. 7-bit ASCII can represent 128 characters. MIME then
delivers this transformed data to the client SMTP. At the recipient's end, the
message is transferred back to the original data, allowing them to see its
contents, regardless of whether it contains text, audio, video or some other
kind of data.
 Standard
email protocols like SMTP, POP or IMAP may transmit emails with MIME formatting.

MIME header fields

A MIME header contains multiple subparts. These include:

MIME-Version
This header field indicates the message is MIME-formatted. Its value is
typically "1.0."

Content-Type
This header describes the media type of the content within the message. It
consists of a type and a subtype, both of which are strings. When
concatenated with a slash (/) between them, the type and subtype comprise a
MIME type.

 Type: General category of the data type (e.g., video or text)

 Subtype: Exact kind of data the MIME type represents.

MIME types are case-insensitive. An optional parameter can be added to the

MIME type to provide additional details. So, if the parameter is "charset", it will
specify the character set used for the data characters. If this parameter is not
specified, MIME will use the default ASCII character set.
Using the type "multipart," MIME allows mail messages to have parts
arranged in a tree structure to support:

 simple text messages

 text plus attachments

 replies with original message attached

 multiple alternatives in HTML

 images, audio and video

 applications
The S/MIME certificate's nitty-gritty will assist you in
strengthening your critical security concerns in the mail while
also advancing your commercial goals. Continue reading to learn
more.
Over the last two decades, business and official interactions have
shifted from phone conversations to emails. Because email is the
most used mode of communication, according to Statista, 4.03
billion people will use email in 2021, and that number is expected
to climb to 4.48 billion by 2024.
Every day, emails are sent and received across devices,
necessitating the need to secure these interactions. Because of
the amount and type of sensitive data in a commercial firm, this
criticality is increased. Assume you work in a field where
sensitive data is handled.

 Intellectual property is something that belongs to you.

 Personal information about employees
 Customer information and contact information
 Card information (credit and debit)
If this is the case, consider safeguarding your emails and
safeguarding sensitive information. Apart from preventing anyone
from reading your emails, you must also protect your data from
fraudsters. These individuals are well-known for utilizing your
email and concocting phishing schemes to dupe people into handing
over personal information.

What Exactly is S/MIME?

Secure/Multipurpose Internet Mail Extension (S/MIME) is an
industry-standard for email encryption and signature that is
commonly used by businesses to improve email security. S/MIME is
supported by the majority of corporate email clients.
S/MIME encrypts and digitally signs emails to verify that they are
verified and that their contents have not been tampered with.

How Does S/MIME Address Email Security Problems?

An S/MIME certificate is an end-to-end encryption solution for
MIME data, a.k.a. email communications, as shown in the preceding
sections. The use of asymmetric cryptography by S/MIME
certificates prevents the message's integrity from being
compromised by a third party. In basic English, a digital signature
is used to hash the message. The mail is then encrypted to protect
the message's secrecy.
S/MIME employs public encryption to protect communications that
can only be decoded with the corresponding private key obtained
by the authorized mail receiver, according to GlobalSign, a
company that provides specialized Public Key Infrastructure (PKI)
solutions to businesses.
Stepping back in time allows us to visualize the situation. Wax
seals on letters served as a unique identifying proof of the sender
while also assisting the recipient in determining whether the
letters had been tampered with. S/MIME certificates work on a
similar principle.
The sender can use a private key to digitally sign the letter he
is sending. The email is then accompanied by a public key while
in transit. The recipient will use it to verify the sender's
digital signature and decode the message using his own private
key. Using 'asymmetric cryptography,' this system uses two
separate but mathematically comparable cryptographic keys to
provide end-to-end encryption. The completely encrypted contents
of the email will be nearly hard to crack without both keys.

S/MIME Certificate Characteristics

You receive a slew of cryptographic security features when you use
an S/MIME certificate for email apps.
 Authentication − It refers to the verification of a
computer user's or a website's identity.
 Message consistency − This is a guarantee that the
message's contents and data have not been tampered with.
The message's secrecy is crucial. The decryption
procedure entails checking the message's original
contents and guaranteeing that they have not been
altered.
 Use of digital signatures that invoke non-repudiation −
This is a circumstance in which the original sender's
identity and digital signatures are validated so that
there is no doubt about it.
 Protection of personal information − A data breach cannot
be caused by an unintentional third party.
 Encryption is used to protect data − It relates to the
procedures described above, in which data security is
ensured by a mix of public and private keys representing
asymmetric cryptography.
The MIME type is designated by a S/MIME certificate. The enclosed
data is referred to by the MIME type. The MIME entity is completely
prepared, encrypted, and packaged inside a digital envelope.

Support for S/MIME

Some of the most popular email programs that support S/MIME are
listed below.

iPhone iOS Mail

Apple Mail

Gmail IBM Notes

Mozilla Thunderbird MailMate Microsoft Outlook or
Outlook on the Web
 CipherMail
Although an S/MIME certificate has been around for a long time
and is supported by most email clients, the disadvantages of using
it include complicated implementation owing to the public and
private keys of the sender and receiver. As a result, it was
restricted to highly classified government communications and
those started by techies.
The adoption trend has improved, thanks to the advent of automated
solutions for deploying and managing S/MIME certificates. The
benefits of using S/MIME certificates to safeguard data in transit
and, at rest, have surpassed the disadvantages.

As we all know, an email’s journey across the internet includes stops at numerous servers and
routers. Sometimes, at any of these stops, malicious actors may come across the email message
and read its contents or insert a bogus answer, impersonating the two parties who are
communicating. For instance, this could lead to the theft of login credentials or the redirection of
traffic to a phishing website.

This tactic is known as a Man-in-the-Middle (MitM) attack, and it can be difficult to detect,
but it can be prevented by using S/MIME’s encryption and digital signatures.

But first things first!

What Is S/MIME?
S/MIME or Secure/Multipurpose Internet Mail Extension is a technology widely used by
corporations that enhances email security by providing encryption, which protects the content
of email messages from unwanted access. It also adds digital signatures, which confirm that you
are the authentic sender of the message, making it a powerful weapon against many email-based
attacks.

In a nutshell, S/MIME is a commonly-used protocol for sending encrypted and digitally-signed

email messages and is implemented using S/MIME certificates.

S/MIME Uses
S/MIME can be used to:

 Check that the email you sent has not been tampered with by a third party.
 Create digital signatures to use when signing emails.
 Encrypt all emails.
 Check the email client you’re using.

How Does S/MIME Work?

To operate, S/MIME employs mathematically related public and private keys. This technology is
based on asymmetric cryptography. Because the two keys are mathematically related, a message
that was encrypted with the public key (which is, of course, published) can only be decrypted
using the private key (which is kept secret).
When someone clicks “send” on an email, S/MIME sending agent software encrypts the message
with the recipient’s public key, and the receiving agent decrypts it with the recipient’s private
key. Needless to say, both the sender and the recipient must support S/MIME.

The email message decryption process can only be done with the private key associated with it,
which is supposed to be in sole possession of the recipient. Unless the private key is
compromised, users can be confident that only the intended recipient will have access to the
confidential information contained in their emails.

Simply put, S/MIME encryption muddles emails so that they can only be viewed by receivers
who have a private key to decrypt them. It prevents others, particularly malicious actors, from
intercepting and reading email messages as they are sent from senders to recipients.

You may be aware that SMTP-based Internet email does not provide message security. An
SMTP (Simple Mail Transfer Protocol) internet email message can be read by anyone who sees
it as it travels or views it where it is stored. S/MIME uses encryption to tackle these issues.

Message encryption provides two distinct security benefits:

Confidentiality
The purpose of message encryption is to keep the contents of an email message safe. The
contents are only visible to the intended recipient, and they remain private and inaccessible to
anyone else who might obtain or view the message. Encryption ensures message confidentiality
while in transit and storage.

Data integrity
Message encryption, like digital signatures, offers data integrity services as a result of the
operations that make encryption possible.

As I mentioned before, S/MIME also adds a digital signature to an email. This guarantees that
the sender has permission to send emails from a specific domain.

S/MIME Digital Signatures

Digital signatures are the most commonly used service of S/MIME. As the name indicates, they
are the digital equivalent of the conventional, legal signature on a paper document. S/MIME
digital signatures protect against email spoofing attempts by confirming the sender’s identity,
making sure that the message content has not been tampered with, and verifying that the sender
actually sent the email message.

Security capabilities offered by digital signatures:

Authentication
A signature validates the answer to the question “who are you?” by allowing that entity to be
distinguished from all others and proving its uniqueness. Authentication ensures that a message
was sent by the individual or organization claiming to have sent it. This reduces the likelihood of
email spoofing, which is common in phishing scams.

Nonrepudiation
A signature’s uniqueness prevents the sender from denying that they sent the message. This is
useful for purchases and transactions, legal documentation, and criminal investigations, among
other things.

Data integrity
When the receiver of a digitally signed email validates the digital signature, the recipient is
assured that the received email message is the same one that was signed and sent and that has not
been tampered with while it traveled.

What Is a S/MIME Certificate and How Does It Work?

An email signing certificate, which you can obtain from a certificate authority, is required to sign
and encrypt your email. This certificate can be used to digitally sign your emails. Once you
purchase it, it will automatically get added to your email.
All senders and receivers must have a digital certificate that binds their identity to a public key.
Typically, an administrator is in charge of configuring S/MIME and issuing digital certificates.

Why Need a S/MIME Certificate?

 S/MIME certificates ensure that the emails you send are only accessible by the intended recipient.
 They employ asymmetric encryption.
 Public and private keys will be used to encrypt and decrypt emails, ensuring that the emails you
send cannot be read by anyone other than the receiving party.
 S/MIME certificates protect emails by preventing hackers from accessing or changing their
contents.
 Offer both digital signatures and encryption.
 While asymmetric encryption keeps your data private, digital signatures provide authentication
and message integrity.
 S/MIME certificates are installed on email clients.

Secure Electronic Transaction or SET is a system that

ensures the security and integrity of electronic
transactions done using credit cards in a scenario. SET is
not some system that enables payment but it is a security
protocol applied to those payments. It uses different
encryption and hashing techniques to secure payments over
the internet done through credit cards. The SET protocol
was supported in development by major organizations like
Visa, Mastercard, and Microsoft which provided its Secure
Transaction Technology (STT), and Netscape which provided
the technology of Secure Socket Layer (SSL).
SET protocol restricts the revealing of credit card details
to merchants thus keeping hackers and thieves at bay. The
SET protocol includes Certification Authorities for making
use of standard Digital Certificates like X.509
Certificate.
Before discussing SET further, let’s see a general scenario
of electronic transactions, which includes client, payment
gateway, client financial institution, merchant, and
merchant financial institution.

Requirements in SET: The SET protocol has some requirements

to meet, some of the important requirements are:
 It has to provide mutual authentication i.e.,
customer (or cardholder) authentication by
confirming if the customer is an intended user or
not, and merchant authentication.
  It has to keep the PI (Payment Information) and OI
(Order Information) confidential by appropriate
encryptions.
 It has to be resistive against message modifications
i.e., no changes should be allowed in the content
being transmitted.
 SET also needs to provide interoperability and make
use of the best security mechanisms.
Participants in SET: In the general scenario of online
transactions, SET includes similar participants:
1. Cardholder – customer
2. Issuer – customer financial institution
3. Merchant
4. Acquirer – Merchant financial
5. Certificate authority – Authority that follows
certain standards and issues certificates(like
X.509V3) to all other participants.
SET functionalities:
 Provide Authentication
 Merchant Authentication – To prevent theft,
SET allows customers to check previous
relationships between merchants and financial
institutions. Standard X.509V3 certificates
are used for this verification.
 Customer / Cardholder Authentication – SET
checks if the use of a credit card is done by
an authorized user or not using X.509V3
certificates.
 Provide Message Confidentiality: Confidentiality
refers to preventing unintended people from reading
the message being transferred. SET implements
confidentiality by using encryption techniques.
Traditionally DES is used for encryption purposes.
 Provide Message Integrity: SET doesn’t allow message
modification with the help of signatures. Messages
are protected against unauthorized modification
using RSA digital signatures with SHA-1 and some
using HMAC with SHA-1,
What is Secure Electronic Transaction (SET)?
Secure Electronic Transaction (SET) is a system and electronic protocol to ensure the
integrity and security of transactions conducted over the internet. E-
commerce websites implemented this early protocol to secure electronic payments
made via debit and credit cards.

SET blocks out all personal details on the card, preventing hackers and data thieves
from accessing or stealing the cardholder's information. The merchant also cannot see
these personal details, which are transferred directly to the credit card company for
user authentication and verification.

SET is not a payment system or gateway, but a set of security protocols. It uses some
aspects of a Public Key Infrastructure (PKI) to address concerns around privacy,
authenticity and security in e-commerce applications.

The primary goal of SET is to protect credit/debit card transactions as they take place
online. It provides a secure and confidential transaction environment for everyone
involved in the e-commerce transaction, including the customer and merchant. It also
authenticates users with the help of digital certificates.
TECHTARGET

The development of SET can be traced to the emergence of e-commerce in the mid-
1990s. SET was jointly designed by card companies Visa and Mastercard, with the
aim of securing web browsers for card transactions. In its early days of development,
SET was also supported by other organizations, including:

 technology firms like Microsoft and IBM;

 network infrastructure and internet services companies like Verisign; and

 web services company Netscape.

Microsoft provided the Secure Transaction Technology (STT) for SET, while
Netscape provided the Secure Sockets Layer (SSL) technology.

Secure Electronic Transaction and cryptography

SET was designed to fulfill the requirements for e-commerce security that were not
being fulfilled by SSL and Transport Layer Security (TLS). To secure card
transactions and protect purchasing information, SET uses both symmetric (Data
Encryption Standard or DES) and asymmetric (PKI) cryptography.
For key management, it uses PKI to reliably distribute public keys between
participants.

SET uses 56-bit session keys which are transmitted asymmetrically. The remainder of
the card transaction uses symmetric DES encryption. SET uses long keys for both
kinds of encryption.

Secure Electronic Transaction and digital signatures

In SET, authentication and nonrepudiation are achieved through digital signatures so
the parties in the transaction cannot deny that the transaction occurred. Every time a
customer initiates an electronic purchase, an encrypted digital certificate is generated
for the transaction's participants. This includes the customer, merchant and financial
institution.

Matching digital keys are also generated, so participants can confirm the certificates
of the other party and verify the transaction.

Using a hashing algorithm, SET signs electronic transactions using the sender's
private key. This produces a series of values (message digest) that "sign" a message.
The transaction's authenticity can be verified by comparing the transaction message
and message digest with the sender's public key.

The algorithms used in SET ensure that only the party with the corresponding digital
key can confirm the transaction, no one else.
TECHTARGET
Secure Electronic Transaction signs electronic transactions using the sender's private key through a
hashing algorithm.

Security architecture of Secure Electronic Transaction

The SET architecture (designed to support PKI) comprises:

Digital certificates
Digital signatures authenticate the merchant's and customer's identities to mitigate the
risk of a malicious third party manipulating transaction information. The Certificate
Authority (CA) issues digital certificates to the issuing bank. The card issuer and
acquirer, which may be a bank or other financial institution, both play an important
role in issuing digital certificates.

Dual signatures
In the SET scheme, the customer's order information and payment information are
encrypted with separate public keys. The order information is encrypted with the
merchant's public keys, and the payment information is encrypted with the acquiring
bank's public keys.

This system ensures that the encrypted PI can only be decrypted by the acquiring
bank, and the encrypted OI can only be decrypted by the merchant.
TECHTARGET
Digital signatures authenticate merchant and customer identities, lessening the possibility of transaction
manipulation by third parties.

Digital wallet
SET enforces customer self-authentication by entering a password that activates
their digital wallet. This happens before they initiate a payment transaction. Following
the authentication, the customer's device (PC, phone, etc.) sends their order and
payment information to the merchant. When the cardholder is authenticated, the
issuing bank provides payment authorization to the acquiring bank, which then
informs the merchant.

Secure Electronic Transaction participants

A number of participants are involved in the SET process:

 Cardholder/customer: The authorized holder of the payment card (Visa or

Mastercard)

 E-commerce merchant: The seller

 Card issuer: A financial organization (e.g., bank) that issues the payment
card
  Acquirer: A financial organization that processes payment authorization
and facilitates electronic funds transfer to the merchant's account

 Payment gateway: Interface between card payment networks and secure

electronic transactions

 Certificate Authority: Trusted organization that provides public key digital

certificates
The drawbacks of Secure Electronic Transaction
When SET was first introduced in 1996 by the SET consortium (Visa, Mastercard,
Microsoft, Verisign, etc.), it was expected to be widely adopted within the next few
years. Industry experts also predicted that it would quickly become the key enabler of
global ecommerce. However, this didn't quite happen due to some serious
shortcomings in the protocol.

The security properties of SET are superior to SSL and the newer TLS, particularly in
their ability to prevent e-commerce fraud. However, the biggest drawback of SET is
its complexity. SET requires both customers and merchants to install special software
-- card readers and digital wallets -- meaning that transaction participants had to
complete more tasks to implement SET. This complexity also slowed down the speed
of e-commerce transactions. SSL and TLS do not have such problems.

The overhead involved in PKI and the initialization and registration processes also
stalled the widespread adoption of SET. Interoperability among SET products -- e.g.,
certificate translations and interpretations among trusted third parties with different
certificate policies -- was also a significant problem with SET, which also was
challenged by poor usability and the vulnerability of PKI.

The decline of Secure Electronic Transaction

Despite enthusiastic support for SET in the early days, support for the protocol has
waned over time. Other security standards have emerged for online debit and credit
card transactions for e-commerce.
Visa and other card providers including Mastercard and American Express eventually
adopted the 3-D Secure framework for securing customers' digital payments.
This XML-based protocol is designed to provide additional security for online
credit/debit card transactions.