Internet & Intranet Security Management - Risks & Solutions
Internet & Intranet Security Management - Risks & Solutions
Internet & Intranet Security Management - Risks & Solutions
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
• Confidentiality. Data items transferred in the session are transparently encrypted after an initial<br />
handshake and session key determination.<br />
The SSL handshake protocol is layered on top of the SSL record protocol and is used to exchange a<br />
series of messages between the communicating peers when they first establish an SSL connection.<br />
During the SSL handshake protocol the server and the client are able to authenticate each other:<br />
• Server authentication. The server is authenticated to the client by presenting a public key certificate<br />
(confirming to the X.509 v3 standard (ITU-T, 1997)). The client has to check that the server's<br />
certificate is valid and has been issued by a certificate authority (CA) trusted by him. This<br />
confirmation might be important if the user, for example, is sending a credit card number over the<br />
network and wants to check the identity of the receiving server.<br />
• Client authentication. Similarly, the server can optionally authenticate the client by requiring the<br />
client's public key certificate. This optional service may protect the server from fraudulent users and<br />
non-repudiation problems.<br />
In addition, during the SSL handshake protocol the server and the client are able to negotiate several<br />
parameters (e.g. compression, encryption algorithm, etc.). After negotiation, a master key is created.<br />
This master key is used to determine session keys which can be used for further symmetric<br />
encryption/decryption.<br />
The use of public key certificates assumes the existence of a public key infrastructure (PKI),<br />
including both certifying authorities to issue, revoke and distribute certificates. Since client<br />
authentication is optional, server certificates are widely used today.<br />
Secure HTTP<br />
The secure HTTP (S-HTTP) protocol was initially developed by Enterprise Integration Technologies<br />
in 1994 and shortly thereafter was taken under consideration by the IETF Web Transaction <strong>Security</strong><br />
working group which submitted an RFC in August 1999 (Rescorla and Schiffman, 1999). S-HTTP is<br />
essentially a security-enhanced version of HTTP, that can be used to provide security services at the<br />
application layer: confidentiality, authentication, message integrity and non-repudiation of origin. In<br />
fact, this means that it is possible to differentiate among the security requirements of individual<br />
documents that are transmitted on a secure HTTP channel. For example, a Web application using S-<br />
HTTP can mark an individual document as private or digitally signed, in contrast, SSL encrypts the<br />
entire communication stream. One conceptual difference between SSL and S-HTTP is that, SSL<br />
establishes a secure TCP/IP connection between a client and a server, which can be used for HTTP<br />
traffic. Unlike SSL, S-HTTP uses TCP/IP connections to transmit data.