P1: IML/FFX P2: IML/FFX QC: IML/FFX T1: IML
WL040C-21 WL040/Bidgolio-Vol I WL040-Sample.cls August 13, 2003 17:16 Char Count= 0
Secure Sockets Layer (SSL)Secure Sockets Layer (SSL)
Robert J. Boncella,Washburn UniversityE-commerce and Secure Communication
Channels 261
Overview 261
Definition of E-commerce 261
Secure Channels 262
History of Secure Channels—SSLv1 to v3, PCT,
TLS, STLP, and WTLS 262
Internetworking Concepts Necessary for
E-commerce 262
Clients and Servers 262
Communication Paths 262
The OSI Model and TCP/IP 263
Cryptographic Concepts used in SSL and TLS 266
Encryption 266
Key Sharing 266
Digital Signatures 266
Message Digest Algorithms 266Certification Authorities 266
SSL Architecture 266
Overview 266
Connection Process 267
Record Protocol 267
TLS —Transport Layer Security 268
SSL and TLS Protocols: Details 268
Cipher Suites and Master Secrets 270
Status of SSL 270
SSLv3 and TLS 1.0 and Commercial Use 270
Advantages and Disadvantages of and
Alternatives to SSL/TLS 271
Glossary 272
Cross References 272
References 272
Further Reading 273E-COMMERCE AND SECURE
COMMUNICATION CHANNELS
OverviewThis chapter provides an overview of how the SSL proto-
col and its variant the TLS protocol are used to establish
and operate a secure communication channel. It is
assumed that the readers of this chapter are nontechnical
in their academic background. As a result some space will
be spent in explaining the background concepts necessary
for a full understanding of SSL and TLS. If the reader re-
quires more technical detail, Boncella (2000) is suggested.
This chapter has five major sections. First is a discus-
sion of the need for and history of secure channels for
e-commerce. Second is an overview of the internetwork-
ing concepts necessary to appreciate the details of SSL
and TLS protocols. Third is a brief review of cryptographic
concepts used in SSL and TLS. Fourth is a detailed expo-
sition of SSL and TLS. And finally is a discussion of SSL
and TLS protocol’s status in e-commerce—its strengths
and weakness, and possible alternatives.Definition of E-commerce
E-commerce may be defined as the use of electronic or
optical transmission media to carry out the exchange
of goods and services. E-commerce in particular and
e-business in general rely on electronic or optical com-
munication in order to exchange information required to
conduct business.
In an e-commerce transaction both the user and the
provider of the service have expectations regarding the
security of the transaction.
The user’s expectation is that the service to be provided
is legitimate, safe, and private: legitimate in the sense that
the providers of the service are who they say they are; safein the sense that the services or information being pro-
vided will not contain computer viruses or content that
will allow the user’s computer system to be used for ma-
licious purposes; and finally, private in the sense that the
provider of the requested information or services will not
record or distribute any information the user may have
sent to the provider in order to request information or
services.
The server’s expectation is that the requestor of the in-
formation or service is legitimate and responsible: legiti-
mate in the sense the user has been accurately identified;
responsible in that the user will not attempt to access
restricted documents, crash the server, or use the server
computing system as means of gaining illegal access to
another computer system.
Both the server and the user have an expectation that
their communications will be free from eavesdropping
and reliable—meaning that their transmissions will not
be modified by a third party.
The purpose of Web security for e-commerce is to meet
the security expectations of users and providers. To that
end, Web security is concerned with client-side security,
server-side security, and secure transmission of informa-
tion.
Client-side security is concerned with the techniques
and practices that protect a user’s privacy and the integrity
of the user’s computing system. The purpose of client se-
curity is to prevent malicious destruction of a user’s com-
puter systems, e.g., by a virus that might format a user’s
fixed disk drive, and to prevent unauthorized of use of a
user’s private information, e.g., use of a user’s credit card
number for fraudulent purposes.
Server-side security is concerned with the techniques
and practices that protect the Web server software and
its associated hardware from break-ins, Web site van-
dalism, and denial-of-service attacks. The purpose of261