P1: IML/FFX P2: IML/FFX QC: IML/FFX T1: IML
WL040C-21 WL040/Bidgolio-Vol I WL040-Sample.cls August 13, 2003 17:16 Char Count= 0
262 SECURESOCKETSLAYER(SSL)server-side security is to prevent modification of a Web
site’s contents, to prevent use of the server’s hardware,
software, or databases for malicious purposes, and to en-
sure reasonable access to a Web site’s services (i.e., to
avoid or minimize denial-of-service attacks).
Secure transmission is concerned with the techniques
and practices that will guarantee protection from eaves-
dropping and intentional message modification. The
purpose of these security measures is to maintain the con-
fidentiality and integrity of user and server information as
it is exchanged through the communication channel. This
chapter focuses on a solution to the requirement for a se-
cure channel.Secure Channels
The Internet can be used for electronic communication.
Those who use the Internet for this purpose, on occa-
sion, have the need for that communication to be secure.
Secure communication can be ensured by the use of a
secure channel. A secure channel will provide three things
for the user: authentication of those involved in the com-
munication, confidentiality of the information exchanged
in a communication, and integrity of the information
exchanged in the communication.
SSL and its variant TLS are protocols that can be used
to establish and use a secure communication channel be-
tween two applications exchanging information. For ex-
ample, a secure channel may be required between a user’s
Web browser and the Web server the user has accessed.
The paradigm example is the transfer of the user’s credit
card information to a Web site for payment of an online
purchase. Another example would be an employee using
the Web to send his or her check routing information to
her employer for use in a direct deposit payroll request.History of Secure Channels—SSLv1 to v3,
PCT, TLS, STLP, and WTLS
Secure Sockets Layer (SSL) is a computer networking
protocol that provides authentication of, confidentiality
of, and integrity of information exchanged by means of a
computer network.
Netscape Communications designed SSL in 1994 when
it realized that users of its browser needed secure commu-
nications. SSL Version 1 was used internally by Netscape
and proved unsatisfactory for use in its browsers. SSL
Version 2 was developed and incorporated into Netscape
Navigator versions 1.0 through 2.X. This SSLv2 had weak-
nesses (Stein, 1998) that required a new version of SSL.
During that time—1995—Microsoft was developing PCT,
Private Communications Technology, in response to the
weaknesses of SSLv2. In response, Netscape developed
SSL version 3, solving the weakness of SSLv2 and adding
a number of features not found in PCT.
In May 1996 the Internet Engineering Task Force
(IETF) authorized the Transport Layer Security (TLS)
working group to standardize a SSL-type protocol. The
strategy was to combine Netscape’s and Microsoft’s ap-
proaches to securing channels. At this time, Microsoft
developed its Secure Transport Layer Protocol, which
was a modification of SSLv3 and added support for UDP
(datagrams) in addition to TCP support.In 2002 the WAP Forum (wireless access protocol)
adopted and adapted TLS for use in secure wireless
communications with its release of WAP 2.0 Protocol
Stack. This protocol provides for end-to-end security over
wireless or combined wireless/wired connections (WAP
Forum, 2002; Boncella, 2002).
An in-depth understanding of secure channels in gen-
eral and SSL and TLS in particular requires familiarity
with two sets of concepts. The first is how the client/server
computing paradigm is implemented using the TCP/IP
protocols. The second set of concepts deals with cryp-
tography. In particular one needs to be familiar with the
concepts of encryption, both symmetric and asymmetric
(public key encryption), key sharing, message digests, and
certification authorities.
The first set of concepts, clients/servers using TCP/IP, is
discussed in the following section, and the cryptography
concepts are reviewed following TCP/IP discussion. These
cryptography concepts are discussed in detail in another
chapter.INTERNETWORKING CONCEPTS
NECESSARY FOR E-COMMERCE
Clients and Servers
The World Wide Web (WWW or Web) is implemented
by means of interconnection of networks of computer
systems. This interconnection provides information and
services to users of the Web. Computer systems in this
interconnection of networks that provide services and in-
formation to users of computer systems are called Web
servers. Computer systems that request services and infor-
mation use software called Web browsers. The communi-
cation channel between the Web browser (client) and Web
server (server) may be provided by an Internet service
provider (ISP) that allows access to the communication
channel for both the server and client. The communica-
tion of the client with a server follows a request/response
paradigm. The client, via the communication channel,
makes a request to a server and the server responds to
that request via a communication channel.
The Web may be viewed as a two-way network com-
posed of three components:clients
servers
communication path connecting the servers and clients.The devices that implement requests and services both
are called hosts because these devices are “hosts” to the
processes (computer programs) that implement the re-
quests and services.Communication Paths
The communication path between a server and a client
can be classified in three ways:an internet
an intranet
or an extranet.