Chapter 8 Internet Security Protocols

Upload: elizabeth-savage

Post on 30-Dec-2015


Basic Concepts

- Static Web Pages (Figure 1: Static Web Page)
- Dynamic Web Pages: the contents can vary all day depending on a number of parameters. Involves server-side programming. Tools to create: CGI, ASP, JSP. (Figure 2: Dynamic Web Page)
- Active Web Pages (Figure 3: Active Web Page). Java applet: a small program sent to the browser along with the HTML page.

Basic Concepts (cont’d)

ActiveX controls

Difference between Java applets and ActiveX controls:

- An applet cannot write to the client’s hard disk, but an ActiveX control has no such restriction.
- An applet is downloaded with an active web page, executed inside the browser, and destroyed when the user exits that web page. Once downloaded, an ActiveX control remains on the client computer until it is explicitly deleted. This makes applets quite slow compared to ActiveX controls.

Basic Concepts (cont’d)

- Protocols and TCP/IP (Figure 4: TCP/IP layers)
- Layered Organization (Figure 5: Data exchange using TCP/IP layers)

Secure Socket Layer (SSL)

An Internet protocol for secure exchange of information between a web browser and a web server.

Provides 2 basic security services:

- Authentication
- Confidentiality

Position of SSL in TCP/IP Protocol Suite:

- Figure 6: Position of SSL in TCP/IP
- Figure 7: SSL is located between application and transport layers

How SSL Works?

SSL has three sub-protocols:

- Handshake Protocol
- Record Protocol
- Alert Protocol

The handshake protocol consists of a series of messages between the client and the server. Figure 8 shows the format of the handshake protocol message.

How SSL Works? (cont’d)

Figure 8: Format of the handshake protocol message.

Table 1: SSL handshake protocol message types

How SSL Works? (cont’d)

The handshake protocol is made up of 4 phases, as shown in Figure 9.

Phase 1: Establish security capabilities

- Initiates a logical connection and establishes the security capabilities associated with the connection.
- Consists of 2 messages (Figure 10): the client hello and the server hello.

How SSL Works? (cont’d)

Figure 9: SSL handshake phases

How SSL Works? (cont’d)

Figure 10: Phase 1 of SSL handshake protocol: Establish security capabilities

How SSL Works? (cont’d)

- Phase 2: Server authentication and key exchange (Figure 11)
- Phase 3: Client authentication and key exchange (Figure 12)
- Phase 4: Finish (Figure 13)

How SSL Works? (cont’d)

Figure 11: Phase 2 of SSL handshake protocol: Server authentication and key exchange

- Helps the client authenticate the server using the server’s public key from the server’s certificate.
- (Optional) The server requests the client’s digital certificate.
- (Optional) If the server does not send its digital certificate, the server sends its public key.
- Indicates to the client that the server’s portion of the hello message is complete.

How SSL Works? (cont’d)

Figure 12: Phase 3 of SSL handshake protocol: Client authentication and key exchange

Allows the client to send information to the server. The client creates a 48-byte pre-master secret, encrypts it with the server’s public key, and sends it to the server.

How SSL Works? (cont’d)

Figure 13: Phase 4 of SSL handshake protocol: Finish
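
The four handshake phases above can be traced from the messages on the wire. The following is an added example, not part of the original slides: it parses handshake messages and labels each with its phase. The type codes and the type/length/body framing are taken from the SSL 3.0 specification (RFC 6101); the function names and the sample bytes are hypothetical and constructed for illustration.

```python
# SSL 3.0 handshake framing: type (1 byte) | length (3 bytes, big-endian) | body.
# Type codes are from RFC 6101; hello_request (0) is omitted because it
# precedes the four phases.
NAMES = {1: "client_hello", 2: "server_hello", 11: "certificate",
         12: "server_key_exchange", 13: "certificate_request",
         14: "server_hello_done", 15: "certificate_verify",
         16: "client_key_exchange", 20: "finished"}
PHASE = {"client_hello": 1, "server_hello": 1, "server_key_exchange": 2,
         "certificate_request": 2, "server_hello_done": 2,
         "client_key_exchange": 3, "certificate_verify": 3, "finished": 4}

def parse_handshake(buf):
    """Split a byte buffer into (name, body) handshake messages."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated handshake header")
        length = int.from_bytes(buf[pos + 1:pos + 4], "big")
        body = buf[pos + 4:pos + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        if buf[pos] not in NAMES:
            raise ValueError(f"unknown handshake type {buf[pos]}")
        out.append((NAMES[buf[pos]], body))
        pos += 4 + length
    return out

def phase_trace(flights):
    """Map (sender, bytes) flights to (phase, sender, name) tuples."""
    trace, current = [], 1
    for sender, buf in flights:
        for name, _body in parse_handshake(buf):
            # A certificate is phase 2 from the server, phase 3 from the client.
            phase = PHASE.get(name) or (2 if sender == "server" else 3)
            if phase < current:  # a message from an earlier phase is out of order
                raise ValueError(f"{name} from {sender} after phase {current}")
            current = phase
            trace.append((phase, sender, name))
    return trace

def msg(msg_type, body=b""):
    """Build one constructed handshake message for the sample below."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

# Constructed sample: bodies are placeholder bytes, not real hello or key data.
SAMPLE = [("client", msg(1, b"hello")),
          ("server", msg(2, b"hello") + msg(11, b"cert") + msg(14)),
          ("client", msg(16, b"encrypted-pre-master") + msg(20, b"fin")),
          ("server", msg(20, b"fin"))]
```

Calling phase_trace(SAMPLE) yields one tuple per message, with phases running 1, 1, 2, 2, 3, 4, 4.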

How SSL Works? (cont’d)

Record Protocol

Provides 2 services to an SSL connection:

- Confidentiality: achieved by using the secret key that is defined by the handshake protocol.
- Integrity: the handshake protocol also defines a shared secret key (MAC) that is used for assuring message integrity.

How SSL Works? (cont’d)

Figure 14: SSL record protocol

How SSL Works? (cont’d)

Alert Protocol

- When the client or server detects an error, the detecting party sends an alert message to the other party.
- If the error is fatal, both parties immediately close the SSL connection.
- Other errors, which are not severe, do not result in the termination of the connection.

Figure 15: Alert protocol message format

- Byte 1: Severity
- Byte 2: Cause

Closing and Resuming SSL connections

Before ending their communication, the client and the server must inform each other that their side of the connection is ending.
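
The two-byte alert format and the closing rule above can be checked together. The following is an added example, not part of the original slides: it decodes alert messages and reports whether a peer closed cleanly, was aborted by a fatal alert, or dropped the transport without announcing closure. The level and cause codes are from the SSL 3.0 specification (RFC 6101), where the closing announcement is the close_notify alert; the function names, state names and event lists are hypothetical and constructed for illustration.

```python
# Alert levels and descriptions as defined for SSL 3.0 in RFC 6101.
LEVELS = {1: "warning", 2: "fatal"}
CAUSES = {0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
          30: "decompression_failure", 40: "handshake_failure",
          41: "no_certificate", 42: "bad_certificate",
          43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown",
          47: "illegal_parameter"}

def parse_alert(payload):
    """Decode the two-byte alert body: byte 1 is severity, byte 2 is cause."""
    if len(payload) != 2:
        raise ValueError("alert body must be exactly 2 bytes")
    level, cause = payload
    if level not in LEVELS:
        raise ValueError(f"unknown alert level {level}")
    return LEVELS[level], CAUSES.get(cause, f"unknown({cause})")

def track_peer(events):
    """Replay one peer's ('alert', bytes) / ('tcp_close', None) events.

    Returns (state, warnings) where state is 'open', 'closed' (close_notify
    seen), 'aborted' (fatal alert) or 'truncated' (transport closed with no
    close_notify and no fatal alert).
    """
    state, warnings = "open", []
    for kind, data in events:
        if state != "open":
            break  # nothing after the connection has ended is processed
        if kind == "tcp_close":
            state = "truncated"
        elif kind == "alert":
            level, cause = parse_alert(data)
            if cause == "close_notify":
                state = "closed"
            elif level == "fatal":
                state = "aborted"
            else:
                warnings.append(cause)  # non-severe: connection stays up
    return state, warnings

# Constructed event sequences (not captured traffic).
GRACEFUL = [("alert", bytes([1, 45])), ("alert", bytes([1, 0])), ("tcp_close", None)]
FATAL = [("alert", bytes([2, 20])), ("tcp_close", None)]
CUT_SHORT = [("tcp_close", None)]
```

A 'truncated' result is the case worth logging: the transport ended without the peer announcing it, so the receiver cannot tell whether it saw all of the data.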

TLS (Transport Layer Security) is an IETF standardization initiative whose goal is to come out with an Internet standard version of SSL.