PART 5: NETWORK AND INTERNET SECURITY
Chapter 16 TRANSPORT-LEVEL SECURITY
o Web Security Considerations
    Web Security Threats
    Web Traffic Security
o Secure Socket Layer and Transport Layer Security
    SSL Architecture
    SSL
    Change Cipher Spec Protocol
    Alert Protocol
o Transport Layer Security
    Authentication Code
    Pseudorandom Function
    Alert Codes
    Client Certificate Types
    Certificate_Verify and Finished Messages
    Cryptographic Computations
    Initiation
    Connection Closure
o Secure Shell (SSH)
    Protocol
    User Authentication Protocol
    Connection Protocol
◆ Secure Socket Layer (SSL) provides security services between TCP and applications that use TCP. The Internet standard version is called Transport Layer Security (TLS).
◆ SSL/TLS provides confidentiality using symmetric encryption and message integrity using a message authentication code.
◆ SSL/TLS includes protocol mechanisms to enable two TCP users to determine the security mechanisms and services they
◆ HTTPS (HTTP over SSL) refers to the combination of HTTP and SSL to implement secure communication between a Web browser and a Web server.
◆ Secure Shell (SSH) provides secure remote logon and other secure client/server facilities.
Virtually all businesses, most government agencies, and many individuals now have Web sites. The number of individuals and companies with Internet access is expanding rapidly and all of these have graphical Web browsers. As a result, businesses are enthusiastic about setting up facilities on the Web for electronic commerce. But the reality is that the Internet and the Web are extremely vulnerable to compromises of various sorts. As businesses wake up to this reality, the demand for secure Web services grows.

The topic of Web security is a broad one and can easily fill a book. In this chapter, we begin with a discussion of the general requirements for Web security and then focus on three standardized schemes that are becoming increasingly important as part of Web commerce and that focus on security at the transport layer: SSL/TLS, HTTPS, and SSH.