Transport-Level Security

PART 5: NETWORK AND INTERNET SECURITY

Chapter 16 TRANSPORT-LEVEL SECURITY

o Web Security Considerations

·        Web Security Threats

·        Web Traffic Security Approaches

o Secure Socket Layer and Transport Layer Security

·        SSL Architecture SSL Record Protocol

·        Change Cipher Spec Protocol Alert Protocol

·        Handshake Protocol Cryptographic Computations

o Transport Layer Security

·        Version Number

·        Message Authentication Code Pseudorandom Function Alert Codes

·        Cipher Suites

·        Client Certificate Types Certificate_Verify and Finished Messages Cryptographic Computations

·        Padding

o HTTPS

·        Connection Initiation Connection Closure

o Secure Shell (SSH)

·        Transport Layer Protocol User Authentication Protocol Connection Protocol

KEY POINTS

◆      Secure Socket Layer (SSL) provides security services between TCP and applications that use TCP. The Internet standard version is called Transport Layer Service (TLS).

◆      SSL/TLS provides confidentiality using symmetric encryption and message integrity using a message authentication code.

◆      SSL/TLS includes protocol mechanisms to enable two TCP users to deter- mine the security mechanisms and services they will use.

◆      HTTPS (HTTP over SSL) refers to the combination of HTTP and SSL to implement secure communication between a Web browser and a Web server.

◆      Secure Shell (SSH) provides secure remote logon and other secure client/server facilities.

Virtually all businesses, most government agencies, and many individuals now have Web sites. The number of individuals and companies with Internet access is expanding rapidly and all of these have graphical Web browsers. As a result, businesses are enthu- siastic about setting up facilities on the Web for electronic commerce. But the reality is that the Internet and the Web are extremely vulnerable to compromises of various sorts. As businesses wake up to this reality, the demand for secure Web services grows. The topic of Web security is a broad one and can easily fill a book. In this chapter, we begin with a discussion of the general requirements for Web security and then focus on three standardized schemes that are becoming increasingly important as part of Web commerce and that focus on security at the transport layer: SSL/TLS, HTTPS, and SSH.