Databases Reference
In-Depth Information
Enhancing the security of the web server itself has been a paramount
concern since the first Web server initially emerged, but progress has been
slow in deployment and implementation. As the market has mushroomed
for server use, and the diversity of data types that are being placed on the
server has grown, the demand has increased for enhanced Web server se-
curity. Various approaches have emerged, with no single
standard
yet emerging (though there are some early leaders — among them Secure
Sockets Layer [SSL] and Secure Hypertext Transfer Protocol [S-HTTP]).
These are two significantly different approaches, but both widely seen in
the marketplace.
de facto
Secure Socket Layer (SSL) Trust Model
One of the early entrants into the secure Web server and client arena is
Netscape's Commerce Server, which utilizes the Secure Sockets Layer
(SSL) trust model. This model is built around the RSA Public Key/Private
Key architecture. Under this model, the SSL-enabled server is authenticat-
ed to SSL-aware clients, proving its identity at each SSL connection. This
proof of identity is conducted through the use of a public/private key pair
issued to the server validated with x.509 digital certificates. Under the SSL
architecture, web server validation can be the only validation performed,
which may be all that is needed in some circumstances. This would be ap-
plicable for those applications where it is important to the user to be as-
sured of the identity of the target server, such as when placing company
orders, or other information submittal where the client is expecting some
important action to take place. Exhibit 4 diagrams this process.
Optionally, SSL sessions can be established that also authenticate the
client and encrypt the data transmission between the client and the server
for multiple I/P services (HTTP, Telnet, FTP). The multiservice encryption
capability is available because SSL operates below the application layer
and above the TCP/IP connection layer in the protocol stack, and thus oth-
er TCP/IP services can operate on top of a SSL-secured session.
Optionally, authentication of a SSL client is available when the client is
registered with the SSL server, and occurs after the SSL-aware client con-
nects and authenticates the SSL server. The SSL client then submits its dig-
ital certificate to the SSL server, where the SSL server validates the clients
certificate and proceeds to exchange a session key to provide encrypted
transmissions between the client and the server. Exhibit 5 provides a graph-
ical representation of this process for mutual client and server authentica-
tion under the SSL architecture. This type of mutual client/server
authentication process should be considered when the data being submitted
by the client are sensitive enough to warrant encryption prior to being sub-
mitted over a network transmission path.
Search WWH ::
Custom Search