information values—the prime factor p of the modulus n, the prime factor q of n, the exponent d mod (p − 1), the exponent d mod (q − 1), and the coefficient (inverse of q) mod p.
8.4 Protection of Data in Transit
We have understood that data at rest needs to be protected when it is stored in a system, but it is also important to understand that data is accessed frequently by users and, consequently, this data travels over networks. An attacker intent on stealing sensitive information will naturally adopt measures to sniff the data over a network and breach the confidentiality or integrity of the data transmitted over it. It is imperative that sensitive information being transmitted over a network is also protected. Data are sent over public and private networks, and determined attackers, using simple network monitoring tools, can easily gain access to the information being transmitted over the wire. This information might contain usernames, passwords, credit card information, encryption keys, and so on. This type of attack, where an attacker sniffs network traffic and gains access to information, is known as a man-in-the-middle attack. The requirement for protection, in this case, is that the link over which the sensitive information is transmitted be encrypted, so that the information cannot be sniffed during its transmission.
8.4.1 History of Secure Socket Layer/Transport Layer Security
The standard implementation for secure transmission for a Web application is the use of transport layer security (TLS). TLS was formerly known as SSL (secure socket layer). Netscape developed SSL for the purpose of transmitting private information over the Internet. SSL uses two keys for its operations: the public key and the private key. SSL is implemented with the help of digital certificates. SSL provides an encrypted link for the client to interact with the server. SSL version 1.0 was developed by Netscape, and version 2.0 was released in 1995 but was found to be flawed in several aspects, leading to the creation of version 3.0 in 1996. The Internet Engineering Task Force (IETF) took over SSL and renamed it TLS, which was adopted as a standard. In 1999, all the major payment brands like Visa, MasterCard, and American Express, as well as several financial institutions, publicly declared that SSL/TLS should be adopted as a security measure for e-commerce transactions. Traffic protected with SSL/TLS for access to a Web application occurs over hypertext transfer protocol secure (HTTPS) instead of over the regular HTTP protocol, which is unencrypted.
To provide secure transport of information over a network, SSL/TLS uses a combination of cryptographic processes. SSL/TLS is essentially a secure enhancement to the standard TCP/IP sockets protocol used for Internet communications. The secure sockets layer is inserted between the transport layer and the application layer in the standard TCP/IP protocol stack, as illustrated in Figure 8.13. The Web application protocol most commonly used with SSL is hypertext transfer protocol (HTTP), the protocol for Internet Web pages.
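Section 8.4 requires that the link itself be encrypted, and the paragraph above places TLS between the TCP socket and the application protocol. The Python below, added here as an example and not taken from the book, uses the standard library `ssl` module to build a client configuration that refuses the flawed SSL and early TLS versions and authenticates the server, next to a deliberately weak configuration that an audit routine flags; `harden_client_context`, `audit_client_context`, `make_weak_context` and `open_tls_socket` are names chosen for this example.

```python
import socket
import ssl

# Protocol floor for a client: SSL 2.0/3.0 and TLS 1.0/1.1 are broken or deprecated,
# so anything below TLS 1.2 is reported as a finding by the audit.
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def harden_client_context(ctx: ssl.SSLContext) -> ssl.SSLContext:
    """Tighten a client context so the link cannot fall back to SSL or early TLS
    and the server is actually authenticated (certificate chain and host name)."""
    ctx.minimum_version = MIN_VERSION
    ctx.verify_mode = ssl.CERT_REQUIRED    # refuse servers without a trusted certificate
    ctx.check_hostname = True              # refuse certificates issued for another host
    ctx.options |= ssl.OP_NO_COMPRESSION   # TLS-level compression leaks plaintext length
    ctx.load_default_certs()               # trust the platform's CA store
    return ctx


def make_hardened_context() -> ssl.SSLContext:
    return harden_client_context(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))


def make_weak_context() -> ssl.SSLContext:
    """Deliberately misconfigured counterpart, constructed only for the audit below:
    traffic is still encrypted, but the server is never authenticated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False             # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_client_context(ctx: ssl.SSLContext) -> list[str]:
    """Return the weaknesses found in a client context; an empty list passes."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(f"minimum_version {ctx.minimum_version.name} is below TLS 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: server is not authenticated")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: a certificate for any host is accepted")
    if not ctx.options & ssl.OP_NO_COMPRESSION:
        findings.append("TLS compression is enabled")
    return findings


def open_tls_socket(host: str, port: int = 443) -> ssl.SSLSocket:
    """The layering from the text: a plain TCP socket (transport layer) is wrapped
    by TLS before the application protocol (HTTP) is spoken over it."""
    raw = socket.create_connection((host, port))
    return make_hardened_context().wrap_socket(raw, server_hostname=host)
```

Running `audit_client_context` over both contexts shows the weak one flagged for missing server authentication and the hardened one passing clean; `open_tls_socket` needs network access and is not exercised offline.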
8.4.1.1 The SSL/TLS Handshake Process
SSL/TLS uses many different cryptographic processes for secure data transportation at various stages. For example, SSL uses public key cryptography to provide authentication, and secret key cryptography and digital signatures to secure information and privacy. Communication over