Cryptography and network security: principles and practice (5th edition): Part 2
Pages: 389
File type: pdf
Size: 7.93 MB
Document information:
In this age of universal electronic connectivity, viruses and hackers, electronic eavesdropping, and electronic fraud, security is paramount. This text provides a practical survey of both the principles and practice of cryptography and network security. The book is divided into 2 parts, part 2 from chapter 16 to chapter 23.
Content extracted from the document:
PART 5: NETWORK AND INTERNET SECURITY

CHAPTER 16: TRANSPORT-LEVEL SECURITY

16.1 Web Security Considerations
    Web Security Threats
    Web Traffic Security Approaches
16.2 Secure Socket Layer and Transport Layer Security
    SSL Architecture
    SSL Record Protocol
    Change Cipher Spec Protocol
    Alert Protocol
    Handshake Protocol
    Cryptographic Computations
16.3 Transport Layer Security
    Version Number
    Message Authentication Code
    Pseudorandom Function
    Alert Codes
    Cipher Suites
    Client Certificate Types
    Certificate_Verify and Finished Messages
    Cryptographic Computations
    Padding
16.4 HTTPS
    Connection Initiation
    Connection Closure
16.5 Secure Shell (SSH)
    Transport Layer Protocol
    User Authentication Protocol
    Connection Protocol
16.6 Recommended Reading and Web Sites
16.7 Key Terms, Review Questions, and Problems

Use your mentality
Wake up to reality
—From the song, “I’ve Got You Under My Skin” by Cole Porter

KEY POINTS

◆ Secure Socket Layer (SSL) provides security services between TCP and applications that use TCP. The Internet standard version is called Transport Layer Service (TLS).
◆ SSL/TLS provides confidentiality using symmetric encryption and message integrity using a message authentication code.
◆ SSL/TLS includes protocol mechanisms to enable two TCP users to determine the security mechanisms and services they will use.
◆ HTTPS (HTTP over SSL) refers to the combination of HTTP and SSL to implement secure communication between a Web browser and a Web server.
◆ Secure Shell (SSH) provides secure remote logon and other secure client/server facilities.

Virtually all businesses, most government agencies, and many individuals now have Web sites. The number of individuals and companies with Internet access is expanding rapidly and all of these have graphical Web browsers. As a result, businesses are enthusiastic about setting up facilities on the Web for electronic commerce. But the reality is that the Internet and the Web are extremely vulnerable to compromises of various sorts. As businesses wake up to this reality, the demand for secure Web services grows.

The topic of Web security is a broad one and can easily fill a book. In this chapter, we begin with a discussion of the general requirements for Web security and then focus on three standardized schemes that are becoming increasingly important as part of Web commerce and that focus on security at the transport layer: SSL/TLS, HTTPS, and SSH.

16.1 WEB SECURITY CONSIDERATIONS

The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets. As such, the security tools and approaches discussed so far in this book are relevant to the issue of Web security. But, as pointed out in [GARF02], the Web presents new challenges not generally appreciated in the context of computer and network security.

• The Internet is two-way. Unlike traditional publishing environments—even electronic publishing systems involving teletext, voice response, or fax-back—the Web is vulnerable to attacks on the Web servers over the Internet.
• The Web is increasingly serving as a highly visible outlet for corporate and product information and as the platform for business transactions. Reputations can be damaged and money can be lost if the Web servers are subverted.
• Although Web browsers are very easy to use, Web servers are relatively easy to configure and manage, and Web content is increasingly easy to develop, the underlying software is extraordinarily complex. This complex software may hide many potential security flaws. The short history of the Web is filled with examples of new and upgraded systems, properly installed, that are vulnerable to a variety of security attacks.
• A Web server can be exploited as a launching pad into the corporation’s or agency’s entire computer complex. Once the Web server is subverted, an attacker may be able to gain access to data and systems not part of the Web itself but connected to the server at the local site.
• Casual and untrained (in security matters) users are common clients for Web-based services. Such users are not necessarily aware of the security risks that exist and do not have the tools or knowledge to take effective countermeasures.

Web Security Threats

Table 16.1 provides a summary of the types of security threats faced when using the Web. One way to group these threats is in terms of passive and active attacks. Passive attacks include eavesdropping on network traffic between browser and server and gaining access to information on a Web site that is supposed to be restricted. Active attacks include impersonating another user, altering messages in transit between client and server, and altering information on a Web site. Another way to classify ...