IT Baseline Protection Manual S 5.65 Use of S-HTTP


Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators, users

Secure HTTP (S-HTTP) secures the messages exchanged between an HTTP client and an HTTP server. As an extension of HTTP, S-HTTP makes the following mechanisms available:

S-HTTP protects submitted HTTP data at the sender's end by encrypting it or by attaching a cryptographic checksum, and hands the protected data to the transport system, which delivers it to the recipient. At the recipient's end, the encapsulated data is passed from the transport system to the local S-HTTP layer, which decrypts (or verifies) the protected HTTP data and forwards it to the HTTP application.

The security services are based on the RSA, DES, RC2, MD2 and MD5 algorithms (in this connection see also S 3.23 Introduction to basic cryptographic terms). With S-HTTP, the security policy and the cryptographic algorithms that are to be used can be selected by means of an optional negotiation phase before every transmission.

In addition, various cryptographic security mechanisms can also be integrated into S-HTTP, for example PKCS-7 (cryptographic message syntax) and PEM. Interoperability between S-HTTP clients and servers which do not use S-HTTP is guaranteed by the optional negotiation phase.
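The two steps the text describes, an optional negotiation of the algorithm followed by protection of the HTTP data with a keyed checksum and its verification at the recipient, are modelled below as an added example. It is not BSI's code and does not reproduce the S-HTTP message format; the policy names, the pre-shared key and the request body are constructed for illustration. It also shows the policy decision the negotiation phase forces on an administrator: what to do when the peer offers only algorithms the policy rejects (MD2 and MD5, both named on the page, are no longer considered collision-resistant), and whether to tolerate the unprotected fallback that interoperability with non-S-HTTP peers implies.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Digests the page names that a current policy should refuse (MD2 is not even
# available in hashlib; MD5 is, but is collision-broken).
WEAK_DIGESTS = {"md2", "md5"}


@dataclass
class ServerPolicy:
    # Digests the server will use, in order of preference (constructed list).
    accepted: tuple = ("sha256",)
    # Whether an unprotected exchange is tolerated when negotiation fails
    # (the interoperability fallback the page mentions).
    allow_plaintext_fallback: bool = False


def negotiate(client_offer, policy):
    """Negotiation phase: pick the first server-preferred digest the client
    also offers. Returns "none" only if policy allows plaintext, else None."""
    offered = {d.lower() for d in client_offer}
    for digest in policy.accepted:
        if (digest in offered and digest not in WEAK_DIGESTS
                and digest in hashlib.algorithms_available):
            return digest
    return "none" if policy.allow_plaintext_fallback else None


def protect(key, digest, method, path, body):
    """Sender side: attach a keyed cryptographic checksum over the request
    line and body (a keyed MAC, so a forger without the key cannot recompute it)."""
    covered = f"{method} {path}\r\n".encode() + body
    mac = hmac.new(key, covered, digestmod=digest).hexdigest()
    return {"digest": digest, "method": method, "path": path,
            "body": body, "mac": mac}


def unprotect(key, envelope):
    """Recipient side: recompute the checksum and reject any mismatch before
    the data reaches the HTTP application."""
    covered = f"{envelope['method']} {envelope['path']}\r\n".encode() + envelope["body"]
    expected = hmac.new(key, covered, digestmod=envelope["digest"]).hexdigest()
    if not hmac.compare_digest(expected, envelope["mac"]):
        raise ValueError("integrity check failed; message not forwarded")
    return envelope["body"]


def exchange(client_offer, policy, key, body=b"amount=10&to=acct-42"):
    """Run negotiation, then one protected request. Returns (digest, body)."""
    digest = negotiate(client_offer, policy)
    if digest is None:
        raise ValueError("no acceptable algorithm; refusing plaintext fallback")
    if digest == "none":
        return digest, body          # unprotected, only if policy said so
    envelope = protect(key, digest, "POST", "/transfer", body)
    return digest, unprotect(key, envelope)


if __name__ == "__main__":
    key = b"constructed-pre-shared-key"   # S-HTTP would establish this, e.g. via RSA
    print(exchange(["md5", "sha256"], ServerPolicy(), key))
    try:
        exchange(["md5"], ServerPolicy(), key)
    except ValueError as err:
        print("refused:", err)
```

The strict default (`allow_plaintext_fallback=False`) is the setting a baseline-protection policy would normally want; set it to `True` only where unprotected exchanges with non-S-HTTP peers are explicitly acceptable.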

The essential differences with respect to SSL (see S 5.66) are as follows:

S-HTTP is used for protecting WWW applications. Nevertheless, malicious applets or MIME-encoded executable programs may get through to internal systems despite this protection or precisely because of it.


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999