Internet Security Professional Reference: Encryption Overview


Secure Channels

A secure channel between a web client and a web server is useful for business transactions and for privacy in general. Figure 10.3-A illustrates such a channel. Both client and server must implement the same security protocol. On initial contact they negotiate the session parameters (protocol version and cipher suite), then establish a session key that is used to encrypt all subsequent data. Once the channel is up, users can exchange e-mail, access sensitive information, buy products, and conduct legal or business transactions knowing that every transmission is encrypted and protected against tampering.

Negotiating a secure channel requires a certificate issued by a certificate authority such as Verisign, as described above: the server presents its certificate so that the client can verify whom it is talking to (client certificates are optional).

Two technologies that have been implemented to provide secure channel connections over the web are SSL (Secure Sockets Layer) and PCT (Private Communication Technology). They provide the following services:

  Authentication of the server (and optionally the client), so each party can be sure it is sending data to the intended peer and not to an impostor.
  Encryption, to hide the transmitted data from eavesdroppers.
  Integrity, to give assurance that the data was not altered in transit.

Note that the U.S. export version of SSL, which is limited to 40-bit encryption keys, was attacked and broken by exhaustive key search. PCT is an enhancement of SSL that adds several features, among them a separate key for authentication (message integrity). The export rules restricted only encryption keys, so PCT's authentication key can be full length even in an export build and is therefore stronger than the SSL export key. Microsoft and other vendors have implemented PCT.
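The three services above, and PCT's point about keeping the authentication key separate from the encryption key, are easier to see in code. The following is an added example written for this page, not code from SSL, PCT, or any vendor: one negotiated master secret is expanded into separate MAC and encryption keys (the expansion follows the shape of TLS 1.2's P_SHA256), each record is encrypted and then authenticated over its header and ciphertext, and a receiver rejects replayed or altered records. Because the Python standard library has no block cipher, the record cipher is a counter-mode keystream built from HMAC-SHA256 as the PRF; that choice, the record format, and all session values are assumptions of this example. The demo also shows why the integrity service matters: an attacker who knows the plaintext layout can edit a stream-cipher ciphertext to change the amount in a message, and only the MAC catches it.

```python
import hashlib
import hmac
import struct

# --- Key derivation: one negotiated master secret, separate keys per service ---

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """HMAC-SHA256 expansion in the shape of TLS 1.2's P_SHA256 (RFC 5246, section 5)."""
    out = b""
    a = label + seed                                   # A(0)
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()   # A(i) = HMAC(secret, A(i-1))
        out += hmac.new(secret, a + label + seed, hashlib.sha256).digest()
    return out[:length]

def derive_keys(master_secret: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Split the key block so that authentication and encryption never share a key."""
    block = prf(master_secret, b"key expansion", server_random + client_random, 64)
    return {"mac_key": block[:32], "enc_key": block[32:]}

# --- Record protection: encrypt, then authenticate header + ciphertext ---

HEADER = struct.Struct(">QH")   # sequence number, ciphertext length
TAG_LEN = 32

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Counter-mode keystream with HMAC-SHA256 as the PRF (stand-in for the negotiated cipher)."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">QQ", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:length]

def protect(keys: dict, seq: int, plaintext: bytes) -> bytes:
    ct = xor_bytes(plaintext, keystream(keys["enc_key"], seq, len(plaintext)))
    header = HEADER.pack(seq, len(ct))
    tag = hmac.new(keys["mac_key"], header + ct, hashlib.sha256).digest()
    return header + ct + tag

def unprotect(keys: dict, expected_seq: int, record: bytes):
    """Return the plaintext, or None if the record is replayed, truncated or altered."""
    if len(record) < HEADER.size + TAG_LEN:
        return None
    header = record[:HEADER.size]
    seq, length = HEADER.unpack(header)
    ct = record[HEADER.size:HEADER.size + length]
    tag = record[HEADER.size + length:]
    if seq != expected_seq or len(ct) != length or len(tag) != TAG_LEN:
        return None
    expected = hmac.new(keys["mac_key"], header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # constant-time comparison
        return None
    return xor_bytes(ct, keystream(keys["enc_key"], seq, length))

def decrypt_unauthenticated(keys: dict, record: bytes) -> bytes:
    """What a receiver that skips the integrity check would accept."""
    seq, length = HEADER.unpack(record[:HEADER.size])
    ct = record[HEADER.size:HEADER.size + length]
    return xor_bytes(ct, keystream(keys["enc_key"], seq, length))

def flip_plaintext(record: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Attacker edit: XOR the ciphertext so that plaintext bytes `old` decrypt as `new`.
    Stream-cipher malleability: needs no key, only knowledge of the plaintext layout."""
    body = bytearray(record)
    for i, d in enumerate(xor_bytes(old, new)):
        body[HEADER.size + offset + i] ^= d
    return bytes(body)

# --- Constructed session values (assumptions for this example, not real traffic) ---
MASTER_SECRET = hashlib.sha256(b"constructed master secret").digest()
CLIENT_RANDOM = bytes(range(32))
SERVER_RANDOM = bytes(range(32, 64))
KEYS = derive_keys(MASTER_SECRET, CLIENT_RANDOM, SERVER_RANDOM)

def demo() -> dict:
    msg = b"PAY amount=0100 to=acct-42"
    rec = protect(KEYS, 7, msg)
    forged = flip_plaintext(rec, msg.index(b"0100"), b"0100", b"9100")
    return {
        "roundtrip": unprotect(KEYS, 7, rec),                        # b"PAY amount=0100 to=acct-42"
        "replayed": unprotect(KEYS, 8, rec),                         # None: sequence number mismatch
        "forged_without_mac": decrypt_unauthenticated(KEYS, forged), # b"PAY amount=9100 to=acct-42"
        "forged_with_mac": unprotect(KEYS, 7, forged),               # None: tag no longer verifies
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>20}: {value!r}")
```

The sequence number is bound into the MAC, so a captured record cannot be replayed at a different position in the stream, and the tag is compared in constant time so that verification does not leak how many bytes matched.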

Because SSL and PCT slow down a communication session, they should only be used when necessary, such as when you are transferring sensitive information like credit card numbers. The public-key operations of the handshake and the encryption of every byte that follows consume processor time on both ends, so sending and receiving data takes noticeably longer under the protocol. On Microsoft's web server (Internet Information Server), SSL is therefore enabled only for directories that hold sensitive information; directories with public information do not use SSL, for performance reasons.

Several initiatives are under way to create a single unified standard for securing channels. Microsoft and Netscape are working to combine the best features of SSL and PCT, and other initiatives are in progress as well. The IETF's Transport Layer Security (TLS) working group is developing a standard based on SSL, PCT, and other transport-layer security protocols. S-HTTP (Secure HyperText Transfer Protocol) works at a higher level: it is an extension of HTTP that can secure individual HTTP messages and specific parts of web documents rather than the whole connection. S-HTTP is useful in workflow and document-routing applications where documents must be signed and verified with digital signatures.

For more information on these standards and initiatives, see the following web sites:

Table 10.4
Where to Find Information About Security Standards and Initiatives

Site Name                    Address
IETF                         http://www.ietf.org
World Wide Web Consortium    http://www.w3.org
CommerceNet                  http://www.commerce.net

Secure Internet Tunnels

Organizations can build virtual private network circuits across the Internet between their remote sites by using special encrypting routers and tunneling protocols. An encrypting router automatically encrypts all traffic that traverses the links, as shown in figures 10.3-B and 10.3-C. Usually a trusted network administrator programs the encryption keys into each device, then personally delivers and installs the devices at each site, so that the keys are never exposed in transit.

A tunnel encapsulates packets of one protocol inside IP packets so that they can be transported across the Internet from one location to another. For example, SNA or IPX traffic can be carried from site to site over the Internet in this way, with encryption applied to secure the traffic. Several tunneling protocols have been developed; you can find more information at the sites listed below.

Table 10.5
Where to Find Information About Tunneling Protocols

Site Name                                                   Address
Microsoft PPTP (Point-to-Point Tunneling Protocol)          http://www.microsoft.com
Cisco's Layer 2 Forwarding (L2F) protocol                   http://www.cisco.com
Layer 2 Tunneling Protocol (L2TP), a combination of PPTP and L2F   http://www.ietf.org
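The encapsulation step that the tunnel paragraph above describes, as an added example written for this page (it is not code from the book or from any of the vendors' implementations): a plain GRE-over-IP tunnel, the kind of carrier PPTP builds on, with the outer IPv4 header constructed and checked by hand and a constructed IPX packet as the inner protocol. The router addresses, the IPX contents, and the in-transit bit error are assumptions. Only encapsulation and header validation are shown; the encryption an encrypting router applies to the inner packet, and PPTP's extended GRE header with key and sequence fields, are left out.

```python
import socket
import struct

IP_PROTO_GRE = 47        # IP protocol number for GRE (RFC 2784)
ETHERTYPE_IPX = 0x8137   # GRE's protocol type field carries Ethertype values

def ip_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(">%dH" % (len(data) // 2), data))
    while total >> 16:                                  # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, ident: int = 1) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with the checksum filled in."""
    header = struct.pack(">BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, 0x4000, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    csum = ip_checksum(header)
    return header[:10] + struct.pack(">H", csum) + header[12:] + payload

def encapsulate(outer_src: str, outer_dst: str, inner: bytes, ethertype: int) -> bytes:
    """Wrap a non-IP packet: outer IP header, 4-byte GRE header, then the inner packet."""
    gre = struct.pack(">HH", 0, ethertype)              # no C/K/S flags, GRE version 0
    return build_ipv4(outer_src, outer_dst, IP_PROTO_GRE, gre + inner)

def decapsulate(packet: bytes):
    """Validate the outer headers and return (ethertype, inner_packet); ValueError if malformed."""
    if len(packet) < 24 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack(">H", packet[2:4])[0]
    if ihl < 20 or total_len > len(packet) or total_len < ihl + 4:
        raise ValueError("bad length fields")
    if ip_checksum(packet[:ihl]) != 0:                  # an intact header sums to zero
        raise ValueError("bad IP header checksum")
    if packet[9] != IP_PROTO_GRE:
        raise ValueError("not a GRE packet")
    flags_ver, ethertype = struct.unpack(">HH", packet[ihl:ihl + 4])
    if flags_ver != 0:
        raise ValueError("GRE version or optional fields not supported here")
    return ethertype, packet[ihl + 4:total_len]

def build_ipx(dst_net, dst_node, dst_sock, src_net, src_node, src_sock, data: bytes) -> bytes:
    """30-byte IPX header (checksum disabled = 0xFFFF, packet type 4) followed by data."""
    return struct.pack(">HHBB4s6sH4s6sH", 0xFFFF, 30 + len(data), 0, 4,
                       dst_net, dst_node, dst_sock, src_net, src_node, src_sock) + data

# Constructed sample (assumption): an IPX packet from a branch-office workstation.
SAMPLE_IPX = build_ipx(b"\x00\x00\x00\x10", b"\x00\x00\x1b\x01\x02\x03", 0x0451,
                       b"\x00\x00\x00\x20", b"\x00\x00\x1b\x0a\x0b\x0c", 0x4001, b"NCP request")

def tunnel_roundtrip():
    """Encapsulate at one router, decapsulate at the other (assumed addresses)."""
    wire = encapsulate("198.51.100.1", "203.0.113.1", SAMPLE_IPX, ETHERTYPE_IPX)
    return wire, decapsulate(wire)

def corrupt_in_transit(wire: bytes) -> bytes:
    """Flip one bit of the outer destination address without fixing the checksum."""
    damaged = bytearray(wire)
    damaged[16] ^= 0x01
    return bytes(damaged)

def is_rejected(packet: bytes) -> bool:
    try:
        decapsulate(packet)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    wire, (ethertype, inner) = tunnel_roundtrip()
    print(len(wire), hex(ethertype), inner == SAMPLE_IPX, is_rejected(corrupt_in_transit(wire)))
```

The decapsulating end trusts nothing in the outer packet until the length fields, header checksum, protocol number and GRE flags have been checked; a real tunnel endpoint additionally authenticates and decrypts the inner packet before forwarding it onto the private network.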

Whether the Internet is ready for tunnels is another matter. In most cases it has too many bottlenecks for an organization to run time-sensitive (real-time) applications over it. As throughput increases, running such applications over Internet tunnels may become a more viable option.

