30-01-2013, 01:46 PM
WEB Security
Web Security Considerations
The WEB is easily accessible worldwide.
Complex software hides many security flaws.
Users are not trained in computer security and are not aware of the risks.
A Web server can be exploited as a launching pad into a corporation’s entire computer complex.
Web Security Approaches
1. Use IPSec (at the network level):
Provides a general purpose solution.
Transparent to end users and applications.
IPSec filtering capability: only selected traffic needs to incur the overhead of IPSec processing.
2. Implement just above TCP:
Provides a general purpose solution.
Examples: SSL/TLS.
As part of the underlying protocol suite, it is transparent to the applications.
SSL can also be embedded in applications. (Explorer browsers are equipped with SSL.)
3. Application Level:
Security services are embedded within an application.
Security service can be tailored for specific needs of an application.
Example: Secure Electronic Transaction (SET).
Secure Socket Layer (SSL)
Implements three cryptographic assurances:
1. Authentication.
2. Confidentiality.
3. Message integrity.
Also provides secure key exchange between a browser (client) and server.
Provides security parameters negotiation.
Does not offer non-repudiation.
Transport Layer Security (TLS)
Uses the same record format as SSL.
Defined in RFC 2246.
Similar to SSLv3.
Differences:
1. Version number: for the current version of TLS, the major version is 3 and the minor version is 1.
2. Message authentication code: TLS differs in the actual algorithm and the scope of the MAC calculation (what is covered by it).
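As an added example (not part of the post), the two record MAC constructions the last item contrasts, written out in Python from RFC 6101 (SSL 3.0) and RFC 2246 (TLS 1.0); the key, sequence number and record fragment are constructed values.

```python
import hashlib
import hmac
import struct

# SSL 3.0 pad lengths (RFC 6101 5.2.3.1): 48 bytes for MD5, 40 for SHA-1.
SSL3_PAD_LEN = {"md5": 48, "sha1": 40}


def ssl3_record_mac(mac_secret: bytes, seq_num: int, content_type: int,
                    fragment: bytes, hash_name: str = "sha1") -> bytes:
    """SSL 3.0 MAC: an ad hoc nested hash with fixed 0x36/0x5c pads.
    Scope: 64-bit sequence number, content type, length, fragment."""
    def h(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    pad1 = b"\x36" * SSL3_PAD_LEN[hash_name]
    pad2 = b"\x5c" * SSL3_PAD_LEN[hash_name]
    header = struct.pack("!QBH", seq_num, content_type, len(fragment))
    inner = h(mac_secret + pad1 + header + fragment)
    return h(mac_secret + pad2 + inner)


def tls10_record_mac(mac_secret: bytes, seq_num: int, content_type: int,
                     fragment: bytes, hash_name: str = "sha1") -> bytes:
    """TLS 1.0 MAC: standard HMAC (RFC 2104), and the protocol version
    {3, 1} is added to the authenticated header, widening the MAC's scope."""
    header = struct.pack("!QBBBH", seq_num, content_type, 3, 1, len(fragment))
    return hmac.new(mac_secret, header + fragment, hash_name).digest()


def compare_macs(mac_secret: bytes, seq_num: int, fragment: bytes) -> dict:
    """Compute both MACs for one application-data record (content type 23)."""
    return {
        "ssl3": ssl3_record_mac(mac_secret, seq_num, 23, fragment),
        "tls10": tls10_record_mac(mac_secret, seq_num, 23, fragment),
    }


if __name__ == "__main__":
    # Constructed sample values, not real session material.
    macs = compare_macs(b"\x0b" * 20, 0, b"GET / HTTP/1.0\r\n\r\n")
    for name, tag in macs.items():
        print(f"{name:6} {tag.hex()}")
```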