HTTP Security with SSL - JohnHau/mis GitHub Wiki

https://www3.ntu.edu.sg/home/ehchua/programming/

HTTP Security A secure system shall provide the following assurances:

Authentication: "The person is who he says he is." This is usually carried out via "username and password". Other techniques include smart card and biometrics (retina scan, voice recognition, or fingerprints verification). Message Confidentiality: The message is encrypted. Eavesdroppers or network snifter can not recover the plaintext from ciphertext. Message Integrity: The message was not tempered with during transmission (e.g., man-in-the-middle attack). Non-repudiation: The sender cannot deny he has sent the message. HTTP supports two user authentication schemes: Basic Access Authentication and Digest Access Authentication. Basic Access Authentication is neither safe nor secure, as the username/password is sent in cleartext. Digest Access Authentication scheme is better. In the digest scheme, password is not sent, instead a digest of password is sent. Eavesdroppers cannot recover the password from the digest intercepted. Furthermore, a server's nounce is used to deter replay attack, as the digest value taken with the server's nounce is valid only for that particular session. The digest scheme, however, does not ensure message confidentiality, message integrity and non-repudiation.

Secure Socket Layout (SSL) is probably the best answer to HTTP security. This chapter briefly touches the SSL. SSL is an advanced topic, which cannot be covered in one chapter and deserves a book by itself.

Introduction to SSL/TLS Secure Socket Layer (SSL), also known as Transfer Layer Security (TLS), is a security protocol that implements three cryptographic assurances: user authentication, message confidentiality and message integrity. SSL/TLS uses public key cryptography for authentication and exchange of a shared secret session key. It then uses secret session key to encrypt the messages to assure confidentiality. It also uses message digest to assure message integrity.

SSL/TLS does not assure non-repudiation. It is because SSL/TLS uses secret key cryptography for message exchange, which cannot assure non-repudiation. It is because the secret key is shared by both parties. Consequently, both parties can produce the ciphertext and you cannot pin-point who actually sent the message.

SSL/TLS is meant for client-server communication and not for peer-to-peer network. SSL/TLS is usually run below the HTTP and on top of TCP/IP for secure exchange between an HTTP server and HTTP client. SSL/TLS can also be used for other application protocols, such as FTP, SMTP and VPN.

SSL was developed by Netscape. The original SSL version 2 (SSLv2) specification was released in 1994, and deployed on Netscape Navigator v1.1 in March 1995. Netscape released SSL version 3 (SSLv3) in late 1995 to plug the security holes in SSLv2.

In May 1996, IETF (Internet Engineering Task Force) formed a Transport Layer Security (TLS) committee for standardize the SSL. IETF published the TLS version 1 (TLSv1) as RFC 2246 in 1999. TLSv1 is based on SSLv3, which is often regarded as SSLv3.1.

Installing & Configuring HTTP with SSL (HTTPS) [TODO]

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

image

REFERENCES & RESOURCES RFC 1945 "Hypertext Transfer Protocol HTTP/1.0", 1996. RFC 2616 "Hypertext Transfer Protocol HTTP/1.1", 1999. RFC 2617 "HTTP Authentication: Basic and Digest Access Authentication", 1999. RFC 1321 "The MD5 Message Digest Algorithm", 1992. RFC 2630 "Cryptographic Message Syntax", 1999. "How SSL works" @ http://developer.netscape.com/tech/security/ssl/howitworks.html. [SSLv3] Freier A., Karlton P., and Kocher P., "The SSL Protocol v3.0", Netscape, 1996, @ http://www.netscape.com/eng/ssl3/draft302.txt. [SSLv2] Hickman K. E. B., "The SSL Protocol v2", Netscape, 1995 @ http://www.netscape.com/eng/security/SSL_2.html. RFC 2246 "The TLS Protocol v1.0", T. Dierks and C. Allen, 1999. OpenSSL project @ www.openssl.org Mod_SSL project @ www.modssl.org ITU Recommendation X.509 "The Directory - Authentication Framework", 1988. Stallings W., "Cryptography and Network Security, Principles and Practices", 3rd eds, Prentice Hall, 2003. Rescorla E., "SSL and TLS, Designing and Building Secure Systems", Addison Wesley, 2001. Hahate A., "Cryptography and Network Security", McGraw Hill, 2003. Wagner, D., and Schneier, B., "Analysis of the SSL 3.0 protocol", 1997. Kalikski B. S., "A Layman's Guide to a Subset of ASN.1, BER, and DER", Technical Note, RSA Laboratories, 1993. "RSA Crytography Standard Version 2.1", RSA Laboratories, 2001. Stephen T. A., "SSL & TLS Essentials: Securing the Web", John Wiley & Sons, 2000. Sigle R., "Building a Secure RedHat Apache Server HOWTO", Linux Documentation Project, 2001. Mel H. X., and Baker D., "Cryptography Decrypted", Addison Wesley, 2001.