Software Architecture-Assignment
2010/MCS/051
Security and the web. E-commerce applications running over the HTTP protocol need to offer
secure processing to clients. For this topic, you could look at SSL (Secure Sockets Layer) and
its underlying security concepts. This is a theoretical topic.
1. Introduction
2. Web server
Figure 1 shows a typical architecture in which Internet clients connect to a Web Server using
a Web Browser.
Figure 1
Current web sites face two issues that directly affect site scalability. First,
the web community is growing day after day, exponentially increasing the load that sites
must support to satisfy all client requests. Second, dynamic web content is becoming
popular on current sites. At the same time, all information that is confidential or has
market value must be carefully protected when transmitted over the open Internet.
Security between network nodes over the Internet is traditionally provided using HTTPS.
With HTTPS, which is based on using HTTP over SSL (Secure Sockets Layer), you can
perform the usual authentication of both the sender and receiver of messages and ensure
message confidentiality. This process involves X.509 certificates that are configured on both
sides of the connection. This widespread diffusion of dynamic web content and SSL
increases the performance demand on application servers that host the sites.
The Transmission Control Protocol/Internet Protocol (TCP/IP) governs the transport and
routing of data over the Internet. Other protocols, such as the Hypertext Transfer Protocol
(HTTP), Lightweight Directory Access Protocol (LDAP), or Internet Message Access
Protocol (IMAP), run "on top of" TCP/IP in the sense that they all use TCP/IP to support
typical application tasks such as displaying web pages or running email servers.
Figure 2
Processing transactions securely on the web means that we need to be able to transmit
information between the web site and the customer in a manner that makes it difficult for
other people to intercept and read. SSL works through a combination of programs and
encryption/decryption routines that exist on the web server computer and in web browsers
(like Netscape/Firefox and Internet Explorer) used by the Internet public.
SSL certificates become the "passport", the digital document that verifies the security
and authenticity of the interaction. The SSL certificate is installed on a web server to identify
the business using it to encrypt sensitive data such as credit card information. SSL certificates
give a website the ability to communicate securely with its web customers. Without a
certificate, any information sent from a user’s computer to a website can be intercepted and
viewed by hackers and fraudsters. It is similar to the difference between sending a postcard
and a tamper-proof sealed envelope.
SSL Certificate interaction with the Browser and the Server (see Figure 3 below)
• The browser checks the certificate to make sure that the site you are connecting to is the
real site and not someone intercepting.
• The browser and server determine the encryption types that they can both use to
understand each other.
• The browser and server send each other unique codes to use when scrambling (or encrypting)
the information that will be sent.
• The browser and server start talking using the encryption, the web browser shows the
encrypting icon, and web pages are processed securely.
Interaction Between Web Server and Web Browser
Figure 3
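The four steps above can be observed from the client side with Python's standard `ssl` module. This is an added example, not part of the original assignment; the function names are hypothetical, and `handshake_summary` needs network access to a host of your choice.

```python
import socket
import ssl

def strict_client_context() -> ssl.SSLContext:
    """Client settings that perform the certificate check from the first step."""
    ctx = ssl.create_default_context()            # trusted CAs, hostname check on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3 / TLS 1.0 / 1.1
    return ctx

def weak_context() -> ssl.SSLContext:
    """The misconfiguration to look for: encryption without authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # has to be switched off before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def audit_context(ctx: ssl.SSLContext) -> list:
    """List the reasons this context would accept an impersonated server."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate name is not matched against the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy protocol versions are allowed")
    return findings

def handshake_summary(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Run a real handshake and report what browser and server agreed on."""
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        # wrap_socket runs the handshake and raises
        # ssl.SSLCertVerificationError if the certificate check fails.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            cipher_name, _, secret_bits = tls.cipher()
            return {
                "protocol": tls.version(),         # negotiated protocol version
                "cipher": cipher_name,             # negotiated encryption type
                "secret_bits": secret_bits,        # session key strength
                "subject": dict(rdn[0] for rdn in cert["subject"]),
                "not_after": cert["notAfter"],
            }
```

A context that reports no findings still encrypts exactly as the weak one does; the difference is only whether the server's identity was checked before the keys were exchanged.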
5. How SSL Works to Secure Privacy
Cryptography
• SSL protects confidential information using cryptography. Sensitive data is encrypted
across public networks to achieve a high level of confidentiality. Primarily, PKI utilizes
asymmetric cryptography that is considered more secure than symmetric cryptography.
• Simply put, asymmetric algorithms use one key for encryption of data and a separate
key for decryption. Asymmetric algorithms are stronger than symmetric algorithms
because even if the encryption key is learned in one direction, the third party still needs to
know the other key in order to decrypt the message in the other direction.
• The primary benefit of asymmetric encryption (also referred to as PKI) is that both sides
can spontaneously initiate a transaction without ever having met. This is achieved by the
use of a public and private key pair. The public key of the entity is public knowledge and
is used for encryption, whereas the private key of the entity remains secret and is used for
decryption.
• Although PKI is more secure, it is also more expensive in terms of processing speed:
encryption/decryption in PKI can take up to 1000 times the processing of symmetric
cryptography.
Public and Private Keys
SSL, generally speaking, takes advantage of the strengths of both public-key and
symmetric-key encryption technologies. Public-key technologies both securely
authenticate clients and servers and exchange the secret symmetric keys used in the
encryption sessions. SSL certificates in particular have a public key and a private key: a
public key to encrypt information and a private key to decipher it. When a browser
points to a secured domain, a Secure Sockets Layer handshake authenticates the server and
the client and establishes an encryption method and a unique session key. They can then
begin a secure session that guarantees message privacy and message integrity.
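The division of labour described above (public key to move the session key, symmetric key for the data, a MAC for integrity) can be traced in a small model. This is an added teaching example, not the SSL record protocol and not from the original assignment: the RSA key is a constructed toy without padding, the stream cipher is a hash-based stand-in, all names are hypothetical, and one session key protects a single record.

```python
import hashlib
import hmac
import secrets

# Constructed toy RSA key pair built from two Mersenne primes. Far too small
# for real use and unpadded; it only makes the data flow visible.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key (carried in the certificate)
D = pow(E, -1, (P - 1) * (Q - 1))        # private key (never leaves the server)

def wrap_session_key(session_key: bytes) -> int:
    """Browser side: encrypt the session key with the server's public key."""
    return pow(int.from_bytes(session_key, "big"), E, N)

def unwrap_session_key(wrapped: int) -> bytes:
    """Server side: recover the 128-bit session key with the private key."""
    return pow(wrapped, D, N).to_bytes(16, "big")

def _xor_stream(data: bytes, session_key: bytes) -> bytes:
    # Hash-based keystream as a stand-in for a real symmetric cipher.
    blocks = (hashlib.sha256(session_key + b"enc" + i.to_bytes(8, "big")).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(session_key: bytes, plaintext: bytes) -> bytes:
    """Symmetric step: encrypt, then append a MAC over the ciphertext."""
    ciphertext = _xor_stream(plaintext, session_key)
    tag = hmac.new(session_key + b"mac", ciphertext, hashlib.sha256).digest()
    return ciphertext + tag

def unseal(session_key: bytes, blob: bytes) -> bytes:
    """Reject any record whose MAC does not verify, then decrypt."""
    ciphertext, tag = blob[:-32], blob[-32:]
    expected = hmac.new(session_key + b"mac", ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("record failed integrity check")
    return _xor_stream(ciphertext, session_key)

def demo() -> bytes:
    browser_key = secrets.token_bytes(16)                      # chosen by the browser
    server_key = unwrap_session_key(wrap_session_key(browser_key))
    record = seal(browser_key, b"order #1001: 2 items")       # constructed message
    return unseal(server_key, record)                          # server reads it
```

The expensive public-key operation runs once per session, on 16 bytes; every byte of application data goes through the cheap symmetric path.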
SSL Certificates help prevent someone from impersonating the server with a false key.
In particular, SSL uses digital certificates that act as digital documents that will attest to
the binding of a public key to an individual or other entity. They provide verification of
the claim that a specific public key does, in fact, belong to the specified entity.
These certificates use X.509 standards to validate identities. X.509 certificates contain
information about the entity, including public key and name. The role of the certificate
authority then is to validate this certificate.
Card Details
Even if the transaction between customer and merchant is secure, the merchant will have
the customer’s credit card details, probably in a database. How safe are these details? Is
it possible for someone to steal them?
9. Future
SSL is the dominant application for e-commerce. Most Web Stores use SSL for security.
While there are other alternatives out there, SSL is the most widely used security application.
With 128-bit encryption soon to be available, SSL will be around for a few more years. In the
future it is unlikely SSL will be completely replaced. It will probably be combined with other
applications/technologies to produce a better product.