Advanced Software Engineering (ASE) - MCS 1020

Software Architecture-Assignment
2010/MCS/051

Security and the web. E-commerce applications running over the HTTP protocol need to offer
secure processing to clients. For this topic, you could look at SSL (Secure Sockets Layer) and
its underlying security concepts. This is a theoretical topic.

Security and the web

1. Introduction

Most e-commerce applications are distributed applications based on the well-known

client/server paradigm that reside mostly in an application server and that are usually
accessed by a remote thin web client. The communication protocol between the server and
the client is the Hypertext Transfer Protocol (HTTP), which in the server side is parsed and
processed by a component of the application server that is commonly known as the web
container. Most generally, a web container can be considered as a web server that can support
some language extensions to create more flexible web applications.

2. Web server

Figure 1 shows a typical architecture in which Internet clients connect to Web Server using
Web Browser

Figure 1

Current web sites have to face two issues that affect directly to the site scalability. First,
the web community is growing day after day, increasing exponentially the load that sites
must support to satisfy all clients requests. Second, dynamic web content is becoming
popular on current sites. At the same time, all information that is confidential or has
 market value must be carefully protected when transmitted over the open Internet.

3. HTTP and HTTPS

Security between network nodes over the Internet is traditionally provided using HTTPS .
With HTTPS, which is based on using HTTP over SSL (Secure Socket Layer), you can
perform usual authentication of both the sender and receiver of messages and ensure
message confidentiality. This process involves X.509 certificates that are configured on both
sides of the connection. This widespread diffusion of dynamic web content and SSL
increases the performance demand on application servers that host the sites.

4. The SSL Protocol

The Transmission Control Protocol/Internet Protocol (TCP/IP) governs the transport and
routing of data over the Internet. Other protocols, such as the Hyper Text Transport Protocol
(HTTP), Lightweight Directory Access Protocol (LDAP), or Internet Messaging Access
Protocol (IMAP), run "on top of" TCP/IP in the sense that they all use TCP/IP to support
typical application tasks such as displaying web pages or running email servers.

Figure 2

How SSL works

Processing transactions securely on the web means that we need to be able to transmit
information between the web site and the customer in a manner that makes it difficult for
other people to intercept and read. SSL works through a combination of programs and
encryption/decryption routines that exist on the web server computer and in web browsers
(like Netscape/Firefox and Internet Explorer) used by the Internet public

What is an SSL Certificate?

SSL certificates becomes the "passport" or the digital document that verify that the security
and authenticity of the interaction. The SSL certificate is installed on a web server to identify
the business using it to encrypt sensitive data such as credit card information. SSL certificates
give a website the ability to communicate securely with its web customers. Without a
certificate, any information sent from a user’s computer to a website can be intercepted and
viewed by hackers and fraudsters. It is similar to the difference between sending a post card
and a tamper proof sealed envelope.

SSL Certificate interaction with the Browser and the Server (see Figure 3 below)
• Browser checks the certificate to make sure that the site you are connecting to is the real
site and not someone intercepting.
• Determine encryption types that the browser and web site server can both use to
understand each other.
• Browser and Server send each other unique codes to use when scrambling (or encrypting)
the information that will be sent.
• The browser and server start talking using the encryption, the web browser shows the
encrypting icon, and web pages are processed secured. Interaction Between Web Server
and Web Browser

Figure 3
5. How SSL Works to Secure Privacy
Cryptography
• SSL protects confidential information using cryptography. Sensitive data is encrypted
across public networks to achieve a high level of confidentiality. Primarily, PKI utilizes
asymmetric cryptography that is considered more secure than symmetric cryptography.
• Simply, asymmetric algorithms use one key for encryption of data, and then a separate
key for decryption. Asymmetric algorithms are stronger than symmetric algorithms
because even if the encryption key is learned in one direction, the third party still needs to
know the other key in order to decrypt the message in the other direction.
• The primary benefit of asymmetric encryption (also referred to as PKI) is that both sides
can spontaneously initiate a transaction without ever having met. This is achieved by the
use of a public and private key pair. The public key of the entity is public knowledge and
is used for encryption, whereas the private key of the entity remains secret and is used for
decryption.
• Although PKI is more secure, it also is more expensive in terms of processing speed and
encryption/ decryption (in PKI) can take up to 1000 times the processing than symmetric
cryptography.
Public and Private Keys
SSL, generally speaking, takes advantage of the strengths of both public-key and
symmetric-key encryption technologies. Public-key technologies both securely
authenticate clients and servers and exchange trade secret symmetric keys used in the
encryption sessions. SSL certificates in particular have a public key and a private key – a
public key to encrypt information and the private key to decipher it. When a browser
points to a secured domain, a secure sockets layer handshake authenticates the server and
the client and establishes an encryption method and a unique session key. They can begin
a secure session that guarantees message privacy and message integrity.
SSL Certificates help prevent someone from impersonating the server with a false key
In particular, SSL uses digital certificates that act as digital documents that will attest to
the binding of a public key to an individual or other entity. They provide verification of
the claim that a specific public key does, in fact, belong to the specified entity.
These certificates use X.509 standards to validate identities. X.509 certificates contain
information about the entity, including public key and name. The role of the certificate
authority then is to validate this certificate.

6. Strengths of The SSL Protocol

Brute Force Attack Against Strong Ciphers
Replay Attack
Man-In-The-Middle Attack
7. Weaknesses of The SSL Protocol
Brute Force Attack Against Weak Ciphers
Renegotiation of Session Keys
8. Advantages/Disadvantages
Advantages
Privacy
Privacy is given through encryption. Although information can still be intercepted by a
third party, they will be unable to read any information as they have no access to the
encryption key.
Integrity
Integrity is also ensured through encryption. If information is received that will not
decrypt properly then the recipient knows that the information has been tampered with
during transmission.
Authentication
Authentication is provided through digital certificates.
Large Browser Deployment
Virtually everybody that uses the internet uses a version of either Internet Explorer or
Netscape Navigator. Both browsers support SSL. Therefore potential customers on the
Internet don’t need any software.
Disadvantages
Uncertainty
Many people feel unsafe giving their credit card details over the Internet. This is the
biggest problem e-commerce faces. Even though giving your credit card details over the
phone is less secure, there still exists a perception that using the internet is not safe.
Key Size
SSL is limited to 40 bit keys. Even though it is very difficult to break 40 bit encryption, it
is still possible.

Card Details
Even if the transaction between customer and merchant is secure, the merchant will have
the customer’s credit card details, probably on a database. How safe are these details? Is
it possible for someone to steal them.
9. Future

SSL is the dominant application for e-commerce. Most Web Stores use SSL for security.
While there are other alternatives out there, SSL is the most widely used security application.
With 128 bit encryption soon to be available, SSL will be around for a few more years. In the
future it is unlikely SSL will be completely replaced. It will probably be combined with other
applications/technologies to produce a better product.