Web Security, Privacy & Commerce, Second Edition
By Simson Garfinkel with Gene Spafford
November 2001
Pages: 786



Table of Contents

Chapter 1: The Web Security Landscape
This chapter looks at the basics of web security. We'll discuss the risks of running a web server on the Internet and give you a framework for understanding how to mitigate those risks. We'll look at the risks that the Web poses for users—people who simply want to use the Web to get information or participate in online communities. And we'll look at the hype surrounding web security, analyze what companies (probably) mean when they use the phrase "secure web server," and discuss overall strategies for reducing the risks associated with the World Wide Web.
Additional content appearing in this section has been removed.
Purchase this book now or read it online at Safari to get the whole thing!
The Web Security Problem
When we published the first edition of Practical Unix Security in 1991, we gave a simple definition of computer security:
A computer is secure if you can depend on it and its software to behave as you expect.
This definition has stood the test of time. Whether you are talking about a complex attack such as cross-site scripting, or you are discussing the age-old problem of password sharing, the fundamental goal of computer security is to minimize surprise and to have computers behave as we expect them to behave. Our definition puts forth a holistic approach to protecting computers and the information that they contain: a web site is as dead if it is compromised by an attacker as it is if the sole web server on which the site resides washes away in a flood. Web security, then, is a set of procedures, practices, and technologies for assuring the reliable, predictable operation of web servers, web browsers, other programs that communicate with web servers, and the surrounding Internet infrastructure. Unfortunately, the sheer scale and complexity of the Web makes the problem of web security dramatically more complex than the problem of Internet security in general.
Today's web security problem has three primary facets:
Securing the web server and the data that is on it
You need to be sure that the server can continue its operation, that the information on the server cannot be modified without authorization, and that the information is only distributed to those individuals to whom you want it distributed.
Securing information that travels between the web server and the user
You would like to assure that information the user supplies to the web server (usernames, passwords, financial information, the names of web pages visited, etc.) cannot be read, modified, or destroyed by any third parties. You want similar protection for the information that flows back from the web servers to the users. It is also important to assure that the link between the user and the web server cannot be easily disrupted.
Additional content appearing in this section has been removed.
Risk Analysis and Best Practices
Security is most often viewed as a process that is designed to prevent something from happening. As a result, people often approach computer security by thinking about the risks that they face and then formulating strategies for minimizing or mitigating these risks. One traditional way to approach this problem is with the process of risk analysis, a technique that involves gauging the likelihood of each risk, evaluating the potential for damage that each risk entails, and addressing the risks in some kind of systematic order.
Risk analysis has a long and successful history in the fields of public safety and civil engineering. Consider the construction of a suspension bridge. It's a relatively straightforward matter to determine how much stress cars, trucks, and weather on a bridge will place on the bridge's cables. Knowing the anticipated stress, an engineer can compute the chance that the bridge will collapse over the course of its life given certain design and construction choices. Given the bridge's width, length, height, anticipated traffic, and other factors, an engineer can compute the projected destruction to life, property, and commuting patterns that would result from the bridge's failure. All of this information can be used to calculate cost-effective design decisions and a reasonable maintenance schedule for the bridge's owners to follow.
Unfortunately, the application of risk analysis to the field of computer security has been less successful. Risk analysis depends on the ability to gauge the likelihood of each risk, identify the factors that enable those risks, and calculate the potential impact of various choices—figures that are devilishly hard to pin down. How do you calculate the risk that an attacker will be able to obtain system administrator privileges on your web server? Does this risk increase over time, as new security vulnerabilities are discovered, or does it decrease over time, as the vulnerabilities are publicized and corrected? Does a well-maintained system become less secure or more secure over time? And how do you calculate the likely damages of a successful penetration? Unfortunately, few statistical, scientific studies have been performed on these questions. Many people think they know the answers to these questions, but research has shown that people badly estimate risk based on personal experience.
Additional content appearing in this section has been removed.
Chapter 2: The Architecture of the World Wide Web
In this chapter, we'll look at the technological underpinnings of the World Wide Web and of the Internet, the computer network on which the Web is based.
Before we begin our detailed discussion of web security, it is important to explain the basic mechanics of how the Internet and the Web work. It's also important to introduce the terminology that this book uses. And finally, to understand where the Web is today, it's useful to review the history of basic networking and the Internet.
Additional content appearing in this section has been removed.
History and Terminology
The success of the Internet has been nothing short of phenomenal. It's difficult to remember that the Internet is more than 25 years old and that the Web has existed for more than a decade. Although it's increasingly difficult to remember what business was like in the age before the Internet, the vast majority of today's Internet users have had email and dialup access to the World Wide Web for less than five years, and more than half probably gained their first access during the last 18 months.
It's easy to attribute the success of the Internet and the Web to a combination of market need, determinism, and consumerism. It's possible to argue that the critical mass of reasonably powerful desktop computers, reasonably fast modems, and reasonably sophisticated computer users made it inevitable that something like the Web would be deployed in the mid-1990s and that it would gain mass appeal. The world was ripe for the Web.
It's also possible to argue that the Web was pushed on the world by companies including IBM, Cisco, Dell, and Compaq—companies that engaged in huge advertising campaigns designed to convince business leaders that they would fail if they did not go online. Certainly, the apparent success of a large number of venture capital-financed Internet startups such as Amazon.com, Yahoo, and VeriSign helped to create a climate of fear among many "old economy" CEOs at the end of the 20th century; the rapid growth of the Internet-based firms, and their astonishing valuations by Wall Street, made many firms feel that their only choice for continued survival was to go online.
But such arguments are almost certainly flawed. It is a mistake to attribute the success of the Internet and the Web to a combination of timing and market forces. After all, the Internet was just one of many large-scale computer networks that were deployed in the 1970s, 80s, and 90s—and it was never considered the network "most likely to succeed." Instead, for many years most industry watchers were placing their bets on a network called the Open System Interconnection (OSI). As examples, IBM and HP spent hundreds of millions of dollars developing OSI products; OSI was mandated by the U.S. government, which even in the 1990s saw the Internet and TCP/IP as a transitional step.
Additional content appearing in this section has been removed.
A Packet's Tour of the Web
The easiest way to explain the functioning of the Web today is to explore what happens when you start a web browser and attempt to view a page on the Internet.
Every computer manufactured today is equipped with a small memory chip that holds its information even when the computer is turned off. When you turn on your computer, the computer's microprocessor starts executing a small program that is stored on this memory chip. The program is called the computer's Basic Input Output System, or BIOS. The BIOS has the ability to display simple information on the computer's screen, to read keystrokes from the keyboard, to determine how much memory is in the computer, and to copy the first few blocks of the computer's disk drive into memory and execute them.
The first few blocks of the computer's hard drive contain a program called the bootstrap loader. The bootstrap loader reads in the first part of the computer's operating system from storage (on a disk or CD-ROM), which loads in the rest of the computer's operating system, which starts a multitude of individual programs running. Some of these programs configure the computer's hardware to run the operating system, others perform basic housekeeping, and still others are run for historical reasons—whether that is to assure compatibility with previous generations of operating systems, or because developers at the company that created the operating system forgot to take the programs out of the system before it was shipped.
The computer may finally prompt you for a username and password. This information is used to "log in" (authenticate) to the computer—that is, to set up the computer for a particular user's preferences and personal information, and possibly to gain access to network resources shared with other computers local to your organization. Finally, the computer starts up a graphical user interface, which displays the computer's desktop. Simson's desktop computer's screen is shown in Figure 2-4.
Additional content appearing in this section has been removed.
Who Owns the Internet?
Now that we've seen how the underlying Internet technology works, the next logical question to ask is, "Who do you complain to when the Internet stops working?" Another way of asking this question is, "Who runs the Internet?" And who owns it?
The Internet is a large, distributed network operated by millions of individuals and organizations. As such, it doesn't have a single owner—it has many of them. When your computer is connected to the Internet it literally becomes part of the network, so in a very real sense you are one of the Internet's owners. But don't get carried away: you only own a very small part.
Let's look at the various other "owners" of the Internet.
There are many ways that you can connect to the Internet. You can use a dial-up modem, a DSL line, an ISDN connection, a cable modem, or even a wireless link through your cellular phone. But no matter what sort of digital pipe you use to make the connection, at the other end of the pipe there needs to be a computer that receives your packets and routes them to other computers on the network.
The organization that operates the equipment on the other side of your Internet connection is referred to as an Internet service provider (ISP). The first ISPs were universities and research labs. They provided Internet service for their employees, students, affiliates, and frequently friends and family of the system operators.
Over the past two decades, the world of ISPs has been transformed. In the late 1980s, before commercial use of the Internet was allowed, most ISPs were poorly-funded small businesses run by the early Internet entrepreneurs. In the 1990s some of these ISPs grew large enough on their own funds that they could service tens or hundreds of thousands of customers. Others arranged for outside funding. Still more ISPs were started by wealthy individuals, banks, or venture capital funds, all seeking to get in on the Internet gold rush.
Today many universities still provide Internet service to their staff and students, and there are thousands of relatively small ISPs that provide service to a few thousand customers. But by far the majority of people who use the Internet in the United States now get their Internet service from a large ISP. Some of these large ISPs are either owned outright or affiliated with existing telephone companies and cable TV companies.
Additional content appearing in this section has been removed.
Chapter 3: Cryptography Basics
This chapter explains the basics of cryptography, on which many secure Internet protocols are based. Cryptography is a complex topic and in this chapter we're obviously presenting only a summary. Chapter 4 describes how cryptography is used today on the Web. For more complete information on cryptography concepts and algorithms, see the references in Appendix E.
Additional content appearing in this section has been removed.
Understanding Cryptography
Cryptography is a collection of mathematical techniques for protecting information. Using cryptography, you can transform written words and other kinds of messages so that they are unintelligible to anyone who does not possess a specific mathematical key necessary to unlock the message. The process of using cryptography to scramble a message is called encryption. The process of unscrambling the message by use of the appropriate key is called decryption. Figure 3-1 illustrates how these two processes fit together.
Figure 3-1: Encryption is a process that uses a key to transform a block of plaintext into an encrypted ciphertext. Decryption is the process that takes an encrypted ciphertext and a decryption key and produces the original plaintext.
Cryptography is used to prevent information from being accessed by an unauthorized recipient. In theory, once a piece of information is encrypted, that information can be accidentally disclosed or intercepted by a third party without compromising the security of the information, provided that the key necessary to decrypt the information is not disclosed and that the method of encryption will resist attempts to decrypt the message without the key.
For example, here is a message that you might want to encrypt:
SSL is a cryptographic protocol
And here is the message after it has been encrypted:
Because the decryption key is not shown, it should not be practical to take the preceding line of gibberish and turn it back into the original message.
The science of cryptography is thousands of years old. In his book The Code Breakers
Additional content appearing in this section has been removed.
Symmetric Key Algorithms
Symmetric key algorithms are for the bulk encryption of data or data streams. These algorithms are designed to be very fast and have a large number of possible keys. The best symmetric key algorithms offer excellent secrecy; once data is encrypted with a given key, there is no fast way to decrypt the data without possessing the same key.
Symmetric key algorithms can be divided into two categories: block and stream. Block algorithms encrypt data a block (many bytes) at a time, while stream algorithms encrypt byte-by-byte (or even bit-by-bit).
Different encryption algorithms are not equal. Some systems are not very good at protecting data, allowing encrypted information to be decrypted without knowledge of the requisite key. Others are quite resistant to even the most determined attack. The ability of a cryptographic system to protect information from attack is called its strength. Strength depends on many factors, including:
  • The secrecy of the key.
  • The difficulty of guessing the key or trying out all possible keys (a key search). Longer keys are generally more difficult to guess or find.
  • The difficulty of inverting the encryption algorithm without knowing the encryption key (breaking the encryption algorithm).
  • The existence (or lack) of back doors, or additional ways by which an encrypted file can be decrypted more easily without knowing the key.
  • The ability to decrypt an entire encrypted message if you know the way that a portion of it decrypts (called a known plaintext attack).
  • The properties of the plaintext and knowledge of those properties by an attacker. For example, a cryptographic system may be vulnerable to attack if all messages encrypted with it begin or end with a known piece of plaintext. These kinds of regularities were used by the Allies to crack the German Enigma cipher during World War II.
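The following Python program is added here as an example; it is not code from the book. It makes two of the factors above concrete using a toy cipher constructed for the purpose (repeating-key XOR, the simplest possible stream cipher). A known-plaintext attack recovers the key from the book's sample message once the attacker knows how the message begins, and an exhaustive key search finds a 16-bit key in a fraction of a second. The key, the key length and the crib word are all choices made for the example.

```python
import itertools


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher constructed for this example: each byte of data is
    XORed with the key, repeating the key as needed.  XOR is its own inverse,
    so one function both encrypts and decrypts.  Not a real cipher."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_from_known_plaintext(ciphertext: bytes, known_plaintext: bytes,
                                     key_len: int) -> bytes:
    """Known-plaintext attack.  Every ciphertext byte is c = p XOR k, so an
    attacker who knows the first key_len plaintext bytes (a standard greeting,
    a protocol banner, a file header) gets the whole key as k = c XOR p and can
    then read every other message sent under that key."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def brute_force_key(ciphertext: bytes, key_len: int, crib: bytes):
    """Exhaustive key search.  Tries all 256**key_len keys and returns the first
    whose decryption contains the crib, a word the attacker expects to appear.
    The work doubles with every added key bit, which is why key length matters."""
    for candidate in itertools.product(range(256), repeat=key_len):
        key = bytes(candidate)
        if crib in xor_stream(key, ciphertext):
            return key
    return None


def key_search_trials(key_bits: int) -> int:
    """Worst-case number of trials for a full key search on a key_bits-bit key."""
    return 2 ** key_bits


def demo():
    """Run both attacks against the book's sample plaintext under a constructed
    16-bit key; returns (ciphertext, key from known plaintext, key from search)."""
    message = b"SSL is a cryptographic protocol"
    key = b"\x5a\xc3"
    ciphertext = xor_stream(key, message)
    from_known = recover_key_from_known_plaintext(ciphertext, b"SSL is", len(key))
    from_search = brute_force_key(ciphertext, len(key), b"protocol")
    return ciphertext, from_known, from_search


if __name__ == "__main__":
    ct, k1, k2 = demo()
    print("ciphertext:", ct.hex())
    print("key from known plaintext:", k1.hex(), "key from search:", k2.hex())
    print("trials for a 16-bit key:", key_search_trials(16),
          "for a 128-bit key:", key_search_trials(128))
```

The known-plaintext attack needs only as many known bytes as the key is long, which is why fixed message prefixes (the Enigma weather reports mentioned above, or a protocol banner today) are so valuable to an attacker. The search, by contrast, costs 2 to the power of the key length; a real cipher with a 128-bit key puts that out of reach, but a real cipher also has to resist the first attack, which this toy does not.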
Additional content appearing in this section has been removed.
Public Key Algorithms
The existence of public key cryptography was first postulated in print in the fall of 1975 by Whitfield Diffie and Martin Hellman. The two researchers, then at Stanford University, wrote a paper in which they presupposed the existence of an encryption technique in which information encrypted with one key (the public key) could be decrypted by a second, apparently unrelated key (the private key). Ralph Merkle, then a graduate student at Berkeley, had similar ideas at the same time, but because of the vagaries of the academic publication process, Merkle's papers were not published until the underlying principles and mathematics of the Diffie-Hellman algorithm were widely known.
Since that time, a variety of public key encryption systems have been developed. Unfortunately, there have been significantly fewer developments in public key algorithms than in symmetric key algorithms. The reason has to do with how these algorithms are created. Good symmetric key algorithms simply scramble their input depending on the input key; developing a new symmetric key algorithm requires coming up with new ways for performing that scrambling reliably. Public key algorithms tend to be based on number theory. Developing new public key algorithms requires identifying new mathematical equations with particular properties.
The following list summarizes the public key systems in common use today:
Diffie-Hellman key exchange
A system for agreeing on cryptographic keys between two active parties. Diffie-Hellman is not actually a method of encryption and decryption, but a method by which two parties develop a shared secret key over a public communications channel without ever transmitting that key. In effect, the two parties agree to some common numerical values (a large prime and a generator), and then each party picks a private random number. Mathematical transformations of those numbers are exchanged. Each party can then calculate a third value, the session key, that cannot easily be derived by an eavesdropper who knows both exchanged values. The exchange by itself does not tell either party who is on the other end, so an attacker who can intercept and replace the exchanged values can run a separate exchange with each side and read everything that passes between them (a man-in-the-middle attack). In practice the exchanged values are therefore authenticated with digital signatures or certificates, as SSL does when it uses Diffie-Hellman.
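Here is the exchange described above carried out in Python, as an added example rather than code from the book. It uses the 1536-bit prime and generator published in RFC 3526 (transcribed here; any standardized group would do) and Python's built-in modular exponentiation. The first function shows both parties arriving at the same key from values an eavesdropper can read; the second shows what happens when nothing authenticates the exchanged values and an attacker can replace them. The names Alice, Bob and Mallory, the rejection of degenerate public values and the SHA-256 key derivation are choices made for the example.

```python
import hashlib
import secrets

# 1536-bit MODP group from RFC 3526 (transcribed here), generator 2.  A published
# group avoids ad hoc parameters that could be weak; larger groups are preferred today.
P_HEX = (
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
)
P = int(P_HEX, 16)
G = 2


def dh_keypair(priv=None, p=P, g=G):
    """One party's (private exponent, public value).  Only the public value
    g**priv mod p is sent; the exponent never leaves the party that chose it."""
    if priv is None:
        priv = secrets.randbelow(p - 3) + 2        # 2 <= priv <= p-2
    return priv, pow(g, priv, p)


def dh_session_key(priv, peer_public, p=P):
    """Combine our private exponent with the peer's public value and hash the
    result into a 256-bit session key.  Public values 0, 1 and p-1 are rejected
    because they force the shared secret to a value an attacker can predict."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    shared_secret = pow(peer_public, priv, p)
    return hashlib.sha256(shared_secret.to_bytes(p.bit_length() // 8, "big")).digest()


def honest_exchange():
    """Alice and Bob exchange public values over a channel that can be read but
    not modified.  Both derive the same key; the eavesdropper saw only the
    public values and would have to solve a discrete logarithm to catch up."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_alice = dh_session_key(a_priv, b_pub)      # Alice uses Bob's value
    key_bob = dh_session_key(b_priv, a_pub)        # Bob uses Alice's value
    return key_alice, key_bob


def man_in_the_middle_exchange():
    """The same exchange when nothing authenticates the public values and
    Mallory can rewrite traffic.  She substitutes her own public value in both
    directions, so Alice shares a key with Mallory, Bob shares a different key
    with Mallory, and Mallory decrypts and re-encrypts everything in between."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    key_alice = dh_session_key(a_priv, m_pub)      # Alice thinks m_pub is Bob's
    key_bob = dh_session_key(b_priv, m_pub)        # Bob thinks m_pub is Alice's
    mallory_with_alice = dh_session_key(m_priv, a_pub)
    mallory_with_bob = dh_session_key(m_priv, b_pub)
    return key_alice, key_bob, mallory_with_alice, mallory_with_bob


if __name__ == "__main__":
    ka, kb = honest_exchange()
    print("honest exchange, keys match:", ka == kb)
    ka, kb, ma, mb = man_in_the_middle_exchange()
    print("with a man in the middle, Alice/Bob keys match:", ka == kb,
          "; Mallory holds Alice's key:", ka == ma, "and Bob's key:", kb == mb)
```

Nothing in the arithmetic distinguishes the two runs: Alice's computation is identical whether the value she received came from Bob or from Mallory. That is exactly why the public values have to be signed or carried in a certificate before the derived key can be trusted.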
Additional content appearing in this section has been removed.
Message Digest Functions
Message digest functions distill the information contained in a file (small or large) into a single large number, typically between 128 and 256 bits in length. This is illustrated in Figure 3-4. The best message digest functions combine these mathematical properties:
  • Every bit of the message digest function is potentially influenced by every bit of the function's input.
  • If any given bit of the function's input is changed, every output bit has a 50 percent chance of changing.
  • Given an input file and its corresponding message digest, it should be computationally infeasible to find another file with the same message digest value.
  • It should also be computationally infeasible to find any two files that have the same message digest value (collision resistance). This is a stronger requirement than the previous one, and it is the one that MD4, described below, has lost.
Figure 3-4: A message digest function
Message digests are also called one-way hash functions because they produce values that are difficult to invert, resistant to attack, effectively unique, and evenly distributed across the range of possible outputs.
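The first two properties in the list above can be measured directly. The Python below is added as an example and is not taken from the book: it flips a single input bit and counts how many bits of a SHA-256 digest change (the expectation is half of them), then uses the same digest to check a file against a published value. SHA-256 is used because Python's hashlib provides it; the sample message is the book's own, and the function names are chosen for the example.

```python
import hashlib
import hmac
import secrets


def digest(data: bytes, algorithm: str = "sha256") -> bytes:
    """Message digest of data, using one of the functions in Python's hashlib."""
    return hashlib.new(algorithm, data).digest()


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(out)


def hamming_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length byte strings differ."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_fraction(data: bytes, bit_index: int, algorithm: str = "sha256") -> float:
    """Flip one input bit and report the fraction of digest bits that changed.
    For a good digest function this is close to 0.5 whichever bit is flipped:
    every output bit depends on every input bit, and each flips with probability 1/2."""
    before = digest(data, algorithm)
    after = digest(flip_bit(data, bit_index), algorithm)
    return hamming_distance(before, after) / (8 * len(before))


def average_avalanche(data: bytes, trials: int = 200, algorithm: str = "sha256") -> float:
    """Average avalanche fraction over randomly chosen input bits."""
    total = sum(avalanche_fraction(data, secrets.randbelow(8 * len(data)), algorithm)
                for _ in range(trials))
    return total / trials


def verify_file(data: bytes, published_hex: str, algorithm: str = "sha256") -> bool:
    """Integrity check: does the data match the digest its publisher announced?
    Any change to the data, however small, changes the digest, so a match means
    the copy is the published one (provided the published digest itself arrived
    over a channel the attacker could not alter)."""
    return hmac.compare_digest(digest(data, algorithm).hex(), published_hex.lower())


if __name__ == "__main__":
    message = b"SSL is a cryptographic protocol"       # the book's sample text
    print("sha256:", digest(message).hex())
    print("fraction of digest bits changed by flipping input bit 3:",
          avalanche_fraction(message, 3))
    print("average over 200 random bit flips:", round(average_avalanche(message), 3))
    print("verify_file on the original:", verify_file(message, digest(message).hex()))
    print("verify_file on a tampered copy:",
          verify_file(flip_bit(message, 0), digest(message).hex()))
```

The avalanche measurement is a sanity check, not a proof of strength: a function can pass it and still be vulnerable to collision search, which is what happened to MD4 and MD5. The integrity check is only as good as the channel the published digest arrived over; a digest served from the same compromised server as the file proves nothing.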
Many message digest functions have been proposed and are now in use. Here are a few:
MD2
Message Digest #2, developed by Ronald Rivest. This message digest is probably the most secure of Rivest's message digest functions, but takes the longest to compute. As a result, MD2 is rarely used. MD2 produces a 128-bit digest.
MD4
Message Digest #4, also developed by Rivest. This message digest algorithm was developed as a fast alternative to MD2. Subsequently, MD4 was shown to be weak: it is possible to find two different files that produce the same MD4 digest (a collision) without a brute force search (which would be infeasible for the same reason that it is infeasible to search a 128-bit keyspace). MD4 produces a 128-bit digest. Practical collision attacks have since been published for MD5 as well, so none of the MD family should be relied on today where collision resistance matters.
Additional content appearing in this section has been removed.
Chapter 4: Cryptography and the Web
When you get right down to it, the Internet is an unsecure communications system. While the Internet was designed to be efficient and robust, it was not designed to be inherently secure. The Internet's original security was provided by simple access control: only trustworthy military installations, corporations, and schools were allowed to have access. At each of those organizations, only trustworthy individuals were allowed to have accounts. In theory, people who abused the network lost their access.
The idea of using access control to ensure security failed almost immediately. In December 1973, Robert Metcalfe noted that high school students had gained access to the Internet using stolen passwords; two computers had crashed under suspicious circumstances. In RFC 602 (reprinted on the following page) Metcalfe identified three key problems on the network of his day: sites were not secure against remote access; unauthorized people were using the network; and some ruffians were breaking into computers (and occasionally crashing those machines) simply for the fun of it.
Today, the Internet's overall security posture has changed significantly. As we saw in Chapter 2, the simple act of browsing a web page on a remote computer can involve sending packets of information to and receiving them from more than a dozen different computers operated by just as many different organizations. The division of responsibility among multiple organizations makes it possible for each of these organizations—and many more—to eavesdrop on your communications, or even to disrupt them.
Yet in many ways, today's Internet is more secure than the early network of the 1970s and 1980s. The reason is the widespread and growing use of cryptography.
Additional content appearing in this section has been removed.
Cryptography and Web Security
Today, cryptography is the fundamental technology used to protect information as it travels over the Internet. Every day, encryption is used to protect the content of web transactions, email, newsgroups, chat, web conferencing, and telephone calls as they are sent over the Internet. Without encryption any crook, thief, Internet service provider, telephone company, hostile corporation, or government employee who has physical access to the wires that carry your data could eavesdrop upon its contents. With encryption, as we discussed in Chapter 3, it is possible to protect a message in such a way that all of the world's computers working in concert until the end of time would be unable to decipher its contents.
Cryptography can be used for more than scrambling messages. Increasingly, systems that employ cryptographic techniques are used to control access to computer systems and to sign digital messages. Cryptographic systems have also been devised to allow the anonymous exchange of digital money and even to facilitate fair and unforgeable online voting.
Security professionals have identified five different roles that encryption can play in modern information systems. In the interest of sharing a common terminology, each of these different roles is identified by a specific keyword. The roles are:
Authentication
Digital signatures can be used to identify a participant in a web transaction or the author of an email message; people who receive a message that is signed by a digital signature can use it to verify the identity of the signer. Digital signatures can be used in conjunction with passwords and biometrics (see Chapter 6) or as an alternative to them.
Authorization
Whereas authentication is used to determine the identity of a participant, authorization techniques are used to determine if that individual is authorized to engage in a particular transaction. Cryptographic techniques can be used to distribute a list of authorized users that is all but impossible to falsify.
Additional content appearing in this section has been removed.
Working Cryptographic Systems and Protocols
A cryptographic system is a collection of software and hardware that can encrypt or decrypt information. A typical cryptographic system is the combination of a desktop computer, a web browser, a remote web server, and the computer on which the web server is running. A cryptographic protocol, by contrast, describes how information moves throughout the cryptographic system. In our examples, the web browser and the remote web server communicate using the Secure Sockets Layer (SSL) cryptographic protocol.
More than a dozen cryptographic protocols have been developed for Internet security and commerce. These systems fall into two categories. The first category of cryptographic programs and protocols is used for encryption of offline messages—mostly email. The second category of cryptographic protocols is used for confidentiality, authentication, integrity, and nonrepudiation for online communications.
Offline encryption systems are designed to take a message, encrypt it, and either store the ciphertext or transmit it to another user on the Internet. Some popular programs that are used for email encryption are shown in Table 4-1 and described in the sections that follow.
Table 4-1: Cryptographic protocols for offline communications
Protocol | What does it do? | Widely deployed? | Programs and systems | URL
PGP/OpenPGP | Encryption and digital signatures for email and electronic documents
Additional content appearing in this section has been removed.
What Cryptography Can't Do
Cryptography is an incredibly powerful technology for protecting information, but it is only one of many technologies that play a role in web security and commerce. Unfortunately, cryptography plays such an important role that many people assume that any computer system that uses encryption is automatically secure, and that any system that does not use encryption can't be made secure. As a matter of fact, the phrase secure web server is often used interchangeably with the phrase cryptographically enabled web server.
Encryption isn't all-powerful. You can use the best cryptography that's theoretically possible, but if other mistakes are made in either systems design or data handling, confidential information may still be revealed. For example, a document might be encrypted so that it could only be decoded by one person, but if that person prints out a document and then throws it out without first shredding the paper, the secrets that the document contains could still end up on the front page of the local newspaper.
Likewise, cryptography isn't an appropriate solution for many problems, including the following:
Cryptography can't protect your unencrypted documents
Even if you set up your web server so that it only sends files to people using 1024-bit SSL, remember that the unencrypted originals still reside on your web server. Unless you separately encrypt them, those files are vulnerable. Somebody breaking into the computer on which your server is located will have access to the data.
Cryptography can't protect against stolen encryption keys
The whole point of using encryption is to make it possible for people who have your encryption keys to decrypt your files or messages. Thus, any attacker who can steal or purchase your keys can decrypt your files and messages. That's important to remember when using SSL, because an SSL server keeps its private key in a file on the computer's hard disk. (Normally that file is encrypted with a passphrase, but it doesn't have to be.) Anyone who copies that file, and the passphrase if there is one, can impersonate the server.
Legal Restrictions on Cryptography
The legal landscape of cryptography is complex and constantly changing. In recent years the legal restrictions on cryptography in the United States have largely eased, while the restrictions in other countries have increased somewhat.
In this section, we'll examine restrictions that result from patent law, trade secret law, import/export restrictions, and national security concerns.
These regulations and laws are in a constant state of change, so be sure to consult with a competent attorney (or three) if you will be using cryptography commercially or internationally.
Patents applied to computer programs, frequently called software patents, have been accepted by the computer industry over the past thirty years, some grudgingly and some with great zeal.
Some of the earliest and most important software patents granted by the U.S. Patent and Trademark Office were in the field of cryptography. These software patents go back to the late 1960s and early 1970s. Although computer algorithms were widely thought to be unpatentable at the time, the cryptography patents were allowed because they were written as patents on encryption devices that were built with hardware—computers at the time were too slow to perform meaningfully strong encryption in a usably short time. IBM's original patents on the algorithm that went on to become the U.S. Data Encryption Standard (DES) were, in fact, on a machine that implemented the encryption technique.
The doctrine of equivalence holds that if a new device operates in substantially the same way as a patented device and produces substantially the same result, then the new device infringes the original patent. As a result of this doctrine, which is one of the foundation principles of patent law, a program that implements a patented encryption technique will violate that patent, even if the original patent was on a machine built from discrete resistors, transistors, and other components. Thus, the advent of computers that were fast enough to implement basic logic circuits in software, combined with the acceptance of patent law and patents on electronic devices, assured that computer programs would also be the subject of patent law.
Chapter 5: Understanding SSL and TLS
SSL is the Secure Sockets Layer, a general-purpose protocol for sending encrypted information over the Internet. Developed by Netscape, SSL was first popularized by Netscape's web browser and web server. The idea was to stimulate the sales of the company's cryptographically enabled web servers by distributing a free client that implemented the same cryptographic protocols.
Since then, SSL has been incorporated into many other web servers and browsers, and by now support for SSL is no longer a competitive advantage but a necessity. SSL has gone through two major public versions, 2.0 and 3.0. In 1996 the Internet Engineering Task Force (IETF) Transport Layer Security (TLS) working group was established to create an open stream encryption standard. The group started with SSL 3.0 and, in 1999, published RFC 2246, "The TLS Protocol Version 1.0." RFC 2712 adds Kerberos authentication to TLS. RFC 2817 and RFC 2818 describe how HTTP/1.1 is used over TLS. This chapter introduces SSL and TLS. Appendix B provides detailed technical information.
What Is SSL?
SSL is a layer that exists between the raw TCP/IP protocol and the application layer. While the standard TCP/IP protocol simply sends an unauthenticated, error-free stream of information between two computers (or between two processes running on the same computer), SSL adds numerous features to that stream, including:
  • Authentication of the server, using digital signatures
  • Authentication of the client, using digital signatures
  • Data confidentiality through the use of encryption
  • Data integrity through the use of message authentication codes
Cryptography is a fast-moving field, and cryptographic protocols don't work unless both parties to the communication use the same algorithms. For that reason, SSL is an extensible and adaptive protocol. When one program using SSL attempts to contact another, the two programs electronically compare notes: each states which cipher suites (combinations of key exchange, encryption, and integrity algorithms) it supports, and the strongest one they have in common is selected. This exchange is called the SSL Hello.
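The Hello exchange and the four features listed above, worked through in Go as an added example (this is not code from the book or from Netscape's implementation). It uses Go's crypto/tls, which speaks TLS 1.2 and 1.3 rather than SSL itself; generates a self-signed certificate in memory for a hypothetical server named www.example.test; joins client and server with an in-memory pipe instead of a network; and switches off session tickets so the handshake ends with the two Finished messages. The first handshake lets both sides take their defaults. The second restricts the server to TLS 1.2 and two cipher suites while the client offers a different pair, so the single suite on both lists is what the Hello settles on. The last three lines show the certificate check behind server authentication: the same certificate passes for its own name and fails for a different host or an empty trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// NewSelfSignedServer makes an in-memory ECDSA key and a self-signed certificate for
// host, plus a trust store holding only that certificate (standing in for a CA).
func NewSelfSignedServer(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// ServerConfig presents the certificate; tickets are off so the handshake ends with Finished.
func ServerConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, SessionTicketsDisabled: true}
}

// ClientConfig trusts only pool and requires the certificate to name host: that is the
// client authenticating the server.
func ClientConfig(pool *x509.CertPool, host string) *tls.Config {
	return &tls.Config{RootCAs: pool, ServerName: host}
}

// Handshake runs the Hello exchange between a client and a server joined by an
// in-memory pipe and returns the client's view of what was negotiated.
func Handshake(serverCfg, clientCfg *tls.Config) (tls.ConnectionState, error) {
	sRaw, cRaw := net.Pipe()
	defer sRaw.Close()
	defer cRaw.Close()
	sRaw.SetDeadline(time.Now().Add(5 * time.Second)) // a stalled peer becomes an error, not a hang
	cRaw.SetDeadline(time.Now().Add(5 * time.Second))
	serverErr := make(chan error, 1)
	go func() { serverErr <- tls.Server(sRaw, serverCfg).Handshake() }()
	client := tls.Client(cRaw, clientCfg)
	if err := client.Handshake(); err != nil {
		return tls.ConnectionState{}, fmt.Errorf("client: %w", err)
	}
	if err := <-serverErr; err != nil {
		return tls.ConnectionState{}, fmt.Errorf("server: %w", err)
	}
	return client.ConnectionState(), nil
}

// VerifyServerCert is the check behind "authentication of the server": the certificate
// must chain to a trusted root and must name the host being contacted.
func VerifyServerCert(cert *x509.Certificate, pool *x509.CertPool, host string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	const host = "www.example.test" // hypothetical server name
	cert, pool, _ := NewSelfSignedServer(host)

	// Both sides take their defaults: TLS 1.3 and the server's preferred AEAD suite.
	st, err := Handshake(ServerConfig(cert), ClientConfig(pool, host))
	fmt.Printf("default:    version 0x%04x suite %s err=%v\n", st.Version, tls.CipherSuiteName(st.CipherSuite), err)

	// Server allows at most TLS 1.2 and two suites; the client offers a different pair.
	srv := ServerConfig(cert)
	srv.MaxVersion = tls.VersionTLS12
	srv.CipherSuites = []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
	cli := ClientConfig(pool, host)
	cli.CipherSuites = []uint16{tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305, tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}
	st, err = Handshake(srv, cli)
	fmt.Printf("restricted: version 0x%04x suite %s err=%v\n", st.Version, tls.CipherSuiteName(st.CipherSuite), err)

	// The certificate passes for its own name, fails for another host or an empty trust store.
	fmt.Println("own name:  ", VerifyServerCert(cert.Leaf, pool, host))
	fmt.Println("other host:", VerifyServerCert(cert.Leaf, pool, "other.example.test"))
	fmt.Println("no trust:  ", VerifyServerCert(cert.Leaf, x509.NewCertPool(), host))
}
```

Run it with go run. The suite chosen in the first handshake depends on the Go version and on whether the CPU has AES hardware support, which is the point of the Hello: neither side dictates the outcome, it falls out of the two lists. The second handshake is deterministic because only one suite appears on both lists. Note that the pipe is synchronous, which is why tickets are disabled; over a real socket the kernel buffers the extra post-handshake records and no such care is needed.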
SSL was designed for use worldwide, but it was developed in the United States when the U.S. restricted the export of strong cryptography. For this reason, SSL was designed with many features intended to conform with the U.S. government's older, more restrictive policies on the export of cryptographic systems (described in Chapter 4).
The SSL protocol was designed by Netscape for use with Netscape Navigator. Version 1.0 of the protocol was used inside Netscape. Version 2.0 of the protocol shipped with Netscape Navigator Versions 1 and 2. After SSL 2.0 was published, Microsoft created a similar secure link protocol called PCT, which overcame some of SSL 2.0's shortcomings. The advances of PCT were echoed in SSL 3.0. The SSL 3.0 protocol is the basis for the TLS protocol developed by the IETF. Implementations of SSL 3.0/TLS are present in Netscape Navigator, Microsoft Windows, and the open source OpenSSL library.
SSL: The User's Point of View
Both Netscape Navigator and Microsoft's Internet Explorer contain extensive support for SSL and TLS. This section describes the support for transferring documents using encryption. SSL/TLS support for digital certificates is described in Chapter 17.
Netscape Navigator uses the term "secure document" as shorthand for the phrase "documents that are transmitted using SSL."
Of course, documents transmitted using SSL aren't any more secure or insecure than documents that are sent in the clear. They are simply cryptographically protected against eavesdropping and modification while in transit. The SSL protocol makes no assurance that the document itself was not modified on the web server, a far easier attack than intercepting and modifying the contents of a TCP/IP stream.
Netscape Navigator and Internet Explorer control their SSL behavior through the use of special control panels. Navigator calls this panel Security Preferences and it is accessed from Navigator's Preferences menu. Explorer calls this panel the Advanced Options panel and it is accessed from Explorer's Internet Options menu.

Section 5.2.1.1: Navigator preferences

The Netscape Navigator 6.0 Security Preferences panel is shown in Figure 5-4.
Figure 5-4: Netscape Navigator's Security Preferences panel
The controls listed under Navigator's General tab allow the user to choose when various alerts are displayed. Netscape Navigator can be configured to alert the user:
  • When entering a site that uses SSL.
  • When entering a site that uses "low-grade" encryption (that is, 40-bit symmetric ciphers or 512-bit RSA).
Chapter 6: Digital Identification I: Passwords, Biometrics, and Digital Signatures
A variety of identification systems in use on the Web today are designed to provide the same sort of assurance in cyberspace that they offer in the real world. The simplest of the systems are based on usernames and passwords; others are based on special-purpose hardware that can measure unique distinguishing characteristics of different human beings. Finally, there are systems that are based on cryptography, relying on the public key cryptography techniques introduced in earlier chapters.
This chapter presents a survey of the various digital technologies that are available to identify people on and off the Internet. Chapter 7 describes the use of digital certificates and their use in the public key infrastructure (PKI).
Physical Identification
Fly to San Francisco International Airport, flash two pieces of plastic, and you can drive away with a brand new car worth more than $20,000. The only assurance the car rental agency has that you will return its automobile is your word—and the knowledge that if you break your word, they can destroy your credit rating and possibly have you thrown in jail.
Your word wouldn't mean much to the rental agency if they didn't know who you are. It's your driver's license and credit card, combined with a worldwide computer network, that allows the rental agency to determine in seconds if your credit card has been reported stolen, and that gives the firm and its insurance company the willingness to trust you.
As the rental car agency knows, the ability to identify people creates accountability, which helps to promote trust. Indeed, identification is an indispensable part of modern life. Large organizations use employee identification badges to help guards determine who should be let into buildings and who should be kept out. Governments use identification papers to help control their borders and provide taxpayer-funded benefits. And, increasingly, computers use various kinds of systems to determine the identity of their users and control access to information and services.
No identification techniques are foolproof. Fortunately, most of them don't have to be. The goal of most identification systems isn't to eliminate the possibility of impersonation, but to reduce to acceptable levels the risk of impersonation and the resulting losses. Another important goal of identification systems is to quantify the amount of risk that remains once the system has been deployed: quantifying the amount of residual risk allows an organization to make decisions about policies, the need or desirability of alternative identification systems, and even the amount of insurance coverage necessary to protect against the remaining amount of fraud.
Using Public Keys for Identification
The identification and authentication techniques mentioned in the first part of this chapter all share a common flaw: to reliably identify an individual, that person must be in the presence of the person or computer that is performing the identification. If the person is not present—if the identification is being performed by telephone, by fax, or over the Internet—then there is high potential for fraud or abuse because of replay attacks.
To understand replay attacks, consider the case of a computer that verifies its user's identity with a fingerprint scanner. Under ideal conditions, a person sits down at the computer, presses his thumb to the scanner, and the computer verifies his identity. But consider the case shown in Figure 6-5, in which one computer acquires the fingerprint and another performs the verification. In this case, it is possible for an attacker to intercept the code for the digitized fingerprint as it moves over the network. Once the attacker has the fingerprint transmission, the attacker can use it to impersonate the victim.
Figure 6-5: When a biometric verification is performed remotely over a computer network, the identification can be compromised by replay attacks (by tampering with the computer or software that measures the biometric).
Replay attacks aren't a problem for biometrics alone: they represent a fundamental attack against all of the digital identification systems mentioned in this chapter. For example, passwords can be eavesdropped and re-used by an attacker. Even position-based systems can be attacked with replay attacks.
Simple encryption provides a measure of protection against replay attacks because encryption makes it more difficult for an attacker to intercept passwords, digitized fingerprints, and other kinds of information used to prove identity. But straightforward encryption has an important limitation: although encryption protects the identification information while it is in transit, if the information is ever revealed to a hostile party, then the information is forever compromised!
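The replay problem just described, together with the signed list of authorized users mentioned in Chapter 4, worked through in Go as an added example (not code from the book, from PGP, or from SSH). An administrator's Ed25519 key signs a JSON list of users and their public keys; a recipient loads the list only if the signature verifies over the bytes exactly as received, so an edited copy is rejected. A verifier then identifies a listed user by challenge-response: it sends a fresh random nonce, the user signs it with a private key that never leaves the user's machine, and the verifier checks the signature and retires the nonce, so a captured response proves nothing a second time. The names alice, bob and mallory and the JSON layout are constructed for the example, and carrying the nonce and response across a network is left out.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// AuthList names the authorized users and the public key each will prove possession
// of. It travels with an administrator's signature over its serialized form.
type AuthList struct {
	Users map[string]ed25519.PublicKey `json:"users"`
}

// NewKeyPair generates an Ed25519 key pair for one party.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignAuthList serializes the list (encoding/json sorts map keys, so the bytes are
// deterministic) and signs exactly those bytes with the administrator's key.
func SignAuthList(admin ed25519.PrivateKey, list AuthList) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(list); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(admin, payload), nil
}

// LoadAuthList accepts a distributed list only if the administrator's signature
// verifies over the bytes as received; a forged or edited copy fails here.
func LoadAuthList(adminPub ed25519.PublicKey, payload, sig []byte) (*AuthList, error) {
	if !ed25519.Verify(adminPub, payload, sig) {
		return nil, errors.New("authorization list: signature does not verify")
	}
	var list AuthList
	if err := json.Unmarshal(payload, &list); err != nil {
		return nil, err
	}
	return &list, nil
}

// Verifier checks identity against a vetted list; pending holds the challenge issued
// to each user and not yet answered.
type Verifier struct {
	list    *AuthList
	pending map[string][]byte
}

func NewVerifier(list *AuthList) *Verifier {
	return &Verifier{list: list, pending: map[string][]byte{}}
}

// Challenge issues a fresh random nonce to a listed user. An attacker has never seen
// this value, so a response captured earlier cannot answer it.
func (v *Verifier) Challenge(user string) ([]byte, error) {
	if _, ok := v.list.Users[user]; !ok {
		return nil, fmt.Errorf("%q is not on the authorization list", user)
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.pending[user] = nonce
	return nonce, nil
}

// Respond is the user's side: sign the challenge with a private key that never
// crosses the network.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(priv, nonce)
}

// Verify checks a response against the outstanding challenge and retires the
// challenge, so the same response is never accepted twice.
func (v *Verifier) Verify(user string, response []byte) bool {
	nonce, ok := v.pending[user]
	if !ok {
		return false
	}
	delete(v.pending, user)
	return ed25519.Verify(v.list.Users[user], nonce, response)
}

func main() {
	adminPub, adminPriv, _ := NewKeyPair()
	alicePub, alicePriv, _ := NewKeyPair()
	_, bobPriv, _ := NewKeyPair() // bob is not on the list

	// The administrator publishes a signed list that authorizes only alice.
	payload, sig, _ := SignAuthList(adminPriv, AuthList{Users: map[string]ed25519.PublicKey{"alice": alicePub}})
	list, err := LoadAuthList(adminPub, payload, sig)
	fmt.Println("genuine list accepted:", err == nil)
	// Editing the list in transit (here, renaming the entry) breaks the signature.
	forged := bytes.Replace(payload, []byte("alice"), []byte("mallory"), 1)
	_, err = LoadAuthList(adminPub, forged, sig)
	fmt.Println("forged list rejected:", err != nil)

	v := NewVerifier(list)
	nonce, _ := v.Challenge("alice")
	resp := Respond(alicePriv, nonce)
	fmt.Println("alice authenticates:", v.Verify("alice", resp))
	fmt.Println("replayed response accepted:", v.Verify("alice", resp))
	nonce, _ = v.Challenge("alice")
	fmt.Println("bob's key answers alice's challenge:", v.Verify("alice", Respond(bobPriv, nonce)))
}
```

The single-use challenge is what makes a captured response worthless: the second Verify call with the same response fails, and a response to an old challenge fails against a new one. One caveat a deployment needs that the example omits: the signed list should carry a version or expiry, otherwise an attacker can replay an older, still validly signed list that authorizes a user who has since been removed.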
Real-World Public Key Examples
In this section, we'll explore how two systems use public key cryptography to authenticate identity: PGP, an offline system that uses public keys to prove authorship of electronic documents; and SSH, an online system that uses public keys to authenticate the identity of interactive users and remote systems.
If you get an email message, how do you know who it is really from? Today's email programs allow users to enter any "From:" address that they wish, so how do you know that a message is really from the person listed in the message header? Email messages can travel through many different computers and be repeatedly forwarded, so how do you know that the message you are reading hasn't been altered since it was originally sent?
The underlying infrastructure of the Internet doesn't provide any mechanism for verifying the authorship of email messages. It's all too easy to claim you are somebody—or something—you aren't. It's this reality that was behind Peter Steiner's cartoon in the July 5, 1993 issue of The New Yorker, which portrayed two dogs in front of a computer; one says to the other, "On the Internet, nobody knows you're a dog."
But while it is possible to anonymously post messages and claim to be something that you aren't in the online world, it is also possible to establish your identity, and authenticate your authorship of documents and email messages that you create. One of the best ways to do this is using PGP.
Although PGP was originally written and released for the purpose of securing