Chapter 20. Securing sessions 639
Figure 20-8 SSL tunneling
Some products have implemented SSL tunneling, for example IBM WebSphere
Traffic Express (WTE).
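As an added example that is not part of this Redbook or of WebSphere Traffic Express, the following Python models the proxy side of the SSL tunnel in Figure 20-8: the client sends an HTTP CONNECT request to the proxy, and the proxy decides whether to open a tunnel. The "Enable CONNECT" and "Proxy +:443" settings in the figure are modelled here (an assumption about their intent) as an allow-list of destination ports, so the CONNECT method opens tunnels to port 443 only; hostnames, requests and the policy table are constructed for the example.

```python
"""Added example: proxy-side handling of an SSL tunnel (HTTP CONNECT).

Illustrative code, not WebSphere Traffic Express's implementation. The
"Enable CONNECT" / "Proxy +:443" lines in Figure 20-8 are modelled as an
allow-list of destination ports, so CONNECT cannot be used to relay
arbitrary TCP traffic through the proxy. All names and requests below are
constructed for the example.
"""
import re

# Constructed policy: ports to which a CONNECT tunnel may be opened
# (443 only, mirroring the "Proxy +:443" line of the figure).
ALLOWED_TUNNEL_PORTS = {443}

CONNECT_LINE = re.compile(r"^CONNECT\s+([^\s:]+):(\d{1,5})\s+HTTP/1\.[01]$")


def parse_connect(request: bytes):
    """Return (host, port) from a CONNECT request line, or None if malformed."""
    head = request.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("ascii", errors="replace").split("\r\n")
    match = CONNECT_LINE.match(lines[0])
    if not match:
        return None
    host, port = match.group(1), int(match.group(2))
    if not 0 < port < 65536:
        return None
    return host, port


def proxy_decision(request: bytes) -> bytes:
    """Decide how the proxy answers a CONNECT request.

    After a 200 reply the proxy only relays bytes in both directions; the
    SSL handshake and the certificate exchange happen end to end between the
    client and the destination server, so the proxy sees only ciphertext.
    """
    target = parse_connect(request)
    if target is None:
        return b"HTTP/1.1 400 Bad Request\r\n\r\n"
    host, port = target
    if port not in ALLOWED_TUNNEL_PORTS:
        return b"HTTP/1.1 403 Forbidden\r\n\r\n"
    return b"HTTP/1.1 200 Connection established\r\n\r\n"


if __name__ == "__main__":
    # Constructed exchange matching the figure: the client asks the proxy
    # (myproxy.mycompany.com, port 80) for a tunnel to www.bigserver.com:443.
    good = (b"CONNECT www.bigserver.com:443 HTTP/1.1\r\n"
            b"Host: www.bigserver.com:443\r\n\r\n")
    bad = b"CONNECT www.bigserver.com:25 HTTP/1.1\r\n\r\n"  # not an SSL port
    print(proxy_decision(good).decode())  # 200 Connection established
    print(proxy_decision(bad).decode())   # 403 Forbidden
```

The port allow-list is the check worth keeping in mind: a proxy that honours CONNECT to any port is a general-purpose TCP relay, which is rarely what the tunnel was enabled for.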
20.2 Secure sessions
SSL was developed by Netscape Communications Corp. and is implemented in
most Web browsers, including Netscape and Internet Explorer. SSL will
eventually be replaced by the new standard version, Transport Layer Security, a
security protocol from the IETF.
As illustrated in Figure 20-9 on page 640, SSL adds an additional layer between
network protocols and the protocols that are used on the application level. SSL
encapsulates TCP/IP sockets so that every application using TCP/IP can use
SSL to secure the connections.
[Figure 20-8 diagram: Client -> Proxy Server (myproxy.mycompany.com, Port 80, Enable CONNECT, Proxy +:443) -> SSL Tunnel -> Destination Server (www.bigserver.com, HTTPS://www.bigserver.com, SSLMode On, SSLPort 443); certificates are exchanged end to end between the client and the destination server]
640 IBM WebSphere Host Publisher Version 3.5
Figure 20-9 SSL layer in the TCP/IP stack
Currently, SSL is commonly used to secure communication between TCP/IP
applications, such as HTTP and Telnet.
The SSL protocol has functions that make it an excellent method for providing an
end-to-end encrypted communication session. This is achieved by supporting the
following functions:
- Authentication allows each party to verify the identity of the other if required.
Digital certificates are used to provide this function. In SSL V2.0, only server
authentication is supported. SSL V3.0 supports both server and client
authentication. However, not many products have implemented client
authentication, since this is achieved via user ID/password authentication.
- Data encryption and decryption ensures that transmitted data is not
readable by anyone who does not have the secret key. A secret and shared
key is generated for each data exchange session and used to encrypt and
decrypt data.
- Data integrity means that the data will be rejected if any changes are
detected. This is to ensure that no one can manipulate transmitted data
between the sender and receiver.
[Figure 20-9 diagram: Application(s) (WWW, POP, SMTP, e-mail) and Application Protocols (HTTP, SMTP, LDAP) -> Security Layer (SSL) -> TCP/IP Layer (Network Protocols)]
Table 20-1 shows the categories of SSL service, the technologies used, and the
types of security attacks against which they offer protection.
Table 20-1 SSL services
SSL uses public-key encryption, symmetric encryption, hashing, digital
signatures, and certificates.
The main reasons why SSL incorporates both public-key and private-key
cryptography are to improve performance and to simplify key management.
Public-key cryptography offers the best security, but it is much slower than
private-key cryptography. SSL uses only public-key cryptography (specifically
RSA) for session initiation, which includes passing the secret symmetric key
needed for private-key cryptography. SSL uses private-key cryptography for all
data encryption after establishing the session (bulk encryption). This means that
SSL uses the maximum security to pass the secret key and then uses a faster
method for all subsequent data to be exchanged.
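The division of labour described above, and the encryption and integrity functions listed earlier in this section, are walked through in the following added example. It is illustrative code written for this chapter, not the SSL protocol itself and not code from any IBM product: textbook RSA on constructed toy primes protects the one secret passed at session start (the pre-master secret, from which both sides derive the session keys), a symmetric keystream derived from that secret does the bulk encryption, and a keyed hash provides the integrity check that rejects a record changed in transit. The RSA parameters are far too small to be secure and the HMAC-SHA256 counter keystream stands in for a real bulk cipher; only the structure is the point.

```python
"""Added example: the shape of an SSL session setup (hybrid cryptography).

Illustrative code for this chapter, not SSL's actual handshake or any
product's implementation. Public-key cryptography (toy RSA) is used once, to
pass the pre-master secret; symmetric cryptography (a keystream derived from
that secret) protects all later data; a keyed hash gives integrity.
"""
import hashlib
import hmac
import secrets
from math import gcd

# Constructed toy RSA key pair: small primes chosen for the example only.
P, Q = 1000000007, 998244353
N = P * Q                      # modulus, below 2**63 so secrets fit in 8 bytes
E = 65537                      # public exponent
PHI = (P - 1) * (Q - 1)
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)            # private exponent (Python 3.8+)


def rsa_encrypt(m: int) -> int:
    """Public-key operation the client performs on the pre-master secret."""
    assert 0 < m < N
    return pow(m, E, N)


def rsa_decrypt(c: int) -> int:
    """Private-key operation that only the server, holder of D, can perform."""
    return pow(c, D, N)


def derive_keys(pre_master: int, client_nonce: bytes, server_nonce: bytes):
    """Both sides derive the same encryption and MAC keys from the shared
    pre-master secret plus the nonces that were exchanged in the clear."""
    seed = pre_master.to_bytes(8, "big") + client_nonce + server_nonce
    enc_key = hashlib.sha256(b"enc" + seed).digest()
    mac_key = hashlib.sha256(b"mac" + seed).digest()
    return enc_key, mac_key


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the bulk cipher)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then append a keyed-hash tag: privacy plus integrity."""
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, len(plaintext))))
    tag = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct + tag


def open_record(enc_key: bytes, mac_key: bytes, record: bytes) -> bytes:
    """Verify the tag first; a record whose data changed in transit is rejected."""
    ct, tag = record[:-32], record[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: record rejected")
    return bytes(a ^ b for a, b in zip(ct, keystream(enc_key, len(ct))))


def run_session(message: bytes, tamper: bool = False) -> bytes:
    """Session setup plus one protected record; returns the decrypted data."""
    client_nonce, server_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    # Client: choose the pre-master secret, send it under the server's public key.
    pre_master = secrets.randbelow(N - 2) + 2
    wrapped = rsa_encrypt(pre_master)
    # Server: recover it with the private key; both sides derive session keys.
    client_keys = derive_keys(pre_master, client_nonce, server_nonce)
    server_keys = derive_keys(rsa_decrypt(wrapped), client_nonce, server_nonce)
    # Bulk phase: fast symmetric protection with the derived keys.
    record = seal(*client_keys, message)
    if tamper:
        record = bytes([record[0] ^ 0x01]) + record[1:]   # flip one ciphertext bit
    return open_record(*server_keys, record)


def tamper_detected(message: bytes) -> bool:
    """True when a modified record is rejected by the integrity check."""
    try:
        run_session(message, tamper=True)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_session(b"GET /account HTTP/1.0"))   # the message, decrypted
    print(tamper_detected(b"GET /account HTTP/1.0"))  # True
```

Note that the expensive public-key operation happens exactly once per session, while every record afterwards costs only a hash computation and an XOR, which is the performance argument the text makes.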
Another important point to note is that when the browser contacts the server,
both the browser and the server have to agree on a common cipher that both can
use. It is like two people trying to talk to each other. One speaks French and
English, and the other person speaks English and Spanish. If they want to speak
to each other, they must use a language they both understand.
This means that a server with large-key-size support does not necessarily entail
a higher level of symmetric encryption if the browser does not support it. For
example, if the server supports 128-bit key encryption and the browser supports
only 40-bit encryption, then in this case the 40-bit encryption will be used to
encrypt data exchanged between the server and the browser.
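The negotiation described in the preceding two paragraphs, as an added example rather than anything from the Redbook or the SSL specification: the cipher suite names and key strengths form a constructed table, the function picks the strongest suite both sides support (so a 128-bit server still lands on 40 bits with a 40-bit-only browser), and a `min_bits` floor shows the server-side policy check that refuses a session rather than silently accepting a weak cipher.

```python
"""Added example: cipher negotiation between browser and server.

Illustrative code, not SSL's real handshake logic. SUITE_BITS is a
constructed table of suite names and symmetric key strengths.
"""
from typing import Iterable, Optional

SUITE_BITS = {
    "RSA_WITH_3DES_EDE_CBC_SHA": 168,
    "RSA_WITH_RC4_128_MD5": 128,
    "RSA_WITH_DES_CBC_SHA": 56,
    "RSA_EXPORT_WITH_RC4_40_MD5": 40,
    "RSA_EXPORT_WITH_RC2_CBC_40_MD5": 40,
}


def negotiate(server_supports: Iterable[str], client_offers: Iterable[str],
              min_bits: int = 0) -> Optional[str]:
    """Return the strongest suite both sides support that meets the floor.

    Like two people who must pick a language both speak, the result is
    limited by the weaker party: a None result means the server should
    refuse the session rather than fall back below its policy.
    """
    server = set(server_supports)
    common = [s for s in client_offers if s in server and SUITE_BITS[s] >= min_bits]
    if not common:
        return None
    return max(common, key=lambda s: SUITE_BITS[s])


def negotiated_bits(server_supports, client_offers, min_bits=0) -> int:
    """Key strength of the negotiated suite, or 0 if no session is possible."""
    suite = negotiate(server_supports, client_offers, min_bits)
    return SUITE_BITS[suite] if suite else 0


if __name__ == "__main__":
    server = ["RSA_WITH_3DES_EDE_CBC_SHA", "RSA_WITH_RC4_128_MD5",
              "RSA_EXPORT_WITH_RC4_40_MD5"]
    export_browser = ["RSA_EXPORT_WITH_RC4_40_MD5", "RSA_EXPORT_WITH_RC2_CBC_40_MD5"]
    strong_browser = ["RSA_EXPORT_WITH_RC4_40_MD5", "RSA_WITH_RC4_128_MD5"]
    print(negotiated_bits(server, export_browser))              # 40
    print(negotiated_bits(server, strong_browser))              # 128
    print(negotiate(server, export_browser, min_bits=128))      # None
```

Whether the session is allowed to drop to the weaker cipher is therefore a server configuration decision, not something the browser's capabilities settle on their own.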
For a complete and detailed description of public key infrastructures, refer to the
IBM Redbook Deploying a Public Key Infrastructure, SG24-5512.
SSL service     Technology                                    Protection against
Authentication  X.509 certificates                            Fake entities
Integrity       Message authentication codes (keyed hash      Vandals or entities that try to
                functions)                                    corrupt the data
Privacy         Encryption                                    People who try to read
                                                              confidential data