Security is a critical factor in the establishment and acceptance of commercial applications on the Web. For example, if you are using a hom...
Security is a critical factor in the establishment and acceptance of commercial applications on the Web. For example, if you are using a home banking service, you want to be assured that your client/server interactions are both confidential and untampered with. In addition, both you and your bank must be able to verify each other’s identity and to produce auditable records of your transactions.
Security on the web is a two-sided affair that involves both the client (the browser) and the server. They each have a role to play. Currently, most of the web security technology is focused on solving four immediate problems that are standing in the way of widespread e-Commerce.
Using secure Internet sites for transactions
Many Internet sites are set up to prevent unauthorized people from seeing the information that is sent to or from those sites. These are called "secure" sites. Because Internet Explorer supports the security protocols used by secure sites, you can send information to a secure site with safety and confidence. (A protocol is a set of rules and standards that enable computers to exchange information.)
When you visit a secure Web site, it automatically sends you its certificate, and Internet Explorer displays a lock icon on the status bar. (A certificate is a statement guaranteeing the identity of a person or the security of a Web site.)
If you are about to send information (such as your credit card number) to an unsecured site, Internet Explorer can warn you that the site is not secure. If the site claims to be secure but its security credentials are suspect, Internet Explorer can warn you that the site might have been tampered with or might be misrepresenting itself.
Protecting your identity over the Internet
You can use a personal certificate to protect your identity over the Internet. A certificate is a statement guaranteeing the identity of a person or the security of a Web site. You can control the use of your own identity by having the private key that only you know on your own system. When used with mail programs, security certificates with private keys are also known as "digital IDs."
Internet Explorer uses two different types of certificates:
A "personal certificate" is a kind of guarantee that you are who you say you is. This information is used when you send personal information over the Internet to a Web site that requires a certificate verifying your identity.
A "Web site certificate" states that a specific Web site is secure and genuine. It ensures that no other Web site can assume the identity of the original secure site.
How do security certificates work?
A security certificate, whether it is a personal certificate or a Web site certificate, associates an identity with a "public key." Only the owner knows the corresponding "private key" that allows the owner to "decrypt" or make a "digital signature." When you send your certificate to other people, you are actually giving them your public key, so they can send you encrypted information, which only you can decrypt and read with your private key.
The digital signature component of a security certificate is your electronic identity card. The digital signature tells the recipient that the information actually came from you and has not been forged or tampered with.
Before you can start sending encrypted or digitally signed information, you must obtain a certificate and set up Internet Explorer to use it. When you visit a secure Web site (one that starts with "https"), the site automatically sends you their certificate.
What SSL Provides to Your Website
When you configure the Secure Web Page Service in your Java Web Server, you are configuring a web server to use SSL. This protocol combination is called "HTTPS" (HTTP with SSL).
The Secure Sockets Layer (SSL) is a general-purpose network security protocol. In its normal usage, SSL provides up to four features to your TCP connections:
1. Your web server is authenticated to its clients, so that they can tell who you "really" are. Public Key Certificates are used to do this authentication.
2. All requests to your web server are encrypted so that client data (such as credit card data) is kept confidential. So are the responses from your web server.
3. The data is protected against being tampered with by a third party. This is called integrity protection.
4. When appropriate, clients can authenticate themselves to your server using their own Public Key Certificates.
There are several different ways to use SSL. In particular, each of the four features above comes in several varieties, and all except integrity protection are optional.
Using a Certificate Authority
Most secure web servers authenticate themselves using a certificate provided by a trusted "Certificate Authority" (CA). The role of a CA is to provide introductions between parties who don't know each other; they authenticate addresses according to policies specified in a "Certification Practices Statement" (CPS), which are intended to support use of these certificates (with digital signatures) as evidence in court cases.
When a CA is used, a client using a web browser does not need to get a copy of the server's certificate except through using the SSL protocol.
If you want to use SSL with a CA, do the following:
1.Use the authstore utility to generate a self-signed server certificate.
2.Then generate a "Certificate Signing Request" (CSR) for that self-signed server certificate.
3.Get that CSR to your certificate authority, either through e-mail or through an on-line procedure from a certificate authority. Note that some web browsers, such as Internet Explorer, are extremely restrictive with respect to the certificate authorities, which they support. Certificate Authorities you may wish to consult include:
VeriSign Inc. ... provides "Server" Digital IDs.
4.Note that you will need to provide the CA with proof that you have the right to use the name you provide to them. They will take time to verify this proof. You may be able to get the CA to respond in about a week.
5.The CA will respond with a "PEM encoded X.509 Certificate", which looks something like this:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
6. Import that with the "authstore" tool.
7. You will probably want to enable the HTTPS Service ("Secure Web Page Service") at this time.
Additional Certificate Authorities Support Support for additional Certificate Authorities (CA's) is now available. To use a CA other than the built-in VeriSign CA's:
Security on the web is a two-sided affair that involves both the client (the browser) and the server. They each have a role to play. Currently, most of the web security technology is focused on solving four immediate problems that are standing in the way of widespread e-Commerce.
- Encryption: You don’t want to send your password, credit card number, electronic cash, and other sensitive messages in the clear (i.e., plain text).
- Authentication: Both the client and the server must prove their identity to a trusted third party before they can start a secure session. On the Internet, the clients must prove their identity; so must the servers. The last thing you want is to send your credit card to a Trojan horse masquerading as the real server.
- Firewalls: This is very useful to protect your Intranets from the Internet. This typically involves creating some kind of gateway (or buffer) between the Intranet and the Internet.
- Non-repudiation: This means incontestable proof that a document (or message) was really originated by you and only you. This requires some forms of unforgeable electronic signature that can stand in a court of law.
Using secure Internet sites for transactions
Many Internet sites are set up to prevent unauthorized people from seeing the information that is sent to or from those sites. These are called "secure" sites. Because Internet Explorer supports the security protocols used by secure sites, you can send information to a secure site with safety and confidence. (A protocol is a set of rules and standards that enable computers to exchange information.)
When you visit a secure Web site, it automatically sends you its certificate, and Internet Explorer displays a lock icon on the status bar. (A certificate is a statement guaranteeing the identity of a person or the security of a Web site.)
If you are about to send information (such as your credit card number) to an unsecured site, Internet Explorer can warn you that the site is not secure. If the site claims to be secure but its security credentials are suspect, Internet Explorer can warn you that the site might have been tampered with or might be misrepresenting itself.
Protecting your identity over the Internet
You can use a personal certificate to protect your identity over the Internet. A certificate is a statement guaranteeing the identity of a person or the security of a Web site. You can control the use of your own identity by having the private key that only you know on your own system. When used with mail programs, security certificates with private keys are also known as "digital IDs."
Internet Explorer uses two different types of certificates:
A "personal certificate" is a kind of guarantee that you are who you say you is. This information is used when you send personal information over the Internet to a Web site that requires a certificate verifying your identity.
A "Web site certificate" states that a specific Web site is secure and genuine. It ensures that no other Web site can assume the identity of the original secure site.
How do security certificates work?
A security certificate, whether it is a personal certificate or a Web site certificate, associates an identity with a "public key." Only the owner knows the corresponding "private key" that allows the owner to "decrypt" or make a "digital signature." When you send your certificate to other people, you are actually giving them your public key, so they can send you encrypted information, which only you can decrypt and read with your private key.
The digital signature component of a security certificate is your electronic identity card. The digital signature tells the recipient that the information actually came from you and has not been forged or tampered with.
Before you can start sending encrypted or digitally signed information, you must obtain a certificate and set up Internet Explorer to use it. When you visit a secure Web site (one that starts with "https"), the site automatically sends you their certificate.
What SSL Provides to Your Website
When you configure the Secure Web Page Service in your Java Web Server, you are configuring a web server to use SSL. This protocol combination is called "HTTPS" (HTTP with SSL).
The Secure Sockets Layer (SSL) is a general-purpose network security protocol. In its normal usage, SSL provides up to four features to your TCP connections:
1. Your web server is authenticated to its clients, so that they can tell who you "really" are. Public Key Certificates are used to do this authentication.
2. All requests to your web server are encrypted so that client data (such as credit card data) is kept confidential. So are the responses from your web server.
3. The data is protected against being tampered with by a third party. This is called integrity protection.
4. When appropriate, clients can authenticate themselves to your server using their own Public Key Certificates.
There are several different ways to use SSL. In particular, each of the four features above comes in several varieties, and all except integrity protection are optional.
Using a Certificate Authority
Most secure web servers authenticate themselves using a certificate provided by a trusted "Certificate Authority" (CA). The role of a CA is to provide introductions between parties who don't know each other; they authenticate addresses according to policies specified in a "Certification Practices Statement" (CPS), which are intended to support use of these certificates (with digital signatures) as evidence in court cases.
When a CA is used, a client using a web browser does not need to get a copy of the server's certificate except through using the SSL protocol.
If you want to use SSL with a CA, do the following:
1.Use the authstore utility to generate a self-signed server certificate.
2.Then generate a "Certificate Signing Request" (CSR) for that self-signed server certificate.
3.Get that CSR to your certificate authority, either through e-mail or through an on-line procedure from a certificate authority. Note that some web browsers, such as Internet Explorer, are extremely restrictive with respect to the certificate authorities, which they support. Certificate Authorities you may wish to consult include:
VeriSign Inc. ... provides "Server" Digital IDs.
4.Note that you will need to provide the CA with proof that you have the right to use the name you provide to them. They will take time to verify this proof. You may be able to get the CA to respond in about a week.
5.The CA will respond with a "PEM encoded X.509 Certificate", which looks something like this:
-----BEGIN CERTIFICATE-----
MIICZTCCAdICBQL3AAC2MA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAwHgYD
VQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJlIFNlcnZlciBDZX
J0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NzAyMjAwMDAwMDBaFw05ODAyMjAyMzU5NTlaMI
GWMQswCQYDVQQGEwJVUzETMBEGA1UECBMKQ2FsaWZvcm5pYTESMBAGA1UEBxMJUG
FsbyBBbHRvMR8wHQYDVQQKExZTdW4gTWljcm9zeXN0ZW1zLCBJbmMuMSEwHwYDVQQLE
xhUZXN0IGFuZCBFdmFsdWF0aW9uIE9ubHkxGjAYBgNVBAMTEWFyZ29uLmVuZy5zdW4uY29tM
IGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCofmdY+PiUWN01FOzEewf+GaG+lFf132Up
zATmYJkA4AEA/juW7jSi+LJkwJKi5GO4RyZoyimAL/5yIWDV6l1KlvxyKslr0REhMBaD/3Z3EsLTTEf5gVrQS6sTMoSZAyzB39kFfsB6oUXNtV8+UKKxSxKbxvhQn267PeCz5VX2QIDAQAB
MA0GCSqGSIb3DQEBAgUAA34AXl3at6luiV/7I9MN5CXYoPJYI8Bcdc1hBagJvTMcmlqL2uOZH9T5
hNMEL9Tk6aI7yZPXcw//FrMp0UwJmdxX7ljV6ZtUZf7pY492UqwC1777XQ9UEZyrKJvF5ntleeO0ayB
qLGVKCWzWZX9YsXCpv47FNLZbupE=
-----END CERTIFICATE-----
6. Import that with the "authstore" tool.
7. You will probably want to enable the HTTPS Service ("Secure Web Page Service") at this time.
Additional Certificate Authorities Support Support for additional Certificate Authorities (CA's) is now available. To use a CA other than the built-in VeriSign CA's:
- Import the root certificate of the CA using the "Import CA" button in Authstore.
- Import the certificate issued by that CA.
