Security, Confidentiality and Legal Issues (SCLIM)

Background notes for session 4 - Internet security

Cryptographic Protocols and Standards

[From http://www.cs.hut.fi/ssh/crypto/protocols.html]

SSL

SSL (Secure Sockets Layer) is one of the two protocols for secure WWW connections (the other is SHTTP). WWW security has become important as increasing amounts of sensitive information, such as credit card numbers, are transmitted over the Internet.

SSL was originally developed by Netscape (http://developer.netscape.com/tech/security/ssl/protocol.html), and contributed for free use. Its documentation is available from Netscape and a number of other sources. Further information can be found at http://home.netscape.com/security/index.html.

An easy-to-follow explanation of how it works can be found at http://developer.netscape.com/tech/security/ssl/howitworks.html. For an explanation of how digital certificates can be used to authenticate a user, see http://www.verisign.com/clientauth/kit/details.html. More detail can be found at http://developer.netscape.com/docs/manuals/security/sslin/index.htm.

The version of SSL that is exportable from the United States is restricted to 40-bit keys, which can be broken by anyone with access to a reasonable amount of computing power (for example, in our university any computer science student could easily harness enough computing power by using the idle time of workstations). Information on breaking SSL (and other brute force efforts) can be found at http://www.brute.cl.cam.ac.uk/brute/.

There is a freely available implementation from Australia that does not suffer from the security problems caused by US export limitations. Another implementation, Apache-SSL, is also available.

SSL is gaining support from a number of vendors; on the other hand, it is being criticized for centralized key management.

SHTTP

SHTTP (Secure Hypertext Transfer Protocol) is another protocol for providing more security for WWW transactions. In many ways it is more flexible than SSL; however, due to Netscape's dominance in the marketplace, SSL is in a very strong position. The electronic marketplace is evolving very fast, though, so it is hard to know what the situation will be in a few months or years.

There is an Internet Draft of the SHTTP protocol. It is available at ftp://ftp.ietf.org/rfc/rfc2660.txt.

Other protocols

See http://www.cs.hut.fi/ssh/crypto/protocols.html for further details.

E-Mail security and related services

S/MIME (Secure-MIME) http://www.rsasecurity.com/standards/smime/

MSP (Message Security Protocol) http://www.imc.org/workshop/sdn701.ps

General

The WWW Consortium has a WWW security FAQ at http://www.w3.org/Security/Faq/www-security-faq.html.

Microsoft has an online seminar on Internet Cryptography and Certificate Security at http://www.microsoft.com/Seminar/1033/Crypto_certs/Seminar.htm.

Netscape's Internet security resources can be found at http://developer.netscape.com/docs/manuals/security/secrs/index.htm.

Questions

  1. What financial transactions would you do over the Internet? Buying goods? Home banking? Dealing in stocks/shares?
  2. If the Internet can be used for transferring money securely, is it equally dependable for other forms of transaction?
  3. In particular, do the levels of security provide good enough mechanisms for the transmission of personal information such as health records?
  4. Which is better, SSL or SHTTP? Under what circumstances would you use one but not the other?
Updated to