Friday, February 24, 2006

Internet Security: A case study

Folks, here's what disturbs most people....

Myth: Online transactions are not safe. Your credit card number can be misused by a hacker (a net robber). Talking about current-day sales on the Internet would be a waste of time, because the figure grows faster than you can read this document. Transacting on the net is highly secure and private. It is even safer than using your credit card at a fuel pump, a restaurant, or any other place. We have tried to explain in lay terms how a transaction happens on the net.

Every Web site developer must worry about the problem of security. If your Web site hosts confidential information such as credit card numbers, business documents, or passwords, you have a responsibility to protect this information. Failure might have dire consequences, both for your business and for the users of your Web site.

This topic focuses on the problems of security. Here you will learn how to ensure the security of your data while it is being transmitted. If someone enters a password or a credit card number at your Web site, you must prevent the wrong people from accessing this data as it travels across the Internet or your local network.

Encryption, Authentication and Data Integrity with SSL

The Secure Sockets Layer (SSL) is a protocol, originally developed by Netscape, for transmitting information securely across an insecure network. SSL is the only existing method for sending private information across the Internet that works with the majority of current browsers. SSL provides a technical solution to three distinct security problems: encryption, authentication and data integrity.


Encryption

When you enter information into an HTML form and submit it at a Web site, the information is transmitted from your browser to the Web site’s server. As the information travels across the Internet, it typically passes through several intermediate connections. In theory, the data entered into the form can be intercepted and read.

The problem is analogous to the situation a general faces when he must send a message containing secret plans across enemy territory. As the messenger travels across the unknown territory, he could be captured, and the enemy could steal and read the secret plans.

The proper solution, for both the general and for the person entering information into the HTML form, is to encrypt the message before it is sent across hostile territory. Even if the message is captured, the privacy of the information is protected, unless, of course, the secret code is cracked.

SSL encrypts information as it passes back and forth between a Web server and a Web browser. The information is encoded using a publicly known encryption algorithm and a secret session encryption key. The number of bits in the session key determines the strength of the encryption.

When you installed IIS, by default you installed a version of IIS that supports a 40-bit session encryption key. However, you have the option of upgrading IIS to use a stronger 128-bit session encryption key. Although messages encrypted with the 40-bit key have been cracked, messages encrypted with the 128-bit key are considered unbreakable with current technology.

Why not always use the 128-bit key? There are two reasons. First, communicating using a 128-bit key can be significantly slower than using the 40-bit key. The longer the key, the more work the server and browser must perform to encrypt and decrypt the messages passed back and forth.

There are also legal restrictions on using the longer 128-bit key. The United States government has classified 128-bit SSL as munitions. This means that it is illegal, with certain exceptions, to export any program that supports this stronger encryption outside the United States. This applies to both Web servers and Web browsers.

Normally, if you install a 128-bit session key on your Web server, your Web server will automatically negotiate the highest level of encryption to use for secure communication. If someone communicates using a browser with a 40-bit key, your server will automatically use this level of encryption. However, you can also configure IIS to reject browsers that do not support the stronger 128-bit key.
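The same "reject anything weaker" policy can be written down and audited in code. The following is an added example, not part of the original post and not IIS configuration: it uses Python's standard ssl module, and the cipher string and the 128-bit floor are assumptions chosen to mirror the setting described above.

```python
import ssl

# Assumed policy in OpenSSL cipher-list syntax: strong suites only, no
# anonymous or unencrypted suites, no RC4, 3DES or MD5-based suites.
STRONG_ONLY = "HIGH:!aNULL:!eNULL:!RC4:!3DES:!MD5"
MIN_BITS = 128  # assumed floor, matching the "128-bit only" option

def hardened_server_context():
    """Server-side context that refuses old protocol versions and weak suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(STRONG_ONLY)
    return ctx

def audit(ctx, min_bits=MIN_BITS):
    """Return (name, protocol, bits) for every enabled suite below min_bits."""
    return [(c["name"], c["protocol"], c["strength_bits"])
            for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]

def summary(ctx):
    """Count the enabled suites and list the distinct key strengths on offer."""
    suites = ctx.get_ciphers()
    return {"suites": len(suites),
            "key_sizes": sorted({c["strength_bits"] for c in suites})}

if __name__ == "__main__":
    ctx = hardened_server_context()
    print(summary(ctx))
    print("below floor:", audit(ctx))
    # Before serving traffic the context also needs the server certificate:
    # ctx.load_cert_chain("server.pem", "server.key")  # placeholder paths
```

A client that offers only suites outside this list shares no cipher with the server, so the handshake fails instead of falling back to weaker encryption.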


Authentication

If you visit a Web site that appears to be authentic in every way like, you might feel safe providing your credit card information to buy a book. However, a clever thief could create a Web site that is indistinguishable from and steal your credit card information.

To return to the example of the general sending a message across enemy territory, imagine that the enemy decides to impersonate the intended recipient of the secret plans. The general and the imposter decide on a secret code, and the messenger delivers the message encoded with the secret code. However, the messenger has delivered the secret plans to the imposter.

To prevent one Web site from pretending to be another, SSL can be used to authenticate a Web site. When you install SSL on your Web server, you must install a server certificate. This certificate is used to verify your Web site’s identity, much as a driver’s license or passport is used to verify your personal identity. A server certificate contains information about your organization, your Web site, and the issuer of the certificate.

To work as a digital ID, a server certificate must be signed by a certificate authority. A certificate authority acts as a trusted third party that verifies the identity of a Web site for its users. Whenever you open a page using SSL, the information from the server certificate is included. For example, using Internet Explorer, you can view the certificate information for the home page of the Microsoft site. Enter labeled Certificates.

Instead of using a third-party certificate authority, you can also issue and sign your own certificates using Microsoft Certificate Server. In other words, you can be your own certificate authority. Being your own certificate authority is valuable when you need to authenticate multiple computers in your own organization to members of your organization. However, if your Web site is public, you should use a third-party certificate authority such as Verisign because a server certificate is only as trustworthy as its issuer.

SSL version 3.0 also supports client certificates. Client certificates work in exactly the same way as server certificates except that they are used to authenticate Web browsers rather than Web servers. Both Microsoft Internet Explorer (version 3.0 and higher) and Netscape Navigator (version 3.0 and higher) support client certificates. You can get a client certificate from a certificate authority, or you can use Microsoft Certificate Server to issue your own.

Data Integrity

Imagine that a malicious individual decides to alter a message as it is transmitted across the Internet. This individual does not read the message or prevent the message from being transmitted. The message is simply vandalized.

To return to the example of the general, suppose that the messenger successfully delivers the general’s secret plans to the intended recipient. Without the messenger’s knowledge, however, the secret plans have been switched while the messenger was crossing the enemy terrain. The wrong plans have been delivered.

SSL protects the integrity of data as it crosses the Internet. When messages are transmitted with SSL, they include a message authentication code (MAC). This code is used to detect whether a message has been altered. In other words, when you use SSL, you know that the message received is the same as the message sent.
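How a per-record MAC catches both altered and replayed messages is easiest to see in code. This is an added example, not part of the original post: it uses the HMAC record layout of TLS 1.2 (RFC 5246, section 6.2.3.1) rather than the older SSL 3.0 construction, leaves out encryption to keep the focus on integrity, and the Sender and Receiver classes, the key and the messages are constructed for illustration.

```python
import hashlib
import hmac
import struct

APPLICATION_DATA = 23   # TLS record content type
TLS_1_2 = (3, 3)        # protocol version bytes
TAG_LEN = 32            # HMAC-SHA256 output size

def record_mac(key, seq, fragment):
    # seq_num || type || version || length || fragment (RFC 5246, 6.2.3.1)
    header = struct.pack("!QBBBH", seq, APPLICATION_DATA, *TLS_1_2, len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha256).digest()

class Sender:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def protect(self, fragment):
        tag = record_mac(self.key, self.seq, fragment)
        self.seq += 1               # implicit counter, never sent on the wire
        return fragment + tag

class Receiver:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def accept(self, record):
        fragment, tag = record[:-TAG_LEN], record[-TAG_LEN:]
        expected = record_mac(self.key, self.seq, fragment)
        if not hmac.compare_digest(tag, expected):   # constant-time compare
            raise ValueError("bad record MAC")
        self.seq += 1
        return fragment

def demo():
    key = bytes(range(32))          # constructed sample key, not a real secret
    tx, rx = Sender(key), Receiver(key)
    first, second = tx.protect(b"pay 10 to alice"), tx.protect(b"pay 20 to bob")
    results = {"genuine": rx.accept(first)}
    altered = second[:4] + b"90" + second[6:]        # amount changed in transit
    for name, record in (("altered", altered), ("replayed", first)):
        try:
            rx.accept(record)
            results[name] = "accepted"
        except ValueError:          # a real TLS peer would close the connection
            results[name] = "rejected"
    results["next"] = rx.accept(second)
    return results

if __name__ == "__main__":
    print(demo())
```

Because the sequence number is fed into the MAC, a record that is byte-for-byte genuine is still rejected when it arrives out of turn.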

How Secure is SSL?

How safe is SSL? Can you use SSL to safely transmit credit card information or private business documents across the Internet? All the major commercial Web sites on the Internet that accept credit card information currently use SSL. For example, has accepted credit card information from over 4.5 million customers using SSL.

The real answer is that you do not have much choice. If you want to convey private information across the Internet without forcing your Web site’s users to download special programs such as Wallets, ActiveX components, or Java applets, then you must use SSL. SSL is the only method of sending private information that is supported by the majority of browsers.

Let’s see how this system works.

Take the example of an e-commerce site.

The consumer moves through the Internet to the merchant’s Web site. From there, he decides that he wants to purchase something, so he is moved to the online transaction server, where all the information he gives is encrypted. Once he has placed his order, the information moves through a private gateway to a Processing Network, where the issuing and acquiring banks complete or deny the transaction. This generally takes place in no more than 5-7 seconds. With the addition of Secure Sockets Layer technology, e-commerce is also a very safe way to complete transactions. Simple, isn’t it?

Even simpler: when you log in to the https:// area of the website, the site issues you a public key (which is like a locking system), with which all the information that you send to us is changed into an encrypted code before it leaves your computer and starts traveling towards our Web server. After we receive the "encrypted" information, it is passed on to the bank for approval in the same format, and only the bank's online transaction server (computer) has the private key to unlock the code (decrypt the encryption). The sets of these "two keys" are "made to order", and no two sets of keys are even remotely alike. The bank then sends back the approval or rejection, again in an encrypted format that only your computer's public key can read. So this way, even we, who are charging your credit card, do not have access to your personal information or number.
Credits go to open source code and online sources.
