Security Techniques used in protecting Active
Server Pages
As part of our review we will look at four security
techniques, briefly covering their history, usage and the security
they offer against potential threats.
1. SSL 2.0 / SSL 3.0 Secure Socket Layer
Developed by Netscape, SSL has established itself as the de facto
standard security protocol for Internet communication and is supported
by all major browsers.
Part of its appeal is that it is not application-specific and
can therefore be applied to any transport protocol by layering
it on top. Once applied, SSL provides authentication, confidentiality
and integrity by protecting against message tampering, eavesdropping
and spoofing [4].
Using SSL
Establishing a new session initiates a handshake procedure. The
handshake procedure is responsible for the selection of a cipher,
exchange of the master key, authentication of the server and authentication
of the client. Figure 3 illustrates a simple handshake procedure:

Figure 3. Simple Handshake procedure: no client authentication
and no Session ID [4]
With the handshaking complete, data
transfer can commence. All data transfer takes place over an SSL
record protocol layer. The record layer is formed of two parts,
a header and data. The data part is formed of a Message Authentication
Code (MAC), and the data itself. This data is encrypted if necessary.
For the purpose of tracking, each message has a unique ID created
upon its generation [4].
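The record layout described above, as an added example that is not code from the original page: a record is built as header, MAC and data, then checked on receipt. It assumes the SSL 2.0 two-byte header form and an MD5 MAC over the secret, the data and a 32-bit sequence number standing in for the per-message ID, with encryption omitted; the function names and sample values are constructed.

```python
import hashlib
import hmac
import struct

MAC_LEN = 16  # MD5 digest length


def _mac(secret: bytes, data: bytes, seq: int) -> bytes:
    # Assumed construction: MD5(secret || data || 32-bit sequence number).
    return hashlib.md5(secret + data + struct.pack(">I", seq)).digest()


def build_record(secret: bytes, seq: int, data: bytes) -> bytes:
    """Return header | MAC | data using the 2-byte header form (no padding)."""
    body = _mac(secret, data, seq) + data
    if len(body) > 0x7FFF:
        raise ValueError("body too long for a 2-byte header")
    return struct.pack(">H", 0x8000 | len(body)) + body


def open_record(secret: bytes, expected_seq: int, record: bytes) -> bytes:
    """Parse one record and return its data, or raise ValueError."""
    if len(record) < 2:
        raise ValueError("truncated header")
    (hdr,) = struct.unpack(">H", record[:2])
    if not hdr & 0x8000:
        raise ValueError("only the 2-byte header form is handled")
    body = record[2:]
    if len(body) != (hdr & 0x7FFF) or len(body) < MAC_LEN:
        raise ValueError("length field does not match body")
    mac, data = body[:MAC_LEN], body[MAC_LEN:]
    # Constant-time compare; a stale or altered record fails here.
    if not hmac.compare_digest(mac, _mac(secret, data, expected_seq)):
        raise ValueError("MAC check failed")
    return data


def accepted(secret: bytes, expected_seq: int, record: bytes) -> bool:
    try:
        open_record(secret, expected_seq, record)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"constructed-mac-secret"          # constructed sample value
    rec = build_record(key, 0, b"GET /default.asp")
    print(accepted(key, 0, rec))             # in-order record
    print(accepted(key, 1, rec))             # same bytes presented again later
```

Because the receiver computes the MAC with the sequence number it expects next, the same bytes presented a second time no longer verify.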
SSL Security Review
As with all the security techniques discussed, SSL uses encryption
to secure transferred data. What differs is the application of
the encryption and the authentication techniques used.
SSL offers optimal protection when using a 128-bit cipher and
a large key size (say 128 bits). In this state, SSL is protected
from dictionary attacks and brute-force attacks. Previously this
optimal state was not possible because US export laws restricted
manufacturers from using keys longer than 40 bits. Fortunately
this restriction was lifted in January 2001 [6].
Unfortunately, SSL encrypted messages are not accepted through
firewalls and as such the sender is reduced to either sending
their data unprotected or not sending it at all.
On the plus side, replay attacks are ruled out through the introduction
of a nonce number. Protection from man-in-the-middle attacks is
also available if the server uses a private key to decrypt the
master key and the server has a certificate.