  A review of security techniques used in protecting Active Server Pages (ASP) - Page 4

 


 
 

 

Security Techniques used in protecting Active Server Pages

2. TLS Transport Layer Security
The popularity of the SSL protocol prompted it to be submitted to the Internet Engineering Task Force (IETF) for validation as the official Internet Standard for Transport Layer Security (TLS). The consequent development of the SSL 3.0 protocol by the IETF produced the Transport Layer Security (TLS) protocol.


TLS is thus an evolved version of the SSL 3.0 specification; despite this, the differences between the two render them non-interoperable. The goal in developing TLS was to produce a protocol that was both extensible and efficient while still offering the security services of SSL [4].

Using TLS
The similarities between TLS and SSL are mirrored in their usage; the key differences between the two are the complex handshake procedure and the extended record layer.
In addition to the tasks performed by the SSL handshake protocol, the handshake procedure is now responsible for exchanging random numbers, checking for session resumption, generating the master key and providing security parameters to the record layer.


The changes to the handshake protocol have also seen the complexity of the record protocol increase. When transmitting data, the record protocol must now fragment the data into more manageable blocks, optionally compress the data, apply a MAC, encrypt the data, and finally transmit it. Equally, when receiving data, it must decrypt the data, verify it, decompress it and reassemble it before delivering it to the client [4].

TLS Security Review
TLS offers a greater level of security in comparison with SSL. This is due to small changes to the security features of SSL.
The integrity of the master key is improved through the use of two hash algorithms in the key generation phases. Thus, for an attacker to compromise the master secret, they would first have to break both hashes before obtaining the required keys or MAC secrets. Furthermore, record security has been improved through the introduction of a sequence number to the MAC. Thus missing, extra or repeated messages are detectable.
TLS is still susceptible to man-in-the-middle attacks in anonymous sessions as it can only prevent eavesdropping in this state.


Additional changes to the architecture include the introduction of an alert message. Used by the record layer, the alert message indicates security or connection alerts and depending on the severity of the alert can force termination of the connection [4].
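The record-layer steps and the sequence-numbered MAC described above can be sketched as follows. This is an added example, not code from the original paper: it assumes HMAC-SHA1 as the MAC, omits the compression and encryption steps, and the names `Sender`, `Receiver`, `try_stream` and `BadRecordMac` are hypothetical.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14    # a TLS 1.0 record fragment carries at most 2^14 bytes
APPLICATION_DATA = 23     # ContentType value for application data

class BadRecordMac(Exception):
    """Hypothetical stand-in for a fatal alert raised on MAC failure."""

def record_mac(secret, seq, ctype, fragment):
    # MAC input: 64-bit sequence number, type, version 3.1, length, fragment
    header = struct.pack("!QBBBH", seq, ctype, 3, 1, len(fragment))
    return hmac.new(secret, header + fragment, hashlib.sha1).digest()

class Sender:
    def __init__(self, secret):
        self.secret, self.seq = secret, 0

    def protect(self, data, ctype=APPLICATION_DATA):
        """Fragment the data and attach a MAC to every fragment."""
        records = []
        for i in range(0, len(data), MAX_FRAGMENT):
            fragment = data[i:i + MAX_FRAGMENT]
            mac = record_mac(self.secret, self.seq, ctype, fragment)
            records.append((ctype, fragment, mac))  # the counter is never sent
            self.seq += 1
        return records

class Receiver:
    def __init__(self, secret):
        self.secret, self.seq = secret, 0

    def accept(self, record):
        """Verify one record against the receiver's own counter."""
        ctype, fragment, mac = record
        expected = record_mac(self.secret, self.seq, ctype, fragment)
        if not hmac.compare_digest(mac, expected):
            raise BadRecordMac(f"record rejected at sequence {self.seq}")
        self.seq += 1
        return fragment

def try_stream(secret, records):
    """Return the reassembled data, or the error from the first bad record."""
    rx = Receiver(secret)
    try:
        return b"".join(rx.accept(r) for r in records)
    except BadRecordMac as exc:
        return str(exc)
```

Because each side keeps its own counter and only the MAC travels with the record, a repeated, dropped or reordered record fails verification at the first position where the two counters disagree.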


 
