Web Security Considerations
The World Wide Web is fundamentally a client/server application running over the Internet and TCP/IP intranets.
Web Traffic Security Approaches
A number of approaches to providing Web security are possible.

Figure 5.1 Relative location of security facilities in the TCP/IP protocol stack.
A general-purpose solution is to implement security just above TCP.
- The foremost example of this approach is the Secure Sockets Layer (SSL) and the follow-on Internet standard known as Transport Layer Security (TLS).
- For full generality, SSL (or TLS) could be provided as part of the underlying protocol suite and therefore be transparent to applications.
Transport Layer Security
Secure Sockets Layer (SSL) is probably the most widely used Web security mechanism, and it is implemented at the transport layer.
SSL Architecture
SSL is not a single protocol but rather two layers of protocols.
- The SSL Record Protocol provides basic security services to various higher-layer protocols.
- Three higher-layer protocols are also defined as part of SSL; these SSL-specific protocols are used in the management of SSL exchanges, though the SSL Handshake Protocol is the only one covered in these slides.

Figure 5.2 SSL protocol stack.
The SSL Record protocol defines two services for SSL connections:
- Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional encryption of SSL payloads. The message is compressed before being concatenated with the MAC and encrypted, with a range of ciphers being supported.
- Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC).
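The two Record Protocol services above, as an added example (not part of the slides): a simplified sender and receiver that fragment, compress, MAC and encrypt, with the receiver verifying the MAC before it decompresses. The MAC is the SSLv3 nested-hash construction over sequence number, type, length and compressed fragment; the cipher is an assumed placeholder keystream (HMAC-SHA256 in counter mode) standing in for whichever cipher the handshake would negotiate, and the key and message values are constructed.

```python
import hashlib
import hmac
import struct
import zlib

# SSLv3 MAC pads for SHA-1 (40 bytes each); 48 bytes would be used for MD5.
PAD_1, PAD_2 = b"\x36" * 40, b"\x5c" * 40
SSL_VERSION = 0x0300  # SSLv3 record-header version field


def sslv3_mac(secret: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    # hash(secret||pad_2||hash(secret||pad_1||seq_num||type||length||fragment))
    header = struct.pack("!QBH", seq, ctype, len(fragment))
    inner = hashlib.sha1(secret + PAD_1 + header + fragment).digest()
    return hashlib.sha1(secret + PAD_2 + inner).digest()


def keystream(key: bytes, seq: int, n: int) -> bytes:
    # Placeholder stream cipher (assumption, NOT an SSL cipher): the sequence
    # number is mixed in so each record gets a fresh keystream.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!QI", seq, ctr), "sha256").digest()
        ctr += 1
    return out[:n]


def seal(mac_key: bytes, enc_key: bytes, seq: int, ctype: int, data: bytes) -> bytes:
    compressed = zlib.compress(data)                        # 1. compress
    mac = sslv3_mac(mac_key, seq, ctype, compressed)        # 2. append MAC
    body = compressed + mac
    ks = keystream(enc_key, seq, len(body))
    ciphertext = bytes(a ^ b for a, b in zip(body, ks))     # 3. encrypt
    return struct.pack("!BHH", ctype, SSL_VERSION, len(ciphertext)) + ciphertext


def open_record(mac_key: bytes, enc_key: bytes, seq: int, record: bytes):
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    ciphertext = record[5:5 + length]
    ks = keystream(enc_key, seq, len(ciphertext))
    body = bytes(a ^ b for a, b in zip(ciphertext, ks))     # decrypt
    compressed, mac = body[:-20], body[-20:]
    expected = sslv3_mac(mac_key, seq, ctype, compressed)
    if not hmac.compare_digest(mac, expected):              # verify integrity
        return None  # tampered, replayed/reordered (wrong seq) or mis-keyed
    return zlib.decompress(compressed)                      # decompress last
```

A record that was modified in transit, or replayed under a different sequence number, fails the MAC check and is rejected before any decompression is attempted.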