2 Basic Concepts
- Static Web Pages (Figure 1: Static web page)
- Dynamic Web Pages: the contents can vary all day depending on a number of parameters.
  - Involves server-side programming.
  - Tools to create: CGI, ASP, JSP.
  - Figure 2: Dynamic web page
- Active Web Pages (Figure 3: Active web page)
  - Java applet: a small program sent to the browser along with the HTML page.
3 Basic Concepts (cont’d)
Figure 1: Static Web Page
4 Basic Concepts (cont’d)
Figure 2: Dynamic Web Page
5 Basic Concepts (cont’d)
Figure 3: Active Web Page
6 Basic Concepts (cont’d)
- ActiveX controls
- Difference between Java applets and ActiveX controls:
  - An applet cannot write to the client’s hard disk, but an ActiveX control has no such restriction.
  - An applet is downloaded with an active web page, executed inside the browser, and destroyed when the user exits that web page; an ActiveX control, once downloaded, remains on the client computer until it is explicitly deleted. This makes applets quite slow compared to ActiveX controls.
7 Basic Concepts (cont’d)
- Protocols and TCP/IP: see Figure 4 (TCP/IP layers).
- Layered organization: see Figure 5 (data exchange using TCP/IP layers).
Figure 4: TCP/IP layers
8 Basic Concepts (cont’d)
Figure 5: Data exchange using TCP/IP layers
9 Secure Socket Layer (SSL)
- An Internet protocol for secure exchange of information between a web browser and a web server.
- Provides 2 basic security services:
  - Authentication
  - Confidentiality
- Position of SSL in the TCP/IP protocol suite:
  - Figure 6: Position of SSL in TCP/IP
  - Figure 7: SSL is located between application and transport layers
10 Secure Socket Layer (SSL) (cont’d)
Figure 6: Position of SSL in TCP/IP
11 Secure Socket Layer (SSL) (cont’d)
Figure 7: SSL is located between application and transport layer
12 How SSL Works?
- SSL has three sub-protocols:
  - Handshake Protocol
  - Record Protocol
  - Alert Protocol
- The handshake protocol consists of a series of messages between the client and the server.
- Figure 8 shows the format of the handshake protocol message.
13 How SSL Works? (cont’d)
Figure 8: Format of the handshake protocol message.
Table 1: SSL handshake protocol message types
14 How SSL Works? (cont’d)
- The handshake protocol is made up of 4 phases, as shown in Figure 9.
- Phase 1: Establish security capabilities
  - Initiate a logical connection and establish the security capabilities associated with the connection.
  - Consists of 2 messages (Figure 10):
    - The client hello
    - The server hello
17 How SSL Works? (cont’d)
- Phase 2: Server authentication and key exchange (Figure 11)
- Phase 3: Client authentication and key exchange (Figure 12)
- Phase 4: Finish (Figure 13)
18 How SSL Works? (cont’d)
- Helps the client authenticate the server using the server’s public key from the server’s certificate.
- (Optional) If the server does not send its digital certificate, the server sends its public key.
- (Optional) The server requests the client’s digital certificate.
- Indicates to the client that the server’s portion of the hello message is complete.
Figure 11: Phase 2 of SSL handshake protocol: Server authentication and key exchange
19 How SSL Works? (cont’d)
- Allows the client to send information to the server.
- The client creates a 48-byte pre-master secret, encrypts it with the server’s public key, and sends it to the server.
Figure 12: Phase 3 of SSL handshake protocol: Client authentication and key exchange
20 How SSL Works? (cont’d)
Figure 13: Phase 4 of SSL handshake protocol: Finish
21 How SSL Works? (cont’d)
- Record protocol: provides 2 services to an SSL connection:
  - Confidentiality: achieved by using the secret key that is defined by the handshake protocol.
  - Integrity: the handshake protocol also defines a shared secret key (MAC) that is used for assuring message integrity.
22 How SSL Works? (cont’d)
Figure 14: SSL record protocol
23 How SSL Works? (cont’d)
- Alert Protocol
  - When the client or server detects an error, the detecting party sends an alert message to the other party.
  - If the error is fatal, both parties immediately close the SSL connection.
  - Other errors, which are not severe, do not result in the termination of the connection.
Figure 15: Alert protocol message format (Byte 1: Severity, Byte 2: Cause)
24 Closing and Resuming SSL connections
- Before ending their communication, the client and the server must inform each other that their side of the connection is ending.
- TLS (Transport Layer Security) is an IETF standardization initiative whose goal is to produce an Internet standard version of SSL.
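
As an added example (not part of the original slides), the following Python code parses the two-byte alert message of Figure 15 (byte 1 severity, byte 2 cause) and applies the rule from the alert protocol slide, including the closure notice described under closing connections. The record header layout, the numeric severity and cause codes (from the SSL 3.0 specification) and the function name `handle_alert_record` are not on the slides; the sample records are constructed, and the alerts are assumed to be unencrypted.

```python
import struct

ALERT_CONTENT_TYPE = 21          # record-layer content type for alerts
WARNING, FATAL = 1, 2            # byte 1: severity
CAUSES = {                       # byte 2: cause (SSL 3.0 alert descriptions)
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    30: "decompression_failure", 40: "handshake_failure",
    41: "no_certificate", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter",
}
ALWAYS_FATAL = {10, 20, 30, 40, 47}   # SSL 3.0 defines these as fatal only


def handle_alert_record(record: bytes) -> tuple:
    """Return (action, reason) for one unencrypted alert record.

    action is "close" (terminate the connection immediately),
    "close_orderly" (peer announced it is ending its side), or "continue".
    Anything malformed is treated as a reason to close.
    """
    if len(record) < 5:
        return "close", "truncated record header"
    ctype, _major, _minor, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    if ctype != ALERT_CONTENT_TYPE:
        return "close", f"not an alert record (type {ctype})"
    if length != 2 or len(body) != 2:
        return "close", "alert body must be exactly 2 bytes"
    severity, cause = body
    name = CAUSES.get(cause, f"unknown({cause})")
    if severity == FATAL:
        return "close", f"fatal {name}"
    if severity != WARNING:
        return "close", f"invalid severity {severity}"
    if cause in ALWAYS_FATAL:
        return "close", f"{name} sent as warning (protocol violation)"
    if cause == 0:
        return "close_orderly", "close_notify"
    return "continue", f"warning {name}"


# Constructed sample records: header 15 03 00 00 02, then severity and cause.
SAMPLES = [bytes.fromhex(h) for h in
           ("1503000002" "0100", "1503000002" "0228", "1503000002" "012d",
            "1503000002" "0114", "1503000002" "02")]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec.hex(), handle_alert_record(rec))
```

The fourth sample shows a case worth logging on the defending side: a cause that the specification treats as fatal arriving with warning severity is handled as a violation rather than ignored.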