
Communication Security: Web Based Services • Chapter 5  279

used for authentication, containing such data as the server's name, public encryption key, and the trusted Certificate Authority (CA). As we'll discuss later in this chapter, when we cover code signing, the CA is a server or entity that issues digital certificates, such as an internal certificate server on a network or a trusted third party like VeriSign (www.verisign.com). Once the client has the certificate, it may proceed further by contacting the CA to ensure that the certificate is authentic, and will present the server with a list of encryption algorithms from which the server chooses the strongest algorithm that both the client and the server support. Data exchanged between the client and server is then used with hashing functions to generate session keys that are used for encryption and decryption throughout the SSL session.

HTTP/S

HTTP/S or HTTPS is simply HTTP over SSL. What is important to remember about HTTP/S is that it isn't a new type of protocol, but is two protocols: HTTP and SSL. Because of this, the same individual components of each protocol apply. As we saw previously with SSL, the data transmitted is encrypted between the client and the server.

HTTP/S is the protocol responsible for encryption of traffic from a client browser to a Web server. HTTP/S uses port 443 instead of HTTP port 80. When a URL begins with "https://," you know you are using HTTP/S. Both HTTP/S and SSL use an X.509 digital certificate for authentication purposes from the client to the server.

HTTP/S is often used for secure transmissions over the Internet, such as during online transactions where banking or credit card information is exchanged between a client and server. Because the data is encrypted, it provides protection from eavesdroppers or MITM attacks, which could result in unwanted parties accessing the data. It may also be used on intranets, where secure transmission across an internal network is vital.



EXAM WARNING

SSL must be known and understood for the Security+ exam. Remember key items like the port it uses (443) and its basic functionality, as well as aspects related to its successor, TLS. You will also need to remember that HTTP/S is HTTP over SSL and is used for secure Internet transmissions between an SSL enabled server and client. For additional information on





                                                                              www.syngress.com