Firewall and others-8

Source: Internet
Author: User

Application Layer Security

Remember (and be careful): a security protocol at the network layer or the transport layer adds security attributes to the data channel between hosts (or processes). Essentially, this means that an authentic (or even confidential) data channel is established between the hosts (or processes), but the individual files transmitted over that same channel cannot be given different security requirements. For example, if a secure IP channel is established between one host and another, every IP packet sent over that channel is automatically encrypted. Similarly, if one process establishes a secure data channel with another process through a Transport Layer Security protocol, all messages exchanged over it are automatically encrypted.

If you really want to differentiate the security requirements of individual files, you must use application-layer security. Providing security services at the application layer is in fact the most flexible way to handle the security of a single file. For example, an e-mail system may need to sign individual paragraphs of a letter before it is sent. The security functions provided by lower-layer protocols generally know nothing about the paragraph structure of a letter and therefore cannot know which parts require a signature. The application layer is the only layer that can provide such a security service.
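The e-mail example above, as an added illustration that is not code from the original article: each paragraph of a constructed sample letter gets its own detached Ed25519 signature, so the receiver can tell exactly which paragraph was altered, something a channel-level protocol that sees only an opaque byte stream cannot report.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"strings"
)

// SignedPart pairs one paragraph of the letter with its own detached signature.
type SignedPart struct {
	Text string
	Sig  []byte
}

// SignParagraphs splits the letter on blank lines and signs every paragraph
// separately; only the application can do this, because only it knows the
// paragraph structure of the message.
func SignParagraphs(priv ed25519.PrivateKey, letter string) []SignedPart {
	var parts []SignedPart
	for _, p := range strings.Split(letter, "\n\n") {
		parts = append(parts, SignedPart{Text: p, Sig: ed25519.Sign(priv, []byte(p))})
	}
	return parts
}

// VerifyParagraphs reports, paragraph by paragraph, whether the signature still
// matches the text, so a modified paragraph is localised instead of silently
// invalidating the whole letter.
func VerifyParagraphs(pub ed25519.PublicKey, parts []SignedPart) []bool {
	ok := make([]bool, len(parts))
	for i, p := range parts {
		ok[i] = ed25519.Verify(pub, []byte(p.Text), p.Sig)
	}
	return ok
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample letter with three paragraphs (not from the article).
	letter := "Dear team,\n\nThe Q3 budget is approved.\n\nRegards, Alice"
	parts := SignParagraphs(priv, letter)
	parts[1].Text = "The Q3 budget is rejected." // simulated modification in transit
	for i, v := range VerifyParagraphs(pub, parts) {
		fmt.Printf("paragraph %d verified: %v\n", i, v)
	}
}
```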

Generally, there are several possible ways to provide security services at the application layer. The first thought is probably to modify each application (and application protocol) separately, and some important TCP/IP applications have already done so. In RFC 1421 to 1424, the IETF specified Privacy Enhanced Mail (PEM), which provides security services for SMTP-based e-mail systems. For various reasons, adoption of PEM in the Internet community has been slow. One reason is that PEM depends on an existing, fully operational Public Key Infrastructure (PKI). The PEM PKI is based on a hierarchical organization consisting of the following three layers:

· The top layer is the Internet Policy Registration Authority (IPRA)
· The middle layer consists of the Policy Certification Authorities (PCAs)
· The bottom layer consists of the Certification Authorities (CAs)

Building a PKI that complies with the PEM specification is also a political process, because it requires multiple parties to agree on a common basis for trust. Unfortunately, history shows that political processes always take time. As an intermediate step, Phil Zimmermann developed a software package called PGP (Pretty Good Privacy). PGP complies with most of the PEM specification but does not require the existence of a PKI. Instead, it uses a distributed trust model in which each user decides which other users to trust. PGP therefore does not promote a global PKI; it lets users build their own webs of trust. This immediately raises the problems inherent in a distributed trust model.
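The distributed trust model just described, as an added example rather than PGP's own code: a certification is one user's Ed25519 signature over another user's public key, and whether a key counts as valid depends on which signers the verifying user has chosen to trust, so the same certification is accepted by one user and rejected by another. User names and trust settings are constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Certification is one user's signature over another user's public key, the
// "key signing" act from which a web of trust is built.
type Certification struct {
	Signer, Subject string
	Sig             []byte
}

// Certify has signer vouch for subject's public key.
func Certify(signer string, priv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certification {
	return Certification{Signer: signer, Subject: subject, Sig: ed25519.Sign(priv, pub)}
}

// KeyValid answers "is subject's key valid?" from one user's point of view:
// the key must carry a genuine certification by a signer this user trusts.
// There is no global authority; trusted is the verifying user's own choice.
func KeyValid(keys map[string]ed25519.PublicKey, trusted map[string]bool,
	certs []Certification, subject string) bool {
	for _, c := range certs {
		signerKey, known := keys[c.Signer]
		if c.Subject != subject || !trusted[c.Signer] || !known {
			continue
		}
		if ed25519.Verify(signerKey, keys[subject], c.Sig) {
			return true
		}
	}
	return false
}

func main() {
	keys := map[string]ed25519.PublicKey{}
	privs := map[string]ed25519.PrivateKey{}
	for _, u := range []string{"bob", "carol"} { // constructed users
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		keys[u], privs[u] = pub, priv
	}
	certs := []Certification{Certify("bob", privs["bob"], "carol", keys["carol"])}
	// Alice trusts Bob as an introducer; Dave trusts nobody.
	fmt.Println("alice accepts carol:", KeyValid(keys, map[string]bool{"bob": true}, certs, "carol"))
	fmt.Println("dave accepts carol:", KeyValid(keys, map[string]bool{}, certs, "carol"))
}
```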

S-HTTP is a security-enhanced version of the Hypertext Transfer Protocol (HTTP), designed for use on the Web. S-HTTP provides a file-level security mechanism, so each file can be marked as private and/or signed. The algorithms used for encryption and signing can be negotiated by the two communicating parties. S-HTTP supports several one-way hash functions, such as MD2, MD5 and SHA; several symmetric-key systems, such as DES, triple DES, RC2, RC4 and CDMF; and digital signature systems such as RSA and DSS.

Currently there is no accepted standard for Web security. Such a standard can only be developed by the WWW Consortium, the IETF, or a related standardization organization, and the formal standardization process may take several years, even though all the standardization organizations fully recognize the importance of Web security. S-HTTP and SSL provide Web security from different angles: S-HTTP marks individual files as private and/or signed, whereas SSL protects the data channel between communicating processes with privacy and authentication. The SecureWeb toolkit from Terisa can be used to add security functions to any Web application; the toolkit provides RSA Data Security's cryptographic algorithm library and full support for both SSL and S-HTTP.

Another important application is e-commerce, especially credit card transactions. To secure credit card transactions on the Internet, MasterCard (together with IBM, Netscape, GTE and CyberCash) developed the Secure Electronic Payment Protocol (SEPP), and Visa International and Microsoft (together with some other companies) developed the Secure Transaction Technology (STT) protocol. At the same time, MasterCard, Visa International and Microsoft agreed to jointly launch a secure credit card transaction service on the Internet. They released the corresponding Secure Electronic Transaction (SET) protocol, which specifies how a credit card holder pays with his or her credit card over the Internet. This mechanism is backed by a certificate-issuing infrastructure that supports X.509 certificates.
