1.6 Web Security
"Relying on the government to protect your privacy is like asking a peeping tom to install your window blinds." John Perry Barlow
Web servers and browsers present a whole range of security problems. Two of the key issues are the authentication of requests and privacy. Authentication boils down to mechanisms that let me be sure you are who you say you are; privacy, to making sure that no one but the intended recipient can read what passes between us. These mechanisms matter more in some Web interactions than in others.
The more complex Web interactions, such as database transactions and shopping, require the execution of programs on the server. These programs are most commonly invoked when you enter and submit data via a form. The data you entered are sent to the server, a program there does something with them, and the result, if any, is sent back to you.
Security is a major issue here, and it was an important consideration in the design of the Common Gateway Interface (CGI), the protocol that governs how such programs communicate with the Web server.
Figure: Typical Web Client/Server Interaction using CGI Script.
CGI gateway programs can be written in any language that can execute on the server machine. Typically, UNIX(15) shell scripts or other scripting languages are used instead of compiled code, because they are easier to debug and maintain. A terrific book by Ian Graham, "The HTML Sourcebook" (John Wiley), describes three mechanisms by which data can be passed to the gateway program:
1. Command-Line Arguments. The server launches the gateway program with command-line arguments.
2. Standard Input. The server passes data to the gateway program as a stream that the program reads from its standard input.
3. Environment Variables. The server puts information in special environment variables before starting the gateway program. The gateway program can then access these variables and obtain their contents.
These three mechanisms carry data from the Web server to the gateway program. In the other direction, a CGI program can pass data back to the Web server by either of two mechanisms. As The HTML Sourcebook explains, these are:
1. Write to standard output. The gateway program passes data back to the server by writing to its standard output. This is the only way that gateway programs can return data to a client.
2. The name of the gateway program. Gateway programs with names beginning with the string nph- are called nonparsed header programs and are treated specially by the server. In general, the server parses the output of a gateway program looking for headers that it can use to create the HTTP response headers it will send to the client with the returned data. If a gateway program's name begins with nph-, the server sends the program's output directly to the client without parsing it or adding any header information; the program is then responsible for producing a complete HTTP response, starting with the status line.
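The following gateway program exercises all of the paths just listed: it reads form data from the QUERY_STRING environment variable or from standard input, takes ISINDEX-style search words from its command line, and writes its response to standard output in either parsed-header or nph- form. It is example code added for this section, not from The HTML Sourcebook or from any particular server, and the environment, request bodies and script names fed to handle_request() are constructed for the demonstration. The security point it makes is that everything arriving by these three paths is client-controlled and is validated against an allow-list before it is echoed back.

```python
"""A small CGI gateway program showing the three ways a server hands data to
it (command-line arguments, standard input, environment variables) and the
way it hands data back (standard output, in parsed-header or nph- form).
Example code added for this section, not from The HTML Sourcebook or any
particular server.  handle_request() takes the environment, input and
argument list as parameters so constructed requests can be fed to it."""
import html
import io
import os
import re
import sys
from urllib.parse import parse_qs

# Allow-list for the one field this program accepts.  Client data must never
# reach a shell, a file name or a database query without a check like this.
SAFE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9 _.'-]{0,63}")


def parse_form(environ, stdin):
    """Collect form fields from the query string (GET, via the QUERY_STRING
    environment variable) or from the request body (POST, via standard input)."""
    if environ.get("REQUEST_METHOD", "GET").upper() == "POST":
        # The server says how many body bytes to read; reading past
        # CONTENT_LENGTH would block waiting for data that never comes.
        try:
            length = int(environ.get("CONTENT_LENGTH", "0"))
        except ValueError:
            length = 0
        raw = stdin.read(length).decode("utf-8", "replace")
    else:
        raw = environ.get("QUERY_STRING", "")
    # parse_qs undoes the %XX and '+' encoding; keep the first value per field.
    return {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}


def build_response(body, status="200 OK", content_type="text/html", nph=False):
    """Render the response the way the server expects it on standard output.

    Parsed-header form: only CGI headers (Content-type, optional Status); the
    server builds the HTTP status line and adds its own headers.
    nph- form: the program writes the complete HTTP response itself."""
    headers = []
    if nph:
        headers.append("HTTP/1.0 " + status)
    elif status != "200 OK":
        headers.append("Status: " + status)
    headers.append("Content-type: " + content_type)
    return "\r\n".join(headers) + "\r\n\r\n" + body


def handle_request(environ, stdin, argv=()):
    """Return the full text the gateway program writes to standard output.
    stdin may be a binary stream or, for testing, the raw body bytes."""
    if isinstance(stdin, (bytes, bytearray)):
        stdin = io.BytesIO(stdin)
    # A script whose name begins with nph- must emit a complete HTTP response.
    script = environ.get("SCRIPT_NAME", "").rsplit("/", 1)[-1]
    nph = script.startswith("nph-")

    fields = parse_form(environ, stdin)
    name = fields.get("name", "")
    if not SAFE_NAME.fullmatch(name):
        return build_response("<p>Invalid input.</p>",
                              status="400 Bad Request", nph=nph)

    body = "<p>Hello, %s.</p>" % html.escape(name)
    # ISINDEX-style searches arrive as command-line arguments (already
    # decoded by the server); escape them before echoing them into HTML.
    if argv:
        body += "<p>Search words: %s</p>" % ", ".join(html.escape(w) for w in argv)
    return build_response(body, nph=nph)


if __name__ == "__main__":
    sys.stdout.write(handle_request(os.environ, sys.stdin.buffer, sys.argv[1:]))
```

Installed under a name such as nph-hello, the same program must supply the status line itself; under any other name the server parses the Content-type and Status headers and completes the HTTP response.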
The behavior and assumptions of one browser may differ from those of another, so the same document can look different in each. The behavior of secure interfaces must be scrutinized in the same way. Often it is the implementation of a security algorithm, not the algorithm itself, that creates problems, so the way a browser implements its security protections, and how it interacts with the server, matters. Currently vendors vary widely in their approaches.
Perhaps the most far-reaching development toward secure transactions for true electronic commerce is the recent agreement between VISA and MasterCard. MasterCard issued a press release on February 1, 1996, stating, in part:
Addressing consumer concerns about making purchases on the Internet, MasterCard International and Visa International joined together today to announce a technical standard for safeguarding payment-card purchases made over open networks such as the Internet. Prior to this effort, Visa and MasterCard were pursuing separate specifications. The new specification, called Secure Electronic Transactions (SET), represents the successful convergence of those individual efforts. A single standard means that consumers and merchants will be able to conduct bankcard transactions in cyberspace as securely and easily as they do in retail stores today.
The associations expect to publish SET on their World Wide Web sites in mid-February. Following a comment period, the joint specification is scheduled to be ready for testing in the second quarter 1996. Visa and MasterCard expect that banks will be able to offer secure bankcard services via the Internet to their cardholders in the fourth quarter 1996.
Using the Web to make purchases is currently a little risky. Credit card numbers and other types of confidential information were never intended to be sent through the Internet. The widely distributed, unregulated, open nature of the Internet is the antithesis of a secure system. Of course, thanks to the mathematically obscure field of cryptography, all hope is not lost. The issue is how to make the various types and forms of encryption usable.
1.6.1 Digital Signatures and Public Key Cryptography
In the real world, we sign all sorts of legal documents, contracts, checks, time slips and other items. A signature is your unique identification; it is your seal of approval that you have read, approved, and agreed with the document. In the electronic world we must create the equivalent, a digital signature. Unfortunately it is easy to fake a typed name at the bottom of a message. What is needed is some way to ensure that a signature is legitimate and not a forgery. That "magic" is what's known as Public Key Cryptography.
Think about what a digital signature really is. When you look at a "signed" document you want to be positive that the signature is authentic, that the person (your boss, for example) really signed the message (especially if he's terminating your employment). You want to be able to pass a magic wand over the signed document that lets you read the document and know that your boss actually signed it.
Encrypted messages are unreadable unless you have the secret decoder ring, the key to decrypting the message. Most encryption schemes in use today employ a single key, shared by everyone who needs to read the message. The password you use to log on to a computer system works the same way: the password is the shared secret, and knowing it is what persuades the computer to let you in. It's simple and still quite secure, but the only evidence the system has of who you are is possession of that secret. If someone steals your password, they effectively steal your identity.
The Data Encryption Standard (DES) has been used for many years and, in modified form, is the basis of the UNIX password system.(16) The algorithm itself was published as a U.S. federal standard, but the government kept the design criteria for its substitution tables classified, and many people have assumed that a secret trapdoor exists for government eavesdropping; variations on DES were developed partly for that reason. No such trapdoor has been demonstrated. More recently, a technique called differential cryptanalysis has shown how a statistical attack using very large numbers of chosen plaintexts can in principle recover a DES key with less work than trying every key, although the full 16-round cipher turns out to resist it well. The more practical concern is that DES's 56-bit key is short by today's standards. The current "state of the art" is triple DES: three passes of the algorithm using two or three independent DES keys, for a combined key length of 112 or 168 bits.
Public Key Cryptography involves the use of two keys. Each person in a transaction has a public key and a private key. Everyone can see a person's public key, but individuals keep their private keys private. The two keys are mathematically related to each other and were generated together by the cryptography program you are using, such as PGP.
Figure: General Public Key Signing Method; the secret key is used for signing and the public key is used for verification.(17)
A message encrypted with one key can be decrypted only with the other. In practice, this means that if my boss wants to send a message that only I can read, he encrypts it using my public key; when I receive the message, only I can decode it, using my private key. If my boss wants to send a signed message to a lot of people in the company, he encrypts it with his private key and everyone can decrypt it with his public key, which assures them that he originated the document. Note that the two uses give different guarantees: encrypting with my public key keeps the message confidential but by itself says nothing about who sent it, while "encrypting" with the boss's private key proves authorship but hides nothing, since everyone has his public key. To get both, the sender signs and then encrypts. Real signature programs also sign a short cryptographic hash of the message rather than the whole message, which is faster and lets the signature travel alongside the readable text.
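To make the "encrypt with one key, decrypt only with the other" picture concrete, here is textbook RSA carried through both uses: confidentiality (encrypt with the recipient's public key) and signing (apply the private key to a hash of the message, check with the public key). This is example code added for this section, not PGP's code, and it is not safe for real use: there is no padding, the primes are fixed Mersenne primes chosen so the example runs instantly, and the hash is simply reduced modulo n. The keys, the memo and the tampered text in demo() are all constructed.

```python
"""Textbook RSA illustrating public-key encryption and digital signatures.
Example code added for this section; not PGP's implementation and not for
real use (no padding, fixed primes, hash reduced mod n).  All inputs are
constructed for the demonstration."""
import hashlib

# Known primes 2**61 - 1 and 2**89 - 1 keep the demo fast and deterministic.
# Real keys use random primes of 1024 bits or more.
P = 2**61 - 1
Q = 2**89 - 1


def keygen(p=P, q=Q, e=65537):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # modular inverse: e*d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, message):
    """Anyone can do this; only the holder of the private key can undo it."""
    n, e = public_key
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this key (no chunking here)")
    return pow(m, e, n)


def decrypt(private_key, ciphertext):
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _digest(message, n):
    # Sign a hash of the message, not the message itself.  A real scheme
    # pads the hash (e.g. PKCS #1); reducing it mod n is enough for a demo.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message):
    """'Encrypt' the hash with the private key: only its owner can do this."""
    n, d = private_key
    return pow(_digest(message, n), d, n)


def verify(public_key, message, signature):
    """Anyone holding the public key can check; nobody can forge without d."""
    n, e = public_key
    return pow(signature, e, n) == _digest(message, n)


def demo():
    """The boss signs a memo for everyone and sends it to me confidentially."""
    boss_pub, boss_priv = keygen()
    my_pub, my_priv = keygen(2**107 - 1, 2**127 - 1)   # a second known prime pair
    memo = b"You are promoted."
    ct = encrypt(my_pub, memo)          # confidentiality: only my_priv opens it
    sig = sign(boss_priv, memo)         # authenticity: checkable with boss_pub
    return {
        "roundtrip": decrypt(my_priv, ct) == memo,
        "verifies": verify(boss_pub, memo, sig),
        "tampered": verify(boss_pub, b"You are fired.", sig),
        "wrong_signer": verify(my_pub, memo, sig),
    }
```

demo() shows the two guarantees separately: the ciphertext can be opened only with my private key, while the signature checks out against the boss's public key, fails against an altered memo, and fails against anyone else's public key.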
Pretty Good Privacy (PGP)(18) is a freely available implementation of public key cryptography written by Phil Zimmermann; in the United States it is distributed through MIT. The program has generated controversy, pitting law enforcement agencies against privacy advocates. No matter what side of the battle you are on, the genie is out of the bottle and is never going back.
In the construction of a secure transaction system, one golden rule is to never, ever send clear text through the net. The information must be encrypted on the local client and transmitted in encrypted form. Netscape browsers have a nice user interface feature, a blue bar, which lights up when you are in a secure transaction mode. In addition, Netscape and other browsers will warn you, when you submit a form, that the information you are about to transmit is insecure. This warning is a configurable option.
1.6.2 Firewalls and Proxies
Many organizations are understandably reluctant to give outsiders access to their internal computer systems; press stories about computer break-ins and hackers are a staple. The principal technical solution is to create a "firewall." The idea is to leave the organization's computing network infrastructure alone, but to have a single point through which all traffic to and from the Internet must pass. One particular system is designated as the firewall machine, and additional security measures can be concentrated on it. Restrictions based, for example, on the domain name of the destination can be implemented on the one firewall machine, which checks each request before passing it on to the destination machine.
Once a firewall is set up, "proxy" servers must also be put into place for the users inside, behind the firewall. Proxy services invisibly look at requests and pass them to the outside world. For example, if I am behind a firewall and I make a request to ftp (File Transfer Protocol) a file from another machine outside, the ftp proxy machine first looks at my request, then passes it on and makes the connection on my behalf. Proxies must be set up on a per-service basis. HTTP, FTP, Gopher and other services would each be given a designated proxy through which the information passes. Typically, these proxies are specified in a configuration section of the Web browser.
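The domain-name check that the firewall or proxy host performs on each request can be written down as a small per-service policy. The following is example code added for this section, not taken from any real proxy product; the POLICY table, host names and request lines are constructed. Because a proxy request names the full URL, the scheme identifies the service (HTTP, FTP, Gopher) and the host is what the rules are matched against.

```python
"""Per-service, name-based request filtering for a firewall/proxy host.
Example code added for this section, not from any real proxy; the policy,
hostnames and request lines are constructed."""
from urllib.parse import urlsplit

# One rule set per service.  A pattern is an exact host name, a domain
# suffix written with a leading dot, or "*" for any host.  A service with an
# empty allow list has, in effect, no proxy: every request for it is refused.
POLICY = {
    "http":   {"allow": ["*"], "deny": ["games.example.net", ".warez.example"]},
    "ftp":    {"allow": ["ftp.example.org", ".example.edu"], "deny": []},
    "gopher": {"allow": [], "deny": []},
}


def host_matches(host, pattern):
    host = host.lower().rstrip(".")      # "www.example.com." is the same host
    if pattern == "*":
        return True
    if pattern.startswith("."):
        # Suffix match on a label boundary: ".example.edu" covers
        # cs.example.edu and example.edu itself, but not evilexample.edu.
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def decide(request_line):
    """Return (allowed, reason) for one proxy request line.
    Deny rules win over allow rules; anything unparseable is refused."""
    parts = request_line.split()
    if len(parts) != 3:
        return False, "malformed request line"
    url = urlsplit(parts[1])
    scheme, host = url.scheme.lower(), url.hostname or ""
    if scheme not in POLICY:
        return False, "no proxy for scheme %r" % scheme
    if not host:
        return False, "request names no host"
    rules = POLICY[scheme]
    if any(host_matches(host, p) for p in rules["deny"]):
        return False, "%s is denied for %s" % (host, scheme)
    if any(host_matches(host, p) for p in rules["allow"]):
        return True, "ok"
    return False, "%s is not in the %s allow list" % (host, scheme)
```

Two details matter in practice. Suffix rules must match on a label boundary, or a deny rule for ".example.net" is trivially evaded by registering "notexample.net". And a purely name-based policy knows nothing about a request written with a numeric address instead of a name, so a real proxy either resolves the name it is given and filters on the result or refuses numeric addresses outright.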
From a technological point of view, security issues can be addressed in many ways. According to Nicholas Baran in an article "The Greatest Show on Earth,"(19)
Today there are two basic approaches to secure electronic commerce. The first one focuses on protecting resources by securing individual servers and network sites. This access security is generally addressed by firewalls or other means of 'perimeter' security. The second approach focuses on transaction security. Transaction security addresses unauthorized listening in or eavesdropping on buyer/seller communications; authentication, so both parties are confident they know who they're talking to; message integrity, so the message contents can't be changed or tampered with; and a nonrepudiable record of the transaction in the form of a receipt or signature.
Secure transactions are the critical piece of technology, just beginning to be deployed, that will enable meaningful electronic commerce. As a result, confidential transactions and the use of anonymous digital cash are beginning to appear as realistic purchasing options.(20)
DigiCash has created Ecash, electronic cash with many of the advantages of real cash.
Figure: An Ecash withdrawal from a bank.
In addition to anonymous cash transactions, secure credit card purchases will probably become even more widespread. The infrastructure, for both the client browser and the merchant, is rapidly coming into place. One company trying to put all the pieces together is CyberCash.
CyberCash's secure financial transaction technology is used by Virtual Vineyards to sell wines on-line. Unbeknownst to the buyer, the transaction goes something like the following:
The customer clicks on the CyberCash icon to establish a link between the customer, Virtual Vineyards, and the participating bank, Wells Fargo. The customer fills out credit card information, which is encrypted (using 768-bit encryption) and sent to the CyberCash server; the server initiates a standard credit card authorization request to the bank. Once the request is processed, CyberCash sends an electronic receipt and credit card authorization to Virtual Vineyards. The whole process takes several seconds.(21)
© Prentice-Hall, Inc., A Simon & Schuster Company, Upper Saddle River, New Jersey 07458