ITFT - Web security
- 1. The Internet Architecure Board The internet architecture board (IAB) is the committee responsible for supervising the technical and engineering development of the internet. The IAB committee is appointed by the Internet Society (ISOC), which is an international organization whose mission is to encourage Internet usage. The Internet Society has more than 100 organizational and more than 28,000 individual members in over 80 chapters around the world.
- 2. Originally IAB was founded by the United States Department of Defense's ‘Defense Advanced Research Projects Agency’ that is responsible for development of new technology for use by the US military. In 1979, it was named Internet Configuration Control Board. Its name was changed to Internet Advisory Board in 1984 and internet Activities Board in 1986. In January 1992, it became Internet Architecture Board under ISOC.
- 4. Web Security The web security is required to protect the web sites from unauthorized access, information disclosure and data theft. Security on the web can be ensured using the following mechanism:
- 5. Encryption: • It is the process of translating data into a secret code that cannot be easily understood by the unauthorized people. Encryption is the best technique of achieving data security. A secret key or password is needed to read an encrypted data. Unencrypted data is referred as plain text while encrypted data is called cipher text. There are two types of encryption: • Asymmetric encryption or public - key encryption • Symmetric encryption
- 6. Asymmetric Encryption • This type of encryption makes use of two keys- a private key and a public key. The private key also known as secret key is available to the recipient of the data only whereas the knowledge of public key is known to all. • For instance, when Robert wants to send a message to Jane, he uses Jane’s public key to encrypt the message. Jane then uses her private key to decrypt the message. In asymmetric encryption, there is a relation between the public key and private keys in a way that for the encryption of the messages only the public key can be used and for the decryption, only corresponding private key can be used.
- 7. Asymmetric • To use asymmetric encryption, there must be a way for people to discover other public keys. The typical technique is to use digital certificates (also known simply as certificates). A certificate is a package of information that identifies a user or a server, and contains information such as the organization name, the organization that issued the certificate, the user's e-mail address and country, and the user's public key.
- 9. Symmetric Encryption • It is a type of encryption where the same key is used to encrypt and decrypt the data. The sender of the information encrypts the data using the shared keys and the receiver decrypts the information using the same key.
- 11. Secure Sockets Layer(SSL) Netscape developed this protocol to transmit private data through the web. Data is encrypted in SSL with the use of two keys, private key and public key. Secure HTTP: It is a protocol for transmitting data securely over the world wide web. S-HTTP and SSL help each other to transmit the information securely. A connection between the client and a server is created by SSL, over which data of any amount can be securely sent. •
- 12. Secure HTTP • Another protocol for transmitting data securely over the World Wide Web is Secure HTTP (S-HTTP) • . Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP is designed to transmit individual messages securely. SSL and S-HTTP, therefore, can be seen as complementary rather than competing tech. • Both protocols have been approved by the Internet Engineering Task Force (IETF) as a standard.
- 13. Firewall • Firewalls are often used to prevent unauthorized users on the web from accessing private networks. • The private networks are used and maintained by the companies to exchange business information. All the messages that enter or leave the private network go through the firewall. Each message is examined by the firewall and the ones that do not fulfill the security criteria specified, are blocked.
- 15. Security of the Web servers It is possible to protect web servers from the risks that can affect information security through good security practices. Following are the practices that can be adopted to secure the web servers: Remove all unnecessary services from your web server because an unnecessary service can become a possibility of unauthorized access. Remote server administration should be avoided until and unless it is done using a secured connection or password.
- 16. Cont… The number of individuals who access the web server should be limited. All the server updates should be done through intranet. We should have intrusion detection software (IDS) installed on web servers which inspects all the network activities and identifies the suspicious activities that may indicate an unauthorized access to the web server.