CompTIA Security_ Deluxe Study Guide_ SY0-201 - Emmett Dulaney [188]
Regardless of which vendor’s implementation is being discussed, the steps can be summarized as illustrated in Figure 7.18. When a connection request is made to the server, the client opens the exchange with a message (the ClientHello) listing the protocol versions and cipher suites it can support. The server chooses from that list and sends back its certificate, which carries the server’s public key. The client validates the certificate, generates a random secret, encrypts that secret with the server’s public key and sends it to the server; both sides then derive the same session key from the secret. The session is secure at the end of this process, and everything that follows is protected with the agreed symmetric cipher.
FIGURE 7.18 The SSL connection process
This session will stay open until one end or the other issues a command to close it. The command is typically issued when a browser is closed or another URL is requested.
As a security administrator, you will occasionally need to know how to configure SSL settings for a website running on your operating system. You should also know that in order for SSL to work properly, the clients must be able to accept the level of encryption that you apply: the server and the client negotiate a cipher suite that both support, and if there is no overlap the handshake fails. Internet Explorer 5.5 and later, as well as Netscape 4.72 and later, can work with 128-bit encrypted sessions/certificates. Earlier browsers were limited to 40- or 56-bit “export-grade” SSL encryption, which can be broken by brute force and should not be enabled on a server today. As an administrator, you should push for the latest browsers on all clients and disable the weak cipher suites on the server rather than accommodating old clients.
VeriSign used a clever advertising strategy that makes this point readily comprehensible: It mailed flyers in a clear bag with the lines, “Sending sensitive information over the Web without the strongest encryption is like sending a letter in a clear envelope. Anyone can see it.” This effectively illustrates the need for the strongest SSL possible.
Transport Layer Security (TLS) is a security protocol that expands upon SSL and has replaced it: the IETF has formally deprecated SSL 2.0 and SSL 3.0, and current systems should negotiate TLS only. Figure 7.19 illustrates the connection process in the TLS network.
FIGURE 7.19 The TLS connection process
TLS 1.0 is also referred to as SSL 3.1 because its version field carries the value 3.1 (SSL 3.0 carries 3.0), but despite its name it doesn’t interoperate with SSL: a TLS 1.0 endpoint and an SSL 3.0 endpoint can talk only if one of them is willing to fall back to the other’s version. The TLS standard is maintained by the IETF (TLS 1.0 is RFC 2246; the current version, TLS 1.3, is RFC 8446).
Think of TLS as the updated version of SSL: it is based on SSL and has superseded it.
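The negotiation that opens an SSL/TLS session, as an added example that is not part of the study guide: the client advertises the protocol version and cipher suites it supports in its ClientHello, and the server picks from that list according to its own policy, or refuses. The ClientHello bytes are assembled by the script rather than captured from a real client; the version numbers (SSL 3.0 = 3.0, TLS 1.0 = 3.1, TLS 1.2 = 3.3) and the cipher-suite code points are the real IANA-registered values, and the policy thresholds and server preference order are assumptions chosen for the illustration.

```python
"""Constructed example of the version and cipher-suite negotiation that opens
an SSL/TLS session: the client advertises what it supports in a ClientHello,
and the server chooses (or refuses) based on its own policy.

Added illustration, not code from the study guide. The ClientHello bytes are
assembled by build_client_hello() rather than captured from a real client;
cipher-suite code points are the IANA-registered values."""
import os
import struct

# Wire versions: SSL 3.0 is 3.0, TLS 1.0 is 3.1 (hence "SSL 3.1"), TLS 1.2 is 3.3.
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

# IANA cipher-suite IDs -> (name, symmetric key length in bits).
CIPHER_SUITES = {
    0x0003: ("TLS_RSA_EXPORT_WITH_RC4_40_MD5", 40),          # 40-bit "export" grade
    0x0009: ("TLS_RSA_WITH_DES_CBC_SHA", 56),                # 56-bit single DES
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", 128),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", 256),
    0xC02F: ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 128),
    0xC030: ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 256),
}


def build_client_hello(version, suites, client_random=None):
    """Assemble a minimal ClientHello inside a TLS record (no extensions)."""
    client_random = client_random or os.urandom(32)
    body = struct.pack("!BB", *version) + client_random
    body += b"\x00"                                    # session ID length 0 (new session)
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = ClientHello
    return b"\x16" + struct.pack("!BB", *version) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(data):
    """Parse the record and handshake headers and return what the client offered."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    record_version = (data[1], data[2])
    record_len = struct.unpack("!H", data[3:5])[0]
    handshake = data[5:5 + record_len]
    if len(handshake) != record_len or handshake[0] != 0x01:
        raise ValueError("truncated record or not a ClientHello")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 2
    client_random = body[pos:pos + 32]
    pos += 32
    pos += 1 + body[pos]                               # skip the session ID
    suites_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if suites_len % 2 or pos + suites_len > len(body):
        raise ValueError("bad cipher suite list")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + suites_len, 2)]
    return {"record_version": record_version, "version": version,
            "random": client_random, "cipher_suites": suites}


def negotiate(hello, min_version=(3, 3), min_bits=128,
              server_preference=(0xC030, 0xC02F, 0x0035, 0x002F)):
    """Server-side policy (assumed values): refuse old protocol versions and weak
    suites, and pick the suite by the server's preference order, not the client's."""
    if hello["version"] < min_version:
        offered = VERSION_NAMES.get(hello["version"], str(hello["version"]))
        return (False, f"client offers {offered}, below policy minimum")
    for suite in server_preference:
        name, bits = CIPHER_SUITES[suite]
        if suite in hello["cipher_suites"] and bits >= min_bits:
            return (True, name)
    return (False, "no cipher suite offered meets the policy")


if __name__ == "__main__":
    for label, ver, suites in [("modern", (3, 3), [0xC02F, 0xC030, 0x002F]),
                               ("legacy", (3, 1), [0x002F]),
                               ("export-only", (3, 3), [0x0003, 0x0009])]:
        print(label, negotiate(parse_client_hello(build_client_hello(ver, suites))))
```

The "modern" client lists AES-128-GCM first, yet the server selects AES-256-GCM because the selection follows the server's preference list; the "legacy" client is refused on version alone, and the "export-only" client is refused because every suite it offers is below the 128-bit floor. That is the overlap requirement described above: with no acceptable intersection, the handshake does not complete.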
Certificate Management Protocols
Certificate Management Protocol (CMP) is a messaging protocol used between PKI entities, for example between an end entity and a certificate authority, to request, renew and revoke certificates. It is standardized by the IETF as RFC 4210. CMP isn’t widely used, but you may encounter it in some PKI environments.
XML Key Management Specification (XKMS) is designed to allow XML-based programs access to PKI services such as locating, validating and registering public keys. XKMS is being developed and enhanced as a cooperative standard of the World Wide Web Consortium (W3C). It shields the application from the underlying PKI protocol: the XKMS service talks to the PKI (which may itself use CMP) on the application’s behalf.
CMP usage is expected to grow along with PKI deployment, particularly for automated certificate enrollment and renewal.
Secure Multipurpose Internet Mail Extensions
Secure Multipurpose Internet Mail Extensions (S/MIME) is a standard used for signing and encrypting e-mail. It wraps the message in signature data and/or encrypted data using the PKCS #7 Cryptographic Message Syntax (CMS, now RFC 5652), and it is the most widely supported standard used to secure e-mail communications.
MIME is the de facto standard for formatting e-mail messages. S/MIME, which is a secure extension of MIME, was originally published to the Internet as a standard by RSA. It provides confidentiality (encryption), integrity and authentication (digital signatures) when used in conjunction with a PKI that issues certificates to users. S/MIME version 3 and later are IETF standards.
S/MIME version 3 is defined by RFC 2633 (later revisions are RFC 3851, RFC 5751 and RFC 8551). For the exam, know that it’s a secure version of MIME used for signing and encrypting e-mail. Know, as well, that it uses digital certificates for authentication and a combination of algorithms for confidentiality: the message body is encrypted with a symmetric algorithm, and that symmetric key is in turn protected with the recipient’s public (asymmetric) key, so only the holder of the matching private key can recover it.
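How the S/MIME protections show up in the MIME structure, as an added example that is not part of the study guide: a signed message is either clear-signed (a multipart/signed container whose first part is the readable text and whose second part is a detached PKCS #7 signature) or opaque-signed (the text is inside an application/pkcs7-mime object), and an encrypted message is an application/pkcs7-mime object with smime-type=enveloped-data. The script below classifies constructed sample messages by those headers and reports whether a mail gateway could still inspect the body. The three messages are made up for the illustration, and the base64 blobs in them are placeholders, not real signatures or ciphertext; the field names in the returned dictionary are the script’s own.

```python
"""Classify an e-mail as clear-signed, opaque-signed, enveloped (encrypted) or
plain by its S/MIME MIME structure, and report whether a gateway content
filter could still read the body.

Added illustration, not code from the study guide. The three messages below
are constructed samples; the base64 blobs stand in for PKCS #7/CMS objects
and are not valid signatures or ciphertext."""
from email import message_from_string

PKCS7_MIME = ("application/pkcs7-mime", "application/x-pkcs7-mime")
PKCS7_SIG = ("application/pkcs7-signature", "application/x-pkcs7-signature")

# Constructed sample: clear-signed, so the text part stays readable in transit.
CLEAR_SIGNED = """\
From: alice@example.com
To: bob@example.com
Subject: Clear-signed sample
MIME-Version: 1.0
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg=sha-256; boundary="sig"

--sig
Content-Type: text/plain; charset=us-ascii

Invoice attached.
--sig
Content-Type: application/pkcs7-signature; name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7s"

UExBQ0VIT0xERVI=
--sig--
"""

# Constructed sample: enveloped (encrypted) message; the body is opaque ciphertext.
ENVELOPED = """\
From: alice@example.com
To: bob@example.com
Subject: Enveloped sample
MIME-Version: 1.0
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="smime.p7m"

UExBQ0VIT0xERVI=
"""

# Constructed sample: opaque-signed message; the text is inside the CMS object.
OPAQUE_SIGNED = ENVELOPED.replace("Enveloped sample", "Opaque-signed sample") \
                         .replace("enveloped-data", "signed-data")

# Constructed sample: ordinary unprotected message.
PLAIN = """\
From: alice@example.com
To: bob@example.com
Subject: Plain sample
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

Nothing protected here.
"""


def _result(kind, signed, encrypted, inspectable, body=None):
    return {"kind": kind, "signed": signed, "encrypted": encrypted,
            "inspectable": inspectable, "body": body}


def describe_smime(raw):
    """Return kind/signed/encrypted/inspectable/body for one RFC 822 message."""
    msg = message_from_string(raw)
    ctype = msg.get_content_type()
    protocol = (msg.get_param("protocol") or "").lower()
    if ctype == "multipart/signed" and protocol in PKCS7_SIG:
        # Clear-signed: part 0 is the readable content, part 1 the detached signature.
        text = msg.get_payload(0).get_payload(decode=True).decode(errors="replace")
        return _result("clear-signed", True, False, True, text.strip())
    if ctype in PKCS7_MIME:
        smime_type = (msg.get_param("smime-type") or "").lower()
        if smime_type == "enveloped-data":
            # Only the holder of the recipient's private key can recover the
            # content-encryption key, so a gateway cannot scan this body.
            return _result("enveloped", False, True, False)
        if smime_type == "signed-data":
            # Readable only after unwrapping the CMS object with an S/MIME parser.
            return _result("opaque-signed", True, False, False)
        return _result(f"pkcs7-mime/{smime_type or 'unknown'}", False, False, False)
    if msg.is_multipart():
        return _result("plain-multipart", False, False, True)
    text = msg.get_payload(decode=True).decode(errors="replace")
    return _result("plain", False, False, True, text.strip())


if __name__ == "__main__":
    for raw in (CLEAR_SIGNED, ENVELOPED, OPAQUE_SIGNED, PLAIN):
        print(describe_smime(raw))
```

The practical point for an administrator is the "inspectable" flag: end-to-end encryption with S/MIME means content filtering and data-loss-prevention scanning on a gateway see only ciphertext, so those controls must run on the endpoint or the organization must hold the decryption keys.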
Secure Electronic Transaction
Secure Electronic Transaction (SET) provides encryption for credit card numbers that are transmitted over the Internet. It was developed by Visa and MasterCard, but it never achieved wide adoption; in practice, TLS-protected web checkout took its place.
SET is designed for short payment messages (card number, amount and order details), not for bulk data.
SET works in conjunction with an electronic wallet that must be set up in advance of the transaction. An electronic wallet is a device that identifies you electronically in the same way as the