Advanced Web Topics:

observancecookieΑσφάλεια

5 Νοε 2013 (πριν από 4 χρόνια και 8 μήνες)

94 εμφανίσεις

The Internet: Technology and Applications: Class #9

1

Advanced Web Topics:

Dynamic Web Technologies & Security


635.413.31


Summer 2007

The Internet: Technology and Applications: Class #9

2


The need for dynamic content


The basic model of the web, with static delivery of content, hampers the
deployment of advanced applications


Instead of rewriting HTML and HTTP, dynamic web content has been
added through the use of ‘helper’ programs and protocols


While XML promises to address the problem, the Web will be based
primarily on HTML, HTTP & ‘helper’ programs for a long time to come


Examples of solutions requiring dynamic web technologies

--

Online banking

--

Stock Trading

--

Online auctions

--

Almost any variety of E
-
Commerce


Disadvantages of dynamic content (compared to basic static content)


Programming expertise required


Increased computing requirements


More difficult to test and debug


Security issues



Introduction to Dynamic Web Technologies

The Internet: Technology and Applications: Class #9

3

Server
-
side Technologies

There are two major means of providing dynamic web content:

Client
-
side technologies and Server
-
side technologies


Introduction to Server
-
side Technologies


All dynamic processing done on or ‘behind’ the web server


A new HTML document is created for each request; depending on a
number of parameters associated with the request (and their
corresponding values) the document created could be different


The client (browser) knows nothing of the dynamic content; all it
deals with are static HTML pages


Advantages



Gives the Web the ability to report current information


Easier control of content by the creator


Imposes no special requirements on the client (browser) or the
hardware and software it runs on

The Internet: Technology and Applications: Class #9

4

Server
-
side Technologies


Introduction to server
-
side technologies (continued)


Disadvantages


Increased cost (compared to static content)


Increased network traffic


Increased server load and processing requirements


Inability to easily update real
-
time or NRT information


Examples of server
-
side technologies


The common gateway interface (CGI)


Active server pages (ASP) & now ASP.NET


PHP

The Internet: Technology and Applications: Class #9

5

Client
-
Side Technologies


Introduction


Information and some flavor of executable code is downloaded from
the server to the client (browser) to run


All processing of information is done by the client (browser)


The document is never fully specified by the server; Content display
depends on processing done by the client


Advantages


Ability to update information in near real
-
time or better


Allows much more sophisticated functionality (animation, etc.)
that is difficult or impossible with other approaches


Much more flexible than static or server
-
side dynamic
technologies

The Internet: Technology and Applications: Class #9

6

Client
-
Side Technologies


Introduction (continued)


Disadvantages


Imposes special hardware, software, and browser requirements because
of all the local processing necessary to display the information


Creates many security concerns associated with the downloading of
executable code


Many dynamic client
-
side technologies allow the downloaded code to
communicate across the network to send or gather information


Many times the downloaded code can create, modify, and delete files
on the client system


More difficult to create (program), test, and debug client
-
side dynamic
code because of variations in client hardware and software


Examples of Client
-
Side Technologies


Java


Javascript


ActiveX

The Internet: Technology and Applications: Class #9

7

The Common Gateway Interface

Two Server
-
side Dynamic Web Technologies in depth:

CGI & ASP


Introduction to the Common Gateway Interface (CGI)


A standard developed by the folks at NCSA to allow external information
sources to be dynamically accessed and displayed via a web browser


The current specification is CGI version 1.1
--

version 1.2 is currently in
development (as well as other ‘enhanced’ variants)


CGI allows external applications to be called by a web server and have the
output from the application directed back to the server


Web Server
Process
(httpd)
CGI Program
(C, Perl, etc.)
Database
or
Data
Source
(optional)
Server System
CGI
Client Browser
Client System
HTTP
The Internet: Technology and Applications: Class #9

8

The Common Gateway Interface


CGI Implementation


CGI programs reside in a special directory (typically cgi
-
bin)


this is
where the web server process looks for the CGI program when it
encounters a URL containing a CGI script


CGI scripts can be written in a variety of languages including:


Perl


TCL/TK


C/C++


Visual Basic


AppleScript


FORTRAN


Any Unix shell scripting language


With many web servers CGI support is built in and automatically
activated; with others the web server has to be explicitly configured to
support CGI programs

The Internet: Technology and Applications: Class #9

9

The Common Gateway Interface


Input to a CGI program


Input to a CGI program can come from both the web browser and the
web server passing the call to the CGI program


Client Input


Very important for many dynamic web based applications


Input is typically through the use of HTML Forms


Input can be sent back from the client (browser) in two ways


Method 1:

Using the HTTP GET command


Client information is embedded directly in the URL sent to
the server


Client information is found in the <query> part of the
URI/URL; separated from the rest of the URI/URL by a
question mark


Example URL with user information:
http://www.xyz.org/cgi
-
bin/test?choice1=yes&choice2=34

The Internet: Technology and Applications: Class #9

10

The Common Gateway Interface

Form example


<FORM ACTION=”http://www.xyz.org/cgi
-
bin/namepost”
METHOD=GET>


Name <INPUT NAME=”customer” SIZE=30><P>


Street Address <INPUT NAME=”Address” SIZE=40><P>


City <INPUT NAME=”City” SIZE=20><P>


State<INPUT NAME=”State” SIZE=2><P>


Zip Code <INPUT NAME=”Zip” SIZE=5><P>


<INPUT TYPE=SUBMIT VALUE=”Submit Info”><P>

</FORM>


What URL would be created from this:


http://www.xyz.org/cgi
-
bin/namepost?customer=John+Smith&Address=9600

+Doe+Way&City=Columbia&State=MD&Zip=21046

The Internet: Technology and Applications: Class #9

11

The Common Gateway Interface


Method 2:

Using the HTTP POST command


Client information is sent back in the body of the HTML page generated by the
POST command


Syntax of the client information is the same as the query part of the URL in the
GET command


Client information sent back to the server in either way is handed to
the CGI program using the QUERY_STRING environment variable


Web Server Input


Besides the information from the client there are several other environment
variables set by the web server that can be used by the CGI program


Like the client information the web server information can be used to influence
execution of the CGI program and/or output of results


Example Web Server environment variables:

REMOTE_ADDR


IP address of the client (browser)

REQUEST_METHOD


How the CGI program was called (usually equals GET)

HTTP_USER_AGENT


specific client info (e.g
--

Mozilla/4.61 [en] Win NT)

The Internet: Technology and Applications: Class #9

12

The Common Gateway Interface


State information


To create a better user experience there are times when it is
advantageous for state information to be collected about clients and
connections


Since web servers do not typically store state information it falls to the
CGI program to maintain state information


Two ways a CGI program can maintain state information:
long
-
term

and
short
-
term


Long
-
Term state information


Information is stored on the server by the CGI program in a
variable or file created by the program


Variables persist as long as the CGI program is running; files
can persist across restarts of the web server


The Internet: Technology and Applications: Class #9

13

The Common Gateway Interface


State information (continued)


Short
-
Term state information


For information that does not need to be stored longer than
the browser is running


State information is embedded in the URL passed back
and forth between the client (browser) and the CGI
program


Note that the CGI program doesn’t really know whether
the state information is correct or not; it is merely
manipulating the state information sent to it by the client

The Internet: Technology and Applications: Class #9

14

The Common Gateway Interface

Example CGI script

(Outputs the current CGI environment variables)


#!/bin/sh

# An example script that echoes environment variables back to the client for display

#

echo Content
-
type: text/plain

echo CGI/1.0 test script report:

echo argc is $#. argv is "$*".

echo SERVER_SOFTWARE = $SERVER_SOFTWARE

echo SERVER_NAME = $SERVER_NAME

echo SERVER_PROTOCOL = $SERVER_PROTOCOL

echo SERVER_PORT = $SERVER_PORT

echo REQUEST_METHOD = $REQUEST_METHOD

echo PATH_INFO = $PATH_INFO

echo PATH_TRANSLATED = $PATH_TRANSLATED

echo SCRIPT_NAME = $SCRIPT_NAME

echo QUERY_STRING = $QUERY_STRING

echo REMOTE_HOST = $REMOTE_HOST

echo REMOTE_ADDR = $REMOTE_ADDR

echo REMOTE_USER = $REMOTE_USER

echo CONTENT_TYPE = $CONTENT_TYPE

echo CONTENT_LENGTH = $CONTENT_LENGTH

The Internet: Technology and Applications: Class #9

15

Active Server Pages (ASP)


Introduction


Developed by Microsoft to provide better functionality and resource
utilization than CGI


CGI programs typically load a new process for each request; this is
very resource intensive


ASP uses a memory resident DLL for all requests for efficiency


Proprietary to Microsoft
; ASP found only on servers running MS
Internet Information Server (IIS)


ASP is actually a special part of a Microsoft API ‘toolkit’ called
ISAPI (Internet Services API)

The Internet: Technology and Applications: Class #9

16

Active Server Pages (ASP)


ASP Operational Overview


Client (browser) calls ASP web page (denoted by a page request using
a URL ending in .asp)


IIS sees GET command contains a URL ending in .asp and redirects it
to ASP.DLL


ASP.DLL parses command and calls the appropriate DLLs necessary
to handle the request


Output (if any) is passed back to ASP.DLL


ASP.DLL passes output to IIS


IIS sends generated page back to client (browser)

Web
Server
Process
(IIS)
Database
or
Data
Source
(optional)
Server System
ASP.DLL
Application
specific
DLL
Client
Browser
Client System
HTTP
The Internet: Technology and Applications: Class #9

17

Active Server Pages (ASP)


ASP Object Model



ASP has an object oriented structure with typical properties such as
encapsulation and inheritance


Six fundamental objects are defined:


Application:

contains methods (events) and data related to the
initialization and termination of your application


ObjectContext:

used exclusively for support of MS Transaction Server


Request:

The primary input object


Receives data input from client or IIS used to run the ASP program


Analogous to the CGI environment variables


Response:

The primary output object


Used to send data back to the client


Contains variables and methods for other functions such as cache
control and cookies


Server:

contains methods and variables used for communication with IIS


Session:

contains methods and data specific to the current session

The Internet: Technology and Applications: Class #9

18

Active Server Pages (ASP)


An example ASP program (time.asp)


<HTML><HEAD><TITLE> ASP Example </TITLE></HEAD>

<BODY>

<%

‘ This is a comment within the ‘asp’ code

‘ The <% %> tags delimit the ‘asp’ code

strGreetingMsg = “Hello. It is now ”& Time() & _ “on the server.”

Response.Write strGreetingMsg

%>

</BODY></HTML>


Generated Output (as a web page):


Hello. It is now 12:47:01 on the server.

The Internet: Technology and Applications: Class #9

19

Java


Java is an example of a
client
-
side

dynamic web technology


Introduction


Java is a specific programming environment developed by Sun
Microsystems to allow the design of client
-
side dynamic web pages


The Java programming environment was designed to make Java
operation independent of the underlying software and hardware


In the past several years Java has become one of the most important
dynamic web technologies: almost all web browsers released in the
past four years support Java


Microsoft has developed its own ‘version’ of Java usually called
J++; there are still some compatibility issues and legal arguments
over Java’s future


In a sense Java has been developed from C++ however it has been
streamlined to eliminate most of the least used & easily
misunderstood features

The Internet: Technology and Applications: Class #9

20

Java


The Java Programming Environment has three major components:


1.
The Java Run
-
Time Environment

2.
The Java Language

3.
The Java Class Library


Java defines a Run
-
Time Environment or virtual machine in which
Java Programs actually execute on the client (browser)


Java programs are converted from source code to machine executable
code in a two step process


Step one involves the developer compiling the source code into an
intermediate, system
-
independent format called Java
Bytecode


In step two the bytecode is downloaded to a client browser & the Java
Runtime Environment interprets it into local system executable code


This two
-
step process makes Java a ‘write
-
once, run
-
anywhere’ language


Ensures any system can run the Java applet & reduces development cost


It also helps ensure the graphics output will be the same on all systems


The Internet: Technology and Applications: Class #9

21

Java


Important functionality of the Java Run
-
Time Environment



Multi
-
threaded execution
: handles Java thread scheduling and context
switching


Automatic Garbage Collection:

minimizes memory leaks and
simplifies programming tasks


Internet Access:

includes a socket library for transport layer TCP or
UDP access


Extensive Graphics Support:

includes an extensive set tools for both
low
-
level and high
-
level control of the client graphics subsystem


The Java graphics toolkit is called the Abstract Window Toolkit (AWT)


The high level functionality allows a developer to work with an already
defined generic rectangular window complete with title, borders, and
scroll bars


The low level functionality gives a developer complete control over the
size, shape, color, and other features of the window (at the expense of a
lot more work)

The Internet: Technology and Applications: Class #9

22

Java


Java Language Characteristics


High Level:

provides a high level of abstraction and hides details of the
underlying hardware if the programmer does not wish to deal with them


General Purpose:

can be used for more than writing web
-
based applets


Object Oriented:

conforms to the common definitions of an object
oriented programming language


Dynamic:

Object instances are created dynamically at run
-
time


Strongly Typed:

operations (methods) defined for a certain data type
can only be used on that data type


Statically Type Checked:

type checking done when the source code is
compiled into bytecode


Concurrent Execution:

allows multiple threads to execute
simultaneously

The Internet: Technology and Applications: Class #9

23

Java


The Java Class Library


The Java Class Library contains an extensive variety of classes for all
aspects of system operation.


Examples of Kinds of Classes defined in the Library:


Graphics Support


Network Input/Output


Web Server Communication


Java Run
-
Time Environment System Access


File Input/Output


Common Data Structures


Event Capture


Exception Handling


The Internet: Technology and Applications: Class #9

24

Java


Compiling the Applet


The compiler for Java is usually called javac


Javac takes the source code file (which has to be named *.java), verifies
the proper syntax of the source code, translates it into bytecode, and
places the output in a file named *.class


The source file must contain at least one public class and this one class
has to have the same name as the file that contains it.


The link between Java and HTML


Applets can be run directly by plugging its URL into the web browser
but typically the link to an applet is embedded into an HTML document

The Internet: Technology and Applications: Class #9

25

Java


The APPLET tag


The APPLET tag is used to embed a link to the Java applet into a
HTML document


Two attributes are required in the APPLET tag to run the Java applet


The CODEBASE attribute specifies the system and path to the
Java applet


The CODE attribute specifies the name of the Java applet


Example: <APPLET CODEBASE=”www.xyz.com/test/”
CODE=”example.class”>


The closing </APPLET> is required even though in most cases it
does not seem to be necessary

The Internet: Technology and Applications: Class #9

26

Java


An example Applet

(A colorbox on the screen)

Import java.awt.*

Import java.applet.Applet

/* Example displays a filled colored box in the browser window */

public class FilledBox extends Applet {

Color boxColor;

// called only once when applet is initialized

public void init() {

String s;

s = getParameter(“color”);

// the default color is gray

boxColor = Color.gray

if ( s != null) {

if (s.equals(“white”)) boxColor = Color.white

if (s.equals(“blue”)) boxColor = Color.blue

if (s.equals(“red”)) boxColor = Color.red

}}

// this is called whenever the browser needs to redraw the applet

public void paint(Graphics g) {

g.setColor(boxColor);

g.fillRect(0,0,size().width, size().height);

}}


The Internet: Technology and Applications: Class #9

27

Java


An example Applet (Continued)


Example call from HTML page:



<APPLET CODEBASE=”/users/smiley” CODE=”FilledBox.class”
WIDTH=200 HEIGHT=60>

<PARAM NAME=color VALUE=”blue”>

</APPLET>

The Internet: Technology and Applications: Class #9

28

Javascript


Javascript: another client
-
side dynamic web technology


Introduction


Javascript was designed to provide a quick and easy way to gain the
leverage the benefits of Java for small, simple applications


Javascript is embedded right in the HTML source code for easy
integration with web pages


Javascript is supported on Netscape Navigator 4.x and IE 4.x and later
versions; there are minor compatibility issues between Netscape and
MS implementations


ECMA has standardized Javascript but their published standard is
slightly different than both the Netscape and Microsoft
implementations (ECMA = European Computer Manufacturers
Association)

The Internet: Technology and Applications: Class #9

29

Javascript


Javascript Advantages


Small and simple to use


Quick to learn


Can be developed using HTML tools; no separate compiler and
development environment necessary


Javascript Disadvantages


Speed: Javascript source code can take longer to download than
Java bytecode


Scalability: compared to Java, Javascript is very limited in its
functionality


Not compatible with earlier versions of browsers that do not have
Javascript functionality


Harder to guarantee interoperability with clients

The Internet: Technology and Applications: Class #9

30

Javascript


Javascript functionality & syntax is similar to Java but much more limited
in scope


With respect to Java, Javascript is restricted from the following:


Access only to information from (or on) its uploaded HTML page


No access to client browser history file


No file uploads, use of e
-
mail, or posting of news articles


Can only close windows it has created


Cannot read or set client browser preferences


Javascript does not use bytecode; source code is downloaded directly (in
the web page) and interpreted in the client browser


Javascript is usually embedded into the HTML page using the <SCRIPT>
and </SCRIPT> tags


It can also be used in an event handler routine (example: <INPUT
TYPE=Button VALUE=”Press Me” onClick=”alert(‘helloWorld’);”>


It can also be used in a URL


the Javascript is executed and the value is
inserted in the URL (
example:

validating input before it is sent back to the
server as CGI data input)


The Internet: Technology and Applications: Class #9

31

Javascript


Javascript Example


Plenty of others on Internet (e.g.


stock calculator); look at
http://javascript.internet.com



What goes into the header of the HTML Page:


<HEAD>


<SCRIPT LANGUAGE="JavaScript">

<!

Example JavaScript: This causes a description to show up when you
mouseover a hyperlinked image
--
>

<!
--

Begin

function showMsg(text) {

document.picform.message.value = text;

}

// End
--
>

</script>


</HEAD>



The Internet: Technology and Applications: Class #9

32

Javascript



(Example Continued) What is in the body of the HTML Page


<BODY><CENTER>

<ul><li>

<a href="HTTP://WWW.SITE1.COM" onmouseover="showMsg('this is information about pic 1....');"

onmouseout="showMsg('');">

<img name="button1" src="HTTP://WWW.YOUR
-
SITE.COM/IMG/PIC1.JPG"></a>

</li><li>

<a href="HTTP://WWW.SITE2.COM" onmouseover="showMsg('this is information about pic 2....');"

onmouseout="showMsg('');">

<img name="button2" src="HTTP://WWW.YOUR
-
SITE.COM/IMG/PIC2.JPG"></a>

</li><li>

<a href="HTTP://WWW.SITE3.COM" onmouseover="showMsg('this is information about pic 3....');"

onmouseout="showMsg('');">

<img name="button3" src="HTTP://WWW.YOUR
-
SITE.COM/IMG/PIC3.JPG"></a>

</li>

<form name="picform">

<textarea name=message rows=2 cols=40 wrap=virtual>choose an image for a description!</textarea><br>

<input type=hidden name=go value="">

</form>

</CENTER></BODY>

The Internet: Technology and Applications: Class #9

33

Web Services



The Web as a Content Delivery Vehicle


In recent years the WWW has moved from an end
-
user oriented
data delivery system to a complete
service
-
oriented architecture



Enables new B2B (Business
-
to
-
Business) capabilities &
potentially other far
-
reaching applications


Four core components to Web Services


XML


SOAP (Simple Object Access Protocol)


WSDL (Web Services Description Language)


UDDI (Universal Description, Discovery, & Integration)
protocol


There are plenty of other standards developed by the W3C and
OASIS for Web Services


The Internet: Technology and Applications: Class #9

34

Web Services



The Simple Object Access Protocol (SOAP)


Used to exchange structured & typed messages between peers


Standards defined by the W3C; current version is 1.2


SOAP components/messages written in XML


Basic Communications Attributes


Usually carried in HTTP, but other transport mechanisms can be specified
(e.g.


SMTP)


Provides a stateless one
-
way message passing protocol


More complex functions can be assembled from the basic operation


Provisions for basic error handling, but the specifics must be specified to
match underlying transport protocol


SOAP Message Structure


Envelope


encloses entire SOAP message


Header


optional component inside envelope


Body


mandatory component inside envelope


The Internet: Technology and Applications: Class #9

35

Web Services



Example Simple Object Access Protocol (SOAP) Message

<?xml version='1.0' ?>

<env:Envelope xmlns:env="http://www.w3.org/2003/05/soap
-
envelope">


<env:Header>


<m:reservation


xmlns:m="http://travelcompany.example.org/reservation"


env:role="http://www.w3.org/2003/05/soap
-
envelope/role/next"


env:mustUnderstand="true">


<m:reference>uuid:093a2da1
-
q345
-
739r
-
ba5d
-
pqff98fe8j7d</m:reference>


<m:dateAndTime>2001
-
11
-
29T13:36:50.000
-
05:00</m:dateAndTime>


</m:reservation>


<n:passenger xmlns:n="http://mycompany.example.com/employees"


env:role="http://www.w3.org/2003/05/soap
-
envelope/role/next"


env:mustUnderstand="true">


<n:name>Åke Jógvan Øyvind</n:name>


</n:passenger>


</env:Header>


<env:Body>


<p:itinerary


xmlns:p="http://travelcompany.example.org/reservation/travel">


<p:departure>


<p:departing>LGA</p:departing>


</p:departure>


<p:return>


<p:arriving>EWR</p:arriving>


</p:return>


</p:itinerary>


</env:Body>

</env:Envelope>

The Internet: Technology and Applications: Class #9

36

Web Services



The Web Services Description Language (WSDL)


Used as a structured, standardized means of describing a web service


Standards defined by the W3C


current version is 2.0


WSDL documents written in XML


Basic parts of a WSDL defined Web Service
:


Interface(s)


Operations, Messages, & Message Exchange Protocol (MEP)


Elements of service


Binding of Service (i.e.


turns abstract operations/messages &
interface(s) into implementable specifics


msgs. use SOAP 1.2 and
HTTP 1.1)


Service Definition (specifically where the service can be accessed)

The Internet: Technology and Applications: Class #9

37

Web Services



Example WSDL Specification (Service Portion)

<?xml version="1.0" encoding="utf
-
8" ?>

<description


xmlns="http://www.w3.org/ns/wsdl"


targetNamespace= "http://greath.example.com/2004/wsdl/resSvc"


xmlns:tns= "http://greath.example.com/2004/wsdl/resSvc"


xmlns:ghns = "http://greath.example.com/2004/schemas/resSvc"


. . .


xmlns:wsdlx="http://www.w3.org/ns/wsdl
-
extensions"> . . .


<types>


...


</types>


<interface name = "reservationInterface" >


<fault name = "invalidDataFault"


element = "ghns:invalidDataError"/>


<operation name="opCheckAvailability"


pattern="http://www.w3.org/ns/wsdl/in
-
out"


style="http://www.w3.org/ns/wsdl/style/iri"


wsdlx:safe = "true">


<input messageLabel="In"


element="ghns:checkAvailability" />


<output messageLabel="Out"


element="ghns:checkAvailabilityResponse" />


<outfault ref="tns:invalidDataFault" messageLabel="Out"/>


</operation>


</interface>


. . .

</description>

The Internet: Technology and Applications: Class #9

38

Web Services


The Universal Discovery, Description & Integration (UDDI) protocol


Designed to provide an open, ‘vendor
-
neutral’ framework for advertising
and finding web services


Supports different service description types, though WSDL is the
‘recommended’ method of description


UDDI messages (commands/responses) sent in SOAP, usually over HTTP


Messages must be encoded in the registry’s schema style


UDDI registries designed to provide three basic services:


“White” Pages


businesses by name


“Yellow” Pages


businesses by category


“Green” Pages


registration/searching of businesses & services


Primary UDDI Data Structures


BusinessEntity



information on a business


BusinessService



info on a service provided by a business


bindingTemplate



tech info needed to access a specific service


tModel_Structure



provides extra info allowing better discovery of services


Publisher



allows modeling of more complex businesses (e.g.


large
company with semi
-
independent subsidiaries)

The Internet: Technology and Applications: Class #9

39

Web Services


How it all fits together for B2B Web Service

WSDL
Service
Specification
Service
Producer
Service
Consumer
UDDI
Registry
4
3
2
1
SOAP Messages
The Internet: Technology and Applications: Class #9

40

The World Wide Web and Security

Introduction


There is a need for security on the World Wide Web because there’s no
security mechanisms built into the basic web protocols


No authentication


No data integrity (from an application standpoint)


No privacy


This clearly limits the usefulness of the WWW for many future applications



To deploy these applications a secure web
-
based infrastructure must be
developed that provides the four fundamental security services:


authentication


non
-
repudiation


data integrity


privacy


So far two different protocols have been deployed: The
Secure Sockets
Layer (SSL)

and
Secure HTTP (S
-
HTTP)



The Internet: Technology and Applications: Class #9

41

The Secure Sockets Layer (SSL)

Introduction


SSL provides a secure communications channel with the ability to
implement the four fundamental security services


SSL was originally developed by Netscape to provide secure
communications between their web servers and browsers


SSL sits between the application and the transport layers; it is not limited
to use with HTTP but can and will be used for other applications
requiring security (such as Secure Telnet & general VPN service)


Netscape openly published the SSL specification and it has been
universally adopted by other web server and browser developers


Latest version is 3.0


the IETF has developed a successor to SSL called
Transaction Layer Security (TLS v1.1 is defined in RFC 4346 and is
based on SSLv3)


SSL must run over a reliable transport layer protocol


in the TCP/IP
world it must use TCP (typically on port 443)

The Internet: Technology and Applications: Class #9

42

SSL Implementation

SSL Implementation Details


SSL sessions are usually initiated by accessing a URL that contains


‘https://’ as its protocol part


SSL actually provides symmetric security services; two
-
way
authentication and non
-
repudiation can be used if it is really necessary to
verify the server


SSL can use a variety of digital certificates (X.509 or Fortezza) as well as
a variety of private and public key encryption algorithms (RSA, DES,
etc.)


SSL consists of two ‘layers’ (or more appropriately sub
-
layers):


the Message ‘Layer’


the Record ‘Layer’

The Internet: Technology and Applications: Class #9

43

SSL Implementation

The Message Layer


The upper SSL layer that interfaces to the application layer


Responsible for exchanging information with the application layer


SSL Message Layer entities exchange four different types of messages:
User Data (from the application layer), Alerts, ChangeCipherSpecs, and
Handshake Messages


User Data Messages are the same size as the application reads and
writes


Alert Message carry error information and responses (handshake failure,
bad certificate, etc.)


ChangeCipherSpec Messages allow the applications to change security
parameters (encryption key length, algorithm, etc.)


Handshake Messages are used to initiate an SSL session

The Internet: Technology and Applications: Class #9

44

SSL Implementation

The Record Layer


The lower SSL layer that interfaces to the reliable transport layer


Transfers blocks of streamed data (called ‘records’) containing up to 16,383
bytes of payload (from the Message layer)


Multiple SSL messages could be combined into a single record or a large
SSL message could be broken into multiple messages (hence the transfer of
‘streamed’ data)


A record also contains a header specifying the content type, SSL protocol
version, record length, and a Message Authentication Code (MAC)


The use of a unique sequence number and the MAC at the record layer
provides data integrity

The Internet: Technology and Applications: Class #9

45

SSL Implementation

SSL in action: initiation of a secure web session


The SSL Handshake consists of a 12 message sequence


some are optional and are
only used when required by the parameters agreed upon for the session.


Client

opens connection & sends SSL
ClientHello

Message


Server

sends SSL S
erverHello

Message


Server
sends SSL
Digital Certificate

{Optional


for 2
-
way authentication}


Server

sends SSL
ServerKeyExchange

{Optional


for sending additional encryption
& authentication parameters}


Server

sends SSL
CertificateRequest

{Optional


for authenticating the client}


Client

sends SSL
Digital Certificate

{Optional


in request to previous message}


Client

sends SSL
ClientKeyExchange
{Contains agreed
-
upon session parameters}


Client

sends SSL
ClientVerify

{contains hash values for all previous handshake
messages; if they don’t match the values calculated by the server session is aborted}


Client

AND
Server

both send
ChangeCipherSpec

Messages {sends encryption keys to
use for the remainder of the session}


Client

AND
Server

both send
Finished

Messages


Once the handshake is complete secure application layer data can be transferred

The Internet: Technology and Applications: Class #9

46

Secure HTTP (S
-
HTTP)

Introduction


Another approach to security web/http exchanges


Instead of providing a generic security layer between transport and
application layer entities S
-
HTTP provides a secure transport layer
specifically for HTTP transfers.


Like SSL, S
-
HTTP provides the four fundamental security services for
web transactions: authentication, non
-
repudiation, data integrity, and
privacy


S
-
HTTP can work with a variety of digital certificate types, encryption
algorithms, and authentication methods


S
-
HTTP is an IETF experimental standard published in RFC 2660


In my experience, S
-
HTTP implementation has been much more limited
than SSL and at this point is rarely found in use (though it does provide a
good study of another way to secure web content)

The Internet: Technology and Applications: Class #9

47

S
-
HTTP Implementation


S
-
HTTP augments the normal HTTP procedures, using additional MIME
-
like security headers to send and negotiate security information


The “secure” HTTP requests and replies are actually encapsulated inside S
-
HTTP requests and replies

S
-
HTTP Message

Secure * Secure
-
HTTP/1.4

Content
-
Type: message/http

Prearranged key
-
info: des
-
cbc,abc12, inband:1

Content
-
Privacy
-
Domain: CMS

HTTP Message

HTTP / 1.0 200 OK

Header: text/html


HTML Header & Body

The Internet: Technology and Applications: Class #9

48

S
-
HTTP in action: an example session


Client
-
> Server:

Requests normal HTTP page with an S
-
HTTP link in an
anchor tag on the page (such as <A HREF=shttp://www.secret.com> this is secret
</A>)



Server
-
> Client:

Sends web page with the S
-
HTTP link embedded on the page
along with security information (in the page header) for accessing the link (public
key, encryption method, etc.)


Client
-
> Server:

If the user clicks on the S
-
HTTP link, the following happens:


A HTTP Request is generated for the page


Using the security parameters sent by the server the HTTP Request is
encapsulated in a S
-
HTTP envelope


S
-
HTTP message sent to the client; the payload may be encrypted if that service
was specified in the security parameters


Server reconstructs HTTP using the instructions received in the S
-
HTTP envelope


Server
-
> Client:

Using the received client request, server retrieves page to send


Web page and HTTP header fields are encapsulated in a S
-
HTTP envelope


S
-
HTTP message sent to the client; the payload may be encrypted if that service
was specified in the service parameters

The Internet: Technology and Applications: Class #9

49

Reading & Homework


Reading


Only Section 31.12 (SSL/TLS); reference RFCs for any details
needed


Homework #5 (due Thursday 7/15)


Chapter 27: 27.7 and 27.11


Chapter 29: 29.1*, 29.3, and 29.9


(25%) Research TLS and explain what enhancements TLS has over SSL.
Use a packet sniffer (e.g. Ethereal) to examine a secured (e.g.


https://)
connection to a web server. Analyze & report on the details of it.


(25%) Research Web Services and write a short (1 page) synopsis on what
standards have or are being developed for securing such services. Make sure
to provide at least a basic technical description of the service(s) discussed &
cite your references.


(25%) Find an example of proprietary SNMP MIB that has been defined;
explain what vendor’s make & model equipment the MIB is for, what
functionality it provides, and try to explain why the vendor went to the effort
to define a special MIB.



Problems worth 25% of HW grade