Available:

Shelf Number | Material Type | Copy | Shelf Location |
---|---|---|---|
005.8 22 | 1:E-BOOK | 1 | 1:ONLINE |
Summary
This newly revised edition of the Artech House bestseller brings you the most up-to-date, comprehensive analysis of the current trends in WWW security available, with brand new chapters on authentication and authorization infrastructures, server-side security, and risk management. You also find coverage of entirely new topics such as Microsoft .NET Passport. From HTTP security, firewalls and proxy servers, cryptographic security protocols, and electronic payment systems to public key infrastructures, authentication and authorization infrastructures, and client-side security, the book offers an in-depth understanding of the key technologies and standards used to secure the World Wide Web, Web-based applications, and Web services.
Author Notes
Rolf Oppliger received his M.Sc. and Ph.D. in Computer Science from the University of Berne, Switzerland, and the Venia Legendi in Computer Science from the University of Zürich, Switzerland.
Oppliger is the founder and owner of eSECURITY Technologies Rolf Oppliger (www.esecurity.ch) and works for the Swiss Federal Strategy Unit for Information Technology (FSUIT). He is also the author of Security Technologies for the World Wide Web (Artech House, 1999), Internet and Intranet Security (Artech House, 1998), and Authentication Systems for Secure Networks (Artech House, 1996). Dr. Oppliger is the computer security series editor at Artech House.
Table of Contents

Section | Page |
---|---|
Preface | p. xv |
References | p. xx |
Acknowledgments | p. xxiii |
1 Introduction | p. 1 |
1.1 Internet | p. 1 |
1.2 WWW | p. 5 |
1.3 Vulnerabilities, threats, and countermeasures | p. 8 |
1.4 Generic security model | p. 10 |
1.4.1 Security policy | p. 12 |
1.4.2 Host security | p. 13 |
1.4.3 Network security | p. 13 |
1.4.4 Organizational security | p. 16 |
1.4.5 Legal security | p. 17 |
References | p. 17 |
2 HTTP Security | p. 21 |
2.1 HTTP | p. 21 |
2.2 User authentication, authorization, and access control | p. 26 |
2.3 Basic authentication | p. 29 |
2.4 Digest access authentication | p. 34 |
2.5 Certificate-based authentication | p. 41 |
2.6 Server configuration | p. 42 |
2.6.1 Configuring HTTP basic authentication | p. 42 |
2.6.2 Configuring HTTP digest access authentication | p. 45 |
2.7 Conclusions | p. 46 |
References | p. 48 |
3 Proxy Servers and Firewalls | p. 49 |
3.1 Introduction | p. 49 |
3.2 Static packet filtering | p. 54 |
3.3 Dynamic packet filtering or stateful inspection | p. 57 |
3.4 Circuit-level gateways | p. 58 |
3.5 Application-level gateways | p. 64 |
3.6 Firewall configurations | p. 68 |
3.6.1 Dual-homed firewall | p. 69 |
3.6.2 Screened host firewall | p. 71 |
3.6.3 Screened subnet firewall | p. 72 |
3.7 Network address translation | p. 74 |
3.8 Configuring the browser | p. 76 |
3.9 Conclusions | p. 80 |
References | p. 83 |
4 Cryptographic Techniques | p. 87 |
4.1 Introduction | p. 87 |
4.2 Cryptographic hash functions | p. 90 |
4.3 Secret key cryptography | p. 92 |
4.3.1 DES | p. 93 |
4.3.2 Triple-DES | p. 93 |
4.3.3 IDEA | p. 95 |
4.3.4 SAFER | p. 95 |
4.3.5 Blowfish | p. 95 |
4.3.6 CAST-128 | p. 95 |
4.3.7 RC2, RC4, RC5, and RC6 | p. 95 |
4.3.8 AES | p. 96 |
4.4 Public key cryptography | p. 96 |
4.4.1 RSA | p. 100 |
4.4.2 Diffie-Hellman | p. 101 |
4.4.3 ElGamal | p. 102 |
4.4.4 DSS | p. 102 |
4.4.5 ECC | p. 102 |
4.5 Digital envelopes | p. 103 |
4.6 Protection of cryptographic keys | p. 105 |
4.7 Generation of pseudorandom bit sequences | p. 107 |
4.8 Legal issues | p. 107 |
4.8.1 Patent claims | p. 108 |
4.8.2 Regulations | p. 109 |
4.8.3 Electronic and digital signature legislation | p. 110 |
4.9 Notation | p. 111 |
References | p. 113 |
5 Internet Security Protocols | p. 117 |
5.1 Introduction | p. 117 |
5.2 Network access layer security protocols | p. 118 |
5.2.1 Layer 2 Forwarding Protocol | p. 121 |
5.2.2 Point-to-Point Tunneling Protocol | p. 122 |
5.2.3 Layer 2 Tunneling Protocol | p. 124 |
5.2.4 Virtual private networking | p. 124 |
5.3 Internet layer security protocols | p. 125 |
5.3.1 IP security architecture | p. 128 |
5.3.2 IPsec protocols | p. 131 |
5.3.3 IKE Protocol | p. 136 |
5.3.4 Implementations | p. 141 |
5.4 Transport layer security protocols | p. 143 |
5.5 Application layer security protocols | p. 143 |
5.5.1 Security-enhanced application protocols | p. 144 |
5.5.2 Authentication and key distribution systems | p. 144 |
5.5.3 Layering security protocols above the application layer | p. 145 |
5.6 Conclusions | p. 146 |
References | p. 148 |
6 SSL and TLS Protocols | p. 153 |
6.1 SSL Protocol | p. 153 |
6.1.1 History | p. 153 |
6.1.2 Architecture | p. 155 |
6.1.3 SSL Record Protocol | p. 159 |
6.1.4 SSL Handshake Protocol | p. 161 |
6.1.5 Security analysis | p. 167 |
6.1.6 Implementations | p. 169 |
6.2 TLS Protocol | p. 171 |
6.3 SSL and TLS certificates | p. 175 |
6.4 Firewall traversal | p. 178 |
6.4.1 SSL/TLS tunneling | p. 179 |
6.4.2 SSL/TLS proxy servers | p. 181 |
6.5 Conclusions | p. 182 |
References | p. 183 |
7 Certificate Management and Public Key Infrastructures | p. 185 |
7.1 Introduction | p. 185 |
7.2 Public key certificates | p. 187 |
7.2.1 PGP certificates | p. 188 |
7.2.2 X.509 certificates | p. 190 |
7.3 IETF PKIX WG | p. 193 |
7.4 Certificate revocation | p. 196 |
7.4.1 CRLs | p. 198 |
7.4.2 OCSP | p. 199 |
7.4.3 Alternative schemes | p. 200 |
7.5 Certificates for the WWW | p. 201 |
7.5.1 CA certificates | p. 201 |
7.5.2 Server or site certificates | p. 203 |
7.5.3 Personal certificates | p. 204 |
7.5.4 Software publisher certificates | p. 205 |
7.6 Conclusions | p. 207 |
References | p. 210 |
8 Authentication and Authorization Infrastructures | p. 213 |
8.1 Introduction | p. 213 |
8.2 Microsoft .NET Passport | p. 216 |
8.2.1 Overview | p. 217 |
8.2.2 .NET Passport user accounts | p. 219 |
8.2.3 .NET Passport SSI service | p. 222 |
8.2.4 Complementary services | p. 228 |
8.2.5 Security analysis | p. 230 |
8.3 Kerberos-based AAIs | p. 231 |
8.3.1 Kerberos | p. 231 |
8.3.2 SESAME | p. 240 |
8.3.3 Windows 2000 | p. 240 |
8.4 PKI-based AAIs | p. 241 |
8.5 Conclusions | p. 245 |
References | p. 245 |
9 Electronic Payment Systems | p. 249 |
9.1 Introduction | p. 249 |
9.2 Electronic cash systems | p. 255 |
9.3 Electronic checks | p. 257 |
9.4 Electronic credit-card payments | p. 259 |
9.5 Micropayment systems | p. 261 |
9.6 Conclusions | p. 262 |
References | p. 264 |
10 Client-side Security | p. 267 |
10.1 Introduction | p. 267 |
10.2 Binary mail attachments | p. 271 |
10.3 Helper applications and plug-ins | p. 272 |
10.4 Scripting languages | p. 275 |
10.5 Java applets | p. 278 |
10.5.1 Security architecture | p. 279 |
10.5.2 Security policy | p. 281 |
10.5.3 Code signing | p. 281 |
10.6 ActiveX controls | p. 283 |
10.7 Security zones | p. 288 |
10.8 Implications for firewalls | p. 291 |
10.9 Conclusions | p. 293 |
References | p. 294 |
11 Server-side Security | p. 297 |
11.1 Introduction | p. 297 |
11.2 CGI | p. 300 |
11.3 Server APIs | p. 309 |
11.4 FastCGI | p. 310 |
11.5 Server-side includes | p. 311 |
11.6 ASP | p. 312 |
11.7 JSP | p. 313 |
11.8 Conclusions | p. 314 |
References | p. 314 |
12 Privacy Protection and Anonymity Services | p. 317 |
12.1 Introduction | p. 317 |
12.2 Early work | p. 321 |
12.3 Cookies | p. 324 |
12.4 Anonymous browsing | p. 328 |
12.4.1 Anonymizing HTTP proxy servers | p. 329 |
12.4.2 JAP | p. 330 |
12.4.3 Crowds | p. 330 |
12.4.4 Onion routing | p. 333 |
12.4.5 Freedom network | p. 336 |
12.5 Anonymous publishing | p. 336 |
12.5.1 JANUS and the rewebber service | p. 336 |
12.5.2 TAZ servers and the rewebber network | p. 338 |
12.5.3 Publius | p. 340 |
12.6 Voluntary privacy standards | p. 341 |
12.6.1 Privacy seals | p. 341 |
12.6.2 P3P | p. 342 |
12.7 Conclusions | p. 343 |
References | p. 344 |
13 Intellectual Property Protection | p. 347 |
13.1 Introduction | p. 347 |
13.2 Usage control | p. 349 |
13.3 Digital copyright labeling | p. 351 |
13.3.1 Introduction | p. 351 |
13.3.2 Categories of watermarking techniques | p. 352 |
13.3.3 Attacks | p. 355 |
13.4 Digital Millennium Copyright Act | p. 356 |
13.5 Conclusions | p. 357 |
References | p. 358 |
14 Censorship on the WWW | p. 359 |
14.1 Introduction | p. 359 |
14.2 Content blocking | p. 360 |
14.2.1 IP address blocking | p. 361 |
14.2.2 URL blocking | p. 363 |
14.3 Content rating and self-determination | p. 365 |
14.4 Conclusions | p. 371 |
References | p. 373 |
15 Risk Management | p. 375 |
15.1 Introduction | p. 375 |
15.2 Formal risk analysis | p. 378 |
15.3 Alternative approaches and technologies | p. 379 |
15.3.1 Security Scanning | p. 379 |
15.3.2 Intrusion Detection | p. 381 |
15.4 Conclusions | p. 382 |
References | p. 383 |
16 Conclusions and Outlook | p. 385 |
Abbreviations and Acronyms | p. 389 |
About the Author | p. 403 |
Index | p. 405 |