The underlying protocol used the world wide web www

to remember, to ensure that too much encryption is not used while, at the same time, enough is used to sufficiently protect the data.

Authentication is meant to verify the sender to the recipient. When the sender sends the message to the other party, they electronically sign the document that verifies to the person receiving the document the authen-ticity of it. It also verifies what the person sent is what the person received. It does not however protect the data while in transit, which is a distinct difference from encryption and is often a misconception on the part of the general user community.

Encryption takes the message that can be sent, turns it into unreadable text, and transmits it across a network where it is decrypted for the reader. This is a greatly simplified explanation of what occurs and does not contain nearly the detail needed to understand this functionality. Security profes-sionals should understand the inner workings of encryption and how and when to best apply it to their environment. More importantly, they must understand the methods of encryption and decryption and the level at which encryption occurs.

Private key encryption is the least secure method of sending and receiv-ing messages. This is due to a dependency on the preliminary setup that involves the sharing of keys between parties. It requires that these keys be transmitted either electronically or physically on a disk to the other party and that every person who communicates with this person potentially has a separate key. The person who supplies the encryption key must then

As a user, PGP is the easiest form of encryption to use. User 1 simply stores a public key on a public server. This server can be accessed by any-one and if the key is ever changed, User 1’s decryption will not work and User 1 will know that something is amiss. For the system administrator, it is merely a matter of maintaining the public key server and keeping it prop-erly secured.

There are several different algorithms that can be applied to this type of technology. If the reader would like to know more about how to build the keys or development of these systems, there are several books available that thoroughly describe them.

Digital signatures perform three very important functions:

1. Integrity: A digital signature allows the recipient of a given file or message to detect whether that file or message has been modified. 2. Authentication: A digital signature makes it possible to verify cryp- tographically the identity of the person who signed a given message. 3. Nonrepudiation: A digital signature prevents the sender of a mes- sage from later claiming that they did not send the message.

If the newly computed message digest matches the one that was trans-mitted, the message was not altered in transit, and the receiver can be cer-tain that it came from the expected sender. If, on the other hand, the num-ber does not match, then something is amiss and the recipient should be suspect of the message and its content.

The particular intent of a message digest, on the other hand, is to protect against human tampering by relying on functions that are computationally infeasible to spoof. A message digest should also be much longer than a simple checksum so that any given message may be assumed to result in a unique value. To be effective, digital signatures must be unforgeable; this means that the value cannot be easily replaced, modified, or copied.

The recipient of an encrypted digital certificate uses the CA’s public key to decode the digital certificate attached to the message. Then they verify it as issued by the CA and obtain the sender’s public key and identification information held within the certificate. With this information, the recipient can verify the owner of a public key.

A certificate authority is a trusted third-party organization or company that issues digital certificates used to verify the owner of a public key and create public-private key pairs. The role of the CA in this process is to guar-antee that the individual granted the unique certificate is who he or she claims to be. Usually, this means that the CA has an arrangement with a financial institution, such as a credit card company, which provides it with information to confirm an individual’s claimed identity. CAs are a critical component in data security and electronic commerce because they guar-antee that the two parties exchanging information are really who they claim to be.

The other protocol for transmitting data securely over the World Wide Web is Secure HTTP (S-HTTP). Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP is designed to securely transmit individual messages. SSL and S-HTTP, therefore, can be seen as complementary rather than compet-ing technologies. Both protocols have been approved by the Internet Engi-neering Task Force (IETF) as a standard.

However, fully understanding what SSL is means that one must also understand HTTP (HyperText Transfer Protocol), the underlying protocol used by the World Wide Web (WWW). HTTP defines how messages are for-matted and transmitted, and what actions Web servers and browsers should take in response to various commands. For example, when one enters a URL in the browser, this actually sends an HTTP command to the Web server directing it to fetch and transmit the requested Web page.

Combining everything discussed thus far and a few practical principles involved in networking, one now has the ability to put together a much