Figure 10.20 Open the httpd-ssl.conf file
Unit 10

    Listen 443
    SSLEngine on
    SSLCertificateFile "/conf/ssl.crt/server.crt"

The above are the basic SSL configuration directives: Listen 443 binds the well-known https port, SSLEngine on enables mod_ssl for that server, and SSLCertificateFile names the PEM-encoded server certificate (when the private key is kept in a separate file, it is named with SSLCertificateKeyFile). You can find further documentation on these directives at httpd.apache.org and .

3 Now you must stop and restart your Web server for your changes to take effect.

4 Test your Apache SSL server by pointing your Web browser at .

The URL scheme 'https' is used when HTTP messages are carried over an SSL-encrypted channel. When a Web browser encounters https in a URL, it knows it must first set up a secure connection via the SSL protocol, and only then send the HTTP request inside that channel. Complete the following self-test to check your knowledge of the SSL process.

Self-test 10.6

1 How is the session key in an SSL transaction sent across the network?

2 Name two optional cryptographic operations in an SSL transaction.

3 Why should a Web client check whether the domain name in the server's certificate matches the domain name of the server itself?

You have learned how cryptography can be used to fulfil all the requirements for conducting digital commerce on the Internet. But, in practice, how well do cryptographic implementations really work on the Internet? Does cryptography ever fail? What are the weaknesses in using cryptography? Does cryptography often fail due to cryptanalysis, the science of attacking the mathematical theory behind the algorithms? Or is cryptography's weakness exhaustive key search, the systematic trial of every possible key? The next section attempts to answer these questions.
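The check behind self-test question 3, as an added example that is not part of the course text: after the SSL handshake succeeds, the client must still compare the host from the https:// URL with the names the certificate was issued for. The code below implements the DNS-name matching rule of RFC 6125 section 6.4.3 (case-insensitive, a single wildcard only as the whole left-most label) and shows why skipping it is dangerous. The certificates are constructed dictionaries in the shape Python's ssl.SSLSocket.getpeercert() returns; the host names, the bank.example and evil.example domains and the function names are assumptions made for illustration, and nothing touches the network.

```python
"""Hostname check a Web client must do after the SSL handshake.

Added example, not part of the course text. Certificates here are constructed
dicts in the shape of ssl.SSLSocket.getpeercert(); no real certificates or
network connections are involved.
"""
import ipaddress


def dns_name_matches(cert_name: str, host: str) -> bool:
    """True if the dNSName from the certificate covers host (RFC 6125 6.4.3)."""
    cert_labels = cert_name.rstrip(".").lower().split(".")
    host_labels = host.rstrip(".").lower().split(".")
    if len(cert_labels) != len(host_labels):
        return False  # a wildcard covers exactly one label, never zero or several
    if cert_labels[0] == "*":
        # The wildcard must be the entire left-most label. We also refuse to let it
        # stand for a whole TLD or second-level domain (*.com, *.example); real
        # clients additionally consult the public suffix list for this.
        if len(cert_labels) < 3:
            return False
        return cert_labels[1:] == host_labels[1:]
    # Partial wildcards (w*.example) or wildcards in other labels are compared
    # literally, so they never match a real host name.
    return cert_labels == host_labels


def cert_matches_host(cert: dict, host: str) -> bool:
    """Check the URL host against the presented certificate.

    The subject commonName is deliberately ignored, as current browsers do: only
    subjectAltName entries count. An IP literal in the URL must equal an
    iPAddress entry; it is never matched against a DNS name, and vice versa.
    """
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and dns_name_matches(value, host)
               for kind, value in sans)


def check_connection(cert: dict, url_host: str) -> str:
    """Decision a careful client makes once the handshake itself has succeeded."""
    if cert_matches_host(cert, url_host):
        return "accept"
    return "reject: certificate is not issued for " + url_host


# Constructed certificates for illustration (assumed names, not real sites).
BANK_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "www.bank.example"), ("DNS", "*.api.bank.example")),
}
# A certificate that is perfectly valid for the attacker's own site. The handshake
# with it succeeds; only the name check tells the client it is talking to the
# wrong server when it asked for www.bank.example.
ATTACKER_CERT = {
    "subject": ((("commonName", "www.evil.example"),),),
    "subjectAltName": (("DNS", "www.evil.example"),),
}
INTRANET_CERT = {
    "subject": ((("commonName", "intranet"),),),
    "subjectAltName": (("DNS", "intranet.corp.example"), ("IP Address", "192.0.2.10")),
}

if __name__ == "__main__":
    for cert, host in [(BANK_CERT, "www.bank.example"),
                       (BANK_CERT, "v1.api.bank.example"),
                       (BANK_CERT, "api.bank.example"),
                       (ATTACKER_CERT, "www.bank.example"),
                       (INTRANET_CERT, "192.0.2.10")]:
        print(f"{host:24} -> {check_connection(cert, host)}")
```

The attacker case is the answer to the self-test question: a certificate can be genuine, correctly signed and unexpired and still belong to someone else, so a client that stops at signature verification can be redirected to an impostor without any warning.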
COMP S834 Web Server Technology

Limitations of cryptography

Similar to firewalls and anti-virus software, encryption tools should only be part of an overall information security programme. Companies and individuals should not be lulled into a false sense of security just because they are using an SSL-enabled Web server and file encryption software.

The success of cryptography depends heavily on the secrecy of the symmetric key (for secret key cryptosystems) or the private key component of the key pair (for public key cryptosystems). Once this key is stolen, an attacker can impersonate its owner, sign documents in the owner's name and decrypt documents that are meant for the owner's eyes only. Ordinary users cannot be relied upon to keep their keys secret. They must be educated on the proper storage and handling of these keys, preferably through a key management policy that is disseminated throughout the entire organization.

In theory, all cryptographic keys can be broken when an attacker is given sufficient time and resources. The most common approach to breaking cryptographic keys is a brute force attack, in which every possible key is tried until the actual key is found; on average the attacker must try half the key-space before succeeding. As computing power increases, attackers can search a given key-space in less time, which is why the 40-bit and 56-bit keys once common in export-grade SSL and in DES are no longer considered adequate. Each additional key bit doubles the attacker's work, so for a sound algorithm with an adequately long key the practical weakness is rarely the search itself but the handling of the key.
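The key-space arithmetic above, made concrete in an added example that is not part of the course text. A tiny constructed stream cipher (keystream derived from the key with SHA-256, so there is no shortcut other than trying keys) encrypts an HTTP request under a 16-bit key; the attacker recovers the key by exhaustive search using the predictable start of the request as known plaintext, measures the rate achieved, and extrapolates how long the same search would take for longer keys. The cipher, key size, message and rate figures are assumptions for illustration only.

```python
"""Exhaustive key search against a toy cipher.

Added example, not from the course text. The 'cipher' is a constructed
stand-in (keystream = SHA-256 of key and counter) with a deliberately tiny
key, so the search finishes in seconds; the same loop is what an attacker
runs against a real cipher, only the key-space is astronomically larger.
"""
import hashlib
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from a hash; prefix-consistent for any length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(p ^ k for p, k in zip(data, keystream(key, len(data))))


toy_decrypt = toy_encrypt  # XOR with the keystream is its own inverse


def brute_force(ciphertext: bytes, known_prefix: bytes, key_bits: int):
    """Try every key of key_bits bits in order.

    Returns (key, keys_tried) or (None, keys_tried). The test for the right
    key is a known-plaintext check: an HTTP request starts with a predictable
    string such as b"GET /... HTTP/1.1", so only that prefix is decrypted.
    """
    nbytes = (key_bits + 7) // 8
    tried = 0
    for k in range(1 << key_bits):
        key = k.to_bytes(nbytes, "big")
        tried += 1
        if toy_decrypt(key, ciphertext[:len(known_prefix)]) == known_prefix:
            return key, tried
    return None, tried


def expected_search_seconds(key_bits: int, keys_per_second: float) -> float:
    """Average time to find a key: half the key-space at the given rate."""
    return (2 ** (key_bits - 1)) / keys_per_second


# Constructed sample: a 16-bit key (key-space 65536) and a captured request.
KEY_BITS = 16
SECRET_KEY = bytes.fromhex("beef")
MESSAGE = b"GET /login HTTP/1.1\r\nCookie: session=8f2a1c\r\n\r\n"
KNOWN_PREFIX = b"GET /login HTTP/1.1"

if __name__ == "__main__":
    ct = toy_encrypt(SECRET_KEY, MESSAGE)
    t0 = time.perf_counter()
    key, tried = brute_force(ct, KNOWN_PREFIX, KEY_BITS)
    elapsed = time.perf_counter() - t0
    rate = tried / elapsed
    print(f"recovered key {key.hex()} after {tried} tries, {rate:,.0f} keys/s")
    print(f"plaintext: {toy_decrypt(key, ct)!r}")
    # Extrapolate the measured rate to other key sizes. The rate assumed for
    # dedicated hardware (1e9 keys/s) is an illustrative figure, not a benchmark.
    for label, r in (("this script", rate), ("assumed 1e9 keys/s", 1e9)):
        for bits in (40, 56, 128):
            years = expected_search_seconds(bits, r) / SECONDS_PER_YEAR
            print(f"{label:20} {bits:3}-bit key: {years:.3g} years on average")
```

The loop never gets faster per key; what changes the answer is only the key length, so doubling the key-space (one more bit) doubles the expected time regardless of how fast the hardware is.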