Figure 10.20 Open the httpd-ssl.conf file

Unit 10
Listen 443
SSLEngine on
SSLCertificateFile "/conf/ssl.crt/server.crt"
The above are the basic SSL configuration directives. You can find further documentation on these directives at httpd.apache.org and .
3. Now stop and restart your Web server for the changes to take effect.
4. Test your Apache SSL server by pointing your Web browser at . The protocol name 'https' is used when HTTP messages are carried over an SSL-encrypted channel. When a Web browser encounters https in a URL, it knows it must first set up a secure connection via the SSL protocol (by default to port 443, the port the Listen directive above opens) before sending any HTTP request over it.
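Before restarting httpd it is worth checking the fragment for the mistakes that most often make the restart fail or leave the server on port 80 only. The lint below is an added example, not code from the course notes or from the Apache project. It parses a fragment in httpd's directive-per-line syntax and checks for the directives the page lists plus SSLCertificateKeyFile, a real mod_ssl directive the page's list omits (httpd needs it unless the private key is stored in the same PEM file as the certificate). The two config fragments are constructed for the example; the second reproduces what you get by pasting the page's lines with their typographic quotes, which httpd would treat as part of the file name.

```python
import re

# Added example, not from the course notes. Two constructed httpd-ssl.conf
# fragments: one complete, one with the problems this lint is meant to catch.
GOOD_CONF = """\
Listen 443
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile "/conf/ssl.crt/server.crt"
    SSLCertificateKeyFile "/conf/ssl.key/server.key"
</VirtualHost>
"""

# The page's directives pasted with typographic quotes and without a Listen
# or a key-file directive (constructed).
BAD_CONF = """\
SSLEngine on
SSLCertificateFile “/conf/ssl.crt/server.crt”
"""

# Directives a minimal SSL virtual host needs. SSLCertificateKeyFile is a real
# mod_ssl directive; the page's list omits it, and httpd needs it unless the
# private key is stored in the same PEM file as the certificate.
REQUIRED = ("Listen", "SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile")

TYPOGRAPHIC_QUOTES = "\u201c\u201d\u2018\u2019"   # “ ” ‘ ’


def parse_directives(conf):
    """Map directive name -> argument string for a config fragment.

    Blank lines, comments and <section> tags are skipped; a directive that
    appears more than once keeps its last value, which is enough for a lint.
    """
    directives = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def lint_ssl_conf(conf):
    """Return a list of problem strings; an empty list means the fragment passes."""
    d = parse_directives(conf)
    problems = [f"missing directive: {name}" for name in REQUIRED if name not in d]
    # Listen must bind port 443 ("443", "*:443" and "443 https" all pass).
    if "Listen" in d and not re.search(r"(^|:)443(\s|$)", d["Listen"]):
        problems.append(f"Listen does not bind port 443: {d['Listen']!r}")
    if "SSLEngine" in d and d["SSLEngine"].lower() != "on":
        problems.append(f"SSLEngine is {d['SSLEngine']!r}, not 'on'")
    # httpd only recognises ASCII double quotes as argument delimiters, so a
    # curly quote copied from a document becomes part of the path it opens.
    for name in ("SSLCertificateFile", "SSLCertificateKeyFile"):
        if any(ch in d.get(name, "") for ch in TYPOGRAPHIC_QUOTES):
            problems.append(f"{name}: typographic quotes in path {d[name]}")
    return problems


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, lint_ssl_conf(conf) or "OK")
```

Once the fragment passes, the real checks are httpd's own: run `apachectl configtest` before the restart and, after it, confirm the port is actually serving TLS with `openssl s_client -connect host:443 -servername host`, which prints the certificate the server presented and the protocol negotiated. A browser test alone does not tell you which certificate was served if the browser has cached an exception.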
Complete the following self-test to check your knowledge of the SSL
process.
Self-test 10.6
1. How is the session key in an SSL transaction sent across the network?
2. Name two optional cryptographic operations in an SSL transaction.
3. Why should a Web client check whether the domain name in the server's certificate matches the domain name of the server itself?
You have learned how cryptography can be used to fulfil the requirements for conducting digital commerce on the Internet. But in practice, how well do cryptographic implementations really work? Does cryptography ever fail, and where are its weaknesses? Does it usually fail through cryptanalysis, the science of finding weaknesses in the mathematics behind the algorithms, or through exhaustive key search, the systematic trial of every possible key? The next section attempts to answer these questions.

COMP S834 Web Server Technology
Limitations of cryptography
Like firewalls and anti-virus software, encryption tools should only be one part of an overall information security programme. Companies and individuals should not be lulled into a false sense of security just because they use an SSL-enabled Web server and file encryption software.
The security of a cryptosystem depends heavily on the secrecy of the symmetric key (for secret key cryptosystems) or of the private key component of the keypair (for public key cryptosystems). Once this key is stolen, an attacker can impersonate its owner, sign documents in the owner's name and decrypt documents meant for the owner's eyes only. Ordinary users cannot be relied upon to keep their keys secret on their own; they must be educated in the proper storage and handling of keys, preferably through a key management policy disseminated throughout the entire organization.
In principle, any cryptographic key can be recovered by an attacker given sufficient time and resources. The most common generic approach is a brute force attack (exhaustive key search), in which every possible key is tried until the actual key is found. Against a well-designed algorithm this is the best attack available, so the key length sets the amount of work the attacker must do: each extra bit doubles the key space. As computing power increases, attackers can search a given key space in less time.
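The following is an added example, not code from the course notes: it carries out the exhaustive key search just described against a toy cipher with a deliberately short key, then scales the measured trial rate up to larger key sizes. The cipher (XOR with a SHA-256 hash of the key as keystream) and the plaintext are constructed for the example and are not a real cryptosystem; the point is the search loop, which is the same for any cipher, and the extrapolation, which is why 16-bit keys fall in a fraction of a second on one laptop while 128-bit keys do not fall at all.

```python
import hashlib
import time

KEY_BITS = 16   # toy key length so the search below finishes in a fraction of a second


def toy_encrypt(key, data):
    """Toy stream cipher used only as a brute-force target (not a real cipher):
    XOR data with SHA-256(key) as a 32-byte keystream. XOR is its own inverse,
    so the same function decrypts. Keys are ints below 2**32."""
    keystream = hashlib.sha256(key.to_bytes(4, "big")).digest()
    return bytes(b ^ keystream[i % 32] for i, b in enumerate(data))


def brute_force(ciphertext, known_prefix, key_bits=KEY_BITS):
    """Exhaustive key search: try every key in [0, 2**key_bits) in order and
    return (key, trials) for the first key whose decryption of the ciphertext
    begins with known_prefix, or (None, trials) if none does.

    The attacker needs some way to recognise the right key; here it is a
    known-plaintext prefix (e.g. an HTTP request line). A short prefix can
    match by accident with probability 2**-(8*len) per trial, so use enough
    known bytes to make that negligible for the key space being searched."""
    target = ciphertext[:len(known_prefix)]
    for k in range(2 ** key_bits):
        if toy_encrypt(k, target) == known_prefix:
            return k, k + 1
    return None, 2 ** key_bits


def expected_seconds(trials, seconds, target_bits):
    """Scale a measured rate to a larger key space. On average the right key
    is found halfway through, so the expected work is 2**(target_bits-1) trials."""
    rate = trials / seconds
    return 2 ** (target_bits - 1) / rate


if __name__ == "__main__":
    secret_key = 0xBEEF                      # constructed; any value below 2**KEY_BITS
    message = b"GET /index.html HTTP/1.1"    # constructed known plaintext
    ct = toy_encrypt(secret_key, message)

    t0 = time.perf_counter()
    found, trials = brute_force(ct, b"GET /")
    elapsed = time.perf_counter() - t0
    print(f"recovered key 0x{found:04x} after {trials} trials in {elapsed:.3f}s")
    for bits in (40, 56, 128):
        years = expected_seconds(trials, elapsed, bits) / (365 * 24 * 3600)
        print(f"{bits}-bit key at this rate: about {years:.3g} years")
```

The extrapolation is deliberately naive: it assumes one CPU core in interpreted Python, whereas a real attacker uses optimised code, many machines or dedicated hardware, which is exactly the "as computing power increases" point. What it does show is that the gap between 56 and 128 bits is a factor of 2**72, not something faster hardware closes; that is why key length, not raw speed, is the first thing to check when judging whether brute force is a realistic threat.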

