The protocol SSL and its extension PCT

Today the various mechanisms for the solution of the wide spectrum of problems of information safety maintenance in the INTERNET are developed. The most known and the most ad­vanced information protecting mean is protocol Secure Socket Layer (SSL) offered by Netscape. The wide distribution of it is caused the SSL realization by the other large corporations such as the IBM, Microsoft and Spyglass. They have embedded this protocol in the applications using for systems based on architec­ture the client-server.

The version SSL 2.0 takes into account two most important aspects of information protection in the network: authentication and enciphering. Authentication is necessary for confirmation of the fact that the user is legal, it usually needs for the user only to input the identifier (network "name") and password. How­ever during authenticating process the intruder can "overhear" on the communication channel and intercept the user password and identifier. The mechanism of enciphering of the password and identifier before their sending via network is used for it pre­vention. The mechanism SSL and the authenticating methods of types PAP or CHAP that used in many remoted access systems, are mainly similar.

The protection from UAA is necessary not only for user identificating data, but also for electronic mail or for confidential files loaded from FTP-server. In the SSL for these purposes is re­alizing the enciphering that allows to ensure the safety practically to the all information, transferred between user and server.

Protocol SSL is not absolutely perfect. Some doubts con­cerning reliability of used enciphering mechanism are expressed. In order to correct this situation, the Microsoft has offered the extension of the protocol SSL that named PCT (Private Com­munications Technology). It is expected, that this new proto­col will be embedded into the structure of the universal system "Information Server" for access in the INTERNET, created by Microsoft. The additional key specially intended for authentica­tion is proposed in the PCT. Besides that the Microsoft is going to develop more proof algorithm for random numbers genera­tion. This generator, intended for creating of enciphering key, is considered as one weaker item in the protocol SSL safety. It is mentioned, that protocol SSL even supplied with PCT op­tions, is not capable to solve a problem of absolute safety of the information. The systems of general protection, the similar to the combination SSL and PCT only prevent an opportunity of viewing of transferring messages and data contents that may happened on communication lines. However they are not quite suitable for restriction or protection from access to the informa­tion sources.

There are several groups of the INTERNET users, whose requirements are out from frameworks of standard confiden­tiality. For example, one of such large and influential groups — governmental structures. The absolutely reliable authentica­tion is especially important for these structures. The critical im­portance for them has the guarantee that the users and informa­tion services are really legal. The system Fortezza is mechanism guaranteeing the increased information security level and more preferable to these users of the INTERNET.

 

COMPREHENSION CHECK

Answer the questions.

1. Why should one provide the creation of information re­sources protecting system? 2. What types of information threats in the Internet do you know? 3. What does UAA mean? 4. How can the unauthorized access be performed? 4. What are the most wide­spread means for information protection? 5. What are the short­comings of systems for protection from unauthorized users ac­cess? 6. What are the demerits of using Internet? 7. What is the most known information protecting mean? 8. Characterize the protocol SSL. Why is not SSL absolutely perfect?