Web Security 101
Goal of Web Security

From the point of view of a user, web security mainly addresses two questions:
How is This Achieved by VisibleSecurity?

From the top level, VisibleSecurity follows the big picture of most security models, which can best be visualized as follows. When you visit a web site to which you are going to submit some data, say, credit card information, the site sends you a safebox with an embedded certificate. You first check the certificate to see whether the box IS from the right place. Then you take a second safebox of your own, put your data in it, lock it, put a copy of your key in the safebox from the web site and lock that as well. Finally, you "submit" both boxes to the web site. The box from the web site differs from yours in that once it is locked nobody can open it except the web site itself. Therefore, neither of the boxes can be opened during transmission. Once the web site receives the two boxes, it opens its own box first to get the key to your box, then uses that key to open your box and get the data you sent. If the site determines that the reply data needs to be secure as well, it puts the data in the box you sent and sends the box, not the key, back to you. After you receive your box, you open it and get the reply data, which concludes a complete transaction.

What is public key encryption?

Public key encryption uses a pair of keys to encrypt data: the public key and the private key. The data is encrypted using the public key, and the encrypted data can only be decrypted using the private key. For this reason, public key encryption is also called asymmetric key encryption. The public key can be given to anybody, but one must keep the private key secret. As an example, if A wants to encrypt and send data to B, he uses the public key of B to encrypt the data and sends the encrypted data to B. When B receives the data, he uses his private key to decrypt the data. When the size of the keys is large enough, the encryption is very strong.
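The safebox exchange described above, as an added example that is not part of the original page or of VisibleSecurity's own code (Go, standard library only): the user locks the data with a fresh symmetric session key (AES-GCM), locks a copy of that key with the site's public key (RSA-OAEP), and the site opens its own box first and then the user's. The Envelope type, the function names and the key sizes are assumptions made for illustration, and checking the site's certificate before trusting its public key is assumed to have already happened.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Envelope is the pair of boxes the user submits: the data sealed under a fresh
// session key (your box) and that key sealed under the site's public key (the site's box).
type Envelope struct {
	SealedKey  []byte // RSA-OAEP ciphertext of the 32-byte session key
	Nonce      []byte // AES-GCM nonce for Ciphertext
	Ciphertext []byte // AES-256-GCM ciphertext of the submitted data
}

// NewSiteKey generates the site's key pair; the public half is what its certificate carries.
func NewSiteKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// newGCM builds the symmetric cipher that does the bulk encryption under a session key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// ClientSubmit is the user's side; the returned session key is kept to open the site's reply.
func ClientSubmit(sitePub *rsa.PublicKey, data []byte) (Envelope, []byte, error) {
	buf := make([]byte, 32+12) // fresh 32-byte AES-256 key followed by a 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil { return Envelope{}, nil, err }
	key, nonce := buf[:32], buf[32:]
	gcm, err := newGCM(key)
	if err != nil { return Envelope{}, nil, err }
	sealedKey, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, sitePub, key, nil) // the site's box
	if err != nil { return Envelope{}, nil, err }
	return Envelope{sealedKey, nonce, gcm.Seal(nil, nonce, data, nil)}, key, nil
}

// ServerOpen is the site's side: open its own box for the session key, then the user's box
// (GCM's authentication tag also rejects a box that was altered in transit).
func ServerOpen(sitePriv *rsa.PrivateKey, env Envelope) (data, key []byte, err error) {
	key, err = rsa.DecryptOAEP(sha256.New(), nil, sitePriv, env.SealedKey, nil)
	if err != nil { return nil, nil, err }
	gcm, err := newGCM(key)
	if err != nil { return nil, nil, err }
	data, err = gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	return data, key, err
}
```

The site's reply travels the other way in the same box: it is sealed with the session key ServerOpen recovered, so only the key's holder, the user, can open it.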
However, as the key size gets larger, the computation required increases significantly. Therefore, this method is not suitable for encrypting large volumes of data.

What is symmetric key encryption?

Symmetric key encryption is also called secret key encryption. It uses a single key, called the symmetric key or secret key, to encrypt the data, and the same key to decrypt the encrypted data. Unlike public key encryption, symmetric key encryption is very efficient. In the example above, if A uses a secret key to encrypt data and sends it to B, B will have to know the secret key in order to decrypt the data. This need to share the secret key is the fatal drawback of this method.

What encryption method is used in VisibleSecurity?

As in most security models, VisibleSecurity uses both public key encryption and symmetric key encryption. The model is illustrated in the first section above.

What are session keys and personal keys?

In VisibleSecurity, two types of symmetric keys are used: the session key and the personal key. When data is encrypted using the session key and sent to the server, the server will be able to decrypt your data. For example, when you send credit card information to purchase something, the vendor must be able to decrypt the card number. However, if the card number is encrypted using a personal key, nobody but yourself will be able to decrypt the data.

Disclaimer: All names, grades, and other sample data are fictional and for demonstration purposes only. They should not be matched to any real-world person or data.