
XML Security Suite: Increasing the Security of E-Business

By Doug Tidwell
2005-05-18


Creating a secure session

There are several steps involved in creating a secure session:
  1. The secure server obtains a certificate from the appropriate certificate authority (CA).
  2. The secure server sends its public key to the client.
  3. The client uses the server's public key to encrypt a premaster secret (a random number generated by the client; the phrase premaster secret sounds much more sophisticated than random number). The server uses its private key to decrypt the premaster secret.
  4. The server generates a new key based on the premaster secret. The key is known to the server, and can only be decrypted and used by the client that generated the premaster secret.

This process creates a session in which all traffic between the client and server is encrypted. Only the server and the client can decrypt each other's data. Confidentiality, integrity, and authentication are covered. SSL doesn't address nonrepudiability, however; if I have a document on my system, you can deny that you ever sent it, or you can deny that you created the content that's currently in the document. Nonrepudiability is one of the functions provided by the XML Security Suite.
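The exchange in steps 2 through 4, and the nonrepudiation gap described above, can be seen in a short Java program. This is an added example, not one of the tutorial's sample programs. It assumes RSA with OAEP padding and a plain SHA-256 hash as a simplified stand-in for the real SSL key derivation, and the class name, helper names and sample message are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SecureSessionSketch {
    // Assumption: a bare SHA-256 hash stands in for the SSL key derivation function.
    static byte[] deriveSessionKey(byte[] premaster) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(premaster);
    }

    // Integrity tag over a message, keyed with the shared session key.
    static byte[] mac(byte[] sessionKey, String message) throws GeneralSecurityException {
        Mac hmac = Mac.getInstance("HmacSHA256");
        hmac.init(new SecretKeySpec(sessionKey, "HmacSHA256"));
        return hmac.doFinal(message.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Step 2: the server owns an RSA key pair and gives the public half to the client.
        // (In real SSL the public key arrives inside the CA-issued certificate from step 1.)
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair server = gen.generateKeyPair();

        // Step 3, client side: pick a random premaster secret and encrypt it for the server.
        byte[] premaster = new byte[48];
        new SecureRandom().nextBytes(premaster);
        Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        rsa.init(Cipher.ENCRYPT_MODE, server.getPublic());
        byte[] wire = rsa.doFinal(premaster);

        // Step 3, server side: only the private key recovers the premaster secret.
        rsa.init(Cipher.DECRYPT_MODE, server.getPrivate());
        byte[] recovered = rsa.doFinal(wire);

        // Step 4: both ends now hold the same session key.
        byte[] clientKey = deriveSessionKey(premaster);
        byte[] serverKey = deriveSessionKey(recovered);
        System.out.println("keys match: " + Arrays.equals(clientKey, serverKey));

        // Nonrepudiation gap: the server can compute exactly the tag the client computed,
        // so the tag proves nothing to a third party about which side wrote the message.
        String order = "<order id=\"1\">100 widgets</order>"; // constructed sample message
        byte[] fromClient = mac(clientKey, order);
        byte[] recomputedByServer = mac(serverKey, order);
        System.out.println("server can reproduce client's MAC: "
                + MessageDigest.isEqual(fromClient, recomputedByServer));
    }
}
```

Because both parties hold the same session key, anything protected with it could have been produced by either side, which is why a signature made with a private key is needed for nonrepudiation.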





First published by IBM DeveloperWorks

