Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations bkrike on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Data Security 3

Status
Not open for further replies.
aarrgghh

aarrgghh

Technical User
Sep 5, 2002
60
US
Hey all,

I am looking for some advice. I have created a website that requires people to supply his or her first and last names, and social security number. What are my options for safely collecting this data via a web form without anyone being able to intercept it and read it on its way to my server? Basically I need help parsing through all of the information regarding security (i.e., Private Key Encryption, Public Key Encryption, Digital Signatures, Digital Certificates, and Secure Web Servers). What do you suggest I use?

Thanks in advance.

Patrick
 
Sort by date Sort by votes
So there is no way to use any type of encyption using http? So in what situations would one use: Public Key Encyption, Private Key Encryption, Digital Signatures, Digital Certificates?
 
Upvote 0 Downvote
HTTP transmits its data in the clear. That's why SSL and HTTPS were invented by Netscape. Browser vendors adopted SSL (and its successor TLS) as the defacto standard for encrypting transmissions between the web server and web client.

Public keys, private keys, digital signatures, and digital certificates are all used within SSL, because SSL is actually an asymmetric encryption algorithm that uses private public keys to encrypt the data being transferred.

You generate a public and private key pair on your web server. You then combine the public key with information about yourself into a encryption certificate. You then send the certificate to a certificate signing authority, such as Thawte or Verisign. Once the signing authority verifies your identity or the identity of your business, the signing authority then applies its digital signature to your public key. You now have a signed certificate which you can configure your web server to use.

When you point your browser to an HTTPS site, the browser downloads the public key of the server and generates its own public key. It then encrypts its public key using the server's public key and transmits the encrypted key to the server. The server then decrypts the browser's public key using its own private key. The server and browser can then use each others' public keys to transfer information in encrypted form. (It's actually a little more complicated than than, but my description is correct in general.)

Web browsers have built into them the public keys of various signing authorities. Your browser can compare the key used to sign your SSL certificate to the signature it knows to be correct. If the signatures match, your browser assumes that since it trusts the signing authoritiy and the signing authority trusts you, it can also trust you. It accepts your server's public key for encryption. Your browser will also check to make sure that the HTTPS site name ("secure.foo.com") matches the site name in the certificate.

The Apache web server uses external libraries, namely OpenSSL, to perform the cryptography to make HTTPS work. The OpenSSL libraries contain the functionality for you to sign your own certificates. Browsers will accept them and HTTPS will operate normally -- it's just that browsers will complain that it can't verify the signature on the certificate coming from the server.


Actually, though, I misspoke. The applicability of encryption algorithms other than SSL with HTTP really depend on how much effort you are willing to put out in getting the communications encrypted. You could write a web service that communicates to a custom web client application using encrypted channels.

If you want to know more, I recommend that you go to the source: Applied Cryptography, by Bruce Schneier.


Want the best answers? Ask the best questions: TANSTAAFL!!
 
Upvote 0 Downvote
Wow. Thank you for that excellent description. I have read a few different things about encryption, but none that made as much sense as you just did. Thanks.
 
Upvote 0 Downvote
Yes, good explanation on SSL : *.

I can also recommend that book by Schneier - excellent overview AND very detailed. Its the standard textbook on crypto.

As regarding adding SSL to your site, check with your web host. With most, you can just use their cert and enable SSL very, very easily on any page in your site (for a little extra, probably).

Posting code? Wrap it with code tags: [ignore]
Code: 
[/ignore][code]CodeHere
[ignore][/code][/ignore].
 
Upvote 0 Downvote
Nothing is easy with the goverment, but thanks for the added info.
 
Upvote 0 Downvote
you can also look it in a way that if the NSA has an eye on you that you at least will have a permanent backup of your data ;)

for people interested in crypto I can also recommend "the code book" from simon singh

(about the history of crypto and how it influenced history from the middle ages till now)
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

W
  • Locked
  • Question
how to send checked row data in php
Replies
0
Views
386
wiltang2004
W
R
  • Locked
  • Question
How Can I Use MySQL To Send Data To An Email
Replies
1
Views
602
Chris Miller
Chris Miller
Brianfree
  • Locked
  • Question
Dropdown list data generator
Replies
3
Views
530
Brianfree
Brianfree
milisql
  • Locked
  • Question
Fetching Data But not calculating Correctly
Replies
0
Views
607
milisql
milisql
lexer
  • Locked
  • Question
Join two mysql tables for populate datatable
Replies
3
Views
505
spamjim
spamjim

Part and Inventory Search

Sponsor

Back
Top