Whose Site is it Anyway?
by Richard Moulds - nCipher - Monday, 29 March 2004.
The tamper-resistant security modules integrate directly with a web server and store all the private keys and host all cryptographic functions. The most secure devices - such as nCipher's nShield HSM - are validated to FIPS 140-2 Level 3, the most widely recognised security benchmark for secure cryptographic modules.

The importance of securing keys in hardware has also been recognised by VeriSign, the world's leading provider of digital certificates. For the first time a commercial SSL certificate has been created specifically for organisations that wish to protect their website with hardware.

VeriSign and nCipher have joined forces to counter the threat of web site spoofing and online data theft with a new premium grade VeriSign SSL certificate that is protected in a FIPS 140-2 certified HSM throughout its lifecycle.

Companies implementing VeriSign's Hardware Protected SSL Certificate will be able to display a distinct VeriSign Secure Site Seal on their websites that will giver users greater confidence in doing business online.

Beyond the web server

With hardware security, SSL is capable of authenticating the website and securing data as it travels between a browser and a web server - but what risks lay beyond the web server? After all, if an SSL session is terminated on a web server and sensitive information - such as a password and PIN for example - is unencrypted and left exposed, the point of weakness is simply shifted. This is in fact a common scenario, as authentication information often needs to be stripped and compared with data stored in a back-end database for validation.

The challenge therefore, is to extend the security provided by SSL deeper into the website infrastructure in order to protect data behind the firewall from internal as well as external attacks. As the concept of perimeter security, relying solely on creating a secure network boundary around an organisation, becomes outdated it becomes even more important to protect sensitive information wherever it flows, inside or outside a corporate network. To achieve this, the same tamper-resistant hardware protected environment used to store SSL keys can now be used to terminate SSL sessions, process unencrypted data and pass traffic securely on to other back-end applications.

SSL has come along way and the encryption protocol is now being widely adopted as a major industry standard. What lies behind the simple padlock is a complex technology that underpins the security of the Internet. Providing that it is deployed correctly, which typically includes the use of a dedicated HSM for any organization handling sensitive information, SSL delivers the all important level of trust that is vital if more of us are going to have the confidence to buy and do business online.

What is SSL

The SSL protocol was developed in 1994 by Netscape - one of the early Internet browser pioneers - for securing web transactions and messages over the Internet and today is included in all standard browsers along with most web server products. SSL uses a process of public key encryption to secure the connection between your web browser and a remote web server.

Public key encryption uses a pair of asymmetric keys for encryption and decryption. Each pair of keys consists of a public key that anyone can know and a private key that is never distributed and always kept secret. Data encrypted with the public key can be decrypted only with the private key. Conversely, data encrypted with the private key can be decrypted only with the public key.

When a customer uses a web browser to connect to an online store to carry out a purchase or visits their online bank, the SSL protocol causes the vendor's web server to present its public key in the form of a digital certificate to the customer's web browser, to identify and authenticate itself. The customer's web browser then creates and encrypts a 'session key' using the public key information stored in the digital certificate. This session key is returned to the vendor's web server, where it is unencrypted using the web site's own and hopefully secret private key.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th