Secure HTTP (S-HTTP) is a secure, message-oriented communications protocol designed for use in conjunction with HTTP. S-HTTP is designed to be easily integrated with HTTP applications.
S-HTTP has the following features:
1. It provides a variety of security mechanisms to HTTP clients and servers.
2. It supports interoperation among a variety of implementations, and is compatible with HTTP.
3. The deployment of S-HTTP does not require client-side public key certificates (or public keys), as it supports symmetric-key-only operation modes. This is good in the sense that spontaneous private transactions can occur without requiring individual users to have an established public key.
4. It provides full flexibility of cryptographic algorithms, modes and parameters. Several cryptographic message format standards may be incorporated into S-HTTP clients and servers.
5. S-HTTP-aware clients can communicate with S-HTTP-ignorant servers and vice versa, although such transactions would not be using the S-HTTP security features.
Syntactically, Secure HTTP messages are the same as HTTP messages, consisting of a request or status line followed by headers and a body. However, the range of headers is different and the bodies are typically cryptographically enhanced.
S-HTTP messages, just like HTTP messages, consist of requests from client to server and responses from server to client.
An S-HTTP request message has the following format:
 _______________________________________________
|Request | General | Request | Entity | Message |
| Line   | Header  | Header  | Header |  Body   |
 -----------------------------------------------
In order to differentiate S-HTTP messages from HTTP messages and allow for special processing, the request line should use the special Secure method and the protocol designator Secure-HTTP/1.4. Consequently, Secure HTTP and HTTP processing can be intermixed on the same TCP port, e.g. port 80. In order to prevent leakage of potentially sensitive information, the Request-URI should be *.
S-HTTP responses should use the protocol designator Secure-HTTP/1.4. The response message has the following format:
 _______________________________________________
|Status  | General | Response | Entity | Message|
| Line   | Header  | Header   | Header |  Body  |
 -----------------------------------------------
Note that the status in the Secure HTTP response line does not indicate anything about the success or failure of the request. If the Secure HTTP processing is successful, servers just send the status as 200 OK. This prevents an attacker from seeing the success or failure of a given request, which the correct recipient can determine from the encapsulated data. Secure HTTP generally tries to leak as little information as possible.
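The request-line and status-line rules above (the Secure method, the Secure-HTTP/1.4 designator, the * Request-URI, and the always-200 outer status) as a small worked example. This is added example code, not part of the original post or of any S-HTTP implementation; the sample message is constructed, and the protect callable is an assumed placeholder for the cryptographic enhancement of the body.

```python
from typing import Callable, Dict, NamedTuple, Tuple

SHTTP_VERSION = "Secure-HTTP/1.4"  # designator on both S-HTTP request and status lines


class RequestLine(NamedTuple):
    method: str
    uri: str
    version: str
    secure: bool  # True when the line marks an S-HTTP request rather than plain HTTP


def parse_request_line(line: str) -> RequestLine:
    """Classify a request line as S-HTTP or plain HTTP (both may share one TCP port).

    An S-HTTP request pairs the special "Secure" method with the Secure-HTTP/1.4
    designator, and its Request-URI must be "*" so the real target stays inside
    the protected body instead of travelling in the clear.
    """
    parts = line.strip().split()
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {line!r}")
    method, uri, version = parts
    secure = method == "Secure" or version == SHTTP_VERSION
    if secure and (method != "Secure" or version != SHTTP_VERSION):
        raise ValueError("S-HTTP request needs both the Secure method and Secure-HTTP/1.4")
    if secure and uri != "*":
        raise ValueError("S-HTTP Request-URI must be '*' (anything else leaks the target)")
    return RequestLine(method, uri, version, secure)


def split_message(raw: str) -> Tuple[str, Dict[str, str], str]:
    """Split request/status line, headers and body; S-HTTP keeps HTTP's message syntax."""
    head, _, body = raw.partition("\r\n\r\n")
    first, *header_lines = head.split("\r\n")
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return first, headers, body


def wrap_response(inner_http_response: str, protect: Callable[[str], str]) -> Tuple[str, str]:
    """Return (outer status line, outer body) after successful S-HTTP processing.

    `protect` is an assumed placeholder for the cryptographic enhancement of the
    body. The outer status line is always "200 OK" whatever the inner HTTP status,
    so an observer cannot tell a successful inner request from a failed one; only
    the recipient learns the inner status after unwrapping the body.
    """
    return f"{SHTTP_VERSION} 200 OK", protect(inner_http_response)


# Constructed sample S-HTTP request (not captured traffic); the body stands in for
# the cryptographically enhanced content.
SAMPLE_REQUEST = "Secure * Secure-HTTP/1.4\r\nContent-Type: message/http\r\n\r\n<protected request>"
```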