Server Authentication


Server authentication protects clients as they access Web applications by verifying the identity of the party that operates the Web application: the server proves, with a certificate issued by a trusted certificate authority, that it holds the private key bound to the domain name the client asked for. That means that if clients are sending information such as name, age, Social Security number, credit-card information, and so on, they can be confident that they know who is receiving it, because that identity has been verified. This does not eliminate the possibility of some sort of misuse of the client information. It simply identifies the party to whom the information is going. If that party elects to misuse the information, server authentication can do nothing to prevent this. The only role of server authentication is to verify the identity of the destination party.

The topics we'll cover include those that you need to know to understand the broad security issues. They include

  • Keys

  • Certificates

  • Why not use SSL for everything?

When developing a site that is going to collect or provide confidential information, you must keep your customers' protection in mind. That usually means some form of encryption of the data in transit.

To prevent data theft in transit, you need to enable encryption on your Web site. By default, the information users send to your Web site travels as plain, unencrypted HTTP. Anyone who can intercept that traffic can read it, and the data can then be used for an entire range of things that neither you nor your client would want. The mechanism you should use to prevent this misuse is the Secure Sockets Layer (SSL); its successor, Transport Layer Security (TLS), works the same way and uses the same certificates, and is what current servers and browsers actually negotiate. Web sites that use SSL look different from regular sites. A normal Web site address might be http://www.microsoft.com

If a Web site is using SSL, the protocol token in the address becomes https, as in https://www.microsoft.com

Keys

When using SSL, first you must create keys. A key is a secret value that an encryption algorithm combines with the data; without the right key, the encrypted data cannot be read. The Web site holds a long-term public/private key pair, and for each connection the browser and the Web site use that key pair to agree on a temporary session key with which the transmitted data is encrypted. The program that enables the Web site administrator to create the server's key pair is the Key Manager.

The two types of keys used are public and private keys. The public key is given to anyone who wants to exchange data, whereas the private key is held only by its owner and never leaves the server. Together they let a sender package data into a digital envelope and attach a digital signature to it.

Senders use the recipient's public key to seal the information in a digital envelope. In practice the public key encrypts only a random session key, and that session key encrypts the data itself, because public-key operations are far slower than symmetric encryption. The sender then transmits the digital envelope to the recipient. Although the packet can be intercepted, only the recipient's private key opens the envelope, so it is unreadable to anyone who lacks that key. Only the official recipient has the private key.

So that the recipient can know that it was indeed the correct sender that sent the data, the sender adds a digital signature as proof of its identity. The sender computes a hash of the digital envelope and signs that hash with its own private key. The recipient need only use the sender's public key to verify the signature. Because only the matching private key could have produced a signature that the sender's public key verifies, the recipient can be assured that the envelope came from the official sender and was not altered in transit. That assurance is only as good as the recipient's knowledge that the public key really belongs to the sender, which is the problem certificates solve.
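The envelope-and-signature exchange described above, as an added example that is not code from the book. It uses textbook RSA built from the Python standard library so that every step is visible: the sender encrypts a fresh session key under the recipient's public key, encrypts the data under that session key, and signs a hash of the whole envelope with its own private key; the recipient verifies the signature before opening anything. The 512-bit modulus, the unpadded RSA and the SHA-256 keystream cipher are assumptions made for readability and are not safe for real use; a production system uses a vetted library with OAEP, PSS and an authenticated cipher.

```python
"""Digital envelope plus digital signature with textbook RSA (stdlib only).

Added example, not code from the book. Raw RSA without OAEP/PSS padding and
the SHA-256 keystream "cipher" are deliberately minimal so the mechanics stay
visible; they are NOT safe for production.
"""
import hashlib
import random
import secrets


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit set, odd
        if _is_probable_prime(candidate):
            return candidate


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)). 512-bit modulus is demo size; real keys are 2048+."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _int_to_bytes(x: int, modulus: int) -> bytes:
    return x.to_bytes((modulus.bit_length() + 7) // 8, "big")


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with a SHA-256(key || counter) keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def seal(plaintext: bytes, recipient_pub, sender_priv) -> dict:
    """Sender side: envelope the data for the recipient, then sign the envelope."""
    n_r, e_r = recipient_pub
    n_s, d_s = sender_priv
    session_key = secrets.token_bytes(32)                 # fresh for every message
    ciphertext = _keystream_xor(session_key, plaintext)   # bulk data, symmetric
    wrapped = _int_to_bytes(pow(int.from_bytes(session_key, "big"), e_r, n_r), n_r)
    digest = int.from_bytes(hashlib.sha256(wrapped + ciphertext).digest(), "big")
    signature = _int_to_bytes(pow(digest, d_s, n_s), n_s)  # sender's PRIVATE key
    return {"wrapped_key": wrapped, "ciphertext": ciphertext, "signature": signature}


def verify_signature(envelope: dict, sender_pub) -> bool:
    """Recipient side: does the signature check out under the sender's PUBLIC key?

    A False result means either a forged sender or an envelope altered in transit.
    """
    n_s, e_s = sender_pub
    expected = int.from_bytes(
        hashlib.sha256(envelope["wrapped_key"] + envelope["ciphertext"]).digest(), "big")
    return pow(int.from_bytes(envelope["signature"], "big"), e_s, n_s) == expected


def open_envelope(envelope: dict, recipient_priv, sender_pub) -> bytes:
    """Recipient side: verify first, then unwrap the session key and decrypt."""
    if not verify_signature(envelope, sender_pub):
        raise ValueError("signature check failed: wrong sender key or envelope altered")
    n_r, d_r = recipient_priv
    key_int = pow(int.from_bytes(envelope["wrapped_key"], "big"), d_r, n_r)
    if key_int.bit_length() > 256:  # garbage: not the recipient's private key
        raise ValueError("session key unwrap failed: not the recipient's private key")
    return _keystream_xor(key_int.to_bytes(32, "big"), envelope["ciphertext"])
```

Note the order in open_envelope: the signature is checked before any decryption is attempted, so a tampered or mis-attributed envelope is rejected without ever touching the session key.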

Certificates

One problem with creating public/private keys and using SSL is that they can lull users into a false sense of security. Just because a Web site encrypts its traffic does not mean that the site is a legitimate site. A rogue site could set up SSL, create its own keys, and collect credit card numbers for a bogus product. To protect against this scam, a certificate authority certifies the site: it binds the site's public key to its domain name (and, depending on the certificate type, to the organization behind it) in a signed certificate. Keys can be generated without a CA, but a browser will not trust the site's certificate until a CA it recognizes has signed it.

A certificate authority (CA) vouches that the applicant controls the domain named in the certificate and, for organization-validated certificates, that the business behind it exists. There are hundreds of CAs, which you can find with a quick search of the Internet, that can issue a certificate for your key. You must obtain a certificate from a CA and install it on your site before browsers will accept your SSL connections without warnings. These certificates remain valid until expiration or revocation. Keep in mind as well that the CA maintains a list of certificates it has withdrawn in a special list called the certificate revocation list (CRL); clients consult it, or the CA's online status service (OCSP), so that a certificate whose private key has been compromised can be rejected before its expiration date.

Note

You can find details on SSL, encryption, cryptography, and public/private keys at www.rsa.com.


Why Not Use SSL for Everything?

Although SSL makes it easy to secure data, it costs some performance. Most of the cost is the public-key arithmetic in the connection handshake; encrypting the data itself with the session key is comparatively cheap, but on a busy server the handshakes add up. (On current hardware the overhead is small enough that the usual recommendation is now to serve everything over TLS; the trade-off below is the one that applied to servers of this book's era.) The best time to use SSL is when you're sending confidential information over the Internet. Confidential information should be protected whether your Web site or the user sends it.

Creating a Secure Site

Creating your own secure Web site with SSL is not as difficult as it might initially seem. Follow these steps:

  1. Open the Internet Information Server Management Console. Right-click the Web site for which you want to use SSL. When the pop-up menu appears, select Properties. Click the Security tab.

  2. Click the Key Manager button, and right-click the WWW entry; a submenu appears.

  3. Select Create New Key from the pop-up menu. You then must enter a filename for the request file. That file holds a certificate signing request (your public key and organizational details, signed with your new private key), which you will submit when you apply for your certificate; the private key itself stays in Key Manager and must never be sent to anyone. You can see the dialog box in which you enter the filename.

  4. Name the key and type in a password. This password protects the private key, and you will need it again when the certificate is installed. As with most Microsoft password selection dialog boxes, you must confirm the password before continuing.

  5. In the next dialog box, enter the organizational information. Be sure that the Common Name field contains the fully qualified domain name exactly as users will type it into the browser; a certificate whose name does not match the address makes every browser warn.

  6. Enter location information in the Geographical dialog box.

  7. A very important Contact dialog box comes next, in which you enter your name, e-mail address, and phone number.

  8. Finally, you'll get to a Request File Summary dialog box with instructions. This is largely a confirmation dialog box.

  9. Return to Key Manager; it now shows that a key was created. The Key icon, however, indicates by the orange and yellow mark that it is not complete. In other words, the certificate from a certificate authority has not been added.

  10. Choose one of many certificate authorities. I use Thawte. Their Web site is http://www.Thawte.com. There, I apply for a certificate. An important part of the application is submission of the newly created request. Open the text file that Key Manager created, copy the request block (everything from its BEGIN line to its END line, inclusive), and paste it into the application form. This block contains only your public key and organizational details; never paste a private key into any Web form.

    Note

    When you apply for a certificate, you must choose the Web server type you are using. You also need to be prepared to provide some documentation, including proof of your company's existence and proof of your right to apply for a certificate for the domain. You will then have to sign the application. The application can be printed from your browser.

    When I applied for a certificate, my difficulty was that I applied using a company that is a sole proprietorship. I got a response from Thawte indicating that they wanted my incorporation documents. Because I did not have any, mainly because I applied with a sole proprietorship, I had to provide some additional documentation. Be prepared for the extra step if you don't have papers of incorporation. In spite of the inconvenience, I would rather they err on the side of caution.

  11. When you receive your certificate, you are ready to complete the process. With certificate in hand, open Key Manager. Right-click the Incomplete Key icon. When the pop-up menu appears, select Install Key Certificate. You then have to type in your password.

    Caution

    One word of warning: Don't lose your password. The certificate is bound to the key pair that the password protects. If you pay for a certificate, lose the password, and are then unable to install the certificate, you are out of luck: the certificate authority will not provide you with your password, and they will not issue another certificate.

  12. Edit the server bindings for the SSL certificate. You must set the IP address or addresses and the port number.

  13. Leave the IP address set to All Unassigned unless the site is bound to one specific address of your domain. The SSL port must be 443, the port browsers use for https:// addresses; port 80 remains the plain HTTP port and stays in place for unencrypted requests.

    Note

    For any resources that must be secured using the digital certificate, you must set its properties to be so. Normally, you will only want to make selected files secure. You can, however, make the entire domain secure, but as discussed earlier, this might not be a good idea because it exacts a performance penalty on the server.

  14. From the Internet Information Server Management Console, right-click the resources you want to make secure. For this example, I used a single file named UseSSL.htm .

  15. Right-click the file, select properties, and click the Key Manager button. A dialog box will appear.

  16. The only change I made was to select the check box labeled Secure Channel, which makes IIS refuse to serve the file over plain HTTP.

  17. One thing you must remember is to set the SSL port for your Web site. From the Management Console, right-click the Web site and bring up its properties. Set the SSL port to 443.
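What the certificate authority does with the request file from step 10, and what a browser later checks before trusting the installed certificate (the Certificates section above), as an added example that is not code from the book, from IIS, or from Thawte. It assumes the third-party Python package cryptography (pip install cryptography), and the root CA, the organization "Example Co" and the host name www.example.com are constructed for the example. The CA part stands in for Thawte: it checks that the applicant holds the private key, signs the public key with the CA's key, and publishes a CRL. The client part performs the four checks a browser makes: trusted issuer, validity dates, name match, and revocation status.

```python
"""Toy CA plus client-side certificate checks (added example; needs `cryptography`).

Not code from the book, IIS or any CA. Names below are constructed.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.x509.oid import NameOID


def _now() -> datetime.datetime:
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def make_csr(fqdn: str):
    """Server side (Key Manager steps 3-8): key pair plus a signed request.
    Only the CSR is returned for submission; the private key stays with the server."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    csr = (x509.CertificateSigningRequestBuilder()
           .subject_name(x509.Name([
               x509.NameAttribute(NameOID.ORGANIZATION_NAME, "Example Co"),
               x509.NameAttribute(NameOID.COMMON_NAME, fqdn)]))
           .add_extension(x509.SubjectAlternativeName([x509.DNSName(fqdn)]), critical=False)
           .sign(key, hashes.SHA256()))
    return key, csr.public_bytes(serialization.Encoding.PEM)


def is_safe_to_submit(pem: bytes) -> bool:
    """Guard for step 10: only a CERTIFICATE REQUEST block goes into the CA's form."""
    return pem.startswith(b"-----BEGIN CERTIFICATE REQUEST-----") and b"PRIVATE KEY" not in pem


def make_ca(name: str = "Toy Root CA"):
    """A self-signed root playing the CA's role (constructed for the example)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    ca_cert = (x509.CertificateBuilder()
               .subject_name(subject).issuer_name(subject)
               .public_key(ca_key.public_key()).serial_number(x509.random_serial_number())
               .not_valid_before(_now()).not_valid_after(_now() + datetime.timedelta(days=3650))
               .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
               .sign(ca_key, hashes.SHA256()))
    return ca_key, ca_cert


def issue(ca_key, ca_cert, csr_pem: bytes, days: int = 365):
    """CA side: check proof of possession, then sign the applicant's public key."""
    csr = x509.load_pem_x509_csr(csr_pem)
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: applicant does not hold the private key")
    san = csr.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    return (x509.CertificateBuilder()
            .subject_name(csr.subject).issuer_name(ca_cert.subject)
            .public_key(csr.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(_now() - datetime.timedelta(minutes=5))
            .not_valid_after(_now() + datetime.timedelta(days=days))
            .add_extension(san, critical=False)
            .sign(ca_key, hashes.SHA256()))


def make_crl(ca_key, ca_cert, revoked_serials):
    """CA side: publish serial numbers of certificates withdrawn before expiry."""
    builder = (x509.CertificateRevocationListBuilder().issuer_name(ca_cert.subject)
               .last_update(_now()).next_update(_now() + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial).revocation_date(_now()).build())
    return builder.sign(ca_key, hashes.SHA256())


def validate(cert, ca_cert, crl, fqdn: str, at=None) -> str:
    """Client side. Returns "ok" or the reason server authentication fails."""
    at = at or _now()
    try:  # 1. signed by a CA the client trusts?
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    padding.PKCS1v15(), cert.signature_hash_algorithm)
    except InvalidSignature:
        return "not signed by a trusted CA"
    if not cert.not_valid_before <= at <= cert.not_valid_after:  # 2. within validity?
        return "expired or not yet valid"
    names = cert.extensions.get_extension_for_class(
        x509.SubjectAlternativeName).value.get_values_for_type(x509.DNSName)
    if fqdn not in names:  # 3. does it name the host the user typed?
        return "name mismatch"
    if not crl.is_signature_valid(ca_cert.public_key()):  # 4. revocation status, from a CRL we trust
        return "CRL not signed by the CA"
    if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
        return "revoked"
    return "ok"
```

The order of checks in validate matters: a certificate from an unknown issuer is rejected before its dates or names are even read, because nothing in an untrusted certificate can be relied on, and the CRL is only consulted after its own signature has been verified against the same CA.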

To find the best tech support in this area you need to contact Thawte. Initially I had some difficulty with the installation; I forgot to set the SSL port to 443. I read some of the FAQs on the Thawte Web site. When I wasn't able to define my problem exactly, I decided to use their 24-hour, 5-day tech support chat client. It was an easy way to talk to their tech support people in real time and figure my problem out quickly.

If you are going to have commerce on your server, or if confidential information is transferred, you need SSL. To use SSL, you must obtain and install a digital certificate.

Adding SSL is a relatively easy process but is a mystery to many developers. Use the instructions in this section, and you should have no trouble implementing SSL certificates on your IIS server. For more information go to www.Thawte.com.

Special Edition Using ASP.NET
ISBN: 0789725606
Year: 2002