1. Introduction The topic WEB SECURITY describes a very widespread topics.WEB SECURITY means WORLD WIDE WEB SECURITY.

Web is a large repository of information spread all over the world and linked together by means of pointer. security is the ability to have control over others use of your resources .web is a distributed client server service . The different types of threats on the Internet, which can create damage, have to be known and understood before being able to develop and implement types of security against those risks. The security problems can occur on any networked computer. The possible risks are an important theme of our essay; because they are the reason why customers lose their trust and confidence as a business could suffer from a big loss in profit and image, because of intrusion or failure. The threats can come from the inside of a company as well as from the outside, but it is sure that they are increasing from both sides. The most known and feared threats are for example hackers and viruses. The main reason why this kind of risks can exist is that many threats are only possible through the original design of the TCP/IP (Transmission Control Protocol/Internet Protocol), but most are due to configuration or operator carelessness. We will shortly say a few words about TCP/IP so that it is understandable what it is that makes them so open to attacks. IP packets through which most Internet traffic is transferred have the function to pass packets from source to destination and nothing more. It is not their purpose to perform packet recovery nor do they guarantee the arrival of the packet at the destination. The data can be of any possible form. TCP is a connection-oriented reliable transport layer protocol. This means that before any data is exchanged, the two machines establish a session and the TCP is responsible for the guarantee of the delivery. To prevent against those occurring threats, security systems, in general called Information or Web Security, are established.

2. Information or Web Security - Types of Security

Security has always been a big issue in the question of IT use. But its complexity and necessity have both risen in the past few years. As already said in the introduction, connecting to the Internet creates many opportunities for a company, but it also gives the possibility for security risks. In order to create trust, it is very important to fight against those risks and that is why information security is already a well-established discipline with the purpose of being able to control the transmitted information. This primary security controls are Confidentiality Authentication Integrity.

Information security defends against the threats that can occur. To protect from the illegal use, information security knows different types of security like digital signatures and certificates. The point is that no one likes to trust blindly but prefers to see some proofs. Such proofs are digital signatures and digital certificates. In easy words digital signatures are the assurance that the transferred data has been sent by the person who claims to have sent it and furthermore that the data has not been changed and digital certificates are the assurance that the sender is really the person he claims to be. Digital signatures and certificates are very complex. For better understanding why digital signatures and certificates can be trusted, their components will be described in further detail. 2.1 Virtual Private Networks (VPN) An e-commerce system spans multiple users together in the network. Those users have to communicate securely with each other so that they are able to do business over the Internet. For this reason two main issues are necessary: the information has to be authenticated, which means the sender has to send it by himself, and the information has to be unchanged. In order to achieve

those issues, the information is encrypted in the way that only specific users can decrypt it. By doing so, they have established a Virtual Private Network. For different purposes exist different ways to encrypt the information and we will explain the most important ones. In order to understand the different encrypting methods, one must first understand the meaning of encryption. 2.2 The meaning of encryption Encryption [] is the process of scrambling a message in order to hide its content, thus providing confidentiality. Throughout history, encryption has always played an important role. During the Second World War radio signals had to be encrypted in order to keep enemies away of getting important information. Complicated methods and techniques have been developed to make encryption as secure as possible. The foundation for the field of cryptography was developed during the Second World War, where especially Japanese, Americans, and Germans established examples of sophisticated mechanized algorithms that were extremely difficult, not to say impossible to break by hand. Nowadays, encryption plays an important role for the functionality of digital signatures. In terms of computer language it means that it is the scrambling of data files so that they are unreadable by anyone who does not have the key. The general encryption system in graphical form

Encryption key

Decryption key

threatened (public) transmission channel Enryp -ted text Enryp -ted text

Clear text

Encryption fuction

Decryption fuction

Clear text

Figure 1: General Encryption System, Krause (2000)

2.2.1 Secret Key Encryption - Symmetric Encryption The Secret Key Encryption uses the same key for encrypting and decrypting the information. This means that the sender as well as the receiver has to use the identical key. Secret key algorithms work well when sender and receiver can arrange to exchange the key. But there exists a big risk while using this form of encryption. When transmitting the key over a public network, an unofficial user can capture it. To work against that problem another kind of encryption exists: 2.2.2 Public key encryption - Asymmetric encryption The technical system on which digital signatures and certificates are based is called asymmetric encryption, also known as Public Key Cryptography, and it is a form of encryption where keys are kept in pairs. Typically the users create a matching key pair and make one of the keys public while keeping the other one secret. The two keys are therefore called public and private key. This key pairs generally can be created and updated by the users themselves. Asymmetric encryption systems have the advantage that by knowing only one key, it is impossible to trivially guess the other one.

Asymmetric encryption in graphical form

Random number Generation of the key

Key for testing the signature, publicly known

Text

Signing

Text with signature

Text with signature and Test result Testing Either ok or false

Figure 2, Asymmetric Encryption System, Bertsch (2002)

3.2.3. Public Key Infrastructure For using the asymmetric encryption method, a Public Key Infrastructure is required. It is a set of servers, software, protocols and application programs that are used in order to manage the private and the public keys of a group of users.

3. Digital signatures In the following chapter an explanation about the concept of digital signatures and its functionality will be given. 3.1 The concept of digital signatures Digital signatures cannot be understood as a bitmap image of a handwritten signature, although they basically are a means to do online what persons do with written signatures in the real world. In its simplest form, a digital signature is a cryptographic piece of data that is attached to a piece of code, which could be a programme code or Web Services. Simply said, a digital signature is meant to provide the receiver of a message with assurance that the original message and its content is unaltered or has its original integrity.

Digital signatures are created and verified by cryptography and use the above explained public key cryptography. The sender of the message encrypts it with his private key and everyone that receives the message can decode it with the public key of the sender. But the public key encryption has one big disadvantage. It is its speed. As a solution a hashing function is being used. The hashing function, the so-called fingerprint, is a one-way function that creates a much shorter digital summery of the data. A hashing function cannot be reversed, but it is not possible for two documents to produce the same hash. In a digital signature, a documents hash is encoded with the private key of the sender and attached to the document. Only if the message has really been encoded with the senders private key and the content of the message has not been modified or changed, the receiver gets an ok when decoding the hash with the senders public key. Any modification of the data, for example the content of the message, in effect, breaks the signature and anyone can tell that the message and its content have been changed. Summarized a digital signature meets the primary control and the needed legal requirements: Signer Authentication: If the public key associates to the private key of the signer, the signer is identified and his message ascribed. Message Authentication: If the hash function before the encryption corresponds identical to the one after the decryption, the message cannot have been changed. The method used for creating digital signatures has a highly developed technology and is therefore also accepted by many corporations, banks, and government agencies. A malfunction or a security problem in a digital signature cryptosystem is as good as impossible. The risk on undetected forgery or alteration is much higher, while using wet ink signatures.

Digital Signatures in graphical form

Message

Hash Function

Hash Result

Signing Function

To Verifier

Only Private Key Holder can sign

Private Key

Figure 3, Digital Signature Creation Process

Hash Result Message Digital Signature Hash Function

From Signer

Verify Function

Valid Y/N?

Anyone can verify

Public Key

Figure 4, Digital Signature Verification Process

3.2. Summarizing digital signatures Concluding we want to explain the development of a digital signature and its components. Firstly the hash of the message, which has to be signed, is created and being encrypted with the private key of the sender. The message together with the signed hash is being transmitted to the receiver. The receiver gets it and is looking for the public key with which the hash can be decrypted. If it can be decrypted the hash cannot have been changed. After that the receiver also creates the hash of the message and looks if it is equal to the hash created by the sender. If the two values match, a valid digital signature exists.

In praxis all of these different and complicating steps are not visible for the user. Current email programs make it possible to add a digital signature automatically to the information, which shall be signed. Additionally the software of the receiver can also automatically verify the digital signature. Obviously the sender as well as the receiver is able to encrypt and decrypt information with a click of the mouse. But as a prerequisite of a legally accepted digital signature, the users have to apply to a public key infrastructure. As explained a digital signature wants to be verified. The verifier must get somehow to the signers public key and also be sure that it also matches to the signers private key. As the keys are actually only a pair of numbers, they cannot be trivially associated with a person. In order to be able to associate a key with a person, another system is necessary. 4. Digital Certificates In the electronic world, a certificate is a collection of information to which a digital signature has been affixed by some authority who is recognized and trusted by some community of certificate users. Digital certificates exist, because authentication control and integrity control, which are guaranteed as explained before through using digital signatures, do not yet assure the identity of the sender. It still has to be proofed that the sender of a signed data is really the person he claims to be, which is done through issuing a digital certificate. A digital certificate can be seen as an electronic identity card. Therefore a digital certificate has two tasks: 1. Connecting a public key with an individual 2. Validating of this individual. In order to fulfil the two tasks Certification Authorities are used. This means that a Certification Authority issues a certificate (task 1), but it does this only after verifying the persons identity . For better understanding, we will explain in further detail what a Certification Authority stands for: 4.1 The Certification Authority The responsible authority for signing new public keys is called Certification Authority (CA). This authority now is a third party, which has to be trusted by both sender and receiver of the 8

data, because it certifies that public keys really belong to their claimed owners. Therefore prior to issuing a certificate, the certification authority has to confirm the identity of the person whose private key matches to the public key enclosed in a certificate. In order to do that the CA checks with a registration authority (RA) to verify information provided by the requestor of a digital certificate. If the RA verifies the requestor's information, the CA can then issue a certificate. In other words the Certification Authority can issue the electronic identity card. Besides certificating that a certain public key belongs to a certain person, other information concerning the subscriber can be given. Usually a digital certificate contains the name, a serial number, expiration dates, and a copy of the certificate holder's public key. The certification authority digitally signs all this information with its own private key in order that the recipient can verify by using the public key that the certificate is real and the information has not been changed. 4.1.2. The Hierarchy of Certification Authorities As it is obvious, trust plays an important role in the case of a Certification Authority. But in order to minimize the need of only trusting, a hierarchy of different Certification Authorities can be created. This means that a second Certification authority confirms the first Certification Authoritys public key through which the first certificate is signed by creating a new certificate with the first Certification Authoritys public key as the subject and then assuring it by connecting the own public key to it. As many Certification Authorities as wanted can be used until one is adequately assured of its authenticity. Which means until the person feels it is agreeable to trust. Popular Certification Authorities, whose Public Key's are built into most World-Wide Web browsers, include the following companies: Thawte VeriSign Canada Post United States Post Office

In other words a digital certificate is a message which at least 1. identifies the certification authority issuing it, 2. names or identifies its subscribers,

3. contains the subcribers public key, 4. identifies its operational period, and 5. is digitally signed by the certification authority issuing it. 4.2 SSL Secure Socket Layers Digital certificates encrypt data using Secure Socket Layer (SSL) technology, the industrystandard method for protecting web communications developed by Netscape Communications Corporation. The SSL security protocol provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. 4.3 Conclusions to Information Security Concluding it has to be said, that even the most advanced security standards cannot help, when an intruder has access to the individual computer. For that reason some points should be taken into consideration: using the newest browser versions always making new software updates using of a virus program using save passwords.

But when taking all this points serious doing business on the Internet is a save way of doing business.

5. Conclusions First we want to mention, that web security using digital certificates and signatures from a technical point of view are definitely secure. It is possible to see that a great potential of users for digital signatures and certificates would exist, especially in the banking sector and for financial institutions, however the system is still not that widespread as it was expected to be, because when it comes to signing documents online people still prefer the usual way in the real world, namely signing them by hand. One can see that in the case of VeriSign, the revenues decreased enormously in the last years. Security methods, such as digital signatures and certificates, have already existed for over ten years, but still they are not commonly used.

10

In our opinion, the reasons why digital signatures and certificates are still not that accepted as they were expected to be a few years ago are the following: First, the most important reason in our opinion is that people do not know much about the existence and if it is known, very little is known about the functionality. Like it is usually the case with a new technology, the willingness of accepting it is very low in the beginning. Second, psychological reasons are of major importance. People that know about the existence and functionality of digital signatures and certificates should logically also know that this system is definitely secure, however they refuse to use it. Take the example of fear of flying. There are many people who are afraid of flying, but have no problems with driving cars, although it is proved in various statistics, that driving is much more dangerous than flying. Knowing that, people are still afraid due to psychological reasons. People feel that they cannot do anything while sitting in an airplane, because it is off their hands, as it is the case with digital signatures and certificates. While signing a contract in the real world, psychologically one has the feeling of really signing, while signing a contract online the encryption and decryption (the security) cannot psychologically be felt and therefore does not have the same effect. Third, signing documents digitally has not yet reached the status of a normal task and therefore it is not commonly accepted by the end-users and people still have some fear. We assume, as it will get more common and people get more used to it, people will also start trusting the system and therefore using it. Summing up it can be said that digital signatures and certificates definitely play a big role in establishing trust on the Internet when it comes to online transactions of data or documents. However, as the system is still not that common and widespread, people prefer wet ink signatures to digital signatures. Finally, it can be stated that the bigger trust in information security is and gets, the bigger will be its success. 6. References 1.Data Communications and Networking by B.A.Forouzan. 2. The Complete Reference Linux by R. Petersen. 3. www.google.com.

11