The internet, i.e. the World Wide Web, has become a new information-disseminating and business medium. The increasing commercialization of the internet is constantly giving rise to ideas for new types of business which can be transacted over the internet. Even today, the internet user can perform virtually all the commercial transactions involved in ordinary everyday life over the internet. In the business world too the internet has become an indispensable tool. Companies use the internet both for developing and for marketing their products.
However, there are also dangers to these opportunities offered by the internet. To an increasing extent, even confidential information is being exchanged between clients and servers over the internet. This is particularly true of the exchange of confidential knowhow. The client and the server therefore need to be sure that access to the confidential information is impossible while it is being transmitted over the internet. As well as this it must also be ensured that the authenticity of the receiver of the confidential information can be relied on. Finally, more and more providers of web servers are starting to restrict access to web contents, i.e. are permitting access only in return for the input of a user ID and password. In the prior art there are certain methods which have become established on guaranteeing authenticity between client and server and of ensuring that no unauthorized access is possible during transmission.
Where access to web pages is restricted by means of a user ID and password, the browser is told that this is the case and it then opens a dialog box to allow a user ID and/or a password to be entered. Once the user ID and password have been entered, the browser sends them to the web server and if they are correct the latter opens access to the web pages.
A disadvantage of this method lies in the alloting and management of the user ID's and passwords may be misused by unauthorized persons or may be listened in on by such persons when they are being transmitted from the client to the web server.
In an improved method the web server stores the client's TCP/IP address in a table. The TCP/IP address is thus considered to be authorized. A disadvantage of this method is that the TCP/IP address of the authorized client can be replaced by another TCP/IP address belonging to an unauthorized client if the unauthorized client has covertly found out the user ID and password. When this is the case the unauthorized person can still again access to the web server.
SSL (secure socket layer) is a transmission protocol for the secure transmission of information. Contemporary browsers largely support this protocol. Browsers which support SSL contain a database holding certificates for public keys. Each public key is certified by a certificate issued by a recognized certification center. The protected-access web server contains a private key, with one public key being assigned to each such private key. For the public key in question, there is also a certificate on the web server.
The web server sends the certificate to the client. The certificate comprises the public key, identity data and a signature. The signature was generated by the web server by means of the private key. The client checks the validity of the certificate by reference to the certificates held in store and generates a signature by using an encryption algorithm and the public key. If the signature in the certificate is the same as the signature generated, the server has authenticated itself.
The same method can also be used to authenticate the client.
In this case too it is essential for the client to have a private key and a certificate.
The private key must be protected against access. Therefore it must not be stored on the client's hard disk. As an alternative to this the private key can be stored on a card. What is a disadvantage in this case however is that the card has to be capable of performing a public key procedure and to do this it requires a cryptographic co-processor. This however makes the card expensive.
To provide a secure channel for communications, the SSL protocol makes it possible for the information for transmission to be encrypted by means of a session key on which the client and the web server have agreed. The session key is a symmetrical key. It is used to encrypt the information which is going to be transmitted.