Application Generic - SSL and PCT

SSL (Secure Sockets Layer) was originally designed by Netscape Communications. There were some rival proposals, most notably by Spyglass (Mosaic) for S-HTTP (secure HTTP), and Microsoft/Visa for Secure Transaction Technology (STT). However, SSL seems to have won the day, with even Microsoft adopting it in favour of their own STT.

SSL is an open standard, and an Internet draft specifying the protocol has been published by the IETF. In addition, Netscape makes a reference implementation available to developers, which they may use as the basis of their own code. SSL covers each of the security issues that we have discussed: authentication of both server and client, data encryption, and message authentication. In addition, it provides a framework for on-the-fly compression.

Although Microsoft have essentially abandoned their own STT, they have taken some of the lessons learned from it and applied them on top of SSL to create something which they call Private Communication Technology (PCT). Like Netscape, they have made the specification publicly available, together with a reference implementation.

The main advantage of PCT over SSL is that it separates the authentication mechanism from the encryption mechanism. It also produces smaller messages and includes some additional security features. SSL uses the same key for both authentication and public key encryption. This is a problem, since both will be governed by the restrictive US key-length export limits. The US government is much more relaxed about key lengths used for authentication, so by separating authentication from public key encryption, PCT can use much longer, and therefore more secure, authentication keys.

Netscape browsers and server currently support only SSL. Microsoft browsers and servers support PCT and hence are also compatible with SSL.
©1994-2006 All text and images copyright: www.abcseo.com