Secure Sockets Layer and Secure HTTP  

Posted by my reflection

Many large internet product developers agreed to use an encryption protocol known as Secure Sockets Layer (SSL), developed by Netscape, for transmitting private documents over the internet. SSL works by using a private key to encrypt data that is transferred over the SSL connection. Both Netscape Navigator and Internet Explorer support SSL, and many Web sites use this protocol to obtain confidential user information, such as credit card numbers. The protocol, layered between application-level protocols such as HTTP and the TCP/IP transport-level protocol, is designed to prevent eavesdropping, tampering, and message forgery. Since SSL is layered under application-level protocols, it may also be used for other application-level protocols such as FTP and NNTP.
Another protocol for transmitting data securely over the Web is Secure HTTP (S-HTTP), a modified version of the standard HTTP protocol. S-HTTP was developed by Enterprise Integration Technologies (EIT), which was acquired by Verifone, Inc. in 1995. Whereas SSL creates a secure connection between a client and a server, over which any amount of data can be sent securely, S-HTTP is designed to transmit individual messages securely. SSL and S-HTTP can therefore be seen as complementary rather than competing technologies. Both protocols have been submitted to the Internet Engineering Task Force (IETF) for approval as standards. By convention, Web pages that require an SSL connection start with https: instead of http:. Not all Web browsers and servers support SSL/S-HTTP.
Basically, these protocols allow the browser and server to authenticate one another and secure the information that subsequently flows between them. Through the use of cryptographic techniques such as encryption and digital signatures, these protocols:
• Allow Web browsers and servers to authenticate each other;
• Permit Web site owners to control access to particular servers, directories, files, or services;
• Allow sensitive information (for example, credit card numbers) to be shared between browser and server, yet remain inaccessible to third parties;
• Ensure that data exchanged between browser and server is reliable, that is, cannot be corrupted either accidentally or deliberately without detection.

A key component in the establishment of secure Web sessions using SSL or S-HTTP protocols is the digital certificate, discussed above. Without authentic and trustworthy certificates, protocols like SSL and S-HTTP offer no security at all.
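As an added illustration (not code from the original post), the client-side TLS setting that decides whether that closing sentence applies: a Python `ssl` context that skips certificate checks beside the hardened default. Function names are my own; the contexts are built offline and no connection is made.

```python
import ssl

# Added example, not from the original post: the weak client configuration
# beside the hardened one. Both contexts are built locally; nothing connects.

def insecure_context() -> ssl.SSLContext:
    """Accepts any certificate and ignores the host name: traffic is
    encrypted, but the peer is never authenticated, so the encryption
    protects against nobody who can sit in the path."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be off before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def secure_context() -> ssl.SSLContext:
    """Requires a certificate that chains to a trusted CA and matches the
    host name, which is what makes the certificate the key component."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, check_hostname, system CA store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # SSL 2/3 and TLS 1.0/1.1 are obsolete
    return ctx

def authenticates_peer(ctx: ssl.SSLContext) -> bool:
    """Audit check for any context handed to wrap_socket(): does it really
    verify the server's certificate and host name?"""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)
```

Run `authenticates_peer()` over every context a code base creates; any `False` result is a connection where "https:" in the address offers no authentication at all.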

Kerberos  

Posted by my reflection

Kerberos is a server of secured user names and passwords (named after the three-headed monster in Greek mythology that guarded the gate of hell). The importance of Kerberos is that it provides one centralized security server for all data and resources on the network. Database access, login, authorization control, and other security features are centralized on trusted Kerberos servers. Kerberos has a similar function to that of a certificate server: to identify and validate users. Security companies are currently investigating a merger of Kerberos and certificate servers to provide a network-wide secure system.

Digital Certificates  

Posted by my reflection

A digital certificate is an attachment to an electronic message used for security purposes, most commonly to verify that a user sending a message is who he or she claims to be, and to provide the receiver with the means to encode a reply.
An individual wishing to send an encrypted message applies for a digital certificate from a Certificate Authority (CA). The CA issues an encrypted digital certificate containing the applicant's public key and a variety of other identification information. The CA makes its own public key readily available through printed material or perhaps on the internet.
The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, verifies it as issued by the CA, and then obtains the sender's public key and identification information held within the certificate. With this information, the recipient can send an encrypted reply.
Clearly, the CA's role in this process is critical, acting as a go-between for the two parties. In a large, distributed, complex network like the internet, this third-party trust model is necessary, as clients and servers may not have an established mutual trust yet both parties want to have a secure session. However, because each party trusts the CA, and because the CA is vouching for each party's identification and trustworthiness by signing their certificates, each party recognizes and implicitly trusts the other. The most widely used standard for digital certificates is X.509.

Message Digest Algorithms and Digital Signature  

Posted by my reflection

A message digest algorithm, or one-way hash function, takes an arbitrary-sized string (the message) and generates a fixed-length string (the digest or hash). A digest has the following characteristics:

• It should be computationally infeasible to find another message that will generate the same digest;
• The digest does not reveal anything about the message.

A digital signature consists of two pieces of information: a string of bits that is computed from the data being 'signed', together with the private key of the individual or organization producing the signature. The signature can be used to verify that the data comes from this individual or organization. Like a handwritten signature, a digital signature has many useful properties:

• Its authenticity can be verified, using a computation based on the corresponding public key;
• It cannot be forged (assuming the private key is kept secret);
• It is a function of the data signed and cannot be claimed to be the signature for any other data;
• The signed data cannot be changed; otherwise the signature will no longer verify the data as being authentic.

Some digital signature algorithms use message digest algorithms for parts of their computations; others, for efficiency, compute the digest of a message and digitally sign the digest rather than signing the message itself.
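An added example, not code from the original post, that walks the digest, signature and certificate flow from this section and from the Digital Certificates section above using only Python's standard library: a toy RSA signature over a SHA-256 digest, plus a CA that signs a sender's public key so the recipient can verify the sender's key before checking the message. The party names, the certificate field format and the Mersenne-prime keys are constructed for the demonstration and are not secure parameters.

```python
import hashlib
# Added example, not from the original post. Toy RSA with no padding and
# keys built from well-known Mersenne primes so it runs offline; a real
# system uses random primes and a padding scheme such as PSS.
E = 65537

def make_keypair(p: int, q: int):
    """Return ((n, e), (n, d)); n must exceed 2**256 so a SHA-256 digest fits below it."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))      # modular inverse, Python 3.8+

def digest_int(message: bytes) -> int:
    """One-way hash: arbitrary-length message in, fixed-length SHA-256 digest out."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(message: bytes, private_key) -> int:
    """Sign the digest rather than the message itself (the efficiency trick in the text)."""
    n, d = private_key
    return pow(digest_int(message), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Recompute the digest and compare it with the value recovered via the public key."""
    n, e = public_key
    return pow(signature, e, n) == digest_int(message)

def make_certificate(subject: str, subject_public_key, ca_private_key):
    """Toy 'certificate': the subject name and public key, signed by the CA."""
    body = f"subject={subject};n={subject_public_key[0]};e={subject_public_key[1]}".encode()
    return body, sign(body, ca_private_key)

def public_key_from_certificate(certificate, ca_public_key):
    """Recipient side: check the CA's signature, then extract the sender's public key."""
    body, ca_signature = certificate
    if not verify(body, ca_signature, ca_public_key):
        return None                          # not issued by the trusted CA, or altered
    fields = dict(item.split("=", 1) for item in body.decode().split(";"))
    return int(fields["n"]), int(fields["e"])

# Constructed parties: the CA and a sender, each with its own modulus.
CA_PUBLIC, CA_PRIVATE = make_keypair((1 << 89) - 1, (1 << 607) - 1)
ALICE_PUBLIC, ALICE_PRIVATE = make_keypair((1 << 127) - 1, (1 << 521) - 1)
ALICE_CERT = make_certificate("alice", ALICE_PUBLIC, CA_PRIVATE)

def check_message(message: bytes, signature: int, certificate, ca_public_key) -> bool:
    """Full flow from the text: trust the CA, obtain the sender's key, verify the message."""
    sender_key = public_key_from_certificate(certificate, ca_public_key)
    return sender_key is not None and verify(message, signature, sender_key)
```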

Secure Sockets Layer and Secure HTTP  

Posted by my reflection

Many internet product developers agreed to use the encryption protocol better known as Secure Socket Layer (SSL), developed by Netscape for transmitting private documents over the internet. Both Netscape Navigator and Internet Explorer support SSL, and many websites also use this protocol to obtain confidential user data, such as credit card details. This protocol provides a layer between application-level protocols such as HTTP and the TCP/IP transport-level protocol. It is designed to prevent eavesdropping (listening in secretly), message tampering, or message forgery. And because SSL is layered beneath application-level protocols, it may also be used for other application-level protocols such as FTP and NNTP.

Another protocol that is also secure for transmitting data over the Web is Secure HTTP (S-HTTP); it is a modified version of the standard HTTP protocol. Secure HTTP (S-HTTP) was developed by Enterprise Integration Technologies (EIT). Whereas SSL creates a secure connection between client and server, over which any amount of data can be sent securely, S-HTTP was made to send individual messages securely. SSL and S-HTTP do not compete with each other; the two protocols complement each other. Both protocols have been submitted to the Internet Engineering Task Force (IETF) for standardisation. Thus Web pages that require an SSL connection begin with https: in place of http:. Not all Web browsers and servers can use SSL/S-HTTP.

Basically, these protocols allow the browser and the server to authenticate each other and secure the information that subsequently flows between them. This is done through cryptographic techniques such as encryption and digital signatures. These protocols serve to:

• Allow Web browsers and servers to authenticate each other.
• Permit Web site owners to control access to particular servers, directories, files, or services.
• Allow sensitive information (for example, credit card numbers) to be exchanged between browser and server, yet not give access to third parties.
• Ensure that data exchanged between browser and server is reliable, that is, cannot be corrupted either accidentally or deliberately without that corruption being detected.

A key component that must be in place when building a secure Web session using the SSL or S-HTTP protocols is the digital certificate, which we discussed above. Without authentic and trustworthy certificates, protocols such as SSL or S-HTTP offer no security at all.

Kerberos  

Posted by my reflection

Kerberos is a server containing user names and passwords whose security is guaranteed. What matters about Kerberos is that, as a server, it provides centralized security for all data and other resources. Kerberos also has the same function as a certificate server, namely to identify and validate users.

Digital Certificates  

Posted by my reflection

A digital certificate is an attachment to an electronic message used for security purposes, most commonly to prove that the user sending a message is who they really are, and to provide the receiver with the means to encode a reply. An individual wishing to send encrypted messages registers with a Certificate Authority (CA). The CA issues an encrypted digital certificate containing the applicant's public key and a variety of other identification information.

The recipient of an encrypted message uses the CA's public key to decode the digital certificate attached to the message, and obtains the sender's public key and the identification information held in the certificate. With this information the recipient can send an encrypted reply.

Clearly, the CA's role in this matter is very important, acting as an intermediary between the two certified parties. Because each party trusts the standards applied by the CA, trust between the two parties arises implicitly. The certificate standard used is X.509.