
Chapter 29: Security (page 551)

```php
// ...continued: $hash already holds the digest of the uploaded file, and
// $sig the path of the signature file the uploader sent alongside it.
$key = get_user_key($username);
// mcrypt was removed in PHP 7.2; openssl_encrypt() is the modern replacement.
$encr_hash = mcrypt_cbc(MCRYPT_BLOWFISH, $key, $hash, MCRYPT_ENCRYPT);
$sfp = fopen($sig, 'rb');                 // the original omitted the mode
$sig_data = fread($sfp, filesize($sig));  // and read from $sig instead of the handle
fclose($sfp);
if ($encr_hash != $sig_data) {            // hash_equals() would avoid a timing side channel
    echo "Rejected — signature did not match";
} else {
    echo "Accepted";
    // Continue handling the uploaded file
}
}   // closes the enclosing blocks, which begin on the previous page
}
?>
```

This program parallels the uploader's steps, first hashing the uploaded file and then encrypting the result with the user's key. If the results are the same, the uploader must have used the same key, and we can assume the file is genuine; this holds only as long as the key stays secret, since anyone who holds it can produce a matching signature. If the results differ, the upload is a forgery.

Secure Sockets Layer

The uses of cryptography presented so far protect the server's data. The single-key encryption example protects information the server stores on clients (cookies) from unwanted modification. The hashing example enables the server to detect forged files and refuse to accept them.

We now turn our attention to the security of your site's visitor. The visitor often transmits private information to your site: the visitor's password and credit card number must somehow travel from his or her machine to the server, across the untrustworthy network. The Secure Sockets Layer (SSL) protocol provides a way to do this so that an eavesdropper who captures the traffic cannot read it. It also provides a way for the site to prove its identity to the visitor and, optionally, for the visitor to prove his or her identity to the site. Although we won't delve into the cryptographic details, SSL does its work by using public-key cryptography to prove the identity of the server and to agree on a fresh key for the rest of the conversation. It then switches over to single-key (symmetric) encryption, which is much faster, using this new key. Note that this protects the data only while it is in transit; once it reaches the server, it is only as safe as the server itself. SSL has since been superseded by its successor, TLS; the SSL protocol versions are deprecated and a current server should offer only TLS, but the structure just described is the same.

Regardless of how you acquire and license the SSL software, you must obtain a certificate for your site from a well-known certificate authority. These authorities are the trusted third parties in the conversation between your server and a browser. They charged for their services when this book was written; today publicly trusted certificates are also issued free of charge by Let's Encrypt. It is beyond the scope of this book to make comparisons of competing SSL servers.
In the tradition of open source, the authors believe that the free implementations are the best and most reliable; indeed, many of the commercial SSL servers are based on the open source implementations! If you buy a commercial implementation, however, you receive support from that company, and you satisfy management's desire to pay for something. SSL is outside the scope of the book, since it really is an issue for Web server management rather than Web scripting. For more information on how to implement SSL on your site, see a good Apache or IIS book such as Apache Server 2 Bible, Second Edition, by Mohammed J. Kabir (Wiley, 2002).
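Returning to the upload-signature check earlier on this page: the following is an added example, written for this edit rather than taken from the book, and in Python rather than the book's PHP. It keeps the book's flow (the uploader signs the file under a per-user key, the server recomputes the signature and compares) but replaces the "hash, then Blowfish-encrypt the hash" step with HMAC-SHA256 from the standard library, which is the analysed construction for exactly this job and covers both of the book's steps at once. The `USER_KEYS` table and `get_user_key()` lookup are constructed stand-ins for the book's unshown `get_user_key()`, and the sample upload is made up. Two details a reviewer would insist on are shown: an unknown user is rejected instead of raising, and the comparison is constant-time rather than the book's `!=`.

```python
"""Keyed upload signature, modelled on the chapter's uploader/verifier flow.

Added example, not the book's code. HMAC-SHA256 replaces the book's
hash-then-Blowfish-encrypt step; the key table is a constructed stand-in
for the book's get_user_key() (assumption).
"""
import hashlib
import hmac
import io

# Constructed sample key table; in the book this is a get_user_key() lookup.
USER_KEYS = {
    "alice": bytes.fromhex("0f" * 32),  # constructed 256-bit key, not a real one
}

CHUNK = 64 * 1024  # read uploads in chunks so large files are not held in memory


def get_user_key(username: str) -> bytes:
    """Return the user's shared key, or raise for an unknown user (hypothetical lookup)."""
    try:
        return USER_KEYS[username]
    except KeyError:
        raise LookupError(f"no key on file for {username!r}") from None


def sign_upload(username: str, fileobj) -> bytes:
    """Uploader side: compute the signature over the file contents.

    HMAC hashes the data under the key, so this is the book's "hash the file,
    then bind the hash to the user's key" in one standard construction.
    """
    mac = hmac.new(get_user_key(username), digestmod=hashlib.sha256)
    for chunk in iter(lambda: fileobj.read(CHUNK), b""):
        mac.update(chunk)
    return mac.digest()


def sign_bytes(username: str, data: bytes) -> bytes:
    """Convenience wrapper for signing an in-memory upload."""
    return sign_upload(username, io.BytesIO(data))


def verify_upload(username: str, fileobj, sig: bytes) -> bool:
    """Server side: recompute the signature and compare it with the one sent.

    An unknown user is rejected rather than raising. compare_digest replaces
    the book's `!=`, which stops at the first differing byte and so leaks how
    much of a forged tag was already correct.
    """
    try:
        expected = sign_upload(username, fileobj)
    except LookupError:
        return False
    return hmac.compare_digest(expected, sig)


def handle_upload(username: str, data: bytes, sig: bytes) -> str:
    """The book's accept/reject branch, on an in-memory upload."""
    if verify_upload(username, io.BytesIO(data), sig):
        return "Accepted"
    return "Rejected - signature did not match"


if __name__ == "__main__":
    upload = b"<?php echo 'hello'; ?>\n"  # constructed upload body
    sig = sign_bytes("alice", upload)
    print(handle_upload("alice", upload, sig))                        # genuine
    print(handle_upload("alice", upload + b"\n", sig))                # tampered file
    print(handle_upload("alice", upload, sig[:-1] + bytes([sig[-1] ^ 1])))  # tampered tag
    print(handle_upload("mallory", upload, sig))                      # no key on file
```

The signature is a fixed 32-byte value regardless of file size, so it can be sent as a short sidecar or a hex header instead of the separate signature file the book reads with `fread()`. Anyone who holds the user's key can produce a valid signature, so the scheme authenticates possession of the key, not the person; rotating a leaked key invalidates every signature made under it.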