RE: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation


-----Original Message-----
From: Elliotte Rusty Harold [mailto:elharo@metalab.unc.edu] 
Sent: Tuesday, January 06, 2004 4:00 PM
To: xml-dev@lists.xml.org
Subject: Re: [xml-dev] Re: Cookies at XML Europe 2004 -- Call for Participation

... other text elided ...

> What feels wrong about this to me is that there are scalable, secure 
> sites in existence today that use SSL to encrypt sensitive 
> transactions. It's not obvious to me why this is more expensive than 
> those sites. It may be more expensive for sites that are not using 
> SSL. However, I'm not convinced it's cost-prohibitive or subject to 
> DOS attacks. Perhaps there's some point I'm missing here. Is it that 
> SSL uses public key encryption only to exchange a symmetric key, and 
> actually uses 3DES or some such symmetric algorithm for most data? 
> But digest authentication does not require the encryption of 
> everything, so it's cheaper than decrypting the entire page, and you 
> can still use HTTP over SSL with basic authentication if you prefer.

I'll try to add a little here...

SSL uses public key (asymmetric) encryption to exchange keys that are used
for symmetric encryption (DES or 3DES usually).  So there's a relatively
expensive first exchange where the symmetric keys are exchanged and from
that point the symmetric key is employed along with hashing (SHA-1) to a) ensure
integrity and b) provide confidentiality.

Those scalable, secure SSL-based sites usually employ a combination of
hardware encryption accelerators and/or use sticky bit to avoid the key
exchange when hitting a new server in a farm.

HTH,

James Delmerico
Senior Technical Architect, IPS Sendero
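
The effect of sticky routing on key exchanges in a server farm, as an added example that is not part of the original message. It is a constructed model that assumes "sticky" means the load balancer pins each client to one server, that each server keeps its own unshared session cache, and that a client holds only its most recent session id; all names in it are hypothetical.

```python
import itertools
import zlib

class Server:
    """One farm member with its own (unshared) SSL session cache."""
    def __init__(self, name):
        self.name = name
        self.sessions = set()
        self.counter = itertools.count(1)

    def connect(self, offered_id):
        """Return (session_id, full_handshake) for a client offering offered_id."""
        if offered_id in self.sessions:
            return offered_id, False      # session resumed: no public-key exchange
        new_id = f"{self.name}-{next(self.counter)}"
        self.sessions.add(new_id)
        return new_id, True               # full handshake: expensive key exchange

def round_robin(n_servers):
    """Routing policy: each request goes to the next server in turn."""
    turn = itertools.count()
    return lambda client: next(turn) % n_servers

def sticky(n_servers):
    """Routing policy: a client always lands on the same server."""
    return lambda client: zlib.crc32(client.encode()) % n_servers

def count_handshakes(make_route, clients, rounds, n_servers=3):
    """Return (full, resumed) handshake counts under one routing policy."""
    farm = [Server(f"s{i}") for i in range(n_servers)]
    route = make_route(n_servers)
    held = {c: None for c in clients}     # client keeps only its latest session id
    full = resumed = 0
    for _ in range(rounds):
        for c in clients:
            held[c], was_full = farm[route(c)].connect(held[c])
            full += was_full
            resumed += not was_full
    return full, resumed

CLIENTS = ["alice", "bob", "carol", "dave"]   # constructed sample clients

if __name__ == "__main__":
    for name, policy in (("round-robin", round_robin), ("sticky", sticky)):
        print(name, count_handshakes(policy, CLIENTS, rounds=5))
```

With four clients and three servers, round-robin sends every request to a server that does not know the client's session, so each of the 20 connections pays for a key exchange; sticky routing pays for only the first one per client.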