-----BEGIN PGP SIGNED MESSAGE-----
>>>>> "Marc" == Marc Kneppers <marc @ eeyore . pamco . com> writes:
Marc> You could sign the page with a public/private key signature and
Marc> then at least if people saw your info on a different web site,
Marc> they could grab your public key and check from the signature
Marc> that the info hadn't been altered (my understanding of these
Marc> types of signature is that the signature contains some
Marc> combination of your private/public key and a checksum of the
Marc> data - so only the person possessing the private key can create
Marc> the signature and the file checksum could be verified with the
Marc> public key).
This is really the best way to handle "secure" information, such as
prices, etc., that you don't want someone to be able to alter (and not
be able to prove the alteration is a fake) - even once it's on their
client. For an excellent explanation of how digital signatures work in a
public key crypto system, see Schneier's book "Applied Cryptography,"
published by Wiley.
Now, incorporating the signature could get slightly tricky; you've
basically got two options:
1. Sign the entire HTML file or whatever part you want to protect,
putting the signature in a separate file. (This would allow you
to have functional markup, etc.)
2. Sign a section of your page (price list, etc.), leave the
signature on the page, and slap <pre> and </pre> tags around the
signed part of the message and signature so the browser won't
screw around with the spacing (which will cause the signature to
not check out correctly.)
ViaCrypt PGP can be used for this purpose (it's only like $500) and
would actually be optimal - given what's available today - since just
about every paranoid has PGP, and everyone who doesn't can get it free
for their own use.
Check them out:
http://www.viacrypt.com/
Oh, one other thing... you'll need to make sure that your public key
is sitting somewhere highly visible on your server so that people can
easily get it. You might want to consider putting it into the PGP
keyservers as well.
- ---
C Matthew Curtin [AT&T|Bell] Labs Internet Gateway Applications Group
http://www.att.com/homes/matt_curtin.html PGP OK cmcurtin @ gatekeeper . att . com
-----BEGIN PGP SIGNATURE-----
Version: 2.7.1
Comment: Have you encrypted your data today?
iQCVAwUBMSXnnxhyYuO2QvP9AQFjpQQAh/Z0DUEXjyjFUTQZx4OYQdm8vpgX3vb8
Zb9zzMSNpFaz4EF2xfAqoxYLjaBciyuBj1ow1EGdkt4wIXbxHItnaGpD4KdhdD/R
JsIAq/vcCLdwP7+l/VVSvcg8GI7m52YRcslQLD51zf+1amnx74HrrCJn4UeUX2yP
uWcIriT7l+M=
=T+E2
-----END PGP SIGNATURE-----
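
Added example, not part of the original message: a Python sketch of option 2 showing why the clearsigned section needs <pre>. It recovers the text a clearsigned block covers, assuming the OpenPGP cleartext signature rules (dash-escaping undone, trailing whitespace dropped, CRLF line ends), and compares it before and after a rough model of browser rendering. It does not check the signature itself; the price list, the placeholder signature and all function names are constructed for illustration.

```python
import html
import re

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG = "-----BEGIN PGP SIGNATURE-----"

# Constructed sample: a clearsigned price list with a placeholder signature.
SIGNED = (BEGIN_MSG + "\n\n"
          "Widget          10.00\n"
          "Nuts & bolts     4.50\n"
          "- --- prices valid this month ---\n"
          + BEGIN_SIG + "\n(placeholder, not a real signature)\n"
          "-----END PGP SIGNATURE-----\n")

def signed_text(text: str) -> bytes:
    """Canonical bytes covered by the first clearsigned block in `text`."""
    start = text.index(BEGIN_MSG)
    block = text[start:text.index(BEGIN_SIG, start)]
    lines = block.splitlines()[1:]                # drop the BEGIN line
    body = lines[lines.index("") + 1:]            # skip armor headers up to the empty line
    out = []
    for line in body:
        if line.startswith("- "):                 # undo dash-escaping
            line = line[2:]
        out.append(line.rstrip(" \t"))            # trailing whitespace is not signed
    return "\r\n".join(out).encode("utf-8")       # final line break is excluded

def render(page: str) -> str:
    """Rough model of browser display: <pre> kept verbatim, the rest whitespace-folded."""
    shown = []
    for part in re.split(r"(<pre>.*?</pre>)", page, flags=re.S):
        if part.startswith("<pre>"):
            shown.append(html.unescape(part[5:-6]))
        else:
            text = re.sub(r"<[^>]+>", "", part)   # drop tags
            shown.append(html.unescape(re.sub(r"\s+", " ", text)))
    return "".join(shown)

def survives_rendering(page: str) -> bool:
    """True if text copied from the rendered page still matches what was signed."""
    try:
        return signed_text(render(page)) == signed_text(SIGNED)
    except ValueError:                            # block structure itself was destroyed
        return False

def make_page(use_pre: bool) -> str:
    body = html.escape(SIGNED, quote=False)       # "&" must be sent as "&amp;"
    body = "<pre>" + body + "</pre>" if use_pre else body
    return "<html><body><h1>Prices</h1>\n" + body + "\n</body></html>"
```

survives_rendering(make_page(True)) returns True and survives_rendering(make_page(False)) returns False: without <pre> the line breaks and column spacing are folded away, so the copied text no longer matches what was signed.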