Cart
[Home] [By Thread] [By Date] [Recent Entries]
-----Original Message----- From: Elliotte Rusty Harold [mailto:elharo@m...] Sent: Tuesday, January 06, 2004 4:00 PM To: xml-dev@l... Subject: Re: Re: Cookies at XML Europe 2004 -- Call for Particip ation ... other text elided ... > What feels wrong about this to me is that there are scalable, secure > sites in existence today that use SSL to encrypt sensitive > transactions. It's not obvious to me why this is more expensive than > those sites. It may be more expensive for sites that are not using > SSL. However, I'm not convinced it's cost-prohibitive or subject to > DOS attacks. Perhaps there's some point I'm missing here. Is it that > SSL uses public key encryption only to exchange a symmetric key, and > actually uses 3DES or some such symmetric algorithm for most data? > But digest authentication does not require the encryption of > everything, so it's cheaper than decrypting the entire page, and you > can still use HTTP over SSL with basic authentication if you prefer. I'll try to add a little here... SSL uses public key (asymmetric) encryption to exchange keys that are used for symmetric encryption (DES or 3DES usually). So there's a relatively expensive first exchange where the symmetric keys are exchanged and from that point the symmetric key is employed along hashing (SHA-1) to a) ensure integrity and b) provide confidentially. Those scalable, secure SSL-based sites usually employ a combination of hardware encryption accelerators and/or use sticky bit to avoid the key exchange when hitting a new server in a farm. HTH, James Delmerico Senior Technical Architect, IPS Sendero
|
