Shen: Security Extensions for HTTP
=================================
In response to a number of requests a number of security extensions
to the HTTP protocol have been implemented. These provide for secure
password based authentication using message digest functions, secure
authentication using public key cryptography and secure message
encryption.
A web of the proposal can be found at:
<http://info.cern.ch/hypertext/WWW/Shen/ref/shen.html>
Please note, discussion of these proposals is ENCOURAGED. None of them
are set in stone (as yet).
This work is builds on the proposal by Tony Sanders of BSDI and the
original authentication scheme. It is hoped that integration with the
Secure HTTP proposal from CommerceNet will result in a common Web
standard for security systems.
One area in which debate is encouraged is on the subject of how to
ship key certificates about. I have views on this but I don't want to
be seen as trying to impose my ideas on such an important issue. The
structure of the WWW key certificate system may IMHO be the most
important discussion for the future of the web.
Executive Summary
-----------------
The following changes to the spec are proposed:
1) The BASIC scheme is discouraged. This scheme is supported for
the moment as a compatibility mode and should IMHO be
phased out in the near future.
2) A DIGEST scheme is proposed as a direct replacement for the password
scheme. This uses only a message digest function and it is hoped
that it can be used without legal problems. Under this system
the password is never sent over the net in plaintext.
3) A Public Key Authentication system based on PEM.
4) A Public Key encryption system based on PEM.
Discussion List
---------------
A WIT on the security issues has been started on:
<http://info.cern.ch/hypertext/WWW/Shen/Discussion>
Code
----
Because of the various export restrictions we cannot make the source
code avaliable on a free for all basis at the moment. Because of the
laws banning import and export of cryptographic systems to and from
the USA a portion of the code will have to be rewritten there.
Because of this limitation the first release is demonstration
only. Although the binaries provide secure encryption
and decryption the server also sends the session key across in
plaintext. This means that the encryption portion of the product
is useful only for testing compatibility - which is the purpose
of this release.
The initial release consists of a patched version of Mosaic and a
patched version of the CERN httpd. Binaries compiled for SUN under
SunOS are avaliable under the Shen Web.
Patched versions of the source code for Mosaic and the Daemon
will appear as soon as the interface has been cleaned up and made
conformant with the libwww coding standards.
NB these portions do *NOT* contain the cryptographic interface
library "Shen". This will be made avaliable on a discresionary
basis to users in certain countries only.
Copyright
---------
The Shen extensions are copyright CERN and do not form part of the
public domain code release. This restriction is necessary for the
time being for legal reasons.
Use is permitted at present for research purposes only.
Accessories
-----------
The first Security extension accessories, a mail server CGI module
will be released in the `near' future.
Funding
-------
This work was funded by CERN and the European Union.
Dr Phillip M. Hallam-Baker
Henrik Frystyk Nielsen
CERN