Security -filters role
Sandip Kaviman
Ranch Hand
Posts: 49
posted 8 years ago
This is question from David Bridgewater book Chapter 5-security, Question 4
The answer given is F-None of the above.
How Filter can make sure Data Integrity and Confidentiality? it can encrypt the request once it receives, but by that time somebody might have tampered with.
Can somebody clarify.
Thanks
Sandip
The answer given is F-None of the above.
How Filter can make sure Data Integrity and Confidentiality? it can encrypt the request once it receives, but by that time somebody might have tampered with.
Can somebody clarify.
Thanks
Sandip
Charles Lyons
Author
Ranch Hand
Ranch Hand
Posts: 836
posted 8 years ago
Data integrity is just checking the data is undamaged - right? So a filter could be used to check the data received in the request, and perform a checksum calculation for example, in order to verify the data is the same as when it left the client (assuming they had also done a similar checksum). If not, it aborts the request, while if the checksum passes, it continues processing of the filter chain.
Confidentiality basically means encryption. What sort of encryption is unspecified - this could be symmetric if both the server and client know a secret key. So, let's use that and as soon as the server receives the data (say a POST request where only the main body is encrypted), it decrypts it, wraps it in a new HttpServletRequest and passes that unencrypted data down the filter chain.
Of course in practise you'd be using SSL encryption. Since this encrypts the entire HTTP message, the container needs to decrypt it first before it can create an HttpServletRequest (in order to populate the various fields of that class from the headers). So in this case, a filter would be totally useless - the decryption must be done as soon as the request is received, no later.
You can sort of see what was meant when the question was written - it would have been better if he had provided a "model answer" too so you could see what he was thinking... that's what I did when I wrote the questions for my book.
Confidentiality basically means encryption. What sort of encryption is unspecified - this could be symmetric if both the server and client know a secret key. So, let's use that and as soon as the server receives the data (say a POST request where only the main body is encrypted), it decrypts it, wraps it in a new HttpServletRequest and passes that unencrypted data down the filter chain.
Of course in practise you'd be using SSL encryption. Since this encrypts the entire HTTP message, the container needs to decrypt it first before it can create an HttpServletRequest (in order to populate the various fields of that class from the headers). So in this case, a filter would be totally useless - the decryption must be done as soon as the request is received, no later.
You can sort of see what was meant when the question was written - it would have been better if he had provided a "model answer" too so you could see what he was thinking... that's what I did when I wrote the questions for my book.
Sandip Kaviman
Ranch Hand
Posts: 49
posted 8 years ago
Thanks a lot Charles,
There is explanation given by the Author, but I was not convinced.
I totally agree with this
but as per tone of question goes, filter can check data integrity and confidentiality, but it can not make sure data integrity and confidentiality
Sandip
[ July 05, 2008: Message edited by: Sandip Kaviman ]
[ July 05, 2008: Message edited by: Sandip Kaviman ]
There is explanation given by the Author, but I was not convinced.
I totally agree with this
but as per tone of question goes, filter can check data integrity and confidentiality, but it can not make sure data integrity and confidentiality
Sandip
[ July 05, 2008: Message edited by: Sandip Kaviman ]
[ July 05, 2008: Message edited by: Sandip Kaviman ]
