Introduction to S-HTTP
S-HTTP (Secure HTTP) is a process that protects HTTP transactions and is based on an improvement to the HTTP protocol that was made in 1994 by EIT (Enterprise Integration Technologies). It makes it possible to establish a secure connection for e-commerce transactions by encrypting messages to guarantee customers that their bank card numbers and other personal information will remain confidential. One implementation of S-HTTP was developed by the company Terisa Systems to include a secure connection on web servers and browsers.
How S-HTTP works
Unlike SSL, which works on transport layers, S-HTTP guarantees message-based
security using the HTTP protocol, by individually marking HTML documents with certificates. Whereas SSL is independent of the application used and encrypts all of the communication, S-HTTP is closely related to the HTTP protocol and individually encrypts each message.
S-HTTP messages are based on three components:
- The HTTP message
- The sender's cryptographic preferences
- The recipient's preferences
As such, to decrypt an S-HTTP message, the message's recipient analyzes the message's headers to determine the type of method that was used to encrypt the message. Then, based on his current and past cryptographic preferences and on the sender's past cryptographic preferences, he is able to decrypt the message.
The complementary nature of S-HTTP and SSL
When SSL and S-HTTP were competitors, many people realized
that the two security protocols were complementary, given
that they do not work at the same level. SSL guarantees a secure internet connection whereas S-HTTP guarantees secure HTTP exchanges.
As a result, the company Terisa Systems, specialized in network protection, made of RSA Data Security
and EIT, developed a development kit making it possible for developers to develop Web servers implementing SSL and S-HTTP (SecureWeb Server Toolkit), as well as Web clients using these protocols (SecureWeb Client Toolkit).