Table of Contents for
Implementing SSL/TLS Using Cryptography and PKI
Implementing SSL/TLS Using Cryptography and PKI
Published by
John Wiley & Sons, 2011
- Cover Page
- Title Page
- Copyright
- Dedication
- About the Author
- About the Technical Editor
- Credits
- Acknowledgments
- Contents at a Glance
- Contents
- Introduction
- CHAPTER 1: Understanding Internet Security
- CHAPTER 2: Protecting Against Eavesdroppers with Symmetric Cryptography
- CHAPTER 3: Secure Key Exchange over an Insecure Medium with Public Key Cryptography
- CHAPTER 4: Authenticating Communications Using Digital Signatures
- CHAPTER 5: Creating a Network of Trust Using X.509 Certificates
- CHAPTER 6: A Usable, Secure Communications Protocol: Client-Side TLS
- CHAPTER 7: Adding Server-Side TLS 1.0 Support
- CHAPTER 8: Advanced SSL Topics
- CHAPTER 9: Adding TLS 1.2 Support to Your TLS Library
- CHAPTER 10: Other Applications of SSL
- APPENDIX A: Binary Representation of Integers: A Primer
- APPENDIX B: Installing TCPDump and OpenSSL
- APPENDIX C: Understanding the Pitfalls of SSLv2
- Index
Contents
Chapter 1 Understanding Internet Security
"Insecure" Communications: Understanding the HTTP Protocol
Adding Support for HTTP Proxies
Reliable Transmission of Binary Data with Base64 Encoding
Roadmap for the Rest of This Book
Chapter 2 Protecting Against Eavesdroppers with Symmetric Cryptography
Understanding Block Cipher Cryptography Algorithms
Implementing the Data Encryption Standard (DES) Algorithm
Padding and Chaining in Block Cipher Algorithms
Using the Triple-DES Encryption Algorithm to Increase Key Length
Faster Encryption with the Advanced Encryption Standard (AES) Algorithm
Understanding Stream Cipher Algorithms
Understanding and Implementing the RC4 Algorithm
Converting a Block Cipher to a Stream Cipher: The OFB and COUNTER Block-Chaining Modes
Chapter 3 Secure Key Exchange over an Insecure Medium with Public Key Cryptography
Understanding the Theory Behind the RSA Algorithm
Performing Arbitrary Precision Binary Math to Implement Public-Key Cryptography
Implementing Large-Number Addition
Implementing Large-Number Subtraction
Implementing Large-Number Multiplication
Implementing Large-Number Division
Optimizing for Modulo Arithmetic
Using Modulus Operations to Efficiently Compute Discrete Logarithms in a Finite Field
Encryption and Decryption with RSA
Encrypting a Plaintext Message
Decrypting an RSA-Encrypted Message
Testing RSA Encryption and Decryption
Achieving Perfect Forward Secrecy with Diffie-Hellman Key Exchange
Getting More Security per Key Bit: Elliptic Curve Cryptography
How Elliptic Curve Cryptography Relies on Modular Inversions
Using the Euclidean Algorithm to compute Greatest Common Denominators
Computing Modular Inversions with the Extended Euclidean Algorithm
Adding Negative Number Support to the Huge Number Library
Supporting Negative Remainders
Making ECC Work with Whole Integers: Elliptic-Curve Cryptography over Fp
Reimplementing Diffie-Hellman to Use ECC Primitives
Why Elliptic-Curve Cryptography?
Chapter 4 Authenticating Communications Using Digital Signatures
Using Message Digests to Create Secure Document Surrogates
Implementing the MD5 Digest Algorithm
Securely Hashing a Single Block of Data
Increasing Collision Resistance with the SHA-1 Digest Algorithm
Understanding SHA-1 Block Computation
Understanding the SHA-1 Input Processing Function
Understanding SHA-1 Finalization
Even More Collision Resistance with the SHA-256 Digest Algorithm
Preventing Replay Attacks with the HMAC Keyed-Hash Algorithm
Implementing a Secure HMAC Algorithm
Creating Updateable Hash Functions
Appending the Length to the Last Block
Computing the MD5 Hash of an Entire File
Where Does All of This Fit into SSL?
Understanding Digital Signature Algorithm (DSA) Signatures
Implementing Sender-Side DSA Signature Generation
Implementing Receiver-Side DSA Signature Verification
Getting More Security per Bit: Elliptic Curve DSA
Rewriting the Elliptic-Curve Math Functions to Support Large Numbers
Chapter 5 Creating a Network of Trust Using X.509 Certificates
Putting It Together: The Secure Channel Protocol
Understanding Signed Certificate Structure
Transmitting Certificates with ASN.1 Distinguished Encoding Rules (DER)
Sequences and Sets: Grouping and Nesting ASN.1 Values
A Real-World Certificate Example
Using OpenSSL to Generate an RSA KeyPair and Certificate
Using OpenSSL to Generate a DSA KeyPair and Certificate
Converting a Byte Stream into an ASN.1 Structure
Turning a Parsed ASN.1 Structure into X.509 Certificate Components
Joining the X.509 Components into a Completed X.509 Certificate Structure
Parsing Object Identifiers (OIDs)
Parsing Certificate Extensions
Validating PKCS #7-Formatted RSA Signatures
Verifying a Self-Signed Certificate
Adding DSA Support to the Certificate Parser
How Authorities Handle Certificate Signing Requests (CSRs)
Correlating Public and Private Keys Using PKCS #12 Formatting
Blacklisting Compromised Certificates Using Certificate Revocation Lists (CRLs)
Keeping Certificate Blacklists Up-to-Date with the Online Certificate Status Protocol (OCSP)
Other Problems with Certificates
Chapter 6 A Usable, Secure Communications Protocol: Client-Side TLS
Implementing the TLS 1.0 Handshake (Client Perspective)
Adding TLS Support to the HTTP Client
Understanding the TLS Handshake Procedure
Tracking the Handshake State in the TLSParameters Structure
Flattening and Sending the Client Hello Structure
Parsing the Server Hello Structure
Sharing Secrets Using TLS PRF (Pseudo-Random Function)
Creating Reproducible, Unpredictable Symmetric Keys with Master Secret Computation
Correctly Receiving the Finished Message
Supporting Outgoing Encryption
Adding Support for Stream Ciphers
Updating Each Invocation of send_message
Examining HTTPS End-to-end Examples (TLS 1.0)
Dissecting the Client Hello Request
Dissecting the Server Response Messages
Dissecting the Key Exchange Message
Decrypting the Encrypted Exchange
Differences Between SSL 3.0 and TLS 1.0
Differences Between TLS 1.0 and TLS 1.1
Chapter 7 Adding Server-Side TLS 1.0 Support
Implementing the TLS 1.0 Handshake from the Server's Perspective
RSA Key Exchange and Private Key Location
Supporting Encrypted Private Key Files
Checking That Decryption was Successful
Avoiding Common Pitfalls When Adding HTTPS Support to a Server
When a Browser Displays Errors: Browser Trust Issues
Passing Additional Information with Client Hello Extensions
Safely Reusing Key Material with Session Resumption
Adding Session Resumption on the Client Side
Adding Session Resumption Logic to the Client
Restoring the Previous Session's Master Secret
Adding Session Resumption on the Server Side
Assigning a Unique Session ID to Each Session
Modifying parse_client_hello to Recognize Session Resumption Requests
Drawbacks of This Implementation
Avoiding Fixed Parameters with Ephemeral Key Exchange
Supporting the TLS Server Key Exchange Message
Authenticating the Server Key Exchange Message
Examining an Ephemeral Key Exchange Handshake
Verifying Identity with Client Authentication
Supporting the CertificateRequest Message
Adding Certificate Request Parsing Capability for the Client
Handling the Certificate Request
Supporting the Certificate Verify Message
Refactoring rsa_encrypt to Support Signing
Viewing a Mutually-Authenticated TLS Handshake
Dealing with Legacy Implementations: Exportable Ciphers
Discarding Key Material Through Session Renegotiation
Renegotiation Pitfalls and the Client Hello Extension 0xFF01
Defending Against the Renegotiation Attack
Implementing Secure Renegotiation
Chapter 9 Adding TLS 1.2 Support to Your TLS Library
Supporting TLS 1.2 When You Use RSA for the Key Exchange
TLS 1.2 Modifications to the PRF
TLS 1.2 Modifications to the Finished Messages Verify Data
Impact to Diffie-Hellman Key Exchange
Adding Support for AEAD Mode Ciphers
Maximizing Throughput with Counter Mode
Reusing Existing Functionality for Secure Hashes with CBC-MAC
Combining CTR and CBC-MAC into AES-CCM
Maximizing MAC Throughput with Galois-Field Authentication
Combining CTR and Galois-Field Authentication with AES-GCM
Authentication with Associated Data
Incorporating AEAD Ciphers into TLS 1.2
Working ECC Extensions into the TLS Library
Chapter 10 Other Applications of SSL
Adding the NTTPS Extension to the NTTP Algorithm
Implementing "Multi-hop" SMTP over TLS and Protecting Email Content with S/MIME
Multipurpose Internet Mail Extensions (MIME)
Protecting Email from Eavesdroppers with S/MIME
Securing Email When There Are Multiple Recipients
Securing the Domain Name System
Using the DNS Protocol to Query the Database
Disadvantages of the DNS Query
Preventing DNS Cache Poisoning with DNSSEC
TLS Without TCP—Datagram TLS
Supporting SSL When Proxies Are Involved
Possible Solutions to the Proxy Problem
Adding Proxy Support Using Tunneling
Appendix A Binary Representation of Integers: A Primer
The Decimal and Binary Numbering Systems
Understanding Binary Logical Operations
Position Shifting of Binary Numbers
Two's-Complement Representation of Negative Numbers
Big-Endian versus Little-Endian Number Formats
Appendix B Installing TCPDump and OpenSSL
Installing TCPDump on a Windows System
Installing TCPDump on a Linux System
Installing OpenSSL on a Windows System
Installing OpenSSL on a Linux system
Appendix C Understanding the Pitfalls of SSLv2
Implementing the SSL Handshake
Examining an HTTPS End-to-End Example