A
Abstract Syntax Notation. See ASN.1
accept system call, 23
adding/subtracting machines (computers), 570
addition
double and add approach (multiplication), 106, 116, 134, 150, 153, 213, 503
"ecc.c" point addition implementation, 212–213
"ecc_int.c" add_points routine, 152
"huge.c" add (overflow expansion), 97
"huge.c" add routine (addition routine), 96
"huge.c" add routine (size computation), 95
"huge.c" add with negative number support, 143–144
"huge.c" add_magnitude and subtract_magnitude, 143
Adleman, Leonard, 91. See also RSA algorithm
Advanced Encryption Standard algorithm. See AES algorithm
"Advances in Cryptology '86," 114
AEAD (Authenticated Encryption with Associated Data) mode ciphers, 490–523
AES-CCM
"aes.c" aes_ccm_encrypt, 498–500
"aes.c" aes_ccm_process common routine for encrypt and decrypt, 500–502
"aes.c" aes_ccm_process with associated data, 511–512
"aes.c" main routine modified to accept associated data, 513–514
"aes.h" AES-CCM and AES-GCM with associated data support, 510–511
block ciphers v., 517
diagram, 497
popularity, 502
stream ciphers v., 517
AES-GCM
"aes.c" aes_gcm_encrypt, 505–508
"aes.c" aes_gcm_process with associated data length declaration, 516–517
"aes.c" aes_gcm_process with associated data support, 516
"aes.c" aes_gcm_process with encrypt and decrypt support, 508–509
"aes.h" AES-CCM and AES-GCM with associated data support, 510–511
block ciphers v., 517
Galois-Field authentication/CTR with, 505–510
stream ciphers v., 517
"tls.c" init_tls with AES-GCM cipher suite, 519
"tls.h" aes-gcm cipher suite, 518
associated data, 510
"aes.c" aes_ccm_process with associated data, 511–512
"aes.c" main routine modified to accept associated data, 513–514
"aes.h" AES-CCM and AES-GCM with associated data support, 510–511
associated data and, 510
block ciphers v., 490
CBC-MAC
aes_cbc_mac, 495
diagram, 495
failure of, 496
problems, 502
CTR mode
encryption (diagram), 491
/Galois-Field authentication, with AES-GCM, 505–510
infinitely parallelizable, 491, 502
known plaintext attack, 493
OFB v., 491
embedded hardware implementers and, 523
Galois-Field authentication
"aes.c" gf_multiply, 503
maximizing MAC throughput, 502–505
diagram, 504
incorporating into TLS 1.2, 517–523
"tls.c" send_message with AEAD encryption support, 521
"tls.c" send_message with Associated Data support, 519–520
"tls.c" tls_decrypt with AEAD decryption, 522
"tls.h" CipherSuite declaration with AEAD support, 518
AES (Advanced Encryption Standard) algorithm, 60–82
brute force attacks and, 60
key combination, 68
key schedule computation, 128-bit, 61, 65
listings
"aes.c" add_round_key, 68
"aes.c" AES encryption and decryption routines, 80–81
"aes.c" aes_block_decrypt, 78–79
"aes.c" aes_block_encrypt, 73–74
"aes.c" aes_encrypt and aes_decrypt, 79–80
"aes.c" compute_key_schedule, 66
"aes.c" dot product, 72
"aes.c" inversion routines, 75–77
"aes.c" inv_mix_columns, 77–78
"aes.c" mix_columns, 73
"aes.c" rot_word, 63
"aes.c" sub_bytes, 69
"aes.c" sub_word, 64
matrix multiplication example, 70–71
Rijndael algorithm and, 60, 83
row shift, 69
state mapping initialization, 67
support for, 81
AES-CCM
"aes.c" aes_ccm_encrypt, 498–500
"aes.c" aes_ccm_process common routine for encrypt and decrypt, 500–502
"aes.c" aes_ccm_process with associated data, 511–512
"aes.c" main routine modified to accept associated data, 513–514
"aes.h" AES-CCM and AES-GCM with associated data support, 510–511
block ciphers v., 517
diagram, 497
popularity, 502
stream ciphers v., 517
AES-GCM
"aes.c" aes_gcm_encrypt, 505–508
"aes.c" aes_gcm_process with associated data length declaration, 516–517
"aes.c" aes_gcm_process with associated data support, 516
"aes.c" aes_gcm_process with encrypt and decrypt support, 508–509
"aes.h" AES-CCM and AES-GCM with associated data support, 510–511
block ciphers v., 517
Galois-Field authentication/CTR with, 505–510
stream ciphers v., 517
"tls.c" init_tls with AES-GCM cipher suite, 519
"tls.h" aes-gcm cipher suite, 518
ALU (Arithmetic Logical Unit), 568, 570
Andreessen, Marc, 298
ANSI X9.62 format, 528, 531, 537, 540
Applied Cryptography (Schneier), 83
arbitrary precision binary math module, 93–114. See also binary number representations; huge numbers; RSA algorithm
Arithmetic Logical Unit (ALU), 568, 570
ASN.1 (Abstract Syntax Notation), 225–252. See also certificate parser
certificate structure, 225–238
SEQUENCE, 226
serialNumber field, 227
subjectPublicKeyInfo field, 235–236
version field, 226
listings
"asn1.c" asn1_get_bit, 278
"asn1.c" test routine, 259–260
"asn1.h" asn1struct definition, 252
"asn1.h" constants, 254
online overview, 226
associated data, 510. See also AEAD mode ciphers
"aes.c" aes_ccm_process with associated data, 511–512
"aes.c" main routine modified to accept associated data, 513–514
"aes.h" AES-CCM and AES-GCM with associated data support, 510–511
asymmetric/public key algorithms. See public key algorithms
attacks
birthday attack, 170
bit-flipping attack, 494
Bleichenbacher attack, 412
brute force attacks
AES and, 60
birthday attack, 170
DES and, 55
SSLv2 and, 626
triple DES and, 56
denial of service attacks, 318, 559
"A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup," 236
known plaintext attacks, 186, 493
man-in-the-middle attacks, 222–224
export-grade ciphers and, 626
"Null Prefix Attacks Against SSL Certificates" (Marlinspike), 234
OAEP and, 126
Pohlig-Hellman attack, 132
replay attacks, 49, 184, 304, 336, 353, 441, 593. See also HMAC function
small subgroup attack, 236–237
timing attacks, 119
Authenticated Encryption with Associated Data. See AEAD mode ciphers
authentication
with associated data, 510. See also AEAD mode ciphers
"aes.c" aes_ccm_process with associated data, 511–512
"aes.c" main routine modified to accept associated data, 513–514
"aes.h" AES-CCM and AES-GCM with associated data support, 510–511
/decryption (secure data transfer, TLS 1.0), 361–364
AUTHINFO extension, 544
authoritative name server, 553–555, 557. See also DNS
B
Barrett reduction, 114
base-10 numbering system, 567
Base64 encoding (HTTP client application), 17–21
Basic Encoding Rules. See BER
BER (Basic Encoding Rules), 241. See also DER
big-endian number format, 571–572
computers, 313
"huge.c" set_huge (little-endian/big-endian conversion), 104, 105
binary number representations, 567–572. See also arbitrary precision binary math module
big-endian number format, 571–572
decimal number system v., 568
little-endian number format, 571–572
shifting binary numbers, 570
two's-complement arithmetic, 98, 123, 275, 570–571
bind system call, 23
birthday attack, 170
bit flipping functions, 160–161
bit strings, 243
bit-flipping attack, 494
bits, 571
parity bits, 39
bit-shifting operations, 571
blacklisting certificates
Bleichenbacher, Daniel, 412
Bleichenbacher attack, 412
block chaining. See CBC
block cipher algorithms, 31–83. See also AEAD mode ciphers; AES algorithm; cipher suites; DES algorithm; stream cipher algorithms; triple DES
AEAD ciphers v., 490
AES-CCM v., 517
AES-GCM v., 517
Applied Cryptography (Schneier), 83
blowfish, 83
book information on, 83
Camellia, 83
converting, to stream ciphers, 90
defined, 31
FEAL, 83
LOKI, 83
stream cipher algorithms v., 83, 490–491
twofish, 83
types, 83
blowfish, 83
Brown, Michael, 210
browsers
Chrome, 465
Firefox, 229, 234, 244, 245, 410, 465
Internet Explorer, 230, 234, 238, 239, 244, 294, 410, 418, 465
Netscape, 4, 27, 298, 543, 579, 596
trust issues (TLS 1.0 server-side), 412–414
web clients, 4
brute force attacks
AES and, 60
birthday attack, 170
DES and, 55
SSLv2 and, 626
triple DES and, 56
build_error_response, 26
build_success_response, 26
bytes, 571
internal byte ordering, 572
least-significant bytes, 495, 571, 572
C
Camellia, 83
Canonical Encoding Rules (CER), 549–550. See also DER
case sensitive HTTP, 8
CBC (cipher block chaining)
block cipher algorithms, 46–55
defined, 490
RSA, 126
triple DES, 56
CBC-MAC, 494–502. See also AES-CCM
aes_cbc_mac, 495
diagram, 495
failure of, 496
problems, 502
CCM (Counter with CBC-MAC), 496. See also AES-CCM
CER (Canonical Encoding Rules), 549–550. See also DER
certificates (X.509 certificates), 221–296
blacklisting
components, 527
digital signatures and, 222
examples
DSA keypair and certificate, 251–252
RSA keypair and certificate, 244–251
expired, 232–233, 235, 295, 318, 414
issuing, 227
LDAP-based, 234
lifecycle, 238
listings
X.509 Certificate Structure Declaration, 225–226
X.509 Signed Certificate Declaration, 238
naive secure channel protocol, 222–224
not after date, 224
not before date, 224
revoked, 224
serial IDs, 224
serial numbers, 227
S/MIME and, 552
SEQUENCE, 226
serialNumber field, 227
subjectPublicKeyInfo field, 235–236
version field, 226
summary, 241
validity periods, 224, 232–233
certificate authorities (CAs)
CA/Browser forum, 278
defined, 223
extended validation, 278
trusted intermediaries, 222–223
Certificate Error Message, 413
certificate extensions, 237–238
CertificatePolicies, 278
critical/non-critical, 277
SSLv2 and, 627
certificate message
TLS 1.0 handshake (client-side), 324–328
TLS 1.0 handshake (server-side), 391–393
certificate parser
byte stream converted to ASN.1 structure, 252–259
error checking, 292
goal of, 266
listings
"asn1.c" asn1_get_bit, 278
"asn1.c" test routine, 259–260
"asn1.h" asn1struct definition, 252
"asn1.h" constants, 254
"parse_validity", 273
"tls.c" parse_dsa_params, 289–290
"x509.c" display_x509_certificate, 283–285, 290–291
"x509.c" free_x509_certificate, 266–267
"x509.c" init_x509_certificate, 266
"x509.c" main routine, 281–283, 291
"x509.c" parse_algorithm_identifier, 270
"x509.c" parse_algorithm_identifier with DSA support, 287
"x509.c" parse_dsa_signature_value, 288–289
"x509.c" parse_extension, 276
"x509.c" parse_extension with key usage recognition, 277
"x509.c" parse_extensions, 276
"x509.c" parse_public_key_info, 274–275
"x509.c" parse_signature_value, 279
"x509.c" parse_tbs_certificate, 268–269
"x509.c" parse_x509_certificate, 267–268
"x509.c" parse_x509_certificate with DSA support, 287–288
"x509.c" parse_x509_certificate with stored hash, 279–280
"x509.c" public key info parsing with DSA support, 289
"x509.c" validate_certificate_dsa, 291
"x509.c" validate_certificate_rsa, 280–281
"x509.h" structure definitions, 264–265
"x509.h" with DSA support, 286–287
CertificateRequest, 449, 450, 452
"tls.c" parse_certificate_request, 451–452
"tls.c" receive_tls_msg with certificate request support, 450–451
"tls.c" tls_connect with support for certificate requests, 452–453
"tls.h" TLSParameters with certificate request flag, 450
certificate revocation lists (CRLs), 224, 294–295
certificate signing requests (CSRs), 292–294
certificate verify message, 449, 453–457
"rsa.c" rsa_encrypt and rsa_sign, 454–455
"tls.c" send_certificate_verify, 455–457
CertificatePolicies, 278
CertificateSerialNumber, 227
Chae Hoon Lim, 236
chaining methods. See CBC; ECB; OFB
challenge password, 295
challenge token, 584, 588, 589, 593, 600, 613, 616
change cipher spec
TLS 1.0 handshake (client-side), 344–346
TLS 1.0 handshake (server-side), 409
"tls.c" receive_tls_msg with support for change cipher spec, 345–346
"tls.c" send_change_cipher_spec, 345
Chrome, 465
cipher block chaining. See CBC
cipher suites, 304
client hello message (TLS 1.0), 308–309
DH_anon_XXX, 448
DHE_RSA_XXX, 439
ephemeral, 436. See also ephemeral key exchange
"ssl.h" CipherSuite declarations, 583–584
"tls.c" cipher suites list, 340–341
"tls.h" CipherSuite declaration with AEAD support, 518
"tls.h" CipherSuite structure, 340
"tls.h" CipherSuiteIdentifier list, 308–309
"tls.h" ProtectionParameters with cipher suite, 322–323
ciphers. See AEAD mode ciphers; block cipher algorithms; export-grade ciphers; stream cipher algorithms
client authentication (TLS 1.0 handshake), 448–462
certificate request message, 449–453
CertificateRequest, 449, 450, 452
"tls.c" parse_certificate_request, 451–452
"tls.c" receive_tls_msg with certificate request support, 450–451
"tls.c" tls_connect with support for certificate requests, 452–453
"tls.h" TLSParameters with certificate request flag, 450
certificate verify message, 449, 453–457
"rsa.c" rsa_encrypt and rsa_sign, 454–455
"tls.c" send_certificate_verify, 455–457
mutually-authenticated TLS handshake, 460–462
RKM and, 449
with TLS handshake (diagram), 457
client hello
dissected (HTTPS example, TLS 1.0), 370–371
with SNI, 419
structure diagram, 311
TLS 1.0 handshake (client-side), 304–316
with headers, 316
tracking handshake state in TLSParameters structure, 304–308
TLS 1.0 handshake (server-side), 387–390
client hello extensions, 415–420
ECC, 540
extension 10, 540
extension 11, 540
"tls.c" client hello extension capability, 473–476
"tls.c" parse_client_hello with client hello extension support, 416–417
"tls.c" parse_client_hello_extensions, 417–418
"tls.c" parse_server_name_extension, 418–419
0xFF02, 540
close_notify alert, 378, 435–436
CMS (Cryptographic Message Syntax), 550
cofactor, of elliptic curves, 152
collision resistance, 171, 180
column-mixing step, 68
command-line test routine, "des.c", 52–53
comparing huge numbers, 109–112
compromised certificates, 224, 294–295
compute
"aes.c" compute_key_schedule, 66
"tls.c" compute_verify_data, 349–350
"tls.c" compute_verify_data with temporary copy, 352–353
computers
adding/subtracting machines, 570
big-endian, 313
Intel processors, PCLMULQDQ instruction, 523
little-endian, 313
connect
"https.c" http_connect, 562–564
"tls.c" tls_connect, 306
"tls.c" tls_connect multiple handshake messages, 329
"tls.c" tls_connect with client finished message, 349
"tls.c" tls_connect with handshake digests, 347
"tls.c" tls_connect with key exchange, 337
"tls.c" tls_connect with renegotiate flag, 467
"tls.c" tls_connect with server finished support, 350
"tls.c" tls_connect with support for certificate requests, 452–453
CONNECT command, 561, 562, 563
connection_end, 385
connection-id, 585
constructed types, 243
context-specific tags, 244
coprime, 136
Counter mode. See CTR mode
Counter with CBC-MAC (CCM), 496. See also AES-CCM
critical/non-critical certificate extensions, 277
CRLFs, 9, 10, 25, 26, 378, 469, 547
CRLs. See certificate revocation lists
cryptographic algorithms, 29–30. See also public key algorithms; symmetric algorithms
Cryptographic Message Syntax (CMS), 550
cryptography. See also Elliptic-Curve Cryptography
Applied Cryptography (Schneier), 83
export-grade, 463
munitions classification for, 463
server gated, 462
step-up, 465
weak, 463
CSRs. See certificate signing requests
CTR mode
encryption (diagram), 491
/Galois-Field authentication, with AES-GCM, 505–510
infinitely parallelizable, 491, 502
known plaintext attack, 493
OFB v., 491
D
Data Encryption Standard algorithm. See DES algorithm
database, DNS, 555
Datagram TLS (DTLS), 559
TLS and, 559
dates (DER), 242
Daum, Magnus, 170
decimal number system, 568. See also binary number representations
decryption
/authentication (secure data transfer, TLS 1.0), 361–364
defined, 29
private key/decryption, 92
RC4, 86
denial of service (DOS) attacks, 318, 559
deprecation
IDEA, 83
RC2, 83
DER (Distinguished Encoding Rules), 241–252
bit strings, 243
dates, 242
explicit tags, 244
sequences, 243
sets, 243
strings, 242
DES (Data Encryption Standard) algorithm, 31–59
big-endian conventions, 32, 36
brute force attacks and, 55
DHE/RSA/DES/SHA-1 handshake, 442–448
Feistel function and, 37
initialization vectors and, 49–50, 51, 53, 55
listings
"des.c" command-line test routine, 52–53
"des.c" des_block_operate, 43–45
"des.c" des_block_operate with decryption support, 45–46
"des.c" des_decrypt, 51
"des.c" des_encrypt with NIST 800-3A padding, 48
"des.c" des_encrypt with PKCS #5 padding, 49
"des.c" des_operate with CBC for encrypt or decrypt, 51
"des.c" des_operate with CBC support and padding removed from des_encrypt, 50
"des.c" des_operate with padding support, 47–48
"des.c" expansion table, 41
"des.c" final input block permutation, 42–43
"des.c" final permutation table, 38
"des.c" initial permutation table, 36
"des.c" key permutation table 1, 39
"des.c" key permutation table 2, 39
"des.c" main routine with decryption support, 54–55
"des.c" rotate left, 40
"des.c" rotate right, 46
"des.c" s-boxes, 42
"des.c" xor array, 33
"hex.c" show_hex, 54
terse initial permutation, 35–36
overview diagram, 37
des_block_operate with decryption support, 45–46
des_decrypt, 51
des_encrypt with NIST 800-3A padding, 48
des_encrypt with PKCS #5 padding, 49
des_operate with CBC for encrypt or decrypt, 51
des_operate with CBC support and padding removed from des_encrypt, 50
des_operate with padding support, 47–48
destination port, 3
DH_anon_XXX, 448
DHE/RSA/DES/SHA-1 handshake, 442–448
DHE_RSA_XXX, 439
Dierks, Tim, 379
Diffie, Whitfield, 130
Diffie-Hellman key exchange, 130–132. See also elliptic-curve Diffie-Hellman
client key exchange (TLS 1.0), 343–344
"dh.c" Diffie-Hellman key agreement, 131–132
DHE/RSA/DES/SHA-1 handshake, 442–448
parsing signature types, 485–489
"tls.c" parse_certificate_request with TLS 1.2 support, 488–489
"tls.c" parse_server_key_exchange with signature and hash algorithm declaration, 487–488
"tls.c" TLS 1.2 signature verification, 485–486
"tls.h" signature and hash algorithms, 486–487
small subgroup attack and, 236–237
S/MIME and, 550
"tls.c" send_client_key_exchange with Diffie-Hellman key exchange, 343
dig tool, 556
DIGEST, 17
digest functions, updateable, 190–200
"digest.c" finalize digest, 194–195
"digest.c" update digest function, 192–194
"digest.h" digest context structure declaration, 191–192
Digital Signature Algorithm. See DSA
digital signatures, 157–220. See also DSA; RSA algorithm
certificates and, 222
RSA support for, 157–158, 201–202
discrete logarithm problem, 130, 131
Dispensa, Steve, 468
Distinguished Encoding Rules. See DER
division
"huge.c" divide, 108–109, 112–113
"huge.c" divide with negative number support, 146–147
DNS (Domain Name System), 553–559
database, 555
hierarchy, 554
protocol, 555
DNS Security. See DNSSEC
DNSSEC (DNS Security), 556–559
Domain Name System. See DNS
domain-name components, 234, 237
DOS (denial of service) attacks, 318, 559
dot product, 72
dot product, "aes.c", 72
dotted-decimal form/hexadecimal form, 228–229
double and add approach (multiplication), 106, 116, 134, 150, 153, 213, 503
DSA (Digital Signature Algorithm), 201–210. See also elliptic-curve DSA
certificate parser and, 286–291
ECC primitives and, 210
ECDSA v., 524
keys, 209
listings
"dsa.c" DSA Signature generation algorithm, 203–204
"dsa.c" DSA signature verification algorithm, 206–207
"dsa.c" message secret generation, 204–205
"dsa.c" test main routine, 207–209
"dsa.h" dsa_params structure, 203
"dsa.h" dsa_signature structure, 203
"tls.c" receive_tls_msg with DSA key support, 445
"tls.h" TLSParameters with dsa key support, 444–445
"x509.c" parse_x509_chain with DSA support, 445–446
signature verification, 205–209
DSS, 227, 228, 229, 465, 485. See also DHE_DSS_XXX
DTLS (Datagram TLS), 559
dummy block, 48
E
ECB (electronic code book), 49, 490
ECC. See Elliptic-Curve Cryptography
ECC client hello extensions, 540
ECC primitives
DSA and, 210
ECDH. See elliptic-curve Diffie-Hellman
ECDHE_ECDSA cipher suites, 533, 535, 538
ECDSA. See elliptic-curve DSA
electronic code book. See ECB
elliptic curves
addition, 133
cofactor of, 152
graph, 133
named curves, 218, 524–527, 530, 537, 540
point multiplication on, 134
Elliptic-Curve Cryptography (ECC), 132–155
client hello extensions, 540
ECC primitives
DSA and, 210
listings
"ecc.c" point addition implementation, 212–213
"ecc.c" point-doubling algorithm, 213–214
"ecc.c" point-multiplication algorithm, 214–215
"ecc.h" elliptic curve structure declarations, 211
"ecc_int.c" add_points routine, 152
"ecc_int.c" double_point routine, 152–153
"ecc_int.c" Extended Euclidean Algorithm (small numbers), 137–138
"ecc_int.c" invert routine, 152
"ecc_int.c" multiply_point routine, 153
"ecc_int.h" structure definitions, 151–152
modular inversions and, 135–138
negative numbers support, 138–147
negative remainders support, 147–149
over prime finite field, 150
purpose, 220
"Software Implementations of the NIST Elliptic Curves over Prime Fields" (Brown), 210
speed of, 220
whole integers and, 150
elliptic-curve Diffie-Hellman (ECDH), 523–524
ECDHE_ECDSA cipher suites, 533, 535, 538
ECDSA and, 524
"tls.c" ecdh_key_exchange, 539–540
"tls.c" init_tls with ECDHE_ECDSA support, 533
"tls.c" parse_server_key_exchange with ECDH support, 534–536
"tls.c" send_client_key_exchange with ECDHE support, 538
"tls.c" verify_signature with ECDSA support, 537–538
"tls.h" TLSParameters with ECDH support, 534
elliptic-curve DSA (ECDSA), 210–220
certificate parsing (TLS 1.2), 527–533
"x509.c" parse_algorithm_identifier with ECDSA support, 528
"x509.c" parse_public_key_info with ECDSA support, 529–530
"x509.c" parse_x509_certificate with ECDSA signatures, 532–533
"x509.c" parse_x509_chain with ECDSA support, 531–532
"x509.h" ECDSA algorithm identifier, 529
"x509.h" ecdsa algorithm identifier, 528
DSA v., 524
ECDH and, 524
ECDHE_ECDSA cipher suites, 533, 535, 538
generating ECC keypairs, 218–220
listings
"ecc.c" point addition implementation, 212–213
"ecc.c" point-doubling algorithm, 213–214
"ecc.c" point-multiplication algorithm, 214–215
"ecc.h" elliptic curve structure declarations, 211
"ecdsa.c" elliptic-curve DSA signature generation, 215–216
"ecdsa.c" elliptic-curve DSA signature verification, 216–217
"ecdsa.c" test routine, 218–220
signature verification, 216–217
email
digital signatures and, 551–552
HTTP v., 547
PEM and, 246, 263, 281, 395, 396, 400, 546
TLS and, 552
embedded hardware implementers, 523
encryption
CTR, 491
defined, 29
public key/encryption, 92
RC4, 86
support (secure data transfer, TLS 1.0), 355–358
endian-ness, 173, 182, 183, 257
big-endian number format, 571–572
computers, 313
"huge.c" set_huge (little-endian/big-endian conversion), 104, 105
little-endian number format, 571–572
computers, 313
"huge.c" set_huge (little-endian/big-endian conversion), 104, 105
Intel x86, 32
"md5.c" md5 initial hash, 166
"sha.c" SHA-1 in little-endian format, 178
end-to-end example. See https application
enveloped-data, 550
ephemeral cipher suites, 436
ephemeral key exchange, 436–448, 487
listings
"tls.c" parse_server_key_exchange, 437–438
"tls.c" parse_server_key_exchange with signature verification, 440
"tls.c" receive_tls_msg with DSA key support, 445
"tls.c" receive_tls_msg with server key exchange, 437
"tls.c" send_client_key_exchange, 445
"tls.c" verify_signature, 441, 446–448
"tls.h" TLSParameters with dsa key support, 444–445
"x509.c" parse_x509_chain with DSA support, 445–446
server key exchange message, 436–442
Epoch field, 559
error messages, browser, 412–414
Ethereal, 573
Exclusive OR. See XOR operation
expansion function, DES, 40–45
expansion table, "des.c", 41
expired certificates, 232–233, 235, 295, 318, 414
explicit tags, 244
export-grade ciphers
man-in-the-middle attacks, 626
export-grade cryptography, 463
extended Euclidean algorithm, 137–138
extended validation, 278
extension 10 (client hello extension), 540
extension 11 (client hello extension), 540
extensions. See certificate extensions; client hello extensions
F
FEAL, 83
Feistel function, 37
fgets, 25
"file.c" load_file_into_memory, 398–399
final input block permutation, "des.c", 42–43
final permutation table, "des.c", 38
find_stored_session, "tls.c", 431–433
finished message
TLS 1.0 handshake (client-side), 346–353
TLS 1.0 handshake (server-side), 409–411
Firefox, 229, 234, 244, 245, 410, 465
500 (status code), 10
501 (status code), 24
fixed-precision numeric representation, 140
flattening/sending client hello message, 309–316
Fortezza, 378
forward secrecy, perfect, 130, 439, 465, 524
403 (status code), 10
fstat, 393
G
Galois field arithmetic operations, 210, 502
Galois-Field authentication
"aes.c" gf_multiply, 503
maximizing MAC throughput, 502–505
GCDs (greatest common denominators), 135–137
gcrypt, 140
GeneralizedTime, 233
generating RSA keypairs, 129
generator point, 210, 524, 534, 540
GET_BIT macro, 36
GHASH, 502, 504–507. See also AES-GCM
diagram, 504
GnuTLS, 27, 28, 123, 140, 155, 540, 541. See also TLS
greatest common denominators (GCDs), 135–137
H
handshake. See also TLS 1.0 handshake
handshake digest initialization, TLS 1.2, 484
hash functions, updateable, 190–200
HDMI video stream, 523
headers, 9
Hellman, Martin, 130, 132, 185. See also Diffie-Hellman key exchange
hello request, session renegotiation and, 466–467
hexadecimal form/dotted-decimal form, 228–229
"hex.c" show_hex, 54
Hickman, Kipp, 298
HMAC function, 184–201. See also MACs
diagram, 188
listings
"digest.c" finalize digest, 194–195
"digest.c" update digest function, 192–194
"digest.h" digest context structure declaration, 191–192
"hmac.c" HMAC function, 186–188
"hmac.c" HMAC function prototype, 188–189
"hmac.c" main routine, 199–200
"hmac.c" modified HMAC function to use updateable digest functions, 198–199
"md5.c" MD5 digest initialization, 195
"sha.c" SHA-1 digest initialization, 195–196
"sha.c" SHA-256 digest initialization, 196
MD5 hash computation of file (example), 196–200
message digests and, 184
SSLv2 and, 611
updateable hash functions, 190–200
Hongbo Yu, 170
HTTP (Hypertext Transport Protocol), 4–5
case sensitive, 8
CONNECT command, 561, 562, 563
email v., 547
line-oriented, 25
"proxy-less," 16
session resumption and, 421
versions, 9
HTTP client (sample application). See also HTTPS client
Base64 encoding implementation, 17–21
listings
"base64.c" base64_decode, 19–20
"base64.c" base64_encode, 18–19
"http.c" display_result, 11–12
"http.c" http_get (with proxy support), 16–17, 20–21
"http.c" main (with proxy support), 13–14
"http.c" parse_proxy_param, 14–16
"http.c" parse_url, 6
"tls.h" top-level function prototypes, 300–301
security features, 5
HTTP server (sample application)
listings
"ssl_webserver.c" main routine, 382
"ssl_webserver.c" process_https_request, 382–383
"ssl_webserver.c" send and read modifications, 383
"webserver.c" build responses, 26–27
"webserver.c" main routine, 21–23
"webserver.c" process_http_request, 24–25
"webserver.c" read_line, 25–26
"webserver.c" remote connection exclusion code, 24
HTTPS
end-to-end examples (TLS 1.0), 369–378
client hello request dissected, 370–371
decrypting encrypted exchange, 374–377
exchanging application data, 377–378
key exchange message dissected, 373–374
server response messages dissected, 372–373
HTTP server (sample application) and, 381–390
multiple ports and, 544
https application end-to-end example (SSLv2), 619–626
HTTPS client (sample application). See also HTTP client
listings
"https.c" http_connect, 562–564
"https.c" http_get and display_result, 302
"https.c" http_get with SSLv2 support, 581
"https.c" main routine, 301
"https.c" main routine with proxy support, 561–562
"https.c" main routine with session resumption, 425–427
"https.c" main routine with SSLv2 support, 580
"https.c" with OpenSSL, 564–566
Hudson, Tim J., 575
huge numbers. See also Elliptic-Curve Cryptography; RSA algorithm
arbitrary precision binary math module, 93–114
listings
"huge.c" add (overflow expansion), 97
"huge.c" add routine (addition routine), 96
"huge.c" add routine (size computation), 95
"huge.c" add with negative number support, 143–144
"huge.c" add_magnitude and subtract_magnitude, 143
"huge.c" contract, 100
"huge.c" copy_huge & free huge, 103
"huge.c" divide, 108–109, 112–113
"huge.c" divide with negative number support, 146–147
"huge.c" exponentiate, 117–118
"huge.c" initializer routines with negative number support included, 142
"huge.c" inv routine, 148–149
"huge.c" left_shift, 106
"huge.c" multiply with negative number support, 146
"huge.c" right_shift, 112
"huge.c" subtract with negative number support, 145–146
"huge.c" unload_huge, 124
"huge.h" huge structure, 93
"huge.h" huge structure with negative number support, 141–142
Barrett reduction, 114
Montgomery reduction, 114
negative numbers support (ECC), 138–147
Hypertext Transport Protocol. See HTTP
I
IANA (Internet Assigned Numbers Authority), 545
ICANN (Internet Corporation for Assigned Names and Numbers), 553
ICMP timeout packets, 3
identity matrix, 71
"IEEE Transactions on Information Theory," 114, 132
IETF, 27, 84, 298, 299, 546, 579, 601
#ifdef, 52
illegal parameter, 318, 322, 440
indefinite-length encoding, 549–550
infinitely parallelizable, 56, 170, 491, 502
initial hash, SHA-256, 184
initial permutation, DES, 34–38
initial permutation table, "des.c", 36
initialization vectors, DES and, 49–50, 51, 53, 55
init_parameters, "ssl.c", 587–588
init_parameters, "tls.c", 306, 387
init_parameters with saved verify data, 472
init_parameters with session resumption support, "tls.c", 435
init_protection_parameters with seq_num, "tls.c", 354–355
init_tls, 430
init_tls with ECDHE_ECDSA support, 533
init_x509_certificate, 266
input processing function, SHA-1, 174–176
Intel processors, PCLMULQDQ instruction, 523
Intel x86 little-endian conventions, 32
internal byte ordering, 572
International Telecommunications Union. See ITU
Internet
packet-switching network, 2
Internet Assigned Numbers Authority (IANA), 545
Internet Corporation for Assigned Names and Numbers (ICANN), 553
Internet Explorer, 230, 234, 238, 239, 244, 294, 410, 418, 465
Internet Protocol. See IP
inversion routines, "aes.c", 75–77
inv_mix_columns, "aes.c", 77–78
IP (Internet Protocol), 2. See also TCP/IP
IP addresses/DNS security, 553–554
irreversibility, message digests, 160
issuing certificates, 227
ITU (International Telecommunications Union), 225
J
Jacobian projection, 220
JSSE, 123
K
Kaminsky, Dan, 556
key combination, AES, 68
key escrow system, 378
key exchange. See also Diffie-Hellman key exchange
ephemeral key exchange, 436–448, 487
server key exchange message, 436–442
"tls.c" parse_server_key_exchange, 437–438
"tls.c" parse_server_key_exchange with signature verification, 440
"tls.c" receive_tls_msg with DSA key support, 445
"tls.c" receive_tls_msg with server key exchange, 437
"tls.c" send_client_key_exchange, 445
"tls.c" verify_signature, 441, 446–448
"tls.h" TLSParameters with dsa key support, 444–445
"x509.c" parse_x509_chain with DSA support, 445–446
key exchange message dissected (HTTPS example), 373–374
server key exchange message, 344, 436
TLS 1.0 handshake (client-side), 329–344
Diffie-Hellman key exchange, 343–344
master secret computation, 336–337
TLS 1.0 handshake (server-side), 394–409
checking for successful decryption, 406–407
RSA key exchange and private key location, 395–399
supporting encrypted private key files, 399–406
"tls.c" tls_connect with key exchange, 337
key permutation table 1, "des.c", 39
key permutation table 2, "des.c", 39
key schedule
defined, 39
"A Key Recovery Attack on Discrete Log-based Schemes Using a Prime Order Subgroup," 236
keys. See also private key; public key
brute force attacks and, 29
defined, 29
DSA, 209
known plaintext attacks, 186, 493
Koblitz, Neal, 132
Koblitz curves, 525
L
large numbers. See huge numbers
LDAP-based certificates, 234
least-significant bit (LSB), 39, 40, 93, 116, 504
least-significant bytes, 495, 571, 572
least-significant digit, 571
libpcap, 575
line-oriented HTTP, 25
Linux system
OpenSSL installation, 577
tcpdump installation, 575
Listings. See specific listings
little-endian number format, 571–572
computers, 313
"huge.c" set_huge (little-endian/big-endian conversion), 104, 105
Intel x86, 32
"md5.c" md5 initial hash, 166
"sha.c" SHA-1 in little-endian format, 178
load_file_into_memory, 398–399
logical operations, binary, 568–570
LOKI, 83
LSB. See least-significant bit
Lucks, Stefan, 170
LUHN consistency check, 185
M
MACs (Message Authentication Codes). See also HMAC function
maximizing MAC throughput with Galois-Field authentication, 502–505
qualities, 494
magic constant, 504
magic numbers, 3
"magnitude/sign" approach, 140
main routine
"aes.c" main routine modified to accept associated data, 513–514
"des.c" main routine with 3DES support, 59
"des.c" main routine with decryption support, 54–55
"digest.c" main routine, 179–180
"dsa.c" test main routine, 207–209
"hmac.c" main routine, 199–200
"https.c" main routine, 301
"https.c" main routine with proxy support, 561–562
"https.c" main routine with session resumption, 425–427
"https.c" main routine with SSLv2 support, 580
"privkey.c" test main routine, 397–398
"rc4.c" main routine for testing, 87
"rsa.c" test main routine, 126–129
"ssl_webserver.c" main routine, 382
"webserver.c" main routine, 21–23
"x509.c" main routine, 281–283, 291
man-in-the-middle attacks, 222–224
export-grade ciphers and, 626
marker request, 449
Marlinspike, Moxie, 234
"Math Computation," 114
matrix multiplication example (AES), 70–71
MD5
birthday attack, 170
goal of, 160
listings
"md5.c" alternate md5_block_operate implementation, 164–166
"md5.c" bit manipulation routines, 160–161
"md5.c" MD5 digest initialization, 195
"md5.c" md5 hash algorithm, 167–168
"md5.c" md5 initial hash, 166
"md5.c" md5_block_operate function, 162–164
little-endian number format, 161, 164, 197
MD5 hash computation of file (example), 196–200
Message Authentication Codes. See MACs
message digests, 158–159. See also MD5
defined, 158
"digest.c" finalize digest, 194–195
"digest.c" update digest function, 192–194
"digest.h" digest context structure declaration, 191–192
HMAC function and, 184
irreversibility, 160
updateable digest functions, 190–200
METHOD, 17
Miller, Victor, 132
MIME (Multipurpose Internet Mail Extensions), 547–548
mix_columns, "aes.c", 73
Modadugu, Nagendra, 559
mod_ssl, 575
Barrett reduction, 114
Montgomery reduction, 114
most-significant bit (MSB), 40, 93, 570–571, 595
most-significant digit, 571
MSB. See most-significant bit
multiple ports, HTTPs and, 544
multiple recipients, email, 550–552
multiplication
double and add approach, 106, 116, 134, 150, 153, 213, 503
"ecc.c" point-multiplication algorithm, 214–215
"ecc_int.c" multiply_point routine, 153
"huge.c" multiply with negative number support, 146
matrix multiplication example (AES), 70–71
point multiplication on elliptic curve, 134
square and multiply, 116
Multipurpose Internet Mail Extensions. See MIME
munitions classification, cryptography and, 463
mutually-authenticated TLS handshake, 460–462
N
naive secure channel protocol, 222–224
named curves, 218, 524–527, 530, 537, 540
"ecc.c" get_named_curve, 525–527
online list, 525
SECG, 525
National Center for Supercomputing Applications, 543
National Institute for Standards and Technology. See NIST
negative numbers
two's-complement arithmetic, 570–571
Netscape, 4, 27, 298, 543, 579, 596
Network News Transfer Protocol. See NNTP
NIST (National Institute for Standards and Technology), 46, 60, 181
NNTP (Network News Transfer Protocol), 543–545
not after date, 224
not before date, 224
NOT operation, 569
NTLM, 17
"Null Prefix Attacks Against SSL Certificates" (Marlinspike), 234
O
OAEP, 126
object identifiers. See OIDs
OCSP (Online Certificate Status Protocol), 295–296
OFB (output-feedback mode), 50, 90, 126, 490, 491, 494
OIDs (object identifiers), 227–229
dotted-decimal form/hexadecimal form, 228–229
one's complement arithmetic, 570
Online Certificate Status Protocol (OCSP), 295–296
open-source SSL implementations, 27–28
OpenSSL
generation
DSA keypair and certificate, 251–252
RSA keypair and certificate, 244–251
"https.c" with OpenSSL, 564–566
Linux system, 577
Young and, 27
OPTIONS, 24
OR operation, 569
order, of elliptic curves, 152, 524
output-feedback mode. See OFB
P
packet-switching network, 2
padding
block cipher algorithms, 46–55
NIST 800-3A, 48
OAEP, 126
triple DES, 56
padding identifiers, 120
padlock icon, 1, 230, 244, 278
paf flag, 153
parallelizable, infinitely, 56, 170, 491, 502
parity bits, 39
parse_algorithm_identifier, "x509.c", 270
parse_algorithm_identifier with DSA support, "x509.c", 287
parse_algorithm_identifier with ECDSA support, "x509.c", 528
parse_certificate_request, 451–452
parse_certificate_request with TLS 1.2 support, 488–489
parse_client_hello, "tls.c", 388–390
parse_client_hello with client hello extension support, 416–417
parse_client_hello with session resumption support, "tls.c", 433
parse_client_hello_extensions, 417–418
parse_client_key_exchange, "tls.c", 407–408
parse_dsa_signature_value, "x509.c", 288–289
parse_extension, "x509.c", 276
parse_extension with key usage recognition, "x509.c", 277
parse_extensions, "x509.c", 276
parse_pkcs8_private_key, 402–406
parse_public_key_info, "x509.c", 274–275
parse_public_key_info with ECDSA support, "x509.c", 529–530
parse_renegotiation_info, 477–478
parse_server_error, "ssl.c", 597
parse_server_finished, "ssl.c", 617
parse_server_hello, "ssl.c", 597–599
parse_server_hello with extensions recognition, 476
parse_server_hello with session ID support, "tls.c", 425
parse_server_hello_extensions, 476–477
parse_server_key_exchange, "tls.c", 437–438
parse_server_key_exchange with ECDH support, 534–536
parse_server_key_exchange with signature and hash algorithm declaration, 487–488
parse_server_key_exchange with signature verification, 440
parse_server_name_extension, 418–419
parse_server_verify, "ssl.c", 615–616
parse_signature_value, "x509.c", 279
parse_tbs_certificate, "x509.c", 268–269
parse_x509_certificate, 267–268
parse_x509_certificate with DSA support, 287–288
parse_x509_certificate with ECDSA signatures, 532–533
parse_x509_certificate with stored hash, 279–280
parse_x509_chain, 325–327, 531
parse_x509_chain with DSA support, 445–446
parse_x509_chain with ECDSA support, 531–532
parsing certificates (ECDSA, TLS 1.2), 527–533
parsing signature types (Diffie-Hellman, TLS 1.2), 485–489
PCLMULQDQ instruction, 523
PEM (Privacy-Enhanced Mail), 246, 263, 281, 395, 396, 400, 546
perfect forward secrecy, 130, 439, 465, 524
permutations
defined, 31
DES initial permutation, 34–38
Pil Joon Lee, 236
PKCS
PKCS #1
padding, 339
PKCS #1.5 padding, 126, 395, 412
PKCS #5
Password-Based Encryption, 406
PKCS #7-formatted RSA signatures (validation), 280–285
PKCS #8
encoded private key file, 402
PKCS #10 format, 293
PKI. See public key infrastructure
plaintext attacks, known, 186, 493
Pohlig, Stephen, 132
Pohlig-Hellman attack, 132
point multiplication on elliptic curve, 134
point-doubling algorithm, 134, 150, 213
ports
destination port, 3
multiple, HTTPS and, 544
port 53, 555
port 80, 8, 13, 16, 21, 300, 381, 544, 563
port 563, 545
source port, 3
position shifting binary numbers, 570
premaster secret, 329, 336–339, 343–344, 373, 374, 378–379, 394, 408
PRF (pseudo-random function), 329–335
client key exchange (TLS 1.0) with, 329–335
diagram, 330
modifications (TLS 1.2), 481–482
"prf.c" PRF2, 482
prime finite field, ECC over, 150
prime number 65,537, 115, 116, 129
Privacy-Enhanced Mail. See PEM
private key
decryption and, 92
/public key, reversibility and, 157
private key algorithms. See symmetric algorithms
"privkey.c" parse_pkcs8_private_key, 402–406
"privkey.c" parse_private_key, 396–397
"privkey.c" test main routine, 397–398
process_https_request, 382–383
proxy specification, 13
proxy support
HTTP client application, 12–17
HTTPS client application, 560–564
"proxy-less" HTTP, 16
pseudo-random function. See PRF
public key
encryption and, 92
/private key, reversibility and, 157
public key (asymmetric) algorithms, 91–155. See also RSA algorithm
arbitrary precision binary math module, 93–114. See also huge numbers
symmetric algorithms v., 30, 91, 129–130
public key infrastructure (PKI), 292–293, 296, 556
Q
Qualys Research security analysis, 235
R
Ray, Marsh, 468
RC4 algorithm
cracking, 86
decryption, 84
encryption, 86
listings
"rc4.c" key-length wrapper functions, 89–90
"rc4.c" main routine for testing, 87
"rc4.c" rc4_operate with persistent state, 88–89
"rc4.h" rc4_state structure, 88
"tls.c" calculate_keys with special RC4 exception, 359
RC4-compatible algorithm, 84
receive
"receive_tls_message" with alert support, 323
"receive_tls_msg" with optimal response buffer, 365
"ssl.c" receive_ssl_message, 594–596
"ssl.c" receive_ssl_message with encryption support, 613–614
"tls.c" receive_tls_message with session renegotiation support, 466–467
"tls.c" receive_tls_msg, 317, 318, 319–320
"tls.c" receive_tls_msg with buffering support, 366–368
"tls.c" receive_tls_msg with certificate request support, 450–451
"tls.c" receive_tls_msg with decrypt support, 361–362
"tls.c" receive_tls_msg with DSA key support, 445
"tls.c" receive_tls_msg with handshake digest update, 348–349
"tls.c" receive_tls_msg with multiple handshake support, 325
"tls.c" receive_tls_msg with server hello done support, 328
"tls.c" receive_tls_msg with server key exchange, 437
"tls.c" receive_tls_msg with support for change cipher spec, 345–346
"tls.c" tls_receive_message with server finished support, 351
RelativeDistinguishedName, 231
relatively prime, 136
remember_session, "tls.c", 430–431
renegotiation. See session renegotiation
replay attacks, 49, 184, 304, 336, 353, 441, 593. See also HMAC function
resource records (RRs), 555
resumed session. See session resumption
resumption. See session resumption
reversibility
message digests and, 160
public key/private key, 157
revoked certificates, 224. See also certificate revocation lists
RFC 971, 2
RFC 977, 544
RFC 2246, 1, 2, 27, 83, 299, 309, 435, 436
RFC 2247, 234
RFC 2459, 275
RFC 2535, 556
RFC 2560, 296
RFC 2595, 546
RFC 2617, 17
RFC 2817, 561
RFC 2818, 299
RFC 3207, 546
RFC 3268, 83
RFC 3280, 234
RFC 4034, 557
RFC 4754, 218
RFC 5246, 27, 379, 476, 489, 516, 541
RFC 5652, 550
RFC 5746, 470
right-shift, 107
Rijndael algorithm, 60, 83. See also AES algorithm
Rivest, Ron, 84, 91, 160. See also MD5; RC4 algorithm; RSA algorithm
RKM (RSA Key Manager), 449
rotate left, "des.c", 40
rotate right, "des.c", 46
rot_word, "aes.c", 63
round constant, 61, 64, 66, 67, 68, 72
row-shifting step, 68
RRs (resource records), 555
RSA algorithm, 91
arbitrary precision binary math module, 93–114. See also huge numbers
CBC, 126
DHE/RSA/DES/SHA-1 handshake, 442–448
digital signatures and, 157–158, 201–202
key exchange (TLS client key exchange), 337–343
keypair generation, 129
listings
"huge.c" exponentiate, 117–118
"huge.c" unload_huge, 124
"rsa.c" rsa_encrypt and rsa_sign, 454–455
"rsa.c" rsa_key structure, 120–121
"rsa.c" test main routine, 126–129
"tls.c" rsa_key_exchange, 339
PKCS #7-formatted RSA signatures, 280–285
65,537 (prime number), 115, 116, 129
speeding up, 129
testing encryption/decryption, 126–130
RSA Key Manager (RKM), 449
S
salt, 49. See also initialization vectors
s-boxes
s-boxes, "des.c", 42
Schneier, Bruce, 83
SEC (Standards for Efficient Cryptography), 525
SECG (Standards for Efficient Cryptography Group), 525
secrecy, perfect forward, 130, 439, 465, 524
secure channel protocol, 222–224
secure data transfer (TLS 1.0 client-side), 353–369
assigning sequence numbers, 353–355
decryption and authentication, 361–364
encryption support (outgoing), 355–358
listings
"receive_tls_msg" with optimal response buffer, 365
"tls.c" calculate_keys with special RC4 exception, 359
"tls.c" init_protection_parameters with seq_num, 354–355
"tls.c" receive_tls_msg with buffering support, 366–368
"tls.c" receive_tls_msg with decrypt support, 361–362
"tls.c" send_message with encryption, 358
"tls.c" send_message with MAC support, 355–357
"tls.c" send_message with padding support, 357
"tls.c" tls_connect with receive_tls_msg calls updated, 365–366
"tls.c" tls_recv, 365
"tls.c" with protection parameters sent to send_message, 360
"tls.h" ProtectionParameters with seq_num, 354
"tls.h" TLSParameters with buffering support, 366
stream ciphers support, 358–359
update each invocation of send_message, 359–360
Secure Hash Algorithm. See SHA-1
secure renegotiation. See also session renegotiation
Secure Sockets Layer. See SSL
security
challenge, 566
trade-off, 566
"security escape," 610
self-signed certificates, 227, 238
send
client hello message (flattening/sending), 309–316
send_client_key_exchange with ECDHE support, 538
"ssl.c" send_client_finished, 608
"ssl.c" send_client_hello, 589–590
"ssl.c" send_client_master_key, 606–607
"ssl.c" send_handshake_message, 590–591
"ssl.c" send_message with encryption support, 608–611
"ssl.c" ssl_send, 617
"tls.c" send_alert_message, 319
"tls.c" send_certificate_verify, 455–457
"tls.c" send_change_cipher_spec, 345
"tls.c" send_client_hello, 307–308, 310, 311
"tls.c" send_client_hello with session resumption, 424–425
"tls.c" send_client_key_exchange, 337–338
"tls.c" send_client_key_exchange with Diffie-Hellman key exchange, 343
"tls.c" send_finished, 349
"tls.c" send_handshake_message, 312–313
"tls.c" send_handshake_message updates, 348
"tls.c" send_handshake_message with handshake digest update, 347–348
"tls.c" send_message with encryption, 358
"tls.c" send_message with explicit IVs, 480
"tls.c" send_message with MAC support, 355–357
"tls.c" send_message with padding support, 357
update each invocation of send_message, 359–360
SEQUENCE, 226
Sequence number field, 559
sequence numbers assigned (secure data transfer, TLS 1.0), 353–355
sequences (DER), 243
serial IDs, 224
serial numbers, 227
serialNumber field, 227
server gated cryptography, 465
server hello
TLS 1.0 handshake (client-side), 316–324
TLS 1.0 handshake (server-side), 390–391
server hello done message
TLS 1.0 handshake (client-side), 328–329
TLS 1.0 handshake (server-side), 393
server key exchange message, 344, 436–442. See also ephemeral key exchange
server key exchange signature, 442
server name identification (SNI) extensions, 416–420
client hello with, 419
"tls.c" parse_client_hello_extensions, 417–418
"tls.c" parse_server_name_extension, 418–419
server_finished, 350, 386, 586
server_side session resumption support, 429
session ID, 304, 308, 311, 316, 320, 372, 420
session renegotiation, 465–478
hello request supported, 466–467
listings
"tls.c" client hello extension capability, 473–476
"tls.c" init_parameters with saved verify data, 472
"tls.c" parse_renegotiation_info, 477–478
"tls.c" parse_server_hello with extensions recognition, 476
"tls.c" parse_server_hello_extensions, 476–477
"tls.c" receive_tls_message with session renegotiation support, 466–467
"tls.c" saving verify data, 472–473
"tls.c" tls_connect with renegotiate flag, 467
"tls.h" TLSParameters with saved verify data, 471–472
secure renegotiation example, 470–471
secure renegotiation implementation, 471–478
session resumption v., 465–466
session resumption
drawbacks of server implementation, 435–436
HTTP and, 420
listings
"https.c" main routine with session resumption, 425–427
"tls.c" find_stored_session, 431–433
"tls.c" init_parameters with session resumption support, 435
"tls.c" init_tls, 430
"tls.c" parse_client_hello with session resumption support, 433
"tls.c" parse_server_hello with session ID support, 425
"tls.c" remember_session, 430–431
"tls.c" send_client_hello with session resumption, 424–425
"tls.c" server_side session resumption support, 429
"tls.c" session storage hash table, 429–430
"tls.c" tls_accept with session resumption support, 433–435
"tls.c" tls_accept with session storage, 435
"tls.h" TLSParameters with session ID, 416–417
requesting, 422
restoring previous session's master secret, 424–425
session ID storage added, 429–433
session renegotiation v., 465–466
session resumption logic added to client, 422–424
shortened session resumption handshake sequence, 421
unique session ID assigned to each session, 429
session storage hash table, 429–430
SET_BIT macro, 36
sets (DER), 243
setsockopt, 23
SHA-1 (Secure Hash Algorithm), 171–180
DHE/RSA/DES/SHA-1 handshake, 442–448
DSA and, 202
input processing function, 174–176
listings
"digest.c" digest_hash, 176–178
"digest.c" main routine, 179–180
"digest.h" digest_hash function prototype, 176
"md5.c" md5_finalize, 176
"sha.c" bit manipulation, initialization and block operation, 171–174
"sha.c" SHA-1 digest initialization, 195–196
"sha.c" SHA-1 hash algorithm, 174–175
"sha.c" SHA-1 in little-endian format, 178–179
"sha.c" sha1_finalize, 176
SSLv2 and, 584
SHA-256
ECDSA and, 211
finalization, 184
initial hash, 184
listings
"sha.c" SHA-256 block operate, 182–183
"sha.c" SHA-256 digest initialization, 196
"sha.c" SHA-256 Initial Hash, 184
"sha.c" SHA-256 Sigma Functions, 181
sigma functions, 181
SHA-256 digest update, 483–484
Shamir, Adi, 91. See also RSA algorithm
shared key algorithms. See symmetric algorithms
shifting binary numbers, 570
Shining Light Productions, 576
shutdown (TLS 1.0 client-side), 368–369
"tls.c" free_protection_parameters, 369
sigma functions, SHA-256, 181
signature and hash algorithms, "tls.h", 486–487
signature verification, TLS 1.2, 485–486
signed-ness, of variables, 571
"sign/magnitude" approach, 140
65,537 (prime number), 115, 116, 129
small subgroup attack, 236–237
S/MIME
attachment format, 551
certificate management, 552
Diffie-Hellman key exchange and, 550
encoded email message, 549
multiple recipients email and, 550–552
SNI extensions. See server name identification extensions
"Software Implementations of the NIST Elliptic Curves over Prime Fields" (Brown), 210
source port, 3
speeding up RSA decryption operation, 129
square and multiply, 116. See also double and add approach
SSL (Secure Sockets Layer). See also OpenSSL; SSLv2; TLS
certificate problems and, 296
open-source implementations, 27–28
original specification proposal, 4
stateful, 552
support, 27
TLS/SSL design, email and, 546–547
SSLv2
brute-force attacks and, 626
certificate extensions and, 627
export-grade ciphers and, 584, 607
history of, 298
HMAC function and, 611
https application (end-to-end example), 619–626
listings
"https.c" http_get with SSLv2 support, 581
"https.c" main routine with SSLv2 support, 580
"ssl.c" cipher spec declarations, 584
"ssl.c" init_parameters, 587–588
"ssl.c" parse_server_error, 597
"ssl.c" parse_server_finished, 617
"ssl.c" parse_server_hello, 597–599
"ssl.c" parse_server_verify, 615–616
"ssl.c" receive_ssl_message, 594–596
"ssl.c" receive_ssl_message with encryption support, 613–614
"ssl.c" send_client_finished, 608
"ssl.c" send_client_hello, 589–590
"ssl.c" send_client_master_key, 606–607
"ssl.c" send_handshake_message, 590–591
"ssl.c" send_message with encryption support, 608–611
"ssl.c" ssl_send, 617
"ssl.h" CipherSuite declarations, 583–584
"ssl.h" ClientFinished declaration, 607–608
"ssl.h" ClientHello declaration, 588
"ssl.h" ClientMasterKey declaration, 605–606
"ssl.h" ServerFinished declaration, 616
"ssl.h" ServerHello declaration, 592–594
"ssl.h" ServerVerify declaration, 613
"ssl.h" SSL function prototypes, 580
"ssl.h" SSLParameters declaration, 582–583
"ssl.h" SSLv2 CipherSpec declaration, 583
man-in-the-middle attacks and, 346, 626
problems with, 346, 579, 626–627
SHA and, 584
successors to, 298
truncation attacks and, 368, 626
SSLv3, 27, 593, 600, 604, 619. See also TLS 1.0
Standards for Efficient Cryptography (SEC), 525
Standards for Efficient Cryptography Group (SECG), 525
state, 67
state matrix, 74
stateful
SSL, 552
stateless
UDP, 556
status codes, 10
step-up cryptography, 465
stored_sessions table, 432
stream cipher algorithms, 83–90. See also AEAD mode ciphers; block cipher algorithms
AEAD ciphers v., 490
AES-CCM v., 517
AES-GCM v., 517
benefits, 491
block cipher algorithms v., 83, 490–491
block cipher to stream cipher conversion, 90
support (TLS 1.0 client-side), 358–359
XOR operation and, 83
strings (DER), 242
sub_bytes, "aes.c", 69
subjectPublicKeyInfo field, 235–236
subtracting/adding machines (computers), 570
subtraction
"huge.c" add_magnitude and subtract_magnitude, 143
"huge.c" subtract with negative number support, 145–146
sub_word, "aes.c", 64
symmetric (private/shared key) algorithms, 29–90. See also block cipher algorithms; stream cipher algorithms
challenge of, 91
public key algorithms v., 30, 91, 129–130
SYN (synchronize) packet, 3, 12
synchronize packet. See SYN packet
T
tag classes, 244
defined, 238
TCP (Transport Control Protocol), 3–4
TLS without, 559
tcpdump, 370, 371, 416, 573–575
https application and, 619–626
installation
Linux system, 575
Windows system, 574
TCP/IP, 4
terse initial permutation, 35–36
32-bit processors, 568
3DES. See triple DES
302 (status code), 10
TIME_WAIT, 23
timing attacks, 119
tin, 543
TLS (Transport Layer Security). See also SSL
challenge, 566
datagram traffic and, 559
DTLS v., 559
email and, 552. See also S/MIME
GnuTLS, 27, 28, 123, 140, 155, 540, 541
SSL/TLS design, email and, 546–547
without TCP, 559
TLS 1.0. See also TLS 1.0 handshake
secure data transfer (client-side)
assigning sequence numbers, 353–355
decryption and authentication, 361–364
encryption support (outgoing), 355–358
stream ciphers support, 358–359
update each invocation of send_message, 359–360
HTTPS end-to-end examples, 369–378
client hello request dissected, 370–371
decrypting encrypted exchange, 374–377
exchanging application data, 377–378
key exchange message dissected, 373–374
server response messages dissected, 372–373
PKCS #1.5 padding, 126
PRF (pseudo-random function)
client key exchange with, 329–335
diagram, 330
secure data transfer (client-side TLS)
"receive_tls_msg" with optimal response buffer, 365
"tls.c" calculate_keys with special RC4 exception, 359
"tls.c" init_protection_parameters with seq_num, 354–355
"tls.c" receive_tls_msg with buffering support, 366–368
"tls.c" receive_tls_msg with decrypt support, 361–362
"tls.c" send_message with encryption, 358
"tls.c" send_message with MAC support, 355–357
"tls.c" send_message with padding support, 357
"tls.c" tls_connect with receive_tls_msg calls updated, 365–366
"tls.c" tls_recv, 365
"tls.c" with protection parameters sent to send_message, 360
"tls.h" ProtectionParameters with seq_num, 354
"tls.h" TLSParameters with buffering support, 366
HTTPS support added to HTTP server application, 381–390, 411–412
"tls.c" free_protection_parameters, 369
TLS 1.2 (message-format level) v., 489
transparency, 299
TLS 1.0 handshake (client-side/server-side), 299–353, 381–411
certificate message, 324–328, 391–393
change cipher spec message, 344–346, 409
client authentication, 448–462
certificate request message, 449–453
certificate verify message, 449, 453–457
CertificateRequest, 449, 450, 452
mutually-authenticated TLS handshake, 460–462
RKM and, 449
"rsa.c" rsa_encrypt and rsa_sign, 454–455
with TLS handshake (diagram), 457
"tls.c" parse_certificate_request, 451–452
"tls.c" receive_tls_msg with certificate request support, 450–451
"tls.c" send_certificate_verify, 455–457
"tls.c" tls_connect with support for certificate requests, 452–453
"tls.h" TLSParameters with certificate request flag, 450
client hello, 304–316, 387–390
with headers, 316
tracking handshake state in TLSParameters structure, 304–308
client hello extensions, 415–420
"tls.c" client hello extension capability, 473–476
"tls.c" parse_client_hello with client hello extension support, 416–417
"tls.c" parse_client_hello_extensions, 417–418
"tls.c" parse_server_name_extension, 418–419
client key exchange, 329–344, 394–409
checking for successful decryption, 406–407
Diffie-Hellman key exchange, 343–344
master secret computation, 336–337
RSA key exchange and private key location, 395–399
supporting encrypted private key files, 399–406
ephemeral key exchange, 436–448, 487
server key exchange message, 436–442
"tls.c" parse_server_key_exchange, 437–438
"tls.c" parse_server_key_exchange with signature verification, 440
"tls.c" receive_tls_msg with DSA key support, 445
"tls.c" receive_tls_msg with server key exchange, 437
"tls.c" send_client_key_exchange, 445
"tls.c" verify_signature, 441, 446–448
"tls.h" TLSParameters with dsa key support, 444–445
"x509.c" parse_x509_chain with DSA support, 445–446
finished message, 346–353, 409–411
computing verify message, 347–351
HTTPS support added to HTTP server application, 381–390
HTTPS support pitfalls, 411–412
less common aspects, 415
listings
"file.c" load_file_into_memory, 398–399
"https.c" http_get and display_result, 302
"https.c" main routine, 301
"privkey.c" parse_pkcs8_private_key, 402–406
"privkey.c" parse_private_key, 396–397
"privkey.c" test main routine, 397–398
"receive_tls_message" with alert support, 323
"ssl_webserver.c" main routine, 382
"ssl_webserver.c" process_https_request, 382–383
"ssl_webserver.c" send and read modifications, 383
"tls.c" append buffer, 311
"tls.c" calculate_keys, 341–342
"tls.c" calculate_keys with server support, 408–409
"tls.c" cipher suites list, 340–341
"tls.c" client hello structure, 306–307
"tls.c" compute_verify_data, 349–350
"tls.c" compute_verify_data with temporary copy, 352–353
"tls.c" dh_key_exchange, 343–344
"tls.c" init_parameters, 306, 387
"tls.c" master secret computation, 336–337
"tls.c" parse_client_hello, 388–390
"tls.c" parse_client_key_exchange, 407–408
"tls.c" parse_finished, 351
"tls.c" parse_server_hello, 321–322
"tls.c" peer_finished, 386–387
"tls.c" read_buffer, 323
"tls.c" receive_tls_message with client_hello, 387–388
"tls.c" receive_tls_message with client_key_exchange, 394–395
"tls.c" receive_tls_msg, 317, 318, 319–320
"tls.c" receive_tls_msg with handshake digest update, 348–349
"tls.c" receive_tls_msg with multiple handshake support, 325
"tls.c" receive_tls_msg with server hello done support, 328
"tls.c" receive_tls_msg with support for change cipher spec, 345–346
"tls.c" report_alert, 324
"tls.c" rsa_key_exchange, 339
"tls.c" send_alert_message, 319
"tls.c" send_certificate, 392–393
"tls.c" send_change_cipher_spec, 345
"tls.c" send_client_hello, 307–308, 310, 311
"tls.c" send_client_key_exchange, 337–338
"tls.c" send_client_key_exchange with Diffie-Hellman key exchange, 343
"tls.c" send_finished, 349
"tls.c" send_finished with server support, 410
"tls.c" send_handshake_message, 312–313
"tls.c" send_handshake_message updates, 348
"tls.c" send_handshake_message with handshake digest update, 347–348
"tls.c" send_server_hello, 390–391
"tls.c" send_server_hello_done, 393
"tls.c" tls_connect, 306
"tls.c" tls_connect multiple handshake messages, 329
"tls.c" tls_connect with client finished message, 349
"tls.c" tls_connect with handshake digests, 347
"tls.c" tls_connect with key exchange, 337
"tls.c" tls_connect with server finished support, 350
"tls.c" TLSParameters, 350–351
"tls.c" tls_receive_message with server finished support, 351
"tls.h" CipherSuite structure, 340
"tls.h" CipherSuiteIdentifier list, 308–309
"tls.h" handshake structure, 312
"tls.h" ProtectionParameters, 304
"tls.h" ProtectionParameters with cipher suite, 322–323
"tls.h" ServerHello structure, 321
"tls.h" TLSParameters, 304–305
"tls.h" TLSParameters with digest contexts, 347
"tls.h" TLSParameters with server-side support, 386
"tls.h" TLSParameters with state tracking included, 328
"tls.h" TLSPlaintext header, 313–315
"tls.h" top-level function prototypes, 300–301
"x509.c" parse_x509_chain, 325–327
mutually-authenticated, 460–462
procedure (high-level diagram), 303–304
server hello done message, 328–329, 393
reporting server alerts, 323–324
structure diagram, 320
server name identification extensions, 416–420
client hello with, 419
"tls.c" parse_client_hello_extensions, 417–418
"tls.c" parse_server_name_extension, 418–419
session renegotiation, 465–478
hello request supported, 466–467
listings
"tls.c" client hello extension capability, 473–476
"tls.c" init_parameters with saved verify data, 472
"tls.c" parse_renegotiation_info, 477–478
"tls.c" parse_server_hello with extensions recognition, 476
"tls.c" parse_server_hello_extensions, 476–477
"tls.c" receive_tls_message with session renegotiation support, 466–467
"tls.c" saving verify data, 472–473
"tls.c" tls_connect with renegotiate flag, 467
"tls.h" TLSParameters with saved verify data, 471–472
secure renegotiation example, 470–471
secure renegotiation implementation, 471–478
session resumption v., 465–466
session resumption
drawbacks of server implementation, 435–436
HTTP and, 420
"https.c" main routine with session resumption, 425–427
requesting, 422
restoring previous session's master secret, 424–425
session ID storage added, 429–433
session renegotiation v., 465–466
session resumption logic added to client, 422–424
shortened session resumption handshake sequence, 421
"tls.c" find_stored_session, 431–433
"tls.c" init_parameters with session resumption support, 435
"tls.c" init_tls, 430
"tls.c" parse_client_hello with session resumption support, 433
"tls.c" parse_server_hello with session ID support, 425
"tls.c" remember_session, 430–431
"tls.c" send_client_hello with session resumption, 424–425
"tls.c" server_side session resumption support, 429
"tls.c" session storage hash table, 429–430
"tls.c" tls_accept with session resumption support, 433–435
"tls.c" tls_accept with session storage, 435
"tls.h" TLSParameters with session ID, 416–417
unique session ID assigned to each session, 429
TLS support added to HTTP client application, 300–303
TLS 1.2
AEAD mode ciphers, 490–523. See also AEAD mode ciphers
Diffie-Hellman key exchange, 485–489
parsing signature types, 485–489
"tls.c" parse_certificate_request with TLS 1.2 support, 488–489
"tls.c" parse_server_key_exchange with signature and hash algorithm declaration, 487–488
"tls.c" TLS 1.2 signature verification, 485–486
"tls.h" signature and hash algorithms, 486–487
"tls.c" ecdh_key_exchange, 539–540
"tls.c" init_tls with ECDHE_ECDSA support, 533
"tls.c" parse_server_key_exchange with ECDH support, 534–536
"tls.c" send_client_key_exchange with ECDHE support, 538
"tls.c" verify_signature with ECDSA support, 537–538
"tls.h" TLSParameters with ECDH support, 534
ECDHE_ECDSA cipher suites, 533, 535, 538
ECDSA certificate parsing, 527–533
"x509.c" parse_algorithm_identifier with ECDSA support, 528
"x509.c" parse_public_key_info with ECDSA support, 529–530
"x509.c" parse_x509_certificate with ECDSA signatures, 532–533
"x509.c" parse_x509_chain with ECDSA support, 531–532
"x509.h" ECDSA algorithm identifier, 529
"x509.h" ecdsa algorithm identifier, 528
finished message support, 483–484
history, 379
message-format level changes, 479, 489
named curves, 218, 524–527, 530, 537, 540
"ecc.c" get_named_curve, 525–527
online list, 525
SECG, 525
"prf.c" PRF2, 482
"tls.c" send_message with explicit IVs, 480
"tls.c" SHA-256 digest update, 483–484
"tls.c" TLS 1.2 handshake digest initialization, 484
"tls.c" tls_decrypt with explicit IVs, 481
"tls.h" TLS 1.2 version declaration, 480
"tls.h" TLSParameters, 483
TLS 1.0 (message-format level) v., 489
TLS Message header, 315
tls_accept with session resumption support, 433–435
tls_accept with session storage, 435
tls_decrypt with explicit IVs, 481
TLSParameters, 304–305, 350–351, 483
TLSParameters with buffering support, 366
TLSParameters with certificate request flag, 450
TLSParameters with digest contexts, 347
TLSParameters with dsa key support, 444–445
TLSParameters with ECDH support, 534
TLSParameters with saved verify data, 471–472
TLSParameters with server-side support, 386
TLSParameters with session ID, 416–417
TLSParameters with state tracking included, 328
tracking handshake state in, 304–308
traceroute facility, 3
tracking certificate validity periods, 232–233
trade-off, security, 566
transparency, TLS 1.0, 299
Transport Control Protocol. See TCP
Transport Layer Security. See TLS
triple DES (3DES)
brute force attacks and, 56
listings
"des.c" des_block_operate with 3DES support, 57–58
"des.c" main routine with 3DES support, 59
wrinkle in, 56
trusted intermediary, 222–223. See also certificate authorities
trusted root certification authorities, 238, 413–414
200 (status code), 10
twofish, 83
two's-complement arithmetic, 98, 123, 275, 570–571
U
UDP (User Datagram Protocol), 553, 555, 556, 559. See also datagram traffic
universal tags, 244
updateable digest/hash functions, 190–200
Usenet, 543
User Datagram Protocol. See UDP
UTCTime, 233
UUCP systems, 17
V
validation
extended, 278
PKCS #7-formatted RSA signatures, 280–285
ValidationParms, 236
validity periods, 224, 232–233
vcredist_x86.exe, 576
verify_signature, "tls.c", 441, 446–448
verify_signature with ECDSA support, 537–538
version field, 226
Visual C++ 2008 Redistributables package, 576
W
weak cryptography, 463
web clients. See browsers
web servers, 21. See also HTTP server
WEP (Wired Equivalent Privacy), 86
wget utility, 5
whole integers, ECC and, 150
Win32 OpenSSL vx.x.x installer, 576
Windows system
tcpdump installation, 574
WinDump, 574
WinPcap, 574
Wired Equivalent Privacy (WEP), 86
Wireshark, 573
Wireshark packet sniffer, 20
X
X series, 225
X9.62 format, 528, 531, 537, 540
X.509 certificates. See certificates
X.509 specification
online, 225
revisions, 225
"x509.c" display_x509_certificate, 283–285, 290–291
"x509.c" free_x509_certificate, 266–267
"x509.c" init_x509_certificate, 266
"x509.c" main routine, 281–283, 291
"x509.c" parse_algorithm_identifier, 270
"x509.c" parse_algorithm_identifier with DSA support, 287
"x509.c" parse_algorithm_identifier with ECDSA support, 528
"x509.c" parse_dsa_signature_value, 288–289
"x509.c" parse_extension, 276
"x509.c" parse_extension with key usage recognition, 277
"x509.c" parse_extensions, 276
"x509.c" parse_public_key_info, 274–275
"x509.c" parse_public_key_info with ECDSA support, 529–530
"x509.c" parse_signature_value, 279
"x509.c" parse_tbs_certificate, 268–269
"x509.c" parse_x509_certificate, 267–268
"x509.c" parse_x509_certificate with DSA support, 287–288
"x509.c" parse_x509_certificate with ECDSA signatures, 532–533
"x509.c" parse_x509_certificate with stored hash, 279–280
"x509.c" parse_x509_chain with DSA support, 445–446
"x509.c" parse_x509_chain with ECDSA support, 531–532
"x509.c" public key info parsing with DSA support, 289
"x509.c" validate_certificate_dsa, 291
"x509.c" validate_certificate_rsa, 280–281
"x509.h" ECDSA algorithm identifier, 529
"x509.h" ecdsa algorithm identifier, 528
"x509.h" structure definitions, 264–265
"x509.h" with DSA support, 286–287
Xiaoyan Wang, 170
xor array, "des.c", 33
XOR (Exclusive OR) operation, 569
stream cipher algorithms and, 83
Y
Young, Eric A., 27, 575. See also OpenSSL
Z
0xFF01 client hello extension, 470, 475–478, 540
0xFF02 client hello extension, 540