Implementing SSL / TLS Using Cryptography and PKI
Paperback, English, 2011
Hands-on, practical guide to implementing SSL and TLS protocols for Internet security.

If you are a network professional who knows C programming, this practical book is for you. Focused on how to implement Secure Socket Layer (SSL) and Transport Layer Security (TLS), this book guides you through all necessary steps, whether or not you have a working knowledge of cryptography. The book covers SSLv2, TLS 1.0, and TLS 1.2, including implementations of the relevant cryptographic protocols, secure hashing, certificate parsing, certificate generation, and more.

Coverage includes:
- Understanding Internet Security
- Protecting against Eavesdroppers with Symmetric Cryptography
- Secure Key Exchange over an Insecure Medium with Public Key Cryptography
- Authenticating Communications Using Digital Signatures
- Creating a Network of Trust Using X.509 Certificates
- A Usable, Secure Communications Protocol: Client-Side TLS
- Adding Server-Side TLS 1.0 Support
- Advanced SSL Topics
- Adding TLS 1.2 Support to Your TLS Library
- Other Applications of SSL
- A Binary Representation of Integers: A Primer
- Installing TCPDump and OpenSSL
- Understanding the Pitfalls of SSLv2

Set up and launch a working implementation of SSL with this practical guide.
Product information
- Publication date: 2011-01-14
- Dimensions: 184 x 243 x 37 mm
- Weight: 1 003 g
- Language: English
- Number of pages: 704
- Publisher: John Wiley & Sons Inc
- EAN: 9780470920411
Joshua Davies is a principal architect for Travelocity.com, responsible for the architecture of the main Web site with a focus on networking and security. Previously, he designed distributed systems for AT&T, Digex, and the Mexican telecommunications giant Pegaso.
- Introduction
- Chapter 1: Understanding Internet Security
  - What Are Secure Sockets?
  - “Insecure” Communications: Understanding the HTTP Protocol
  - Implementing an HTTP Client
  - Adding Support for HTTP Proxies
  - Reliable Transmission of Binary Data with Base64 Encoding
  - Implementing an HTTP Server
  - Roadmap for the Rest of This Book
- Chapter 2: Protecting Against Eavesdroppers with Symmetric Cryptography
  - Understanding Block Cipher Cryptography Algorithms
  - Implementing the Data Encryption Standard (DES) Algorithm
  - DES Initial Permutation
  - DES Key Schedule
  - DES Expansion Function
  - DES Decryption
  - Padding and Chaining in Block Cipher Algorithms
  - Using the Triple-DES Encryption Algorithm to Increase Key Length
  - Faster Encryption with the Advanced Encryption Standard (AES) Algorithm
  - AES Key Schedule Computation
  - AES Encryption
  - Other Block Cipher Algorithms
  - Understanding Stream Cipher Algorithms
  - Understanding and Implementing the RC4 Algorithm
  - Converting a Block Cipher to a Stream Cipher: The OFB and COUNTER Block-Chaining Modes
- Chapter 3: Secure Key Exchange over an Insecure Medium with Public Key Cryptography
  - Understanding the Theory Behind the RSA Algorithm
  - Performing Arbitrary Precision Binary Math to Implement Public-Key Cryptography
  - Implementing Large-Number Addition
  - Implementing Large-Number Subtraction
  - Implementing Large-Number Multiplication
  - Implementing Large-Number Division
  - Comparing Large Numbers
  - Optimizing for Modulo Arithmetic
  - Using Modulus Operations to Efficiently Compute Discrete Logarithms in a Finite Field
  - Encryption and Decryption with RSA
  - Encrypting with RSA
  - Decrypting with RSA
  - Encrypting a Plaintext Message
  - Decrypting an RSA-Encrypted Message
  - Testing RSA Encryption and Decryption
  - Achieving Perfect Forward Secrecy with Diffie-Hellman Key Exchange
  - Getting More Security per Key Bit: Elliptic Curve Cryptography
  - How Elliptic Curve Cryptography Relies on Modular Inversions
  - Using the Euclidean Algorithm to compute Greatest Common Denominators
  - Computing Modular Inversions with the Extended Euclidean Algorithm
  - Adding Negative Number Support to the Huge Number Library
  - Supporting Negative Remainders
  - Making ECC Work with Whole Integers: Elliptic-Curve Cryptography over Fp
  - Reimplementing Diffie-Hellman to Use ECC Primitives
  - Why Elliptic-Curve Cryptography?
- Chapter 4: Authenticating Communications Using Digital Signatures
  - Using Message Digests to Create Secure Document Surrogates
  - Implementing the MD5 Digest Algorithm
  - Understanding MD5
  - A Secure Hashing Example
  - Securely Hashing a Single Block of Data
  - MD5 Vulnerabilities
  - Increasing Collision Resistance with the SHA-1 Digest Algorithm
  - Understanding SHA-1 Block Computation
  - Understanding the SHA-1 Input Processing Function
  - Understanding SHA-1 Finalization
  - Even More Collision Resistance with the SHA-256 Digest Algorithm
  - Preventing Replay Attacks with the HMAC Keyed-Hash Algorithm
  - Implementing a Secure HMAC Algorithm
  - Completing the HMAC Operation
  - Creating Updateable Hash Functions
  - Defining a Digest Structure
  - Appending the Length to the Last Block
  - Computing the MD5 Hash of an Entire File
  - Where Does All of This Fit into SSL?
  - Understanding Digital Signature Algorithm (DSA) Signatures
  - Implementing Sender-Side DSA Signature Generation
  - Implementing Receiver-Side DSA Signature Verification
  - How to Make DSA Efficient
  - Getting More Security per Bit: Elliptic Curve DSA
  - Rewriting the Elliptic-Curve Math Functions to Support Large Numbers
  - Implementing ECDSA
  - Generating ECC Keypairs
- Chapter 5: Creating a Network of Trust Using X.509 Certificates
  - Putting It Together: The Secure Channel Protocol
  - Encoding with ASN.1
  - Understanding Signed Certificate Structure
  - Version
  - serialNumber
  - signature
  - issuer
  - validity
  - subject
  - subjectPublicKeyInfo
  - extensions
  - Signed Certificates
  - Summary of X.509 Certificates
  - Transmitting Certificates with ASN.1 Distinguished Encoding Rules (DER)
  - Encoded Values
  - Strings and Dates
  - Bit Strings
  - Sequences and Sets: Grouping and Nesting ASN.1 Values
  - ASN.1 Explicit Tags
  - A Real-World Certificate Example
  - Using OpenSSL to Generate an RSA KeyPair and Certificate
  - Using OpenSSL to Generate a DSA KeyPair and Certificate
  - Developing an ASN.1 Parser
  - Converting a Byte Stream into an ASN.1 Structure
  - The asn1parse Code in Action
  - Turning a Parsed ASN.1 Structure into X.509 Certificate Components
  - Joining the X.509 Components into a Completed X.509 Certificate Structure
  - Parsing Object Identifiers (OIDs)
  - Parsing Distinguished Names
  - Parsing Certificate Extensions
  - Signature Verification
  - Validating PKCS #7-Formatted RSA Signatures
  - Verifying a Self-Signed Certificate
  - Adding DSA Support to the Certificate Parser
  - Managing Certificates
  - How Authorities Handle Certificate Signing Requests (CSRs)
  - Correlating Public and Private Keys Using PKCS #12 Formatting
  - Blacklisting Compromised Certificates Using Certificate Revocation Lists (CRLs)
  - Keeping Certificate Blacklists Up-to-Date with the Online Certificate Status Protocol (OCSP)
  - Other Problems with Certificates
- Chapter 6: A Usable, Secure Communications Protocol: Client-Side TLS
  - Implementing the TLS 1.0 Handshake (Client Perspective)
  - Adding TLS Support to the HTTP Client
  - Understanding the TLS Handshake Procedure
  - TLS Client Hello
  - Tracking the Handshake State in the TLSParameters Structure
  - Describing Cipher Suites
  - Flattening and Sending the Client Hello Structure
  - TLS Server Hello
  - Adding a Receive Loop
  - Sending Alerts
  - Parsing the Server Hello Structure
  - Reporting Server Alerts
  - TLS Certificate
  - TLS Server Hello Done
  - TLS Client Key Exchange
  - Sharing Secrets Using TLS PRF (Pseudo-Random Function)
  - Creating Reproducible, Unpredictable Symmetric Keys with Master Secret Computation
  - RSA Key Exchange
  - Diffie-Hellman Key Exchange
  - TLS Change Cipher Spec
  - TLS Finished
  - Computing the Verify Message
  - Correctly Receiving the Finished Message
  - Secure Data Transfer with TLS
  - Assigning Sequence Numbers
  - Supporting Outgoing Encryption
  - Adding Support for Stream Ciphers
  - Updating Each Invocation of send_message
  - Decrypting and Authenticating
  - TLS Send
  - TLS Receive
  - Implementing TLS Shutdown
  - Examining HTTPS End-to-end Examples (TLS 1.0)
  - Dissecting the Client Hello Request
  - Dissecting the Server Response Messages
  - Dissecting the Key Exchange Message
  - Decrypting the Encrypted Exchange
  - Exchanging Application Data
  - Differences Between SSL 3.0 and TLS 1.0
  - Differences Between TLS 1.0 and TLS 1.1
- Chapter 7: Adding Server-Side TLS 1.0 Support
  - Implementing the TLS 1.0 Handshake from the Server’s Perspective
  - TLS Client Hello
  - TLS Server Hello
  - TLS Certificate
  - TLS Server Hello Done
  - TLS Client Key Exchange
  - RSA Key Exchange and Private Key Location
  - Supporting Encrypted Private Key Files
  - Checking That Decryption was Successful
  - Completing the Key Exchange
  - TLS Change Cipher Spec
  - TLS Finished
  - Avoiding Common Pitfalls When Adding HTTPS Support to a Server
  - When a Browser Displays Errors: Browser Trust Issues
- Chapter 8: Advanced SSL Topics
  - Passing Additional Information with Client Hello Extensions
  - Safely Reusing Key Material with Session Resumption
  - Adding Session Resumption on the Client Side
  - Requesting Session Resumption
  - Adding Session Resumption Logic to the Client
  - Restoring the Previous Session’s Master Secret
  - Testing Session Resumption
  - Viewing a Resumed Session
  - Adding Session Resumption on the Server Side
  - Assigning a Unique Session ID to Each Session
  - Adding Session ID Storage
  - Modifying parse_client_hello to Recognize Session Resumption Requests
  - Drawbacks of This Implementation
  - Avoiding Fixed Parameters with Ephemeral Key Exchange
  - Supporting the TLS Server Key Exchange Message
  - Authenticating the Server Key Exchange Message
  - Examining an Ephemeral Key Exchange Handshake
  - Verifying Identity with Client Authentication
  - Supporting the CertificateRequest Message
  - Adding Certificate Request Parsing Capability for the Client
  - Handling the Certificate Request
  - Supporting the Certificate Verify Message
  - Refactoring rsa_encrypt to Support Signing
  - Testing Client Authentication
  - Viewing a Mutually-Authenticated TLS Handshake
  - Dealing with Legacy Implementations: Exportable Ciphers
  - Export-Grade Key Calculation
  - Step-up Cryptography
  - Discarding Key Material Through Session Renegotiation
  - Supporting the Hello Request
  - Renegotiation Pitfalls and the Client Hello Extension 0xFF01
  - Defending Against the Renegotiation Attack
  - Implementing Secure Renegotiation
- Chapter 9: Adding TLS 1.2 Support to Your TLS Library
  - Supporting TLS 1.2 When You Use RSA for the Key Exchange
  - TLS 1.2 Modifications to the PRF
  - TLS 1.2 Modifications to the Finished Messages Verify Data
  - Impact to Diffie-Hellman Key Exchange
  - Parsing Signature Types
  - Adding Support for AEAD Mode Ciphers
  - Maximizing Throughput with Counter Mode
  - Reusing Existing Functionality for Secure Hashes with CBC-MAC
  - Combining CTR and CBC-MAC into AES-CCM
  - Maximizing MAC Throughput with Galois-Field Authentication
  - Combining CTR and Galois-Field Authentication with AES-GCM
  - Authentication with Associated Data
  - Incorporating AEAD Ciphers into TLS 1.2
  - Working ECC Extensions into the TLS Library
  - ECDSA Certificate Parsing
  - ECDHE Support in TLS
  - ECC Client Hello Extensions
  - The Current State of TLS 1.2
- Chapter 10: Other Applications of SSL
  - Adding the NTTPS Extension to the NTTP Algorithm
  - Implementing “Multi-hop” SMTP over TLS and Protecting Email Content with S/MIME
  - Understanding the Email Model
  - The SSL/TLS Design and Email
  - Multipurpose Internet Mail Extensions (MIME)
  - Protecting Email from Eavesdroppers with S/MIME
  - Securing Email When There Are Multiple Recipients
  - S/MIME Certificate Management
  - Securing Datagram Traffic
  - Securing the Domain Name System
  - Using the DNS Protocol to Query the Database
  - Disadvantages of the DNS Query
  - Preventing DNS Cache Poisoning with DNSSEC
  - TLS Without TCP — Datagram TLS
  - Supporting SSL When Proxies Are Involved
  - Possible Solutions to the Proxy Problem
  - Adding Proxy Support Using Tunneling
  - SSL with OpenSSL
  - Final Thoughts
- Appendix A: Binary Representation of Integers: A Primer
  - The Decimal and Binary Numbering Systems
  - Understanding Binary Logical Operations
  - The AND Operation
  - The OR Operation
  - The NOT Operation
  - The XOR Operation
  - Position Shifting of Binary Numbers
  - Two’s-Complement Representation of Negative Numbers
  - Big-Endian versus Little-Endian Number Formats
- Appendix B: Installing TCPDump and OpenSSL
  - Installing TCPDump
  - Installing TCPDump on a Windows System
  - Installing TCPDump on a Linux System
  - Installing OpenSSL
  - Installing OpenSSL on a Windows System
  - Installing OpenSSL on a Linux system
- Appendix C: Understanding the Pitfalls of SSLv2
  - Implementing the SSL Handshake
  - SSL Client Hello
  - SSL Server Hello
  - SSL Client Master Key
  - SSL Client Finished
  - SSL Server Verify
  - SSL Server Finished
  - SSL send
  - SSL recv
  - Examining an HTTPS End-to-End Example
  - Viewing the TCPDump Output
  - Problems with SSLv2
  - Man-in-the-Middle Attacks
  - Truncation Attacks
  - Same Key Used for Encryption and Authentication
  - No Extensions
- Index