Produktbild: Implementing SSL / TLS Using Cryptography and PKI

Implementing SSL / TLS Using Cryptography and PKI

Fr. 84.90

inkl. gesetzl. MwSt., Versandkostenfrei


Beschreibung

Produktdetails

Einband

Taschenbuch

Erscheinungsdatum

11.01.2011

Verlag

John Wiley & Sons Inc

Seitenzahl

704

Maße (L/B/H)

23.5/19.1/3.8 cm

Gewicht

1295 g

Auflage

1. Auflage

Sprache

Englisch

ISBN

978-0-470-92041-1

Beschreibung

Produktdetails

Einband

Taschenbuch

Erscheinungsdatum

11.01.2011

Verlag

John Wiley & Sons Inc

Seitenzahl

704

Maße (L/B/H)

23.5/19.1/3.8 cm

Gewicht

1295 g

Auflage

1. Auflage

Sprache

Englisch

ISBN

978-0-470-92041-1

Herstelleradresse

Libri GmbH
Europaallee 1
36244 Bad Hersfeld
DE

Email: gpsr@libri.de

Noch keine Bewertungen vorhanden

Verfassen Sie die erste Bewertung zu diesem Artikel

Helfen Sie anderen Kundinnen und Kunden durch Ihre Meinung.

Kundinnen und Kunden meinen

Bewertungen (0)

Die Leseprobe wird geladen.
  • Produktbild: Implementing SSL / TLS Using Cryptography and PKI
  • Introduction xxvii

    Chapter 1 Understanding Internet Security 1

    What Are Secure Sockets? 2

    "Insecure" Communications: Understanding the HTTP Protocol 4

    Implementing an HTTP Client 5

    Adding Support for HTTP Proxies 12

    Reliable Transmission of Binary Data with Base64 Encoding 17

    Implementing an HTTP Server 21

    Roadmap for the Rest of This Book 27

    Chapter 2 Protecting Against Eavesdroppers with Symmetric Cryptography 29

    Understanding Block Cipher Cryptography Algorithms 30

    Implementing the Data Encryption Standard (DES) Algorithm 31

    DES Initial Permutation 34

    DES Key Schedule 38

    DES Expansion Function 40

    DES Decryption 45

    Padding and Chaining in Block Cipher Algorithms 46

    Using the Triple-DES Encryption Algorithm to Increase Key Length 55

    Faster Encryption with the Advanced Encryption Standard (AES) Algorithm 60

    AES Key Schedule Computation 60

    AES Encryption 67

    Other Block Cipher Algorithms 83

    Understanding Stream Cipher Algorithms 83

    Understanding and Implementing the RC4 Algorithm 84

    Chapter 3 Converting a Block Cipher to a Stream Cipher: The OFB and COUNTER Block-Chaining Modes 90

    Secure Key Exchange over an Insecure Medium with Public Key Cryptography 91

    Understanding the Theory Behind the RSA Algorithm 92

    Performing Arbitrary Precision Binary Math to Implement Public-Key Cryptography 93

    Implementing Large-Number Addition 93

    Implementing Large-Number Subtraction 98

    Implementing Large-Number Multiplication 101

    Implementing Large-Number Division 106

    Comparing Large Numbers 109

    Optimizing for Modulo Arithmetic 112

    Using Modulus Operations to Efficiently Compute Discrete Logarithms in a Finite Field 113

    Encryption and Decryption with RSA 114

    Encrypting with RSA 115

    Decrypting with RSA 119

    Encrypting a Plaintext Message 120

    Decrypting an RSA-Encrypted Message 124

    Testing RSA Encryption and Decryption 126

    Achieving Perfect Forward Secrecy with Diffie-Hellman Key Exchange 130

    Getting More Security per Key Bit: Elliptic Curve Cryptography 132

    How Elliptic Curve Cryptography Relies on Modular Inversions 135

    Using the Euclidean Algorithm to compute Greatest Common Denominators 135

    Computing Modular Inversions with the Extended Euclidean Algorithm 137

    Adding Negative Number Support to the Huge Number Library 138

    Supporting Negative Remainders 147

    Making ECC Work with Whole Integers: Elliptic-Curve Cryptography over Fp 150

    Reimplementing Diffie-Hellman to Use ECC Primitives 150

    Why Elliptic-Curve Cryptography? 154

    Chapter 4 Authenticating Communications Using Digital Signatures 157

    Using Message Digests to Create Secure Document Surrogates 158

    Implementing the MD5 Digest Algorithm 159

    Understanding MD 5 160

    A Secure Hashing Example 161

    Securely Hashing a Single Block of Data 166

    MD5 Vulnerabilities 169

    Increasing Collision Resistance with the SHA- 1

    Digest Algorithm 171

    Understanding SHA-1 Block Computation 171

    Understanding the SHA-1 Input Processing Function 174

    Understanding SHA-1 Finalization 176

    Even More Collision Resistance with the SHA- 256

    Digest Algorithm 180

    Preventing Replay Attacks with the HMAC Keyed-Hash Algorithm 184

    Implementing a Secure HMAC Algorithm 186

    Completing the HMAC Operation 190

    Creating Updateable Hash Functions 190

    Defining a Digest Structure 191

    Appending the Length to the Last Block 194

    Computing the MD5 Hash of an Entire File 196

    Where Does All of This Fit into SSL? 200

    Understanding Digital Signature Algorithm (DSA) Signatures 201

    Implementing Sender-Side DSA Signature Generation 202

    Implementing Receiver-Side DSA Signature Verification 205

    How to Make DSA Efficient 209

    Getting More Security per Bit: Elliptic Curve DSA 210

    Rewriting the Elliptic-Curve Math Functions to Support Large Numbers 211

    Implementing ECDSA 215

    Generating ECC Keypairs 218

    Chapter 5 Creating a Network of Trust Using X.509 Certificates 221

    Putting It Together: The Secure Channel Protocol 222

    Encoding with ASN.1 225

    Understanding Signed Certificate Structure 225

    Version 226

    serialNumber 227

    signature 227

    issuer 229

    validity 232

    subject 233

    subjectPublicKeyInfo 235

    extensions 237

    Signed Certificates 238

    Summary of X.509 Certificates 241

    Transmitting Certificates with ASN.1 Distinguished Encoding Rules (DER) 241

    Encoded Values 241

    Strings and Dates 242

    Bit Strings 243

    Sequences and Sets: Grouping and Nesting ASN.1 Values 243

    ASN.1 Explicit Tags 244

    A Real-World Certificate Example 244

    Using OpenSSL to Generate an RSA KeyPair and Certificate 244

    Using OpenSSL to Generate a DSA KeyPair and Certificate 251

    Developing an ASN.1 Parser 252

    Converting a Byte Stream into an ASN.1 Structure 252

    The asn1parse Code in Action 259

    Turning a Parsed ASN.1 Structure into X.509 Certificate Components 264

    Joining the X.509 Components into a Completed X. 509 Certificate Structure 268

    Parsing Object Identifiers (OIDs) 270

    Parsing Distinguished Names 271

    Parsing Certificate Extensions 275

    Signature Verification 279

    Validating PKCS #7-Formatted RSA Signatures 280

    Verifying a Self-Signed Certificate 281

    Adding DSA Support to the Certificate Parser 286

    Managing Certificates 292

    How Authorities Handle Certificate Signing Requests (CSRs) 292

    Correlating Public and Private Keys Using PKCS # 12

    Formatting 293

    Blacklisting Compromised Certificates Using Certificate Revocation Lists (CRLs) 294

    Keeping Certificate Blacklists Up-to-Date with the Online Certificate Status Protocol (OCSP) 295

    Other Problems with Certificates 296

    Chapter 6 A Usable, Secure Communications Protocol: Client-Side TLS 297

    Implementing the TLS 1.0 Handshake (Client Perspective) 299

    Adding TLS Support to the HTTP Client 300

    Understanding the TLS Handshake Procedure 303

    TLS Client Hello 304

    Tracking the Handshake State in the TLSParameters Structure 304

    Describing Cipher Suites 308

    Flattening and Sending the Client Hello Structure 309

    TLS Server Hello 316

    Adding a Receive Loop 317

    Sending Alerts 318

    Parsing the Server Hello Structure 319

    Reporting Server Alerts 323

    TLS Certificate 324

    TLS Server Hello Done 328

    TLS Client Key Exchange 329

    Sharing Secrets Using TLS PRF (Pseudo-Random Function) 329

    Creating Reproducible, Unpredictable Symmetric Keys with Master Secret Computation 336

    RSA Key Exchange 337

    Diffie-Hellman Key Exchange 343

    TLS Change Cipher Spec 344

    TLS Finished 346

    Computing the Verify Message 347

    Correctly Receiving the Finished Message 352

    Secure Data Transfer with TLS 353

    Assigning Sequence Numbers 353

    Supporting Outgoing Encryption 355

    Adding Support for Stream Ciphers 358

    Updating Each Invocation of send_message 359

    Decrypting and Authenticating 361

    TLS Send 364

    TLS Receive 365

    Implementing TLS Shutdown 368

    Examining HTTPS End-to-end Examples (TLS 1.0) 369

    Dissecting the Client Hello Request 370

    Dissecting the Server Response Messages 372

    Dissecting the Key Exchange Message 373

    Decrypting the Encrypted Exchange 374

    Exchanging Application Data 377

    Differences Between SSL 3.0 and TLS 1.0 378

    Differences Between TLS 1.0 and TLS 1.1 379

    Chapter 7 Adding Server-Side TLS 1.0 Support 381

    Implementing the TLS 1.0 Handshake from the Server's Perspective 381

    TLS Client Hello 387

    TLS Server Hello 390

    TLS Certificate 391

    TLS Server Hello Done 393

    TLS Client Key Exchange 394

    RSA Key Exchange and Private Key Location 395

    Supporting Encrypted Private Key Files 399

    Checking That Decryption was Successful 406

    Completing the Key Exchange 407

    TLS Change Cipher Spec 409

    TLS Finished 409

    Avoiding Common Pitfalls When Adding HTTPS Support to a Server 411

    When a Browser Displays Errors: Browser Trust Issues 412

    Chapter 8 Advanced SSL Topics 415

    Passing Additional Information with Client Hello Extensions 415

    Safely Reusing Key Material with Session Resumption 420

    Adding Session Resumption on the Client Side 421

    Requesting Session Resumption 422

    Adding Session Resumption Logic to the Client 422

    Restoring the Previous Session's Master Secret 424

    Testing Session Resumption 425

    Viewing a Resumed Session 427

    Adding Session Resumption on the Server Side 428

    Assigning a Unique Session ID to Each Session 429

    Adding Session ID Storage 429

    Modifying parse_client_hello to Recognize Session Resumption Requests 433

    Drawbacks of This Implementation 435

    Avoiding Fixed Parameters with Ephemeral Key Exchange 436

    Supporting the TLS Server Key Exchange Message 437

    Authenticating the Server Key Exchange Message 439

    Examining an Ephemeral Key Exchange Handshake 442

    Verifying Identity with Client Authentication 448

    Supporting the CertificateRequest Message 449

    Adding Certificate Request Parsing Capability for the Client 450

    Handling the Certificate Request 452

    Supporting the Certificate Verify Message 453

    Refactoring rsa_encrypt to Support Signing 453

    Testing Client Authentication 458

    Viewing a Mutually-Authenticated TLS Handshake 460

    Dealing with Legacy Implementations: Exportable Ciphers 463

    Export-Grade Key Calculation 463

    Step-up Cryptography 465

    Discarding Key Material Through Session Renegotiation 465

    Supporting the Hello Request 466

    Renegotiation Pitfalls and the Client Hello Extension 0xFF01 468

    Defending Against the Renegotiation Attack 469

    Implementing Secure Renegotiation 471

    Chapter 9 Adding TLS 1.2 Support to Your TLS Library 479

    Supporting TLS 1.2 When You Use RSA for the Key Exchange 479

    TLS 1.2 Modifications to the PRF 481

    TLS 1.2 Modifications to the Finished Messages Verify Data 483

    Impact to Diffie-Hellman Key Exchange 485

    Parsing Signature Types 485

    Adding Support for AEAD Mode Ciphers 490

    Maximizing Throughput with Counter Mode 490

    Reusing Existing Functionality for Secure Hashes with CBC-MAC 494

    Combining CTR and CBC-MAC into AES-CCM 496

    Maximizing MAC Throughput with Galois-Field Authentication 502

    Combining CTR and Galois-Field Authentication with AES-GCM 505

    Authentication with Associated Data 510

    Incorporating AEAD Ciphers into TLS 1.2 517

    Working ECC Extensions into the TLS Library 523

    ECDSA Certificate Parsing 527

    ECDHE Support in TLS 533

    ECC Client Hello Extensions 540

    The Current State of TLS 1.2 540

    Chapter 10 Other Applications of SSL 543

    Adding the NTTPS Extension to the NTTP Algorithm 543

    Implementing "Multi-hop" SMTP over TLS and Protecting Email Content with S/MIME 545

    Understanding the Email Model 545

    The SSL/TLS Design and Email 546

    Multipurpose Internet Mail Extensions (MIME) 547

    Protecting Email from Eavesdroppers with S/MIME 549

    Securing Email When There Are Multiple Recipients 550

    S/MIME Certificate Management 552

    Securing Datagram Traffic 552

    Securing the Domain Name System 553

    Using the DNS Protocol to Query the Database 555

    Disadvantages of the DNS Query 555

    Preventing DNS Cache Poisoning with DNSSEC 556

    TLS Without TCP - Datagram TLS 559

    Supporting SSL When Proxies Are Involved 560

    Possible Solutions to the Proxy Problem 560

    Adding Proxy Support Using Tunneling 561

    SSL with OpenSSL 564

    Final Thoughts 566

    Appendix A Binary Representation of Integers: A Primer 567

    The Decimal and Binary Numbering Systems 567

    Understanding Binary Logical Operations 568

    The AND Operation 568

    The OR Operation 569

    The NOT Operation 569

    The XOR Operation 569

    Position Shifting of Binary Numbers 570

    Two's-Complement Representation of Negative Numbers 570

    Big-Endian versus Little-Endian Number Formats 571

    Appendix B Installing TCPDump and OpenSSL 573

    Installing TCPDump 573

    Installing TCPDump on a Windows System 574

    Installing TCPDump on a Linux System 575

    Installing OpenSSL 575

    Installing OpenSSL on a Windows System 575

    Installing OpenSSL on a Linux system 577

    Appendix C Understanding the Pitfalls of SSLv 2 579

    Implementing the SSL Handshake 582

    SSL Client Hello 588

    SSL Server Hello 592

    SSL Client Master Key 600

    SSL Client Finished 607

    SSL Server Verify 612

    SSL Server Finished 616

    SSL send 617

    SSL recv 617

    Examining an HTTPS End-to-End Example 619

    Viewing the TCPDump Output 619

    Problems with SSLv 2 626

    Man-in-the-Middle Attacks 626

    Truncation Attacks 626

    Same Key Used for Encryption and Authentication 626

    No Extensions 627

    Index 629