Implementing SSL / TLS Using Cryptography and PKI

Introduction xxvii Chapter 1 Understanding Internet Security 1 What Are Secure Sockets? 2 “Insecure” Communications: Understanding the HTTP Protocol 4 Implementing an HTTP Client 5 Adding Support for HTTP Proxies 12 Reliable Transmission of Binary Data with Base64 Encoding 17 Implementing an HTTP Server 21 Roadmap for the Rest of This Book 27 Chapter 2 Protecting Against Eavesdroppers with Symmetric Cryptography 29 Understanding Block Cipher Cryptography Algorithms 30 Implementing the Data Encryption Standard (DES) Algorithm 31 DES Initial Permutation 34 DES Key Schedule 38 DES Expansion Function 40 DES Decryption 45 Padding and Chaining in Block Cipher Algorithms 46 Using the Triple-DES Encryption Algorithm to Increase Key Length 55 Faster Encryption with the Advanced Encryption Standard (AES) Algorithm 60 AES Key Schedule Computation 60 AES Encryption 67 Other Block Cipher Algorithms 83 Understanding Stream Cipher Algorithms 83 Understanding and Implementing the RC4 Algorithm 84 Chapter 3 Converting a Block Cipher to a Stream Cipher: The OFB and COUNTER Block-Chaining Modes 90 Secure Key Exchange over an Insecure Medium with Public Key Cryptography 91 Understanding the Theory Behind the RSA Algorithm 92 Performing Arbitrary Precision Binary Math to Implement Public-Key Cryptography 93 Implementing Large-Number Addition 93 Implementing Large-Number Subtraction 98 Implementing Large-Number Multiplication 101 Implementing Large-Number Division 106 Comparing Large Numbers 109 Optimizing for Modulo Arithmetic 112 Using Modulus Operations to Efficiently Compute Discrete Logarithms in a Finite Field 113 Encryption and Decryption with RSA 114 Encrypting with RSA 115 Decrypting with RSA 119 Encrypting a Plaintext Message 120 Decrypting an RSA-Encrypted Message 124 Testing RSA Encryption and Decryption 126 Achieving Perfect Forward Secrecy with Diffie-Hellman Key Exchange 130 Getting More Security per Key Bit: Elliptic Curve Cryptography 132 How Elliptic Curve Cryptography Relies on Modular Inversions 135 Using the Euclidean Algorithm to compute Greatest Common Denominators 135 Computing Modular Inversions with the Extended Euclidean Algorithm 137 Adding Negative Number Support to the Huge Number Library 138 Supporting Negative Remainders 147 Making ECC Work with Whole Integers: Elliptic-Curve Cryptography over Fp 150 Reimplementing Diffie-Hellman to Use ECC Primitives 150 Why Elliptic-Curve Cryptography? 154 Chapter 4 Authenticating Communications Using Digital Signatures 157 Using Message Digests to Create Secure Document Surrogates 158 Implementing the MD5 Digest Algorithm 159 Understanding MD 5 160 A Secure Hashing Example 161 Securely Hashing a Single Block of Data 166 MD5 Vulnerabilities 169 Increasing Collision Resistance with the SHA- 1 Digest Algorithm 171 Understanding SHA-1 Block Computation 171 Understanding the SHA-1 Input Processing Function 174 Understanding SHA-1 Finalization 176 Even More Collision Resistance with the SHA- 256 Digest Algorithm 180 Preventing Replay Attacks with the HMAC Keyed-Hash Algorithm 184 Implementing a Secure HMAC Algorithm 186 Completing the HMAC Operation 190 Creating Updateable Hash Functions 190 Defining a Digest Structure 191 Appending the Length to the Last Block 194 Computing the MD5 Hash of an Entire File 196 Where Does All of This Fit into SSL? 200 Understanding Digital Signature Algorithm (DSA) Signatures 201 Implementing Sender-Side DSA Signature Generation 202 Implementing Receiver-Side DSA Signature Verification 205 How to Make DSA Efficient 209 Getting More Security per Bit: Elliptic Curve DSA 210 Rewriting the Elliptic-Curve Math Functions to Support Large Numbers 211 Implementing ECDSA 215 Generating ECC Keypairs 218 Chapter 5 Creating a Network of Trust Using X.509 Certificates 221 Putting It Together: The Secure Channel Protocol 222 Encoding with ASN.1 225 Understanding Signed Certificate Structure 225 Version 226 serialNumber 227 signature 227 issuer 229 validity 232 subject 233 subjectPublicKeyInfo 235 extensions 237 Signed Certificates 238 Summary of X.509 Certificates 241 Transmitting Certificates with ASN.1 Distinguished Encoding Rules (DER) 241 Encoded Values 241 Strings and Dates 242 Bit Strings 243 Sequences and Sets: Grouping and Nesting ASN.1 Values 243 ASN.1 Explicit Tags 244 A Real-World Certificate Example 244 Using OpenSSL to Generate an RSA KeyPair and Certificate 244 Using OpenSSL to Generate a DSA KeyPair and Certificate 251 Developing an ASN.1 Parser 252 Converting a Byte Stream into an ASN.1 Structure 252 The asn1parse Code in Action 259 Turning a Parsed ASN.1 Structure into X.509 Certificate Components 264 Joining the X.509 Components into a Completed X. 509 Certificate Structure 268 Parsing Object Identifiers (OIDs) 270 Parsing Distinguished Names 271 Parsing Certificate Extensions 275 Signature Verification 279 Validating PKCS #7-Formatted RSA Signatures 280 Verifying a Self-Signed Certificate 281 Adding DSA Support to the Certificate Parser 286 Managing Certificates 292 How Authorities Handle Certificate Signing Requests (CSRs) 292 Correlating Public and Private Keys Using PKCS # 12 Formatting 293 Blacklisting Compromised Certificates Using Certificate Revocation Lists (CRLs) 294 Keeping Certificate Blacklists Up-to-Date with the Online Certificate Status Protocol (OCSP) 295 Other Problems with Certificates 296 Chapter 6 A Usable, Secure Communications Protocol: Client-Side TLS 297 Implementing the TLS 1.0 Handshake (Client Perspective) 299 Adding TLS Support to the HTTP Client 300 Understanding the TLS Handshake Procedure 303 TLS Client Hello 304 Tracking the Handshake State in the TLSParameters Structure 304 Describing Cipher Suites 308 Flattening and Sending the Client Hello Structure 309 TLS Server Hello 316 Adding a Receive Loop 317 Sending Alerts 318 Parsing the Server Hello Structure 319 Reporting Server Alerts 323 TLS Certificate 324 TLS Server Hello Done 328 TLS Client Key Exchange 329 Sharing Secrets Using TLS PRF (Pseudo-Random Function) 329 Creating Reproducible, Unpredictable Symmetric Keys with Master Secret Computation 336 RSA Key Exchange 337 Diffie-Hellman Key Exchange 343 TLS Change Cipher Spec 344 TLS Finished 346 Computing the Verify Message 347 Correctly Receiving the Finished Message 352 Secure Data Transfer with TLS 353 Assigning Sequence Numbers 353 Supporting Outgoing Encryption 355 Adding Support for Stream Ciphers 358 Updating Each Invocation of send_message 359 Decrypting and Authenticating 361 TLS Send 364 TLS Receive 365 Implementing TLS Shutdown 368 Examining HTTPS End-to-end Examples (TLS 1.0) 369 Dissecting the Client Hello Request 370 Dissecting the Server Response Messages 372 Dissecting the Key Exchange Message 373 Decrypting the Encrypted Exchange 374 Exchanging Application Data 377 Differences Between SSL 3.0 and TLS 1.0 378 Differences Between TLS 1.0 and TLS 1.1 379 Chapter 7 Adding Server-Side TLS 1.0 Support 381 Implementing the TLS 1.0 Handshake from the Server’s Perspective 381 TLS Client Hello 387 TLS Server Hello 390 TLS Certificate 391 TLS Server Hello Done 393 TLS Client Key Exchange 394 RSA Key Exchange and Private Key Location 395 Supporting Encrypted Private Key Files 399 Checking That Decryption was Successful 406 Completing the Key Exchange 407 TLS Change Cipher Spec 409 TLS Finished 409 Avoiding Common Pitfalls When Adding HTTPS Support to a Server 411 When a Browser Displays Errors: Browser Trust Issues 412 Chapter 8 Advanced SSL Topics 415 Passing Additional Information with Client Hello Extensions 415 Safely Reusing Key Material with Session Resumption 420 Adding Session Resumption on the Client Side 421 Requesting Session Resumption 422 Adding Session Resumption Logic to the Client 422 Restoring the Previous Session’s Master Secret 424 Testing Session Resumption 425 Viewing a Resumed Session 427 Adding Session Resumption on the Server Side 428 Assigning a Unique Session ID to Each Session 429 Adding Session ID Storage 429 Modifying parse_client_hello to Recognize Session Resumption Requests 433 Drawbacks of This Implementation 435 Avoiding Fixed Parameters with Ephemeral Key Exchange 436 Supporting the TLS Server Key Exchange Message 437 Authenticating the Server Key Exchange Message 439 Examining an Ephemeral Key Exchange Handshake 442 Verifying Identity with Client Authentication 448 Supporting the CertificateRequest Message 449 Adding Certificate Request Parsing Capability for the Client 450 Handling the Certificate Request 452 Supporting the Certificate Verify Message 453 Refactoring rsa_encrypt to Support Signing 453 Testing Client Authentication 458 Viewing a Mutually-Authenticated TLS Handshake 460 Dealing with Legacy Implementations: Exportable Ciphers 463 Export-Grade Key Calculation 463 Step-up Cryptography 465 Discarding Key Material Through Session Renegotiation 465 Supporting the Hello Request 466 Renegotiation Pitfalls and the Client Hello Extension 0xFF01 468 Defending Against the Renegotiation Attack 469 Implementing Secure Renegotiation 471 Chapter 9 Adding TLS 1.2 Support to Your TLS Library 479 Supporting TLS 1.2 When You Use RSA for the Key Exchange 479 TLS 1.2 Modifications to the PRF 481 TLS 1.2 Modifications to the Finished Messages Verify Data 483 Impact to Diffie-Hellman Key Exchange 485 Parsing Signature Types 485 Adding Support for AEAD Mode Ciphers 490 Maximizing Throughput with Counter Mode 490 Reusing Existing Functionality for Secure Hashes with CBC-MAC 494 Combining CTR and CBC-MAC into AES-CCM 496 Maximizing MAC Throughput with Galois-Field Authentication 502 Combining CTR and Galois-Field Authentication with AES-GCM 505 Authentication with Associated Data 510 Incorporating AEAD Ciphers into TLS 1.2 517 Working ECC Extensions into the TLS Library 523 ECDSA Certificate Parsing 527 ECDHE Support in TLS 533 ECC Client Hello Extensions 540 The Current State of TLS 1.2 540 Chapter 10 Other Applications of SSL 543 Adding the NTTPS Extension to the NTTP Algorithm 543 Implementing “Multi-hop” SMTP over TLS and Protecting Email Content with S/MIME 545 Understanding the Email Model 545 The SSL/TLS Design and Email 546 Multipurpose Internet Mail Extensions (MIME) 547 Protecting Email from Eavesdroppers with S/MIME 549 Securing Email When There Are Multiple Recipients 550 S/MIME Certificate Management 552 Securing Datagram Traffic 552 Securing the Domain Name System 553 Using the DNS Protocol to Query the Database 555 Disadvantages of the DNS Query 555 Preventing DNS Cache Poisoning with DNSSEC 556 TLS Without TCP — Datagram TLS 559 Supporting SSL When Proxies Are Involved 560 Possible Solutions to the Proxy Problem 560 Adding Proxy Support Using Tunneling 561 SSL with OpenSSL 564 Final Thoughts 566 Appendix A Binary Representation of Integers: A Primer 567 The Decimal and Binary Numbering Systems 567 Understanding Binary Logical Operations 568 The AND Operation 568 The OR Operation 569 The NOT Operation 569 The XOR Operation 569 Position Shifting of Binary Numbers 570 Two’s-Complement Representation of Negative Numbers 570 Big-Endian versus Little-Endian Number Formats 571 Appendix B Installing TCPDump and OpenSSL 573 Installing TCPDump 573 Installing TCPDump on a Windows System 574 Installing TCPDump on a Linux System 575 Installing OpenSSL 575 Installing OpenSSL on a Windows System 575 Installing OpenSSL on a Linux system 577 Appendix C Understanding the Pitfalls of SSLv 2 579 Implementing the SSL Handshake 582 SSL Client Hello 588 SSL Server Hello 592 SSL Client Master Key 600 SSL Client Finished 607 SSL Server Verify 612 SSL Server Finished 616 SSL send 617 SSL recv 617 Examining an HTTPS End-to-End Example 619 Viewing the TCPDump Output 619 Problems with SSLv 2 626 Man-in-the-Middle Attacks 626 Truncation Attacks 626 Same Key Used for Encryption and Authentication 626 No Extensions 627 Index 629