SPECIAL OFFERS
Keep up with new releases and promotions. Sign up to hear from us.
Register your product to gain access to bonus material or receive a coupon.
Secure Sockets Layer (SSL) is used in virtually every commercial web browser and server. In this book, one of the world's leading network security experts explains how SSL works -- and gives implementers step-by-step guidance and proven design patterns for building secure systems with SSL. Eric Rescorla also provides the first in-depth introduction to Transport Layer Security (TLS), the highly anticipated, maximum-security successor to SSL. Rescorla starts by introducing SSL's fundamentals: how it works, and the threats it is intended to address. One step at a time, he addresses each key SSL concept and technique, including cryptography, SSL performance optimization, designing and coding, and how to work around SSL's limitations. Rescorla demonstrates TLS at work in SMTP-based Internet security applications. The book includes detailed examples of SSL/TLS implementations, with in-depth insight into the key design choices that informed them. For all network and security designers, enterprise developers, system implementers, and suppliers of Internet security products and services.
Preface.
1. Security Concepts.
Introduction.
The Internet Threat Model.
The Players.
The Goals of Security.
Tools of the Trade.
Putting It All Together.
A Simple Secure Messaging System.
A Simple Secure Channel.
The Export Situation.
Real Cryptographic Algorithms.
Symmetric Encryption: Stream Ciphers.
Symmetric Encryption: Block Ciphers.
Digest Algorithms.
Key Establishment.
Digital Signature.
MACs.
Key Length.
Summary.
Introduction.
Standards and Standards Bodies.
SSL Over view.
SSL/TLS Design Goals.
SSL and the TCP/IP Suite.
SSL History.
SSL for the Web.
Everything over SSL.
Getting SSL.
Summary.
Introduction.
SSL Over view.
Handshake.
SSL Record Protocol.
Putting the Pieces Together.
A Real Connection.
Some More Connection Details.
SSL Specification Language.
Handshake Message Structure.
Handshake Messages.
Key Derivation.
Record Protocol.
Alerts and Closure.
Summary.
Introduction.
Session Resumption.
Client Authentication.
Ephemeral RSA.
Rehandshake.
Server Gated Cryptography.
DSS and DH.
Elliptic Curve Cipher Suites.
Kerberos.
FORTEZZA.
The Story So Far.
Session Resumption Details.
Client Authentication Details.
Ephemeral RSA Details.
SGC Details.
DH/DSS Details.
FORTEZZA Details.
Error Alerts.
SSLv2 Backward Compatibility.
Summary.
Introduction.
What SSL Provides.
Protect the master_secret.
Protect the Server's Private Key.
Use Good Randomness.
Check the Certificate Chain.
Algorithm Selection.
The Story So Far.
Compromise of the master_secret.
Protecting Secrets in Memory.
Securing the Server's Private Key.
Random Number Generation.
Certificate Chain Verification.
Partial Compromise.
Known Attacks.
Timing Cryptanalysis.
Million Message Attack.
Small-Subgroup Attack.
Downgrade to Export.
Summary.
Introduction.
SSL Is Slow.
Performance Principles.
Cryptography Is Expensive.
Session Resumption.
Handshake Algorithm and Key Choice.
Bulk Data Transfer.
Basic SSL Performance Rules.
The Story So Far.
Handshake Time Allocation.
Normal RSA Mode.
RSA with Client Authentication.
Ephemeral RSA.
DSS/DHE.
DSS/DHE with Client Authentication.
Performance Improvements with DH.
Record Processing.
Java.
SSL Servers under Load.
Hardware Acceleration.
Inline Hardware Accelerators.
Network Latency.
The Nagle Algorithm.
Handshake Buffering.
Advanced SSL Performance Rules.
Summary.
Introduction.
Know What You Want to Secure.
Client Authentication Options.
Reference Integrity.
Inappropriate Tasks.
Protocol Selection.
Reducing Handshake Overhead.
Design Strategy.
The Story So Far.
Separate Ports.
Upward Negotiation.
Downgrade Attacks.
Reference Integrity.
Username/Password Authentication.
SSL Client Authentication.
Mutual Username/Password Authentication.
Rehandshake.
Secondary Channels.
Closure.
Summary.
Introduction.
SSL Implementations.
Sample Programs.
Context Initialization.
Client Connect.
Server Accept.
Simple I/O Handling.
Multiplexed I/O Using Threads.
Multiplexed I/O with select().
Closure.
Session Resumption.
What's Missing?
Summary.
Introduction.
Securing the Web.
HTTP.
HTML.
URLs.
HTTP Connection Behavior.
Proxies.
Virtual Hosts.
Protocol Selection.
Client Authentication.
Reference Integrity.
HTTPS.
HTTPS Overview.
URLs and Reference Integrity.
Connection Closure.
Proxies.
Virtual Hosts.
Client Authentication.
Referrer.
Substitution Attacks.
Upgrade.
Programming Issues.
Proxy CONNECT.
Handling Multiple Clients.
Summary.
Introduction.
Internet Mail Security.
Internet Messaging Overview.
SMTP.
RFC 822 and MIME.
E-Mail Addresses.
Mail Relaying.
Virtual Hosts.
MX Records.
Client Mail Access.
Protocol Selection.
Client Authentication.
Reference Integrity.
Connection Semantics.
STARTTLS.
STARTTLS Overview.
Connection Closure.
Requiring TLS.
Virtual Hosts.
Security Indicators.
Authenticated Relaying.
Originator Authentication.
Reference Integrity Details.
Why Not CONNECT?
What's STARTTLS Good For?
Programming Issues.
Implementing STARTTLS.
Server Startup.
Summary.
Introduction.
The End-to-End Argument.
The End-to-End Argument and SMTP.
Other Protocols.
IPsec.
Security Associations.
ISAKMP and IKE.
AH and ESP.
Putting It All Together: IPsec.
IPsec versus SSL.
Secure HTTP.
CMS.
Message Format.
Cryptographic Options.
Putting It All Together: S-HTTP.
S-HTTP versus HTTPS.
S/MIME.
Basic S/MIME Formatting.
Signing Only.
Algorithm Choice.
Putting It All Together: S/MIME.
Implementation Barriers.
S/MIME versus SMTP/TLS.
Choosing the Appropriate Solution.
Summary.
Chapter 8.
Examples.
Java Examples.
Chapter 9.
HTTPS Examples.
mod_ssl Session Caching.
Introduction.
SSLv2 Overview.
Missing Features.
Security Problems.
PCT.
What about SSLv1?
The Secure Sockets Layer (SSL) is by far the most widely deployed security protocol in the world. Essentially every commercial Web browser and server supports secure Web transactions using SSL. When you buy online using "secure" Web pages an estimated 20 billion dollars' worth of such transactions will occur in 2000), you're almost certainly using SSL.
Although its most common use is for securing Web traffic, SSL is actually quite a general protocol suitable for securing a wide variety of kinds of traffic. File transfer (FTP), remote object access (RMI, CORBA IIOP), e-mail transmission (SMTP), remote terminal service (Telnet) and directory access (LDAP) are just some of the applications that have already been secured with SSL or its successor, Transport Layer Security (TLS).
The effort to secure all these protocols has taught us a number of significant lessons. First, doing a good job of using SSL/TLS to secure a protocol requires having a fairly deep knowledge of how it works. It is not possible to simply treat SSL/TLS as a black box that somehow magically provides security when used.
Second, although each application is slightly different, there seems to be a set of security problems that are common to every application you wish to secure. For instance, we usually need to figure out some way for the insecure and secure versions of an application protocol to coexist. Although there aren't cookie-cutter solutions to these problems, the security community is starting to develop a common set of techniques for solving these problems using SSL/TLS.
These techniques can often be applied to a new application protocol with minimal modification. In essence, we've developed a set of design patterns for securing protocols. Much of the work of securing a system is in recognizing which pattern most closely matches the system you're working with and then using the appropriate techniques.
The purpose of this book, then, is to address both of these needs. After reading this book, you should know most if not all of what you need to know in order to design secure systems using SSL/TLS. You'll know enough about SSL/TLS to understand what security features it can deliver and what it can't deliver. Further, you'll be familiar with the common design patterns for using SSL/TLS and be ready to apply them to new situations.
This book assumes a basic familiarity with how the TCP/IP protocols work. Readers who are unfamiliar with TCP/IP would be best served to consult one of the many fine books describing TCP/IP. TCP/IP Illustrated, Volume 1 Stevens1994a is a good choice. Postel1991a, Postel1991b, and Postel1991c provide the definitive reference for TCP/IP. Although some of this book will be understandable without a deep understanding of TCP/IP, much of the discussion of performance will be difficult to follow without an understanding of TCP behavior.
Because SSL/TLS is a cryptographic protocol, properly understanding it requires at least basic familiarity with cryptographic algorithms, including public key cryptography, symmetric cryptography, and digest algorithms. Chapter 1 provides an introduction to cryptography and communications, but space is too limited to do a complete job. We attempt to cover the requisite cryptographic details for understanding SSL/TLS; however, readers interested in a broader understanding of the cryptographic issues should consult a cryptography text such as Schneier1996a or Kaufman1995a
This book is written in two halves, matching the two primary goals described previously: understanding the protocol and understanding how to use it. The first half, Chapters 1-6, is devoted to describing SSL and TLS. We concern ourselves with the technical details of how they work and their security and performance properties in isolation.
The second half of the book, Chapters 7-11, covers the design of application protocols and systems that use SSL/TLS for security. First we describe general guidelines for using SSL/TLS and then we discuss several protocols that have already been secured using SSL/TLS.
Chapter 1 - Security Concepts provides an introduction to cryptography and communications security, with an eye towards its use in SSL/TLS. If you're already familiar with communications security, you may want to skip this chapter. If, on the other hand, you're not familiar with security, you'll want to read this chapter carefully so you don't get lost later.
Chapter 2 - Introduction to SSL is a broad overview of the history of SSL/TLS and what sorts of security features it provides. We also provide a snapshot of the status of SSL/TLS-secured protocols as of the time of this writing.
Chapter 3 - Basic SSL covers the most common SSL/TLS operational mode. We describe an entire SSL/TLS connection from start to finish. This chapter should give you a very good idea of how SSL/TLS works in practice. All the other operational modes can be easily understood once you understand this chapter.
Chapter 4 - Advanced SSL covers the rest of the major operational modes. We cover session resumption, client authentication, and a number of algorithms that are only now seeing deployment with SSL/TLS, such as DH/DSS and Kerberos.
Chapter 5 - SSL Security describes the security benefits that SSL offers as well as (even more important) those it doesn't offer. Whereas previous chapters mostly focused on describing how things work, this chapter focuses on what you need to do to make a system that uses SSL/TLS secure.
Chapter 6 - SSL Performance describes the performance profile of TLS-based systems. It's been widely observed that security imposes significant performance demands on systems, but it's not widely understood that this impact is limited to certain parts of the protocol. We'll discuss these issues with an eye to getting better performance while preserving good security.
Chapter 7 - Designing with SSL is a guide to using SSL/TLS to secure application layer protocols. We focus on identifying the required security properties and on well-understood design techniques for satisfying these properties.
Chapter 8 - Coding with SSL discusses the common program- ming idioms required to write software that uses SSL/TLS. We provide complete sample programs in C and Java using the OpenSSL and PureTLS toolkits.
Chapter 9 - HTTP over SSL describes the application that started it all. SSL was originally designed by Netscape to work with HTTP and we cover both the traditional way of doing things and the replacement that's currently being proposed.
Chapter 10 - SMTP over TLS describes the use of TLS to secure the Simple Mail Transport Protocol (SMTP) which is used for transporting email. SMTP is a bad match for TLS and this chapter illustrates some of the limitations of SSL and TLS.
Chapter 11 - Contrasting Approaches is devoted to describing other alternatives to securing your applications. SSL/TLS isn't always the best solution and part of knowing how to use a protocol is knowing when not to. This chapter tries to give you a perspective on your other choices. We discuss IPSEC, S-HTTP, and S/MIME as alternatives to SSL/TLS.
This book is suitable for a number of audiences of different technical abilities and requirements. You should read any section that interests you, but depending on your needs you may want to focus on specific sections.
If you're writing an application that uses a preexisting SSL toolkit you can safely read only the first parts of Chapters 1-6. You should also read the summaries at the end of each chapter. These sections discuss SSL and SSL implementation techniques in overview form. This will provide enough information to understand what your SSL toolkit is doing. You should carefully read Chapters 7 and 8, paying special attention to the programming techniques discussed in Chapter 8. If you are implementing HTTP or SMTP over SSL, you should also read the chapters that deal with those protocols.
If you're implementing SSL from scratch, you should read the entire book. If you're already familiar with cryptography you can skip Chapter 1; however, if you don't have a detailed knowledge of cryptography you should read the entire chapter. You should pay particular attention to Chapters 2-6, which provide a detailed description of SSL and of the various implementation techniques required to produce a fast and secure implementation.
By now you've no doubt gotten tired of seeing the name SSL/TLS. We've been using it to avoid being specific about exactly which version we mean. There are currently two versions of SSL in wide deployment: SSL version 2 (SSLv2) and SSL version 3 (SSLv3). TLS, a modification of SSLv3, was standardized by the Interenet Engineering Task Force (IETF) in 1999. Despite what you might think from the names, SSLv2 and SSLv3 are completely different protocols, and TLS is extremely similar to SSLv3. SSLv2 is essentially obsolete, and TLS isn't really in wide deployment as of this writing. In general, we'll use the term SSL to refer to SSLv3/TLS interchangeably. When we mean one or the other, we'll specify it explicitly. In the few instances when we're talking about SSL version 2, we'll use SSLv2.