SSL and TLS: Theory and Practice
A book published by Artech House Publishers in the Information Security and Privacy Series
(ISBN 978-1-59693-447-4)
Rolf Oppliger, Ph.D.
eSECURITY Technologies Rolf Oppliger
Breichtenstrasse 18
CH-3074 Muri b. Bern, Switzerland
E-Mail: rolf.oppliger@esecurity.ch
Phone/Fax: +41 079 654 84 37
This book provides a comprehensive overview and discussion of the SSL/TLS protocols. It also
addresses related topics, such as TLS extensions, datagram TLS (DTLS), firewall traversal, as well as
public key certificates and public key infrastructure (PKI).
The book is intended for anyone who wants to get a deep understanding of the SSL/TLS protocols and
their proper use, be it a theorist or practitioner.
Foreword by Taher Elgamal
Preface
1. Introduction
2. Cryptography Primer
3. Transport Layer Security
4. SSL Protocol
5. TLS Protocol
6. DTLS Protocol
7. Firewall Traversal
8. Public Key Certificates and PKI
9. Conclusions and Outlook
Appendix TLS Cipher Suites
Abbreviations and Acronyms
About the Author
Index
- Page 91, line 11: "EtA" should be replaced with "AtE".
- Page 93, line 12: "employs" should be replaced with "proposes the use of"
(reported on July 17, 2010, by Anthony Barnard).
- Page 101, lines 13 and 14: The note put in brackets (i.e., "(including length
field)") should be removed (reported on January 23, 2011, by Michael D'Errico).
- Page 101, line 4 from the bottom: "In fact, the 2 bytes immediately following ..." should be
replaced with "In fact, the byte immediately following ..." (reported on January 23, 2011,
by Michael D'Errico).
- Page 126, line 4 from the bottom: s^{-1} should be replaced with r^{-1}
(reported on August 27, 2009, by Samuel Walther).
- Page 117, line 5: "(referring to a CertificateVerify" should be replaced with
"(referring to a Finished" with the respective type fonts.
- Page 139, line 9 in Section 5.1.2: "client_ranodm and client_random" should be replaced with
"client_ranodm and server_random" "need" (reported on August 27, 2009, by Samuel Walther).
- Page 139, lines 3 and 2 from the bottom: "client_ranodm and client_random" should be replaced with
"server_ranodm and server_random" "need" (reported on August 27, 2009, by Samuel Walther).
- Page 147, line 11 from the bottom: "EtA" should be replaced with "AtE".
- Page 153, Section 5.4.1, 2nd bullet: It should be mentioned that RFC 4366 was published around
the same time as RFC 4346 (specification of TLS 1.1), and hence that all extensions specified in
RFC 4366 apply retroactively to TLS 1.0 and later.
The same line of argumentation applies to Section 5.4.1.13 on page 168: While the summary implies
that the extensions are only usable with TLS 1.2, the extension format specified in RFC 4366 also
applies to prior versions of the TLS protocol (reported on January 23, 2011,
by Michael D'Errico).
- Page 180: Reference [28] appears twice. The second occurrence should be labelled reference [29].
- Page 242: The HMAC-Based and Galois Counter Mode-Based Cipher Suites of RFC 5289 should be appended
to the Appendix entitled "Standardized TLS Cipher Suites."
- In March 2009, Margaret Salter, Eric Rescorla, and Russ Housley published Informational RFC 5430
that defines a profile of TLS version 1.2 that is fully conformant with NSA
Suite B Cryptography and a transitional profile for TLS versions 1.0 and 1.1 that employs
Suite B algorithms to the greatest extent possible. In addition to
- In August 2009, Moxie Marlinspike gave a talk on null prefix attacks against SSL/TLS certificates
and announced their implementation in the SSLStrip proxy software that can be used to mount
man-in-the-middle attacks against SSL/TLS sessions.
- In November 2009, Marsh Ray and Steve Dispensa announced the feasibility of a TLS renegotiation
attack that exploits SSL/TLS’s renegotiation feature to inject plaintext into a legitimate
client-server exchange such that the server will accept it as if it came from the
client. In February 2010, the IETF issued RFC 5746 that specifies a TLS extension to defeat the TLS
renegotiation attack.
© 2011 Rolf Oppliger