Implementing SSL / TLS Using Cryptography and PKI
Joshua Davies
Language: English
Pages: 696
ISBN: 0470920416
Format: PDF / Kindle (mobi) / ePub
Hands-on, practical guide to implementing SSL and TLS protocols for Internet security
If you are a network professional who knows C programming, this practical book is for you. Focused on how to implement Secure Socket Layer (SSL) and Transport Layer Security (TLS), this book guides you through all necessary steps, whether or not you have a working knowledge of cryptography. The book covers SSLv2, TLS 1.0, and TLS 1.2, including implementations of the relevant cryptographic protocols, secure hashing, certificate parsing, certificate generation, and more.
Coverage includes:
- Understanding Internet Security
- Protecting against Eavesdroppers with Symmetric Cryptography
- Secure Key Exchange over an Insecure Medium with Public Key Cryptography
- Authenticating Communications Using Digital Signatures
- Creating a Network of Trust Using X.509 Certificates
- A Usable, Secure Communications Protocol: Client-Side TLS
- Adding Server-Side TLS 1.0 Support
- Advanced SSL Topics
- Adding TLS 1.2 Support to Your TLS Library
- Other Applications of SSL
- A Binary Representation of Integers: A Primer
- Installing TCPDump and OpenSSL
- Understanding the Pitfalls of SSLv2
Set up and launch a working implementation of SSL with this practical guide.
Because the input stream is, obviously, a multiple of 8 bits, dividing it into 6-bit chunks creates a minor problem. Because 24 is the least-common-multiple of 6 and 8, the input must be padded to a multiple of 24 bits (three bytes). Although Base64 could just mandate that the encoding routine add padding bytes to ensure alignment, that would complicate the decoding process. Instead the encoder adds two = characters if the last chunk is one byte long, one = character if the last chunk is two
is found. To determine when he’s hit the right combination, the attacker has to know something about the message that was encrypted in the first place, obviously. However, this is usually the case. Consider the case of an HTTP exchange. The first four characters of the first request are likely to be “G E T .” The hypothetical attacker can just do a decryption using a proposed key, check the first four letters, and if they don’t match, move on to the next. This sort of attack is called a brute force
is unclear, as it serves no cryptographic purpose (the output would be just as secure without this). It may have been added for optimization for certain hardware types. Nevertheless, if you don’t include it, your output will be wrong, and you won’t be able to interoperate with other implementations. The specification describes this permutation in terms of the input bits and the output bits, but it works out to copying the second bit of the last byte into the first bit of the first byte of the
again), and check each bit of each char. If the bit is a 1, add the contents of temp to h1. If the bit is a zero, do nothing. In either case, left-shift temp by one position. Left-shifting a huge is, of course, a separate operation that works on one char at a time, right-to-left. c03.indd 105 12/24/2010 12:33:15 PM 106 Chapter 3 n Secure Key Exchange over an Insecure Medium Listing 3-12: “huge.c” left_shift void left_shift( huge *h1 ) { int i; int old_carry, carry = 0; i = h1->size; do {
0 represent positive and 1 represent negative: Listing 3-29: “huge.h” huge structure with negative number support typedef struct { int sign; unsigned int size; unsigned char *rep; } huge; c03.indd 141 12/24/2010 12:33:19 PM 142 Chapter 3 n Secure Key Exchange over an Insecure Medium 2. There are three initializer functions that create huges: set_huge, copy_huge, and load_huge. Each needs to be updated to initialize the sign bit, as shown in Listing 3-30. Listing 3-30: “huge.c” initializer