Implementing SSL / TLS Using Cryptography and PKI

Joshua Davies is a principal architect for Travelocity.com, responsible for the architecture of the main Web site with a focus on networking and security. Previously, he designed distributed systems for AT&T, Digex, and the Mexican telecommunications giant Pegaso.

Introduction xxvii

Chapter 1 Understanding Internet Security 1

What Are Secure Sockets? 2

“Insecure” Communications: Understanding the HTTP Protocol 4

Implementing an HTTP Client 5

Adding Support for HTTP Proxies 12

Reliable Transmission of Binary Data with Base64 Encoding 17

Implementing an HTTP Server 21

Roadmap for the Rest of This Book 27

Chapter 2 Protecting Against Eavesdroppers with Symmetric Cryptography 29

Understanding Block Cipher Cryptography Algorithms 30

Implementing the Data Encryption Standard (DES) Algorithm 31

DES Initial Permutation 34

DES Key Schedule 38

DES Expansion Function 40

DES Decryption 45

Padding and Chaining in Block Cipher Algorithms 46

Using the Triple-DES Encryption Algorithm to Increase Key Length 55

Faster Encryption with the Advanced Encryption Standard (AES) Algorithm 60

AES Key Schedule Computation 60

AES Encryption 67

Other Block Cipher Algorithms 83

Understanding Stream Cipher Algorithms 83

Understanding and Implementing the RC4 Algorithm 84

Chapter 3 Converting a Block Cipher to a Stream Cipher: The OFB and COUNTER Block-Chaining Modes 90

Secure Key Exchange over an Insecure Medium with Public Key Cryptography 91

Understanding the Theory Behind the RSA Algorithm 92

Performing Arbitrary Precision Binary Math to Implement Public-Key Cryptography 93

Implementing Large-Number Addition 93

Implementing Large-Number Subtraction 98

Implementing Large-Number Multiplication 101

Implementing Large-Number Division 106

Comparing Large Numbers 109

Optimizing for Modulo Arithmetic 112

Using Modulus Operations to Efficiently Compute Discrete Logarithms in a Finite Field 113

Encryption and Decryption with RSA 114

Encrypting with RSA 115

Decrypting with RSA 119

Encrypting a Plaintext Message 120

Decrypting an RSA-Encrypted Message 124

Testing RSA Encryption and Decryption 126

Achieving Perfect Forward Secrecy with Diffie-Hellman Key Exchange 130

Getting More Security per Key Bit: Elliptic Curve Cryptography 132

How Elliptic Curve Cryptography Relies on Modular Inversions 135

Using the Euclidean Algorithm to compute Greatest Common Denominators 135

Computing Modular Inversions with the Extended Euclidean Algorithm 137

Adding Negative Number Support to the Huge Number Library 138

Supporting Negative Remainders 147

Making ECC Work with Whole Integers: Elliptic-Curve Cryptography over Fp 150

Reimplementing Diffie-Hellman to Use ECC Primitives 150

Why Elliptic-Curve Cryptography? 154

Chapter 4 Authenticating Communications Using Digital Signatures 157

Using Message Digests to Create Secure Document Surrogates 158

Implementing the MD5 Digest Algorithm 159

Understanding MD 5 160

A Secure Hashing Example 161

Securely Hashing a Single Block of Data 166

MD5 Vulnerabilities 169

Increasing Collision Resistance with the SHA- 1

Digest Algorithm 171

Understanding SHA-1 Block Computation 171

Understanding the SHA-1 Input Processing Function 174

Understanding SHA-1 Finalization 176

Even More Collision Resistance with the SHA- 256

Digest Algorithm 180

Preventing Replay Attacks with the HMAC Keyed-Hash Algorithm 184

Implementing a Secure HMAC Algorithm 186

Completing the HMAC Operation 190

Creating Updateable Hash Functions 190

Defining a Digest Structure 191

Appending the Length to the Last Block 194

Computing the MD5 Hash of an Entire File 196

Where Does All of This Fit into SSL? 200

Understanding Digital Signature Algorithm (DSA) Signatures 201

Implementing Sender-Side DSA Signature Generation 202

Implementing Receiver-Side DSA Signature Verification 205

How to Make DSA Efficient 209

Getting More Security per Bit: Elliptic Curve DSA 210

Rewriting the Elliptic-Curve Math Functions to Support Large Numbers 211

Implementing ECDSA 215

Generating ECC Keypairs 218

Chapter 5 Creating a Network of Trust Using X.509 Certificates 221

Putting It Together: The Secure Channel Protocol 222

Encoding with ASN.1 225

Understanding Signed Certificate Structure 225

Version 226

serialNumber 227

signature 227

issuer 229

validity 232

subject 233

subjectPublicKeyInfo 235

extensions 237

Signed Certificates 238

Summary of X.509 Certificates 241

Transmitting Certificates with ASN.1 Distinguished Encoding Rules (DER) 241

Encoded Values 241

Strings and Dates 242

Bit Strings 243

Sequences and Sets: Grouping and Nesting ASN.1 Values 243

ASN.1 Explicit Tags 244

A Real-World Certificate Example 244

Using OpenSSL to Generate an RSA KeyPair and Certificate 244

Using OpenSSL to Generate a DSA KeyPair and Certificate 251

Developing an ASN.1 Parser 252

Converting a Byte Stream into an ASN.1 Structure 252

The asn1parse Code in Action 259

Turning a Parsed ASN.1 Structure into X.509 Certificate Components 264

Joining the X.509 Components into a Completed X. 509 Certificate Structure 268

Parsing Object Identifiers (OIDs) 270

Parsing Distinguished Names 271

Parsing Certificate Extensions 275

Signature Verification 279

Validating PKCS #7-Formatted RSA Signatures 280

Verifying a Self-Signed Certificate 281

Adding DSA Support to the Certificate Parser 286

Managing Certificates 292

How Authorities Handle Certificate Signing Requests (CSRs) 292

Correlating Public and Private Keys Using PKCS # 12

Formatting 293

Blacklisting Compromised Certificates Using Certificate Revocation Lists (CRLs) 294

Keeping Certificate Blacklists Up-to-Date with the Online Certificate Status Protocol (OCSP) 295

Other Problems with Certificates 296

Chapter 6 A Usable, Secure Communications Protocol: Client-Side TLS 297

Implementing the TLS 1.0 Handshake (Client Perspective) 299

Adding TLS Support to the HTTP Client 300

Understanding the TLS Handshake Procedure 303

TLS Client Hello 304

Tracking the Handshake State in the TLSParameters Structure 304

Describing Cipher Suites 308

Flattening and Sending the Client Hello Structure 309

TLS Server Hello 316

Adding a Receive Loop 317

Sending Alerts 318

Parsing the Server Hello Structure 319

Reporting Server Alerts 323

TLS Certificate 324

TLS Server Hello Done 328

TLS Client Key Exchange 329

Sharing Secrets Using TLS PRF (Pseudo-Random Function) 329

Creating Reproducible, Unpredictable Symmetric Keys with Master Secret Computation 336

RSA Key Exchange 337

Diffie-Hellman Key Exchange 343

TLS Change Cipher Spec 344

TLS Finished 346

Computing the Verify Message 347

Correctly Receiving the Finished Message 352

Secure Data Transfer with TLS 353

Assigning Sequence Numbers 353

Supporting Outgoing Encryption 355

Adding Support for Stream Ciphers 358

Updating Each Invocation of send_message 359

Decrypting and Authenticating 361

TLS Send 364

TLS Receive 365

Implementing TLS Shutdown 368

Examining HTTPS End-to-end Examples (TLS 1.0) 369

Dissecting the Client Hello Request 370

Dissecting the Server Response Messages 372

Dissecting the Key Exchange Message 373

Decrypting the Encrypted Exchange 374

Exchanging Application Data 377

Differences Between SSL 3.0 and TLS 1.0 378

Differences Between TLS 1.0 and TLS 1.1 379

Chapter 7 Adding Server-Side TLS 1.0 Support 381

Implementing the TLS 1.0 Handshake from the Server’s Perspective 381

TLS Client Hello 387

TLS Server Hello 390

TLS Certificate 391

TLS Server Hello Done 393

TLS Client Key Exchange 394

RSA Key Exchange and Private Key Location 395

Supporting Encrypted Private Key Files 399

Checking That Decryption was Successful 406

Completing the Key Exchange 407

TLS Change Cipher Spec 409

TLS Finished 409

Avoiding Common Pitfalls When Adding HTTPS Support to a Server 411

When a Browser Displays Errors: Browser Trust Issues 412

Chapter 8 Advanced SSL Topics 415

Passing Additional Information with Client Hello Extensions 415

Safely Reusing Key Material with Session Resumption 420

Adding Session Resumption on the Client Side 421

Requesting Session Resumption 422

Adding Session Resumption Logic to the Client 422

Restoring the Previous Session’s Master Secret 424

Testing Session Resumption 425

Viewing a Resumed Session 427

Adding Session Resumption on the Server Side 428

Assigning a Unique Session ID to Each Session 429

Adding Session ID Storage 429

Modifying parse_client_hello to Recognize Session Resumption Requests 433

Drawbacks of This Implementation 435

Avoiding Fixed Parameters with Ephemeral Key Exchange 436

Supporting the TLS Server Key Exchange Message 437

Authenticating the Server Key Exchange Message 439

Examining an Ephemeral Key Exchange Handshake 442

Verifying Identity with Client Authentication 448

Supporting the CertificateRequest Message 449

Adding Certificate Request Parsing Capability for the Client 450

Handling the Certificate Request 452

Supporting the Certificate Verify Message 453

Refactoring rsa_encrypt to Support Signing 453

Testing Client Authentication 458

Viewing a Mutually-Authenticated TLS Handshake 460

Dealing with Legacy Implementations: Exportable Ciphers 463

Export-Grade Key Calculation 463

Step-up Cryptography 465

Discarding Key Material Through Session Renegotiation 465

Supporting the Hello Request 466

Renegotiation Pitfalls and the Client Hello Extension 0xFF01 468

Defending Against the Renegotiation Attack 469

Implementing Secure Renegotiation 471

Chapter 9 Adding TLS 1.2 Support to Your TLS Library 479

Supporting TLS 1.2 When You Use RSA for the Key Exchange 479

TLS 1.2 Modifications to the PRF 481

TLS 1.2 Modifications to the Finished Messages Verify Data 483

Impact to Diffie-Hellman Key Exchange 485

Parsing Signature Types 485

Adding Support for AEAD Mode Ciphers 490

Maximizing Throughput with Counter Mode 490

Reusing Existing Functionality for Secure Hashes with CBC-MAC 494

Combining CTR and CBC-MAC into AES-CCM 496

Maximizing MAC Throughput with Galois-Field Authentication 502

Combining CTR and Galois-Field Authentication with AES-GCM 505

Authentication with Associated Data 510

Incorporating AEAD Ciphers into TLS 1.2 517

Working ECC Extensions into the TLS Library 523

ECDSA Certificate Parsing 527

ECDHE Support in TLS 533

ECC Client Hello Extensions 540

The Current State of TLS 1.2 540

Chapter 10 Other Applications of SSL 543

Adding the NTTPS Extension to the NTTP Algorithm 543

Implementing “Multi-hop” SMTP over TLS and Protecting Email Content with S/MIME 545

Understanding the Email Model 545

The SSL/TLS Design and Email 546

Multipurpose Internet Mail Extensions (MIME) 547

Protecting Email from Eavesdroppers with S/MIME 549

Securing Email When There Are Multiple Recipients 550

S/MIME Certificate Management 552

Securing Datagram Traffic 552

Securing the Domain Name System 553

Using the DNS Protocol to Query the Database 555

Disadvantages of the DNS Query 555

Preventing DNS Cache Poisoning with DNSSEC 556

TLS Without TCP — Datagram TLS 559

Supporting SSL When Proxies Are Involved 560

Possible Solutions to the Proxy Problem 560

Adding Proxy Support Using Tunneling 561

SSL with OpenSSL 564

Final Thoughts 566

Appendix A Binary Representation of Integers: A Primer 567

The Decimal and Binary Numbering Systems 567

Understanding Binary Logical Operations 568

The AND Operation 568

The OR Operation 569

The NOT Operation 569

The XOR Operation 569

Position Shifting of Binary Numbers 570

Two’s-Complement Representation of Negative Numbers 570

Big-Endian versus Little-Endian Number Formats 571

Appendix B Installing TCPDump and OpenSSL 573

Installing TCPDump 573

Installing TCPDump on a Windows System 574

Installing TCPDump on a Linux System 575

Installing OpenSSL 575

Installing OpenSSL on a Windows System 575

Installing OpenSSL on a Linux system 577

Appendix C Understanding the Pitfalls of SSLv 2 579

Implementing the SSL Handshake 582

SSL Client Hello 588

SSL Server Hello 592

SSL Client Master Key 600

SSL Client Finished 607

SSL Server Verify 612

SSL Server Finished 616

SSL send 617

SSL recv 617

Examining an HTTPS End-to-End Example 619

Viewing the TCPDump Output 619

Problems with SSLv 2 626

Man-in-the-Middle Attacks 626

Truncation Attacks 626

Same Key Used for Encryption and Authentication 626

No Extensions 627

Index 629