SSL and TLS: Designing and Building Secure Systems

Paperback
Author: Eric Rescorla

ISBN-10: 0201615983

ISBN-13: 9780201615982

Category: Protocols & Standards - Computer Networks

Secure Sockets Layer (SSL) is used in virtually every commercial web browser and server. In this book, one of the world's leading network security experts explains how SSL works—and gives implementers step-by-step guidance and proven design patterns for building secure systems with SSL. Eric Rescorla also provides the first in-depth introduction to Transport Layer Security (TLS), the highly anticipated, maximum-security successor to SSL. Rescorla starts by introducing SSL's fundamentals: how it works, and the threats it is intended to address. One step at a time, he addresses each key SSL concept and technique, including cryptography, SSL performance optimization, designing and coding, and how to work around SSL's limitations. Rescorla demonstrates TLS at work in SMTP-based Internet security applications. The book includes detailed examples of SSL/TLS implementations, with in-depth insight into the key design choices that informed them. For all network and security designers, enterprise developers, system implementers, and suppliers of Internet security products and services.

Electronic Review of Computer Books - Danny Yee

Covering, as it does, pretty much everything about the Secure Sockets Layer in some depth, Eric Rescorla's SSL and TLS: Designing and Building Secure Systems is not for those who only want to get a secure web site up and running quickly. However, the layout makes it easy to browse just those portions that interest you, and to skip unwanted detail, so it can profitably be used by those who are simply curious, as well as by protocol designers, application programmers, and SSL/TLS implementors. (It was nice that Rescorla recognized the "just curious" in the preface.) A basic understanding of TCP/IP is all that's absolutely necessary to get something from SSL and TLS, but following the details requires a solid understanding.

Rescorla begins with a rapid introduction to security and cryptography and a brief history of SSL protocols (TLS or Transport Layer Security is the IETF-endorsed version). Two chapters then describe SSL itself, the first covering server authentication using RSA (the original motivation for SSL and still by far its most common use) and the second covering other algorithms (Kerberos, FORTEZZA) and modes such as client authentication and session resumption.

The remaining chapters cover specialized topics. A chapter on security looks at protecting keys, random-number generation, certificate chain verification, and some of the known attacks on SSL, such as timing cryptanalysis and the "million message attack." A chapter on performance explains the basic problem (cryptography is expensive), then goes into the details of variations with algorithm and mode (and language, with C recommended over Java) and the use of hardware acceleration. There is also a chapter on designing with SSL and one on coding (and Appendix A has 40-odd pages of sample code).

Two chapters consider special issues with running HTTP over SSL (HTTPS) and SMTP over TLS. Issues with HTTP include reference integrity (ensuring the client is talking to the server it thinks it's talking to), virtual hosts, proxies, and downgrade attacks. With SMTP, relaying introduces major complications. A final chapter looks at some alternative approaches, most importantly IPsec, Secure HTTP, and S/MIME. This material provides some interesting examples of interaction between complex protocols.

Chapter 1: Security Concepts

Introduction

This chapter is intended to provide a basic introduction to communications security and cryptography. Communications security is a complicated topic and many fine books have been written about it. Our intent here is not to provide an exhaustive discussion of the topic but rather to teach you enough to understand the concepts and terminology that will be used throughout the rest of the book. Readers who are already familiar with cryptography and communications security should feel free to skip this chapter entirely.

We start by explaining the sorts of threats we're concerned about and the various sorts of security services we can provide. Next we provide a broad overview of cryptographic algorithms and how to put them together to provide these security services. Finally, we discuss some details of the various algorithms which will be relevant when we discuss their use in SSL/TLS.

The Internet Threat Model

The first thing that we need to do is define our threat model. A threat model describes what resources we expect the attacker to have available and what attacks the attacker can be expected to mount. Nearly every security system is vulnerable to some threat or another. To see this, imagine that you keep your papers in a completely unbreakable safe. That's all well and good, but if someone has planted a video camera in your office they can see your confidential information whenever you take it out to use it, so the safe hasn't bought you that much.

Therefore, when we define a threat model, we're concerned not only with defining what attacks we are going to worry about but also those we're not going to worry about. Failure to take this important step typically leads to complete deadlock as designers try to figure out how to counter every possible threat. What's important is to figure out which threats are realistic and which ones we can hope to counter with the tools available to us.

Designers of Internet security protocols typically share a more or less common threat model. First, it's assumed that the actual end systems that the protocol is being executed on are secure. Protecting against attacks where one of the end systems is under the control of the attacker is extraordinarily difficult, if not impossible. This assumption comes with two caveats. First, compromise of any single end system shouldn't break security for everyone. There should be no single point of failure. For instance, if an attacker breaks system A, then all communications between B and A may be compromised, but communications between B and C should be safe. If we must have a single point of failure it must be possible to harden it against attack. Second, attackers may control systems that attempt to pose as legitimate end systems. All we're assuming is that users can expect that their own machines haven't been compromised.

Other than that, we assume that the attacker has more or less complete control of the communications channel between any two machines. He can certainly inject packets into the network with arbitrary address information, both for the sender and the receiver, and can read any packet that is on the network and remove any packet he chooses. Any packet you receive must be assumed to potentially come from the attacker and any packet you send might be modified in transit. An attack that depends on the attacker writing data to the network is known as an active attack. An attack that merely involves reading data off the network is known as a passive attack.

An obvious corollary of the assumption that the attacker can modify traffic is that the attacker can shut down all communication between any pair of machines simply by removing all relevant packets. This is one form of denial-of-service attack. Another form would be to force you to use up enormous CPU resources responding to connections. Conventionally, protocol designers don't worry about denial-of-service attacks, not because these attacks aren't important but because they're extraordinarily difficult to prevent.

One of the most important functions of a threat model is to arrange that security doesn't become more expensive than it is worth. Security measures should be employed only up to the point where the cost to implement them doesn't exceed the expected risk. Failure to make this judgment correctly can easily lead to a situation where no risk is judged acceptable and thus no acceptable system can be designed.

Part of the risk calculation is the effort required by the attacker to mount a given attack, and cost generally increases with each attack prevented. No security system is resistant to every attack. The function of a security model is to allow designers to determine which attacks are worthwhile to prevent. However, accurately estimating how much security you need requires accurately estimating the attacker's capabilities. If an attack that was originally considered impractical is discovered to be simple, then there will be a window of vulnerability while people adjust their security models and implementations to compensate.

The Players

To make it easier to understand the various examples we'll be discussing in this chapter, we'll use the same names repeatedly for the various parties. By convention, the two communicating parties are referred to as Alice and Bob, after the names used in the original RSA paper [Rivest1979]. The attacker is known merely as "the attacker...

Preface.

1. Security Concepts. Introduction. The Internet Threat Model. The Players. The Goals of Security. Tools of the Trade. Putting It All Together. A Simple Secure Messaging System. A Simple Secure Channel. The Export Situation. Real Cryptographic Algorithms. Symmetric Encryption: Stream Ciphers. Symmetric Encryption: Block Ciphers. Digest Algorithms. Key Establishment. Digital Signature. MACs. Key Length. Summary.

2. Introduction to SSL. Introduction. Standards and Standards Bodies. SSL Overview. SSL/TLS Design Goals. SSL and the TCP/IP Suite. SSL History. SSL for the Web. Everything over SSL. Getting SSL. Summary.

3. Basic SSL. Introduction. SSL Overview. Handshake. SSL Record Protocol. Putting the Pieces Together. A Real Connection. Some More Connection Details. SSL Specification Language. Handshake Message Structure. Handshake Messages. Key Derivation. Record Protocol. Alerts and Closure. Summary.

4. Advanced SSL. Introduction. Session Resumption. Client Authentication. Ephemeral RSA. Rehandshake. Server Gated Cryptography. DSS and DH. Elliptic Curve Cipher Suites. Kerberos. FORTEZZA. The Story So Far. Session Resumption Details. Client Authentication Details. Ephemeral RSA Details. SGC Details. DH/DSS Details. FORTEZZA Details. Error Alerts. SSLv2 Backward Compatibility. Summary.

5. SSL Security. Introduction. What SSL Provides. Protect the master_secret. Protect the Server's Private Key. Use Good Randomness. Check the Certificate Chain. Algorithm Selection. The Story So Far. Compromise of the master_secret. Protecting Secrets in Memory. Securing the Server's Private Key. Random Number Generation. Certificate Chain Verification. Partial Compromise. Known Attacks. Timing Cryptanalysis. Million Message Attack. Small-Subgroup Attack. Downgrade to Export. Summary.

6. SSL Performance. Introduction. SSL Is Slow. Performance Principles. Cryptography Is Expensive. Session Resumption. Handshake Algorithm and Key Choice. Bulk Data Transfer. Basic SSL Performance Rules. The Story So Far. Handshake Time Allocation. Normal RSA Mode. RSA with Client Authentication. Ephemeral RSA. DSS/DHE. DSS/DHE with Client Authentication. Performance Improvements with DH. Record Processing. Java. SSL Servers under Load. Hardware Acceleration. Inline Hardware Accelerators. Network Latency. The Nagle Algorithm. Handshake Buffering. Advanced SSL Performance Rules. Summary.

7. Designing with SSL. Introduction. Know What You Want to Secure. Client Authentication Options. Reference Integrity. Inappropriate Tasks. Protocol Selection. Reducing Handshake Overhead. Design Strategy. The Story So Far. Separate Ports. Upward Negotiation. Downgrade Attacks. Reference Integrity. Username/Password Authentication. SSL Client Authentication. Mutual Username/Password Authentication. Rehandshake. Secondary Channels. Closure. Summary.

8. Coding with SSL. Introduction. SSL Implementations. Sample Programs. Context Initialization. Client Connect. Server Accept. Simple I/O Handling. Multiplexed I/O Using Threads. Multiplexed I/O with select(). Closure. Session Resumption. What's Missing? Summary.

9. HTTP over SSL. Introduction. Securing the Web. HTTP. HTML. URLs. HTTP Connection Behavior. Proxies. Virtual Hosts. Protocol Selection. Client Authentication. Reference Integrity. HTTPS. HTTPS Overview. URLs and Reference Integrity. Connection Closure. Proxies. Virtual Hosts. Client Authentication. Referrer. Substitution Attacks. Upgrade. Programming Issues. Proxy CONNECT. Handling Multiple Clients. Summary.

10. SMTP over TLS. Introduction. Internet Mail Security. Internet Messaging Overview. SMTP. RFC 822 and MIME. E-Mail Addresses. Mail Relaying. Virtual Hosts. MX Records. Client Mail Access. Protocol Selection. Client Authentication. Reference Integrity. Connection Semantics. STARTTLS. STARTTLS Overview. Connection Closure. Requiring TLS. Virtual Hosts. Security Indicators. Authenticated Relaying. Originator Authentication. Reference Integrity Details. Why Not CONNECT? What's STARTTLS Good For? Programming Issues. Implementing STARTTLS. Server Startup. Summary.

11. Contrasting Approaches. Introduction. The End-to-End Argument. The End-to-End Argument and SMTP. Other Protocols. IPsec. Security Associations. ISAKMP and IKE. AH and ESP. Putting It All Together: IPsec. IPsec versus SSL. Secure HTTP. CMS. Message Format. Cryptographic Options. Putting It All Together: S-HTTP. S-HTTP versus HTTPS. S/MIME. Basic S/MIME Formatting. Signing Only. Algorithm Choice. Putting It All Together: S/MIME. Implementation Barriers. S/MIME versus SMTP/TLS. Choosing the Appropriate Solution. Summary.

Appendix A: Example Code. Chapter 8. Examples. Java Examples. Chapter 9. HTTPS Examples. mod_ssl Session Caching.

Appendix B: SSLv2. Introduction. SSLv2 Overview. Missing Features. Security Problems. PCT. What about SSLv1?

Bibliography. Index.

From Barnes & Noble

"This is the best book on SSL/TLS. Rescorla knows SSL/TLS as well as anyone and presents it both clearly and completely.... At times, I felt like he's been looking over my shoulder when I designed SSL v3. If network security matters to you, buy this book."
Paul Kocher, Cryptography Research, Inc.
Co-Designer of SSL v3

"Having the right crypto is necessary but not sufficient to having secure communications. If you're using SSL/TLS, you should have SSL and TLS sitting on your shelf right next to Applied Cryptography."
Bruce Schneier, Counterpane Internet Security, Inc. Author of Applied Cryptography

"Everything you wanted to know about SSL/TLS in one place. It covers the protocols down to the level of packet traces. It covers how to write software that uses SSL/TLS. And it contrasts SSL with other approaches. All this while being technically sound and readable!"
Radia Perlman, Sun Microsystems, Inc. Author of Interconnections

Booknews

A specialist in Internet security, Rescorla explains secure sockets layer and its IETF successor, transport layer security, which are leading Internet security protocols. He discusses their role in network communications, their security properties, and their performance characteristics. He warns that they cannot be treated as a black box to plug systems into, but must be understood quite thoroughly to be used effectively. The bibliography is lightly annotated. Annotation c. Book News, Inc., Portland, OR (booknews.com)