SSL and TLS: Theory and Practice
A book published by
Artech House Publishers in the Information
Security and Privacy Series
Rolf Oppliger, Ph.D.
eSECURITY Technologies Rolf Oppliger
Breichtenstrasse 18
CH-3074 Muri b. Bern, Switzerland
E-Mail: rolf.oppliger@esecurity.ch
Phone/Fax: +41 079 654 84 37
This book provides a comprehensive overview and discussion of the SSL/TLS protocols. It also
addresses related topics, such as TLS extensions, datagram TLS (DTLS), firewall traversal, as well as
public key certificates and public key infrastructure (PKI).
The book is intended for anyone who wants to get a deep understanding of the SSL/TLS protocols and
their proper use, be it a theorist or a practitioner.
Foreword by Taher Elgamal
Preface
1. Introduction
2. Cryptography Primer
3. Transport Layer Security
4. SSL Protocol
5. TLS Protocol
6. DTLS Protocol
7. Firewall Traversal
8. Public Key Certificates and PKI
9. Conclusions and Outlook
Appendix TLS Cipher Suites
Abbreviations and Acronyms
About the Author
Index
- Page 91, line 11: "EtA" should be replaced with "AtE".
- Page 93, line 12: "employs" should be replaced with "proposes the use of"
(reported on July 17, 2010, by Anthony Barnard).
- Page 101, lines 13 and 14: The note put in brackets (i.e., "(including length
field)") should be removed (reported on January 23, 2011, by Michael D'Errico).
- Page 101, line 4 from the bottom: "In fact, the 2 bytes immediately following ..." should be
replaced with "In fact, the byte immediately following ..." (reported on January 23, 2011,
by Michael D'Errico).
- Page 126, line 4 from the bottom: s^{-1} should be replaced with r^{-1}
(reported on August 27, 2009, by Samuel Walther).
- Page 117, line 5: "(referring to a CertificateVerify" should be replaced with
"(referring to a Finished" with the respective type fonts.
- Page 139, line 9 in Section 5.1.2: "client_random and client_random" should be replaced with
"client_random and server_random" "need" (reported on August 27, 2009, by Samuel Walther).
- Page 139, lines 3 and 2 from the bottom: "client_random and client_random" should be replaced with
"server_random and server_random" "need" (reported on August 27, 2009, by Samuel Walther).
- Page 147, line 11 from the bottom: "EtA" should be replaced with "AtE".
- Page 153, Section 5.4.1, 2nd bullet: It should be mentioned that RFC 4366 was published around
the same time as RFC 4346 (specification of TLS 1.1), and hence that all extensions specified in
RFC 4366 apply retroactively to TLS 1.0 and later.
The same argument applies to Section 5.4.1.13 on page 168: while the summary implies
that the extensions are only usable with TLS 1.2, the extension format specified in RFC 4366 also
applies to prior versions of the TLS protocol (reported on January 23, 2011,
by Michael D'Errico).
- Page 180: Reference [28] appears twice. The second occurrence should be labelled reference [29].
- Page 242: The HMAC-Based and Galois Counter Mode-Based Cipher Suites of RFC 5289 should be appended
to the Appendix entitled "Standardized TLS Cipher Suites."
- In 2005, Onur Aciiçmez, Werner Schindler, and Çetin K. Koç significantly improved
the remote timing attack of Brumley and Boneh mentioned in the book in the first paragraph of page 129.
The respective conference paper is available here.
- In March 2009, Margaret Salter, Eric Rescorla, and Russ Housley published Informational
RFC 5430
that defines a profile of TLS version 1.2 that is fully conformant with NSA
Suite B Cryptography and a transitional profile for TLS versions 1.0 and 1.1 that employs
Suite B algorithms to the greatest extent possible. In addition to
- In August 2009, Moxie Marlinspike gave a talk on
null prefix attacks against SSL/TLS certificates and announced
their implementation in the SSLStrip proxy software that can be used to mount man-in-the-middle
attacks against SSL/TLS sessions.
- In November 2009, Marsh Ray and Steve Dispensa announced the feasibility of a
TLS renegotiation attack
that exploits SSL/TLS's renegotiation feature to inject plaintext into a legitimate
client-server exchange such that the server will accept it as if it came from the
client. In February 2010, the IETF issued RFC 5746, which specifies a TLS extension to defeat the TLS
renegotiation attack.
- In September 2011, Juliano Rizzo and Thai Duong released a tool named BEAST (Browser Exploit
Against SSL/TLS) that implements and automates a blockwise adaptive chosen plaintext attack found by
Gregory Bard that is briefly mentioned in the book on page 129 and at the end of page 148.
- In October 2011, a German hacker group released the tool
THC-SSL-DOS to mount computational denial
of service attacks against SSL/TLS servers.
- In February 2012, Nadhem AlFardan and Kenneth Paterson published a paper in which they
applied the Vaudenay attack mentioned in the book in the second paragraph of page 129
against the DTLS protocol. The respective conference paper is available
here.
- In April 2012, Romain Bardou et al. published an improvement of the Bleichenbacher attack that
goes beyond the improvement of Klíma, Pokorný, and Rosa mentioned in the book in
the last paragraph of page 128. The respective technical report from INRIA is available
here.
- In September 2012, Juliano Rizzo and Thai Duong (the two developers of BEAST) announced the CRIME
attack that exploits some vulnerabilities in the way TLS employs compression.
- Early in 2013, Christopher Meyer and Jörg Schwenk published a report in which they give a brief chronology
of attacks and weaknesses related to the SSL/TLS protocols together with a summary of the lessons learned.
The report is available here.
- In February 2013, Nadhem AlFardan and Kenneth Paterson published another paper in which they describe
a timing attack against CBC encryption in the TLS or DTLS protocol. The paper is available
here.
- In March 2013, Nadhem AlFardan, Dan Bernstein, Kenneth Paterson, Bertram Poettering, and Jacob Schuldt
announced an attack that exploits statistical flaws in the keystream generated by RC4, which allow
an adversary to recover a limited amount of plaintext from an SSL/TLS connection when RC4 encryption is
used. Further information is available here.
© 2013 Rolf Oppliger