SSL and TLS: Theory and Practice, Second Edition

E-Mail: rolf.oppliger@esecurity.ch
Phone: +41 79 654 84 37

Aims and Scope

This book provides a comprehensive overview and discussion of the SSL/TLS and DTLS protocols, and specifically addresses their security. This includes the most recent attacks against the SSL/TLS protocols that have made press headlines (e.g., BEAST, CRIME, Lucky 13, POODLE, FREAK, Logjam, ... ). The book also addresses related topics, like TLS extensions, firewall traversal, as well as public key certificates and Internet PKI.

Target Audience

The book is intended for anyone who has a basic understanding of cryptography and TCP/IP networking, and who wants to learn more about the SSL/TLS and DTLS protocols and their proper use. It speaks to both theorists and practitioners.

Table of Contents

Preface
1. Introduction
2. SSL Protocol
3. TLS Protocol
4. DTLS Protocol
5. Firewall Traversal
6. Public Key Certificates and Internet PKI
7. Concluding Remarks
Registered TLS Cipher Suites
Padding Oracle Attacks
Abbreviations and Acronyms
About the Author
Index

Reviews

Errata List

• Page 36, Table 2.4: The key exchange algorithm associated with SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA is "DH_anon_EXPORT" (instead of "DH_anon")
• Page 69, line 10 from the bottom: The note in brackets should read as "referring to a Finished message" (instead of "referring to a CertificateVerify message")
• Page 83, line 2: Insert "minus one" after "... refer to the padding length"
• Page 85, line 8: The last term in the square brackets should read as C_{i-1}[k-1] (instead of C_{n-1}[k-1])
• Page 166, lines 2 and 9 in paragraph 2: The overline of C should also comprise the Delta
• page 167, line 8: "the" must be replaced with "then"
• Page 248, 9th line from the bottom: The note in brackets should read as "that has been encrypted with e" (instead of d)
• Page 248, 8th line from the bottom: The note in brackets should read as "using the respective private key d" (instead of "using the same key d")
• Page 250, 3rd line after Algorithm B.1: "interated" must be replaced with "iterated"

News

• In November 2018, Eyal Ronen et al. published a paper in which they show that most TLS implementations in use today are still vulnerable to Bleichenbacher-like padding oracle attacks. The term coined to refer to these attacks is Cache-like ATtacks, and hence the acronym used here is CAT (equal to the respective research project name).
• At the 25rd ACM Conference on Computer and Communications Security (CCS) that will take place in October 2018, Eyal Ronen, Kenneth G. Paterson, and Adi Shamir will present three new types of attack that are similar to Lucky 13, and that are still feasible even though some pseudo constant time countermeasures are put in place. A preprint of the paper is available in the Cryptology ePrint Archive.
• In August 2018, the TLS 1.3 specification was published in RFC 8446 and submitted to the Internet Standards Track.
• In December 2017, Hanno Böck, Juraj Somorovsky, and Craig Young published a paper in which they showed that many currently deployed products and sites are still vulnerable to the Bleichenbacher attack. The respective attack is called ROBOT, and acronym standing for Return Of Bleichenbacher's Oracle Threat.
• At the 23rd ACM Conference on Computer and Communications Security (CCS) that took place in October 2016, Karthikeyan Bhargavan and Gaëtan Leurent presented a new attack - called Sweet32 - that exploits collisions on block ciphers with a relatively short block length, such as 3DES used in HTTPS.
• At BlackHat 2016, Mathy Vanhoef and Tom Van Goethem demonstrated possibilities to mount compression-related attacks, such as CRIME or BREACH, entirely in a modern browser that supports a specific API, i.e., the ServiceWorkers API, without any network sniffing or MITM deployment. The respective attack has been named HTTP Encrypted Information can be Stolen through TCP-Windows (HEIST).
• On May 25, 2016, Radu Caragea published a paper in which he decribed forensic techniques to read out a server's master key from the memory of a virtual machine executed in a hypervisor. This work has an impact on the security that can be achieved if the operation of an SSL/TLS-enabled Web server is outsourced, for example, to an external cloud provider.
• On May 3, 2016, Juraj Somorovsky announced a vulnerability in OpenSSL (CVE-2016-2107) that was introduced to fix Lucky 13, and that can be exploited in a new padding oracle attack. Filippo Valsorda later coined the term LuckyMinus20 (or LuckyNegative20) to refer to it.
• On March 1, 2016, a group of researchers announced a new attack against (all versions of) the TLS protocol. The attack is called DROWN, an acronmy standing for Decrypting RSA with Obsolete and Weakened eNcryption. It is basically a cross-protocol attack that exploits the fact that the usual countermasure against the Bleichenbacher attack (cf. Section 2.4 on top of page 81) does not properly work in an SSLv2 setting (due to the way the master secret is generated combined with the fact that this secret can be as small as 40 bits in exportable cipher suites). So if a server supports SSLv2 and uses the same RSA key for TLS, then the DROWN attack can be used to actually mount a variation of the Bleichenbacher attack. There are two versions of the attack: A general DROWN attack and a special DROWN attack. While the general DROWN attack is not particularly efficient, the special DROWN attack is highly efficient and devastating. To defeat the attack, it is necessary to remove support for SSLv2 on the server side entirely.
• At the 2016 Internet Society's Network and Distributed System Security Symposium (NDSS 2016), Karthikeyan Bhargavan and Gaëtan Leurent presented some transcript collision attacks against cryptographic hash functions that are yet known to have weaknesses regarding their collision resistance (e.g., MD5 and SHA-1) but are still used in TLS (as well as many other Internet security protocols, such as IKE and SSH). The attacks are collectively called SLOTH, an acronym standing for Security Loss due to the use of Obsolete and Truncated Hash constructions.
• In November 2015, Martin R. Albrecht and Kenneth G. Paterson released a technical report in which they explain how a variant of the Lucky 13 attack - named Lucky Microseconds - can still be mounted against Amazon's new implementation of the TLS protocol (i.e., s2n) even though protections against Lucky 13 had been put in place.
• In August 2015 (24th USEXIX Security Symposium), two research groups presented papers on how to actually break RC4 in a TLS setting (paper1, paper2). The results of the second paper are also known as the RC4 NOMORE attack.

Additional Material

• David Wong has created an animated TLS 1.3 specification that is more readable and accessible than the purely text-based RFC 8446.
• An interactive illustration of a TLS 1.3 protocol execution transcript is available here (a similar illustration for TLS 1.2 is available here).
• On November 30 and December 1, 2017, Rolf Oppliger taught a 2-day course on the security of SSL and TLS. The course is scheduled to take place again on March 21 - 22, 2019, in the eSECURITY Academy (download flyer).
• A TLS 1.3 protocol execution transcript has been captured with Wireshark (TLS13Handshake.pcapng).
• A TLS 1.2 protocol execution transcript has been captured with Wireshark (TLS12Handshake.pcapng) and is discussed in a new Appendix C that will be included in the next edition of the book.
• Ivan Ristić has compiled a Web page that provides a comprehensive history of the most important events that shaped the SSL/TLS and PKI ecosystem.
• On November 15 and 16, 2016, Rolf Oppliger taught a 2-day seminar on the theory and practice of SSL/TLS together with Compass Security Schweiz AG (SSL/TLS Security Lab).
• On May 26 and June 9, 2016, Rolf Oppliger gave a beer talk entitled about attacks and countermeasures related to SSL/TLS. The respective slides are available here.