SSL and TLS: Theory and Practice, Second Edition
A book published by
Artech House Publishers in the Information
Security and Privacy Series
(ISBN 978-1-60807-998-8)
Order book from Amazon.com
Rolf Oppliger, Ph.D.
eSECURITY Technologies Rolf Oppliger
Breichtenstrasse 18
CH-3074 Muri b. Bern, Switzerland
E-Mail: rolf.oppliger@esecurity.ch
Phone: +41 79 654 84 37
This book provides a comprehensive overview and discussion of the SSL/TLS and DTLS protocols, and specifically
addresses their security. This includes the most recent attacks against the SSL/TLS protocols that have made
press headlines (e.g., BEAST, CRIME, Lucky 13, POODLE, FREAK, Logjam, ... ). The book also addresses related
topics, like TLS extensions, firewall traversal, as well as public key certificates and Internet PKI.
The book is intended for anyone who has a basic understanding of cryptography and TCP/IP networking, and who
wants to learn more about the SSL/TLS and DTLS protocols and their proper use. It speaks to both theorists
and practitioners.
Preface
1. Introduction
2. SSL Protocol
3. TLS Protocol
4. DTLS Protocol
5. Firewall Traversal
6. Public Key Certificates and Internet PKI
7. Concluding Remarks
Registered TLS Cipher Suites
Padding Oracle Attacks
Abbreviations and Acronyms
About the Author
Index
- Page 36, Table 2.4: The key exchange algorithm associated with SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
is "DH_anon_EXPORT" (instead of "DH_anon")
- Page 69, line 10 from the bottom: The note in brackets should read as "referring to a Finished message"
(instead of "referring to a CertificateVerify message")
- Page 83, line 2: Insert "minus one" after "... refer to the padding length"
- Page 85, line 8: The last term in the square brackets should read as C_{i-1}[k-1] (instead of
C_{n-1}[k-1])
- Page 166, lines 2 and 9 in paragraph 2: The overline of C should also comprise the Delta
- Page 167, line 8: "the" must be replaced with "then"
- Page 248, 9th line from the bottom: The note in brackets should read as "that has been encrypted
with e" (instead of d)
- Page 248, 8th line from the bottom: The note in brackets should read as "using the respective
private key d" (instead of "using the same key d")
- Page 250, 3rd line after Algorithm B.1: "interated" must be replaced with "iterated"
- In December 2017, Hanno Böck, Juraj Somorovsky, and Craig Young published a paper in which they showed that many
currently deployed products and sites are still vulnerable to the Bleichenbacher attack, i.e., their TLS stacks still
let a client distinguish whether an RSA-encrypted premaster secret was correctly PKCS#1 v1.5 padded. The respective
attack is called ROBOT, an acronym standing for Return Of Bleichenbacher's Oracle Threat.
- At the ACM Conference on Computer and Communications Security (CCS) in October 2016, Karthikeyan Bhargavan and
Gaëtan Leurent presented a new attack - called Sweet32 - that exploits collisions on block ciphers with a relatively
short (64-bit) block length, such as 3DES used in HTTPS.
- At BlackHat 2016, Mathy Vanhoef and Tom Van Goethem showed that compression-related attacks, such as CRIME or
BREACH, can be mounted entirely from a modern browser that supports a specific API (the ServiceWorkers API),
without any network sniffing or MITM deployment. The respective attack has been named HTTP Encrypted Information
can be Stolen through TCP-Windows (HEIST).
- On May 25, 2016, Radu Caragea published a paper in which he described forensic techniques to read out a server's
master key from the memory of a virtual machine executed in a hypervisor. This work has an impact on the security
that can be achieved if the operation of an SSL/TLS-enabled Web server is outsourced, for example, to an external
cloud provider, because the provider (or anyone who controls the hypervisor) can recover session secrets without
ever touching the network traffic.
- On May 3, 2016, Juraj Somorovsky announced a vulnerability in OpenSSL (CVE-2016-2107) that had been introduced by
the code added to fix Lucky 13 (in the AES-NI CBC code path), and that can be exploited in a new padding oracle
attack. Filippo Valsorda later coined the term LuckyMinus20 (or LuckyNegative20) to refer to it.
- On March 1, 2016, a group of researchers announced a new attack against (all versions of) the TLS protocol.
The attack is called DROWN, an acronym standing for Decrypting RSA with Obsolete and Weakened eNcryption. It is
basically a cross-protocol attack that exploits the fact that the usual countermeasure against the Bleichenbacher
attack (cf. Section 2.4 on top of page 81) does not work properly in an SSLv2 setting (due to the way the master
secret is generated, combined with the fact that this secret can be as short as 40 bits in exportable cipher
suites). So if any server that supports SSLv2 uses the same RSA key that is also used for TLS, then the DROWN attack
can be used to mount a variation of the Bleichenbacher attack against TLS sessions established with that key. There
are two versions of the attack: a general DROWN attack and a special DROWN attack. While the general DROWN attack is
not particularly efficient, the special DROWN attack, which additionally relies on implementation bugs in older
OpenSSL versions, is highly efficient and devastating. To defeat the attack, it is necessary to remove support for
SSLv2 entirely from every server that shares the RSA key, including non-HTTPS services such as SMTP or IMAP.
- At the Internet Society's Network and Distributed System Security Symposium 2016 (NDSS 2016), Karthikeyan
Bhargavan and Gaëtan Leurent presented transcript collision attacks against cryptographic hash functions that
are already known to have weaknesses regarding their collision resistance (e.g., MD5 and SHA-1) but are still used
in TLS (as well as in many other Internet security protocols, such as IKE and SSH). The attacks are collectively
called SLOTH, an acronym standing for Security Loss due to the use of Obsolete and Truncated Hash constructions.
- In November 2015, Martin R. Albrecht and Kenneth G. Paterson released a technical report in which they explain how
a variant of the Lucky 13 attack - named Lucky Microseconds - can still be mounted against Amazon's new
implementation of the TLS protocol (i.e., s2n), even though protections against Lucky 13 had been put in place.
- At the 24th USENIX Security Symposium that took place in August 2015, two papers were presented on how to break
RC4 in a TLS setting ("Attacks Only Get Better: Password Recovery Attacks Against RC4 in TLS" by Garman, Paterson,
and van der Merwe, and "All Your Biases Belong to Us: Breaking RC4 in WPA-TKIP and TLS" by Vanhoef and Piessens).
- On November 30 and December 1, 2017, Rolf Oppliger carried out a 2-day seminar on the security of SSL/TLS on behalf
of the eSECURITY EDUCATION CENTER. The seminar will be repeated on May 3 and 4, 2018. A respective flyer is available
here.
- A detailed TLS 1.2 protocol execution transcript has been captured with Wireshark
(TLSHandshake.pcapng) and is discussed in a new Appendix C that will be included in the next edition of the book.
- Ivan Ristić has compiled a Web page
that provides a comprehensive history of the most important events that shaped the SSL/TLS and PKI ecosystem.
- On November 15 and 16, 2016, Rolf Oppliger taught a 2-day seminar on the theory and practice of SSL/TLS together with
Compass Security Schweiz AG (SSL/TLS Security Lab).
- On May 26 and June 9, 2016, Rolf Oppliger gave a beer talk about attacks and countermeasures related to SSL/TLS.
The respective slides are available here.
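The oracle that ROBOT re-measured in deployed products, and that DROWN exploits cross-protocol via SSLv2, comes down to a single server-side function: how the RSA-decrypted block is unpadded and turned into the premaster secret. The following Python is an added illustration for this page (it is neither code from the book nor from any TLS implementation) and shows a textbook unpadding routine with distinguishable failures next to the substitution countermeasure of RFC 5246, Section 7.4.7.1, which the DROWN item above refers to. It works on the RSA decryption output block EM only, so no RSA key is involved; the client_version TLS 1.2, the 128-byte modulus length and the probe blocks are constructed for the demo.

```python
"""Premaster-secret handling for RSA key exchange: a Bleichenbacher oracle
(the bug behind ROBOT, exploited cross-protocol by DROWN) beside the
countermeasure of RFC 5246, Section 7.4.7.1.  Added example, not code from
the book.  Operates on the RSA decryption output block EM, so no key is
needed; client_version and the 128-byte block length are demo assumptions."""
import secrets

TLS12 = b"\x03\x03"   # ClientHello.client_version assumed by the demo
PMS_LEN = 48          # premaster secret: 2 version bytes + 46 random bytes


class PaddingError(Exception):
    pass


class VersionError(Exception):
    pass


def pkcs1_v15_encode(msg: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x02 || PS (>= 8 nonzero bytes) || 0x00 || msg (RFC 8017, 7.2.1)."""
    ps_len = k - len(msg) - 3
    if ps_len < 8:
        raise ValueError("message too long for the modulus")
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + msg


def vulnerable_unpad(em: bytes, client_version: bytes = TLS12) -> bytes:
    """Textbook unpadding with early exits.  A client that can tell PaddingError
    from any other handshake outcome (alert type, timing, TCP reset) holds the
    oracle Bleichenbacher's attack needs; telling VersionError apart as well is
    the Klima-Pokorny-Rosa variant."""
    if em[:2] != b"\x00\x02":
        raise PaddingError("wrong block type")
    sep = em.find(b"\x00", 2)           # -1 if no separator at all
    if sep < 10:                        # absent, or fewer than 8 padding bytes
        raise PaddingError("malformed padding string")
    pms = em[sep + 1:]
    if len(pms) != PMS_LEN:
        raise PaddingError("wrong premaster length")
    if pms[:2] != client_version:
        raise VersionError("client_version mismatch")
    return pms


def rfc5246_premaster(em: bytes, client_version: bytes = TLS12) -> bytes:
    """RFC 5246, 7.4.7.1: on *any* failure substitute client_version || 46 random
    bytes and carry on.  The handshake then fails at Finished exactly as it would
    for a wrong premaster secret, so the client learns nothing about the padding.
    All checks run over the whole block without data-dependent exits (Python cannot
    promise constant time; the branch-free shape is what a real stack needs)."""
    r = client_version + secrets.token_bytes(PMS_LEN - 2)
    bad = int(em[0] != 0) | int(em[1] != 2)
    sep = -1                             # index of the first 0x00 after the header
    for i in range(2, len(em)):
        first = int(em[i] == 0) & int(sep == -1)
        sep = sep * (1 - first) + i * first
    bad |= int(sep < 10)                 # no separator, or padding string too short
    bad |= int(len(em) - sep - 1 != PMS_LEN)
    m = (em[sep + 1:] + bytes(PMS_LEN))[:PMS_LEN]   # fixed-length view of the message
    bad |= int(m[:2] != client_version)
    mask = -bad & 0xFF                   # 0x00 keeps m, 0xFF selects the random r
    return bytes((mi & (mask ^ 0xFF)) | (ri & mask) for mi, ri in zip(m, r))


def attacker_view(unpad, em: bytes) -> str:
    """What a client-side attacker learns from one probe against a server that
    uses `unpad`: the failure class, or 'proceeds' if the handshake continues."""
    try:
        unpad(em)
        return "proceeds"
    except (PaddingError, VersionError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    k = 128                              # constructed: 1024-bit modulus
    good = pkcs1_v15_encode(TLS12 + secrets.token_bytes(46), k)
    probes = {                           # constructed probe blocks
        "valid": good,
        "wrong block type": b"\x00\x01" + good[2:],
        "no separator": b"\x00\x02" + b"\x01" * (k - 2),
        "old version": pkcs1_v15_encode(b"\x03\x01" + bytes(46), k),
    }
    for name, em in probes.items():
        print(f"{name:17s} vulnerable: {attacker_view(vulnerable_unpad, em):13s} "
              f"hardened: {attacker_view(rfc5246_premaster, em)}")
```

Run as a script, the table shows the point of the countermeasure: the vulnerable routine answers each malformed probe with a different failure, while the hardened one answers "proceeds" for every probe and pushes the failure into the Finished check, where a correctly padded but wrong premaster secret looks identical. The SSLv2 problem exploited by DROWN is that this substitution does not help there, because the SSLv2 master secret derivation lets the attacker verify a guessed (and, for export suites, 40-bit) secret offline.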
© 2017 Rolf Oppliger