book

Implementing SSL/TLS Using Cryptography and PKI

by Joshua Davies

January 2011

Intermediate to advanced

696 pages

16h 56m

English

Wiley

Read now

Unlock full access

Supplemental Web SitesRoadmap and Companion Source CodeOutline of the BookHow to Read This Book
What Are Secure Sockets?Insecure Communications: Understanding the HTTP ProtocolRoadmap for the Rest of This Book
Understanding Block Cipher Cryptography AlgorithmsUnderstanding Stream Cipher Algorithms
Understanding the Theory Behind the RSA AlgorithmPerforming Arbitrary Precision Binary Math to Implement Public-Key CryptographyEncryption and Decryption with RSAAchieving Perfect Forward Secrecy with Diffie-Hellman Key ExchangeGetting More Security per Key Bit: Elliptic Curve CryptographyMaking ECC Work with Whole Integers: Elliptic-Curve Cryptography over Fp
Using Message Digests to Create Secure Document Surrogates
Putting It Together: The Secure Channel ProtocolEncoding with ASN.1Developing an ASN.1 ParserManaging CertificatesOther Problems with Certificates
Implementing the TLS 1.0 Handshake (Client Perspective)Secure Data Transfer with TLSImplementing TLS ShutdownExamining HTTPS End-to-End Examples (TLS 1.0)Differences Between SSL 3.0 and TLS 1.0Differences Between TLS 1.0 and TLS 1.1
Implementing the TLS 1.0 Handshake from the Server's PerspectiveAvoiding Common Pitfalls When Adding HTTPS Support to a ServerWhen a Browser Displays Errors: Browser Trust Issues
Passing Additional Information with Client Hello ExtensionsSafely Reusing Key Material with Session ResumptionAvoiding Fixed Parameters with Ephemeral Key ExchangeVerifying Identity with Client AuthenticationDealing with Legacy Implementations: Exportable CiphersDiscarding Key Material Through Session Renegotiation
Supporting TLS 1.2 When You Use RSA for the Key ExchangeImpact to Diffie-Hellman Key ExchangeAdding Support for AEAD Mode CiphersWorking ECC Extensions into the TLS LibraryThe Current State of TLS 1.2
Adding the NTTPS Extension to the NTTP AlgorithmImplementing "Multi-hop" SMTP over TLS and Protecting Email Content with S/MIMESecuring Datagram TrafficSupporting SSL When Proxies Are InvolvedSSL with OpenSSL
The Decimal and Binary Numbering SystemsUnderstanding Binary Logical OperationsTwo's-Complement Representation of Negative NumbersBig-Endian versus Little-Endian Number Formats
Installing TCPDumpInstalling OpenSSL
Implementing the SSL Handshake

Content preview from Implementing SSL/TLS Using Cryptography and PKI

CHAPTER 9 Adding TLS 1.2 Support to Your TLS Library

TLS 1.2 was formally specified in 2008 after several years of debate. It represents a significant change to its predecessor TLS 1.1 — mostly in terms of increased security options and additional cipher suite choices. This chapter details the changes that you need to make to the TLS 1.0 implementation of the previous three chapters to make it compliant with TLS 1.2.

The next two sections detail the message-format level changes that TLS 1.2 introduced. I move quickly here, assuming a good familiarity with the material in the previous three chapters — if you don't remember what the PRF is or what messages are involved in the TLS handshake, you may want to jump back and briefly review at least Chapter 6. Alternatively, if you're more interested in what TLS 1.2 does, rather than how it does it, you can skip ahead to the section in the chapter on AEAD encryption.

Supporting TLS 1.2 When You Use RSA for the Key Exchange

This section covers changes sufficient enough to support TLS 1.2 in the most straightforward case: when RSA is used directly for key exchange. To do so, you would follow these basic steps.

Obviously, you should change the version number declared in the header file from 3.1 to 3.3 as shown in Listing 9-1.
```
Listing 9-1: "tls.h" TLS 1.2 version declaration
```
```
#define TLS_VERSION_MAJOR 3
#define TLS_VERSION_MINOR 3
```
After this, you need to make the code TLS 1.1 compliant. If you recall from Chapter 6, the most significant ...