“SSL and TLS: Theory and Practice”, Rolf Oppliger, 2009, 978-1-59693-447-4
%A Rolf Oppliger email@example.com
%C 685 Canton St., Norwood, MA 02062
%G 978-1-59693-447-4 1-59693-447-6
%I Artech House/Horizon
%O 617-769-9750 800-225-9977 firstname.lastname@example.org
%O Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 257 p.
%T “SSL and TLS: Theory and Practice”
The preface states that the book is intended to update the existing literature on SSL (Secure Sockets Layer) and TLS (Transport Layer Security), and to provide a design level understanding of the protocols. (Oppliger does not address issues of implementation or specific products.) The work assumes a basic understanding of TCP/IP, the Internet standards process, and cryptography, altough some fundamental cryptographic principles are given.
Chapter one is a basic introduction to security and some related concepts. The author uses the definition of security architecture from RFC 2828 to provide a useful starting point and analogy. The five security services listed in ISO 7498-2 and X.800 (authentication, access control, confidentiality, integrity, and nonrepudiation) are clearly defined, and the resultant specific and pervasive security mechanisms are mentioned. In chapter two, Oppliger gives a brief overview of a number of cryptologic terms and concepts, but some (such as steganography) may not be relevant to examination of the SSL and TLS protocols. (There is also a slight conflict: in chapter one, a secure system is defined as one that is proof against a specific and defined threat, whereas, in chapter two, this is seen as conditional security.) The author’s commentary is, as in all his works, clear and insightful, but the cryptographic theory provided does go well beyond what is required for this topic.
Chapter three, although entitled “Transport Layer Security,” is basically a history of both SSL and TLS. SSL is examined in terms of the protocols, structures, and messages, in chapter four. There is also a quick analysis of the structural strength of the specification.
Since TLS is derived from SSL, the material in chapter five concentrates on the differences between SSL 3.0 and TLS 1.0, and then looks at algorithmic options for TLS 1.1 and 1.2. DTLS (Datagram Transport Layer Security), for UDP (User Datagram Protocol), is described briefly in chapter six, and seems to simply add sequence numbers to UDP, with some additional provision for security cookie exchanges. Chapter seven notes the use of SSL for VPN (virtual private network) tunneling. Chapter eight reviews some aspects of
public key certificates, but provides little background for full implementation of PKI (Public Key Infrastructure). As a finishing touch, chapter nine notes the sidejacking attacks, concerns about man-in-the-middle (MITM) attacks (quite germane, at the moment), and notes that we should move from certificate based PKI to a trust and privilege management infrastructure (PMI).
In relatively few pages, Oppliger has provided background, introduction, and technical details of the SSL and TLS variants you are likely to encounter. The material is clear, well structured, and easily accessible. He has definitely enhanced the literature, not only of TLS, but also of security in general.
copyright Robert M. Slade, 2009 BKSSLTTP.RVW 20091129
The Russians obviously did not read my earlier posts on why longer passwords are often less secure than shorter ones.
So they forced their agents to use a 27-character password which was easily retrieved by the FBI… since it was written on a piece of paper.
The time it takes to break a 27-character password: a few hours (going through the post-it notes and paper scraps)
The time it takes to break an 8-character password: 242 Days (assuming uppercase/lowercase letters only, brute forcing 10,000 passwords per second).
We’ve got a new law coming up in Canada: C-32, otherwise known as DMCA-lite.
Lemme quote you a section:
29.22 (1) It is not an infringement of copyright for an individual to reproduce a work or other subject-matter or any substantial part of a work or other subject-matter if
(c) the individual, in order to make the reproduction, did not circumvent, as defined in section 41, a technological protection measure, as defined in that section, or cause one to be circumvented.
Now, of course, if you want to examine a virus, or other malware, you have to make a copy, right? So, if the virus writer has obfuscated the code, say by doing a little simple encryption, obviously he was trying to use a “technological protection measure, as defined in that section,” right? So, decrypting the file is illegal.
Of course, it’s been illegal in the US for some years, now …