Network Security with OpenSSL

This document was uploaded by one of our users. The uploader already confirmed that they had the permission to publish it. If you are author/publisher or own the copyright of this documents, please report to us by using this DMCA report form.

Simply click on the Download Book button.

Yes, Book downloads on Ebookily are 100% Free.

Sometimes the book is free on Amazon As well, so go ahead and hit "Search on Amazon"

I needed to use the SSL library for an isolated project at work, and the book worked out well as a roadmap. Knowing that I wanted to use the library to perform certain operations, this told me which functions needed to be used and in what way, using sample code and usually explanations that were as clear as I would expect, given the Byzantine nature of the underlying subject matter.

Author(s): John Viega, Matt Messier, Pravir Chandra
Edition: 1
Publisher: O'Reilly Media
Year: 2002

Language: English
Commentary: +OCR
Pages: 338

Cover......Page 1
Table of Content......Page 2
Preface......Page 7
About This Book......Page 8
Conventions Used in This Book......Page 10
Acknowledgments......Page 11
1.1 Cryptography for the Rest of Us......Page 13
1.1.1 Goals of Cryptography......Page 14
1.1.2 Cryptographic Algorithms......Page 15
1.1.2.1 Symmetric key encryption......Page 16
1.1.2.2 Public key encryption......Page 17
1.1.2.3 Cryptographic hash functions and Message Authentication Codes......Page 19
1.2 Overview of SSL......Page 20
1.3.1 Efficiency......Page 22
1.3.2 Keys in the Clear......Page 23
1.3.3 Bad Server Credentials......Page 24
1.3.4 Certificate Validation......Page 25
1.3.5 Poor Entropy......Page 26
1.3.6 Insecure Cryptography......Page 27
1.4.3 Protection Against Software Flaws......Page 28
1.5 OpenSSL Basics......Page 29
1.6 Securing Third-Party Software......Page 30
1.6.1 Server-Side Proxies......Page 31
1.6.2 Client-Side Proxies......Page 33
2.1.1 Configuration Files......Page 35
Example 2-1. An excerpt from the default OpenSSL configuration file......Page 36
2.2 Message Digest Algorithms......Page 37
2.2.1 Examples......Page 38
2.3 Symmetric Ciphers......Page 39
2.4 Public Key Cryptography......Page 40
2.4.2 Digital Signature Algorithm......Page 41
2.4.2.1 Examples......Page 42
2.4.3.1 Examples......Page 43
2.5 S/MIME......Page 44
2.6 Passwords and Passphrases......Page 45
2.7 Seeding the Pseudorandom Number Generator......Page 47
3.1 Certificates......Page 49
3.1.1.1 Private Certification Authorities......Page 50
3.1.2 Certificate Hierarchies......Page 51
Table 3-1. Common bit settings for the keyUsage extension......Page 52
3.1.4 Certificate Revocation Lists......Page 53
3.1.5 Online Certificate Status Protocol......Page 55
3.2 Obtaining a Certificate......Page 56
3.2.1 Personal Certificates......Page 57
3.2.2 Code-Signing Certificates......Page 58
3.3 Setting Up a Certification Authority......Page 59
3.3.1 Creating an Environment for Your Certification Authority......Page 60
3.3.2 Building an OpenSSL Configuration File......Page 61
3.3.3 Creating a Self-Signed Root Certificate......Page 62
3.3.4 Issuing Certificates......Page 65
3.3.5 Revoking Certificates......Page 69
4.1 Multithread Support......Page 72
4.1.1 Static Locking Callbacks......Page 73
4.1.2 Dynamic Locking Callbacks......Page 75
4.2.1 Manipulating Error Queues......Page 78
4.2.2 Human-Readable Error Messages......Page 80
4.3 Abstract Input/Output......Page 82
4.3.1.2 File sources/sinks......Page 87
4.3.1.3 Socket sources/sinks......Page 88
4.3.1.4 BIO pairs......Page 90
4.3.2 Filter BIOs......Page 91
4.4 Random Number Generation......Page 92
4.4.1 Seeding the PRNG......Page 93
4.4.2 Using an Alternate Entropy Source......Page 96
4.5 Arbitrary Precision Math......Page 97
4.5.1 The Basics......Page 98
4.5.2 Mathematical Operations......Page 100
4.5.3 Generating Prime Numbers......Page 101
4.6 Using Engines......Page 103
5.1.1 The Application(s) to Secure......Page 105
5.1.2 Step 1: SSL Version Selection and Certificate Preparation......Page 109
5.1.2.1 Background......Page 110
5.1.2.2 Certificate preparation......Page 111
5.1.2.3 Our example extended......Page 113
5.1.3.2 Incorporating trusted certificates......Page 119
5.1.3.3 Certificate verification......Page 120
5.1.3.5 Post-connection assertions......Page 123
5.1.3.6 Further extension of the examples......Page 127
5.1.4 Step 3: SSL Options and Cipher Suites......Page 131
5.1.4.2 Ephemeral keying......Page 132
5.1.4.3 Cipher suite selection......Page 133
5.1.4.4 The final product......Page 134
5.1.4.5 Beyond the example......Page 136
5.2 Advanced Programming with SSL......Page 137
5.2.1.1 Client-side SSL sessions......Page 138
5.2.1.2 Server-side SSL sessions......Page 139
5.2.1.3 An on-disk, session caching framework......Page 140
5.2.2.1 Reading and writing functions......Page 142
5.2.2.3 Non-blocking I/O......Page 144
5.2.3 SSL Renegotiations......Page 150
5.2.3.1 Implementing renegotiations......Page 151
5.2.3.3 Further notes......Page 153
6.1.1 Block Ciphers and Stream Ciphers......Page 155
6.1.2 Basic Block Cipher Modes......Page 156
6.2.1 Available Ciphers......Page 157
6.2.1.3 CAST5......Page 158
6.2.1.6 Triple DES......Page 159
6.2.1.9 RC4?......Page 160
6.2.2 Initializing Symmetric Ciphers......Page 161
6.2.3 Specifying Key Length and Other Options......Page 164
6.2.4 Encryption......Page 166
6.2.5 Decryption......Page 169
6.2.6 Handling UDP Traffic with Counter Mode......Page 170
6.3 General Recommendations......Page 173
7.1 Overview of Hashes and MACs......Page 174
7.2 Hashing with the EVP API......Page 175
7.3 Using MACs......Page 180
7.3.1.1 CBC-MAC......Page 184
7.3.1.2 XCBC-MAC......Page 187
7.4 Secure HTTP Cookies......Page 191
8.1 When to Use Public Key Cryptography......Page 196
8.2 Diffie-Hellman......Page 197
8.2.2 Generating and Exchanging Parameters......Page 198
8.2.3 Computing Shared Secrets......Page 200
8.2.1 The Basics......Page 202
8.2.2 Generating and Exchanging Parameters......Page 203
8.2.3 Computing Shared Secrets......Page 205
8.2.4 Practical Applications......Page 206
8.3.1 The Basics......Page 207
8.3.2 Generating Parameters and Keys......Page 208
8.3.3 Signing and Verifying......Page 209
8.3.4 Practical Applications......Page 211
8.4.2 Generating Keys......Page 212
8.4.3 Data Encryption, Key Agreement, and Key Transport......Page 213
8.4.4 Signing and Verifying......Page 215
8.5 The EVP Public Key Interface......Page 217
8.5.1 Signing and Verifying......Page 218
8.5.2 Encrypting and Decrypting......Page 221
8.6 Encoding and Decoding Objects......Page 225
8.6.1 Writing and Reading DER-Encoded Objects......Page 226
8.6.2 Writing and Reading PEM-Encoded Objects......Page 228
9.1 Net::SSLeay for Perl......Page 232
9.1.1 Net::SSLeay Variables......Page 233
9.1.3 Net::SSLeay Utility Functions......Page 234
9.2 M2Crypto for Python......Page 237
9.2.2.1 M2Crypto.SSL......Page 238
9.2.2.2 M2Crypto.BIO......Page 239
9.2.2.3 M2Crypto.EVP......Page 240
9.2.2.4 Miscellaneous crypto......Page 242
9.2.3.1 Extensions to httplib: httpslib......Page 243
9.2.3.3 Extensions to xmlrpclib: m2xmlrpclib......Page 244
9.3.1 General Functions......Page 245
9.3.2 Certificate Functions......Page 246
9.3.3 Encryption and Signing Functions......Page 248
9.3.4 PKCS#7 (S/MIME) Functions......Page 250
10.1 Object Stacks......Page 253
10.2 Configuration Files......Page 254
10.3 X.509......Page 257
10.3.1.2 X.509 Version 3 extensions......Page 258
10.3.1.3 Putting it all together......Page 259
10.3.2 Making Certificates......Page 262
10.3.3 X.509 Certificate Checking......Page 267
10.4.1 Signing and Verifying......Page 271
10.4.2 Encrypting and Decrypting......Page 276
10.4.4 PKCS#7 Flags......Page 279
10.5.1 Wrapping Information into a PKCS#12 Object......Page 280
10.5.2 Importing Objects from PKCS#12 Data......Page 281
Appendix A. Command-Line Reference......Page 282
Colophon......Page 338