๐”– Scriptorium
โœฆ   LIBER   โœฆ
๐Ÿ“

Network Security with OpenSSL: Cryptography for Secure Communications

โœ Scribed by John Viega; Matt Messier; Pravir Chandra

Publisher
O'Reilly Media
Year
2008
Tongue
English
Leaves
338
Category
Library
โฌ‡  Acquire This Volume

No coin nor oath required. For personal study only.

โœฆ Synopsis

Most applications these days are at least somewhat network aware, but how do you protect those applications against common network security threats? Many developers are turning to OpenSSL, an open source version of SSL/TLS, which is the most widely used protocol for secure network communications. The OpenSSL library is seeing widespread adoption for web sites that require cryptographic functions to protect a broad range of sensitive information, such as credit card numbers and other financial transactions. The library is the only free, full-featured SSL implementation for C and C++, and it can be used programmatically or from the command line to secure most TCP-based network protocols. Network Security with OpenSSL enables developers to use this protocol much more effectively. Traditionally, getting something simple done in OpenSSL could easily take weeks. This concise book gives you the guidance you need to avoid pitfalls, while allowing you to take advantage of the library?s advanced features. And, instead of bogging you down in the technical details of how SSL works under the hood, this book provides only the information that is necessary to use OpenSSL safely and effectively. In step-by-step fashion, the book details the challenges in securing network communications, and shows you how to use OpenSSL tools to best meet those challenges. As a system or network administrator, you will benefit from the thorough treatment of the OpenSSL command-line interface, as well as from step-by-step directions for obtaining certificates and setting up your own certification authority. As a developer, you will further benefit from the in-depth discussions and examples of how to use OpenSSL in your own programs. Although OpenSSL is written in C, information on how to use OpenSSL with Perl, Python and PHP is also included. OpenSSL may well answer your need to protect sensitive data. If that?s the case, Network Security with OpenSSL is the only guide available on the subject.

โœฆ Table of Contents

Network Security with OpenSSL.pdf
Table of Content
Dedication
Preface
About This Book
Conventions Used in This Book
Comments and Questions
Acknowledgments
Chapter 1. Introduction
1.1 Cryptography for the Rest of Us
1.1.1 Goals of Cryptography
1.1.2 Cryptographic Algorithms
1.1.2.1 Symmetric key encryption
Figure 1-1. Symmetric key cryptography
1.1.2.2 Public key encryption
Figure 1-2. Public key cryptography
1.1.2.3 Cryptographic hash functions and Message Authentication Codes
1.1.2.4 Digital signatures
1.2 Overview of SSL
Figure 1-3. An overview of direct communication in SSL
Figure 1-4. A man-in-the-middle attack
1.3 Problems with SSL
1.3.1 Efficiency
1.3.1.1 Cryptographic acceleration hardware
1.3.1.2 Load balancing
1.3.2 Keys in the Clear
1.3.3 Bad Server Credentials
1.3.4 Certificate Validation
1.3.5 Poor Entropy
1.3.6 Insecure Cryptography
1.4 What SSL Doesn't Do Well
1.4.1 Other Transport Layer Protocols
1.4.2 Non-Repudiation
1.4.3 Protection Against Software Flaws
1.4.4 General-Purpose Data Security
1.5 OpenSSL Basics
Example 1-1. Building and installing OpenSSL on a Unix system
1.6 Securing Third-Party Software
1.6.1 Server-Side Proxies
Figure 1-5. Stunnel proxies
Figure 1-6. Load balancing with Stunnel for cryptographic acceleration
1.6.2 Client-Side Proxies
Chapter 2. Command-Line Interface
2.1 The Basics
2.1.1 Configuration Files
Example 2-1. An excerpt from the default OpenSSL configuration file
2.2 Message Digest Algorithms
2.2.1 Examples
2.3 Symmetric Ciphers
2.3.1 Examples
2.4 Public Key Cryptography
2.4.1 Diffie-Hellman
2.4.1.1 Examples
2.4.2 Digital Signature Algorithm
2.4.2.1 Examples
2.4.3 RSA
2.4.3.1 Examples
2.5 S/MIME
2.5.1 Examples
2.6 Passwords and Passphrases
2.7 Seeding the Pseudorandom Number Generator
Chapter 3. Public Key Infrastructure (PKI)
3.1 Certificates
3.1.1 Certification Authorities
3.1.1.1 Private Certification Authorities
3.1.1.2 Public Certification Authorities
3.1.2 Certificate Hierarchies
3.1.3 Certificate Extensions
Table 3-1. Common bit settings for the keyUsage extension
Table 3-2. Purposes defined for the extKeyUsage extension
3.1.4 Certificate Revocation Lists
3.1.5 Online Certificate Status Protocol
3.2 Obtaining a Certificate
3.2.1 Personal Certificates
3.2.2 Code-Signing Certificates
3.2.3 Web Site Certificates
3.3 Setting Up a Certification Authority
3.3.1 Creating an Environment for Your Certification Authority
Example 3-1. Creating the CA's environment
3.3.2 Building an OpenSSL Configuration File
Example 3-2. A simple CA configuration definition
Example 3-3. Telling OpenSSL where to find our configuration file
3.3.3 Creating a Self-Signed Root Certificate
Example 3-4. Configuration file additions for generating a self-signed root certificate
Example 3-5. Output from generating a self-signed root certificate
the command output shown is incorrect (it shows a 1024 bit CA key, but given the
example and the configuration file, the key would in fact be 2048 bits)
3.3.4 Issuing Certificates
Example 3-6. Generating a certificate request
Example 3-7. The resulting certificate request
Example 3-8. Issuing a certificate from a certificate request
3.3.5 Revoking Certificates
Example 3-9. Revoking a certificate
Example 3-10. A certificate revocation list
Chapter 4. Support Infrastructure
4.1 Multithread Support
4.1.1 Static Locking Callbacks
Example 4-1. Static locking callbacks for WIN32 and POSIX threads systems
4.1.2 Dynamic Locking Callbacks
Example 4-2. E xtensions to the library to support the dynamic locking mechanism
4.2 Internal Error Handling
4.2.1 Manipulating Error Queues
Example 4-3. Accessing error information on the error queue
4.2.2 Human-Readable Error Messages
4.2.3 Threading and Practical Applications
4.3 Abstract Input/Output
4.3.1 Source/Sink BIOs
4.3.1.1 Memory sources/sinks
Example 4-4. Creating a memory BIO
4.3.1.2 File sources/sinks
Example 4-5. Creating a file BIO
4.3.1.3 Socket sources/sinks
Example 4-6. Creating a socket BIO
4.3.1.4 BIO pairs
Example 4-7. Creating BIO pairs
4.3.2 Filter BIOs
Example 4-8. Assembling and using a BIO chain
4.4 Random Number Generation
4.4.1 Seeding the PRNG
Example 4-9. Using RAND_load_file() and RAND_write_file()
Example 4-10. Seeding OpenSSL's PRNG with /dev/random
4.4.2 Using an Alternate Entropy Source
Example 4-11. Seeding OpenSSL's PRNG with EGADS
Example 4-12. Seeding OpenSSL's PRNG via an EGD socket
4.5 Arbitrary Precision Math
4.5.1 The Basics
Example 4-13. Creating, initializing, and destroying BIGNUMs
Example 4-14. The wrong way and the right way to copy a BIGNUM
Example 4-15. Converting between BIGNUM and binary representations
4.5.2 Mathematical Operations
Table 4-1. Arithmetic functions for BIGNUMs
4.5.3 Generating Prime Numbers
Example 4-16. Generating a pseudorandom prime number with BN_generate_prime()
4.6 Using Engines
Example 4-17. Enabling use of a hardware engine
Table 4-2. Supported hardware and software engines
Table 4-3. Flags for ENGINE_set_default
Chapter 5. SSL/TLS Programming
5.1 Programming with SSL
5.1.1 The Application(s) to Secure
Example 5-1. common.h
Example 5-2. common.c
Example 5-3. client.c
Example 5-4. The server application
5.1.2 Step 1: SSL Version Selection and Certificate Preparation
5.1.2.1 Background
Table 5-1. Functions to retrieve pointers to SSL_METHOD objects
5.1.2.2 Certificate preparation
5.1.2.3 Our example extended
Example 5-5. client1.c
Example 5-6. server1.c
5.1.3 Step 2: Peer Authentication
5.1.3.1 Background
5.1.3.2 Incorporating trusted certificates
5.1.3.3 Certificate verification
Example 5-7. A verify callback (implemented in common.c and prototyped in common.h)
5.1.3.4 Incorporating certificate revocation lists
5.1.3.5 Post-connection assertions
Example 5-8. A function to do post-connection assertions (implemented in common.c and prototyped in common.h)
5.1.3.6 Further extension of the examples
Example 5-9. client2.c
Example 5-10. server2.c
5.1.4 Step 3: SSL Options and Cipher Suites
5.1.4.1 Setting SSL options
5.1.4.2 Ephemeral keying
5.1.4.3 Cipher suite selection
5.1.4.4 The final product
Example 5-11. client3.c
Example 5-12. server3.c
5.1.4.5 Beyond the example
5.2 Advanced Programming with SSL
5.2.1 SSL Session Caching
5.2.1.1 Client-side SSL sessions
Example 5-13. Pseudocode for client-side caching
5.2.1.2 Server-side SSL sessions
5.2.1.3 An on-disk, session caching framework
Example 5-14. A framework for external session caching
5.2.2 I/O on SSL Connections
5.2.2.1 Reading and writing functions
Table 5-2. Return values of SSL_read and SSL_write
Table 5-3. Some common return values of SSL_get_error
Example 5-15. A sample I/O call template
5.2.2.2 Blocking I/O
5.2.2.3 Non-blocking I/O
Example 5-16. A sample non-blocking I/O loop
5.2.3 SSL Renegotiations
5.2.3.1 Implementing renegotiations
Example 5-17. Code fragment to force a renegotiation from a server
Example 5-18. Code to cause forced renegotiation in order to request stronger client authentication and distinguish the sessions
5.2.3.2 Renegotiations in 0.9.7
5.2.3.3 Further notes
Chapter 6. Symmetric Cryptography
6.1 Concepts in Symmetric Cryptography
6.1.1 Block Ciphers and Stream Ciphers
6.1.2 Basic Block Cipher Modes
6.2 Encrypting with the EVP API
6.2.1 Available Ciphers
6.2.1.1 AES
Table 6-1. Referencing the AES cipher (OpenSSL 0.9.7 only)
6.2.1.2 Blowfish
Table 6-2. Referencing the Blowfish cipher
6.2.1.3 CAST5
Table 6-3. Referencing the CAST5 cipher
6.2.1.4 DES
Table 6-4. Referencing standard DES
6.2.1.5 DESX
Table 6-5. Referencing DESX
6.2.1.6 Triple DES
Table 6-6. Referencing 3DES
6.2.1.7 IDEA
Table 6-7. Referencing IDEA
6.2.1.8 RC2?
Table 6-8. Referencing RC2
6.2.1.9 RC4?
Table 6-9. Referencing RC4
6.2.1.10 RC5?
Table 6-10. Referencing RC5
6.2.2 Initializing Symmetric Ciphers
Example 6-1. Preparing to use Blowfish in CBC mode for encryption
Example 6-2. Preparing to use Blowfish in CBC mode for decryption
6.2.3 Specifying Key Length and Other Options
6.2.4 Encryption
Example 6-3. Encrypting plaintext 100 bytes at a time
Example 6-4. Performing incremental encryption
6.2.5 Decryption
Example 6-5. Decrypting ciphertext
Example 6-6. Using the example encryption and decryption functions
6.2.6 Handling UDP Traffic with Counter Mode
Example 6-7. Encryption and decryption using counter mode
6.3 General Recommendations
Chapter 7. Hashes and MACs
7.1 Overview of Hashes and MACs
7.2 Hashing with the EVP API
Table 7-1. Message digests and the EVP interface
Example 7-1. Computing a hash value using the EVP API
Example 7-2. Printing the hexadecimal representation of a hash value
Example 7-3. Computing SHA1 hashes of files
7.3 Using MACs
Example 7-4. Computing a MAC with the HMAC function
Example 7-5. A binary comparison function
Example 7-6. Computing a MAC using HMAC_Init, HMAC_Update, and HMAC_Final
7.3.1 Other MACs
7.3.1.1 CBC-MAC
Example 7-7. cbcmac.h
Example 7-8. cbcmac.c
7.3.1.2 XCBC-MAC
Example 7-9. xcbcmac.h
Example 7-10. xcbcmac.c
7.3.1.3 XOR-MAC
7.3.1.4 UMAC
7.4 Secure HTTP Cookies
Example 7-11. Encrypting data for storage in a cookie
Example 7-12. Decrypting data stored in a cookie
Chapter 8. Public Key Algorithms
8.1 When to Use Public Key Cryptography
8.2 Diffie-Hellman
8.2.1 The Basics
8.2.2 Generating and Exchanging Parameters
8.2.3 Computing Shared Secrets
8.2.4 Practical Applications
8.2 Diffie-Hellman
8.2.1 The Basics
8.2.2 Generating and Exchanging Parameters
8.2.3 Computing Shared Secrets
8.2.4 Practical Applications
8.3 Digital Signature Algorithm (DSA)
8.3.1 The Basics
8.3.2 Generating Parameters and Keys
8.3.3 Signing and Verifying
8.3.4 Practical Applications
8.4 RSA
8.4.1 The Basics
8.4.2 Generating Keys
8.4.3 Data Encryption, Key Agreement, and Key Transport
8.4.4 Signing and Verifying
8.4.5 Practical Applications
8.5 The EVP Public Key Interface
8.5.1 Signing and Verifying
8.5.2 Encrypting and Decrypting
Example 8-1. Calling EVP_SealInit
8.6 Encoding and Decoding Objects
8.6.1 Writing and Reading DER-Encoded Objects
Example 8-2. DER-encoding an RSA public key
Example 8-3. DER-decoding an RSA public key
Table 8-1. Functions for reading and writing DER encodings of public key objects
Example 8-4. Reading and writing DER-encoded objects using the BIO and file functions
8.6.2 Writing and Reading PEM-Encoded Objects
Table 8-2. Functions for reading and writing PEM encodings of public key objects
Chapter 9. OpenSSL in Other Languages
9.1 Net::SSLeay for Perl
9.1.1 Net::SSLeay Variables
9.1.2 Net::SSLeay Error Handling
9.1.3 Net::SSLeay Utility Functions
9.1.4 Net::SSLeay Low-Level Bindings
9.2 M2Crypto for Python
9.2.1 Low-Level Bindings
9.2.2 High-Level Classes
9.2.2.1 M2Crypto.SSL
9.2.2.2 M2Crypto.BIO
9.2.2.3 M2Crypto.EVP
Example 9-1. Computing the cryptographic hash of data
Example 9-2. Encrypting and decrypting with a symmetric cipher
9.2.2.4 Miscellaneous crypto
9.2.3 Python Module Extensions
9.2.3.1 Extensions to httplib: httpslib
9.2.3.2 Extensions to urllib: m2urllib
9.2.3.3 Extensions to xmlrpclib: m2xmlrpclib
9.3 OpenSSL Support in PHP
9.3.1 General Functions
9.3.2 Certificate Functions
Table 9-1. Possible purpose values for openssl_x509_checkpurpose
Table 9-2. Keys for the array returned by openssl_x509_parse
9.3.3 Encryption and Signing Functions
9.3.4 PKCS#7 (S/MIME) Functions
Table 9-3. Flags: openssl_pkcs7_encrypt, openssl_pkcs7_sign, openssl_pkcs7_verify
Chapter 10. Advanced Programming Topics
10.1 Object Stacks
Example 10-1. Stack manipulation functions in generic form
10.2 Configuration Files
Example 10-2. A sample configuration file (testconf.cnf)
Example 10-3. Code to interact with the configuration file
Example 10-4. The declaration of CONF_VALUE
10.3 X.509
10.3.1 Generating Requests
10.3.1.1 Subject name
10.3.1.2 X.509 Version 3 extensions
10.3.1.3 Putting it all together
Example 10-5. A program to generate a certificate request
10.3.2 Making Certificates
Example 10-6. Creating a certificate from a request and CA credentials
10.3.3 X.509 Certificate Checking
Example 10-7. Verifying a client certificate
10.4 PKCS#7 and S/MIME
10.4.1 Signing and Verifying
Example 10-8. A signing and verifying utility
10.4.2 Encrypting and Decrypting
Example 10-9. A utility to encrypt and decrypt S/MIME messages
10.4.3 Combined Operations
10.4.4 PKCS#7 Flags
10.5 PKCS#12
10.5.1 Wrapping Information into a PKCS#12 Object
10.5.2 Importing Objects from PKCS#12 Data
Appendix A. Command-Line Reference
Options
Notes
Options
Configuration Options
Notes
Options
Notes
Options
Notes
Options
Notes
Options
Notes
Options
Notes
Options
Options
Notes
Options
Notes
Table A-1. Ciphers supported by the enc command
Option
Notes
Options
Notes
Options
Notes
Options
Notes
Options
Notes
Options
Notes
Options
Options
Options
Notes
Options
Configuration Options
Notes
Options
Notes
Options
Options
Notes
Options
Notes
Table A-2. Commands recognized by the server
Options
Options
Options
Notes
Notes
Options
Options
Notes
Options
General Options
Display Options
Trust Options
Signing Options
Name Options
Colophon

๐Ÿ“œ SIMILAR VOLUMES

Network Security with OpenSSL: Cryptogra
๐Ÿ“ Network Security with OpenSSL: Cryptography for Secure Communications
โœ Chandra, Pravir, Messier, Matt, Viega, John & Matt Messier & Pravir Chandra ๐Ÿ“‚ Library ๐Ÿ“… 2009 ๐Ÿ› O'Reilly Media, Inc ๐ŸŒ English

OpenSSL is a popular and effective open source version of SSL/TLS, the most widely used protocol for secure network communications. The only guide available on the subject, Network Security with OpenSSLdetails the challenges in securing network communications, and shows you how to use OpenSSL tools

Network Security with OpenSSL
๐Ÿ“ Network Security with OpenSSL
โœ John Viega, Matt Messier, Pravir Chandra ๐Ÿ“‚ Library ๐Ÿ“… 2002 ๐Ÿ› O'Reilly Media ๐ŸŒ English

I needed to use the SSL library for an isolated project at work, and the book worked out well as a roadmap. Knowing that I wanted to use the library to perform certain operations, this told me which functions needed to be used and in what way, using sample code and usually explanations that were as

Network Security with OpenSSL
๐Ÿ“ Network Security with OpenSSL
โœ John Viega, Matt Messier, Pravir Chandra ๐Ÿ“‚ Library ๐Ÿ“… 2002 ๐Ÿ› O'Reilly Media ๐ŸŒ English

OpenSSL is a free implementation of the SSL/TLS protocol, which is the most widely used protocol for secure network communications. This library can be used programmatically, and can be used from the command line to secure most TCP-based network protocols.OpenSSL is also a general-purpose cryptograp

Network Security with OpenSSL
๐Ÿ“ Network Security with OpenSSL
โœ John Viega, Matt Messier, Pravir Chandra ๐Ÿ“‚ Library ๐Ÿ“… 2002 ๐Ÿ› O'Reilly Media ๐ŸŒ English

I needed to use the SSL library for an isolated project at work, and the book worked out well as a roadmap. Knowing that I wanted to use the library to perform certain operations, this told me which functions needed to be used and in what way, using sample code and usually explanations that were as