BULLETPROOF SSL AND TLS
Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web Applications
Ivan Ristić
Free edition: Getting Started
Last update: Mon Apr 20 19:30:34 BST 2015 (build 592)
Table of Contents

Preface  xv
  Scope and Audience  xvi
  Contents  xvii
  SSL versus TLS  xix
  SSL Labs  xix
  Online Resources  xx
  Feedback  xxi
  About the Author  xxi
  Acknowledgments  xxi

1. SSL, TLS, and Cryptography  1
  Transport Layer Security  1
  Networking Layers  2
  Protocol History  3
  Cryptography  4
  Building Blocks  5
  Protocols  15
  Attacking Cryptography  16
  Measuring Strength  17
  Man-in-the-Middle Attack  18

2. Protocol  23
  Record Protocol  24
  Handshake Protocol  25
  Full Handshake  26
  Client Authentication  32
  Session Resumption  34
  Key Exchange  35
  RSA Key Exchange  38
  Diffie-Hellman Key Exchange  38
  Elliptic Curve Diffie-Hellman Key Exchange  40
  Authentication  41
  Encryption  42
  Stream Encryption  42
  Block Encryption  43
  Authenticated Encryption  44
  Renegotiation  45
  Application Data Protocol  47
  Alert Protocol  47
  Connection Closure  47
  Cryptographic Operations  48
  Pseudorandom Function  48
  Master Secret  48
  Key Generation  49
  Cipher Suites  49
  Extensions  52
  Application Layer Protocol Negotiation  53
  Certificate Transparency  53
  Elliptic Curve Capabilities  54
  Heartbeat  55
  Next Protocol Negotiation  56
  Secure Renegotiation  57
  Server Name Indication  57
  Session Tickets  58
  Signature Algorithms  59
  OCSP Stapling  59
  Protocol Limitations  60
  Differences between Protocol Versions  60
  SSL 3  60
  TLS 1.0  61
  TLS 1.1  61
  TLS 1.2  62

3. Public-Key Infrastructure  63
  Internet PKI  63
  Standards  65
  Certificates  66
  Certificate Fields  67
  Certificate Extensions  68
  Certificate Chains  71
  Relying Parties  72
  Certification Authorities  74
  Certificate Lifecycle  74
  Revocation  76
  Weaknesses  76
  Root Key Compromise  79
  Ecosystem Measurements  80
  Improvements  82

4. Attacks against PKI  87
  VeriSign Microsoft Code-Signing Certificate  87
  Thawte login.live.com  88
  StartCom Breach (2008)  89
  CertStar (Comodo) Mozilla Certificate  89
  RapidSSL Rogue CA Certificate  90
  Chosen-Prefix Collision Attack  92
  Construction of Colliding Certificates  92
  Predicting the Prefix  94
  What Happened Next  96
  Comodo Resellers Breaches  96
  StartCom Breach (2011)  98
  DigiNotar  99
  Public Discovery  99
  Fall of a Certification Authority  99
  Man-in-the-Middle Attacks  102
  ComodoHacker Claims Responsibility  103
  DigiCert Sdn. Bhd.  104
  Flame  105
  Flame against Windows Update  106
  Flame against Windows Terminal Services  107
  Flame against MD5  107
  TURKTRUST  109
  ANSSI  110
  Widespread SSL Interception  111
  Gogo  111
  Superfish and Friends  112

5. HTTP and Browser Issues  115
  Sidejacking  115
  Cookie Stealing  117
  Cookie Manipulation  118
  Understanding HTTP Cookies  119
  Cookie Manipulation Attacks  120
  Impact  124
  Mitigation  124
  SSL Stripping  125
  MITM Certificates  127
  Certificate Warnings  128
  Why So Many Invalid Certificates?  129
  Effectiveness of Certificate Warnings  131
  Click-Through Warnings versus Exceptions  132
  Mitigation  133
  Security Indicators  133
  Mixed Content  135
  Root Causes  136
  Impact  138
  Browser Treatment  138
  Prevalence of Mixed Content  140
  Mitigation  141
  Extended Validation Certificates  142
  Certificate Revocation  143
  Inadequate Client-Side Support  143
  Key Issues with Revocation-Checking Standards  144
  Certificate Revocation Lists  145
  Online Certificate Status Protocol  148

6. Implementation Issues  153
  Certificate Validation Flaws  154
  Library and Platform Validation Failures  154
  Application Validation Failures  157
  Hostname Validation Issues  158
  Random Number Generation  160
  Netscape Navigator (1994)  160
  Debian (2006)  161
  Insufficient Entropy on Embedded Devices  162
  Heartbleed  164
  Impact  165
  Mitigation  166
  FREAK  167
  Export Cryptography  168
  Attack  168
  Impact and Mitigation  171
  Protocol Downgrade Attacks  172
  Rollback Protection in SSL 3  173
  Interoperability Problems  174
  Voluntary Protocol Downgrade  176
  Rollback Protection in TLS 1.0 and Better  178
  Attacking Voluntary Protocol Downgrade  179
  Modern Rollback Defenses  179
  Truncation Attacks  181
  Truncation Attack History  182
  Cookie Cutting  182
  Deployment Weaknesses  184
  Virtual Host Confusion  185
  TLS Session Cache Sharing  186

7. Protocol Attacks  187
  Insecure Renegotiation  187
  Why Was Renegotiation Insecure?  188
  Triggering the Weakness  189
  Attacks against HTTP  190
  Attacks against Other Protocols  193
  Insecure Renegotiation Issues Introduced by Architecture  194
  Impact  194
  Mitigation  194
  Discovery and Remediation Timeline  195
  BEAST  197
  How the Attack Works  197
  Client-Side Mitigation  201
  Server-Side Mitigation  203
  History  204
  Impact  205
  Compression Side Channel Attacks  207
  How the Compression Oracle Works  207
  History of Attacks  209
  CRIME  210
  Mitigation of Attacks against TLS and SPDY  218
  Mitigation of Attacks against HTTP Compression  219
  Lucky 13  220
  What Is a Padding Oracle?  220
  Attacks against TLS  221
  Impact  222
  Mitigation  223
  RC4 Weaknesses  224
  Key Scheduling Weaknesses  224
  Early Single-Byte Biases  225
  Biases across the First 256 Bytes  226
  Double-Byte Biases  228
  Improved Attacks against Passwords  229
  Mitigation: RC4 versus BEAST, Lucky 13, and POODLE  229
  Triple Handshake Attack  230
  The Attack  231
  Impact  234
  Prerequisites  235
  Mitigation  236
  POODLE  237
  Practical Attack  240
  Impact  241
  Mitigation  242
  Bullrun  243
  Dual Elliptic Curve Deterministic Random Bit Generator  244

8. Deployment  247
  Key  247
  Key Algorithm  247
  Key Size  248
  Key Management  249
  Certificate  250
  Certificate Type  250
  Certificate Hostnames  251
  Certificate Sharing  251
  Signature Algorithm  252
  Certificate Chain  253
  Revocation  254
  Choosing the Right Certificate Authority  254
  Protocol Configuration  255
  Cipher Suite Configuration  256
  Server Cipher Suite Preference  256
  Cipher Strength  257
  Forward Secrecy  257
  Performance  258
  Interoperability  258
  Server Configuration and Architecture  259
  Shared Environments  259
  Virtual Secure Hosting  259
  Session Caching  260
  Complex Architectures  260
  Issue Mitigation  262
  Renegotiation  262
  BEAST (HTTP)  262
  CRIME (HTTP)  262
  Lucky 13  263
  RC4  263
  TIME and BREACH (HTTP)  264
  Triple Handshake Attack  265
  Heartbleed  265
  Pinning  266
  HTTP  266
  Making Full Use of Encryption  266
  Cookie Security  267
  Backend Certificate and Hostname Validation  267
  HTTP Strict Transport Security  267
  Content Security Policy  268
  Protocol Downgrade Protection  268

9. Performance Optimization  269
  Latency and Connection Management  270
  TCP Optimization  271
  Connection Persistence  272
  SPDY, HTTP 2.0, and Beyond  274
  Content Delivery Networks  275
  TLS Protocol Optimization  277
  Key Exchange  277
  Certificates  281
  Revocation Checking  282
  Session Resumption  283
  Transport Overhead  284
  Symmetric Encryption  286
  TLS Record Buffering Latency  288
  Interoperability  290
  Hardware Acceleration  290
  Denial of Service Attacks  291
  Key Exchange and Encryption CPU Costs  292
  Client-Initiated Renegotiation  293
  Optimized TLS Denial of Service Attacks  293

10. HSTS, CSP, and Pinning  295
  HTTP Strict Transport Security  295
  Configuring HSTS  296
  Ensuring Hostname Coverage  297
  Cookie Security  298
  Attack Vectors  299
  Robust Deployment Checklist  300
  Browser Support  302
  Privacy Implications  303
  Content Security Policy  303
  Preventing Mixed Content Issues  304
  Policy Testing  305
  Reporting  306
  Browser Support  306
  Pinning  307
  What to Pin?  308
  Where to Pin?  309
  Should You Use Pinning?  310
  Pinning in Native Applications  311
  Chrome Public Key Pinning  312
  Microsoft Enhanced Mitigation Experience Toolkit  314
  Public Key Pinning Extension for HTTP  314
  DANE  316
  Trust Assertions for Certificate Keys (TACK)  320
  Certification Authority Authorization  321

11. OpenSSL  323
  Getting Started  324
  Determine OpenSSL Version and Configuration  324
  Building OpenSSL  325
  Examine Available Commands  326
  Building a Trust Store  328
  Key and Certificate Management  329
  Key Generation  330
  Creating Certificate Signing Requests  333
  Creating CSRs from Existing Certificates  335
  Unattended CSR Generation  335
  Signing Your Own Certificates  336
  Creating Certificates Valid for Multiple Hostnames  336
  Examining Certificates  337
  Key and Certificate Conversion  340
  Configuration  343
  Cipher Suite Selection  343
  Performance  355
  Creating a Private Certification Authority  358
  Features and Limitations  358
  Creating a Root CA  359
  Creating a Subordinate CA  365

12. Testing with OpenSSL  369
  Connecting to SSL Services  369
  Testing Protocols that Upgrade to SSL  374
  Using Different Handshake Formats  374
  Extracting Remote Certificates  374
  Testing Protocol Support  375
  Testing Cipher Suite Support  376
  Testing Servers that Require SNI  377
  Testing Session Reuse  377
  Checking OCSP Revocation  379
  Testing OCSP Stapling  381
  Checking CRL Revocation  382
  Testing Renegotiation  384
  Testing for the BEAST Vulnerability  386
  Testing for Heartbleed  387

13. Configuring Apache  391
  Installing Apache with Static OpenSSL  392
  Enabling TLS  393
  Configuring TLS Protocol  394
  Configuring Keys and Certificates  395
  Configuring Multiple Keys  396
  Wildcard and Multisite Certificates  397
  Virtual Secure Hosting  398
  Reserving Default Sites for Error Messages  400
  Forward Secrecy  401
  OCSP Stapling  402
  Configuring OCSP Stapling  402
  Handling Errors  403