[File attributes]:
File name: Bulletproof SSL and TLS, PDF, Ivan Ristic
File size: 7.22 MB
File format: PDF
Updated: 2020-10-17 08:41:13
SSL TLS
Bulletproof SSL and TLS
by Ivan Ristić
Table of Contents
Preface xv
Scope and Audience xvi
Contents xvii
SSL versus TLS xix
SSL Labs xix
Online Resources xx
Feedback xxi
About the Author xxi
Acknowledgments xxi
1. SSL, TLS, and Cryptography 1
Transport Layer Security 1
Networking Layers 2
Protocol History 3
Cryptography 4
Building Blocks 5
Protocols 15
Attacking Cryptography 16
Measuring Strength 17
Man-in-the-Middle Attack 18
2. Protocol 23
Record Protocol 24
Handshake Protocol 25
Full Handshake 26
Client Authentication 32
Session Resumption 34
Key Exchange 35
RSA Key Exchange 38
Diffie-Hellman Key Exchange 38
Elliptic Curve Diffie-Hellman Key Exchange 40
Authentication 41
Encryption 42
Stream Encryption 42
Block Encryption 43
Authenticated Encryption 44
Renegotiation 45
Application Data Protocol 47
Alert Protocol 47
Connection Closure 47
Cryptographic Operations 48
Pseudorandom Function 48
Master Secret 48
Key Generation 49
Cipher Suites 49
Extensions 52
Application Layer Protocol Negotiation 53
Certificate Transparency 53
Elliptic Curve Capabilities 54
Heartbeat 55
Next Protocol Negotiation 56
Secure Renegotiation 57
Server Name Indication 57
Session Tickets 58
Signature Algorithms 59
OCSP Stapling 59
Protocol Limitations 60
Differences between Protocol Versions 60
SSL 3 60
TLS 1.0 61
TLS 1.1 61
TLS 1.2 61
3. Public-Key Infrastructure 63
Internet PKI 63
Standards 65
Certificates 66
Certificate Fields 67
Certificate Extensions 68
Certificate Chains 71
Relying Parties 72
Certification Authorities 74
Certificate Lifecycle 74
Revocation 76
Weaknesses 76
Root Key Compromise 79
Ecosystem Measurements 80
Improvements 82
4. Attacks against PKI 87
VeriSign Microsoft Code-Signing Certificate 87
Thawte login.live.com 88
StartCom Breach (2008) 89
CertStar (Comodo) Mozilla Certificate 89
RapidSSL Rogue CA Certificate 90
Chosen-Prefix Collision Attack 92
Construction of Colliding Certificates 92
Predicting the Prefix 94
What Happened Next 96
Comodo Resellers Breaches 96
StartCom Breach (2011) 98
DigiNotar 99
Public Discovery 99
Fall of a Certification Authority 99
Man-in-the-Middle Attacks 102
ComodoHacker Claims Responsibility 103
DigiCert Sdn. Bhd. 104
Flame 105
Flame against Windows Update 106
Flame against Windows Terminal Services 107
Flame against MD5 107
TURKTRUST 109
ANSSI 110
5. HTTP and Browser Issues 113
Sidejacking 113
Cookie Stealing 115
Cookie Manipulation 116
Understanding HTTP Cookies 117
Cookie Manipulation Attacks 118
Impact 122
Mitigation 122
SSL Stripping 123
MITM Certificates 125
Certificate Warnings 126
Why So Many Invalid Certificates? 127
Effectiveness of Certificate Warnings 129
Click-Through Warnings versus Exceptions 130
Mitigation 131
Security Indicators 131
Mixed Content 133
Root Causes 134
Impact 136
Browser Treatment 136
Prevalence of Mixed Content 138
Mitigation 139
Extended Validation Certificates 140
Certificate Revocation 141
Inadequate Client-Side Support 141
Key Issues with Revocation-Checking Standards 142
Certificate Revocation Lists 143
Online Certificate Status Protocol 146
6. Implementation Issues 151
Certificate Validation Flaws 152
Library and Platform Validation Failures 152
Application Validation Failures 155
Hostname Validation Issues 156
Random Number Generation 158
Netscape Navigator (1994) 158
Debian (2006) 159
Insufficient Entropy on Embedded Devices 160
Heartbleed 162
Impact 163
Mitigation 164
Protocol Downgrade Attacks 165
Rollback Protection in SSL 3 165
Interoperability Problems 167
Voluntary Protocol Downgrade 169
Rollback Protection in TLS 1.0 and Better 171
Attacking Voluntary Protocol Downgrade 172
Modern Rollback Defenses 172
Truncation Attacks 173
Truncation Attack History 175
Cookie Cutting 175
Deployment Weaknesses 177
Virtual Host Confusion 177
TLS Session Cache Sharing 178
7. Protocol Attacks 181
Insecure Renegotiation 181
Why Was Renegotiation Insecure? 182
Triggering the Weakness 183
Attacks against HTTP 184
Attacks against Other Protocols 187
Insecure Renegotiation Issues Introduced by Architecture 188
Impact 188
Mitigation 188
Discovery and Remediation Timeline 189
BEAST 191
How the Attack Works 191
Client-Side Mitigation 195
Server-Side Mitigation 197
History 198
Impact 199
Compression Side Channel Attacks 201
How the Compression Oracle Works 201
History of Attacks 203
CRIME 204
Mitigation of Attacks against TLS and SPDY 212
Mitigation of Attacks against HTTP Compression 213
Padding Oracle Attacks 214
What Is a Padding Oracle? 214
Attacks against TLS 215
Impact 216
Mitigation 217
RC4 Weaknesses 218
Key Scheduling Weaknesses 218
Early Single-Byte Biases 219
Biases across the First 256 Bytes 220
Double-Byte Biases 222
Mitigation: RC4 versus BEAST and Lucky 13 222
Triple Handshake Attack 224
The Attack 224
Impact 229
Prerequisites 230
Mitigation 231
Bullrun 232
Dual Elliptic Curve Deterministic Random Bit Generator 232
8. Deployment 235
Key 235
Key Algorithm 235
Key Size 236
Key Management 237
Certificate 238
Certificate Type 238
Certificate Hostnames 239
Certificate Sharing 239
Signature Algorithm 240
Certificate Chain 240
Revocation 241
Choosing the Right Certificate Authority 241
Protocol Configuration 243
Cipher Suite Configuration 244
Server cipher suite preference 244
Cipher Strength 244
Forward Secrecy 244
Performance 245
Interoperability 246
Server Configuration and Architecture 246
Shared Environments 246
Virtual Secure Hosting 247
Session Caching 247
Complex Architectures 248
Issue Mitigation 249
Renegotiation 249
BEAST (HTTP) 249
CRIME (HTTP) 250
Lucky 13 250
RC4 250
TIME and BREACH (HTTP) 251
Triple Handshake Attack 252
Heartbleed 252
Pinning 253
HTTP 253
Making Full Use of Encryption 253
Cookie Security 254
Backend Certificate and Hostname Validation 254
HTTP Strict Transport Security 254
Content Security Policy 255
Protocol Downgrade Protection 255
9. Performance Optimization 257
Latency and Connection Management 258
TCP Optimization 259
Connection Persistence 260
SPDY, HTTP 2.0, and Beyond 262
Content Delivery Networks 263
TLS Protocol Optimization 265
Key Exchange 265
Certificates 270
Revocation Checking 271
Session Resumption 272
Transport Overhead 273
Symmetric Encryption 275
TLS Record Buffering Latency 277
Interoperability 279
Hardware Acceleration 279
Denial of Service Attacks 280
Key Exchange and Encryption CPU Costs 281
Client-Initiated Renegotiation 282
Optimized TLS Denial of Service Attacks 282
10. HSTS, CSP, and Pinning 285
HTTP Strict Transport Security 285
Configuring HSTS 286
Ensuring Hostname Coverage 287
Cookie Security 288
Attack Vectors 289
Robust Deployment Checklist 290
Browser Support 291
Privacy Implications 293
Content Security Policy 293
Preventing Mixed Content Issues 294
Policy Testing 295
Reporting 295
Browser Support 296
Pinning 296
What to Pin? 297
Where to Pin? 299
Should You Use Pinning? 300
Pinning in Native Applications 300
Chrome Public Key Pinning 301
Microsoft Enhanced Mitigation Experience Toolkit 303
Public Key Pinning Extension for HTTP 303
DNS-Based Authentication of Named Entities (DANE) 305
Trust Assertions for Certificate Keys (TACK) 309
Certification Authority Authorization 310
11. OpenSSL Cookbook 313
Getting Started 314
Determine OpenSSL Version and Configuration 314
Building OpenSSL 315
Examine Available Commands 316
Building a Trust Store 318
Key and Certificate Management 319
Key Generation 320
Creating Certificate Signing Requests 323
Creating CSRs from Existing Certificates 325
Unattended CSR Generation 325
Signing Your Own Certificates 326
Creating Certificates Valid for Multiple Hostnames 326
Examining Certificates 327
Key and Certificate Conversion 330
Configuration 333
Cipher Suite Selection 333
Performance 345
Creating a Private Certification Authority 348
Features and Limitations 348
Creating a Root CA 349
Creating a Subordinate CA 355
12. Testing with OpenSSL 359
Connecting to SSL Services 359
Testing Protocols that Upgrade to SSL 363
Using Different Handshake Formats 363
Extracting Remote Certificates 364
Testing Protocol Support 365
Testing Cipher Suite Support 366
Testing Servers that Require SNI 366
Testing Session Reuse 367
Checking OCSP Revocation 368
Testing OCSP Stapling 371
Checking CRL Revocation 371
Testing Renegotiation 373
Testing for the BEAST Vulnerability 375
Testing for Heartbleed 376
13. Configuring Apache 381
Installing Apache with Static OpenSSL 382
Enabling TLS 383
Configuring TLS Protocol 384
Configuring Keys and Certificates 385
Configuring Multiple Keys 386
Wildcard and Multisite Certificates 387
Virtual Secure Hosting 388
Reserving Default Sites for Error Messages 390
Forward Secrecy 391
OCSP Stapling 392
Configuring OCSP Stapling 392
Handling Errors 393
Using a Custom OCSP Responder 394
Configuring Ephemeral DH Key Exchange 394
TLS Session Management 395
Standalone Session Cache 395
Standalone Session Tickets 396
Distributed Session Caching 396
Distributed Session Tickets 398
Disabling Session Tickets 399
Client Authentication 400
Mitigating Protocol Issues 401
Insecure Renegotiation 402
BEAST 402
CRIME 402
Deploying HTTP Strict Transport Security 403
Monitoring Session Cache Status 403
Logging Negotiated TLS Parameters 404
Advanced Logging with mod_sslhaf 406
14. Configuring Java and Tomcat 409
Java Cryptography Components 409
Strong and Unlimited Encryption 410
Provider Configuration 411
Features Overview 411
Protocol Vulnerabilities 412
Interoperability Issues 413
Tuning via Properties 414
Common Error Messages 417
Securing Java Web Applications 420
Common Keystore Operations 425
Tomcat 430
Configuring TLS Handling 434
JSSE Configuration 436
APR and OpenSSL Configuration 439
15. Configuring Microsoft Windows and IIS 443
Schannel 443
Features Overview 443
Protocol Vulnerabilities 445
Interoperability Issues 446
Microsoft Root Certificate Program 448
Managing System Trust Stores 448
Importing a Trusted Certificate 449
Blacklisting Trusted Certificates 449
Disabling the Auto-Update of Root Certificates 449
Configuration 450
Schannel Configuration 450
Cipher Suite Configuration 452
Key and Signature Restrictions 454
Configuring Renegotiation 460
Configuring Session Caching 461
Monitoring Session Caching 462
FIPS 140-2 463
Third-Party Utilities 465
Securing ASP.NET Web Applications 466
Enforcing SSL Usage 466
Securing Cookies 467
Securing Session Cookies and Forms Authentication 467
Deploying HTTP Strict Transport Security 468
Internet Information Server 469
Managing Keys and Certificates 470
16. Configuring Nginx 477
Installing Nginx with Static OpenSSL 478
Enabling TLS 478
Configuring TLS Protocol 479
Configuring Keys and Certificates 479
Configuring Multiple Keys 480
Wildcard and Multisite Certificates 480
Virtual Secure Hosting 481
Reserving Default Sites for Error Messages 482
Forward Secrecy 483
OCSP Stapling 483
Configuring OCSP Stapling 484
Using a Custom OCSP Responder 485
Manual Configuration of OCSP Responses 485
Configuring Ephemeral DH Key Exchange 486
Configuring Ephemeral ECDH Key Exchange 487
TLS Session Management 488
Standalone Session Cache 488
Standalone Session Tickets 488
Distributed Session Cache 489
Distributed Session Tickets 489
Disabling Session Tickets 491
Client Authentication 491
Mitigating Protocol Issues 492
Insecure Renegotiation 492
BEAST 492
CRIME 493
Deploying HTTP Strict Transport Security 493
Tuning TLS Buffers 494
Logging 494
17. Summary 497
User comments
- This is the 2014 edition; the author revised it in 2015 and 2017.