Rescorla begins with a rapid introduction to security and cryptography and a brief history of SSL protocols (TLS or Transport Layer Security is the IETF-endorsed version). Two chapters then describe SSL itself, the first covering server authentication using RSA (the original motivation for SSL and still by far its most common use) and the second covering other algorithms (Kerberos, FORTEZZA) and modes such as client authentication and session resumption.
The remaining chapters cover specialized topics. A chapter on security looks at protecting keys, random-number generation, certificate chain verification, and some of the known attacks on SSL, such as timing cryptanalysis and the "million message attack." A chapter on performance explains the basic problem (cryptography is expensive), then goes into the details of variations with algorithm and mode (and language, with C recommended over Java) and the use of hardware acceleration. There is also a chapter on designing with SSL and one on coding (and Appendix A has 40-odd pages of sample code).
Two chapters consider special issues with running HTTP over SSL (HTTPS) and SMTP over TLS. Issues with HTTP include reference integrity (ensuring the client is talking to the server it thinks it's talking to), virtual hosts, proxies, and downgrade attacks. With SMTP, relaying introduces major complications. A final chapter looks at some alternative approaches, most importantly IPsec, Secure HTTP, and S/MIME. This material provides some interesting examples of interaction between complex protocols.
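As an added illustration of the reference-integrity problem mentioned for HTTPS (example code written for this review, not from the book), the following Python implements the name-matching step a client performs after the certificate chain has verified: the name the user asked for is compared against the certificate's subjectAltName entries, with the CN used only as a fallback. The certificate identities are passed in as already-parsed lists (constructed input); the wildcard rules follow RFC 2818 and RFC 6125.

```python
import ipaddress
from typing import List, Optional


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if certificate name `pattern` (a dNSName SAN or the CN
    fallback) identifies `hostname`. A wildcard must be the entire leftmost
    label and matches exactly one label, so "*.example.com" covers
    "www.example.com" but neither "example.com" nor "a.b.example.com"."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Reject "*.com"-style wildcards and any label-count mismatch.
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    # "*" must be the whole leftmost label; no wildcards elsewhere.
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def reference_identity_ok(expected: str, san_dns: List[str],
                          san_ip: List[str], common_name: Optional[str]) -> bool:
    """Check the identity the client intended to reach against the certificate:
    IP literals are matched only against iPAddress SANs, DNS names only against
    dNSName SANs, and the CN is consulted only when no dNSName SAN is present."""
    try:
        wanted_ip = ipaddress.ip_address(expected)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        for s in san_ip:
            try:
                if ipaddress.ip_address(s) == wanted_ip:
                    return True
            except ValueError:
                continue  # a malformed iPAddress entry never matches
        return False
    if san_dns:
        return any(hostname_matches(p, expected) for p in san_dns)
    return common_name is not None and hostname_matches(common_name, expected)
```

Without this step a certificate that chains to a trusted root but names some other host would still be accepted, which is exactly the gap reference integrity closes.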
Thanks to Timothy Lord for suggestions for this review.
-- Danny Yee (editor@dannyreviews.com)