HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)

所需积分/C币:21 2016-12-14 11:20:44 7.20MB PDF
8
收藏 收藏
举报


Bulletproof SsL and tls by Ivan Ristic Copyright@ 2014 Feisty Duck Limited. All rights reserved Published in august 2014 ISBN:978-1-907117-04-6 Feisty Duck Limited www.feistyduck.com contact@feistyduck.com addresss 6 Acantha court Montpelier road London w5 2QP United Kingdom Production editor: Jelena Giric-Ristic Copyeditor: Melinda rankin All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, without the prior permission in writing of the publisher The author and publisher have taken care in preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in con nection with or arising out of the use of the information or programs contained herein Feisty duck Digital Book distribution vw.feistyduck.com Licensed for the exclusive use of Richard Fussenegger <fleshgrinder @gmxat> Table of contents Preface Scope and audience Contents XV SSL versus tls Online resources Feedback About the auth Acknowledgments 1.SSL, TLS, and Cryptography Transport Layer Security Networking layers Protocol histor Cryptography Building blocks Protocols Attacking Cryptography 16 Measuring strength Man-in-the-Middle attack 18 2. Protocol 23 Record proto 24 Handshake protocol 25 Full handshake 26 Client authentication Session resumption 34 Key Exchange RSA Key exchange 38 Diffie-Hellman Key exch Elliptic Curve Diffie-Hellman Key Exchange 40 Authentication 41 Encryption 42 Stream Encryption Block encryptio Authenticated Encryption 44 Renegotiate Application Data protocol 47 Alert protocol Connection closure 47 Cryptographic Operations 48 Pseudorandom function Master secret Cipher Suite 49 Extensions Application layer protocol Negotiation Certificate Transparency Elliptic Curve capabilities Heartbeat Next protocol Negotiation 56 Secure Renegotiation 57 Server name indication 57 Tickets Signature algorithms OCSP Stapling Protocol limitations Differences between protocol versions TLS 1.0 TLS 1.1 TLS 1.2 3. Public-Key Infrastructure 63 Internet pKi Standards Certificate 66 Certificate fields 67 Certificate extensions 68 Certificate chains 71 Relying pa 72 Certification authorities Certificate lifecycle Revocation Weaknesses Root Key compromise 46690 Ecosystem Measurements Improvements 4. Attacks against PKI 87 Verisign microsoft Code-Signing Certificate Thawteloginlive.com StartCom Breach(2008 CertStar(Comodo)Mozilla certificate Rapidssl rogue CA certificate 88892 Chosen-Prefix collision attack Construction of Colliding Certificates Predicting the prefiⅸx What happened Next Comodo resellers breaches StartCom Breach(2011) Diginota Public Discovery Fall of a certification authority Man-in-the-Middle attacks Comodohacker claims responsibili DigiCert sdn. bhd Flame Flame against Windows Update Flame against Windows Terminal Services Flame against MD5 TURKTRUST 109 5. Http and browser issues 13 Sidejacking 113 Cookie stealing Cookie Manipulation Understanding httP Cookies Cookie manipulation attacks 118 npa Mitigation 122 eSL Stripping 123 MITM Certificates 125 Certificate Warnings 126 Why So Many Invalid Certificates? Effectiveness of Certificate Warnings Click-Through Warnings versus Exceptions Mitigation Security Indicators 131 Mixed Content Root causes 134 Impact Browser treatment Prevalence of mixed content 668 Mitigation Extended validation certificates 140 Certificate revocation 141 Inadequate client-Side support 141 Key Issues with Revocation-Checking Standards 142 Certificate revocation lists Online certificate status protocol 146 6. Implementation Issues.......................... ..151 Certificate validation flaws 152 Library and platform validation failures 152 Application validation failures Hostname validation Issues 156 Random number generation 158 netscape Navigator(1994) 158 Debian(2006 Insufficient Entropy on Embedded Devices Heartbleed Impact Mitigation Protocol Downgrade attacks 165 Rollback protection in ssl 3 Interoperability problems 67 Voluntary Protocol Downgrade Rollback protection in tls 1.0 and better 171 Attacking Voluntary Protocol Downgrade 172 Modern rollback defenses 172 Truncation Attacks 173 Truncation Attack History 175 Cookie Cutting 175 Deployment Weaknesses 177 Virtua| Host confusⅰon TLS Session Cache Sharing 178 7. Protocol attacks 181 Insecure Renegotiation 181 Why Was renegotiation Insecure 182 Triggering the Weakness Attacks against Http Attacks against other Protocols 87 nsecure Renegotiation Issues Introduced by architecture Impact Mitigation Discovery and remediation timeline BEAST 191 How the attack works Client-Side mitigation 195 Server-Side Mitigation History 198 Impact Compression Side channel attacks How the Compression Oracle Works 201 History of Attacks 203 CRIME Mitigation of Attacks against TLS and SPDy 212 Mitigation of Attacks against httP Compression 213 Padding Oracle attacks 214 What Is a padding oracle? Attacks against TLS 215 Impact 216 Mitigation RC4 Weaknesses 218 Key scheduling Weaknesses 218 Early Single-Byte Biases 219 Biases across the first 256 Bytes Double- Byte Biases Mitigation: RC4 versus BEAST and Lucky 13 222 Triple handshake Attack The attack 224 Impact Prerequisites 232 Dual Elliptic Curve Deterministic Random bit Generator 232 8. Deployment 235 Ke 35 Key algorithm Key size Key Management 237 Certificate Certificate Type 238 Certificate hostnames 239 Certificate Sharing Signature algorithm 240 Certificate chain 240 Revocat Choosing the right certificate authority 241 Protocol Configuration 243 Cipher Suite Configuration 244 Server cipher suite preference 244 Cipher Strength 244 Forward secrecy 244 Performance 245 Interoperability 246 Server Configuration and architecture 246 Shared environments Virtual Secure Hosting 247 Session caching 247 Complex architectures 248 Issue Mitigation 249 Renegotiation 249 BeasT (Http) 249 CrimE(htTP) 250 Lucky 13 250 RC4 250 TiMe and breach (Http) 251 Triple handshake attack 252 Heartbleed 252 Pinning 253 Http Making Full Use of Encryl Cookie security 254 Backend certificate and hostname validation 254 Http Strict Transport Security 254 Content Security Policy 255 Protocol Downgrade protection 255 9. Performance Optimization............ 257 Latency and Connection management 258 TCP Optimization 259 Connection persisten 260 Spdy, Http 2.0, and beyond 262 Content Delivery Networks TLS Protocol Optimization 265 Key Exchange 265 Certificates Revocation Checking 271 Session Resumption 272 Transport Overhead 273 Symmetric Encryption 275 TLS Record Buffering Latency 277 Interoperability 279 Hardware acceleration 279 Denial of service attacks Key Exchange and encryption cPu costs 281 Client-Initiated Renegotiation Optimized tLs Denial of Service Attacks 10. HSTS, CSP, and pinning 日日日 Http Strict Transport Security Configuring HSTS 286 Ensuring hostname coverage Cookie security Attack vectors Robust deployment Checklist Browser Support 291 Privacy Implications 293 X

...展开详情
试读 127P HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)
立即下载 低至0.43元/次 身份认证VIP会员低至7折
一个资源只可评论一次,评论内容不能少于5个字
您会向同学/朋友/同事推荐我们的CSDN下载吗?
谢谢参与!您的真实评价是我们改进的动力~
  • GitHub

  • 脉脉勋章

  • 签到新秀

关注 私信
上传资源赚钱or赚积分
最新推荐
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版) 21积分/C币 立即下载
1/127
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第1页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第2页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第3页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第4页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第5页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第6页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第7页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第8页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第9页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第10页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第11页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第12页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第13页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第14页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第15页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第16页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第17页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第18页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第19页
HTTPS权威指南:在服务器和Web应用上部署SSL-TLS和PKI (英文版)第20页

试读结束, 可继续阅读

21积分/C币 立即下载 >