You are previewing Network Security with OpenSSL.
O'Reilly logo
Network Security with OpenSSL

Book Description

Most applications these days are at least somewhat network aware, but how do you protect those applications against common network security threats? Many developers are turning to OpenSSL, an open source version of SSL/TLS, which is the most widely used protocol for secure network communications. The OpenSSL library is seeing widespread adoption for web sites that require cryptographic functions to protect a broad range of sensitive information, such as credit card numbers and other financial transactions. The library is the only free, full-featured SSL implementation for C and C++, and it can be used programmatically or from the command line to secure most TCP-based network protocols. Network Security with OpenSSL enables developers to use this protocol much more effectively. Traditionally, getting something simple done in OpenSSL could easily take weeks. This concise book gives you the guidance you need to avoid pitfalls, while allowing you to take advantage of the library?s advanced features. And, instead of bogging you down in the technical details of how SSL works under the hood, this book provides only the information that is necessary to use OpenSSL safely and effectively. In step-by-step fashion, the book details the challenges in securing network communications, and shows you how to use OpenSSL tools to best meet those challenges. As a system or network administrator, you will benefit from the thorough treatment of the OpenSSL command-line interface, as well as from step-by-step directions for obtaining certificates and setting up your own certification authority. As a developer, you will further benefit from the in-depth discussions and examples of how to use OpenSSL in your own programs. Although OpenSSL is written in C, information on how to use OpenSSL with Perl, Python and PHP is also included. OpenSSL may well answer your need to protect sensitive data. If that?s the case, Network Security with OpenSSL is the only guide available on the subject.

Table of Contents

  1. Network Security with OpenSSL
    1. SPECIAL OFFER: Upgrade this ebook with O’Reilly
    2. A Note Regarding Supplemental Files
    3. Preface
      1. About This Book
      2. Conventions Used in This Book
      3. Comments and Questions
      4. Acknowledgments
    4. 1. Introduction
      1. 1.1. Cryptography for the Rest of Us
        1. 1.1.1. Goals of Cryptography
        2. 1.1.2. Cryptographic Algorithms
          1. 1.1.2.1. Symmetric key encryption
          2. 1.1.2.2. Public key encryption
          3. 1.1.2.3. Cryptographic hash functions and Message Authentication Codes
          4. 1.1.2.4. Digital signatures
      2. 1.2. Overview of SSL
      3. 1.3. Problems with SSL
        1. 1.3.1. Efficiency
          1. 1.3.1.1. Cryptographic acceleration hardware
          2. 1.3.1.2. Load balancing
        2. 1.3.2. Keys in the Clear
        3. 1.3.3. Bad Server Credentials
        4. 1.3.4. Certificate Validation
        5. 1.3.5. Poor Entropy
        6. 1.3.6. Insecure Cryptography
      4. 1.4. What SSL Doesn't Do Well
        1. 1.4.1. Other Transport Layer Protocols
        2. 1.4.2. Non-Repudiation
        3. 1.4.3. Protection Against Software Flaws
        4. 1.4.4. General-Purpose Data Security
      5. 1.5. OpenSSL Basics
      6. 1.6. Securing Third-Party Software
        1. 1.6.1. Server-Side Proxies
        2. 1.6.2. Client-Side Proxies
    5. 2. Command-Line Interface
      1. 2.1. The Basics
        1. 2.1.1. Configuration Files
      2. 2.2. Message Digest Algorithms
        1. 2.2.1. Examples
      3. 2.3. Symmetric Ciphers
        1. 2.3.1. Examples
      4. 2.4. Public Key Cryptography
        1. 2.4.1. Diffie-Hellman
          1. 2.4.1.1. Examples
        2. 2.4.2. Digital Signature Algorithm
          1. 2.4.2.1. Examples
        3. 2.4.3. RSA
          1. 2.4.3.1. Examples
      5. 2.5. S/MIME
        1. 2.5.1. Examples
      6. 2.6. Passwords and Passphrases
      7. 2.7. Seeding the Pseudorandom Number Generator
    6. 3. Public Key Infrastructure (PKI)
      1. 3.1. Certificates
        1. 3.1.1. Certification Authorities
          1. 3.1.1.1. Private Certification Authorities
          2. 3.1.1.2. Public Certification Authorities
        2. 3.1.2. Certificate Hierarchies
        3. 3.1.3. Certificate Extensions
        4. 3.1.4. Certificate Revocation Lists
        5. 3.1.5. Online Certificate Status Protocol
      2. 3.2. Obtaining a Certificate
        1. 3.2.1. Personal Certificates
        2. 3.2.2. Code-Signing Certificates
        3. 3.2.3. Web Site Certificates
      3. 3.3. Setting Up a Certification Authority
        1. 3.3.1. Creating an Environment for Your Certification Authority
        2. 3.3.2. Building an OpenSSL Configuration File
        3. 3.3.3. Creating a Self-Signed Root Certificate
        4. 3.3.4. Issuing Certificates
        5. 3.3.5. Revoking Certificates
    7. 4. Support Infrastructure
      1. 4.1. Multithread Support
        1. 4.1.1. Static Locking Callbacks
        2. 4.1.2. Dynamic Locking Callbacks
      2. 4.2. Internal Error Handling
        1. 4.2.1. Manipulating Error Queues
        2. 4.2.2. Human-Readable Error Messages
        3. 4.2.3. Threading and Practical Applications
      3. 4.3. Abstract Input/Output
        1. 4.3.1. Source/Sink BIOs
          1. 4.3.1.1. Memory sources/sinks
          2. 4.3.1.2. File sources/sinks
          3. 4.3.1.3. Socket sources/sinks
          4. 4.3.1.4. BIO pairs
        2. 4.3.2. Filter BIOs
      4. 4.4. Random Number Generation
        1. 4.4.1. Seeding the PRNG
        2. 4.4.2. Using an Alternate Entropy Source
      5. 4.5. Arbitrary Precision Math
        1. 4.5.1. The Basics
        2. 4.5.2. Mathematical Operations
        3. 4.5.3. Generating Prime Numbers
      6. 4.6. Using Engines
    8. 5. SSL/TLS Programming
      1. 5.1. Programming with SSL
        1. 5.1.1. The Application(s) to Secure
        2. 5.1.2. Step 1: SSL Version Selection and Certificate Preparation
          1. 5.1.2.1. Background
          2. 5.1.2.2. Certificate preparation
          3. 5.1.2.3. Our example extended
        3. 5.1.3. Step 2: Peer Authentication
          1. 5.1.3.1. Background
          2. 5.1.3.2. Incorporating trusted certificates
          3. 5.1.3.3. Certificate verification
          4. 5.1.3.4. Incorporating certificate revocation lists
          5. 5.1.3.5. Post-connection assertions
          6. 5.1.3.6. Further extension of the examples
        4. 5.1.4. Step 3: SSL Options and Cipher Suites
          1. 5.1.4.1. Setting SSL options
          2. 5.1.4.2. Ephemeral keying
          3. 5.1.4.3. Cipher suite selection
          4. 5.1.4.4. The final product
          5. 5.1.4.5. Beyond the example
      2. 5.2. Advanced Programming with SSL
        1. 5.2.1. SSL Session Caching
          1. 5.2.1.1. Client-side SSL sessions
          2. 5.2.1.2. Server-side SSL sessions
          3. 5.2.1.3. An on-disk, session caching framework
        2. 5.2.2. I/O on SSL Connections
          1. 5.2.2.1. Reading and writing functions
          2. 5.2.2.2. Blocking I/O
          3. 5.2.2.3. Non-blocking I/O
        3. 5.2.3. SSL Renegotiations
          1. 5.2.3.1. Implementing renegotiations
          2. 5.2.3.2. Renegotiations in 0.9.7
          3. 5.2.3.3. Further notes
    9. 6. Symmetric Cryptography
      1. 6.1. Concepts in Symmetric Cryptography
        1. 6.1.1. Block Ciphers and Stream Ciphers
        2. 6.1.2. Basic Block Cipher Modes
      2. 6.2. Encrypting with the EVP API
        1. 6.2.1. Available Ciphers
          1. 6.2.1.1. AES
          2. 6.2.1.2. Blowfish
          3. 6.2.1.3. CAST5
          4. 6.2.1.4. DES
          5. 6.2.1.5. DESX
          6. 6.2.1.6. Triple DES
          7. 6.2.1.7. IDEA
          8. 6.2.1.8. RC2™
          9. 6.2.1.9. RC4™
          10. 6.2.1.10. RC5™
        2. 6.2.2. Initializing Symmetric Ciphers
        3. 6.2.3. Specifying Key Length and Other Options
        4. 6.2.4. Encryption
        5. 6.2.5. Decryption
        6. 6.2.6. Handling UDP Traffic with Counter Mode
      3. 6.3. General Recommendations
    10. 7. Hashes and MACs
      1. 7.1. Overview of Hashes and MACs
      2. 7.2. Hashing with the EVP API
      3. 7.3. Using MACs
        1. 7.3.1. Other MACs
          1. 7.3.1.1. CBC-MAC
          2. 7.3.1.2. XCBC-MAC
          3. 7.3.1.3. XOR-MAC
          4. 7.3.1.4. UMAC
      4. 7.4. Secure HTTP Cookies
    11. 8. Public Key Algorithms
      1. 8.1. When to Use Public Key Cryptography
      2. 8.2. Diffie-Hellman
        1. 8.2.1. The Basics
        2. 8.2.2. Generating and Exchanging Parameters
        3. 8.2.3. Computing Shared Secrets
        4. 8.2.4. Practical Applications
      3. 8.3. Digital Signature Algorithm (DSA)
        1. 8.3.1. The Basics
        2. 8.3.2. Generating Parameters and Keys
        3. 8.3.3. Signing and Verifying
        4. 8.3.4. Practical Applications
      4. 8.4. RSA
        1. 8.4.1. The Basics
        2. 8.4.2. Generating Keys
        3. 8.4.3. Data Encryption, Key Agreement, and Key Transport
        4. 8.4.4. Signing and Verifying
        5. 8.4.5. Practical Applications
      5. 8.5. The EVP Public Key Interface
        1. 8.5.1. Signing and Verifying
        2. 8.5.2. Encrypting and Decrypting
      6. 8.6. Encoding and Decoding Objects
        1. 8.6.1. Writing and Reading DER-Encoded Objects
        2. 8.6.2. Writing and Reading PEM-Encoded Objects
    12. 9. OpenSSL in Other Languages
      1. 9.1. Net::SSLeay for Perl
        1. 9.1.1. Net::SSLeay Variables
        2. 9.1.2. Net::SSLeay Error Handling
        3. 9.1.3. Net::SSLeay Utility Functions
        4. 9.1.4. Net::SSLeay Low-Level Bindings
      2. 9.2. M2Crypto for Python
        1. 9.2.1. Low-Level Bindings
        2. 9.2.2. High-Level Classes
          1. 9.2.2.1. M2Crypto.SSL
          2. 9.2.2.2. M2Crypto.BIO
          3. 9.2.2.3. M2Crypto.EVP
          4. 9.2.2.4. Miscellaneous crypto
        3. 9.2.3. Python Module Extensions
          1. 9.2.3.1. Extensions to httplib: httpslib
          2. 9.2.3.2. Extensions to urllib: m2urllib
          3. 9.2.3.3. Extensions to xmlrpclib: m2xmlrpclib
      3. 9.3. OpenSSL Support in PHP
        1. 9.3.1. General Functions
        2. 9.3.2. Certificate Functions
        3. 9.3.3. Encryption and Signing Functions
        4. 9.3.4. PKCS#7 (S/MIME) Functions
    13. 10. Advanced Programming Topics
      1. 10.1. Object Stacks
      2. 10.2. Configuration Files
      3. 10.3. X.509
        1. 10.3.1. Generating Requests
          1. 10.3.1.1. Subject name
          2. 10.3.1.2. X.509 Version 3 extensions
          3. 10.3.1.3. Putting it all together
        2. 10.3.2. Making Certificates
        3. 10.3.3. X.509 Certificate Checking
      4. 10.4. PKCS#7 and S/MIME
        1. 10.4.1. Signing and Verifying
        2. 10.4.2. Encrypting and Decrypting
        3. 10.4.3. Combined Operations
        4. 10.4.4. PKCS#7 Flags
      5. 10.5. PKCS#12
        1. 10.5.1. Wrapping Information into a PKCS#12 Object
        2. 10.5.2. Importing Objects from PKCS#12 Data
    14. A. Command-Line Reference
      1. asn1parse
      2. ca
      3. ciphers
      4. crl
      5. crl2pkcs7
      6. dgst
      7. dhparam
      8. dsa
      9. dsaparam
      10. enc
      11. errstr
      12. gendsa
      13. genrsa
      14. nseq
      15. passwd
      16. pkcs7
      17. pkcs8
      18. pkcs12
      19. rand
      20. req
      21. rsa
      22. rsautl
      23. s_client
      24. s_server
      25. s_time
      26. sess_id
      27. smime
      28. speed
      29. spkac
      30. verify
      31. version
      32. x509
    15. Index
    16. About the Authors
    17. Colophon
    18. SPECIAL OFFER: Upgrade this ebook with O’Reilly