TLS Cryptography In-Depth: Explore the intricacies of modern cryptography and the inner workings of TLS

Cover
Part 1: Getting Started
Title Page
Copyright and Credits
Contributors
Table of Contents
Preface
Chapter 1: The Role of Cryptography in the Connected World
	Evolution of cryptography
	The advent of TLS and the internet
	Increasing connectivity
		Connectivity versus security – larger attack surface
		Connectivity versus marginal attack cost
		Connectivity versus scaling attacks
	Increasing complexity
		Complexity versus security – features
		Complexity versus security – emergent behavior
		Complexity versus security – bugs
	Example attacks
		The Mirai botnet
		Operation Aurora
		The Jeep hack
		Commonalities
	Summary
Chapter 2: Secure Channel and the CIA Triad
	Technical requirements
	Preliminaries
	Confidentiality
	Integrity
	Authentication
		Message authentication
		Entity authentication
	Secure channels and the CIA triad
	Summary
Chapter 3: A Secret to Share
	Secret keys and Kerckhoffs\'s principle
	Cryptographic keys
		One key for each task
		Key change and session keys
	Key space
	Key length
	Crypto-agility and information half-life
	Key establishment
		Key transport
		Key agreement
	Randomness and entropy
		Information-theoretic definition of entropy
		Entropy in cryptography
		True randomness and pseudo-randomness
	Summary
Chapter 4: Encryption and Decryption
	Preliminaries
	Symmetric cryptosystems
	Information-theoretical security (perfect secrecy)
		A first example
		The one-time pad
	Computational security
		Asymptotic approach and efficient computation
		Negligible probabilities
	Pseudorandomness
		Stream ciphers
		RC4
		Pseudorandom functions and chosen-plaintext attacks
	Summary
Chapter 5: Entity Authentication
	The identity concept
		Basic principles of identification protocols
		Basic factors for identification
	Authorization and authenticated key establishment
	Message authentication versus entity authentication
	Password-based authentication
		Brief history of password-based authentication
		Storing passwords
		Disadvantages of password-based authentication
	Challenge-response protocols
		Ensuring freshness
		Challenge-response using symmetric keys
		Challenge-response using (keyed) one-way functions
		Challenge-response using public-key cryptography
	Summary
Chapter 6: Transport Layer Security at a Glance
	Birth of the World Wide Web
	Early web browsers
	From SSL to TLS
	TLS overview
		TLS terminology
		CIA triad in TLS
		TLS within the internet protocol stack
	TLS version 1.2
		Subprotocols in TLS version 1.2
		A typical TLS 1.2 connection
			Algorithm negotiation
			Key establishment
			Server authentication
			Client authentication
		Session resumption
	TLS version 1.3
		Handshake protocol
		Error handling in the TLS 1.3 handshake
		Session resumption and PSKs
		Zero round-trip time mode
	Major differences between TLS versions 1.3 and 1.2
	Summary
Part 2: Shaking Hands
Chapter 7: Public-Key Cryptography
	Preliminaries
	Groups
		Examples of groups
		The discrete logarithm problem
	The Diffie-Hellman key-exchange protocol
	Security of Diffie-Hellman key exchange
		Discrete logarithm problem
		The Diffie-Hellman problem
		Authenticity of public keys
	The ElGamal encryption scheme
	Finite fields
		Fields of order p
		Fields of order pk
	The RSA algorithm
		Euler\'s totient function
		Key pair generation
		The encryption function
		The decryption function
	Security of the RSA algorithm
		The factoring problem
		The RSA problem
		Authenticity of public keys
	Authenticated key agreement
		The Station-to-Station (STS) protocol
	Public-key cryptography in TLS 1.3
		Client key shares and server key shares
		Supported groups
		Finite Field Diffie-Hellman in TLS
	Hybrid cryptosystems
		High-level description of hybrid cryptosystems
		Hybrid encryption
		Example – Hybrid Public Key Encryption
		Hybrid cryptosystems in modern cryptography
	Summary
Chapter 8: Elliptic Curves
	What are elliptic curves?
		Reduced Weierstrass form
		Smoothness
		Projective coordinates
	Elliptic curves as abelian groups
		Geometrical viewpoint
		Explicit formulae
	Elliptic curves over finite fields
		Elliptic curves over Fp
		Elliptic curves over F2k
		Discrete logarithms and Diffie-Hellman key exchange protocol
	Security of elliptic curves
		Generic algorithms for finding discrete logarithms
			Shanks\' babystep-giantstep algorithm
			Pollard\'s  algorithm
		Algorithms for solving special cases of ECDLP
		Secure elliptic curves – the mathematical perspective
		A potential backdoor in Dual_EC_DRBG
		Secure elliptic curves: security engineering perspective
	Elliptic curves in TLS 1.3
		Curve secp256r1
		Curve secp384r1
		Curve secp521r1
		Curve 25519
		Curve 448
		Elliptic curve Diffie-Hellman in TLS 1.3
		ECDH parameters in TLS 1.3
		Example: ECDH with curve x25519
	Summary
Chapter 9: Digital Signatures
	General considerations
	RSA-based signatures
	Digital signatures based on discrete logarithms
		Digital Signature Algorithm (DSA)
		Elliptic Curve Digital Signature Algorithm (ECDSA)
	Digital signatures in TLS 1.3
		RSASSA-PKCS1-v1_5 algorithms
		RSASSA-PSS algorithms
		ECDSA algorithms
		EdDSA algorithms
		Legacy algorithms
	Summary
Chapter 10: Digital Certificates and Certification Authorities
	What is a digital certificate?
	X.509 certificates
		Minimum data fields
		X.509v3 extension fields
		Enrollment
		Certificate revocation lists
		Online Certificate Status Protocol (OCSP)
		X.509 trust model
	Main components of a public-key infrastructure
	Rogue CAs
	Digital certificates in TLS
		TLS extensions
		Encrypted extensions
		Certificate request
		Signature algorithms in TLS certificates
		Certificates and TLS authentication messages
		The Certificate message
		The CertificateVerify message
		Server certificate selection
		Client certificate selection
		OID filters
		Receiving a Certificate message
		The certificate_authorities extension
	Summary
Chapter 11: Hash Functions and Message Authentication Codes
	The need for authenticity and integrity
	What cryptographic guarantees does encryption provide?
	One-way functions
		Mathematical properties
		Candidate one-way functions
	Hash functions
		Collision resistance
		One-way property
		Merkle-Damgard construction
		Sponge construction
	Message authentication codes
		How to compute a MAC
		HMAC construction
	MAC versus CRC
	Hash functions in TLS 1.3
		Hash functions in ClientHello
		Hash Functions in TLS 1.3 signature schemes
			SHA-1
			SHA-256, SHA-384, and SHA-512 hash functions
		Hash functions in authentication-related messages
			The CertificateVerify message
			The Finished message
		Transcript hash
		Hash functions in TLS key derivation
	Summary
Chapter 12: Secrets and Keys in TLS 1.3
	Key establishment in TLS 1.3
	TLS secrets
		Early secret
		Binder key
		Bob\'s client early traffic secret.
		Exporter secrets
		Derived secrets
		Handshake secret
		Handshake traffic secrets
		Master secret
		Application traffic secrets
		Resumption master secret
	KDFs in TLS
		HKDF-Extract
		HKDF-Expand
		HKDF-Expand-Label
		Derive-Secret
	Updating TLS secrets
	TLS keys
		Exporter values
		Generation of TLS keys
		Key update
	TLS key exchange messages
		Cryptographic negotiation
		ClientHello
		ServerHello
		HelloRetryRequest
	Summary
Chapter 13: TLS Handshake Protocol Revisited
	TLS client state machine
	TLS server state machine
	Finished message
	Early data
	Post-handshake messages
		The NewSessionTicket message
		Post-handshake authentication
		Key and initialization vector update
	OpenSSL s_client
		Installing OpenSSL
		Using openssl-s_client
		TLS experiments with openssl-s_client
	Summary
Part 3: Off the Record
Chapter 14: Block Ciphers and Their Modes of Operation
	The big picture
	General principles
		Advantages and disadvantages of block ciphers
		Confusion and diffusion
		Pseudorandom functions
		Pseudorandom permutations
		Substitution-permutation networks and Feistel networks
		Constants in cryptographic algorithms
		DES S-boxes
		Nothing-up-my-sleeves numbers
	The AES block cipher
		Overall structure
		Round function
		Key scheduling
	Modes of operation
		ECB mode
		CBC mode
		CBC-MAC
		OFB mode
		CTR mode
		XTS mode
	Block ciphers in TLS 1.3
	Summary
Chapter 15: Authenticated Encryption
	Preliminaries
		Indistinguishability under a chosen-plaintext attack
		Indistinguishability under a chosen-ciphertext attack
		Non-malleability under a chosen-plaintext attack
		Plaintext integrity
		Ciphertext integrity
	Authenticated encryption – generic composition
		Encrypt-and-MAC
		MAC-then-encrypt
		Encrypt-then-MAC
	Security of generic composition
	Authenticated ciphers
		Authenticated encryption with associated data
		Avoiding predictability with nonces
	Counter with cipher block chaining message authentication code (CCM)
		Authenticated encryption with CCM
		Authenticated decryption with CCM
	AEAD in TLS 1.3
	Summary
Chapter 16: The Galois Counter Mode
	Preliminaries
		The Galois field F2128
		GHASH function
		The AES-GCM authenticated cipher
	GCM security
	GCM performance
	Summary
Chapter 17: TLS Record Protocol Revisited
	TLS Record protocol
	TLS record layer
	TLS record payload protection
	Per-record nonce
	Record padding
	Limits on key usage
	An experiment with the OpenSSL s_client
		Getting started
		Retrieving a website via TLS
		Analyzing the TLS record
	Summary
Chapter 18: TLS Cipher Suites
	Symmetric cipher suites in TLS 1.3
	Long-term security
		Advances in cryptanalysis
		Cryptographic agility
		Standby ciphers
	ChaCha20
		ChaCha20 quarter round
		The ChaCha20 block function
		ChaCha20 encryption algorithm
	Poly1305
		Generating the Poly1305 key using ChaCha20
	ChaCha20-Poly1305 AEAD construction
	Mandatory-to-implement cipher suites
	Summary
Part 4: Bleeding Hearts and Biting Poodles
Chapter 19: Attacks on Cryptography
	Preliminary remarks
	Passive versus active attacks
	Local versus remote attacks
		The scalability of local and remote attacks
	Interactive versus non-interactive attacks
	Attacks on cryptographic protocols
		Impersonation attacks
		Man-in-the-middle attacks
		Replay attacks
		Interleaving attacks
		Reflection attacks
	Attacks on encryption schemes
		Brute-force attack
		Forward search attack
		Ciphertext-only attack
		Known-plaintext attack
		Chosen-plaintext attack
		Padding oracle attacks
		Adaptive chosen-plaintext attack
		Chosen-ciphertext attack
		Adaptive chosen-ciphertext attack
	Attacks on hash functions
		Birthday attack
		Dictionary attack
		Rainbow tables
	Summary
Chapter 20: Attacks on the TLS Handshake Protocol
	Downgrade attacks
		Taxonomy of downgrade attacks
		Cipher suite downgrade attacks
		The Downgrade Dance
	Logjam
	SLOTH
	Padding oracle attacks on TLS handshake
	Bleichenbacher attack
		The attack
		Countermeasures
	Improvements of Bleichenbacher\'s attack
		Bad version oracles
		Side channel attacks
		DROWN
		ROBOT
	Insecure renegotiation
	Triple Handshake attack
		The attack
		Countermeasures in TLS 1.3
	Summary
Chapter 21: Attacks on the TLS Record Protocol
	Lucky 13
		The encryption process
		The timing signal
		The attack
	POODLE
		Attacker model
		The attack
	BEAST
		The attack
		Countermeasures
	Sweet32
		The attack
		Countermeasures in TLS 1.3
	Compression-based attacks
		Lossless compression algorithms
		The compression side channel
		Brief history of compression in TLS
		CRIME
		TIME
		BREACH
		HEIST
	Summary
Chapter 22: Attacks on TLS Implementations
	SMACK
	FREAK
	Truncation attacks
	Heartbleed
		TLS Heartbeat extension
		The Heartbleed bug
		The bugfix
	Insecure encryption activation
	Random number generation
	BERserk attack
	Cloudbleed
		Details of the the Cloudbleed bug
	Timing attacks
		Side channel attacks
		Raccoon
			The attack
			Countermeasures in TLS 1.3
	Summary
Index
Other Books You Might Enjoy