Ssl And Tls: Designing And Building Secure Systems

Ssl and Tls: Designing and Building Secure Systems

Secure Sockets Layer (SSL) is used in virtually every commercial web browser and server. In this book, one of the world's leading network security experts explains how SSL works -- and gives implementers step-by-step guidance and proven design patterns for building secure systems with SSL. Eric Rescorla also provides the first in-depth introduction to Transport Layer Security (TLS), the highly anticipated, maximum-security successor to SSL. KEY TOPICS: Rescorla starts by introducing SSL's fundamentals: how it works, and the threats it is intended to address. One step at a time, he addresses each key SSL concept and technique, including cryptography, SSL performance optimization, designing and coding, and how to work around SSL's limitations. Rescorla demonstrates TLS at work in SMTP-based Internet security applications. The book includes detailed examples of SSL/TLS implementations, with in-depth insight into the key design choices that informed them. MARKET: For all network and security designers, enterprise developers, system implementers, and suppliers of Internet security products and services.From the Inside FlapThe Secure Sockets Layer (SSL) is by far the most widely deployed security protocol in the world. Essentially every commercial Web browser and server supports secure Web transactions using SSL. When you buy online using "secure" Web pages an estimated 20 billion dollars' worth of such transactions will occur in 2000), you're almost certainly using SSL.Although its most common use is for securing Web traffic, SSL is actually quite a general protocol suitable for securing a wide variety of kinds of traffic. File transfer (FTP), remote object access (RMI, CORBA IIOP), e-mail transmission (SMTP), remote terminal service (Telnet) and directory access (LDAP) are just some of the applications that have already been secured with SSL or its successor, Transport Layer Security (TLS).The effort to secure all these protocols has taught us a number of significant lessons. First, doing a good job of using SSL/TLS to secure a protocol requires having a fairly deep knowledge of how it works. It is not possible to simply treat SSL/TLS as a black box that somehow magically provides security when used.Second, although each application is slightly different, there seems to be a set of security problems that are common to every application you wish to secure. For instance, we usually need to figure out some way for the insecure and secure versions of an application protocol to coexist. Although there aren't cookie-cutter solutions to these problems, the security community is starting to develop a common set of techniques for solving these problems using SSL/TLS.These techniques can often be applied to a new application protocol with minimal modification. In essence, we've developed a set of design patterns for securing protocols. Much of the work of securing a system is in recognizing which pattern most closely matches the system you're working with and then using the appropriate techniques.The purpose of this book, then, is to address both of these needs. After reading this book, you should know most if not all of what you need to know in order to design secure systems using SSL/TLS. You'll know enough about SSL/TLS to understand what security features it can deliver and what it can't deliver. Further, you'll be familiar with the common design patterns for using SSL/TLS and be ready to apply them to new situations.What This Book Provides This book is intended for anyone who wants to understand and use SSL/TLS.For designers, it provides information on designing systems that use SSL/TLS as well as a library of the techniques that have already been used. For programmers who program with SSL/TLS, it provides information on what your libraries are doing under the covers and what those functions you're calling are really doing. Understanding these details is critical for obtaining acceptable and predictable