ffirs.indd ii 12/24/2010 12:41:17 PM
Implementing SSL/TLS Using Cryptography and PKI
Joshua Davies
Implementing SSL/TLS Using Cryptography and PKI
Published by
Wiley Publishing, Inc.
10475 Crosspoint Boulevard
Indianapolis, IN 46256
www.wiley.com
Copyright © 2011 by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada
ISBN: 978-0-470-92041-1
ISBN: 978-1-118-03875-8 (ebk)
ISBN: 978-1-118-03876-5 (ebk)
ISBN: 978-1-118-03877-2 (ebk)
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at
Limit of Liability/Disclaimer of Warranty: The publisher and the author make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation warranties of fitness for a particular purpose. No warranty may be created or extended by sales or promotional materials. The advice and strategies contained herein may not be suitable for every situation. This work is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional services. If professional assistance is required, the services of a competent professional person should be sought. Neither the publisher nor the author shall be liable for damages arising herefrom. The fact that an organization or Web site is referred to in this work as a citation and/or a potential source of further information does not mean that the author or the publisher endorses the information the organization or website may provide or recommendations it may make. Further, readers should be aware that Internet websites listed in this work may have changed or disappeared between when this work was written and when it is read.
For general information on our other products and services please contact our Customer Care Department within the United States at (877) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.
Library of Congress Control Number: 2010942196
Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates, in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc. is not associated with any product or vendor mentioned in this book.
Statements of Copyright: This book refers to and incorporates portions of the Internet Engineering Task Force’s (IETF’s) Request For Comments (RFCs). All RFCs are protected by the following copyright. Copyright (C) The Internet Society (1999). All Rights Reserved.
This document and translations of it may be copied and furnished to others, and derivative works that comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and distributed, in whole or in part, without restriction of any kind, provided that the above copyright notice and this paragraph are included on all such copies and derivative works. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as needed for the purpose of developing Internet standards in which case the procedures for copyrights defined in the Internet Standards process must be followed, or as required to translate it into languages other than English. The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns. This document and the information contained herein is provided on an “AS IS” basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
This book incorporates several examples making use of the OpenSSL software suite. OpenSSL is trademarked and copyrighted. OpenSSL is based on the excellent SSLeay library developed by Eric A. Young and Tim J. Hudson. The OpenSSL toolkit is licensed under an Apache-style licence which basically means that you are free to get and use it for commercial and non-commercial purposes.
This book describes in some detail several open standards maintained and owned by FIPS, the ITU, PKCS, and SECG. The maintainers and authors of these standards documents are attributed throughout the text.
VeriSign is used as an example of a Certificate Authority in Chapters 3 and 4. VeriSign and other trademarks are the registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries.
For my wife, Lupita, who may not always understand but always
accepts, supports, and encourages.
ix
About the Author
Joshua Davies has been hacking on computers since his father brought home the family’s first computer, a TI-99/4A, in 1982. He holds a Bachelor’s degree in computer science from Valdosta State University and a Masters degree in computer science from the University of Texas at Arlington. He has been programming professionally since 1990 and as a result has never had to do any real work. He is currently responsible for security architecture at Travelocity.com and previously worked internationally as a consultant for One, Inc. whose client list included AT&T, Neiman Marcus, Intermedia, and the Mexican telecommunications giant Pegaso. He prefers to work in C or assembler, but often codes in Java since it pays the bills. He currently resides in Dallas, Texas with his wife and two children.
About the Technical Editor
David Chapa is a Senior Analyst with the Enterprise Strategy Group covering the Data Protection segment with a focus on Disaster Recovery, Backup/Recovery as a Service, and Availability Solutions. David has invested over 25 years in the computer industry, focusing specifically on data protection, data disaster recovery, and business resumption practices. He has held several senior level technical positions with companies such as Cheyenne Software, OpenVision, ADIC, Quantum, and NetApp. Prior to joining ESG, as Director of Data Protection Strategy and Global Alliances for NetApp, David continued to evangelize “Recovery and Backup,” his mantra for over a decade now, and the benefits of integrating software solutions with disk-based backup. In his role with ESG, David will bring all of this expertise, knowledge, and passion to raise a greater holistic awareness around data protection. David is an energetic and dynamic speaker who brings a great deal of experiential knowledge, humor, and keen insight to his audience. He has been a featured speaker at VERITAS Vision, CA World, SNW, Chicago Software Association, and CAMP/IT Conferences, and has served as panelist on various discussions related to disaster recovery, compliance, and the use of disk, tape, and cloud for recovery and backup strategies.
David has written several articles and blogs over the years. In addition, he is the co-author of Implementing Backup and Recovery, the Technical Editor of Cloud Security, Security 2020, and Web Commerce Security Design and Development with Wiley and Sons, and is recognized worldwide as an authority on the subject of backup and recovery. David is also a member of SNIA’s Data Protection and Capacity Optimization (DPCO) Committee, whose mission is to foster the growth and success of the storage market in the areas of data protection and capacity optimization technologies.
Credits
Executive Editor: Carol Long
Project Editor: Maureen Spears
Technical Editor: David A. Chapa
Production Editor: Kathleen Wisor
Copy Editor: Charlotte Kughen
Editorial Director: Robyn B. Siesky
Editorial Manager: Mary Beth Wakefield
Freelancer Editorial Manager: Rosemarie Graham
Marketing Manager: Ashley Zurcher
Production Manager: Tim Tate
Vice President and Executive Group Publisher: Richard Swadley
Vice President and Executive Publisher: Barry Pruett
Associate Publisher: Jim Minatel
Project Coordinator, Cover: Katie Crocker
Proofreader: Nancy Bell
Indexer: Robert Swanson
Cover Designer: Ryan Sneed
Acknowledgments
My name is the name on the cover of this book, but I can’t possibly take all of the credit for the finished product. I can’t thank the staff at John Wiley and Sons enough for their hard work and dedication in bringing this book to print — Charlotte Kughen for tirelessly correcting my overly casual use of the English language, David Chapa for his encouragement and gentle feedback, Maureen Spears for her infinite patience with me every time I asked to make last-minute changes long after the time for last-minute changes had passed (I’m sure some day you’ll look back on this and laugh) and finally to Carol Long for understanding what I was trying to accomplish and expending so much effort to get the green light for this project in the first place.
Thanks to the OpenSSL development team for their excellent software, which I made such heavy use of while developing and testing the code in this book, and to Thomas Hruska of Shining Light Productions for his feedback as well.
Many thanks to the IETF TLS working group who volunteer their time to generate free, openly accessible specifications for no compensation beyond the satisfaction that they are making the world a better, safer place. I’ve enjoyed debating and discussing the finer points of TLS with all of you while I was lurking on the mailing list over the past three years. This book is in no small part the culmination of the understanding I’ve achieved from listening to all of you.
I must, of course, acknowledge the support and encouragement I received from my university professors long after graduation — especially to Dr. Roger Lamprey, Dr. Gergely Zaruba, and Dr. Farhad Kamangar. I have no idea what they’re paying you, but I’m sure it’s far less than you deserve.
A special thank you goes to Troy Magennis of Travelocity, who encouraged me to take the leap from thinking about writing a book to finally sitting down and making it happen. Your example and inspiration were invaluable.
Thank you to my parents and my brother and sisters who are five of the most different, unique, and interesting people on the planet. It’s amazing that we’re all related, but somehow we pull it off. Finally, thank you to my family for their support as I wrote this book. This took far longer and much more effort than I ever anticipated. For putting up with my long absences and lost evenings and weekends as I wrote, re-wrote, and re-re-wrote: Lupita, Dylan, and Isabelle — you are my purpose on this earth and my reason for being — I hope I can always make you proud.
And, of course, thanks to Tornado the cat for keeping my lap warm night after night as I wrote after everybody else had gone to bed.
Contents at a Glance
Introduction xxvii
Chapter 1 Understanding Internet Security 1
Chapter 2 Protecting Against Eavesdroppers with Symmetric Cryptography 29
Chapter 3 Secure Key Exchange over an Insecure Medium with Public Key Cryptography 91
Chapter 4 Authenticating Communications Using Digital Signatures 157
Chapter 5 Creating a Network of Trust Using X.509 Certificates 221
Chapter 6 A Usable, Secure Communications Protocol: Client-Side TLS 297
Chapter 7 Adding Server-Side TLS 1.0 Support 381
Chapter 8 Advanced SSL Topics 415
Chapter 9 Adding TLS 1.2 Support to Your TLS Library 479
Chapter 10 Other Applications of SSL 543
Appendix A Binary Representation of Integers: A Primer 567
Appendix B Installing TCPDump and OpenSSL 573
Appendix C Understanding the Pitfalls of SSLv2 579
Index 629
Contents
Introduction xxvii
Chapter 1 Understanding Internet Security 1
What Are Secure Sockets? 2
“Insecure” Communications: Understanding the HTTP Protocol 4
Implementing an HTTP Client 5
Adding Support for HTTP Proxies 12
Reliable Transmission of Binary Data with Base64 Encoding 17
Implementing an HTTP Server 21
Roadmap for the Rest of This Book 27
Chapter 2 Protecting Against Eavesdroppers with Symmetric Cryptography 29
Understanding Block Cipher Cryptography Algorithms 30
Implementing the Data Encryption Standard (DES) Algorithm 31
DES Initial Permutation 34
DES Key Schedule 38
DES Expansion Function 40
DES Decryption 45
Padding and Chaining in Block Cipher Algorithms 46
Using the Triple-DES Encryption Algorithm to Increase Key Length 55
Faster Encryption with the Advanced Encryption Standard (AES) Algorithm 60
AES Key Schedule Computation 60
AES Encryption 67
Other Block Cipher Algorithms 83
Understanding Stream Cipher Algorithms 83
Understanding and Implementing the RC4 Algorithm 84
Converting a Block Cipher to a Stream Cipher: The OFB and COUNTER Block-Chaining Modes 90
Chapter 3 Secure Key Exchange over an Insecure Medium with Public Key Cryptography 91
Understanding the Theory Behind the RSA Algorithm 92
Performing Arbitrary Precision Binary Math to Implement Public-Key Cryptography 93
Implementing Large-Number Addition 93
Implementing Large-Number Subtraction 98
Implementing Large-Number Multiplication 101
Implementing Large-Number Division 106
Comparing Large Numbers 109
Optimizing for Modulo Arithmetic 112
Using Modulus Operations to Efficiently Compute Discrete Logarithms in a Finite Field 113
Encryption and Decryption with RSA 114
Encrypting with RSA 115
Decrypting with RSA 119
Encrypting a Plaintext Message 120
Decrypting an RSA-Encrypted Message 124
Testing RSA Encryption and Decryption 126
Achieving Perfect Forward Secrecy with Diffie-Hellman Key Exchange 130
Getting More Security per Key Bit: Elliptic Curve Cryptography 132
How Elliptic Curve Cryptography Relies on Modular Inversions 135
Using the Euclidean Algorithm to compute Greatest Common Denominators 135
Computing Modular Inversions with the Extended Euclidean Algorithm 137
Adding Negative Number Support to the Huge Number Library 138
Supporting Negative Remainders 147
Making ECC Work with Whole Integers: Elliptic-Curve Cryptography over Fp 150
Reimplementing Diffie-Hellman to Use ECC Primitives 150
Why Elliptic-Curve Cryptography? 154
Chapter 4 Authenticating Communications Using Digital Signatures 157
Using Message Digests to Create Secure Document Surrogates 158
Implementing the MD5 Digest Algorithm 159
Understanding MD5 160
A Secure Hashing Example 161
Securely Hashing a Single Block of Data 166
MD5 Vulnerabilities 169
Increasing Collision Resistance with the SHA-1 Digest Algorithm 171
Understanding SHA-1 Block Computation 171
Understanding the SHA-1 Input Processing Function 174
Understanding SHA-1 Finalization 176
Even More Collision Resistance with the SHA-256 Digest Algorithm 180
Preventing Replay Attacks with the HMAC Keyed-Hash Algorithm 184
Implementing a Secure HMAC Algorithm 186
Completing the HMAC Operation 190
Creating Updateable Hash Functions 190
Defining a Digest Structure 191
Appending the Length to the Last Block 194
Computing the MD5 Hash of an Entire File 196
Where Does All of This Fit into SSL? 200
Understanding Digital Signature Algorithm (DSA) Signatures 201
Implementing Sender-Side DSA Signature Generation 202
Implementing Receiver-Side DSA Signature Verification 205
How to Make DSA Efficient 209
Getting More Security per Bit: Elliptic Curve DSA 210
Rewriting the Elliptic-Curve Math Functions to Support Large Numbers 211
Implementing ECDSA 215
Generating ECC Keypairs 218
Chapter 5 Creating a Network of Trust Using X.509 Certificates 221
Putting It Together: The Secure Channel Protocol 222
Encoding with ASN.1 225
Understanding Signed Certificate Structure 225
Version 226
serialNumber 227
signature 227
issuer 229
validity 232
subject 233
subjectPublicKeyInfo 235
extensions 237
Signed Certificates 238
Summary of X.509 Certificates 241
Transmitting Certificates with ASN.1 Distinguished Encoding Rules (DER) 241
Encoded Values 241
Strings and Dates 242
Bit Strings 243
Sequences and Sets: Grouping and Nesting ASN.1 Values 243
ASN.1 Explicit Tags 244
A Real-World Certificate Example 244
Using OpenSSL to Generate an RSA KeyPair and Certificate 244
Using OpenSSL to Generate a DSA KeyPair and Certificate 251
Developing an ASN.1 Parser 252
Converting a Byte Stream into an ASN.1 Structure 252
The asn1parse Code in Action 259
Turning a Parsed ASN.1 Structure into X.509 Certificate Components 264
Joining the X.509 Components into a Completed X.509 Certificate Structure 268
Parsing Object Identifiers (OIDs) 270
Parsing Distinguished Names 271
Parsing Certificate Extensions 275
Signature Verification 279
Validating PKCS #7-Formatted RSA Signatures 280
Verifying a Self-Signed Certificate 281
Adding DSA Support to the Certificate Parser 286
Managing Certificates 292
How Authorities Handle Certificate Signing Requests (CSRs) 292
Correlating Public and Private Keys Using PKCS #12 Formatting 293
Blacklisting Compromised Certificates Using Certificate Revocation Lists (CRLs) 294
Keeping Certificate Blacklists Up-to-Date with the Online Certificate Status Protocol (OCSP) 295
Other Problems with Certificates 296
Chapter 6 A Usable, Secure Communications Protocol: Client-Side TLS 297
Implementing the TLS 1.0 Handshake (Client Perspective) 299
Adding TLS Support to the HTTP Client 300
Understanding the TLS Handshake Procedure 303
TLS Client Hello 304
Tracking the Handshake State in the TLSParameters Structure 304
Describing Cipher Suites 308
Flattening and Sending the Client Hello Structure 309
TLS Server Hello 316
Adding a Receive Loop 317
Sending Alerts 318
Parsing the Server Hello Structure 319
Reporting Server Alerts 323
TLS Certificate 324
TLS Server Hello Done 328
TLS Client Key Exchange 329
Sharing Secrets Using TLS PRF (Pseudo-Random Function) 329
Creating Reproducible, Unpredictable Symmetric Keys with Master Secret Computation 336
RSA Key Exchange 337
Diffie-Hellman Key Exchange 343
TLS Change Cipher Spec 344
TLS Finished 346
Computing the Verify Message 347
Correctly Receiving the Finished Message 352
Secure Data Transfer with TLS 353
Assigning Sequence Numbers 353
Supporting Outgoing Encryption 355
Adding Support for Stream Ciphers 358
Updating Each Invocation of send_message 359
Decrypting and Authenticating 361
TLS Send 364
TLS Receive 365
Implementing TLS Shutdown 368
Examining HTTPS End-to-end Examples (TLS 1.0) 369
Dissecting the Client Hello Request 370
Dissecting the Server Response Messages 372
Dissecting the Key Exchange Message 373
Decrypting the Encrypted Exchange 374
Exchanging Application Data 377
Differences Between SSL 3.0 and TLS 1.0 378
Differences Between TLS 1.0 and TLS 1.1 379
Chapter 7 Adding Server-Side TLS 1.0 Support 381
Implementing the TLS 1.0 Handshake from the Server’s Perspective 381
TLS Client Hello 387
TLS Server Hello 390
TLS Certificate 391
TLS Server Hello Done 393
TLS Client Key Exchange 394
RSA Key Exchange and Private Key Location 395
Supporting Encrypted Private Key Files 399
Checking That Decryption was Successful 406
Completing the Key Exchange 407
TLS Change Cipher Spec 409
TLS Finished 409
Avoiding Common Pitfalls When Adding HTTPS Support to a Server 411
When a Browser Displays Errors: Browser Trust Issues 412