SSL/TLS Under Lock and Key: A Guide to Understanding SSL/TLS Cryptography
By Paul Baka and Jeremy Schatten
Rating: 4/5
About this ebook
If you are looking for a comprehensive, soup-to-nuts resource on SSL/TLS, look no further. This book, geared towards bridging the gap between the absolute beginner and the veteran IT Professional, combines the theoretical and the practical in equal measure.
The first half of our book focuses on foundational theory, covering topics su
Reviews for SSL/TLS Under Lock and Key
1 rating, 1 review
- Rating: 4 out of 5 stars
Oct 1, 2022
You should cover more examples of how to make use of those certs in a 3-layer architecture. With more examples, it will be really helpful.
Thanks for your great basics.
Book preview
SSL/TLS Under Lock and Key - Paul Baka
SSL/TLS: UNDER LOCK AND KEY
Reflowable eBook Edition
by Paul Baka and Jeremy Schatten
Copyright © 2020 Keyko Pty Ltd. All rights reserved.
Keyko Pty Ltd
Suite 1A Level 2
802 Pacific Highway
Gordon NSW 2072
Australia
Edited by Sophie Pearce and Hollie Acres
Cover artwork by Ruslan Kholyaev
Formatting by Phillip Gessert
ISBN: 978-0-6489316-0-7 (Colour Edition)
ISBN: 978-0-6489316-3-8 (Black and White Edition)
ISBN: 978-0-6489316-2-1 (PDF eBook)
ISBN: 978-0-6489316-1-4 (Reflowable eBook)
ISBN: 978-0-6489316-4-5 (Audiobook)
All rights reserved. No part of this publication may be reproduced, distributed or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other noncommercial uses permitted by copyright law. For permission requests, write to the publisher at the address above.
The author and publisher have taken care in preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.
Table of Contents
Introduction: Scope and Audience
About the Authors
Paul Baka
Jeremy Schatten
Chapter 1: SSL, TLS and Cryptography
Cryptography
The Caesar Cipher
Symmetric Cryptography
Asymmetric Cryptography
SSL/TLS: The Best of Both Worlds
Hashing
Digital Signatures
SSL vs. TLS: Demystifying legacy terminology
Transport Layer Security TLS
TLS 1.0
TLS 1.1
TLS 1.2
TLS 1.3
Key Generation
Key Size
RSA
ECC
DES
AES
Chapter 2: Common Protocols
HTTPS
Handshake Protocol
Key Exchange
Authentication
Encryption over HTTPS
Renegotiation
Cipher Suites
Certificate Transparency
SNI
HSTS
HPKP
Perfect Forward Secrecy
SMTPS
Explicit SSL/TLS
StartTLS
FTPS
LDAPS
TCP
DTLS (UDP)
SCTP
SPDY
QUIC
Chapter 3: Public Key Infrastructure
Certificate Lifecycle
Key Pair Generation
Certificate Signing Request
Validation
Issuance
Revocation
Certificate Authorities
Root Certificate Authorities
Intermediate Certificate Authorities
Internal Certificate Authorities
Certificate Cross Certification
CRLs and OCSP Stapling
Certificate Authority Authorisation (CAA)
Most Utilized and Publicly Trusted Certificate Authorities
Chapter 4: X.509 Certificates
Certificate Fields
Certificate Extensions
Type of Certificates
Standard
Wildcard Certificates
SAN/UCC Certificates
Client Certificates
Code Signing Certificates
Chapter 5: Vulnerabilities and Flaws
Key Size
MITM Attack
Upstream Compromise
Key Escrow
Proxies/Middleboxes
Digital Signature Forgery
SSL Stripping
Well-Known Attacks
POODLE
Heartbleed
DROWN
CRIME, and BREACH
Targeted Nationstate Attacks
Quantum Computing
Chapter 6: Implementation
A Plethora of File Formats and Extensions
Base64 or Binary?
Public Key, Private Key, or both?
Windows SCHANNEL
Java Keystores
*nix Conventions
PKCS #7 and PKCS #12
Private Key Storage
Hardware Security Module (HSM)
DPAPI
File System ACLs
Chapter 7: OpenSSL
Setup and Using OpenSSL
Windows
Mac
Linux
Common Commands
Generating a Self Signed Certificate
Generating a CSR for third party signature
Converting a Binary certificate into a Base64 certificate
Converting a Base64 certificate into a Binary certificate
Splitting a PKCS12 (PFX) into its component public and private keys
Combining a Base64 public and private key into a PKCS12 (PFX)
Display certificates from a remote system
Generating Diffie-Hellman parameters
Checking key, file, and CSR association
Chapter 8: HTTP/2 and HTTP/3
Exciting new features
The HTTPS Everywhere Movement
Chapter 9: Quick-Start Configuration
Apache
NGINX
Microsoft Windows and IIS
SCHANNEL Registry changes
Java and Tomcat
cPanel
Terminology
Introduction: Scope and Audience
SSL/TLS is an inherently complex topic; there are many resources and guides available that explain how to do something, but very few that discuss why. This book seeks to address that gap, and in such a way that a beginner could pick it up, read it cover to cover, and at least start to put together a mental map of the different facets of cryptography. SSL/TLS must be accessible to everyone because it is foundational to our modern online world. We need it to check our bank accounts, to talk to our friends online, and to compete in business. Though this book has been written for the beginner, meticulous attention has been paid to the layout so that an experienced professional can still find value in it as a desk reference. Finally, while it would be nice if this book serves a need, it is more important that it shares a passion. Each chapter has been written and re-written with this in mind.
Feedback is greatly welcomed from our readers, and we will strive to keep it up-to-date and relevant. You may contact Paul via email [email protected] with any recommendations, ideas and general feedback.
About the Authors
Paul Baka
With over a decade of experience in web and online security, Paul has dedicated his career to ensuring that this sometimes complicated field is made accessible to those looking to secure their online privacy. With an intricate network of peers in the industry, Paul has not only built up his own knowledge and skill in this area, he has had the benefit of drawing knowledge from this network of field specialists. As an entrepreneur Paul has created multiple successful start-ups with a focus on the privacy of individuals and businesses alike.
When not dedicating himself to his work, Paul enjoys his time with family and friends, travelling and adventuring. The snow on the mountains of Japan, Canada and Australia is regularly carved by his well-worn snowboard.
Jeremy Schatten
As a Systems Administrator with a background in Computer Science, Jeremy has never been able to pick between designing infrastructure and writing code. This inspired a lifelong fascination with digital cryptography as, like Jeremy, it has a foot in two worlds. Other than SSL/TLS, Jeremy’s areas of technical expertise include Enterprise Storage, Virtualization, and software deployment pipelines. Unlike Paul, Jeremy is an avid indoorsman, and spends his non-screen time cooking, reading, and baking bread. He lives in Rockville, Maryland with his partner Kate and their cat Dorian Gray.
Chapter 1
SSL, TLS and Cryptography
Cryptography
Cryptography is the practice of creating and solving codes. It predates the earliest computers by over 1000 years! It can be used to hide important messages so that they can only be read by the intended recipient. In fact, any attempt at obfuscating a message qualifies as a form of cryptography. One famous example of a cryptographic scheme is often performed by school children: milk (from the dairy aisle) is applied to a piece of paper with a Q-Tip in order to form letters. These letters are invisible unless the paper is