REVIEW: "SSL and TLS: Theory and Practice", Rolf Oppliger
- BKSSLTTP.RVW 20091129
"SSL and TLS: Theory and Practice", Rolf Oppliger, 2009,
%A Rolf Oppliger rolf.oppliger@...
%C 685 Canton St., Norwood, MA 02062
%G 978-1-59693-447-4 1-59693-447-6
%I Artech House/Horizon
%O 617-769-9750 800-225-9977 artech@...
%O Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
%P 257 p.
%T "SSL and TLS: Theory and Practice"
The preface states that the book is intended to update the existing
literature on SSL (Secure Sockets Layer) and TLS (Transport Layer
Security), and to provide a design level understanding of the
protocols. (Oppliger does not address issues of implementation or
specific products.) The work assumes a basic understanding of TCP/IP,
the Internet standards process, and cryptography, although some
fundamental cryptographic principles are given.
Chapter one is a basic introduction to security and some related
concepts. The author uses the definition of security architecture
from RFC 2828 to provide a useful starting point and analogy. The
five security services listed in ISO 7498-2 and X.800 (authentication,
access control, confidentiality, integrity, and nonrepudiation) are
clearly defined, and the resultant specific and pervasive security
mechanisms are mentioned. In chapter two, Oppliger gives a brief
overview of a number of cryptologic terms and concepts, but some (such
as steganography) may not be relevant to examination of the SSL and
TLS protocols. (There is also a slight conflict: in chapter one, a
secure system is defined as one that is proof against a specific and
defined threat, whereas, in chapter two, this is seen as conditional
security.) The author's commentary is, as in all his works, clear and
insightful, but the cryptographic theory provided does go well beyond
what is required for this topic.
Chapter three, although entitled "Transport Layer Security," is
basically a history of both SSL and TLS. SSL is examined in terms of
the protocols, structures, and messages, in chapter four. There is
also a quick analysis of the structural strength of the specification.
Since TLS is derived from SSL, the material in chapter five
concentrates on the differences between SSL 3.0 and TLS 1.0, and then
looks at algorithmic options for TLS 1.1 and 1.2. DTLS (Datagram
Transport Layer Security), for UDP (User Datagram Protocol), is
described briefly in chapter six, and seems to simply add sequence
numbers to UDP, with some additional provision for security cookie
exchanges. Chapter seven notes the use of SSL for VPN (virtual
private network) tunneling. Chapter eight reviews some aspects of
public key certificates, but provides little background for full
implementation of PKI (Public Key Infrastructure). As a finishing
touch, chapter nine notes the sidejacking attacks, concerns about
man-in-the-middle (MITM) attacks (quite germane, at the moment), and notes
that we should move from certificate-based PKI to a trust and
privilege management infrastructure (PMI).
In relatively few pages, Oppliger has provided background,
introduction, and technical details of the SSL and TLS variants you
are likely to encounter. The material is clear, well structured, and
easily accessible. He has definitely enhanced the literature, not
only of TLS, but also of security in general.
copyright Robert M. Slade, 2009 BKSSLTTP.RVW 20091129