REVIEW: "SSL and TLS: Theory and Practice", Rolf Oppliger

Discussion in 'Computer Security' started by Rob Slade, doting grandpa of Ryan and Trevor, Jul 8, 2010.

  BKSSLTTP.RVW 20091129

    "SSL and TLS: Theory and Practice", Rolf Oppliger, 2009,
    978-1-59693-447-4
    %A Rolf Oppliger
    %C 685 Canton St., Norwood, MA 02062
    %D 2009
    %G 978-1-59693-447-4 1-59693-447-6
    %I Artech House/Horizon
    %O 617-769-9750 800-225-9977
    %O http://books.esecurity.ch/ssltls.html
    %O http://www.amazon.com/exec/obidos/ASIN/1596934476/robsladesinterne
    %O http://www.amazon.co.uk/exec/obidos/ASIN/1596934476/robsladesinte-21
    %O http://www.amazon.ca/exec/obidos/ASIN/1596934476/robsladesin03-20
    %O Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
    %P 257 p.
    %T "SSL and TLS: Theory and Practice"

    The preface states that the book is intended to update the existing
    literature on SSL (Secure Sockets Layer) and TLS (Transport Layer
    Security), and to provide a design level understanding of the
    protocols. (Oppliger does not address issues of implementation or
    specific products.) The work assumes a basic understanding of TCP/IP,
    the Internet standards process, and cryptography, although some
    fundamental cryptographic principles are given.

    Chapter one is a basic introduction to security and some related
    concepts. The author uses the definition of security architecture
    from RFC 2828 to provide a useful starting point and analogy. The
    five security services listed in ISO 7498-2 and X.800 (authentication,
    access control, confidentiality, integrity, and nonrepudiation) are
    clearly defined, and the resultant specific and pervasive security
    mechanisms are mentioned. In chapter two, Oppliger gives a brief
    overview of a number of cryptologic terms and concepts, but some (such
    as steganography) may not be relevant to examination of the SSL and
    TLS protocols. (There is also a slight conflict: in chapter one, a
    secure system is defined as one that is proof against a specific and
    defined threat, whereas, in chapter two, this is seen as conditional
    security.) The author's commentary is, as in all his works, clear and
    insightful, but the cryptographic theory provided does go well beyond
    what is required for this topic.

    Chapter three, although entitled "Transport Layer Security," is
    basically a history of both SSL and TLS. SSL is examined in terms of
    the protocols, structures, and messages, in chapter four. There is
    also a quick analysis of the structural strength of the specification.
    Since TLS is derived from SSL, the material in chapter five
    concentrates on the differences between SSL 3.0 and TLS 1.0, and then
    looks at algorithmic options for TLS 1.1 and 1.2. DTLS (Datagram
    Transport Layer Security), for UDP (User Datagram Protocol), is
    described briefly in chapter six, and seems to simply add sequence
    numbers to UDP, with some additional provision for security cookie
    exchanges. Chapter seven notes the use of SSL for VPN (virtual
    private network) tunneling. Chapter eight reviews some aspects of
    public key certificates, but provides little background for full
    implementation of PKI (Public Key Infrastructure). As a finishing
    touch, chapter nine notes the sidejacking attacks, concerns about
    man-in-the-middle (MITM) attacks (quite germane, at the moment), and notes
    that we should move from certificate based PKI to a trust and
    privilege management infrastructure (PMI).

    In relatively few pages, Oppliger has provided background,
    introduction, and technical details of the SSL and TLS variants you
    are likely to encounter. The material is clear, well structured, and
    easily accessible. He has definitely enhanced the literature, not
    only of TLS, but also of security in general.

    copyright Robert M. Slade, 2009 BKSSLTTP.RVW 20091129

    --
    ======================

    "Dictionary of Information Security," Syngress 1597491152
    http://blogs.securiteam.com/index.php/archives/author/p1/
    http://blog.isc2.org/isc2_blog/slade/index.html
    http://twitter.com/rslade http://twitter.com/NoticeBored
    ============= for back issues:
    [Base URL] site http://victoria.tc.ca/techrev/
    CISSP refs: [Base URL]mnbksccd.htm
    Book reviews: [Base URL]mnbk.htm
    Review mailing list: send mail to
    or