REVIEW: "SSL and TLS: Theory and Practice", Rolf Oppliger

Discussion in 'Computer Security' started by Rob Slade, doting grandpa of Ryan and Trevor, Jul 8, 2010.

  BKSSLTTP.RVW 20091129

    "SSL and TLS: Theory and Practice", Rolf Oppliger, 2009,
    %A Rolf Oppliger
    %C 685 Canton St., Norwood, MA 02062
    %D 2009
    %G 978-1-59693-447-4 1-59693-447-6
    %I Artech House/Horizon
    %O 617-769-9750 800-225-9977
    %O Audience i+ Tech 3 Writing 2 (see revfaq.htm for explanation)
    %P 257 p.
    %T "SSL and TLS: Theory and Practice"

    The preface states that the book is intended to update the existing
    literature on SSL (Secure Sockets Layer) and TLS (Transport Layer
    Security), and to provide a design level understanding of the
    protocols. (Oppliger does not address issues of implementation or
    specific products.) The work assumes a basic understanding of TCP/IP,
    the Internet standards process, and cryptography, although some
    fundamental cryptographic principles are given.

    Chapter one is a basic introduction to security and some related
    concepts. The author uses the definition of security architecture
    from RFC 2828 to provide a useful starting point and analogy. The
    five security services listed in ISO 7498-2 and X.800 (authentication,
    access control, confidentiality, integrity, and nonrepudiation) are
    clearly defined, and the resultant specific and pervasive security
    mechanisms are mentioned. In chapter two, Oppliger gives a brief
    overview of a number of cryptologic terms and concepts, but some (such
    as steganography) may not be relevant to examination of the SSL and
    TLS protocols. (There is also a slight conflict: in chapter one, a
    secure system is defined as one that is proof against a specific and
    defined threat, whereas, in chapter two, this is seen as conditional
    security.) The author's commentary is, as in all his works, clear and
    insightful, but the cryptographic theory provided does go well beyond
    what is required for this topic.

    Chapter three, although entitled "Transport Layer Security," is
    basically a history of both SSL and TLS. SSL is examined in terms of
    the protocols, structures, and messages, in chapter four. There is
    also a quick analysis of the structural strength of the specification.
    Since TLS is derived from SSL, the material in chapter five
    concentrates on the differences between SSL 3.0 and TLS 1.0, and then
    looks at algorithmic options for TLS 1.1 and 1.2. DTLS (Datagram
    Transport Layer Security), for UDP (User Datagram Protocol), is
    described briefly in chapter six, and seems to simply add sequence
    numbers to UDP, with some additional provision for security cookie
    exchanges. Chapter seven notes the use of SSL for VPN (virtual
    private network) tunneling. Chapter eight reviews some aspects of
    public key certificates, but provides little background for full
    implementation of PKI (Public Key Infrastructure). As a finishing
    touch, chapter nine notes the sidejacking attacks, concerns about
    man-in-the-middle (MITM) attacks (quite germane, at the moment), and notes
    that we should move from certificate based PKI to a trust and
    privilege management infrastructure (PMI).

    In relatively few pages, Oppliger has provided background,
    introduction, and technical details of the SSL and TLS variants you
    are likely to encounter. The material is clear, well structured, and
    easily accessible. He has definitely enhanced the literature, not
    only of TLS, but also of security in general.

    copyright Robert M. Slade, 2009 BKSSLTTP.RVW 20091129


    "Dictionary of Information Security," Syngress 1597491152
    ============= for back issues:
    [Base URL] site
    CISSP refs: [Base URL]mnbksccd.htm
    Book reviews: [Base URL]mnbk.htm
    Review mailing list: send mail to
