learning SSL/TLS

Question

I am looking forward to learn more on implementing SSL/TLS, can anyone of you suggest me a good source to learn about it? For now I only have basic knowledge about it such as what is SSL and how it works.

Thanks.

Answer 1

To get a first working prototype:

1. Choose some convenient programming language, that offers the primitives you need: network support, easy byte-by-byte manipulations... The language should offer implementations of the basic cryptographic primitives, or else you will have to reimplement them yourself. C# or Java are adequate; Excel macros a lot less so. You should have some good prior knowledge of the language.

2. Get a compatible implementation to test against; choose an opensource one like OpenSSL or GnuTLS, that can work both as a client and server, produce tons of debugging output, and, crucially, that you can modify to dump intermediate values. For your first SSL implementation, you will probably spend a lot of times working out what exactly send to SHA-1 and MD5 to get the Finished messages properly.

3. Read the specification for the protocol version you want to implement. There are SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. Choose just one initially; you will extend your code into support for other versions later on. TLS 1.0 is probably the simplest of the four. You may want to also read this answer as a kind of "reading guide for SSL".

4. Concentrate on a couple cipher suites, e.g. TLS_RSA_WITH_RC4_128_SHA and TLS_RSA_WITH_3DES_EDE_CBC_SHA. More options imply more complexity; start small.

5. If you have to implement some cryptographic primitives (e.g. RC4 or SHA-1), do it properly, i.e. as self-contained modules with a clean API. Test them (Google up for test vectors). You cannot do some reasonable implementation work unless you have reliable tools. Using already implemented algorithms (either from the programming framework you use, or an external library) will help you greatly.

6. Remember that writing your own SSL is for learning, not for using in production. It is a very good way to get some understanding of how things work. However, production code requires a lot of care, especially with regards to side-channel attacks. Experience has repeatedly shown that implementations get sufficiently robust only through years of experience and testing and fixing.

   Knowing the internals of SSL is a good skill that will serve you well. You can build an entire career interpreting SSL traces obtained with some network monitor tool (that's the modern Oracle way, and even incense sticks are optional).