Log In
Or create an account ->
Imperial Library
Home
About
News
Upload
Forum
Help
Login/SignUp
Index
Secure Programming Cookbook for C and C++
SPECIAL OFFER: Upgrade this ebook with O’Reilly
A Note Regarding Supplemental Files
Foreword
Preface
More Than Just a Book
We Can't Do It All
Organization of This Book
Recipe Compatibility
Conventions Used in This Book
Comments and Questions
Acknowledgments
1. Safe Initialization
1.1. Sanitizing the Environment
1.1.1. Problem
1.1.2. Solution
1.1.3. Discussion
1.1.4. See Also
1.2. Restricting Privileges on Windows
1.2.1. Problem
1.2.2. Solution
1.2.3. Discussion
1.2.3.1. Creating restricted tokens
1.2.3.2. Modifying a process's primary token
1.2.3.3. Working with SID_AND_ATTRIBUTES structures
1.2.3.4. Working with LUID_AND_ATTRIBUTES structures
1.2.4. See Also
1.3. Dropping Privileges in setuid Programs
1.3.1. Problem
1.3.2. Solution
1.3.3. Discussion
1.3.4. See Also
1.4. Limiting Risk with Privilege Separation
1.4.1. Problem
1.4.2. Solution
1.4.3. Discussion
1.4.3.1. Privilege separation
1.4.3.2. A privilege separation library: privman
1.4.4. See Also
1.5. Managing File Descriptors Safely
1.5.1. Problem
1.5.2. Solution
1.5.3. Discussion
1.6. Creating a Child Process Securely
1.6.1. Problem
1.6.2. Solution
1.6.3. Discussion
1.6.4. See Also
1.7. Executing External Programs Securely
1.7.1. Problem
1.7.2. Solution
1.7.3. Discussion
1.7.4. See Also
1.8. Executing External Programs Securely
1.8.1. Problem
1.8.2. Solution
1.8.3. Discussion
1.9. Disabling Memory Dumps in the Event of a Crash
1.9.1. Problem
1.9.2. Solution
1.9.3. Discussion
1.9.4. See Also
2. Access Control
2.1. Understanding the Unix Access Control Model
2.1.1. Problem
2.1.2. Solution
2.1.3. Discussion
2.1.3.1. The sticky bit
2.1.3.2. The setuid bit
2.1.3.3. The setgid bit
2.1.4. See Also
2.2. Understanding the Windows Access Control Model
2.2.1. Problem
2.2.2. Solution
2.2.3. Discussion
2.3. Determining Whether a User Has Access to a File on Unix
2.3.1. Problem
2.3.2. Solution
2.3.3. Discussion
2.4. Determining Whether a Directory Is Secure
2.4.1. Problem
2.4.2. Solution
2.4.3. Discussion
2.5. Erasing Files Securely
2.5.1. Problem
2.5.2. Solution
2.5.3. Discussion
2.5.4. See Also
2.6. Accessing File Information Securely
2.6.1. Problem
2.6.2. Solution
2.6.3. Discussion
2.6.4. See Also
2.7. Restricting Access Permissions for New Files on Unix
2.7.1. Problem
2.7.2. Solution
2.7.3. Discussion
2.7.4. See Also
2.8. Locking Files
2.8.1. Problem
2.8.2. Solution
2.8.3. Discussion
2.8.3.1. Locking files on Unix
2.8.3.2. Locking files on Windows
2.9. Synchronizing Resource Access Across Processes on Unix
2.9.1. Problem
2.9.2. Solution
2.9.3. Discussion
2.9.4. See Also
2.10. Synchronizing Resource Access Across Processes on Windows
2.10.1. Problem
2.10.2. Solution
2.10.3. Discussion
2.10.4. See Also
2.11. Creating Files for Temporary Use
2.11.1. Problem
2.11.2. Solution
2.11.3. Discussion
2.11.3.1. Temporary files on Unix
2.11.3.2. Temporary files on Windows
2.11.4. See Also
2.12. Restricting Filesystem Access on Unix
2.12.1. Problem
2.12.2. Solution
2.12.3. Discussion
2.13. Restricting Filesystem and Network Access on FreeBSD
2.13.1. Problem
2.13.2. Solution
2.13.3. Discussion
2.13.4. See Also
3. Input Validation
3.1. Understanding Basic Data Validation Techniques
3.1.1. Problem
3.1.2. Solution
3.1.3. Discussion
3.1.4. See Also
3.2. Preventing Attacks on Formatting Functions
3.2.1. Problem
3.2.2. Solution
3.2.3. Discussion
3.2.4. See Also
3.3. Preventing Buffer Overflows
3.3.1. Problem
3.3.2. Solution
3.3.3. Discussion
3.3.3.1. String handling
3.3.3.2. Using C++
3.3.3.3. Stack protection technologies
3.3.4. See Also
3.4. Using the SafeStr Library
3.4.1. Problem
3.4.2. Solution
3.4.3. Discussion
3.4.4. See Also
3.5. Preventing Integer Coercion and Wrap-Around Problems
3.5.1. Problem
3.5.2. Solution
3.5.3. Discussion
3.5.3.1. Signed-to-unsigned coercion
3.5.3.2. Unsigned-to-signed coercion
3.5.3.3. Size mismatches
3.5.3.4. Wrap-around
3.5.4. See Also
3.6. Using Environment Variables Securely
3.6.1. Problem
3.6.2. Solution
3.6.3. Discussion
3.6.3.1. Obtaining the value of an environment variable
3.6.3.2. Changing the value of an environment variable
3.6.3.3. Deleting an environment variable
3.6.4. See Also
3.7. Validating Filenames and Paths
3.7.1. Problem
3.7.2. Solution
3.7.3. Discussion
3.8. Evaluating URL Encodings
3.8.1. Problem
3.8.2. Solution
3.8.3. Discussion
3.8.4. See Also
3.9. Validating Email Addresses
3.9.1. Problem
3.9.2. Solution
3.9.3. Discussion
3.9.4. See Also
3.10. Preventing Cross-Site Scripting
3.10.1. Problem
3.10.2. Solution
3.10.3. Discussion
3.11. Preventing SQL Injection Attacks
3.11.1. Problem
3.11.2. Solution
3.11.3. Discussion
3.12. Detecting Illegal UTF-8 Characters
3.12.1. Problem
3.12.2. Solution
3.12.3. Discussion
3.13. Preventing File Descriptor Overflows When Using select( )
3.13.1. Problem
3.13.2. Solution
3.13.3. Discussion
3.13.4. See Also
4. Symmetric Cryptography Fundamentals
4.1. Representing Keys for Use in Cryptographic Algorithms
4.1.1. Problem
4.1.2. Solution
4.1.3. Discussion
4.1.4. See Also
4.2. Generating Random Symmetric Keys
4.2.1. Problem
4.2.2. Solution
4.2.3. Discussion
4.2.4. See Also
4.3. Representing Binary Keys (or Other Raw Data) as Hexadecimal
4.3.1. Problem
4.3.2. Solution
4.3.3. Discussion
4.4. Turning ASCII Hex Keys (or Other ASCII Hex Data) into Binary
4.4.1. Problem
4.4.2. Solution
4.4.3. Discussion
4.5. Performing Base64 Encoding
4.5.1. Problem
4.5.2. Solution
4.5.3. Discussion
4.5.4. See Also
4.6. Performing Base64 Decoding
4.6.1. Problem
4.6.2. Solution
4.6.3. Discussion
4.6.4. See Also
4.7. Representing Keys (or Other Binary Data) as English Text
4.7.1. Problem
4.7.2. Solution
4.7.3. Discussion
4.7.4. See Also
4.8. Converting Text Keys to Binary Keys
4.8.1. Problem
4.8.2. Solution
4.8.3. Discussion
4.8.4. See Also
4.9. Using Salts, Nonces, and Initialization Vectors
4.9.1. Problem
4.9.2. Solution
4.9.3. Discussion
4.9.3.1. Salts
4.9.3.2. Nonces
4.9.3.3. Initialization vectors (IVs)
4.9.4. See Also
4.10. Deriving Symmetric Keys from a Password
4.10.1. Problem
4.10.2. Solution
4.10.3. Discussion
4.10.4. See Also
4.11. Algorithmically Generating Symmetric Keys from One Base Secret
4.11.1. Problem
4.11.2. Solution
4.11.3. Discussion
4.11.4. See Also
4.12. Encrypting in a Single Reduced Character Set
4.12.1. Problem
4.12.2. Solution
4.12.3. Discussion
4.12.4. See Also
4.13. Managing Key Material Securely
4.13.1. Problem
4.13.2. Solution
4.13.3. See Also
4.14. Timing Cryptographic Primitives
4.14.1. Problem
4.14.2. Solution
4.14.3. Discussion
4.14.3.1. Timing basics
4.14.3.2. Timing cryptographic code
5. Symmetric Encryption
5.1. Deciding Whether to Use Multiple Encryption Algorithms
5.1.1. Problem
5.1.2. Solution
5.1.3. Discussion
5.1.4. See Also
5.2. Figuring Out Which Encryption Algorithm Is Best
5.2.1. Problem
5.2.2. Solution
5.2.3. Discussion
5.2.4. See Also
5.3. Selecting an Appropriate Key Length
5.3.1. Problem
5.3.2. Solution
5.3.3. Discussion
5.3.4. See Also
5.4. Selecting a Cipher Mode
5.4.1. Problem
5.4.2. Solution
5.4.3. Discussion
5.4.3.1. Electronic Code Book (ECB) mode
5.4.3.2. Cipher Block Chaining (CBC) mode
5.4.3.3. Counter (CTR) mode
5.4.3.4. Output Feedback (OFB) mode
5.4.3.5. Cipher Feedback (CFB) mode
5.4.3.6. Carter-Wegman + CTR (CWC) mode
5.4.3.7. Offset Codebook (OCB) mode
5.4.3.8. CTR plus CBC-MAC (CCM) mode
5.4.4. See Also
5.5. Using a Raw Block Cipher
5.5.1. Problem
5.5.2. Solution
5.5.3. Discussion
5.5.3.1. Brian Gladman's AES implementation
5.5.3.2. OpenSSL block cipher implementations
5.5.4. See Also
5.6. Using a Generic CBC Mode Implementation
5.6.1. Problem
5.6.2. Solution
5.6.3. Discussion
5.6.3.1. The high-level API
5.6.3.2. SPC_CBC_CTX data type
5.6.3.3. Incremental initialization
5.6.3.4. Incremental encrypting
5.6.3.5. Incremental decryption
5.6.4. See Also
5.7. Using a Generic CFB Mode Implementation
5.7.1. Problem
5.7.2. Solution
5.7.3. Discussion
5.7.3.1. The high-level API
5.7.3.2. The incremental API
5.7.4. See Also
5.8. Using a Generic OFB Mode Implementation
5.8.1. Problem
5.8.2. Solution
5.8.3. Discussion
5.8.3.1. The high-level API
5.8.3.2. The incremental API
5.8.4. See Also
5.9. Using a Generic CTR Mode Implementation
5.9.1. Problem
5.9.2. Solution
5.9.3. Discussion
5.9.3.1. The high-level API
5.9.3.2. The incremental API
5.9.4. See Also
5.10. Using CWC Mode
5.10.1. Problem
5.10.2. Solution
5.10.3. Discussion
5.10.4. See Also
5.11. Manually Adding and Checking Cipher Padding
5.11.1. Problem
5.11.2. Solution
5.11.3. Discussion
5.12. Precomputing Keystream in OFB, CTR, CCM, or CWC Modes (or with Stream Ciphers)
5.12.1. Problem
5.12.2. Solution
5.12.3. Discussion
5.13. Parallelizing Encryption and Decryption in Modes That Allow It (Without Breaking Compatibility)
5.13.1. Problem
5.13.2. Solution
5.13.3. Discussion
5.13.4. See Also
5.14. Parallelizing Encryption and Decryption in Arbitrary Modes (Breaking Compatibility)
5.14.1. Problem
5.14.2. Solution
5.14.3. Discussion
5.14.4. See Also
5.15. Performing File or Disk Encryption
5.15.1. Problem
5.15.2. Solution
5.15.3. Discussion
5.15.4. See Also
5.16. Using a High-Level, Error-Resistant Encryption and Decryption API
5.16.1. Problem
5.16.2. Solution
5.16.3. Discussion
5.16.4. See Also
5.17. Performing Block Cipher Setup (for CBC, CFB, OFB, and ECB Modes) in OpenSSL
5.17.1. Problem
5.17.2. Solution
5.17.3. Discussion
5.17.4. See Also
5.18. Using Variable Key-Length Ciphers in OpenSSL
5.18.1. Problem
5.18.2. Solution
5.18.3. Discussion
5.19. Disabling Cipher Padding in OpenSSL in CBC Mode
5.19.1. Problem
5.19.2. Solution
5.19.3. Discussion
5.20. Performing Additional Cipher Setup in OpenSSL
5.20.1. Problem
5.20.2. Solution
5.20.3. Discussion
5.21. Querying Cipher Configuration Properties in OpenSSL
5.21.1. Problem
5.21.2. Solution
5.21.3. Discussion
5.22. Performing Low-Level Encryption and Decryption with OpenSSL
5.22.1. Problem
5.22.2. Solution
5.22.3. Discussion
5.22.4. See Also
5.23. Setting Up and Using RC4
5.23.1. Problem
5.23.2. Solution
5.23.3. Discussion
5.24. Using One-Time Pads
5.24.1. Problem
5.24.2. Solution
5.24.3. Discussion
5.24.4. See Also
5.25. Using Symmetric Encryption with Microsoft's CryptoAPI
5.25.1. Problem
5.25.2. Solution
5.25.3. Discussion
5.25.4. See Also
5.26. Creating a CryptoAPI Key Object from Raw Key Data
5.26.1. Problem
5.26.2. Solution
5.26.3. Discussion
5.26.4. See Also
5.27. Extracting Raw Key Data from a CryptoAPI Key Object
5.27.1. Problem
5.27.2. Solution
5.27.3. Discussion
5.27.4. See Also
6. Hashes and Message Authentication
6.1. Understanding the Basics of Hashes and MACs
6.1.1. Problem
6.1.2. Solution
6.1.3. Discussion
6.1.3.1. Types of primitives
6.1.3.2. Attacks against one-way constructs
6.1.4. See Also
6.2. Deciding Whether to Support Multiple Message Digests or MACs
6.2.1. Problem
6.2.2. Solution
6.2.3. Discussion
6.2.4. See Also
6.3. Choosing a Cryptographic Hash Algorithm
6.3.1. Problem
6.3.2. Solution
6.3.3. Discussion
6.3.4. See Also
6.4. Choosing a Message Authentication Code
6.4.1. Problem
6.4.2. Solution
6.4.3. Discussion
6.4.4. See Also
6.5. Incrementally Hashing Data
6.5.1. Problem
6.5.2. Solution
6.5.3. Discussion
6.5.4. See Also
6.6. Hashing a Single String
6.6.1. Problem
6.6.2. Solution
6.6.3. Discussion
6.6.4. See Also
6.7. Using a Cryptographic Hash
6.7.1. Problem
6.7.2. Solution
6.7.3. Discussion
6.7.4. See Also
6.8. Using a Nonce to Protect Against Birthday Attacks
6.8.1. Problem
6.8.2. Solution
6.8.3. Discussion
6.8.4. See Also
6.9. Checking Message Integrity
6.9.1. Problem
6.9.2. Solution
6.9.3. Discussion
6.9.4. See Also
6.10. Using HMAC
6.10.1. Problem
6.10.2. Solution
6.10.3. Discussion
6.10.4. See Also
6.11. Using OMAC (a Simple Block Cipher-Based MAC)
6.11.1. Problem
6.11.2. Solution
6.11.3. Discussion
6.11.4. See Also
6.12. Using HMAC or OMAC with a Nonce
6.12.1. Problem
6.12.2. Solution
6.12.3. Discussion
6.12.4. See Also
6.13. Using a MAC That's Reasonably Fast in Software and Hardware
6.13.1. Problem
6.13.2. Solution
6.13.3. Discussion
6.13.4. See Also
6.14. Using a MAC That's Optimized for Software Speed
6.14.1. Problem
6.14.2. Solution
6.14.3. Discussion
6.14.4. See Also
6.15. Constructing a Hash Function from a Block Cipher
6.15.1. Problem
6.15.2. Solution
6.15.3. Discussion
6.15.4. See Also
6.16. Using a Block Cipher to Build a Full-Strength Hash Function
6.16.1. Problem
6.16.2. Solution
6.16.3. Discussion
6.17. Using Smaller MAC Tags
6.17.1. Problem
6.17.2. Solution
6.17.3. Discussion
6.18. Making Encryption and Message Integrity Work Together
6.18.1. Problem
6.18.2. Solution
6.18.3. Discussion
6.18.4. See Also
6.19. Making Your Own MAC
6.19.1. Problem
6.19.2. Solution
6.19.3. Discussion
6.19.4. See Also
6.20. Encrypting with a Hash Function
6.20.1. Problem
6.20.2. Solution
6.20.3. Discussion
6.20.4. See Also
6.21. Securely Authenticating a MAC (Thwarting Capture Replay Attacks)
6.21.1. Problem
6.21.2. Solution
6.21.3. Discussion
6.21.4. See Also
6.22. Parallelizing MACs
6.22.1. Problem
6.22.2. Solution
6.22.3. Discussion
6.22.4. See Also
7. Public Key Cryptography
7.1. Determining When to Use Public Key Cryptography
7.1.1. Problem
7.1.2. Solution
7.1.3. Discussion
7.1.4. See Also
7.2. Selecting a Public Key Algorithm
7.2.1. Problem
7.2.2. Solution
7.2.3. Discussion
7.2.4. See Also
7.3. Selecting Public Key Sizes
7.3.1. Problem
7.3.2. Solution
7.3.3. Discussion
7.4. Manipulating Big Numbers
7.4.1. Problem
7.4.2. Solution
7.4.3. Discussion
7.4.3.1. Initialization and cleanup
7.4.3.2. Assigning to BIGNUM objects
7.4.3.3. Getting BIGNUM objects with random values
7.4.3.4. Outputting BIGNUM objects
7.4.3.5. Common tests on BIGNUM objects
7.4.3.6. Math operations on BIGNUM objects
7.4.4. See Also
7.5. Generating a Prime Number (Testing for Primality)
7.5.1. Problem
7.5.2. Solution
7.5.3. Discussion
7.5.4. See Also
7.6. Generating an RSA Key Pair
7.6.1. Problem
7.6.2. Solution
7.6.3. Discussion
7.6.4. See Also
7.7. Disentangling the Public and Private Keys in OpenSSL
7.7.1. Problem
7.7.2. Solution
7.7.3. Discussion
7.8. Converting Binary Strings to Integers for Use with RSA
7.8.1. Problem
7.8.2. Solution
7.8.3. Discussion
7.8.4. See Also
7.9. Converting Integers into Binary Strings for Use with RSA
7.9.1. Problem
7.9.2. Solution
7.9.3. Discussion
7.10. Performing Raw Encryption with an RSA Public Key
7.10.1. Problem
7.10.2. Solution
7.10.3. Discussion
7.10.4. See Also
7.11. Performing Raw Decryption Using an RSA Private Key
7.11.1. Problem
7.11.2. Solution
7.11.3. Discussion
7.11.4. See Also
7.12. Signing Data Using an RSA Private Key
7.12.1. Problem
7.12.2. Solution
7.12.3. Discussion
7.13. Verifying Signed Data Using an RSA Public Key
7.13.1. Problem
7.13.2. Solution
7.13.3. Discussion
7.13.4. See Also
7.14. Securely Signing and Encrypting with RSA
7.14.1. Problem
7.14.2. Solution
7.14.3. Discussion
7.14.4. See Also
7.15. Using the Digital Signature Algorithm (DSA)
7.15.1. Problem
7.15.2. Solution
7.15.3. Discussion
7.15.4. See Also
7.16. Representing Public Keys and Certificates in Binary (DER Encoding)
7.16.1. Problem
7.16.2. Solution
7.16.3. Discussion
7.16.4. See Also
7.17. Representing Keys and Certificates in Plaintext (PEM Encoding)
7.17.1. Problem
7.17.2. Solution
7.17.3. Discussion
7.17.4. See Also
8. Authentication and Key Exchange
8.1. Choosing an Authentication Method
8.1.1. Problem
8.1.2. Solution
8.1.3. Discussion
8.1.3.1. Traditional UNIX crypt( )
8.1.3.2. MD5 Modular Crypt Format (a.k.a. md5crypt or MD5-MCF)
8.1.3.3. PBKDF2
8.1.3.4. S/KEY and OPIE
8.1.3.5. CRAM
8.1.3.6. Digest-Auth (RFC 2617)
8.1.3.7. SRP
8.1.3.8. Basic public key exchange
8.1.3.9. SAX
8.1.3.10. PAX
8.1.3.11. Kerberos
8.1.3.12. Windows NT LAN Manager (NTLM)
8.1.3.13. SSL certificate-based checking
8.1.4. See Also
8.2. Getting User and Group Information on Unix
8.2.1. Problem
8.2.2. Solution
8.2.3. Discussion
8.3. Getting User and Group Information on Windows
8.3.1. Problem
8.3.2. Solution
8.3.3. Discussion
8.4. Restricting Access Based on Hostname or IP Address
8.4.1. Problem
8.4.2. Solution
8.4.3. Discussion
8.5. Generating Random Passwords and Passphrases
8.5.1. Problem
8.5.2. Solution
8.5.3. Discussion
8.5.4. See Also
8.6. Testing the Strength of Passwords
8.6.1. Problem
8.6.2. Solution
8.6.3. Discussion
8.6.4. See Also
8.7. Prompting for a Password
8.7.1. Problem
8.7.2. Solution
8.7.3. Discussion
8.7.3.1. Prompting for a password on Unix using getpass( ) or readpassphrase( )
8.7.3.2. Prompting for a password on Unix without getpass( ) or readpassphrase( )
8.7.3.3. Prompting for a password on Windows
8.8. Throttling Failed Authentication Attempts
8.8.1. Problem
8.8.2. Solution
8.8.3. Discussion
8.9. Performing Password-Based Authentication with crypt( )
8.9.1. Problem
8.9.2. Solution
8.9.3. Discussion
8.9.4. See Also
8.10. Performing Password-Based Authentication with MD5-MCF
8.10.1. Problem
8.10.2. Solution
8.10.3. Discussion
8.10.4. See Also
8.11. Performing Password-Based Authentication with PBKDF2
8.11.1. Problem
8.11.2. Solution
8.11.3. Discussion
8.11.4. See Also
8.12. Authenticating with PAM
8.12.1. Problem
8.12.2. Solution
8.12.3. Discussion
8.12.4. See Also
8.13. Authenticating with Kerberos
8.13.1. Problem
8.13.2. Solution
8.13.3. Discussion
8.13.4. See Also
8.14. Authenticating with HTTP Cookies
8.14.1. Problem
8.14.2. Solution
8.14.3. Discussion
8.14.4. See Also
8.15. Performing Password-Based Authentication and Key Exchange
8.15.1. Problem
8.15.2. Solution
8.15.3. Discussion
8.15.3.1. The server
8.15.3.2. The client
8.15.4. See Also
8.16. Performing Authenticated Key Exchange Using RSA
8.16.1. Problem
8.16.2. Solution
8.16.3. Discussion
8.16.4. See Also
8.17. Using Basic Diffie-Hellman Key Agreement
8.17.1. Problem
8.17.2. Solution
8.17.3. Discussion
8.17.4. See Also
8.18. Using Diffie-Hellman and DSA Together
8.18.1. Problem
8.18.2. Solution
8.18.3. Discussion
8.18.4. See Also
8.19. Minimizing the Window of Vulnerability When Authenticating Without a PKI
8.19.1. Problem
8.19.2. Solution
8.19.3. Discussion
8.19.4. See Also
8.20. Providing Forward Secrecy in a Symmetric System
8.20.1. Problem
8.20.2. Solution
8.20.3. Discussion
8.20.4. See Also
8.21. Ensuring Forward Secrecy in a Public Key System
8.21.1. Problem
8.21.2. Solution
8.21.3. Discussion
8.21.4. See Also
8.22. Confirming Requests via Email
8.22.1. Problem
8.22.2. Solution
8.22.3. Discussion
8.22.4. See Also
9. Networking
9.1. Creating an SSL Client
9.1.1. Problem
9.1.2. Solution
9.1.3. Discussion
9.1.4. See Also
9.2. Creating an SSL Server
9.2.1. Problem
9.2.2. Solution
9.2.3. Discussion
9.2.4. See Also
9.3. Using Session Caching to Make SSL Servers More Efficient
9.3.1. Problem
9.3.2. Solution
9.3.3. Discussion
9.3.4. See Also
9.4. Securing Web Communication on Windows Using the WinInet API
9.4.1. Problem
9.4.2. Solution
9.4.3. Discussion
9.4.4. See Also
9.5. Enabling SSL without Modifying Source Code
9.5.1. Problem
9.5.2. Solution
9.5.3. Discussion
9.5.4. See Also
9.6. Using Kerberos Encryption
9.6.1. Problem
9.6.2. Solution
9.6.3. Discussion
9.6.4. See Also
9.7. Performing Interprocess Communication Using Sockets
9.7.1. Problem
9.7.2. Solution
9.7.3. Discussion
9.7.4. See Also
9.8. Performing Authentication with Unix Domain Sockets
9.8.1. Problem
9.8.2. Solution
9.8.3. Discussion
9.9. Performing Session ID Management
9.9.1. Problem
9.9.2. Solution
9.9.3. Discussion
9.9.4. See Also
9.10. Securing Database Connections
9.10.1. Problem
9.10.2. Solution
9.10.3. Discussion
9.10.3.1. MySQL
9.10.3.2. PostgreSQL
9.10.4. See Also
9.11. Using a Virtual Private Network to Secure Network Connections
9.11.1. Problem
9.11.2. Solution
9.11.3. Discussion
9.12. Building an Authenticated Secure Channel Without SSL
9.12.1. Problem
9.12.2. Solution
9.12.3. Discussion
9.12.4. See Also
10. Public Key Infrastructure
10.1. Understanding Public Key Infrastructure (PKI)
10.1.1. Problem
10.1.2. Solution
10.1.3. Discussion
10.1.3.1. Certificates
10.1.3.2. Certification authorities
10.1.3.3. Certificate revocation
10.1.3.4. Online Certificate Status Protocol
10.1.3.5. Certificate hierarchies
10.1.3.6. X.509 certificates
10.1.4. See Also
10.2. Obtaining a Certificate
10.2.1. Problem
10.2.2. Solution
10.2.3. Discussion
10.2.3.1. Personal certificates
10.2.3.2. Code-signing certificates
10.2.3.3. Web site certificates
10.2.4. See Also
10.3. Using Root Certificates
10.3.1. Problem
10.3.2. Solution
10.3.3. Discussion
10.3.4. See Also
10.4. Understanding X.509 Certificate Verification Methodology
10.4.1. Problem
10.4.2. Solution
10.4.3. Discussion
10.4.4. See Also
10.5. Performing X.509 Certificate Verification with OpenSSL
10.5.1. Problem
10.5.2. Solution
10.5.3. Discussion
10.5.4. See Also
10.6. Performing X.509 Certificate Verification with CryptoAPI
10.6.1. Problem
10.6.2. Solution
10.6.3. Discussion
10.6.3.1. CryptoAPI certificate stores
10.6.4. See Also
10.7. Verifying an SSL Peer's Certificate
10.7.1. Problem
10.7.2. Solution
10.7.3. Discussion
10.7.4. See Also
10.8. Adding Hostname Checking to Certificate Verification
10.8.1. Problem
10.8.2. Solution
10.8.3. Discussion
10.8.4. See Also
10.9. Using a Whitelist to Verify Certificates
10.9.1. Problem
10.9.2. Solution
10.9.3. Discussion
10.10. Obtaining Certificate Revocation Lists with OpenSSL
10.10.1. Problem
10.10.2. Solution
10.10.3. Discussion
10.10.4. See Also
10.11. Obtaining CRLs with CryptoAPI
10.11.1. Problem
10.11.2. Solution
10.11.3. Discussion
10.11.4. See Also
10.12. Checking Revocation Status via OCSP with OpenSSL
10.12.1. Problem
10.12.2. Solution
10.12.3. Discussion
10.12.4. See Also
11. Random Numbers
11.1. Determining What Kind of Random Numbers to Use
11.1.1. Problem
11.1.2. Solution
11.1.3. Discussion
11.1.4. See Also
11.2. Using a Generic API for Randomness and Entropy
11.2.1. Problem
11.2.2. Solution
11.2.3. Discussion
11.2.4. See Also
11.3. Using the Standard Unix Randomness Infrastructure
11.3.1. Problem
11.3.2. Solution
11.3.3. Discussion
11.3.4. See Also
11.4. Using the Standard Windows Randomness Infrastructure
11.4.1. Problem
11.4.2. Solution
11.4.3. Discussion
11.4.4. See Also
11.5. Using an Application-Level Generator
11.5.1. Problem
11.5.2. Solution
11.5.3. Discussion
11.5.3.1. Using generators based on block ciphers
11.5.3.2. Using a stream cipher as a generator
11.5.3.3. Using a generator based on a cryptographic hash function
11.5.4. See Also
11.6. Reseeding a Pseudo-Random Number Generator
11.6.1. Problem
11.6.2. Solution
11.6.3. Discussion
11.6.4. See Also
11.7. Using an Entropy Gathering Daemon-Compatible Solution
11.7.1. Problem
11.7.2. Solution
11.7.3. Discussion
11.7.4. See Also
11.8. Getting Entropy or Pseudo-Randomness Using EGADS
11.8.1. Problem
11.8.2. Solution
11.8.3. Discussion
11.8.4. See Also
11.9. Using the OpenSSL Random Number API
11.9.1. Problem
11.9.2. Solution
11.9.3. Discussion
11.9.4. See Also
11.10. Getting Random Integers
11.10.1. Problem
11.10.2. Solution
11.10.3. Discussion
11.10.4. See Also
11.11. Getting a Random Integer in a Range
11.11.1. Problem
11.11.2. Solution
11.11.3. Discussion
11.11.4. See Also
11.12. Getting a Random Floating-Point Value with Uniform Distribution
11.12.1. Problem
11.12.2. Solution
11.12.3. Discussion
11.13. Getting Floating-Point Values with Nonuniform Distributions
11.13.1. Problem
11.13.2. Solution
11.13.3. Discussion
11.13.4. See Also
11.14. Getting a Random Printable ASCII String
11.14.1. Problem
11.14.2. Solution
11.14.3. Discussion
11.15. Shuffling Fairly
11.15.1. Problem
11.15.2. Solution
11.15.3. Discussion
11.15.4. See Also
11.16. Compressing Data with Entropy into a Fixed-Size Seed
11.16.1. Problem
11.16.2. Solution
11.16.3. Discussion
11.16.4. See Also
11.17. Getting Entropy at Startup
11.17.1. Problem
11.17.2. Solution
11.17.3. Discussion
11.17.4. See Also
11.18. Statistically Testing Random Numbers
11.18.1. Problem
11.18.2. Solution
11.18.3. Discussion
11.18.3.1. FIPS 140-1 power-up and on-demand tests
11.18.3.2. The FIPS continuous output test
11.18.4. See Also
11.19. Performing Entropy Estimation and Management
11.19.1. Problem
11.19.2. Solution
11.19.3. Discussion
11.19.3.1. Entropy in timestamps
11.19.3.2. Entropy in a key press
11.19.3.3. Entropy in mouse movements
11.19.3.4. Entropy in disk access
11.19.3.5. Entropy in data from the network
11.19.3.6. Entropy in the sound device
11.19.3.7. Entropy from thread timing and other system state
11.19.4. See Also
11.20. Gathering Entropy from the Keyboard
11.20.1. Problem
11.20.2. Solution
11.20.3. Discussion
11.20.3.1. Collecting entropy from the keyboard on Unix
11.20.3.2. Collecting entropy from the keyboard on Windows
11.20.4. See Also
11.21. Gathering Entropy from Mouse Events on Windows
11.21.1. Problem
11.21.2. Solution
11.21.3. Discussion
11.21.4. See Also
11.22. Gathering Entropy from Thread Timings
11.22.1. Problem
11.22.2. Solution
11.22.3. See Also
11.23. Gathering Entropy from System State
11.23.1. Problem
11.23.2. Solution
11.23.3. Discussion
11.23.4. See Also
12. Anti-Tampering
12.1. Understanding the Problem of Software Protection
12.1.1. Problem
12.1.2. Solution
12.1.3. Discussion
12.1.3.1. The threat of protection crackers
12.1.3.2. The goal of software protection
12.1.3.3. The cost of software protection
12.1.3.4. Anti-tampering techniques
12.1.4. See Also
12.2. Detecting Modification
12.2.1. Problem
12.2.2. Solution
12.2.3. Discussion
12.2.4. See Also
12.3. Obfuscating Code
12.3.1. Problem
12.3.2. Solution
12.3.3. Discussion
12.3.4. See Also
12.4. Performing Bit and Byte Obfuscation
12.4.1. Problem
12.4.2. Solution
12.4.3. Discussion
12.4.4. See Also
12.5. Performing Constant Transforms on Variables
12.5.1. Problem
12.5.2. Solution
12.5.3. Discussion
12.6. Merging Scalar Variables
12.6.1. Problem
12.6.2. Solution
12.6.3. Discussion
12.7. Splitting Variables
12.7.1. Problem
12.7.2. Solution
12.7.3. Discussion
12.8. Disguising Boolean Values
12.8.1. Problem
12.8.2. Solution
12.8.3. Discussion
12.8.4. See Also
12.9. Using Function Pointers
12.9.1. Problem
12.9.2. Solution
12.9.3. Discussion
12.10. Restructuring Arrays
12.10.1. Problem
12.10.2. Solution
12.10.3. Discussion
12.11. Hiding Strings
12.11.1. Problem
12.11.2. Solution
12.11.3. Discussion
12.12. Detecting Debuggers
12.12.1. Problem
12.12.2. Solution
12.12.3. Discussion
12.12.4. See Also
12.13. Detecting Unix Debuggers
12.13.1. Problem
12.13.2. Solution
12.13.3. Discussion
12.13.4. See Also
12.14. Detecting Windows Debuggers
12.14.1. Problem
12.14.2. Solution
12.14.3. Discussion
12.14.4. See Also
12.15. Detecting SoftICE
12.15.1. Problem
12.15.2. Solution
12.15.3. Discussion
12.15.4. See Also
12.16. Countering Disassembly
12.16.1. Problem
12.16.2. Solution
12.16.3. Discussion
12.17. Using Self-Modifying Code
12.17.1. Problem
12.17.2. Solution
12.17.3. Discussion
12.17.4. See Also
13. Other Topics
13.1. Performing Error Handling
13.1.1. Problem
13.1.2. Solution
13.1.3. Discussion
13.1.4. See Also
13.2. Erasing Data from Memory Securely
13.2.1. Problem
13.2.2. Solution
13.2.3. Discussion
13.3. Preventing Memory from Being Paged to Disk
13.3.1. Problem
13.3.2. Solution
13.3.3. Discussion
13.4. Using Variable Arguments Properly
13.4.1. Problem
13.4.2. Solution
13.4.3. Discussion
13.4.4. See Also
13.5. Performing Proper Signal Handling
13.5.1. Problem
13.5.2. Solution
13.5.3. Discussion
13.5.4. See Also
13.6. Protecting against Shatter Attacks on Windows
13.6.1. Problem
13.6.2. Solution
13.6.3. Discussion
13.6.4. See Also
13.7. Guarding Against Spawning Too Many Threads
13.7.1. Problem
13.7.2. Solution
13.7.3. Discussion
13.8. Guarding Against Creating Too Many Network Sockets
13.8.1. Problem
13.8.2. Solution
13.8.3. Discussion
13.9. Guarding Against Resource Starvation Attacks on Unix
13.9.1. Problem
13.9.2. Solution
13.9.3. Discussion
13.9.4. See Also
13.10. Guarding Against Resource Starvation Attacks on Windows
13.10.1. Problem
13.10.2. Solution
13.10.3. Discussion
13.11. Following Best Practices for Audit Logging
13.11.1. Problem
13.11.2. Solution
13.11.3. Discussion
13.11.3.1. Network logging
13.11.3.2. Logging to CD-R
13.11.3.3. Signing and encrypting log entries
13.11.4. See Also
Index
About the Authors
Colophon
SPECIAL OFFER: Upgrade this ebook with O’Reilly
← Prev
Back
Next →
← Prev
Back
Next →