See more Amazon Details

Contents Listing

Foreword
Preface
1. Safe Initialization
1.1 Sanitizing the Environment
1.2 Restricting Privileges on Windows
1.3 Dropping Privileges in setuid Programs
1.4 Limiting Risk with Privilege Separation
1.5 Managing File Descriptors Safely
1.6 Creating a Child Process Securely
1.7 Executing External Programs Securely
1.8 Executing External Programs Securely
1.9 Disabling Memory Dumps in the Event of a Crash
2. Access Control
2.1 Understanding the Unix Access Control Model
2.2 Understanding the Windows Access Control Model
2.3 Determining Whether a User Has Access to a File on Unix
2.4 Determining Whether a Directory Is Secure
2.5 Erasing Files Securely
2.6 Accessing File Information Securely
2.7 Restricting Access Permissions for New Files on Unix
2.8 Locking Files
2.9 Synchronizing Resource Access Across Processes on Unix
2.10 Synchronizing Resource Access Across Processes on Windows
2.11 Creating Files for Temporary Use
2.12 Restricting Filesystem Access on Unix
2.13 Restricting Filesystem and Network Access on FreeBSD
3. Input Validation
3.1 Understanding Basic Data Validation Techniques
3.2 Preventing Attacks on Formatting Functions
3.3 Preventing Buffer Overflows
3.4 Using the SafeStr Library
3.5 Preventing Integer Coercion and Wrap-Around Problems
3.6 Using Environment Variables Securely
3.7 Validating Filenames and Paths
3.8 Evaluating URL Encodings
3.9 Validating Email Addresses
3.10 Preventing Cross-Site Scripting
3.11 Preventing SQL Injection Attacks
3.12 Detecting Illegal UTF-8 Characters
3.13 Preventing File Descriptor Overflows When Using select( )
4. Symmetric Cryptography Fundamentals
4.1 Representing Keys for Use in Cryptographic Algorithms
4.2 Generating Random Symmetric Keys
4.3 Representing Binary Keys (or Other Raw Data) as Hexadecimal
4.4 Turning ASCII Hex Keys (or Other ASCII Hex Data) into Binary
4.5 Performing Base64 Encoding
4.6 Performing Base64 Decoding
4.7 Representing Keys (or Other Binary Data) as English Text
4.8 Converting Text Keys to Binary Keys
4.9 Using Salts, Nonces, and Initialization Vectors
4.10 Deriving Symmetric Keys from a Password
4.11 Algorithmically Generating Symmetric Keys from One Base Secret
4.12 Encrypting in a Single Reduced Character Set
4.13 Managing Key Material Securely
4.14 Timing Cryptographic Primitives
5. Symmetric Encryption
5.1 Deciding Whether to Use Multiple Encryption Algorithms
5.2 Figuring Out Which Encryption Algorithm Is Best
5.3 Selecting an Appropriate Key Length
5.4 Selecting a Cipher Mode
5.5 Using a Raw Block Cipher
5.6 Using a Generic CBC Mode Implementation
5.7 Using a Generic CFB Mode Implementation
5.8 Using a Generic OFB Mode Implementation
5.9 Using a Generic CTR Mode Implementation
5.10 Using CWC Mode
5.11 Manually Adding and Checking Cipher Padding
5.12 Precomputing Keystream in OFB, CTR, CCM, or CWC Modes (or with Stream Ciphers)
5.13 Parallelizing Encryption and Decryption in Modes That Allow It (Without Breaking Compatibility)
5.14 Parallelizing Encryption and Decryption in Arbitrary Modes (Breaking Compatibility)
5.15 Performing File or Disk Encryption
5.16 Using a High-Level, Error-Resistant Encryption and Decryption API
5.17 Performing Block Cipher Setup (for CBC, CFB, OFB, and ECB Modes) in OpenSSL
5.18 Using Variable Key-Length Ciphers in OpenSSL
5.19 Disabling Cipher Padding in OpenSSL in CBC Mode
5.20 Performing Additional Cipher Setup in OpenSSL
5.21 Querying Cipher Configuration Properties in OpenSSL
5.22 Performing Low-Level Encryption and Decryption with OpenSSL
5.23 Setting Up and Using RC4
5.24 Using One-Time Pads
5.25 Using Symmetric Encryption with Microsoft's CryptoAPI
5.26 Creating a CryptoAPI Key Object from Raw Key Data
5.27 Extracting Raw Key Data from a CryptoAPI Key Object
6. Hashes and Message Authentication
6.1 Understanding the Basics of Hashes and MACs
6.2 Deciding Whether to Support Multiple Message Digests or MACs
6.3 Choosing a Cryptographic Hash Algorithm
6.4 Choosing a Message Authentication Code
6.5 Incrementally Hashing Data
6.6 Hashing a Single String
6.7 Using a Cryptographic Hash
6.8 Using a Nonce to Protect Against Birthday Attacks
6.9 Checking Message Integrity
6.10 Using HMAC
6.11 Using OMAC (a Simple Block Cipher-Based MAC)
6.12 Using HMAC or OMAC with a Nonce
6.13 Using a MAC That's Reasonably Fast in Software and Hardware
6.14 Using a MAC That's Optimized for Software Speed
6.15 Constructing a Hash Function from a Block Cipher
6.16 Using a Block Cipher to Build a Full-Strength Hash Function
6.17 Using Smaller MAC Tags
6.18 Making Encryption and Message Integrity Work Together
6.19 Making Your Own MAC
6.20 Encrypting with a Hash Function
6.21 Securely Authenticating a MAC (Thwarting Capture Replay Attacks)
6.22 Parallelizing MACs
7. Public Key Cryptography
7.1 Determining When to Use Public Key Cryptography
7.2 Selecting a Public Key Algorithm
7.3 Selecting Public Key Sizes
7.4 Manipulating Big Numbers
7.5 Generating a Prime Number (Testing for Primality)
7.6 Generating an RSA Key Pair
7.7 Disentangling the Public and Private Keys in OpenSSL
7.8 Converting Binary Strings to Integers for Use with RSA
7.9 Converting Integers into Binary Strings for Use with RSA
7.10 Performing Raw Encryption with an RSA Public Key
7.11 Performing Raw Decryption Using an RSA Private Key
7.12 Signing Data Using an RSA Private Key
7.13 Verifying Signed Data Using an RSA Public Key
7.14 Securely Signing and Encrypting with RSA
7.15 Using the Digital Signature Algorithm (DSA)
7.16 Representing Public Keys and Certificates in Binary (DER Encoding)
7.17 Representing Keys and Certificates in Plaintext (PEM Encoding)
8. Authentication and Key Exchange
8.1 Choosing an Authentication Method
8.2 Getting User and Group Information on Unix
8.3 Getting User and Group Information on Windows
8.4 Restricting Access Based on Hostname or IP Address
8.5 Generating Random Passwords and Passphrases
8.6 Testing the Strength of Passwords
8.7 Prompting for a Password
8.8 Throttling Failed Authentication Attempts
8.9 Performing Password-Based Authentication with crypt( )
8.10 Performing Password-Based Authentication with MD5-MCF
8.11 Performing Password-Based Authentication with PBKDF2
8.12 Authenticating with PAM
8.13 Authenticating with Kerberos
8.14 Authenticating with HTTP Cookies
8.15 Performing Password-Based Authentication and Key Exchange
8.16 Performing Authenticated Key Exchange Using RSA
8.17 Using Basic Diffie-Hellman Key Agreement
8.18 Using Diffie-Hellman and DSA Together
8.19 Minimizing the Window of Vulnerability When Authenticating Without a PKI
8.20 Providing Forward Secrecy in a Symmetric System
8.21 Ensuring Forward Secrecy in a Public Key System
8.22 Confirming Requests via Email
9. Networking
9.1 Creating an SSL Client
9.2 Creating an SSL Server
9.3 Using Session Caching to Make SSL Servers More Efficient
9.4 Securing Web Communication on Windows Using the WinInet API
9.5 Enabling SSL without Modifying Source Code
9.6 Using Kerberos Encryption
9.7 Performing Interprocess Communication Using Sockets
9.8 Performing Authentication with Unix Domain Sockets
9.9 Performing Session ID Management
9.10 Securing Database Connections
9.11 Using a Virtual Private Network to Secure Network Connections
9.12 Building an Authenticated Secure Channel Without SSL
10. Public Key Infrastructure
10.1 Understanding Public Key Infrastructure (PKI)
10.2 Obtaining a Certificate
10.3 Using Root Certificates
10.4 Understanding X.509 Certificate Verification Methodology
10.5 Performing X.509 Certificate Verification with OpenSSL
10.6 Performing X.509 Certificate Verification with CryptoAPI
10.7 Verifying an SSL Peer's Certificate
10.8 Adding Hostname Checking to Certificate Verification
10.9 Using a Whitelist to Verify Certificates
10.10 Obtaining Certificate Revocation Lists with OpenSSL
10.11 Obtaining CRLs with CryptoAPI
10.12 Checking Revocation Status via OCSP with OpenSSL
11. Random Numbers
11.1 Determining What Kind of Random Numbers to Use
11.2 Using a Generic API for Randomness and Entropy
11.3 Using the Standard Unix Randomness Infrastructure
11.4 Using the Standard Windows Randomness Infrastructure
11.5 Using an Application-Level Generator
11.6 Reseeding a Pseudo-Random Number Generator
11.7 Using an Entropy Gathering Daemon-Compatible Solution
11.8 Getting Entropy or Pseudo-Randomness Using EGADS
11.9 Using the OpenSSL Random Number API
11.10 Getting Random Integers
11.11 Getting a Random Integer in a Range
11.12 Getting a Random Floating-Point Value with Uniform Distribution
11.13 Getting Floating-Point Values with Nonuniform Distributions
11.14 Getting a Random Printable ASCII String
11.15 Shuffling Fairly
11.16 Compressing Data with Entropy into a Fixed-Size Seed
11.17 Getting Entropy at Startup
11.18 Statistically Testing Random Numbers
11.19 Performing Entropy Estimation and Management
11.20 Gathering Entropy from the Keyboard
11.21 Gathering Entropy from Mouse Events on Windows
11.22 Gathering Entropy from Thread Timings
11.23 Gathering Entropy from System State
12. Anti-Tampering
12.1 Understanding the Problem of Software Protection
12.2 Detecting Modification
12.3 Obfuscating Code
12.4 Performing Bit and Byte Obfuscation
12.5 Performing Constant Transforms on Variables
12.6 Merging Scalar Variables
12.7 Splitting Variables
12.8 Disguising Boolean Values
12.9 Using Function Pointers
12.10 Restructuring Arrays
12.11 Hiding Strings
12.12 Detecting Debuggers
12.13 Detecting Unix Debuggers
12.14 Detecting Windows Debuggers
12.15 Detecting SoftICE
12.16 Countering Disassembly
12.17 Using Self-Modifying Code
13. Other Topics
13.1 Performing Error Handling
13.2 Erasing Data from Memory Securely
13.3 Preventing Memory from Being Paged to Disk
13.4 Using Variable Arguments Properly
13.5 Performing Proper Signal Handling
13.6 Protecting against Shatter Attacks on Windows
13.7 Guarding Against Spawning Too Many Threads
13.8 Guarding Against Creating Too Many Network Sockets
13.9 Guarding Against Resource Starvation Attacks on Unix
13.10 Guarding Against Resource Starvation Attacks on Windows
13.11 Following Best Practices for Audit Logging
Index