What books will help me learn everything I can about SSL/PKI? [closed]
30-09-2019
Question
Since SSL (now technically called TLS) is the backbone of the secure internet, what are some good books I should read up on to understand all aspects of it?
I suppose I'll need to learn some math, some PKI books, crypto, and Sysadmin books as well. Since that isn't a complete list I'm interested in hearing what you think is wise to learn as well.
Solution
Here is a list of four good books on the subject (SSL/TLS):
SSL and TLS: Theory and Practice
SSL and TLS: Designing and Building Secure Systems
SSL & TLS: Essentials Securing the Web
Network Security with OpenSSL
Here are some good books on PKI:
Understanding PKI: Concepts, Standards, and Deployment Considerations
Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure
Public Key Infrastructure: Building Trusted Applications and Web Services
PKI: Implementing & Managing E-Security
And when it comes to cryptography, you can't do much better than:
Introduction to Modern Cryptography: Principles and Protocols
Applied Cryptography: Protocols, Algorithms, and Source Code in C
The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography
Cryptography Engineering: Design Principles and Practical Applications
OTHER TIPS
As far as cryptography goes, this is the best there is:
Applied Cryptography: Protocols, Algorithms, and Source Code in C
You will learn all there is from the basic building blocks upwards.
SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, 2001, ISBN 0-201-61598-3: very detailed.
Aside from books, depending on how you like to learn, if you like practical experience, you could go through the JSSE Reference Guide (online, part of the Java documentation) and try a few tutorials based on this. Going through the documentation of other libraries is worth it too (e.g. Mozilla's NSS or OpenSSL).
If you want to see what topics are cutting edge, go through the IETF TLS mailing list archives (or subscribe to it, of course) and follow the discussions.
Going through the examples or unit tests of BouncyCastle (in Java or C#) can be interesting too.
You could also combine this with looking at what happens with existing applications using Wireshark (you won't necessarily always be able to decipher the communication, even if you have the server's private key, since it depends on the cipher suite too).