tags:

views:

46

answers:

3
+1  Q: 

What books will help me learn everything I can about SSL/PKI?

Since SSL is the backbone of the secure internet, (now technically called TLS), what are some good books I should read up on to understand all aspects of it?

I suppose I'll need to learn some math, some PKI books, crypto, and Sysadmin books as well. Since that isn't a complete list I'm interested in hearing what you think is wise to learn as well.

+2  A: 

Here is a list of four some good books on the subject (SSL/TLS):

SSL and TLS: Theory and Practice
SSL and TLS: Designing and Building Secure Systems
SSL & TLS: Essentials Securing the Web
Network Security with OpenSSL

Here are some good books on PKI:

Understanding PKI: Concepts, Standards, and Deployment Considerations
Planning for PKI: Best Practices Guide for Deploying Public Key Infrastructure
Public Key Infrastructure: Building Trusted Applications and Web Services
PKI: Implementing & Managing E-Security

And when it comes to cryptgrapy, you can't do much better than:

Introduction to Modern Cryptography: Principles and Protocols
Applied Cryptography: Protocols, Algorithms, and Source Code in C
The Code Book: The Science of Secrecy from Ancient Egypt to Quantum Cryptography
Cryptography Engineering: Design Principles and Practical Applications

Michael Goldshteyn  2010-10-15 01:32:17
+2  A: 

As far as cryptography goes, this is the best there is:

http://www.amazon.com/Applied-Cryptography-Protocols-Algorithms-Source/dp/0471117099

You will learn all there is from the basic building blocks upwards.

Daniel Mošmondor  2010-10-15 01:32:42
+2  A: 

SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, 2001 ISBN 0-201-61598-3: very detailed.

Aside from books, depending on how you like to learn, if you like practical experience, you could go through the JSSE Reference Guide (online, part of the Java documentation) and try a few tutorials based on this. Going through the documentation of other libraries is worth it too (e.g. Mozilla's NSS or OpenSSL).

If you want to see what topics are cutting edge, go through the IETF TLS mailing list archives (or subscribe to it, of course) and follow the discussions.

Going through the examples or unit tests of BouncyCastle (in Java or C#) can be interesting too.

You could also combine this with looking at what happens with existing applications using Wireshark (you won't necessarily always be able to decipher the communication, even if you have the server's private key, since it depends on the cipher suite too).

Bruno  2010-10-15 01:38:59

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
Is there a way to make Firefox ignore invalid ssl-certificates?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL