SSL and TLS. Designing and Building Secure Systems
by Eric Rescorla
Addison-Wesley
Index, bibliography, 2 appendices and an acronym table
ISBN 0-201-61598-3. $39.95
Reviewed
by Robert Bruen
Secure Sockets Layer (SSL) was created at Netscape in 1994 to address the
problem of secure transactions over networks using HTTP. Since then it has
mutated, evolved, and been transformed by Netscape, Microsoft and others,
including some very enterprising individuals. The result is that SSL
is the primary method for securing web-based transactions. There are open
versions (OpenSSL) and one for wireless (WTLS). The most recent incarnation
is Transport Layer Security (TLS), which is not yet widely deployed but
certainly appears to be the future of SSL.
It is always a pleasure to review a good technical book such as SSL and TLS.
The author is not only knowledgeable, he explains everything with a rare sense
of clarity without reverting to black magic and hand waving. Code examples
are written in C and Java. Additional examples are given for HTTPS and mod_ssl
(used to add SSL/TLS to the Apache web server).
SSL and TLS was written for those of us who want to design systems and write
code. The first part of the book covers the basics of SSL, including a
background chapter on cryptography. The basics cover the history and mechanics
of SSL, meaning connections, handshakes, alerts and sessions. The
in-between chapters cover security within SSL and SSL performance.
Although I like the book in general, I especially enjoyed the performance
analysis chapter. Everyone knows that encrypting and decrypting take compute
cycles, usually from places that are already somewhat overburdened. After
acknowledging this, the author covers Amdahl's Law (used in performance
tuning), then delves into I/O and the locations of transmission choke
points. The author's thoroughness in analyzing the performance problem helps
considerably in understanding some of the details of SSL as well as how one
ought to go about performance analysis. Graphs, timing charts and operation
executions are presented in depth for both hardware and software. Java, C,
algorithms and networks all come under the microscope as the author makes it look
easy.
The next part of the book covers designing and coding with SSL, presenting
topics such as authentication, reference integrity implementation and threads.
Then there are two good chapters on HTTP (SSL) and SMTP (TLS). Why HTTP is a
better match than SMTP for SSL/TLS is shown in detail.
This is a book with substance for anyone who is interested in securing systems
and networks. It is well written, informative and highly recommended.
IEEE Cipher, E40, December 19, 2000.