SSL/TLS after DigiNotar and BEAST

Slides:



Advertisements
Similar presentations
The Dog’s Biggest Bite. Overview History Start Communication Protocol Weakness POODLE Issues.
Advertisements

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
Cryptography and Network Security
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
ITA, , 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
January 2011 As a precaution, re-check the exam time in early January. Various rooms are used, your room will be on your personal timetable, available.
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
Cryptography and Network Security Chapter 17
CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.
Chapter 8 Web Security.
By Swapnesh Chaubal Rohit Bhat. BEAST : Browser Exploit Against SSL/TLS Julianno Rizzo and Thai Duong demonstrated this attack.
1 Chapter 8 Securing Information Systems. Outline Security Threats (External: malware, spoofing/phishing, sniffing, & data theft: Internal: unauthorized.
How HTTPS Works J. David Giese. Hyper Text Transfer Protocol BrowserHTTP Server GET / HTTP/1.1 HOST: edge-effect.github.io HEADERS BODY HTTP/ OK.
Computer Networks NYUS FCSIT Spring 2008 Milos STOLIC, Bs.C. Teaching Assistant
Network Security. An Introduction to Cryptography The encryption model (for a symmetric-key cipher).
OpenVPN OpenVPN: an open source, cross platform client/server, PKI based VPN.
SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.
Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)
Chapter 37 Network Security. Aspects of Security data integrity – data received should be same as data sent data availability – data should be accessible.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
E-Commerce Security Professor: Morteza Anvari Student: Xiaoli Li Student ID: March 10, 2001.
Security Protocols and E-commerce University of Palestine Eng. Wisam Zaqoot April 2010 ITSS 4201 Internet Insurance and Information Hiding.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Network Security Essentials Chapter 5
Cryptography and Network Security (CS435) Part Fourteen (Web Security)
Web Security : Secure Socket Layer Secure Electronic Transaction.
Cryptography and Network Security (SSL)
IM NTU Distributed Information Systems 2004 Security -- 1 Security Yih-Kuen Tsay Dept. of Information Management National Taiwan University.
CS 4244: Internet Programming Security 1.0. Introduction Client identification and cookies Basic Authentication Digest Authentication Secure HTTP.
Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
Web Security Web now widely used by business, government, individuals but Internet & Web are vulnerable have a variety of threats – integrity – confidentiality.
Cryptography and Network Security Chapter 16 Fifth Edition by William Stallings Lecture slides by Lawrie Brown.
Gold Coast Campus School of Information Technology 2003/16216/3112INT Network Security 1Copyright © Griffith University, INT / 3112INT Network.
Network and Internet Security Prepared by Dr. Lamiaa Elshenawy
Encryption protocols Monil Adhikari. What is SSL / TLS? Transport Layer Security protocol, ver 1.0 De facto standard for Internet security “The primary.
Threats and Solutions of Information Security - Confidentiality, Integrity and Availability Hyunsung Kim.
1 Chapter 7 WEB Security. 2 Outline Web Security Considerations Secure Socket Layer (SSL) and Transport Layer Security (TLS) Secure Electronic Transaction.
INFORMATION SECURITY MANAGEMENT P ROTECTION M ECHANISMS - C RYPTOGRAPHY.
@Yuan Xue CS 285 Network Security Fall 2012 Yuan Xue.
Can SSL and TOR be intercepted? Secure Socket Layer.
Lecture 6 (Chapter 16,17,18) Network and Internet Security Prepared by Dr. Lamiaa M. Elshenawy 1.
Lecture 10 Page 1 CS 236 Online SSL and TLS SSL – Secure Socket Layer TLS – Transport Layer Security The common standards for securing network applications.
Database Management Systems, 3ed, R. Ramakrishnan and J. Gehrke1 Database architecture and security Workshop 4.
Henric Johnson1 Chapter 7 WEB Security Henric Johnson Blekinge Institute of Technology, Sweden
Cryptography and Network Security
Visit for more Learning Resources
Cryptography and Network Security
Chapter 7 STRENGTH OF ENCRYPTION & Public Key Infrastructure
The Secure Sockets Layer (SSL) Protocol
Electronic Payment Security Technologies
Cryptography and Network Security
Presentation transcript:

SSL/TLS after DigiNotar and BEAST Course: Cyberdefence Seminar Lecturer: Ahto Buldas Author: Mikheil Basilaia a106936 25.10.2011

The Plan SSL/TLS overview BEAST hack DigiNotar hack Future of communication security in internet

What is SSL? Stands for Secure Socket Layer Cryptographic protocol securing connections Predecessor of Transport Layer Security (TLS) Foundation for communication security in internet

Functions SSL/TLS uses: Certificates for authentication Digital signatures and message digests for integrity Encryption for privacy/confidentiality

Versions SSL 1.0 (never released for wide usage) SSL 2.0 (1995) TLS 1.0 / SSL 3.1 (1999) TLS 1.1 / SSL 3.2 (2006) TLS 1.2 / SSL 3.3 (2008)

Usage By Qualys

BEAST Stands for Browser Exploit Against SSL/TLS Attacks SSL 3.0 and TLS 1.0 Breaches confidentiality (while other attacks aim authentication) Published in September, 2011 by Duong and Rizzo Exampled on PayPal payment

BEAST – Technical Details Attacks active SSL/TLS connections Decrypts cookies Plaintext recovery attack Exploits vulnerability connected to cipher block chaining (CBC)

BEAST – Requirements/Limitations Needs JavaScript code running Needs control over victim’s network Needs to overcome same-origin policy Some ciphers (RC4) does not use CBC (AES and DES use)

BEAST – What can we do? Update IE Use Chrome (uses RC4) Disable JavaScript in Firefox

DigiNotar Hack Dutch Certification Authority Over 500 certificates lost (including certificates for Google, Microsoft, Skype, Dutch government, CIA, Mossad. . .) Hacked in July, went public in August, declared bankruptcy in September, 2011

DigiNotar – Other Details DigiNotar system used to issue fake certificates Farsi-speaking hacker Failed because technical negligence The case posed a question of security in internet

Usage Iranian Gmail users eavesdropped Man-in-the-middle-attack (attack on confidentiality) Needs traffic to be rerouted to other servers – probably government involvement

What can we do? Disable DigiNotar certificates (do it manually or update browsers) Mac products/Windows XP/Windows Server 2003 may need manual deletion

An Example

What if. . . Other CAs also fail? VeriSign – too big to fail? Swedbank/SEB/Nordea use certificates by VeriSign Security in internet will be undermined

Future Implement TLS 1.2/TLS 1.3 Maybe needs bigger failure than DigiNotar DigiNotar example can be attractive for powerful cyber actors

Thank You

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.