Prohibiting RC4 Cipher Suites in TLS By: Andrei Popov

Slides:

Advertisements

Similar presentations

SSL/TLS Protocol Network Security Gene Itkis. Basic paradigmatic application: on-line purchase Client contacts Server (possibly for the first time) Spontaneity.

Advertisements

Cryptography and Network Security Chapter 16

SSL Protocol By Oana Dini. Overview Introduction to SSL SSL Architecture SSL Limitations.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

Cryptography and Network Security

Secure Socket Layer.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

Bradley Cowie, Barry Irwin and Richard Barnett Security and Networks Research Group Department of Computer Science Rhodes University MANAGEMENT, PROCESSING.

ITA, , 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

WEP 1 WEP WEP 2 WEP  WEP == Wired Equivalent Privacy  The stated goal of WEP is to make wireless LAN as secure as a wired LAN  According to Tanenbaum:

Cryptography and Network Security

1 MD5 Cracking One way hash. Used in online passwords and file verification.

Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.

16-1 Last time Internet Application Security and Privacy Authentication Security controls using cryptography Link-layer security: WEP.

Chalmers University of Technology Wireless security Breaking WEP and WPA.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

How To Not Make a Secure Protocol WEP Dan Petro.

Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.

0 SSL3.0 / TLS1.0 Secure Communication over Insecure Line.

RC4 1 RC4 RC4 2 RC4  Invented by Ron Rivest o “RC” is “Ron’s Code” or “Rivest Cipher”  A stream cipher  Generate keystream byte at a step o Efficient.

CSCE 790: Computer Network Security Chin-Tser Huang University of South Carolina.

IEEE Wireless Local Area Networks (WLAN’s).

Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Security – Wired Equivalent Privacy (WEP) By Shruthi B Krishnan.

CS682- Session 10 Prof. Katz. Well-Known Attacks By far the most common security vulnerabilities Attacks that Script-Kiddies are capable of performing.

Seguridad en Sistemas de Información Francisco Rodríguez Henríquez SSL/TLS: An Introduction.

AJ Mancini IV Paul Schiffgens Jack O’Hara. WIRELESS SECURITY  Brief history of Wi-Fi  Wireless encryption standards  WEP/WPA  The problem with WEP.

Application Layer Protocol Negotiation

Announcement Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed. 1.

Wireless security & privacy Authors: M. Borsc and H. Shinde Source: IEEE International Conference on Personal Wireless Communications 2005 (ICPWC 2005),

CSC-682 Advanced Computer Security

COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.

Behzad Akbari Spring 2012 (These slides are based on lecture slides by Lawrie Brown)

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Network Security Essentials Chapter 5

Wireless Security Presented by: Amit Kumar Singh Instructor : Dr. T. Andrew Yang.

Web Security : Secure Socket Layer Secure Electronic Transaction.

Cryptography and Network Security (SSL)

Chapter 20 Symmetric Encryption and Message Confidentiality.

The Misuse of RC4 in Microsoft Office A paper by: Hongjun Wu Institute for Infocomm Research, Singapore ECE 578 Matthew Fleming.

Analyzing Wireless Security in Columbia, Missouri Matthew Chittum Clayton Harper John Mixon Johnathan Walton.

COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.

SSL (TLS) Part 2 Generating the Premaster and Master Secrets + Encryption.

Web Security Web now widely used by business, government, individuals but Internet & Web are vulnerable have a variety of threats – integrity – confidentiality.

Network and Internet Security Prepared by Dr. Lamiaa Elshenawy

Encryption protocols Monil Adhikari. What is SSL / TLS? Transport Layer Security protocol, ver 1.0 De facto standard for Internet security “The primary.

SSL(HandShake) Protocol By J.STEPHY GRAFF IIM.SC(C.S)

Giuseppe Bianchi Warm-up example WEP. Giuseppe Bianchi WEP lessons  Good cipher is far from being enough  You must make good USAGE of cipher.

IEEE Security Specifically WEP, WPA, and WPA2 Brett Boge, Presenter CS 450/650 University of Nevada, Reno.

Secure Socket Layer SSL and TLS. SSL Protocol Peer negotiation for algorithm support Public key encryptionPublic key encryption -based key exchange and.

COEN 350 Mobile Security. Wireless Security Wireless offers additional challenges: Physical media can easily be sniffed. War Driving Legal? U.S. federal.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

1 A New Weakness in the RC4 Keystream Generator and an Approach to Improve the Security of the Cipher Souradyuti Paul and Bart Preneel K.U. Leuven, ESAT/COSIC.

Lecture 6 (Chapter 16,17,18) Network and Internet Security Prepared by Dr. Lamiaa M. Elshenawy 1.

Cryptography CSS 329 Lecture 13:SSL.

Page 1 of 17 M. Ufuk Caglayan, CmpE 476 Spring 2000, SSL and SET Notes, March 29, 2000 CmpE 476 Spring 2000 Notes on SSL and SET Dr. M. Ufuk Caglayan Department.

Wireless LAN Security Daniel Reichle Seminar Security Protocols and Applications SS2003.

Secure Sockets Layer (SSL)

Visit for more Learning Resources

CSE 4095 TLS Attacks.

Originally by Yu Yang and Lilly Wang Modified by T. A. Yang

Wireless Security Ian Bodley.

SSL Protocol Figures used in the presentation

By: Anthony Gervasi & Adam Dickinson

Presentation transcript:

Prohibiting RC4 Cipher Suites in TLS By: Andrei Popov

RC4 is Popular Been around since High performance (7 cycles per byte on Pentium). Stream cipher: immune to BEAST attack on TLS1.0. As a result, ~90% of HTTPS sites surveyed by trustworthyinternet.org support some RC4 cipher suites. The popularity of RC4 on the server side prevents browser vendors from disabling this cipher.

RC4 is Insecure For over a decade, RC4 was known to have biases in the keystream: Fluhrer, S., Mantin, I., and A. Shamir, "Weaknesses in the Key Scheduling Algorithm of RC4. Selected Areas in Cryptography, pp. 1-24", Mantin, I. and A. Shamir, "A Practical Attack on Broadcast RC4. FSE, pp ", Paul, G. and S. Maitra, "Permutation after RC4 Key Scheduling Reveals the Secret Key. In Proceedings of the 14th Workshop on Selected Areas in Cryptography (SAC), pp , vol. 4876, LNCS, Springer.", Recent cryptanalysis results exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts: AlFardan, N., Bernstein, D., Paterson, K., Poettering, B., and J. Schuldt, "On the security of RC4 in TLS and WPA. USENIX Security Symposium.", 2013.

Applicability of Attacks to HTTPS The latest known attacks are on the verge of becoming practically exploitable. Currently they require 2^26 sessions or 13x2^30 encryptions. The attacker causes a browser to transmit many HTTP requests. Each request contains the same secret (cookie). Known biases in RC4 are used to recover plaintext. The attacker does not need to be located close to the server, and no packet injection capability is required. It suffices for the attacker to record encrypted traffic for later offline analysis.

Prohibiting RC4 Cipher Suites TLS clients MUST NOT include RC4 cipher suites in the ClientHello message. TLS servers MUST NOT select an RC4 cipher suite when a TLS client sends such a cipher suite in the ClientHello message. If the TLS client only offers RC4 cipher suites, the TLS server MUST terminate the handshake. The TLS server MAY send the insufficient_security fatal alert in this case.

Links and Contact Information AlFardan, N., Bernstein, D., Paterson, K., Poettering, B., and J. Schuldt, "On the security of RC4 in TLS and WPA. USENIX Security Symposium.", 2013, /conference/usenixsecurity13/security-rc4-tls Prohibiting RC4 Internet-Draft: popov-tls-prohibiting-rc4http://datatracker.ietf.org/doc/draft- popov-tls-prohibiting-rc4 Andrei Popov