Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004.

Slides:

Advertisements

Similar presentations

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Advertisements

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

CS470, A.SelcukSSL/TLS & SET1 CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

SSLstrip Stepan Shykerynets

SSL : An Overview Bruhadeshwar Bezawada International Institute of Information Technology, Hyderabad.

More Trick For Defeating SSL

Lori Fitterling LI843 SSL Secured Sockets Layer. What is Secure Sockets Layer (SSL)? It is protection of data transferred over the Internet using encryption.

By: Hassan Waqar.  A PROTOCOL for securely transmitting data via the internet.  NETWORK LAYER application.  Developed by NETSCAPE.

Encryption, SSL and Certificates BY JOSHUA COX AND RACHAEL MEAD.

SECURITY IN E-COMMERCE VARNA FREE UNIVERSITY Prof. Teodora Bakardjieva.

CSCE 715: Network Systems Security Chin-Tser Huang University of South Carolina.

Digital Signatures Dan Fleck CS 469: Security Engineering These slides are modified with permission from Bill Young (Univ of Texas) Coming up: Digital.

SSL & SharePoint IT:Network:Applications. Agenda Secure Socket Layer Encryption 101 SharePoint Customization SharePoint Integration.

Public Key Management and X.509 Certificates

OPSEC Awareness Briefing Man-In-The-Middle Attacks (MITM)

A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

CSCI283 Fall 2005 GWU All slides from Bishop’s slide set Public Key Infrastructure (PKI)

Electronic Transaction Security (E-Commerce)

Intel Confidential 1 Configure PKI Web Server Certificates for each Management Controller.

Online Security Tuesday April 8, 2003 Maxence Crossley.

CERTIFICATES “a document containing a certified statement, especially as to the truth of something ”

INF 123 SW ARCH, DIST SYS & INTEROP LECTURE 17 Prof. Crista Lopes.

Copyright, 1996 © Dale Carnegie & Associates, Inc. Digital Certificates Presented by Sunit Chauhan.

CS470, A.SelcukPKI1 Public Key Infrastructures CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

Topic 11: Key Distribution and Agreement 1 Information Security CS 526 Topic 11: Key Distribution & Agreement, Secure Communication.

1 Integrating ISA Server and Exchange Server. 2 How works.

INTRODUCTION Why Signatures? A uthenticates who created a document Adds formality and finality In many cases, required by law or rule Digital Signatures.

Domain Name System | DNSSEC. 2  Internet Protocol address uniquely identifies laptops or phones or other devices  The Domain Name System matches IP.

CSCI 6962: Server-side Design and Programming

CRYPTOGRAPHY PROGRAMMING ON ANDROID Jinsheng Xu Associate Professor North Carolina A&T State University.

Chapter 3 Mohammad Fozlul Haque Bhuiyan Assistant Professor CITI Jahangirnagar University.

IT:Network:Applications.  Single Key (Symmetric) encryption ◦ One “key” or passphrase used to encrypt and decrypt ◦ FAST – good for large amounts of.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

SSL and https for Secure Web Communication CSCI 5857: Encoding and Encryption.

Masud Hasan Secue VS Hushmail Project 2.

Digital Certificates Made Easy Sam Lutgring Director of Informational Technology Services Calhoun Intermediate School District.

Secure Socket Layer (SSL)

PKI interoperability and policy in the wireless world.

SSL / TLS in ITDS Arun Vishwanathan 23 rd Dec 2003.

Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2015.

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

E-commerce What are the relationships among: – Client (i.e. you) – Server – Bank – Certification authority Other things to consider: – How to set up your.

Logo Add Your Company Slogan China Financial Certification Authority Third-party certification authority Team 13 ：吉露露、吴莹莹、潘韦韦（ CFCA ）

Introduction to Secure Sockets Layer (SSL) Protocol Based on:

Certificate-Based Operations. Module Objectives By the end of this module participants will be able to: Define how cryptography is used to secure information.

CERTIFICATES. What is a Digital Certificate? Electronic counterpart to a drive licenses or a passport. Enable individuals and organizations to secure.

Module 9: Fundamentals of Securing Network Communication.

1 DCS 835 – Computer Networking and the Internet Digital Certificate and SSL (rev ) Team 1 Rasal Mowla (project leader) Alvaro Restrepo, Carlos.

Building Security into Your System Bill Major Gregory Ponto.

Ram Santhanam Application Level Attacks - Session Hijacking & Defences

Configuring and Troubleshooting Identity and Access Solutions with Windows Server® 2008 Active Directory®

Fall 2010/Lecture 321 CS 426 (Fall 2010) Key Distribution & Agreement.

Protocols for public-key management. Key management –two problems Distribution of public keys (for public- key cryptography) Distribution of secret keys.

X.509 Topics PGP S/MIME Kerberos. Directory Authentication Framework X.509 is part of the ISO X.500 directory standard. used by S/MIME, SSL, IPSec, and.

Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication.

Security fundamentals Topic 5 Using a Public Key Infrastructure.

SSL Certificates for Secure Websites Dan Roberts Kent Network Users Group Wednesday, 17 March 2004.

Pertemuan #10 Secure HTTP (HTTPS) Kuliah Pengaman Jaringan.

Digital Signatures and Digital Certificates Monil Adhikari.

By Team Trojans -1 Arjun Ashok Priyank Mohan Balaji Thirunavukkarasu.

An Empirical Study of Visual Security Cues to Prevent the SSLstripping Attack Source: ACSAC 2011 Authors: Dongwan Shin, Rodrigo Lopes Report: Minhao Wu.

Csci5233 Computer Security1 Bishop: Chapter 14 Representing Identity.

X509 Web Authentication From the perspective of security or An Introduction to Certificates.

INFSO-RI Enabling Grids for E-sciencE Sofia, 17 March 2009 Security, Authentication and Authorisation Mike Mineter Training, Outreach.

SSL: Secure Socket Layer By: Mike Weissert. Overview Definition History & Background SSL Assurances SSL Session Problems Attacks & Defenses.

SSL Certificates for Secure Websites

Using SSL – Secure Socket Layer

Presentation transcript:

Measures to prevent MITM attack and their effectiveness CSCI 5931 Web Security Submitted By Pradeep Rath Date : 23 rd March 2004

Introduction Definition: When two users are communicating remotely through internet, exchange public keys to start a reliable and secure communication. During this process if somehow both the keys are intercepted on its route by someone, he can send on the messages to both the parties involved in communication but with his own faked public keys.

Digital Certificates Digital certificates are an electronic file Used to uniquely identify a person or a website (server). Digital certificates are issued by certificate authority such as Verisign, thwate… They validate the public key used by the server in transaction and key exchange.

How does it work?

Is it completely foolproof? It is not completely foolproof. Ways to work around the system: Using a chain of certificates. Anyone with a valid CA-signed certificate for any domain can generate a valid CA- signed certificate for any other domain.

How Does this Work ? Whenever this is a chain of certificates. Browser is supposed to check the common name CN field of the leaf certificate is the same as the domain he is connected to. [Issuer: Verisign / Subject: Verisign] -> [Issuer: Verisign / Subject: Intermediate CA] -> [Issuer: Intermediate CA / Subject:

Contd… The browser performs a check for validity by checking the intermediate CA certificate and then the intermediate CA is signed by the Root CA (Verisign). The next check required is to check that all intermediate certificates have valid CA Basic Constraints.

Contd… The problem lies in the browser some browser do not check the valid CA basic constraints, which means Anybody with a valid CA signed certificate could generate a valid certificate for any other domain. [CERT - Issuer: Verisign / Subject: Verisign] -> [CERT - Issuer: Verisign / Subject: -> [CERT - Issuer: / Subject:

Contd… Here the browser accepts the certificate chain to be a valid amazon.com certificate. So anybody with standard tools for connection hijacking can combine this flaw into a successful MITM. Affected browser is Internet explorer whereas netscape and mozilla are unaffected.

Other Techniques There is another way MITM can be achieved that is by DNS spoofing. As there is no way for server to authenticate the client, after the client is made to believe that the attacker is the server, the attacker could perform MITM. When a attacker uses DNS spoofing he assumes that the browser is not configured to issue warnings against use of a fake certificate.

Contd… DNS spoofing is a simple redirection mechanism and can be done using tools like Dsniff. If the attacker could get the user to trust the fake certificate and install it into the list of trusted CA’s all further communications are compromised.

Solutions. The MITM attacks rely upon spoofing ARP and DNS. Sites should use static ARP tables when possible, Servers and site should migrate to DNSSEC as soon as practicable. Deploy an intrusion detection device. Use proper and better configured versions of a browser.

References Mike Benham IE SSL Vulnerability. -mitm.html -mitm.html Discussion of verisign's Technical Brief: "Building an E-Commerce Trust Infrastructure: SSL Server Certificates and Online Payment Services"

Thank You! Any Questions ?