Presentation is loading. Please wait.

Presentation is loading. Please wait.

K. Stoeckigt Password interception in a SSL/TLS channel Brice Canvel LASEC Memo 02/2003

Published byJune Barker Modified over 9 years ago

Similar presentations

Presentation on theme: "K. Stoeckigt Password interception in a SSL/TLS channel Brice Canvel LASEC Memo 02/2003"— Presentation transcript:

1 K. Stoeckigt (ksto033@ec.auckland.ac.nz) Password interception in a SSL/TLS channel Brice Canvel LASEC Memo 02/2003 http://lasecwww.epfl.ch/memo_ssl.shtml

2 K. Stoeckigt (ksto033@ec.auckland.ac.nz) Password interception in a SSL/TLS channel Summary/Overview Combine two attacks, a man-in-the-middle-attack and a side-attack and take the opportunity to get someone’s email password.

3 K. Stoeckigt (ksto033@ec.auckland.ac.nz) Password interception in a SSL/TLS channel Memo is not uniform about the assumption the reader already knows about security and/or networking, computer science → Information gap –“SSL stands for Secure Sockets Layer and TLS stands for Transport Layer Security. These are methods for hiding the information two parties send to each other,…” –“Then, when using a block cipher in CBC mode, the concatenated string MES|MAC is padded with padding PAD such that MES|MAC|PAD|LEN is of…” Critical Comments

4 K. Stoeckigt (ksto033@ec.auckland.ac.nz) Password interception in a SSL/TLS channel The connection between the explanation of the Timing- Attack and the Dictionary and Brute Force method in comparison to the Attack in practice is not obvious –Neither timing data nor Dictionary and Brute Force method is mentioned in the “final” explanation Attack is possible, but very complex –Man-in-the-middle attack; hacker must be able to intercept the connection between Client and Server → this is not easy Critical Comments (II)

5 K. Stoeckigt (ksto033@ec.auckland.ac.nz) Password interception in a SSL/TLS channel No further explanation to the graph (What is 0 – 800 ? What kind of diagram is it ?) Critical Comments (III)

6 K. Stoeckigt (ksto033@ec.auckland.ac.nz) Password interception in a SSL/TLS channel Client, running MS Outlook Express 6.x IMAP Mail Server Hacker The Attack in Practice User checks email using a secure connection (Outlook checks mail every 5 minutes → Hacker has a free sessions every 5 minutes) Hacker intercepts the connection (connection is redirected (DNS spoofing), man-in-the-middle-attack) Email client sends login/password to server XXXX LOGIN “username” “password” Hacker tries to decrypt authentication method using a multisession version of CBC-PAD (side-attack)

7 K. Stoeckigt (ksto033@ec.auckland.ac.nz) Password interception in a SSL/TLS channel It is just a Memo → many information are missing Attack is possible, but it costs a huge amount of effort to attack the system “Full report available soon” → not until June Counteractive measures have been released (for OpenSSL) Conclusion

8 K. Stoeckigt (ksto033@ec.auckland.ac.nz) Password interception in a SSL/TLS channel ? What else do you need to know to determine if your system is vulnerable ? Do you think this vulnerability is also a MS-Problem ? Question

Download ppt "K. Stoeckigt Password interception in a SSL/TLS channel Brice Canvel LASEC Memo 02/2003"

Similar presentations

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.

Unifying the conceptual levels of network security through use of patterns Ph.D Dissertation Proposal Candidate: Ajoy Kumar, Advisor: Dr Eduardo B. Fernandez.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.

VOYAGER: Yet Another Secure Web Browser to Demonstrate Secure Socket Layer Working and Implementation By : Shrinivas G. Deshpande Advisor: Dr. Chung E.
J. Wang. Computer Network Security Theory and Practice. Springer 2009 Chapter 5 Network Security Protocols in Practice Part II.

J. Wang. Computer Network Security Theory and Practice. Springer 2009 Chapter 5 Network Security Protocols in Practice Part II.
Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.

Hands-On Ethical Hacking and Network Defense Lecture 15 Man in the Middle Attack to get Passwords from HTTPS Sessions.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
ITA, 2.11.2011, 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.

ITA, , 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.
1 Secure Credit Card Transactions on an Untrusted Channel Source: Information Sciences in review Presenter: Tsuei-Hung Sun ( 孫翠鴻 ) Date: 2010/9/24.

1 Secure Credit Card Transactions on an Untrusted Channel Source: Information Sciences in review Presenter: Tsuei-Hung Sun ( 孫翠鴻 ) Date: 2010/9/24.
Hacker’s tricks for online users to reveal their sensitive information such as credit card, bank account, and social security. Phishing emails are designed.

Hacker’s tricks for online users to reveal their sensitive information such as credit card, bank account, and social security. Phishing s are designed.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.

Mar 12, 2002Mårten Trolin1 This lecture Diffie-Hellman key agreement Authentication Certificates Certificate Authorities SSL/TLS.
Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.

Security Overview Hofstra University University College for Continuing Education - Advanced Java Programming Lecturer: Engin Yalt May 24, 2006.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
CS682- Session 10 Prof. Katz. Well-Known Attacks By far the most common security vulnerabilities Attacks that Script-Kiddies are capable of performing.

CS682- Session 10 Prof. Katz. Well-Known Attacks By far the most common security vulnerabilities Attacks that Script-Kiddies are capable of performing.
Introduction to the Secure SMTP Server service. Secure SMTP server is a secure, reliable SMTP mail relay server for your outgoing mail. Secure SMTP service.

Introduction to the Secure SMTP Server service. Secure SMTP server is a secure, reliable SMTP mail relay server for your outgoing mail. Secure SMTP service.

Similar presentations

Ads by Google