Presentation is loading. Please wait.

Presentation is loading. Please wait.

TLS/SSL - How and Why PCI Flags it but why do we care? By: MadHat Unspecific.

Published byBrian Glenn Modified over 9 years ago

Similar presentations

Presentation on theme: "TLS/SSL - How and Why PCI Flags it but why do we care? By: MadHat Unspecific."— Presentation transcript:

1 TLS/SSL - How and Why PCI Flags it but why do we care? By: MadHat Unspecific

2 SSL – How and Why What is TLS/SSL? How does TLS/SSL work? What is the difference between TLS and SSL? What is it used for? Weak Ciphers How this relates to PCI Exploitable SSL-Cipher-Check (tool from Unspecific.com)

3 What is TLS/SSL? Transport Layer Security Secure Socket Layers Application Layer Protocols Public/Asymmetric Key Cryptography OSI Layer 6

4 How does TLS/SSL work? Encryption Protocol, Key Length, Hashing Algorithm Authentication Handshake – Request – Protocols Supported – Digital Certificate – Session Keys

5 What is it used for? Security & Data Integrity Prevents Eavesdropping, tampering & message forgery HTTP is most famous as HTTPS Any layer 7 protocol, POP3, IMAP, SMTP, FTP OpenVPN Stunnel Ncat (included with Nmap)

6 Weak Ciphers Old Protocols – SSLv2 Key Strength – 40bit & 56bit ciphers – RC2, RC4, NULL Weak Hash Algorithms – DES ADH - anonymous DH cipher

7 How this relates to PCI & Other Standards PCI 4.1 - Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.

8 Exploitable Man in the Middle Decryption of Communications

9 SSL-Cipher-Check OpenSSL binary Checks ALL supported Ciphers openssl ciphers openssl s_client -$protocol -cipher $cipher -connect $host:$port ssl_dump.log Raw openssl output

10 SSL-Cipher-Check $./ssl-cipher-check.pl : SSL Cipher Check: 1.1 : written by Lee 'MadHat' Heath (at) Unspecific.com Usage:./ssl-cipher-check.pl [ -dvwas ] [ ] default port is 443 -d Add debug info (show it all, lots of stuff) -v Verbose. Show more info about what is found -w Show only weak ciphers enabled. -a Show all ciphers, enabled or not -s Show only the STRONG ciphers enabled.

11 References http://en.wikipedia.org/wiki/Public-key_cryptography http://en.wikipedia.org/wiki/Transport_Layer_Security http://www.openssl.org/ http://www.verisign.com/ssl/ssl-information-center/ssl-basics/index.html http://en.wikipedia.org/wiki/OSI_model http://www.gnu.org/software/gnutls/ http://openvpn.net/ http://www.stunnel.org/ http://lasecwww.epfl.ch/memo/memo_ssl.shtml http://www.owasp.org/index.php/Testing_for_SSL-TLS http://www.unspecific.com/2009/02/16/ssl-cipher-check http://www.schneier.com/paper-ssl.pdf https://www.pcisecuritystandards.org/security_standards/download.html?id= pci_dss_v1-2.pdf https://www.pcisecuritystandards.org/security_standards/download.html?id= pci_dss_v1-2.pdf

12 Future Meetings/Talks T-Shirt DefCon

Download ppt "TLS/SSL - How and Why PCI Flags it but why do we care? By: MadHat Unspecific."

Similar presentations

Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.

Security and Privacy over the Internet Chan Hing Wing, Anthony Mphil Yr. 1, CSE, CUHK Oct 19, 1998.
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.

Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York.
TLS. 14.1 Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.

TLS Introduction 14.2 TLS Record Protocol 14.3 TLS Handshake Protocol 14.4 Summary.
Cryptography and Network Security

Cryptography and Network Security
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, I've Got You under My Skin“ by Cole Porter.

7-1 Chapter 7 – Web Security Use your mentality Wake up to reality —From the song, "I've Got You under My Skin“ by Cole Porter.
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.

Chapter 7 Web Security MSc. NGUYEN CAO DAT Dr. TRAN VAN HOAI.
Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.

Transport Layer Security (TLS) Protocol Introduction to networks and communications(CS555) Prof : Dr Kurt maly Student:Abhinav y.
ITA, 2.11.2011, 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.

ITA, , 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Securing Network Communication. 2 Security Issues in Communication Privacy  Anyone can see content Integrity  Someone might alter content Authentication.

Securing Network Communication. 2 Security Issues in Communication Privacy  Anyone can see content Integrity  Someone might alter content Authentication.
Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.

Netprog: Cryptgraphy1 Cryptography Reference: Network Security PRIVATE Communication in a PUBLIC World. by Kaufman, Perlman & Speciner.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
© 2004, The Technology Firm WWW.THETECHFIRM.COM SSL Packet Decodes From Wikipedia, the free encyclopedia.  Secure Sockets Layer (SSL) is a cryptographic.

© 2004, The Technology Firm SSL Packet Decodes From Wikipedia, the free encyclopedia.  Secure Sockets Layer (SSL) is a cryptographic.
Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)

Java Security Model Lab#1 I. Omaima Al-Matrafi. Safety features built into the JVM Type-safe reference casting Structured memory access (no pointer arithmetic)
Cryptography and Network Security Chapter 17

Cryptography and Network Security Chapter 17

Similar presentations

Ads by Google