Norbert Muehr (Siemens PLM GTAC EMEA)
|
|
- Diane Bradford
- 5 years ago
- Views:
Transcription
1 Presentation date: Presenter name: Room name: Presentation title: Norbert Muehr (Siemens PLM GTAC EMEA) Room Paris Hardening SSL Configuring a Teamcenter-System for Perfect Forward Secrecy PLM Europe 2018 All rights reserved Your name/company Your name/company Page 1
2 Although, for many companies using encrypted communication has become an IT security principle, much of the data sent across the globe still uses weak encryption which is in danger of getting recorded and decrypted by external parties to steal information. This presentation will focus on the TLS/SSL implementation of elliptic curve cryptography in Teamcenter and related PLM applications. Currently, EC cryptography is stronger encryption than the commonly used RSA-based encryption if its correctly applied. Abstract The presenter will try to illustrate the many influencing factors such as Browsers, Operating systems and middleware creating risks which limit the strength of the encryption and the level of security gained.
3 Agenda: 01. Why hardening SSL/TLS configurations 02. Comparison of RSA and Elliptic Curve cryptography 03. Which connections we cover in this presentation (TC System Architecture) 04. Level of security is the result of a negotiation 05. Sample Configuration: 4Tier RichClient - WebTier 06. Sample Configuration: FCC-FSC 07. Sample Configuration: NX 4Tier to TC Webtier
4 Why hardening SSL/TLS configurations Various parties are interested to get intellectual property from companies: Intelligence Services of countries or hacking groups doing business with them Have replicated access to Internet exchange points or large backbone providers Establish replication at Submarine communications cables or use satellites for this Hence affect especially WAN communication between offices and sites Try to decrypt communication and record what they cannot decrypt for later playback and cracking Organized Crime, Individual hackers or hacking groups selling to competitors Often attack from inside the LAN Page 6
5 Why hardening SSL/TLS configurations The consequence: In large companies or in open Internet, data is in high risk to be revealed during the transport. Hence, SSL/TLS is not enough! It should be state of art SSL/TLS! The structure and quality of a TLS connection is determined by the Cipher suite asynchronous synchronous Key Exchange Authentication (certificate key) Bulk Ciphers (transport) Message Authentication Code (integrity) Page 7 Technical life cycle
6 Synchronous versus asynchronous encryption asynchronous synchronous public private common Page 8
7 Life cycle of encryption algorithm Developed in lab Removed by software vendors Defined as standard Cracked realtime in datacenter Adopted by major software vendors operating systems, browsers, middleware, cloud providers Page 9 Cracked in lab vulnerable careless software providers Innovation of hardware (Moore s law, quant computers) Published weaknesses of algorithm
8 Evolution of SSL/TLS protocols TLS 1.0 TLS 1.2 TLS 1.3 Robot attack Weaker please! SSL 3.0 Weak session tickets 0-RTT Governments Weaker please! BANKS Faster please! Poodle attack BEAST attack CRIME attack Heartbleed attack (Open SSL related) Page 10
9 Comparison of RSA and Elliptic Curve cryptography To put things into perspective, according a Universal Security study of 2013, breaking a 228-bit RSA key would take less energy than what is needed to boil a teaspoon of water. Alternatively, breaking a 228-bit ECC key would require more energy than it would take to boil all the water on earth. [taken from ] Key Exchange (Over insecure connection) Authentication (private and public key) Bulk Ciphers (symmetric encryption during transport) Message Authentication (integrity) Page 11 In focus of this presentation!
10 Comparison of RSA and Elliptic Curve cryptography RSA asymmetric key (private + public) one key during the entire communication Key is created by prime number factorization ECC asymmetric key (private + public + curve) various keys during the entire communication All keys get calculated by a particular elliptic curve Bit size When key is cracked, entire communication can be decrypted if not now, than in future from recorded communication with better technology Higher performance during encryption Lower performance during encryption, but mostly acceptable when properly configured When key is cracked and a suitable algorithm is used, only a portion of communication can be decrypted even in future, hence its called ->see Perfect Forward Secrecy Page 12
11 Comparison of RSA and Elliptic Curve cryptography ECC 256 bit key size 384 bit key size (top secret) RSA 3072 bit key size to be equally strong 7680 bit key size to be equally strong Page 13
12 What is perfect Forward secrecy (PFS)? Current Gold standard in available strong encryption Based on the Ephemeral Diffie-Hellman algorithm (ECDHE) Ephemeral means not static since each new TLS session uses a new key on the same elliptic curve Preventing some known to-be-vulnerable ECC algorithms Due to the strength, preferred by banks, military and other security-sensitive uses cases Consider: As in any ECC, Security level depends on which curve is picked As in any encryption, Security level depends on the bit-size of the keys How long is a TLS session? Page 14
13 Target Cipher TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 Naming get my keys through the evil internet via Create my private and public key via Encrypt all the data being transferred after handshake using shared secret Checksum to prevent modificatio n during transport GCM better than CBC Page 15
14 Why does that relate to Teamcenter? Teamcenter got a distributed architecture Much of the communication between the elements of this architecture communicate via TCP and support SSL/TLS. Many customers of Teamcenter work hard to protect their intellectual property and need to exchange data across offices and countries. Most of the manuals and white papers, I read in the past base on the weaker RSA encryption. Large enterprise TLS encryption Teamcenter web tier behind reverse proxies SME TLS encryption Teamcenter web tier involved in TLS communication Page 16 PS: By the way, SSL and TLS are both technologies for encrypted communication. Still many people say SSL when they mean TLS.
15 Client-Server handshake TLS Client (3) Verify server cert, check crypto params (1)Client Hello Supported ciphers, protocol version, random no#1 with time, session ID (2) Server Hello Selected ciphers, Cert (public key), random no#2, session ID Client cert request (2way) (4) Client key exchange Send secret key (Pre-Master Secret, encrypted with public key) (7) Client finished (5) Send client cert (2way) TLS Server (6) Verify client cert (2way) (8) Server finished (9) Exchange messages Encrypted with shared key Page 17
16 What do we have at the end of handshake? TLS Client TLS Server Public key of server Private, Public key of server Master secret Master secret Bulk-Key MAC-Key Bulk-Key MAC-Key Cipher Suite agreed by client and server Protocol agreed by client and server Cipher Suite agreed by client and server Protocol agreed by client and server Page 18
17 Honour order! Cipher negotiation TLS Client Boo, I have sniffed (recorded) your handshake! TLS Server (1)Client Hello Cipher list client could be browser i.e. Chrome for AWC Java JSSE Schannel (windows) Another web server Supported cipher (2) Server Hello Selected ciphers Cipher list server 1. My best cipher 2. My second-best cipher 3. My worst acceptable cipher Sorry, I am old and don t know new ciphers Old server--> old ciphers! Page 19 Old client--> old ciphers! No common Cipher: Handshake failed!
18 TLS 1.2 Resumed sessions - session tickets/ids Solutions: Use TLS 1.3 Disable SessionTickets Tomcat: Only for APR connector IIS: Powershell: Disable-TlsSessionTicketKey 1. Resumed connections don't perform any Diffie-Hellman exchange 2. Session Tickets contain the session keys of the original connection, so a compromised Session Ticket lets the attacker decrypt not only the resumed connection, but also the original connection. 3. Session Tickets are sent in the clear at the beginning of the original connection. 4. Some J2EE web servers offer modifications of session ID handling Page 20
19 Influencing factors on strength of TLS implementation Bit size of algorithm (configuration) Consider Client-Server negotiation (configuration) Prevent old browsers, require fallback to worse ciphers If IE is used, consider influence of Schannel settings Software versions Check Web server config in detail Cipher Suite list as strict as possible and ordered PFS, frequency of new TLS sessions OpenSSL version should be very latest (after update, regen keys!) Download Or Enable latest Java version with Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction where possible After finishing configuration and TLS connection works, test the used cipher suites with Wireshark!! If you are paranoid, also consider the strength and algorithm of your CA cert and intermediate certs and check which root certs are installed in your OS. Page 21
20 (Teamcenter) PFS Implementation steps JSSE-Versions Test TLS clients: 1 1 supported ciphers Protocols Avail. Root certs Required cert format 2 Updated client list 2 Distribute certs (signed public keys) for server+interm. + root In required key store formats Test TLS servers: supported ciphers Protocols Avail. Root certs Required cert format Check whether config can be improved Updated server list Generate server keys and/or buy them Download root certs and interm. certs Set encryption targets desired ciphers desired protocols Cert vendor (own, commercial, Let s Encrypt) Expected performance reduction (measure unencrypted) 3 Simple tests: Resulting Ciphers Performance impact Refresh every 2 years 7 (Pen tests) Stealing priv. keys Common TLS attacks Page 22
21 Test implementation 1 - Root Key generation Generally, keys maybe generated using OpenSSL or JAVA EC keys only possible in OpenSSL! Create my own CA: Create root cert: openssl.cnf CA config settings openssl ecparam -name prime256v1 -out rootca_param.pem openssl ecparam -in rootca_param.pem -genkey -noout -out rootca_key.pem openssl req -config openssl.cnf -key rootca_key.pem -new -x509 -days sha384 -subj "/C=DE/ST=Hessen/L=Frankfurt/O=SPLM/OU=GTAC-EMEA/CN=GTAC ROOT CA" -out rootca_cert.pem openssl pkcs12 -export -in rootca_cert.pem -inkey rootca_key.pem -nokeys -name root -out trust.p12 -password pass: generate rootca_key.pem copy rootca_cert.pem copy trust.p12 pw: Page 23
22 Test implementation 2 Server Key generation Create main cert: openssl.cnf CA config settings openssl ecparam -name prime256v1 -out prime256v1_param.pem openssl ecparam -in prime256v1_param.pem -genkey -noout -out prime256v1_key.pem openssl req -new -sha384 -key prime256v1_key.pem -out prime256v1_key.csr -subj "/C=DE/ST=Hessen/L=Frankfurt/O=SPLM/OU=GTAC- EMEA/CN=decgnvsrv" openssl ca -config openssl.cnf -extensions server_cert -in prime256v1_key.csr -days 375 -keyfile rootca_key.pem -notext -md sha256 - notext -batch -cert rootca_cert.pem -out prime256v1_cert.pem (openssl req -in prime256v1_key.csr -text -noout) generate rootca_key.pem Often you would pay a commercial vendor for that step prime256v1_param.csr create prime256v1_key.csr signed prime256v1_cert.pem trust Page 24
23 Test implementation 3 - Which key store for which purpose? For Tomcat Server: JKS, PKCS11 or PKCS12 keystore PW: prime256v1_cert For Java JSSE Client JKS truststore cacerts PW:.. rootca_cert For Tomcat Server: JKS, PKCS11 or PKCS12 truststore PW: rootca_cert For NX-cURL No keystore, just pem file rootca_cert default CA Root certs Versisign, Thawte, Lets Encrypt, default CA Root certs Versisign, Thawte, Lets Encrypt, Page 25
24 Teamcenter PFS Implementation overview 4-Tier RAC HTTP HTTPS (PFS) SOA NX pkcs12 file CURL Thin Client in browser: IE11 Windows keystore Schannel SSP->OS Named PIPE (Secured OS Pipes to TCCS) Client Tier TCCS TcServerProxy Truststore FCC Java JSSE TcMEM Keystore OpenSSL Root CA PEM file RootCA key ( ) Main PEM file Web Tier NIO Connector BIO Connector APR Connector Java JSSE OpenSSL Tomcat 8 WAS Keystore Truststore Java JSSE Jetty FSC Main key NX pkcs12 file Main cert (Pub) Enterprise Tier Page 26 Teamcenter Server Manager TCServer FSCproxy CURL Java JSSE Boo, I have hacked your server and stolen your private keys Java 8 JSSE Truststore
25 Teamcenter Large company TLS Implementation overview HTTP 4-Tier RAC Thin Client in browser: IE11 HTTPS (PFS) SOA Windows keystore Schannel SSP->OS Named PIPE (Secured OS Pipes to TCCS) TCCS TcServerProxy FCC TcMEM Client Tier Truststore Java JSSE Keystore Reverse proxy Web Tier NIO Connector BIO Connector APR Connector Java JSSE OpenSSL Tomcat 8 WAS Keystore Truststore Java JSSE Jetty FSC Enterprise Tier Teamcenter Server Manager TCServer Page 27 FSCproxy
26 Cipher Suite testing Page 28
27 TLS 1.3 Coming to you soon! Coming up No more RSA! Tomcat: as minimum since: , onwards IIS 10 (Schannel) on Windows Server 2016 not yet available Java 11- the first release officially implementing TLS 1.3 Firefox since v57 Chrome since v63 Other browsers not yet Page 29
28 Vulnerability testing and config tools Online, requires Internet connection: Any Web server: Offline Config: IIS: Page 30
29 Obtaining state-of-the-art encryption information testing tools, server rating, cipher collections Oracle JSSE reference guide: supported protocols, algorithms and key sizes for your JAVA version Tools to test the actually used cipher free TLS signed certificates Latest OpenSSL versions (includes tools to test CURL TLS) Page 31
30 Thank you.
31 October 2018 Your name/company Page 33
Information Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More informationCryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea
Cryptography SSL/TLS Network Security Workshop 3-5 October 2017 Port Moresby, Papua New Guinea 1 History Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent
More informationOverview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.
Overview of SSL/TLS Luke Anderson luke@lukeanderson.com.au 12 th May 2017 University Of Sydney Overview 1. Introduction 1.1 Raw HTTP 1.2 Introducing SSL/TLS 2. Certificates 3. Attacks Introduction Raw
More informationWAP Security. Helsinki University of Technology S Security of Communication Protocols
WAP Security Helsinki University of Technology S-38.153 Security of Communication Protocols Mikko.Kerava@iki.fi 15.4.2003 Contents 1. Introduction to WAP 2. Wireless Transport Layer Security 3. Other WAP
More informationSharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer
SharkFest 17 Europe SSL/TLS Decryption uncovering secrets Wednesday November 8th, 2017 Peter Wu Wireshark Core Developer peter@lekensteyn.nl 1 About me Wireshark contributor since 2013, core developer
More informationLet's Encrypt - Free SSL certificates for the masses. Pete Helgren Bible Study Fellowship International San Antonio, TX
Let's Encrypt - Free SSL certificates for the masses Pete Helgren Bible Study Fellowship International San Antonio, TX Agenda Overview of data security Encoding and Encryption SSL and TLS Certficate options
More informationComing of Age: A Longitudinal Study of TLS Deployment
Coming of Age: A Longitudinal Study of TLS Deployment Accepted at ACM Internet Measurement Conference (IMC) 2018, Boston, MA, USA Platon Kotzias, Abbas Razaghpanah, Johanna Amann, Kenneth G. Paterson,
More informationSSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1
SSL/TLS & 3D Secure CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk SSL/TLS & 3DSec 1 SSLv2 Brief History of SSL/TLS Released in 1995 with Netscape 1.1 Key generation algorithm
More informationAuth. Key Exchange. Dan Boneh
Auth. Key Exchange Review: key exchange Alice and want to generate a secret key Saw key exchange secure against eavesdropping Alice k eavesdropper?? k This lecture: Authenticated Key Exchange (AKE) key
More informationTLS 1.1 Security fixes and TLS extensions RFC4346
F5 Networks, Inc 2 SSL1 and SSL2 Created by Netscape and contained significant flaws SSL3 Created by Netscape to address SSL2 flaws TLS 1.0 Standardized SSL3 with almost no changes RFC2246 TLS 1.1 Security
More informationData Security and Privacy. Topic 14: Authentication and Key Establishment
Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt
More informationBut where'd that extra "s" come from, and what does it mean?
SSL/TLS While browsing Internet, some URLs start with "http://" while others start with "https://"? Perhaps the extra "s" when browsing websites that require giving over sensitive information, like paying
More informationSSL Visibility and Troubleshooting
Page 1 of 6 view online Avi Vantage provides a number of features to help understand the utilization of SSL traffic and troubleshoot SSL-related issues. Visibility Every virtual service provides a number
More informationTLS1.2 IS DEAD BE READY FOR TLS1.3
TLS1.2 IS DEAD BE READY FOR TLS1.3 28 March 2017 Enterprise Architecture Technology & Operations Presenter Photo Motaz Alturayef Jubial Cyber Security Conference 70% Privacy and security concerns are
More informationSECURE YOUR INTEGRATIONS. Maarten Smeets
SECURE YOUR INTEGRATIONS Maarten Smeets 07-06-2018 About Maarten Integration consultant at AMIS since 2014 Several certifications SOA, BPM, MCS, Java, SQL, PL/SQL, Mule, AWS, etc Enthusiastic blogger http://javaoraclesoa.blogspot.com
More informationCIS 5373 Systems Security
CIS 5373 Systems Security Topic 4.3: Network Security SSL/TLS Endadul Hoque Slide Acknowledgment Contents are based on slides from Cristina Nita-Rotaru (Northeastern) Analysis of the HTTPS Certificate
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More informationSSL/TLS Security Assessment of e-vo.ru
SSL/TLS Security Assessment of e-vo.ru Test SSL/TLS implementation of any service on any port for compliance with industry best-practices, NIST guidelines and PCI DSS requirements. The server configuration
More informationState of TLS usage current and future. Dave Thompson
State of TLS usage current and future Dave Thompson TLS Client/Server surveys Balancing backward compatibility with security. As new vulnerabilities are discovered, when can we shutdown less secure TLS
More informationInstallation and usage of SSL certificates: Your guide to getting it right
Installation and usage of SSL certificates: Your guide to getting it right So, you ve bought your SSL Certificate(s). Buying your certificate is only the first of many steps involved in securing your website.
More informationTransport Level Security
2 Transport Level Security : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l12, Steve/Courses/2013/s2/css322/lectures/transport.tex,
More informationSecuring Connections for IBM Traveler Apps. Bill Wimer STSM for IBM Collaboration Solutions December 13, 2016
Securing Connections for IBM Traveler Apps Bill Wimer (bwimer@us.ibm.com), STSM for IBM Collaboration Solutions December 13, 2016 IBM Technote Article #21989980 Securing Connections for IBM Traveler mobile
More informationSecuring IoT applications with Mbed TLS Hannes Tschofenig
Securing IoT applications with Mbed TLS Hannes Tschofenig Part#2: Public Key-based authentication March 2018 Munich Agenda For Part #2 of the webinar we are moving from Pre-Shared Secrets (PSKs) to certificated-based
More informationAN12120 A71CH for electronic anticounterfeit protection
Document information Info Keywords Abstract Content Security IC, IoT, Product support package, Secure cloud connection, Anti-counterfeit, Cryptographic authentication. This document describes how the A71CH
More informationSSL Server Rating Guide
SSL Server Rating Guide version 2009k (14 October 2015) Copyright 2009-2015 Qualys SSL Labs (www.ssllabs.com) Abstract The Secure Sockets Layer (SSL) protocol is a standard for encrypted network communication.
More informationMTAT Applied Cryptography
MTAT.07.017 Applied Cryptography Transport Layer Security (TLS) Advanced Features University of Tartu Spring 2016 1 / 16 Client Server Authenticated TLS ClientHello ServerHello, Certificate, ServerHelloDone
More informationProving who you are. Passwords and TLS
Proving who you are Passwords and TLS Basic, fundamental problem Client ( user ) How do you prove to someone that you are who you claim to be? Any system with access control must solve this Users and servers
More informationSSL/TLS Server Test of
SSL/TLS Server Test of www.rotenburger-gruene.de Test SSL/TLS implementation of any service on any port for compliance with PCI DSS requirements, HIPAA guidance and NIST guidelines. WWW.ROTENBURGER-GRUENE.DE
More informationNetwork Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014
Network Security: TLS/SSL Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2014 Outline 1. Diffie-Hellman key exchange (recall from earlier) 2. Key exchange using public-key encryption
More informationSecure Internet Communication
Secure Internet Communication Can we prevent the Cryptocalypse? Dr. Gregor Koenig Barracuda Networks AG 09.04.2014 Overview Transport Layer Security History Orientation Basic Functionality Key Exchange
More informationAlice in Cyber world
Alice in Cyber world Protecting Secrets in The Connected World K.S.Sreedharan Director IT Zoho Cast Alice Claude Eve Bob Govan Story So Far Symmetric Key Asymmetric Key Twist in the Tale Claude Convenience
More informationChapter 4: Securing TCP connections
Managing and Securing Computer Networks Guy Leduc Chapter 5: Securing TCP connections Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross Addison-Wesley, March 2012. (section
More informationUnderstand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS
Last Updated: Oct 31, 2017 Understand the TLS handshake Understand client/server authentication in TLS RSA key exchange DHE key exchange Explain certificate ownership proofs in detail What cryptographic
More information32c3. December 28, Nick https://crypto.dance. goto fail;
32c3 December 28, 2015 Nick Sullivan @grittygrease nick@cloudflare.com https://crypto.dance goto fail; a compendium of transport security calamities Broken Key 2 Lock 3 Lock 4 5 6 HTTP HTTPS The S stands
More informationYour Apps and Evolving Network Security Standards
Session System Frameworks #WWDC17 Your Apps and Evolving Network Security Standards 701 Bailey Basile, Secure Transports Engineer Chris Wood, Secure Transports Engineer 2017 Apple Inc. All rights reserved.
More informationGarantía y Seguridad en Sistemas y Redes
Garantía y Seguridad en Sistemas y Redes Tema 2. Cryptographic Tools Esteban Stafford Departamento de Ingeniería Informá2ca y Electrónica Este tema se publica bajo Licencia: Crea2ve Commons BY- NC- SA
More informationInstall the ExtraHop session key forwarder on a Windows server
Install the ExtraHop session key forwarder on a Windows server Published: 2018-12-17 Perfect Forward Secrecy (PFS) is a property of secure communication protocols that enables short-term, completely private
More informationPROVING WHO YOU ARE TLS & THE PKI
PROVING WHO YOU ARE TLS & THE PKI CMSC 414 MAR 29 2018 RECALL OUR PROBLEM WITH DIFFIE-HELLMAN The two communicating parties thought, but did not confirm, that they were talking to one another. Therefore,
More informationSSL Accelerated Services. Feature Description
Feature Description UPDATED: 28 March 2018 Copyright Notices Copyright 2002-2018 KEMP Technologies, Inc. All rights reserved. KEMP Technologies and the KEMP Technologies logo are registered trademarks
More informationA Technology Brief on SSL/TLS Traffic
A Technology Brief on SSL/TLS Traffic This document provides an overview of SSL/TLS technology and offers examples of how Symantec solutions can help manage the increasing SSL traffic within enterprise
More informationDefeating All Man-in-the-Middle Attacks
Defeating All Man-in-the-Middle Attacks PrecisionAccess Vidder, Inc. Defeating All Man-in-the-Middle Attacks 1 Executive Summary The man-in-the-middle attack is a widely used and highly preferred type
More informationNetwork Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010
Network Security: TLS/SSL Tuomas Aura T-110.5240 Network security Aalto University, Nov-Dec 2010 Outline 1. Diffie-Hellman 2. Key exchange using public-key encryption 3. Goals of authenticated key exchange
More informationSSL Report: printware.co.uk ( )
1 of 5 26/06/2015 14:27 Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > printware.co.uk SSL Report: printware.co.uk (194.143.166.5) Assessed on: Fri, 26 Jun 2015 12:53:08
More informationsecuring a host Matsuzaki maz Yoshinobu
securing a host Matsuzaki maz Yoshinobu Hardening a host Differs per operating system Windows: users can not be trusted to make security related decisions in almost all cases OS X : make
More informationSSL Report: ( )
Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > www.workbench.nationaldataservice.org SSL Report: www.workbench.nationaldataservice.org (141.142.210.100) Assessed on:
More informationDesigning Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015
Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015 What Could It Cost You? Average of $0.58 a record According to the Verizon
More informationSSL Report: bourdiol.xyz ( )
Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > bourdiol.xyz > 217.70.180.152 SSL Report: bourdiol.xyz (217.70.180.152) Assessed on: Sun Apr 19 12:22:55 PDT 2015 HIDDEN
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through
More informationPublic Key Infrastructure. What can it do for you?
Public Key Infrastructure What can it do for you? What is PKI? Centrally-managed cryptography, for: Encryption Authentication Automatic negotiation Native support in most modern Operating Systems Allows
More informationBIG-IP System: SSL Administration. Version
BIG-IP System: SSL Administration Version 13.0.0 Table of Contents Table of Contents About SSL Administration on the BIG-IP System...7 About SSL administration on the BIG-IP system... 7 Device Certificate
More informationSecuring Communications with your Apache HTTP Server. Lars Eilebrecht
with your Apache HTTP Server Lars Eilebrecht Lars@apache.org About Me Lars Eilebrecht Independent IT Consultant Contributor to the Apache HTTP Server project since 1996 Member of the ASF Security Team
More informationSSL Report: sharplesgroup.com ( )
1 of 5 26/06/2015 14:28 Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > sharplesgroup.com SSL Report: sharplesgroup.com (176.58.116.26) Assessed on: Fri, 26 Jun 2015
More informationSSL/TLS: Still Alive? Pascal Junod // HEIG-VD
SSL/TLS: Still Alive? Pascal Junod // HEIG-VD 26-03-2015 Agenda SSL/TLS Protocol Attacks What s next? SSL/TLS Protocol SSL/TLS Protocol Family of cryptographic protocols offering following functionalities:
More informationRandomness Extractors. Secure Communication in Practice. Lecture 17
Randomness Extractors. Secure Communication in Practice Lecture 17 11:00-12:30 What is MPC? Manoj Monday 2:00-3:00 Zero Knowledge Muthu 3:30-5:00 Garbled Circuits Arpita Yuval Ishai Technion & UCLA 9:00-10:30
More informationVPN Overview. VPN Types
VPN Types A virtual private network (VPN) connection establishes a secure tunnel between endpoints over a public network such as the Internet. This chapter applies to Site-to-site VPNs on Firepower Threat
More informationUnderstanding Traffic Decryption
The following topics provide an overview of SSL inspection, describe the prerequisites for SSL inspection configuration, and detail deployment scenarios. Traffic Decryption Overview, page 1 SSL Handshake
More informationPerformance implication of elliptic curve TLS
MSc Systems & Network Engineering Performance implication of elliptic curve TLS Maikel de Boer - maikel.deboer@os3.nl Joris Soeurt - joris.soeurt@os3.nl April 1, 2012 Abstract During our research we tested
More informationSSL/TLS Server Test of grupoconsultorefe.com
SSL/TLS Server Test of grupoconsultorefe.com Test SSL/TLS implementation of any service on any port for compliance with PCI DSS requirements, HIPAA guidance and NIST guidelines. GRUPOCONSULTOREFE.COM FINAL
More informationSecure Sockets Layer (SSL) / Transport Layer Security (TLS)
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Brad Karp UCL Computer Science CS GZ03 / M030 20 th November 2017 What Problems Do SSL/TLS Solve? Two parties, client and server, not previously
More informationBIG-IP System: SSL Administration. Version
BIG-IP System: SSL Administration Version 13.1.0 Table of Contents Table of Contents About SSL Administration on the BIG-IP System...7 About SSL administration on the BIG-IP system... 7 Device Certificate
More informationE-commerce security: SSL/TLS, SET and others. 4.1
E-commerce security: SSL/TLS, SET and others. 4.1 1 Electronic payment systems Purpose: facilitate the safe and secure transfer of monetary value electronically between multiple parties Participating parties:
More informationSSL / TLS. Crypto in the Ugly Real World. Malvin Gattinger
SSL / TLS Crypto in the Ugly Real World Malvin Gattinger 2016-03-17 SSL/TLS Figure 1: The General Picture SSL or TLS Goal: Authentication and Encryption Secure Sockets Layer SSL 1 (never released), 2 (1995-2011)
More informationConfiguring SSL Security
CHAPTER9 This chapter describes how to configure SSL on the Cisco 4700 Series Application Control Engine (ACE) appliance. This chapter contains the following sections: Overview Configuring SSL Termination
More informationSecurity issues: Encryption algorithms. Threats Methods of attack. Secret-key Public-key Hybrid protocols. CS550: Distributed OS.
Security issues: Threats Methods of attack Encryption algorithms Secret-key Public-key Hybrid protocols Lecture 15 Page 2 1965-75 1975-89 1990-99 Current Platforms Multi-user timesharing computers Distributed
More informationEncryption. INST 346, Section 0201 April 3, 2018
Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:
More informationHTTPS is Fast and Hassle-free with Cloudflare
HTTPS is Fast and Hassle-free with Cloudflare 1 888 99 FLARE enterprise@cloudflare.com www.cloudflare.com In the past, organizations had to choose between performance and security when encrypting their
More informationTLS Security and Future
TLS Security and Future Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Fixing issues in practice Trust, Checking certificates and
More informationWhite Paper for Wacom: Cryptography in the STU-541 Tablet
Issue 0.2 Commercial In Confidence 1 White Paper for Wacom: Cryptography in the STU-541 Tablet Matthew Dodd matthew@cryptocraft.co.uk Cryptocraft Ltd. Chapel Cottage Broadchalke Salisbury Wiltshire SP5
More informationNIST Cryptographic Toolkit
Cryptographic Toolkit Elaine Barker ebarker@nist.gov National InformationSystem Security Conference October 16, 2000 Toolkit Purpose The Cryptographic Toolkit will provide Federal agencies, and others
More informationLecture 9a: Secure Sockets Layer (SSL) March, 2004
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu Security Achieved by
More informationSSL Report: cartridgeworld.co.uk ( )
1 of 5 26/06/2015 14:21 Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > cartridgeworld.co.uk SSL Report: cartridgeworld.co.uk (95.138.147.104) Assessed on: Fri, 26 Jun
More informationThe State of TLS in httpd 2.4. William A. Rowe Jr.
The State of TLS in httpd 2.4 William A. Rowe Jr. wrowe@apache.org Getting Started Web references have grown stale Web references have grown stale Guidance is changing annually https://www.ssllabs.com/ssltest/analyze.ht
More informationTransport Layer Security
Transport Layer Security TRANSPORT LAYER SECURITY PERFORMANCE TESTING OVERVIEW Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL), are the most popular cryptographic protocols
More informationLecture 10: Communications Security
INF3510 Information Security Lecture 10: Communications Security Nils Gruschka University of Oslo Spring 2018 Introduction Nils Gruschka University Kiel (Diploma in Computer Science) T-Systems, Hamburg
More informationA71CH for secure connection to AWS
Document information Info Content Keywords Security IC, IoT, PSP, AWS, Secure authentication Abstract This document describes how the A71CH security IC can be used to establish a secure connection with
More informationBlackBerry Dynamics Security White Paper. Version 1.6
BlackBerry Dynamics Security White Paper Version 1.6 Page 2 of 36 Overview...4 Components... 4 What's New... 5 Security Features... 6 How Data Is Protected... 6 On-Device Data... 6 In-Transit Data... 7
More informationCSCE 715: Network Systems Security
CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Web Security Web is now widely used by business, government, and individuals But Internet and Web are
More informationIntroduction. INF3510 Information Security. Lecture 10: Communications Security. Outline. Network Security Concepts. University of Oslo Spring 2018
Introduction INF3510 Information Security Lecture 10: Communications Security Nils Gruschka University of Oslo Spring 2018 Nils Gruschka University Kiel (Diploma in Computer Science) T-Systems, Hamburg
More informationIntroducing Hardware Security Modules to Embedded Systems
Introducing Hardware Security Modules to Embedded Systems for Electric Vehicles charging according to ISO/IEC 15118 V1.0 2017-03-17 Agenda Hardware Trust Anchors - General Introduction Hardware Trust Anchors
More informationModern cryptography 2. CSCI 470: Web Science Keith Vertanen
Modern cryptography 2 CSCI 470: Web Science Keith Vertanen Modern cryptography Overview Asymmetric cryptography Diffie-Hellman key exchange (last time) Pubic key: RSA Pretty Good Privacy (PGP) Digital
More informationCryptographic Protocols 1
Cryptographic Protocols 1 Luke Anderson luke@lukeanderson.com.au 5 th May 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Problem with Diffie-Hellman 2.1 Session Hijacking 2.2 Encrypted Key Exchange
More informationScan Report Executive Summary
Scan Report Executive Summary Part 1. Scan Information Scan Customer Company: Date scan was completed: Vin65 ASV Company: Comodo CA Limited 11/20/2017 Scan expiration date: 02/18/2018 Part 2. Component
More informationSecuring Internet Communication: TLS
Securing Internet Communication: TLS CS 161: Computer Security Prof. David Wagner March 11, 2016 Today s Lecture Applying crypto technology in practice Two simple abstractions cover 80% of the use cases
More informationSecurity: Focus of Control. Authentication
Security: Focus of Control Three approaches for protection against security threats a) Protection against invalid operations b) Protection against unauthorized invocations c) Protection against unauthorized
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 24a December 2, 2013 CPSC 467, Lecture 24a 1/20 Secure Shell (SSH) Transport Layer Security (TLS) Digital Rights Management and Trusted
More informationSecuring IoT applications with Mbed TLS Hannes Tschofenig Arm Limited
Securing IoT applications with Mbed TLS Hannes Tschofenig Agenda Theory Threats Security services Hands-on with Arm Keil MDK Pre-shared secret-based authentication (covered in webinar #1) TLS Protocol
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationkey distribution requirements for public key algorithms asymmetric (or public) key algorithms
topics: cis3.2 electronic commerce 24 april 2006 lecture # 22 internet security (part 2) finish from last time: symmetric (single key) and asymmetric (public key) methods different cryptographic systems
More informationEncryption, Certificates and SSL DAVID COCHRANE PRESENTATION TO BELFAST OWASP CHAPTER OCTOBER 2018
Encryption, Certificates and SSL DAVID COCHRANE PRESENTATION TO BELFAST OWASP CHAPTER OCTOBER 2018 Agenda Basic Theory: encryption and hashing Digital Certificates Tools for Digital Certificates Design
More informationContents. SSL-Based Services: HTTPS and FTPS 2. Generating A Certificate 2. Creating A Self-Signed Certificate 3. Obtaining A Signed Certificate 4
Contents SSL-Based Services: HTTPS and FTPS 2 Generating A Certificate 2 Creating A Self-Signed Certificate 3 Obtaining A Signed Certificate 4 Enabling Secure Services 5 SSL/TLS Security Level 5 A Note
More informationVerifying Real-World Security Protocols from finding attacks to proving security theorems
Verifying Real-World Security Protocols from finding attacks to proving security theorems Karthik Bhargavan http://prosecco.inria.fr + many co-authors at INRIA, Microsoft Research, Formal security analysis
More informationCS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD
ERIK JONSSON SCHOOL OF ENGINEERING & COMPUTER SCIENCE Cyber Security Research and Education Institute CS 6324: Information Security Dr. Junia Valente Department of Computer Science The University of Texas
More informationSecurity Fundamentals
COMP 150-IDS: Internet Scale Distributed Systems (Spring 2015) Security Fundamentals Noah Mendelsohn Tufts University Email: noah@cs.tufts.edu Web: http://www.cs.tufts.edu/~noah Copyright 2012 & 2015 Noah
More informationProtocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.
P2 Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE 802.11i, IEEE 802.1X P2.2 IP Security IPsec transport mode (host-to-host), ESP and
More informationINF3510 Information Security University of Oslo Spring Lecture 9 Communication Security. Audun Jøsang
INF3510 Information Security University of Oslo Spring 2011 Lecture 9 Communication Security Audun Jøsang Outline Network security concepts Communication security Perimeter security Protocol architecture
More informationLet s Encrypt Apache Tomcat * * Full disclosure: Tomcat will not actually be encrypted.
Let s Encrypt Apache Tomcat * * Full disclosure: Tomcat will not actually be encrypted. Christopher Schultz Chief Technology Officer Total Child Health, Inc. * Slides available on the Linux Foundation
More informationDistributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018
Distributed Systems 25. Authentication Paul Krzyzanowski Rutgers University Fall 2018 2018 Paul Krzyzanowski 1 Authentication For a user (or process): Establish & verify identity Then decide whether to
More informationIBM Education Assistance for z/os V2R1
IBM Education Assistance for z/os V2R1 Items: TLS V1.2 Suite B RFC 5280 Certificate Validation Element/Component: Cryptographic Services - System SSL Material is current as of June 2013 Agenda Trademarks
More informationOne Year of SSL Internet Measurement ACSAC 2012
One Year of SSL Internet Measurement ACSAC 2012 Olivier Levillain, Arnaud Ébalard, Benjamin Morin and Hervé Debar ANSSI / Télécom SudParis December 5th 2012 Outline 1 SSL/TLS: a brief tour 2 Methodology
More informationProtecting MySQL network traffic. Daniël van Eeden 25 April 2017
Protecting MySQL network traffic Daniël van Eeden 25 April 2017 Booking.com at a glance Started in 1996; still based in Amsterdam Member of the Priceline Group since 2005 (stock: PCLN) Amazing growth;
More information