Ecosystem at Large
|
|
- Francis Underwood
- 6 years ago
- Views:
Transcription
1 Testing TLS in the Ecosystem at Large IT-SeCX 2015 Wilfried Mayer, Aaron Zauner, Martin Schmiedecker, Markus Huber
2 Overview Background Methodology Results Mitigation 2
3 Background
4 Transport Layer Security Most widely used cryptographic protocol Lots of research for HTTP + TLS = HTTPS Not for other application layer protocols Especially on high-confidentiality / traffic systems like 3
5 Many people use public mail services (E.g. Gmail) Millions of smaller mail-daemons on the Internet not invented with security in mind Crypto settings? 4
6 Flow 5
7 Protocols and TCP Ports Port TLS Protocol Usage 25 STARTTLS SMTP Transmission 110 STARTTLS POP3 Retrieval 143 STARTTLS IMAP Retrieval 465 Implicit SMTPS Submission 587 STARTTLS SMTP Submission 993 Implicit IMAPS Retrieval 995 Implicit POP3S Retrieval 6
8 STARTTLS & SMTP 7
9 TLS Handshake 8
10 Concept of Cipher Suites 9
11 Methodology
12 So we scanned the entire IPv4 space! masscan for discovery scans and X.509 Certificate collection SSLyze (customized) with queueing framework around it More than 10 billion TLS handshakes over the course of a couple of months (not counting discovery scans) 10
13 TLS enumeration 11
14 Input dataset / collection 12
15 Scan Flow 13
16 Organizational and Ethical Considerations Get an upstream ISP that is willing to help your research Randomize target networks Be transparent! Inform all responsible people WHOIS / RIPE entry explaining the research project Webpage on the scan host explaining the research project Abuse contact 14
17 Abuse Complaints People will complain!...they even might write to your management or unrelated 3rd parties Introduce an abuse contact! Handle each mail request professionally 15
18 Some Statistics Received 89 mails in total 52 auto generated by IDS / Ops tooling 16 simple blacklisting requests (sometimes large CIDR ranges) A few were blatantly rude A few very interested in our work 16
19 Results
20 Data Overview Conducted 20,270,768 scans 7 different TCP ports April to August
21 Data Overview 18,381,936 valid reponses 551 TLS handshakes per host/port combination 89.78% handshakes rejected 8.26% accepted 1.95% error 18
22 Protocol Version Support % SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 19
23 Protocol Version Support Only SSLv2 and SSLv3 0.2% for SMTP, < 0.1% for others Only TLSv1.1 and TLSv1.2 < 0.5% for all protocols Only TLSv1 upwards 8% for SMTP, 18 45% for others 20
24 Key Exchange Methods RSA 25: 92% 465: 95% 587: 93% Retrieval: 99% DHE-RSA 25: 86% 465: 86% 587: 65% Retrieval: 74% ECDHE-RSA 25: 41% 465: 12% 587: 25% Retrieval: 8% 21
25 Key Exchange Security Diffie-Hellman - DH(E): Large amount of 512-bit DH primes in SMTP (EXPORT!) DH group size below or equal to 1024 bit is very common in all protocols Elliptic Curve Diffie-Hellman - ECDH(E): SMTP: 99% use secp256r1 curve POP/IMAP: 70% use secp384r1 cuve 22
26 Key Exchange Security: Common Primes SMTP: a 512-bit prime used by 64%, a 1024-bit prime used by 69% (Postfix) 512-bit Postfix prime: 0x00883f00affc0c8ab835cde5c20f55d f063f1607bfce1335e41c1e03f3ab17f e10d73eb4eb468c4050e691a 56e0145dec9b11f6454fad9ab4f70ba5b 23
27 Key Exchange Security: Perfect Forward Secrecy % PFS 24
28 Accepted Ciphers % RC4 AES-256 (GCM) Export grade 25
29 X.509 Certificates: Self vs. CA-signed % ok self signed unable Compared to Mozilla Truststore: ok: CA signed, unable: unable to get local issuer 26
30 X.509 Certificates (cont.) 99% of leafs use RSA (vs. e.g. ECDSA) Most SMTP(S) leafs and intermediates above 1024-bit RSA (most 2k) Less than 10% use 4096-bit RSA public keys 27
31 X.509 Certificates: Volatility 4.5M 4.0M 3.5M 3.0M Certificates 2.5M 2.0M 1.5M 1.0M 0.5M SMTP 1024 SMTP 2048 SMTP M based on scans.io data 28
32 X.509 Certificates (cont.) Name IPs Parallels Panel - Parallels 306,852 imap.example.com - IMAP server (1024bit) 261,741 Automatic...POP3 SSL key - Courier...(1024bit) 87,246 Automatic...IMAP SSL key - Courier...(1024bit) 83,976 localhost - Dovecot mail server 13,134 29
33 X.509 Certificates (cont.) Common Name Port IPs *.nazwa.pl (nazwassl) 25 40,568 b16c...6e , , , ,451 *.pair.com (USERTrust RSA Organization...) 25 15,573 a42d...768f , , , , , ,
34 X.509 Certificates: Weak RSA Keys Analyzed 40,268,806 certificates Similar to Heninger et al. Mining Your Ps and Qs Fast-GCD [algo. djb, impl. Heninger et al.] 456 GCDs found (= RSA private keys recovered) 31
35 Collateral Damage Open-source mail daemons are easily DoS ed - test carefully (Re)discovered a dovecot bug: (CVE , investigated and reported by Hanno Boeck) OpenSSL will establish EXPORT ciphersuites with TLS 1.1 and 1.2 RFC: MUST NOT AFAIK unfixed 32
36 Mitigation
37 Solid Server Configurations & Awareness Activate TLS / STARTTLS bettercrypto.org Mozilla Server TLS Security guide: RFC 7457 Summarizing Known Attacks on TLS... RFC 7525 Recommendations for Secure Use of TLS... Educating administrators and managers 33
38 Key Pinning Public keys get pinned on first use (TOFU) Elegant solution but difficult deployment model HPKP (for HTTPS) available, not really deployed yet TACK(.io) is a universal TLS extension that would also fit e.g. STARTTLS protocols (deadlock) 34
39 DNSSEC / DANE DANE is a nice protocol DNSSEC shifts trust to TLDs instead of CAs DNSSEC has deployment problems It s still one option that could work, so why not deploy in addition? 35
40 DKIM, SPF, DMARC Especially if you are hosting a large environment you MUST deploy: DKIM (DomainKeys Identified Mail) SPF (Sender Policy Framework) DMARC (Domain-based Message Authentication, Reporting, and Conformance) 36
41 Beyond Let s Encrypt by EFF et al. DEEP (Deployable Enhanced Privacy) Similar to how HSTS works for HTTPS Continued scans necessary to track change over time Published data sets: Full paper: 37
42 Questions? 38
No Need for Black Chambers
No Need for Black Chambers Testing TLS in the E-mail Ecosystem at Large Wilfried Mayer, Aaron Zauner, Martin Mulazzani, Markus Huber (FH St-Poelten) Overview Background Methodology Results Abuse-handling
More informationSSL/TLS Security Assessment of e-vo.ru
SSL/TLS Security Assessment of e-vo.ru Test SSL/TLS implementation of any service on any port for compliance with industry best-practices, NIST guidelines and PCI DSS requirements. The server configuration
More informationSSL/TLS Server Test of
SSL/TLS Server Test of www.rotenburger-gruene.de Test SSL/TLS implementation of any service on any port for compliance with PCI DSS requirements, HIPAA guidance and NIST guidelines. WWW.ROTENBURGER-GRUENE.DE
More informationHow to Configure SSL Interception in the Firewall
Most applications encrypt outgoing connections with SSL or TLS. SSL Interception decrypts SSL-encrypted HTTPS and SMTPS traffic to allow Application Control features (such as the Virus Scanner, ATP, URL
More informationSSL/TLS Server Test of grupoconsultorefe.com
SSL/TLS Server Test of grupoconsultorefe.com Test SSL/TLS implementation of any service on any port for compliance with PCI DSS requirements, HIPAA guidance and NIST guidelines. GRUPOCONSULTOREFE.COM FINAL
More informationTLS 1.1 Security fixes and TLS extensions RFC4346
F5 Networks, Inc 2 SSL1 and SSL2 Created by Netscape and contained significant flaws SSL3 Created by Netscape to address SSL2 flaws TLS 1.0 Standardized SSL3 with almost no changes RFC2246 TLS 1.1 Security
More informationUnderstand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS
Last Updated: Oct 31, 2017 Understand the TLS handshake Understand client/server authentication in TLS RSA key exchange DHE key exchange Explain certificate ownership proofs in detail What cryptographic
More informationComing of Age: A Longitudinal Study of TLS Deployment
Coming of Age: A Longitudinal Study of TLS Deployment Accepted at ACM Internet Measurement Conference (IMC) 2018, Boston, MA, USA Platon Kotzias, Abbas Razaghpanah, Johanna Amann, Kenneth G. Paterson,
More informationSSL Report: ( )
Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > www.workbench.nationaldataservice.org SSL Report: www.workbench.nationaldataservice.org (141.142.210.100) Assessed on:
More informationFUJITSU Software BS2000 internet Services. Version 3.4A May Readme
FUJITSU Software BS2000 internet Services Version 3.4A May 2016 Readme All rights reserved, including intellectual property rights. Technical data subject to modifications and delivery subject to availability.
More informationA Federal Agency Guide to Complying with Binding Operational Directive (BOD) 18-01
Table of Contents Introduction... 2 Required Actions Overview... 2 Required Actions Email Security... 3 Required Actions Web Security... 9 Status of Implementation... 11 Roles and Responsibilities... 11
More informationTLS1.2 IS DEAD BE READY FOR TLS1.3
TLS1.2 IS DEAD BE READY FOR TLS1.3 28 March 2017 Enterprise Architecture Technology & Operations Presenter Photo Motaz Alturayef Jubial Cyber Security Conference 70% Privacy and security concerns are
More informationPerformance implication of elliptic curve TLS
MSc Systems & Network Engineering Performance implication of elliptic curve TLS Maikel de Boer - maikel.deboer@os3.nl Joris Soeurt - joris.soeurt@os3.nl April 1, 2012 Abstract During our research we tested
More informationBetterCrypto org Applied Crypto Hardening
BetterCrypto org Applied Crypto Hardening David Durvaux Brussels, 12 th June 2014 Why better crypto? But of course... It is not only the NSA, who intercepts Other nations now have a blueprint (thanks
More informationOne Year of SSL Internet Measurement ACSAC 2012
One Year of SSL Internet Measurement ACSAC 2012 Olivier Levillain, Arnaud Ébalard, Benjamin Morin and Hervé Debar ANSSI / Télécom SudParis December 5th 2012 Outline 1 SSL/TLS: a brief tour 2 Methodology
More informationBIG-IP System: SSL Administration. Version
BIG-IP System: SSL Administration Version 13.0.0 Table of Contents Table of Contents About SSL Administration on the BIG-IP System...7 About SSL administration on the BIG-IP system... 7 Device Certificate
More informationSECRETS OF THE ENCRYPTED INTERNET: WORLDWIDE CRYPTOGRAPHIC TRENDS
SESSION ID: PDAC-F02 SECRETS OF THE ENCRYPTED INTERNET: WORLDWIDE CRYPTOGRAPHIC TRENDS David Holmes Threat Researcher F5 Networks, Inc. @dholmesf5 Who is that Guy? David Holmes Childhood crypto enthusiast
More informationAbout FIPS, NGE, and AnyConnect
About FIPS, NGE, and AnyConnect, on page 1 Configure FIPS for the AnyConnect Core VPN Client, on page 4 Configure FIPS for the Network Access Manager, on page 5 About FIPS, NGE, and AnyConnect AnyConnect
More informationChapter 4: Securing TCP connections
Managing and Securing Computer Networks Guy Leduc Chapter 5: Securing TCP connections Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross Addison-Wesley, March 2012. (section
More informationBIG-IP System: SSL Administration. Version
BIG-IP System: SSL Administration Version 13.1.0 Table of Contents Table of Contents About SSL Administration on the BIG-IP System...7 About SSL administration on the BIG-IP system... 7 Device Certificate
More informationUnderstanding Traffic Decryption
The following topics provide an overview of SSL inspection, describe the prerequisites for SSL inspection configuration, and detail deployment scenarios. About Traffic Decryption, page 1 SSL Inspection
More informationSSL Report: printware.co.uk ( )
1 of 5 26/06/2015 14:27 Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > printware.co.uk SSL Report: printware.co.uk (194.143.166.5) Assessed on: Fri, 26 Jun 2015 12:53:08
More informationUnderstanding Traffic Decryption
The following topics provide an overview of SSL inspection, describe the prerequisites for SSL inspection configuration, and detail deployment scenarios. Traffic Decryption Overview, page 1 SSL Handshake
More informationSSL Report: bourdiol.xyz ( )
Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > bourdiol.xyz > 217.70.180.152 SSL Report: bourdiol.xyz (217.70.180.152) Assessed on: Sun Apr 19 12:22:55 PDT 2015 HIDDEN
More informationOndřej Caletka. November 2015
A measurement of SMTP over TLS Ondřej Caletka November 2015 Ondřej Caletka (CESNET, z s p o) A measurement of SMTP over TLS November 2015 1 / 13 The principle SMTP To: bob@borg From alice@aorg Dear Bob
More informationCS 356 Internet Security Protocols. Fall 2013
CS 356 Internet Security Protocols Fall 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter 5
More informationDesigning Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015
Designing Network Encryption for the Future Emily McAdams Security Engagement Manager, Security & Trust Organization BRKSEC-2015 What Could It Cost You? Average of $0.58 a record According to the Verizon
More informationIPsec and SSL/TLS. Applied Cryptography. Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, /43
0/43 IPsec and SSL/TLS Applied Cryptography 0 Andreas Hülsing (Slides mostly by Ruben Niederhagen) Dec. 1st, 2016 Cryptography in the TCP/IP stack application layer transport layer network layer data-link
More informationEncryption Everywhere
Encryption Everywhere Adapting to a New Reality that favors Security and Privacy Kathleen Moriarty EMC Office of CTO IETF Security Area Director (Speaking for myself, not the IETF) 1 Agenda Protocol and
More informationSharkFest 17 Europe. SSL/TLS Decryption. uncovering secrets. Wednesday November 8th, Peter Wu Wireshark Core Developer
SharkFest 17 Europe SSL/TLS Decryption uncovering secrets Wednesday November 8th, 2017 Peter Wu Wireshark Core Developer peter@lekensteyn.nl 1 About me Wireshark contributor since 2013, core developer
More informationSecurity by Any Other Name:
Security by Any Other Name: On the Effectiveness of Provider Based Email Security Ian Foster, Jon Larson, Max Masich, Alex C. Snoeren, Stefan Savage, and Kirill Levchenko University of California, San
More information32c3. December 28, Nick https://crypto.dance. goto fail;
32c3 December 28, 2015 Nick Sullivan @grittygrease nick@cloudflare.com https://crypto.dance goto fail; a compendium of transport security calamities Broken Key 2 Lock 3 Lock 4 5 6 HTTP HTTPS The S stands
More informationSSL Accelerated Services. Feature Description
Feature Description UPDATED: 28 March 2018 Copyright Notices Copyright 2002-2018 KEMP Technologies, Inc. All rights reserved. KEMP Technologies and the KEMP Technologies logo are registered trademarks
More informationTLS in the wild. An Internet-wide analysis of TLS-based protocols for electronic communication. Ralph Holz
TLS in the wild An Internet-wide analysis of TLS-based protocols for electronic communication Ralph Holz School of Information Technologies Faculty of Engineering & Information Technologies Team This is
More informationSSL Report: sharplesgroup.com ( )
1 of 5 26/06/2015 14:28 Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > sharplesgroup.com SSL Report: sharplesgroup.com (176.58.116.26) Assessed on: Fri, 26 Jun 2015
More informationMTAT Applied Cryptography
MTAT.07.017 Applied Cryptography Transport Layer Security (TLS) Advanced Features University of Tartu Spring 2016 1 / 16 Client Server Authenticated TLS ClientHello ServerHello, Certificate, ServerHelloDone
More informationconcerto: A Methodology Towards Reproducible Analyses of TLS Datasets
concerto: A Methodology Towards Reproducible Analyses of TLS Datasets Olivier Levillain, Maxence Tury and Nicolas Vivet ANSSI Real World Crypto January 6th 2017 Levillain, Tury, Vivet (ANSSI) concerto
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More informationLecture 9a: Secure Sockets Layer (SSL) March, 2004
Internet and Intranet Protocols and Applications Lecture 9a: Secure Sockets Layer (SSL) March, 2004 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu Security Achieved by
More informationSSL Report: cartridgeworld.co.uk ( )
1 of 5 26/06/2015 14:21 Home Projects Qualys.com Contact You are here: Home > Projects > SSL Server Test > cartridgeworld.co.uk SSL Report: cartridgeworld.co.uk (95.138.147.104) Assessed on: Fri, 26 Jun
More informationSSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1
SSL/TLS & 3D Secure CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk SSL/TLS & 3DSec 1 SSLv2 Brief History of SSL/TLS Released in 1995 with Netscape 1.1 Key generation algorithm
More informationData Security and Privacy. Topic 14: Authentication and Key Establishment
Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt
More informationbuilding an effective action plan for the Department of Homeland Security
Customer Guide building an effective action plan for the Department of Homeland Security Binding The recently issued directive from the Department of Homeland Security (DHS), Binding Operational Directive
More informationCipher Suite Practices and Pitfalls:
Cipher Suite Practices and Pitfalls: An Overview of Cipher Suite Configuration and Pitfalls on BIG-IP PRESENTED BY: A cipher suite is a named combination of authentication, encryption, message authentication
More informationConfiguring SSL. SSL Overview CHAPTER
7 CHAPTER This topic describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section are:
More informationNayanamana Samarasinghe and Mohammad Mannan. Concordia University, Montreal, Canada
Nayanamana Samarasinghe and Mohammad Mannan Concordia University, Montreal, Canada Background Rapid growth of Internet-connected devices (IoT) Forecast: 25- billion devices (Cisco, Ericson, Gartner) by
More informationWAP Security. Helsinki University of Technology S Security of Communication Protocols
WAP Security Helsinki University of Technology S-38.153 Security of Communication Protocols Mikko.Kerava@iki.fi 15.4.2003 Contents 1. Introduction to WAP 2. Wireless Transport Layer Security 3. Other WAP
More informationNetwork Security. Thierry Sans
Network Security Thierry Sans HTTP SMTP DNS BGP The Protocol Stack Application TCP UDP Transport IPv4 IPv6 ICMP Network ARP Link Ethernet WiFi The attacker is capable of confidentiality integrity availability
More informationIBM Education Assistance for z/os V2R1
IBM Education Assistance for z/os V2R1 Items: TLS V1.2 Suite B RFC 5280 Certificate Validation Element/Component: Cryptographic Services - System SSL Material is current as of June 2013 Agenda Trademarks
More informationConfiguring SSL CHAPTER
7 CHAPTER This chapter describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section
More information2015 Online Trust Audit & Honor Roll Methodology
2015 Online Trust Audit & Honor Roll Methodology Jeff Wilbur VP Marketing, Iconix Craig Spiezle Executive Director & President, OTA 2015 All rights reserved. Online Trust Alliance (OTA) Slide 1 Who Is
More informationNonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS. Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic
Nonce-Disrespecting Adversaries: Practical Forgery Attacks on GCM in TLS Hanno Böck, Aaron Zauner, Sean Devlin, Juraj Somorovsky, Philipp Jovanovic 1 TLS Encryption 1. Asymmetric key exchange RSA, DHE,
More informationInstall the ExtraHop session key forwarder on a Windows server
Install the ExtraHop session key forwarder on a Windows server Published: 2018-12-17 Perfect Forward Secrecy (PFS) is a property of secure communication protocols that enables short-term, completely private
More informationVPN Overview. VPN Types
VPN Types A virtual private network (VPN) connection establishes a secure tunnel between endpoints over a public network such as the Internet. This chapter applies to Site-to-site VPNs on Firepower Threat
More informationLet's Encrypt - Free SSL certificates for the masses. Pete Helgren Bible Study Fellowship International San Antonio, TX
Let's Encrypt - Free SSL certificates for the masses Pete Helgren Bible Study Fellowship International San Antonio, TX Agenda Overview of data security Encoding and Encryption SSL and TLS Certficate options
More informationCSCE 813 Internet Security Secure Services I
CSCE 813 Internet Security Secure E-Mail Services I Professor Lisa Luo Fall 2017 Previous Class Why do we need cloud computing? Three models of cloud service Software as a service (SaaS) Platform as a
More informationConfiguring SSL. SSL Overview CHAPTER
CHAPTER 8 Date: 4/23/09 This topic describes the steps required to configure your ACE (both the ACE module and the ACE appliance) as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination.
More informationCryptography and Network Security Chapter 16. Fourth Edition by William Stallings
Cryptography and Network Security Chapter 16 Fourth Edition by William Stallings Chapter 16 IP Security If a secret piece of news is divulged by a spy before the time is ripe, he must be put to death,
More informationRequirements from the. Functional Package for Transport Layer Security (TLS)
Requirements from the Functional Package for Transport Layer Security (TLS) Version: 1.0 2018-12-17 National Information Assurance Partnership Revision History Version Date Comment Introduction Purpose.
More informationTLS 1.2 Protocol Execution Transcript
Appendix C TLS 1.2 Protocol Execution Transcript In Section 2.3, we overviewed a relatively simple protocol execution transcript for SSL 3.0. In this appendix, we do something similar for TLS 1.2. Since
More informationSecure Socket Layer Health Assessment
Secure Socket Layer Health Assessment Mick Pouw, Eric van den Haak February 5, 2014 1 Introduction Background Research Questions 2 Research Implementing SSL, the right way Common mistakes Classifying mistakes
More informationFindings for
Findings for 198.51.100.23 Scan started: 2017-07-11 12:30 UTC Scan ended: 2017-07-11 12:39 UTC Overview Medium: Port 443/tcp - NEW Medium: Port 443/tcp - NEW Medium: Port 443/tcp - NEW Medium: Port 80/tcp
More informationState of TLS usage current and future. Dave Thompson
State of TLS usage current and future Dave Thompson TLS Client/Server surveys Balancing backward compatibility with security. As new vulnerabilities are discovered, when can we shutdown less secure TLS
More informationSecuring Connections for IBM Traveler Apps. Bill Wimer STSM for IBM Collaboration Solutions December 13, 2016
Securing Connections for IBM Traveler Apps Bill Wimer (bwimer@us.ibm.com), STSM for IBM Collaboration Solutions December 13, 2016 IBM Technote Article #21989980 Securing Connections for IBM Traveler mobile
More informationA look at the PGP keyserver data
A look at the PGP keyserver data Hanno Böck 1 / 23 The PGP Ecosystem Should we care? PGP problems Is PGP here to stay? Conclusion The PGP Ecosystem The OpenPGP standard (RFC 4880) Software packages (Original
More informationHigh-Tech Bridge s Free SSL Server Test API Developer Documentation Version v1.2 24th of January 2018
HTB_SSLDOCS_v1.2.pdf Page 1 of 55 High-Tech Bridge s Free SSL Server Test API Developer Documentation Version v1.2 24th of January 2018 Table of Contents... 1 General overview... 2 Server information...
More informationVerifying Real-World Security Protocols from finding attacks to proving security theorems
Verifying Real-World Security Protocols from finding attacks to proving security theorems Karthik Bhargavan http://prosecco.inria.fr + many co-authors at INRIA, Microsoft Research, Formal security analysis
More informationScan Report Executive Summary. Part 2. Component Compliance Summary IP Address :
Scan Report Executive Summary Part 1. Scan Information Scan Customer Company: Date scan was completed: Vin65 ASV Company: Comodo CA Limited 03/18/2015 Scan expiration date: 06/16/2015 Part 2. Component
More informationSecuring IoT applications with Mbed TLS Hannes Tschofenig
Securing IoT applications with Mbed TLS Hannes Tschofenig Part#2: Public Key-based authentication March 2018 Munich Agenda For Part #2 of the webinar we are moving from Pre-Shared Secrets (PSKs) to certificated-based
More informationSecure Internet Communication
Secure Internet Communication Can we prevent the Cryptocalypse? Dr. Gregor Koenig Barracuda Networks AG 09.04.2014 Overview Transport Layer Security History Orientation Basic Functionality Key Exchange
More informationCIP Security Phase 1 Secure Transport for EtherNet/IP
CIP Security Phase 1 Secure Transport for EtherNet/IP Brian Batke, Rockwell Automation Dennis Dubé, Schneider Electric Joakim Wiberg, HMS Industrial Networks October 14, 2015 The Need for a Secure Transport
More informationE-commerce security: SSL/TLS, SET and others. 4.1
E-commerce security: SSL/TLS, SET and others. 4.1 1 Electronic payment systems Purpose: facilitate the safe and secure transfer of monetary value electronically between multiple parties Participating parties:
More informationBetterCrypto - three years in..
Aaron Zauner @a_z_e_t azet@azet.org Timeline We start at the beginning. The year is 2013. June: Snowden revelations Summer: More leaks start apprearing... People start talking about a Crypto-Apocalypse
More informationThe State of TLS in httpd 2.4. William A. Rowe Jr.
The State of TLS in httpd 2.4 William A. Rowe Jr. wrowe@apache.org Getting Started Web references have grown stale Web references have grown stale Guidance is changing annually https://www.ssllabs.com/ssltest/analyze.ht
More informationTransport Level Security
2 Transport Level Security : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l12, Steve/Courses/2013/s2/css322/lectures/transport.tex,
More informationSSL Server Rating Guide
SSL Server Rating Guide version 2009k (14 October 2015) Copyright 2009-2015 Qualys SSL Labs (www.ssllabs.com) Abstract The Secure Sockets Layer (SSL) protocol is a standard for encrypted network communication.
More informationA Technology Brief on SSL/TLS Traffic
A Technology Brief on SSL/TLS Traffic This document provides an overview of SSL/TLS technology and offers examples of how Symantec solutions can help manage the increasing SSL traffic within enterprise
More informationSecurity Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel
Security Protocols Professor Patrick McDaniel CSE545 - Advanced Network Security Spring 2011 CSE545 - Advanced Network Security - Professor McDaniel 1 Case Study: Host Access The first systems used telnet
More informationSSL / TLS. Crypto in the Ugly Real World. Malvin Gattinger
SSL / TLS Crypto in the Ugly Real World Malvin Gattinger 2016-03-17 SSL/TLS Figure 1: The General Picture SSL or TLS Goal: Authentication and Encryption Secure Sockets Layer SSL 1 (never released), 2 (1995-2011)
More informationIOS Common Cryptographic Module (IC2M)
IOS Common Cryptographic Module (IC2M) FIPS 140-2 Non Proprietary Security Policy Level 1 Validation Version 0.3 April 18, 2013 Table of Contents 1 INTRODUCTION... 3 1.1 PURPOSE... 3 1.2 MODULE VALIDATION
More informationMDaemon Vs. Kerio Connect
Comparison Guide Vs. The following chart is a side-by-side feature comparison of Email Server and. Flex Licensing Maximum Accounts Unlimited Unlimited SMTP, POP3, DomainPOP, and MultiPOP SSL / TLS / StartTLS
More informationCryptography (Overview)
Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography
More informationMDaemon Vs. IceWarp Unified Communications Server
Comparison Guide Vs. The following chart is a side-by-side feature comparison of Email Server and. Flex Licensing Maximum Accounts Unlimited Unlimited SMTP, POP3, DomainPOP, and MultiPOP SSL / TLS / StartTLS
More informationTransport Layer Security
Transport Layer Security TRANSPORT LAYER SECURITY PERFORMANCE TESTING OVERVIEW Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL), are the most popular cryptographic protocols
More informationProtecting TLS from Legacy Crypto
Protecting TLS from Legacy Crypto http://mitls.org Karthikeyan Bhargavan + many, many others. (INRIA, Microsoft Research, LORIA, IMDEA, Univ of Pennsylvania, Univ of Michigan, JHU) Popular cryptographic
More informationHow to Configure SSL Interception in the Firewall
Most applications encrypt outgoing connections with SSL or TLS. SSL Interception decrypts SSL-encrypted traffic to allow Application Control features (such as the Virus Scanner, ATD, URL Filter, Safe Search,
More informationThe Security Impact of HTTPS Interception
The Security Impact of HTTPS Interception Zakir Durumeric, Zane Ma, Drew Springall, Richard Barnes, Nick Sullivan, Elie Bursztein, Michael Bailey, J. Alex Halderman, Vern Paxson University of Michigan,
More informationScan Report Executive Summary
Scan Report Executive Summary Part 1. Scan Information Scan Customer Company: Date scan was completed: Vin65 ASV Company: Comodo CA Limited 08/28/2017 Scan expiration date: 11/26/2017 Part 2. Component
More informationSIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017
SIDE CHANNEL ATTACKS AGAINST IOS CRYPTO LIBRARIES AND MORE DR. NAJWA AARAJ HACK IN THE BOX 13 APRIL 2017 WHAT WE DO What we do Robust and Efficient Cryptographic Protocols Research in Cryptography and
More informationInternet security and privacy
Internet security and privacy SSL/TLS 1 Application layer App. TCP/UDP IP L2 L1 2 Application layer App. SSL/TLS TCP/UDP IP L2 L1 3 History of SSL/TLS Originally, SSL Secure Socket Layer, was developed
More informationThe World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to
1 The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to compromises of various sorts, with a range of threats
More informationScan Report Executive Summary
Scan Report Executive Summary Part 1. Scan Information Scan Customer Company: Date scan was completed: Vin65 ASV Company: Comodo CA Limited 11/20/2017 Scan expiration date: 02/18/2018 Part 2. Component
More informationIntroduction and Overview. Why CSCI 454/554?
Introduction and Overview CSCI 454/554 Why CSCI 454/554? Get Credits and Graduate Security is important More job opportunities More research funds 1 Workload Five homework assignments Two exams (open book
More informationNetwork Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014
Network Security: TLS/SSL Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2014 Outline 1. Diffie-Hellman key exchange (recall from earlier) 2. Key exchange using public-key encryption
More informationDiffie-Hellman. Part 1 Cryptography 136
Diffie-Hellman Part 1 Cryptography 136 Diffie-Hellman Invented by Williamson (GCHQ) and, independently, by D and H (Stanford) A key exchange algorithm o Used to establish a shared symmetric key Not for
More informationLet s Encrypt and DANE
Let s Encrypt and DANE CaribNOG 13 Barbados 18 Apr 2017 The Deploy360 Programme The Challenge: The IETF creates protocols based on open standards, but some are not widely known or deployed People seeking
More informationFRAUD DEFENSE: How To Fight The Next Generation of Targeted BEC Attacks
EMAIL FRAUD DEFENSE: How To Fight The Next Generation of Targeted BEC Attacks Brian Westnedge bwestnedge@proofpoint.com November 8, 2017 1 2017 Proofpoint, Inc. THE BUSINESS PROBLEM BUSINESS EMAIL COMPROMISE
More informationYour Apps and Evolving Network Security Standards
Session System Frameworks #WWDC17 Your Apps and Evolving Network Security Standards 701 Bailey Basile, Secure Transports Engineer Chris Wood, Secure Transports Engineer 2017 Apple Inc. All rights reserved.
More informationConfiguring OpenVPN on pfsense
Configuring OpenVPN on pfsense Configuring OpenVPN on pfsense Posted by Glenn on Dec 29, 2013 in Networking 0 comments In this article I will go through the configuration of OpenVPN on the pfsense platform.
More informationComprehensive Setup Guide for TLS on ESA
Comprehensive Setup Guide for TLS on ESA Contents Introduction Prerequisites Requirements Components Used Background Information Functional Overview and Requirements Bring Your Own Certificate Update a
More information