Secure Socket Layer Health Assessment

Mick Pouw, Eric van den Haak
February 5, 2014

1 Introduction
  Background
  Research questions
2 Research
  Implementing SSL, the right way
  Common mistakes
  Classifying mistakes
  Implementation
3 Conclusion
  Future work
4 Demo

Background
- Tilburg University runs lots of SSL/TLS services
- There is no quick way of checking an SSL service; it is done manually
- Existing tools either cannot be integrated into the existing monitoring software or do not produce a rating
- What about a new tool?

Research questions
- How can we determine the SSL health of a server-side implementation?
- How can we determine a bad SSL implementation?
- What mistakes are commonly made by server administrators when implementing SSL?
- How can we classify these mistakes?
- How can we develop a tool that automates checking the SSL health of a server-side implementation?

Implementing SSL, the right way
- Certificates
- Protocols
- Server settings

Implementing SSL, the right way: certificates
- Subject
- Validity
- (Chain of) trust
- Hash algorithm
- Debian weak key
- Revocation

Implementing SSL, the right way: protocols
- SSLv2 must be disabled
- SSLv3 should be disabled (only kept for backwards compatibility)
- TLSv1.0 should be enabled
- TLSv1.1 should be enabled
- TLSv1.2 should be enabled

Implementing SSL, the right way: server settings (with the attack each one addresses)
- Compression (CRIME)
- RC4 (randomness)
- MD5 (collision)
- Strong key size (brute force)
- Perfect forward secrecy (future decryption)

Common mistakes

Test                                Percentage passed
Signature hash algorithm            100%
Certificate (chain) trusted         100%
Certificate is valid                100%
No Debian weak keys                 100%
Subject name matches                 91%
Compression disabled                100%
Cipher suites do not contain MD5     57%
Perfect forward secrecy available    46%
Cipher suites do not contain RC4     17%
Key length at least 128 bits         89%
SSLv2 disabled                       94%
SSLv3 disabled                        3%
TLSv1.0 enabled                      97%
TLSv1.1 enabled                      63%
TLSv1.2 enabled                      63%

Classifying mistakes: determining a test
- Weight (0 <= weight <= 100)
- Required (show-stopper)

Example test
  Name:        Example
  Proposition: Requirement in order to pass the test
  Weight:      50
  Required:    No

Classifying mistakes: formulas

(1)  $\{\text{required tests}\} \subseteq \{\text{passed tests}\}$

The set of all required tests has to be a subset of the set of all passed tests.

(2)  $100 \cdot \dfrac{\sum_{i=1}^{N} p_i}{\sum_{j=1}^{M} t_j}$

where $p$ is the set of all weights of the passed tests ($N$ of them) and $t$ is the set of all weights of all performed tests ($M$ of them).

Classifying mistakes: classification

Description                         Weight  Required
Signature hash algorithm              80    No
Certificate (chain) trusted            0    Yes
Certificate is valid                   0    Yes
No Debian weak keys                  100    No
Subject name matches                   0    Yes
Compression disabled                  50    No
Cipher suites do not contain MD5      50    No
Perfect forward secrecy available     50    No
Cipher suites do not contain RC4      80    No
Key length at least 128 bits          80    No
SSLv2 disabled                       100    No
SSLv3 disabled                        30    No
TLSv1.0 enabled                       75    No
TLSv1.1 enabled                      100    No
TLSv1.2 enabled                      100    No
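The classification scheme above (a weight per test, a required flag for show-stoppers, formula (1) requiring every required test to be passed and formula (2) giving a weighted percentage) can be written out in a few dozen lines. The following is an added example, not the authors' proof-of-concept tool: it takes the test names and weights from the classification table, evaluates them against a constructed scan result, and applies both formulas. The field names of the profile, the pass criterion of each test (for example "signature hash is not MD5", exact subject-name matching without wildcards) and the values in the profile are this example's own assumptions.

```python
"""Weighted SSL health score with show-stopper tests (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed scan result, not real data; field names are assumptions about
# what a scanner such as SSLyze would report.
PROFILE: Dict = {
    "hostname": "www.example.org",
    "cert_subject_names": ["www.example.org", "example.org"],  # CN + SANs
    "cert_chain_trusted": True,
    "cert_valid": True,          # within validity period, not revoked
    "cert_sig_hash": "sha256",
    "debian_weak_key": False,
    "compression": False,
    "protocols": {"SSLv2": False, "SSLv3": True, "TLSv1.0": True,
                  "TLSv1.1": True, "TLSv1.2": True},
    # OpenSSL cipher suite names as a scanner would list them
    "cipher_suites": ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "RC4-SHA"],
    "weakest_cipher_key_bits": 128,
}
# Same server, but the certificate does not cover the name it is served under.
MISMATCHED_PROFILE: Dict = dict(PROFILE, hostname="mail.example.org")


@dataclass(frozen=True)
class Test:
    name: str
    weight: int                    # 0 <= weight <= 100
    required: bool                 # show-stopper: must pass whatever its weight
    check: Callable[[Dict], bool]


def _pfs_available(suites: List[str]) -> bool:
    # Ephemeral (EC)DH key exchange in OpenSSL naming: ECDHE-, DHE-, EDH-
    return any(s.startswith(("ECDHE-", "DHE-", "EDH-")) for s in suites)


# Names and weights from the classification table; pass criteria are assumed.
TESTS: List[Test] = [
    Test("Signature hash algorithm", 80, False,
         lambda p: p["cert_sig_hash"].lower() != "md5"),
    Test("Certificate (chain) trusted", 0, True, lambda p: p["cert_chain_trusted"]),
    Test("Certificate is valid", 0, True, lambda p: p["cert_valid"]),
    Test("No Debian weak keys", 100, False, lambda p: not p["debian_weak_key"]),
    # Exact match only; wildcard certificate rules are out of scope here.
    Test("Subject name matches", 0, True,
         lambda p: p["hostname"].lower() in [n.lower() for n in p["cert_subject_names"]]),
    Test("Compression disabled", 50, False, lambda p: not p["compression"]),
    Test("Cipher suites do not contain MD5", 50, False,
         lambda p: not any("MD5" in s for s in p["cipher_suites"])),
    Test("Perfect forward secrecy available", 50, False,
         lambda p: _pfs_available(p["cipher_suites"])),
    Test("Cipher suites do not contain RC4", 80, False,
         lambda p: not any("RC4" in s for s in p["cipher_suites"])),
    Test("Key length at least 128bits", 80, False,
         lambda p: p["weakest_cipher_key_bits"] >= 128),
    Test("SSLv2 disabled", 100, False, lambda p: not p["protocols"]["SSLv2"]),
    Test("SSLv3 disabled", 30, False, lambda p: not p["protocols"]["SSLv3"]),
    Test("TLSv1.0 enabled", 75, False, lambda p: p["protocols"]["TLSv1.0"]),
    Test("TLSv1.1 enabled", 100, False, lambda p: p["protocols"]["TLSv1.1"]),
    Test("TLSv1.2 enabled", 100, False, lambda p: p["protocols"]["TLSv1.2"]),
]


def assess(profile: Dict, tests: List[Test] = TESTS) -> Dict:
    """Run every test, then apply formulas (1) and (2) from the slides."""
    results = {t.name: bool(t.check(profile)) for t in tests}
    passed = {name for name, ok in results.items() if ok}
    required = {t.name for t in tests if t.required}
    # Formula (1): {required tests} must be a subset of {passed tests}.
    required_ok = required <= passed
    # Formula (2): 100 * (sum of weights of passed tests) / (sum of all weights).
    total_weight = sum(t.weight for t in tests)
    passed_weight = sum(t.weight for t in tests if t.name in passed)
    score = 100 * passed_weight / total_weight
    return {
        "score": score,
        "required_ok": required_ok,
        "failed": sorted(name for name, ok in results.items() if not ok),
    }


if __name__ == "__main__":
    for label, prof in (("matching cert", PROFILE), ("mismatched cert", MISMATCHED_PROFILE)):
        r = assess(prof)
        print(f"{label}: {r['score']:.1f}%, required ok: {r['required_ok']}, "
              f"failed: {r['failed']}")
```

Note how the two formulas interact: the required tests in the table all carry weight 0, so a certificate that does not match the hostname leaves the percentage untouched (the constructed mismatched profile scores exactly the same as the matching one) and is caught only by formula (1). A report that shows the percentage alone would therefore hide a show-stopper; both values need to reach the monitoring system.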

Implementation
- Python
- Used software: SSLyze, OpenSSL, curl
- Modular framework: tests, output
- Proof of concept

Implementation: running the tool!
Scanned: the entire Tilburg University IPv4 space, and the SURFnet IDP page hosts

Score     SURFconext   UvT
< 40%              5    27
40-50%             8     1
50-60%            82    64
60-70%             9     6
70-80%            13     1
> 80%             20    32

Conclusions
- Found a new way of determining SSL health
- Developed a proof of concept that assesses SSL services

Future work
- STARTTLS
- Server Name Indication (SNI) for HTTPS
- Improve the framework's dependencies

Demo

Questions?