TLS/SSL - How and Why

blueberrystore, Security

9 Dec 2013

TLS/SSL - How and Why

PCI flags it, but why do we care?

By: MadHat, Unspecific

SSL - How and Why


What is TLS/SSL?


How does TLS/SSL work?


What is the difference between TLS and SSL?


What is it used for?


Weak Ciphers


How this relates to PCI


Exploitable


SSL-Cipher-Check (tool from Unspecific.com)

What is TLS/SSL?


Transport Layer Security


Secure Sockets Layer


Protects application layer protocols


Public/Asymmetric Key Cryptography


OSI Layer 6 (presentation layer), between TCP and the application protocol

How does TLS/SSL work?


Cipher suite: encryption algorithm, key length, hashing algorithm


Authentication


Handshake


Request


Protocols Supported


Digital Certificate


Session Keys

What is it used for?


Security & Data Integrity


Prevents eavesdropping, tampering & message forgery


HTTP is most famous as HTTPS


Any layer 7 protocol, POP3, IMAP, SMTP, FTP


OpenVPN


Stunnel


Ncat (included with Nmap)

Weak Ciphers


Old Protocols


SSLv2


Key Strength


40bit & 56bit ciphers


RC2, RC4, NULL


Weak Hash Algorithms


DES


ADH - anonymous DH cipher (no server authentication)
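As an added example, not code from the talk or from ssl-cipher-check.pl, the following Python applies this slide's weak-cipher criteria to cipher-suite descriptions in the format printed by `openssl ciphers -v`, the same OpenSSL listing the tool walks. The sample lines are constructed; taking MD5 as the "weak hash algorithm" is an assumption, since the slide does not name one. The list also reflects 2009: a scan today would additionally reject SSLv3 and 3DES.

```python
import re
import subprocess
from dataclasses import dataclass

# One line of `openssl ciphers -v` output looks like:
#   RC4-MD5  SSLv3 Kx=RSA  Au=RSA  Enc=RC4(128)  Mac=MD5   [export]
CIPHER_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)


@dataclass
class CipherSuite:
    name: str
    protocol: str    # lowest protocol the suite belongs to (SSLv2/SSLv3/TLSv1.x)
    kx: str          # key exchange
    au: str          # authentication; "None" for anonymous (ADH/AECDH) suites
    enc_alg: str     # bulk cipher; "None" for NULL suites
    enc_bits: int    # bulk cipher key length in bits, 0 for NULL
    mac: str
    export: bool


def parse_cipher_line(line):
    """Parse one `openssl ciphers -v` line; returns None for anything else."""
    m = CIPHER_LINE.match(line)
    if m is None:
        return None
    enc = re.match(r"^([A-Za-z0-9]+)(?:\((\d+)\))?$", m.group("enc"))
    alg, bits = (enc.group(1), int(enc.group(2) or 0)) if enc else (m.group("enc"), 0)
    return CipherSuite(m.group("name"), m.group("proto"), m.group("kx"), m.group("au"),
                       alg, bits, m.group("mac"), m.group("export") is not None)


def weak_reasons(s):
    """Apply the slide's criteria; an empty list means the suite passed them."""
    reasons = []
    if s.protocol == "SSLv2":
        reasons.append("SSLv2 protocol")
    if s.export:
        reasons.append("export-grade suite")
    if s.enc_alg == "None":
        reasons.append("NULL cipher (no encryption)")
    elif s.enc_bits < 128:
        reasons.append(f"{s.enc_bits}-bit key")      # catches the 40- and 56-bit suites
    if s.enc_alg in ("RC2", "RC4"):
        reasons.append(f"{s.enc_alg} cipher")
    if s.enc_alg == "DES":
        reasons.append("single DES")
    if s.mac == "MD5":                               # assumption: MD5 is the weak hash meant
        reasons.append("MD5 MAC")
    if s.au == "None":
        reasons.append("anonymous key exchange, no server authentication (ADH/AECDH)")
    return reasons


def classify(ciphers_v_output):
    """Map suite name -> list of weakness reasons for every parseable line."""
    result = {}
    for line in ciphers_v_output.splitlines():
        suite = parse_cipher_line(line)
        if suite is not None:
            result[suite.name] = weak_reasons(suite)
    return result


# Constructed sample in the `openssl ciphers -v` format so the example runs offline.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
"""

if __name__ == "__main__":
    try:  # prefer the local OpenSSL's real list; fall back to the sample offline
        text = subprocess.run(["openssl", "ciphers", "-v", "ALL:COMPLEMENTOFALL"],
                              capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        text = SAMPLE_CIPHERS_V
    for name, reasons in classify(text).items():
        print(f"{'WEAK  ' if reasons else 'strong'} {name:32} {'; '.join(reasons)}")
```

`ALL:COMPLEMENTOFALL` is needed because plain `ALL` omits the NULL (eNULL) suites, which are exactly the ones a scan must not miss.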

How this relates to PCI

& Other Standards


PCI 4.1 - Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.

Exploitable


Man in the Middle


Decryption of Communications


SSL-Cipher-Check


OpenSSL binary


Checks ALL supported ciphers


openssl ciphers


openssl s_client -$protocol -cipher $cipher -connect $host:$port


ssl_dump.log: raw openssl output
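The probe loop on this slide, and the handshake slide earlier (the negotiated protocol and cipher are what the handshake settles), as an added Python example that is not the ssl-cipher-check.pl script itself: it builds the s_client command shown above, runs one handshake per cipher name, and reads the negotiated protocol and cipher back out of s_client's output. The two s_client transcripts are constructed, shortened excerpts used to exercise the parser offline; the byte counts in them are made up.

```python
import re
import subprocess
import sys


def s_client_command(host, port, cipher, protocol=None):
    """openssl s_client -$protocol -cipher $cipher -connect $host:$port
    `protocol` is an s_client version flag without its dash, e.g. "tls1" or "ssl3"."""
    cmd = ["openssl", "s_client"]
    if protocol:
        cmd.append("-" + protocol)
    cmd += ["-cipher", cipher, "-connect", f"{host}:{port}"]
    return cmd


def negotiated(s_client_output):
    """Return (protocol, cipher) when the handshake completed, else None.
    s_client prints `New, <version>, Cipher is <name>`; a refused cipher shows as
    `Cipher is (NONE)`. The SSL-Session `Protocol :` line has the exact version."""
    m = re.search(r"^New, (\S+), Cipher is (\S+)\s*$", s_client_output, re.M)
    if m is None or m.group(2) == "(NONE)":
        return None
    p = re.search(r"^\s*Protocol\s*:\s*(\S+)\s*$", s_client_output, re.M)
    return ((p.group(1) if p else m.group(1)), m.group(2))


def probe(host, port, cipher, protocol=None, timeout=15):
    """One handshake; stdin is closed at once so s_client exits after it.
    None means refused, timed out, or no openssl binary on the path."""
    try:
        r = subprocess.run(s_client_command(host, port, cipher, protocol),
                           input=b"", capture_output=True, timeout=timeout)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return negotiated(r.stdout.decode("utf-8", "replace"))  # summary goes to stdout


def all_cipher_names():
    """Every suite this OpenSSL build knows, NULL suites included."""
    r = subprocess.run(["openssl", "ciphers", "ALL:COMPLEMENTOFALL"],
                       capture_output=True, text=True, check=True)
    return r.stdout.strip().split(":")


def scan(host, port=443):
    """Return {cipher: protocol} for every suite the server accepted."""
    enabled = {}
    for name in all_cipher_names():
        result = probe(host, port, name)
        if result:
            enabled[name] = result[0]
    return enabled


# Constructed s_client excerpts (shortened) for offline use of the parser.
ACCEPTED_SAMPLE = """\
CONNECTED(00000003)
---
SSL handshake has read 1462 bytes and written 377 bytes
---
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-MD5
---
"""

REJECTED_SAMPLE = """\
CONNECTED(00000003)
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
---
"""

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("offline parse check:", negotiated(ACCEPTED_SAMPLE), negotiated(REJECTED_SAMPLE))
    else:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        for name, proto in sorted(scan(sys.argv[1], port).items()):
            print(f"{proto:8} {name}")
```

The caveat that applies to the original tool as much as to this loop: the client can only offer what its OpenSSL build contains. Current builds ship without SSLv2, SSLv3 and most of the suites on the Weak Ciphers slide, so a cipher missing from `openssl ciphers` is not evidence the server has disabled it; the 2009-era scan assumed an OpenSSL built with everything.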


SSL-Cipher-Check


$ ./ssl-cipher-check.pl
: SSL Cipher Check: 1.1
: written by Lee 'MadHat' Heath (at) Unspecific.com

Usage:
  ./ssl-cipher-check.pl [ -dvwas ] <host> [<port>]
  default port is 443
  -d Add debug info (show it all, lots of stuff)
  -v Verbose. Show more info about what is found
  -w Show only weak ciphers enabled.
  -a Show all ciphers, enabled or not
  -s Show only the STRONG ciphers enabled.


References


http://en.wikipedia.org/wiki/Public-key_cryptography


http://en.wikipedia.org/wiki/Transport_Layer_Security


http://www.openssl.org/


http://www.verisign.com/ssl/ssl-information-center/ssl-basics/index.html


http://en.wikipedia.org/wiki/OSI_model


http://www.gnu.org/software/gnutls/


http://openvpn.net/


http://www.stunnel.org/


http://lasecwww.epfl.ch/memo/memo_ssl.shtml


http://www.owasp.org/index.php/Testing_for_SSL-TLS


http://www.unspecific.com/2009/02/16/ssl-cipher-check


http://www.schneier.com/paper-ssl.pdf


https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf





Future Meetings/Talks


T-Shirt


DefCon