5,485 research outputs found

    Decrypting SSL/TLS traffic for hidden threats detection

    The paper analyzes the main mechanisms for decrypting SSL/TLS traffic. Methods and technologies used by leading companies for detecting malicious activity in encrypted traffic are also considered. An approach for intercepting and decrypting traffic transmitted over SSL/TLS is developed, tested and proposed. The developed approach has been automated and can be used for remote listening of the network, which allows transmitted data to be decrypted in close to real time. Comment: 4 pages, 1 table, 1 figure

    Network-based HTTPS Client Identification Using SSL/TLS Fingerprinting

    The growing share of encrypted network traffic complicates network traffic analysis and network forensics. In this paper, we present real-time lightweight identification of HTTPS clients based on network monitoring and SSL/TLS fingerprinting. Our experiment shows that it is possible to estimate the User-Agent of a client in HTTPS communication via the analysis of the SSL/TLS handshake. The fingerprints of SSL/TLS handshakes, including a list of supported cipher suites, differ among clients and correlate to User-Agent values from an HTTP header. We built up a dictionary of SSL/TLS cipher suite lists and HTTP User-Agents and assigned the User-Agents to the observed SSL/TLS connections to identify communicating clients. We discuss host-based and network-based methods of dictionary retrieval and estimate the quality of the data. The usability of the proposed method is demonstrated on two case studies of network forensics.

    Stacco: Differentially Analyzing Side-Channel Traces for Detecting SSL/TLS Vulnerabilities in Secure Enclaves

    Intel Software Guard Extension (SGX) offers software applications enclave to protect their confidentiality and integrity from malicious operating systems. The SSL/TLS protocol, which is the de facto standard for protecting transport-layer network communications, has been broadly deployed for a secure communication channel. However, in this paper, we show that the marriage between SGX and SSL may not be smooth sailing. Particularly, we consider a category of side-channel attacks against SSL/TLS implementations in secure enclaves, which we call the control-flow inference attacks. In these attacks, the malicious operating system kernel may perform a powerful man-in-the-kernel attack to collect execution traces of the enclave programs at page, cacheline, or branch level, while positioning itself in the middle of the two communicating parties. At the center of our work is a differential analysis framework, dubbed Stacco, to dynamically analyze the SSL/TLS implementations and detect vulnerabilities that can be exploited as decryption oracles. Surprisingly, we found exploitable vulnerabilities in the latest versions of all the SSL/TLS libraries we have examined. To validate the detected vulnerabilities, we developed a man-in-the-kernel adversary to demonstrate Bleichenbacher attacks against the latest OpenSSL library running in the SGX enclave (with the help of Graphene) and completely broke the PreMasterSecret encrypted by a 4096-bit RSA public key with only 57286 queries. We also conducted CBC padding oracle attacks against the latest GnuTLS running in Graphene-SGX and an open-source SGX-implementation of mbedTLS (i.e., mbedTLS-SGX) that runs directly inside the enclave, and showed that it only needs 48388 and 25717 queries, respectively, to break one block of AES ciphertext. Empirical evaluation suggests these man-in-the-kernel attacks can be completed within 1 or 2 hours. Comment: CCS 17, October 30-November 3, 2017, Dallas, TX, US

    Comparison of Cryptographic Libraries in Linux Environment

    This bachelor's thesis compares three cryptographic libraries used in the Linux environment: GnuTLS/nettle, NSS and OpenSSL. They are compared in terms of support for basic cryptographic functionality (symmetric and asymmetric ciphers, hash algorithms, SSL/TLS), working with hardware tokens, and the SSL/TLS protocols. The libraries are also compared in terms of API design, with a focus on its stability, work with certificates, and the possibility of multiple independent uses of the library within a single process.

    Proposal for including the Triple DES 96 cryptosystem in the SSL/TLS Record Protocol

    Scientific research thesis. This research work focuses on the SSL/TLS Record Protocol, where the inclusion of Triple DES 96 in the aforementioned cipher suite is constructed. Due to the security required when exchanging sensitive information over the internet, it is necessary to use complex cryptographic algorithms and protocols such as Secure Sockets Layer and Transport Layer Security (SSL/TLS), whose operation is divided into four sub-protocols: Handshake Protocol, Change Cipher Spec Protocol, Alert Protocol and Record Protocol. This research work focuses on the SSL/TLS Record Protocol, where the inclusion of the Triple DES-96 algorithm in the SSL/TLS cipher suite is constructed. To this end, the Triple DES and Triple DES-96 algorithms are developed in the Java programming language, encryption and decryption tests are performed on 1000 files of different types and sizes, the time each algorithm takes to encrypt and decrypt the information is measured, all experimental results obtained are recorded, and finally the results are compared. On finding that the results are favourable, with reduced time and greater robustness in the encryption, the inclusion of the Triple DES-96 algorithm in the SSL/TLS Record Protocol cipher suite is proposed. CONACY

    Existing Attacks on SSL/TLS Protocol

    SSL/TLS is a modern cryptographic protocol which secures the communication between client and server. However, there are attacks on this protocol which can compromise communication either by eavesdropping or disruption. Defending against such attacks and testing the bulletproofness of protocols is a challenging process. This work describes attacks on SSL/TLS and implements selected attacks within tlsfuzzer, a sophisticated solution for testing SSL/TLS implementations. The resulting implementation of attacks is demonstrated on three SSL/TLS implementations.

    SSL/TLS Certificates and Their Prevalence on the Dark Web (First Report)

    As organizations focus on the digital transformation of their businesses, the importance of encryption as the cornerstone of security and privacy is increasingly vital. In 2018, over 70 percent of internet traffic was encrypted. Experts believe that this figure is expected to rise to 80 percent in 2019 (Google, 2019). Secure Sockets Layer (SSL, an older standard) and Transport Layer Security (TLS, a newer standard) certificates are essential to encryption because they authorize all encrypted communication between machines. SSL/TLS certificates are instrumental in protecting privacy and improving security, providing each machine with a unique machine identity. They control the flow of sensitive data to authorized machines and are used in everything from website transactions and mobile devices to smart city initiatives, robots, artificial intelligence algorithms and containers in the cloud. Despite the pivotal role encryption plays in our digital economy and across the internet, the processes needed to protect digital certificates are not well understood or widely followed. As a result, SSL/TLS certificates are often poorly protected, making them attractive targets for attackers. In fact, illegitimate access to SSL/TLS certificates has played a key role in several high-profile, high-impact breaches—such as Snowden, Sony and Equifax. To shine a light on the availability of SSL/TLS certificates on the dark web, the Evidence-based Cybersecurity Research Group at the Andrew Young School of Policy Studies at Georgia State University and the University of Surrey spearheaded a research program, sponsored by Venafi. This report details the preliminary findings of the research and outlines the volume of SSL/TLS certificates for sale on the dark web, including information on how they are packaged and sold to attackers. These certificates can be used to eavesdrop on sensitive communications, spoof websites, trick consumers and steal data. 
    The long-term goal of this research is to gain a more thorough understanding of the role SSL/TLS certificates play in the economy of the dark web as well as how they are being used by attackers. This is the first of three reports—the first of their kind—focused on the underground SSL/TLS marketplace and its role in the wider cybercrime economy. This report will show that there is a machine identity-as-a-service marketplace on the dark web, where fraudulent TLS certificates are readily available for purchase.

    Guidelines towards secure SSL pinning in mobile applications

    Security has been a major concern in web applications for a long time, but it is only recently that the use of mobile applications has reached the level of web services. Accordingly, we take the OWASP Top 10 Mobile as our starting point to secure mobile applications. Insecure communication is one of the most important topics to be considered. In fact, many mobile applications do not even implement SSL/TLS validations or may have SSL/TLS vulnerabilities. This paper explains how an application can be fortified using secure SSL pinning, and offers a three-step process as an improvement of OWASP Mobile recommendations to avoid SSL pinning bypassing. Therefore, following the process described in this paper, mobile application developers may establish a secure SSL/TLS communication. Funding: Ministry of Science and Technology of Spain ECLIPSE RTI2018-094283-B-C33; Junta de Andalucía the PIRAMIDE and METAMORFOSIS projects; European Regional Development Fund (ERDF/FEDER); Universidad de Sevilla Cátedra de Telefónica “Inteligencia en la red