ANALISIS KEAMANAN JARINGAN UNIVERSITAS KRISTEN DUTA WACANA DENGAN SERANGAN SSL/TLS

The security of data communication over the network has become an obligation that needs to be considered in a technology ecosystem. Data security has various layers, one layer that needs to be protected is the presentation layer where SSL/TLS is located. If at this layer there are vulnerabilities where sensitive data such as cookies, usernames, and passwords are present, then data leakage will have a major impact on all stakeholders in the technology sector using SSL/TLS technology. In order to research and improve data security in Duta Wacana Christian University (DWCU) campus network, the researchers conducted SSL/TLS vulnerability testing on the  SSAT and E-Class websites using the SSL Test from Qualys and a script from testssl.sh, the author also conducted Checking Mixed Content with GeekFlare and checking HSTS Preload using the HSTS Preload website provided by Google. Researchers also conducted SSL Strip penetration tests at 12 points of the DWCU building and also in Lab D. Based on the results of the study, there were several results found. The results on the SSL Test using Qualys found that the SSAT and E-Class websites already use HTTP Strict Transport Security (HSTS) rules with Max-Age 31536000 (1 year) but HSTS Preload has not been implemented, Mixed Content testing with GeekFlare shows that all transactions on SSAT and E-Class already uses HTTPS paths, then in tests using the testssl.sh script there are vulnerabilities that are read, and SSL Strip attacks are possible in Duta Wacana Christian University network under several conditions.Keamanan komunikasi data melalui jaringan sudah menjadi kewajiban yang perlu di pertimbangkan dalam sebuah ekosistem teknologi. Keamanan data memiliki berbagai layer, salah satu layer yang perlu dilindungi adalah layer presentasi dimana SSL/TLS berada. Jika pada layer ini terdapat kerentanan dimana data sensitif seperti cookie, username, dan password, maka kebocoran data akan berdampak besar bagi semua pelaku kepentingan di bidang teknologi yang menggunakan teknologi SSL/TLS. Dalam rangka penelitian dan peningkatan keamanan data di jaringan kampus Universitas Kristen Duta Wacana (UKDW), maka peneliti melakukan pengujian kerentanan SSL/TLS pada situs web SSAT UKDW dan E-Class UKDW menggunakan Test SSL dari Qualys dan script dari testssl.sh, penulis juga melakukan pengecekan Mixed Content dengan GeekFlare serta pengecekan HSTS Preload meenggunakan situs web HSTS Preload yang disediakan Google. Peneliti juga melakukan uji penetrasi SSL Strip di 12 titik gedung Universitas Kristen Duta Wacana dan juga di Lab D. Berdasarkan hasil penelitian, ada beberapa hasil yang ditemukan. Hasil pada SSL Test menggunakan Qualys menemukan situs web SSAT dan E-Class sudah menggunakan aturan HTTP Strict Transport Security (HSTS) dengan Max-Age 31536000 (1 tahun) namun HSTS Preload belum di terapkan, pengujian Mixed Content dengan GeekFlare menunjukkan bahwa seluruh transaksi pada SSAT dan E-Class sudah menggunakan jalur HTTPS, lalu pada uji menggunakan script testssl.sh terdapat kerentanan yang terbaca, serta serangan SSL Strip dimungkinkan terjadi di jaringan Universitas Kristen Duta Wacana dengan beberapa kondisi

A Messy State of the Union: Taming the Composite State Machines of TLS

To appearInternational audienceImplementations of the Transport Layer Security (TLS) protocol must handle a variety of protocol versions and extensions, authentication modes, and key exchange methods. Confusingly, each combination may prescribe a different message sequence between the client and the server. We address the problem of designing a robust composite state machine that correctly multiplexes between these different protocol modes. We systematically test popular open-source TLS implementations for state machine bugs and discover several critical security vulnerabilities that have lain hidden in these libraries for years, and have now finally been patched due to our disclosures. Several of these vulnerabilities, including the recently publicized FREAK flaw, enable a network attacker to break into TLS connections between authenticated clients and servers. We argue that state machine bugs stem from incorrect compositions of individually correct state machines. We present the first verified implementation of a composite TLS state machine in C that can be embedded into OpenSSL and accounts for all its supported ciphersuites. Our attacks expose the need for the formal verifica- tion of core components in cryptographic protocol libraries; our implementation demonstrates that such mechanized proofs are within reach, even for mainstream TLS implementations

Proving the TLS Handshake Secure (As It Is)

International audienceThe TLS Internet Standard features a mixed bag of cryptographic algorithms and constructions, letting clients and servers negotiate their use for each run of the handshake. Although many ciphersuites are now well-understood in isolation, their composition remains problematic, and yet it is critical to obtain practical security guarantees for TLS, as all mainstream implementations support multiple related runs of the handshake and share keys between algorithms.We study the provable security of the TLS handshake, as it is implemented and deployed. To capture the details of the standard and its main extensions, we rely on miTLS, a verified reference implementation of the protocol. We propose new agile security definitions and assumptions for the signatures, key encapsulation mechanisms (KEM), and key derivation algorithms used by the TLS handshake. To validate our model of key encapsulation, we prove that both RSA and Diffie-Hellman ciphersuites satisfy our definition for the KEM. In particular, we formalize the use of PKCS#1v1.5 and build a 3,000-line EasyCrypt proof of the security of the resulting KEM against replayable chosen-ciphertext attacks under the assumption that ciphertexts are hard to re-randomize.Based on our new agile definitions, we construct a modular proof of security for the miTLS reference implementation of the handshake, including ciphersuite negotiation, key exchange, renegotiation, and resumption, treated as a detailed 3,600-line executable model. We present our main definitions, constructions, and proofs for an abstract model of the protocol, featuring series of related runs of the handshake with different ciphersuites. We also describe its refinement to account for the whole reference implementation, based on automated verification tools

Supervisor

Abstract. This thesis examines the current techniques in LTE-WiFi data handover. Handovers take place when a mobile device switches from one network to another. It is interesting to look at methods to offload the rather expensive mobile data connections to the cheaper WiFi (home) networks. This transition is usually not seamless. A good example is when you start a streaming video whilst on mobile data and a known WiFi network appears. Your mobile device automatically connects to the WiFi network and the streaming video stops. These so-called vertical handovers have not been made seamless yet. This thesis compares several techniques that operate on different layers of the OSI model. To facilitate vertical handover, it is useful to know how horizontal handovers work. This kind of handover occurs when, for example, a mobile phone switches from one cell tower to another. Contrary to vertical handover, horizontal handover occurs practically seamless. Horizontal handovers in both LTE and WiFi networks are discussed, to give a heads up for the problems that arise for vertical handovers. Vertical handovers can be done at different points in the OSI model. This thesis covers solutions that have been devised on a few of these layers. Th

Valutazione della sicurezza delle comunicazioni con i principali istituti di credito online

In questa tesi sono stati studiati in maniera approfondita i protocolli crittografici SSL/TLS mettendone in risalto le potenzialità così come le debolezze in correlazione all'uso con HTTPS. Sono stati studiati gli aspetti relativi ai certificati, all'infrastruttura a chiave pubblica e sono stati riportati vari tipi di attacchi conosciuti alla sicurezza delle comunicazioni. Successivamente, lo scopo del progetto è stato quello di sviluppare un tool per l'analisi passiva delle comunicazioni HTTPS di un sito web. In particolare il tool ha permesso di individuare ed identificare errate configurazioni e problemi legati alla sicurezza del server web. Infine si è adoperato il tool per analizzare, in anonimato, alcuni istituti di credito italiano

TLS/PKI Challenges and certificate pinning techniques for IoT and M2M secure communications

Transport Layer Security is becoming the de facto standard to provide end-to-end security in the current Internet. IoT and M2M scenarios are not an exception since TLS is also being adopted there. The ability of TLS for negotiating any security parameter, its flexibility and extensibility are responsible for its wide adoption but also for several attacks. Moreover, as it relies on Public Key Infrastructure (PKI) for authentication, it is also affected by PKI problems. Considering the advent of IoT/M2M scenarios and their particularities, it is necessary to have a closer look at TLS history to evaluate the potential challenges of using TLS and PKI in these scenarios. According to this, the article provides a deep revision of several security aspects of TLS and PKI, with a particular focus on current Certificate Pinning solutions in order to illustrate the potential problems that should be addressed