TLS/SSL - How and Why
Transcript of TLS/SSL - How and Why
Page 1
TLS/SSL - How and Why
PCI Flags it but why do we care?
By: MadHat Unspecific
Page 2
SSL – How and Why
• What is TLS/SSL?
• How does TLS/SSL work?
• What is the difference between TLS and SSL?
• What is it used for?
• Weak Ciphers
• How this relates to PCI
• Exploitable
• SSL-Cipher-Check (tool from Unspecific.com)
Page 3
What is TLS/SSL?
• Transport Layer Security
• Secure Sockets Layer
• Application Layer Protocols
• Public/Asymmetric Key Cryptography
• OSI Layer 6
Page 4
How does TLS/SSL work?
• Encryption Protocol, Key Length, Hashing Algorithm
• Authentication
• Handshake
  – Request
  – Protocols Supported
  – Digital Certificate
  – Session Keys
Page 5
What is it used for?
• Security & Data Integrity
• Prevents Eavesdropping, tampering & message forgery
• HTTP is most famous as HTTPS
• Any layer 7 protocol, POP3, IMAP, SMTP, FTP
• OpenVPN
• Stunnel
• Ncat (included with Nmap)
Page 6
Weak Ciphers
• Old Protocols
  – SSLv2
• Key Strength
  – 40bit & 56bit ciphers
  – RC2, RC4, NULL
• Weak Hash Algorithms
  – DES
• ADH - anonymous DH cipher
Page 7
How this relates to PCI & Other Standards
• PCI 4.1 - Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.
Page 8
Exploitable
• Man in the Middle
• Decryption of Communications
Page 9
SSL-Cipher-Check
• OpenSSL binary
• Checks ALL supported Ciphers
  • openssl ciphers
  • openssl s_client -$protocol -cipher $cipher -connect $host:$port
• ssl_dump.log – Raw openssl output
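As an added example (not the SSL-Cipher-Check script itself), a POSIX shell sketch of the check slide 9 describes: enumerate suites with `openssl ciphers`, probe each one with the `openssl s_client` command shown, and flag the suites slide 6 calls weak. The weak-name patterns and the host/port/protocol arguments are assumptions; probing assumes the `openssl` binary is on PATH, while the name classification needs no network.

```shell
#!/bin/sh
# Added example, not the SSL-Cipher-Check tool: the check slide 9 describes,
# enumerate suites with `openssl ciphers`, probe each with `openssl s_client`,
# and flag the ones slide 6 calls weak. Probing needs the openssl binary.

# True (exit 0) when an OpenSSL cipher-suite name falls in a weak category from
# slide 6: export-grade 40/56-bit keys, RC2, RC4, NULL, single DES, anonymous DH.
# SSLv2 is a protocol problem, selected by the -ssl2 flag, not by the suite name.
is_weak_cipher() {
    case "$1" in
        EXP*|*EXPORT*)           return 0 ;;  # 40-bit and 56-bit export suites
        *RC2*|*RC4*|*NULL*)      return 0 ;;  # broken ciphers, or no encryption at all
        *ADH*|*AECDH*)           return 0 ;;  # anonymous DH: nothing authenticates the server
        DES-CBC-*|*-DES-CBC-*)   return 0 ;;  # single DES (56-bit); DES-CBC3 is 3DES, not matched
        *)                       return 1 ;;
    esac
}

# Filter a colon-separated cipher list (the `openssl ciphers` output format) down
# to the weak suites, printed in the same colon-separated form. Pure string work.
weak_ciphers_in() {
    out=""
    old_ifs=$IFS; IFS=':'
    for c in $1; do
        if is_weak_cipher "$c"; then out="${out:+$out:}$c"; fi
    done
    IFS=$old_ifs
    printf '%s\n' "$out"
}

# The s_client probe from slide 9: $1 host, $2 port, $3 protocol flag
# (tls1_2, tls1, ssl3, ...), $4 cipher. Succeeds only if the server negotiated $4.
# Pre-TLS 1.3 suites only; TLS 1.3 suites are selected with -ciphersuites instead.
probe_cipher() {
    openssl s_client -"$3" -cipher "$4" -connect "$1:$2" </dev/null 2>/dev/null \
        | grep -q "Cipher is $4"
}

# Walk every suite this OpenSSL build knows (eNULL adds the NULL suites) and
# report which ones the server accepts, marking the weak ones.
scan_host() {
    host=$1; port=${2:-443}; proto=${3:-tls1_2}
    for c in $(openssl ciphers 'ALL:eNULL' | tr ':' ' '); do
        if probe_cipher "$host" "$port" "$proto" "$c"; then
            if is_weak_cipher "$c"; then echo "WEAK    $c"; else echo "enabled $c"; fi
        fi
    done
}

if [ $# -gt 0 ]; then scan_host "$@"; fi   # usage: ./check.sh host [port] [protocol]
```

Run it with a protocol of `ssl2` or `ssl3` (where the local OpenSSL still supports them) to cover the "Old Protocols" line of slide 6 as well.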
Page 10
SSL-Cipher-Check
• $ ./ssl-cipher-check.pl

```text
SSL Cipher Check: 1.1 : written by Lee 'MadHat' Heath (at) Unspecific.com
Usage: ./ssl-cipher-check.pl [ -dvwas ] <host> [<port>]
default port is 443
-d Add debug info (show it all, lots of stuff)
-v Verbose. Show more info about what is found
-w Show only weak ciphers enabled.
-a Show all ciphers, enabled or not
-s Show only the STRONG ciphers enabled.
```
Page 11
References
• http://en.wikipedia.org/wiki/Public-key_cryptography
• http://en.wikipedia.org/wiki/Transport_Layer_Security
• http://www.openssl.org/
• http://www.verisign.com/ssl/ssl-information-center/ssl-basics/index.html
• http://en.wikipedia.org/wiki/OSI_model
• http://www.gnu.org/software/gnutls/
• http://openvpn.net/
• http://www.stunnel.org/
• http://lasecwww.epfl.ch/memo/memo_ssl.shtml
• http://www.owasp.org/index.php/Testing_for_SSL-TLS
• http://www.unspecific.com/2009/02/16/ssl-cipher-check
• http://www.schneier.com/paper-ssl.pdf
• https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
Page 12
• Future Meetings/Talks
• T-Shirt
• DefCon