A STUDY OF THE SSL AND BACKDOOR BASED ATTACKS IN NETWORK ENVIRONMENTS
Related papers
IJERT-Overcoming Vulnerabilities in Public Key Infrastructure and Certificate Authorities
International Journal of Engineering Research and Technology (IJERT), 2014
https://www.ijert.org/overcoming-vulnerabilities-in-public-key-infrastructure-and-certificate-authorities https://www.ijert.org/research/overcoming-vulnerabilities-in-public-key-infrastructure-and-certificate-authorities-IJERTV3IS061424.pdf
For several years now, digital certificates have been implemented as a means of protecting the confidentiality and integrity of data travelling over the internet. However, there have been numerous criticisms of certificate-based browser encryption by security experts. Several cases of Certificate Authority (CA) and Secure Sockets Layer (SSL) exploits have exposed the vulnerability of CA-based authentication. In March 2011, an Iranian hacker broke into Comodo and forged bogus certificates for Google's email services. In another similar instance, in August 2011, an unauthorized intrusion into DigiNotar's CA caused several bogus public key certificate requests to be issued, which subsequently led to the company going bankrupt. In this paper, we propose encrypting web-based traffic using dynamically generated keys in order to secure communications between client and server. This research aims at providing an alternative to the conventional CA-based authentication, which is prone to several weaknesses as substantiated by the excerpts above. The encryption model consists of a set of cryptographic keys which are unique to the corresponding entity. The set of keys is unique and different for each domain (website) being visited. Using these keys, the traffic is encrypted and thus the data is significantly safeguarded against man-in-the-middle (MITM) type attacks. Keywords: certificate authority; public key infrastructure; browser security; man-in-the-middle; SSL; PKI
Man in The Middle Attacks Against SSL/TLS: Mitigation and Defeat
Journal of Cyber Security and Mobility
Network security and related issues have been discussed thoroughly in this paper, especially at the transport layer security network protocol, which concerns confidentiality, integrity, availability, authentication, and accountability. To mitigate and defeat man-in-the-middle attacks, we have proposed a new model which consists of sender and receiver systems and utilizes a combination of Blowfish (BF) and Advanced Encryption Standard (AES) algorithms, symmetric key agreement to distribute public keys, Elliptic Curve Cryptography (ECC) to create the secret key, and then Diffie-Hellman (DH) for key exchange. Both SHA-256 hashing and the Elliptic Curve Digital Signature Algorithm (ECDSA) have been applied for integrity and authentication, respectively.
Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference - IMC '11, 2011
The SSL and TLS infrastructure used in important protocols like HTTPs and IMAPs is built on an X.509 public key infrastructure (PKI). X.509 certificates are thus used to authenticate services like online banking, shopping, e-mail, etc. However, it always has been felt that the certification processes of this PKI may not be conducted with enough rigor, resulting in a deployment where many certificates do not meet the requirements of a secure PKI.
Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS
2014 IEEE Symposium on Security and Privacy, 2014
TLS was designed as a transparent channel abstraction to allow developers with no cryptographic expertise to protect their application against attackers that may control some clients, some servers, and may have the capability to tamper with network connections. However, the security guarantees of TLS fall short of those of a secure channel, leading to a variety of attacks.
SecureGuard: A Certificate Validation System in Public Key Infrastructure
IEEE Transactions on Vehicular Technology, 2018
Certificate validation in Public Key Infrastructure (PKI) is a vital phase of establishing secure connections on any network. There has been a great deal of speculation on how to efficiently validate digital certificates in PKI on which the security of network communications rests. Developing such a system is challenging because digital certificates need to be quickly and securely validated for a large number of clients in a short period of time at a low cost. On the other hand, our analysis on the TLS handshakes of the Alexa Top 1 Million domains dataset indicates that the current popular certificate validation systems cannot deliver certificate validation information to the clients in a timely fashion and suffer from high overhead at the client side, making them susceptible to a number of attacks. Motivated by these observations, we present SecureGuard, a certificate validation system that can effectively handle certificate validation during TLS handshakes. Our system utilizes Internet Service Providers (ISPs) as the primary entity for certificate validation exploiting the fact that any Internet access request must pass through the ISP proxy-cache servers. We provide an extensive evaluation on SecureGuard and illustrate its efficiency. Moreover, we introduce a quantitative analysis method that can investigate the costs incurred by our system and other certificate validation approaches under the same evaluation scenarios. Our implementation results demonstrate that SecureGuard is able to validate the digital certificates within a short period of time, in a secure manner, with less network overhead.
The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software
2013
SSL (Secure Sockets Layer) is the de facto standard for secure Internet communications. Security of SSL connections against an active network attacker depends on correctly validating public-key certificates presented when the connection is established. We demonstrate that SSL certificate validation is completely broken in many security-critical applications and libraries. Vulnerable software includes Amazon’s EC2 Java library and all cloud clients based on it; Amazon’s and PayPal’s merchant SDKs responsible for transmitting payment details from e-commerce sites to payment gateways; integrated shopping carts such as osCommerce, ZenCart, Ubercart, and PrestaShop; AdMob code used by mobile websites; Chase mobile banking and several other Android apps and libraries; Java Web-services middleware—including Apache Axis, Axis 2, Codehaus XFire, and Pusher library for Android—and all applications employing this middleware. Any SSL connection from any of these programs is insecure against a m...
SSL/TLS session-aware user authentication – Or how to effectively thwart the man-in-the-middle
Computer Communications, 2006
Man-in-the-middle attacks pose a serious threat to SSL/TLS-based electronic commerce applications, such as Internet banking. In this paper, we argue that most deployed user authentication mechanisms fail to provide protection against this type of attack, even when they run on top of SSL/TLS. As a possible countermeasure, we introduce the notion of SSL/TLS session-aware user authentication, and present different possibilities for implementing it. More specifically, we start with a basic implementation that employs impersonal authentication tokens. Afterwards, we address extensions and enhancements and discuss possibilities for implementing SSL/TLS session-aware user authentication in software.
Towards securing client-server connections against man-in-the-middle attacks
2012 10th International Symposium on Electronics and Telecommunications, 2012
This paper presents the design concept for an authentication string that makes use of the server's public key and provides client's authenticity through its password without the need of a client-side certificate or a second channel. Successful strategies for preventing man-in-the-middle attacks currently rely either on two-channel/two-factor authentication or two-way encryption. Both these strategies have their downsides: the first one requires users to carry a physical device for authentication, and the second requires that all the devices that connect to the server have encryption certificates.
Security and Communication Networks
Current Transport Layer Security (TLS) Public-Key Infrastructure (PKI) is a vast and complex system; it consists of processes, policies, and entities that are responsible for a secure certificate management process. Among them, Certificate Authority (CA) is the central and most trusted entity. However, recent compromises of CA result in the desire for some other secure and transparent alternative approaches. To distribute the trust and mitigate the threats and security issues of current PKI, publicly verifiable log-based approaches have been proposed. However, still, these schemes have vulnerabilities and inefficiency problems due to lack of specifying proper monitoring, data structure, and extra latency. We propose Accountable and Transparent TLS Certificate Management: an alternate Public-Key Infrastructure (PKI) with verifiable trusted parties (ATCM) that makes certificate management phases; certificate issuance, registration, revocation, and validation publicly verifiable. It al...