991 Hits in 2.8 sec

On the security of TLS renegotiation

Florian Giesen, Florian Kohlar, Douglas Stebila
2013 Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security - CCS '13  
The Transport Layer Security (TLS) protocol is the most widely used security protocol on the Internet.  ...  We describe the attack of Ray and Dispensa on TLS within our model.  ...  Acknowledgements The authors gratefully acknowledge discussions with Colin Boyd, Cas Cremers, Kenny Paterson, Jörg Schwenk, and the authors of the SCSV/RIE countermeasure [31] , and the advice of anonymous  ... 
doi:10.1145/2508859.2516694 dblp:conf/ccs/GiesenKS13 fatcat:caqi4zpmwfhdjf2mnq5xuxlrom

Secure Applications without Secure Infrastructures [chapter]

Dieter Gollmann
2010 Lecture Notes in Computer Science  
The defenders retreat to the security kernel.Communications security  Focus on the design of secure channels: IPsec, IPsec over IPsec, SSL/TLS, …  Infrastructure services at network and transport layer  ...  Plausible assumptions about a plausible use case are treated as a specification of the service.  Fix: TLS renegotiation cryptographically tied to the TLS connection it is performed in (RFC 5746).  TLS  ... 
doi:10.1007/978-3-642-14706-7_2 fatcat:gmwrbkqfivfjnnodftyrqe4x6q

Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLS

Karthikeyan Bhargavan, Antoine Delignat Lavaud, Cedric Fournet, Alfredo Pironti, Pierre Yves Strub
2014 2014 IEEE Symposium on Security and Privacy  
However, the security guarantees of TLS fall short of those of a secure channel, leading to a variety of attacks.  ...  At the application level, we develop an exemplary HTTPS client library that implements several mitigations, on top of a previously verified TLS implementation, and verify that their composition provides  ...  In other words, the TLS peer on the connection has changed, and the application may not realize it, defeating the purpose of the secure renegotiation extension.  ... 
doi:10.1109/sp.2014.14 dblp:conf/sp/BhargavanDFPS14 fatcat:7jt2pm6vpzd65ijps7a7mclldu

Transport Layer Security Done Right

Michael Schneider
2014 Zenodo  
This labs describes the basics of a secure TLS configuration and shows how it can be checked for security.  ...  Often during security checks we discover that the configuration of these systems does not meet the requirements for a secure connection.  ...  suite for a TLS connection has significant influence on the security of said connection.  ... 
doi:10.5281/zenodo.3521400 fatcat:purkexckjzdhzfs7ju6jey5kxm

Client-Aware Negotiation for Secure and Efficient Data Transmission

Ziheng Wang, Heng Chen, Weiguo Wu
2020 Energies  
The first method is based on two-way authentication and renegotiation. After handshakes, the appropriate data security transmission scheme is selected according to the client requirements.  ...  Another method is based on redirection, which can be applied when the client does not support two-way authentication or renegotiation.  ...  Conflicts of Interest: The authors declare no conflict of interest.  ... 
doi:10.3390/en13215777 fatcat:6wxqrbtkrjchbckjmbtpylj4p4

Taxonomy of SSL/TLS Attacks

Keerthi Vasan K., Arun Raj Kumar P.
2016 International Journal of Computer Network and Information Security  
A novel taxonomy of the attacks against SSL/TLS has been proposed in this paper. Index Terms-SSL/TLS, vulnerabilities, Man-In-The-Middle (MITM) attack, mitigations, taxonomy of attacks. 10.  ...  Secure Socket Layer (SSL) and Transport Layer Security (TLS) protocols use cryptographic algorithms to secure data and ensure security goals such as Data Confidentiality and Integrity in networking.  ...  Based on the vulnerabilities, a malicious user can launch various attacks on the SSL/TLS protocol and the data secured by it.  ... 
doi:10.5815/ijcnis.2016.02.02 fatcat:uwdcva2fq5c5xcgqpuqhocanyy

Offline Trusted Device and Proxy Architecture Based on a new TLS Switching Technique

Migdal Denis, Christian Johansen, Audun Josang
2017 2017 International Workshop on Secure Internet of Things (SIoT)  
The proxy switches between two TLS channels, one from the client application, and another from the trusted device.  ...  Existing solutions for protecting online transactions with strong security typically involve an external trusted device, e.g., for the generation of OTPs (One-Time Password) in e-banking.  ...  Léonard Dallot) for their help during the developments.  ... 
doi:10.1109/siot.2017.00007 dblp:conf/siot/MigdalJJ17 fatcat:cdzriczzbrdc5ehtmaaxpk673i

A Tale of the OpenSSL State Machine: A Large-Scale Black-Box Analysis [chapter]

Joeri de Ruiter
2016 Lecture Notes in Computer Science  
In this paper we perform a large scale analysis of the state machines as implemented over the last 14 years in OpenSSL, one of the most widely used implementations of TLS, and in LibreSSL, a fork of OpenSSL  ...  Security vulnerabilities and other bugs related to their implementation can be observed, together with the point at which these are fixed.  ...  Introduction TLS (Transport Layer Security) is one of the most widely used security protocols and is used to secure network communications, for example, when browsing the Internet using HTTPS or using  ... 
doi:10.1007/978-3-319-47560-8_11 fatcat:r2zjlfvggndx7amndebkur4h4y

Analysis and Study of Network Security at Transport Layer

Hiren Parmar, Atul Gosai
2015 International Journal of Computer Applications  
In fact, found the de-facto standards of web security used all over the world to secure e-commerce, onlinebanking are also found insecure.  ...  Further gives direction on how to improve and strengthen security.  ...  Following are the attacks on security standards which forces us to understand attacks and improve network security by mitigating them. Authentication gap in TLS renegotiation.  ... 
doi:10.5120/21604-4716 fatcat:qjmdulgc5vfnfbaczpewrcft6q

Examining cyber security implementation through TLS/SSL on academic institutional repository in Indonesia

Irhamni Ali
2021 Berkala Ilmu Perpustakaan dan Informasi  
Indonesia is one of the countries that implement Institutional Repositories (IR) in their academic world.  ...  According to the National Library of Indonesia, there are more than 7890 academic IR in Indonesia.  ...  The Indonesian academic IR should focus on the renegotiation vulnerability in the SSLv3. This can be done with altogether disable renegotiation on the server-side.  ... 
doi:10.22146/bip.v17i2.2082 fatcat:rl7ezupezbfplgnmunbiwletua

How vulnerable are the Indian banks: A cryptographers' view [article]

Anirban Pathak, Rishi Dutt Sharma, Dhananjoy Dey
2018 arXiv   pre-print
With the advent of e-commerce and online banking it has become extremely important that the websites of the financial institutes (especially, banks) implement up-to-date measures of cyber security (in  ...  Further, the validity and quality of the security certificates of various Indian banks have been tested with the help of a set of tools (e.g., SSL Certificate Checker provided by Digicert and SSL server  ...  (ii) Secure renegotiation is not supported.  ... 
arXiv:1804.03910v1 fatcat:xmmr5n3vhzcntojjx3cggth2ya

Reactive and Proactive Standardisation of TLS [chapter]

Kenneth G. Paterson, Thyla van der Merwe
2016 Lecture Notes in Computer Science  
In the development of TLS 1.3, the IETF TLS Working Group has adopted an "analysis-prior-to-deployment" design philosophy. This is in sharp contrast to all previous versions of the protocol.  ...  In an attempt to place TLS within the broader realm of standardisation, we perform a comparative analysis of standardisation models and discuss the standardisation of TLS within this context.  ...  We thank Eric Rescorla and the anonymous reviewers of SSR 2016 for their valuable feedback on the paper.  ... 
doi:10.1007/978-3-319-49100-4_7 fatcat:33ngau3bv5a5lb3purmdqqtmxe

Security Goals and Evolving Standards [chapter]

Joshua D. Guttman, Moses D. Liskov, Paul D. Rowe
2014 Lecture Notes in Computer Science  
In this paper, we propose a criterion for one mitigation to be at least as good as another from the point of view of security. This criterion is supported by rigorous protocol analysis tools.  ...  The constraints of the deployments, and variety of independent stakeholders, mean that different ways to mitigate a flaw may be proposed and debated.  ...  One such flaw, discovered in 2009 by Marsh Ray, concerns renegotiating TLS parameters. It works on the boundary between the TLS layer and the application layer it supports.  ... 
doi:10.1007/978-3-319-14054-4_7 fatcat:b3piu22fyvddnhonip4oeazboi

miTLS: Verifying Protocol Implementations against Real-World Attacks

Karthikeyan Bhargavan, Cedric Fournet, Markulf Kohlweiss
2016 IEEE Security and Privacy  
They then reappeared in the context of user-authenticated TLS renegotiation as commonly used on the web.  ...  As we will argue, this limited the impact that either of them had on the real-world security of TLS.  ... 
doi:10.1109/msp.2016.123 fatcat:fisjry37bzexpdcl26l67e67p4

IoTVerif: Automatic Verification of SSL/TLS Certificate for IoT Applications

Anyi Liu, Ali Alqazzaz, Hua Ming, Balakrishnan Dharmalingam
2019 IEEE Access  
IoTVerif constructs the specification of an IoT protocol and verifies its security properties, without relying on prior knowledge about communication protocols.  ...  Although extensive research has been conducted on securing the Internet of Things (IoT) communication protocols, various vulnerabilities and exploits are continuously discovered and reported.  ...  We thank Khalid Alghamdi for his contribution to the conference version of this manuscript. We thank Richard D. Thomas, Esq. for proofreading of the early draft of this manuscript.  ... 
doi:10.1109/access.2019.2961918 fatcat:472mexpvxbcr7cg2nc6mbeaqnm
« Previous Showing results 1 — 15 out of 991 results