TLS/SSL - How and Why
PCI Flags it but why do we care?
By: MadHat Unspecific
SSL – How and Why
• What is TLS/SSL?
• How does TLS/SSL work?
• What is the difference between TLS and SSL?
• What is it used for?
• Weak Ciphers
• How this relates to PCI
• Exploitable
• SSL-Cipher-Check (tool from Unspecific.com)
What is TLS/SSL?
• Transport Layer Security
• Secure Sockets Layer
• Application Layer Protocols
• Public/Asymmetric Key Cryptography
• OSI Layer 6
How does TLS/SSL work?
• Encryption Protocol, Key Length, Hashing Algorithm
• Authentication
• Handshake
– Request
– Protocols Supported
– Digital Certificate
– Session Keys
What is it used for?
• Security & Data Integrity
• Prevents Eavesdropping, tampering & message forgery
• HTTP is most famous as HTTPS
• Any layer 7 protocol, POP3, IMAP, SMTP, FTP
• OpenVPN
• Stunnel
• Ncat (included with Nmap)
Weak Ciphers
• Old Protocols
– SSLv2
• Key Strength
– 40bit & 56bit ciphers
– RC2, RC4, NULL
• Weak Hash Algorithms
– DES
• ADH - anonymous DH cipher
How this relates to PCI & Other Standards
• PCI 4.1 - Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.
Exploitable
• Man in the Middle
• Decryption of Communications
SSL-Cipher-Check
• OpenSSL binary
• Checks ALL supported Ciphers
• openssl ciphers
• openssl s_client -$protocol -cipher $cipher -connect $host:$port
• ssl_dump.log – Raw openssl output
SSL-Cipher-Check
• $ ./ssl-cipher-check.pl
  : SSL Cipher Check: 1.1
  : written by Lee 'MadHat' Heath (at) Unspecific.com
  Usage: ./ssl-cipher-check.pl [ -dvwas ] <host> [<port>]
  default port is 443
  -d  Add debug info (show it all, lots of stuff)
  -v  Verbose. Show more info about what is found
  -w  Show only weak ciphers enabled.
  -a  Show all ciphers, enabled or not
  -s  Show only the STRONG ciphers enabled.
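The "Weak Ciphers" slide and the SSL-Cipher-Check slides describe the same check: take the cipher list the OpenSSL binary knows about (openssl ciphers), flag the ones that are weak by the deck's criteria (SSLv2, 40/56-bit keys, RC2/RC4/NULL, DES, anonymous DH), and build an openssl s_client command per cipher to test a host with. The script below is an added example written for this page, not the ssl-cipher-check.pl tool or any of its code. It parses constructed lines in the format of `openssl ciphers -v` (sample embedded inline, not output from any real scan), classifies each suite with the reasons it is weak, and composes the s_client command line without running it. One correction to the deck's grouping: DES is a 56-bit block cipher, not a hash, so the classifier treats it as a weak symmetric cipher. The host name example.test is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the layout of `openssl ciphers -v`: name, protocol,
# then Kx=, Au=, Enc=, Mac= fields and an optional trailing "export" marker.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
RC4-MD5                 SSLv2 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
"""

# "AESGCM(256)" -> algorithm "AESGCM", key bits 256; "None" -> no bits.
ENC_RE = re.compile(r"^([A-Za-z0-9]+)(?:\((\d+)\))?$")

# Protocol column -> the matching openssl s_client version flag (real flags;
# older builds have -ssl2/-ssl3, current builds drop them).
PROTO_FLAG = {"SSLv2": "-ssl2", "SSLv3": "-ssl3", "TLSv1": "-tls1",
              "TLSv1.1": "-tls1_1", "TLSv1.2": "-tls1_2", "TLSv1.3": "-tls1_3"}


@dataclass
class Cipher:
    name: str
    protocol: str
    kx: str
    au: str
    enc_algo: str
    enc_bits: Optional[int]
    mac: str
    export: bool


def parse_ciphers_v(text: str) -> List[Cipher]:
    """Parse `openssl ciphers -v` style lines into Cipher records."""
    ciphers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # blank or malformed line
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        m = ENC_RE.match(fields.get("Enc", ""))
        algo, bits = (m.group(1), m.group(2)) if m else (fields.get("Enc", ""), None)
        ciphers.append(Cipher(parts[0], parts[1], fields.get("Kx", ""),
                              fields.get("Au", ""), algo,
                              int(bits) if bits else None,
                              fields.get("Mac", ""), "export" in parts))
    return ciphers


def weak_reasons(c: Cipher) -> List[str]:
    """Apply the deck's weak-cipher criteria; empty list means not flagged."""
    reasons = []
    if c.protocol == "SSLv2":
        reasons.append("SSLv2 protocol")
    if c.enc_bits in (40, 56):
        reasons.append(f"{c.enc_bits}-bit key")
    if c.enc_algo in ("RC2", "RC4"):
        reasons.append(f"{c.enc_algo} cipher")
    if c.enc_algo == "None":
        reasons.append("NULL cipher (no encryption)")
    if c.enc_algo == "DES":
        reasons.append("single DES")
    if c.au == "None":
        reasons.append("anonymous key exchange (no server authentication)")
    return reasons


def weak_ciphers(text: str) -> Dict[str, List[str]]:
    """Map each flagged suite name to its list of reasons (the tool's -w view)."""
    return {c.name: weak_reasons(c) for c in parse_ciphers_v(text) if weak_reasons(c)}


def s_client_command(c: Cipher, host: str, port: int = 443) -> List[str]:
    """Compose the per-cipher probe from the slide: openssl s_client -$protocol -cipher $cipher -connect $host:$port."""
    return ["openssl", "s_client", PROTO_FLAG[c.protocol], "-cipher", c.name,
            "-connect", f"{host}:{port}"]


if __name__ == "__main__":
    for cipher in parse_ciphers_v(SAMPLE_CIPHERS_V):
        reasons = weak_reasons(cipher)
        tag = "WEAK" if reasons else "ok  "
        print(f"{tag} {cipher.name:28} {', '.join(reasons)}")
        if reasons:
            print("     probe:", " ".join(s_client_command(cipher, "example.test")))
```

Suites that are not flagged (AES128-SHA over SSLv3, for instance) are only "not weak by the deck's list", not certified strong; the tool's -s option is a filter on the same list, and a real assessment would add the protocol version itself to the criteria.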
References
• http://en.wikipedia.org/wiki/Public-key_cryptography
• http://en.wikipedia.org/wiki/Transport_Layer_Security
• http://www.openssl.org/
• http://www.verisign.com/ssl/ssl-information-center/ssl-basics/index.html
• http://en.wikipedia.org/wiki/OSI_model
• http://www.gnu.org/software/gnutls/
• http://openvpn.net/
• http://www.stunnel.org/
• http://lasecwww.epfl.ch/memo/memo_ssl.shtml
• http://www.owasp.org/index.php/Testing_for_SSL-TLS
• http://www.unspecific.com/2009/02/16/ssl-cipher-check
• http://www.schneier.com/paper-ssl.pdf
• https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
• Future Meetings/Talks
• T-Shirt
• DefCon