Usage issues of SSL/TLS

Authors

  • Тетяна Василівна Бабенко Taras Shevchenko National University
  • Сергій Васильович Толюпа Taras Shevchenko National University
  • Вікторія Володимирівна Гречко Taras Shevchenko National University

DOI:

https://doi.org/10.18372/2410-7840.19.12218

Keywords:

secure communication session, SSL/TLS cryptographic protocol, public key infrastructure, X.509 certificates, vulnerability, MITM attack, key exchange, SWEET32, DROWN, ROBOT, application libraries

Abstract

One of the means of creating a secure communication session is the SSL/TLS cryptographic protocol; however, it does not guarantee full protection and has its own vulnerabilities and disadvantages, which must be analyzed and eliminated in the future. In particular, this paper analyzes the basic terminology, analyzes and generalizes the vulnerabilities of the protocol, and presents the aspects that make the "man in the middle" attack and its variations possible, the problem of certificate substitution and self-signed certificates, authentication defects, vulnerabilities in application libraries, the key exchange problem (including Bleichenbacher's threat), public key infrastructure problems, the problem of interoperability in Ukraine, and the most recent vulnerabilities of this protocol (SWEET32, DROWN, ROBOT). The result of the research is an organized list of unsolved problems and recommendations for increasing the cryptographic strength of the protocol.

Author Biographies

Тетяна Василівна Бабенко, Taras Shevchenko National University

Full Professor, Department of Cybersecurity and Information Security, Faculty of Information Technology, Taras Shevchenko National University of Kyiv

Сергій Васильович Толюпа, Taras Shevchenko National University

Full Professor, Department of Cybersecurity and Information Security, Faculty of Information Technology, Taras Shevchenko National University of Kyiv

Вікторія Володимирівна Гречко, Taras Shevchenko National University

Student, Department of Cybersecurity and Information Security, Faculty of Information Technology, Taras Shevchenko National University of Kyiv

Published

2017-12-11

Section

Articles