SSL - How and Why

Download Report

Transcript SSL - How and Why 

TLS/SSL - How and Why
PCI Flags it but why do we care?
By: MadHat Unspecific
SSL – How and Why
•
•
•
•
•
•
•
•
What is TLS/SSL?
How does TLS/SSL work?
What is the difference between TLS and SSL?
What is it used for?
Weak Ciphers
How this relates to PCI
Exploitable
SSL-Cipher-Check (tool from Unspecific.com)
What is TLS/SSL?
•
•
•
•
•
Transport Layer Security
Secure Socket Layers
Application Layer Protocols
Public/Asymmetric Key Cryptography
OSI Layer 6
How does TLS/SSL work?
• Encryption Protocol, Key Length, Hashing
Algorithm
• Authentication
• Handshake
– Request
– Protocols Supported
– Digital Certificate
– Session Keys
What is it used for?
• Security & Data Integrity
• Prevents Eavesdropping, tampering
& message forgery
• HTTP is most famous as HTTPS
• Any layer 7 protocol, POP3, IMAP, SMTP, FTP
• OpenVPN
• Stunnel
• Ncat (included with Nmap)
Weak Ciphers
• Old Protocols
– SSLv2
• Key Strength
– 40bit & 56bit ciphers
– RC2, RC4, NULL
• Weak Hash Algorithms
– DES
• ADH - anonymous DH cipher
How this relates to PCI
& Other Standards
• PCI 4.1 - Use strong cryptography and security
protocols such as SSL/TLS or IPSEC to
safeguard sensitive cardholder data during
transmission over open, public networks.
Exploitable
• Man in the Middle
• Decryption of Communications
SSL-Cipher-Check
• OpenSSL binary
• Checks ALL supported Ciphers
• openssl ciphers
• openssl s_client -$protocol -cipher
$cipher -connect $host:$port
• ssl_dump.log
Raw openssl output
SSL-Cipher-Check
•
$ ./ssl-cipher-check.pl
: SSL Cipher Check: 1.1
: written by Lee 'MadHat' Heath (at) Unspecific.com
Usage:
./ssl-cipher-check.pl [ -dvwas ] <host> [<port>]
default port is 443
-d Add debug info (show it all, lots of stuff)
-v Verbose. Show more info about what is found
-w Show only weak ciphers enabled.
-a Show all ciphers, enabled or not
-s Show only the STRONG ciphers enabled.
References
•
•
•
•
•
•
•
•
•
•
•
•
•
http://en.wikipedia.org/wiki/Public-key_cryptography
http://en.wikipedia.org/wiki/Transport_Layer_Security
http://www.openssl.org/
http://www.verisign.com/ssl/ssl-information-center/ssl-basics/index.html
http://en.wikipedia.org/wiki/OSI_model
http://www.gnu.org/software/gnutls/
http://openvpn.net/
http://www.stunnel.org/
http://lasecwww.epfl.ch/memo/memo_ssl.shtml
http://www.owasp.org/index.php/Testing_for_SSL-TLS
http://www.unspecific.com/2009/02/16/ssl-cipher-check
http://www.schneier.com/paper-ssl.pdf
https://www.pcisecuritystandards.org/security_standards/download.html?id=
pci_dss_v1-2.pdf
• Future Meetings/Talks
• T-Shirt
• DefCon