TLS/SSL Renegotiation Vulnerability
Thai N. Duong [email_address]

Agenda
- SSL/TLS protocol
- SSL/TLS renegotiation vulnerability
- Q & A

About me
- CISO at DongA Bank
- Blogger - http://vnhacker.blogspot.com
- Administrator - http://www.hvaonline.net
- Member - Team CLGT - http://vnsecurity.net
- Bug Hunter - Yahoo!, Oracle/SUN, Apache Foundation, etc.

Copyright notice
- Most of the subsequent slides are copied from elsewhere on the Internet
- You should be careful if you want to reuse them
- This compilation is in the public domain

Cipher suite naming: DHE-RSA-AES256-SHA, split into its components
DHE - RSA - AES256 - SHA

Renegotiation vulnerability
- Active MITM attacker
- Inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream
- Execute an HTTP transaction, authenticated by a legitimate user

Trigger renegotiation
- Client certificate authentication
- Differing server cryptographic requirements
- Client-initiated renegotiation
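As an added, defender-side example that is not from the slides: a small parser for a TLS 1.2 ServerHello that checks whether the server advertised the RFC 5746 renegotiation_info extension (type 0xFF01), the protocol fix for CVE-2009-3555; a server that omits it still renegotiates the pre-fix way. The ServerHello record is constructed in the block, not a capture, and the helper names are the example's own.

```python
import struct

RENEGOTIATION_INFO = 0xFF01        # RFC 5746 extension type
DHE_RSA_AES256_SHA = 0x0039        # cipher suite named on the slides

def build_server_hello(cipher_suite, extensions):
    """Assemble a minimal TLS 1.2 ServerHello record (constructed test data)."""
    ext_body = b"".join(struct.pack("!HH", etype, len(edata)) + edata
                        for etype, edata in extensions)
    body = (b"\x03\x03" + bytes(32)            # version, random (zeroed)
            + b"\x00"                          # empty session_id
            + struct.pack("!H", cipher_suite)
            + b"\x00"                          # null compression
            + struct.pack("!H", len(ext_body)) + ext_body)
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def parse_server_hello(record):
    """Return (cipher_suite, {ext_type: ext_data}) from a ServerHello record."""
    if record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 2 + 32                                # skip version and random
    pos += 1 + body[pos]                        # skip session_id
    cipher_suite = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 3                                    # cipher suite + compression
    extensions = {}
    if pos < len(body):                         # extensions block is optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos < end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            extensions[etype] = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
    return cipher_suite, extensions

def supports_secure_renegotiation(record):
    """True if the server sent renegotiation_info (RFC 5746).

    On the initial handshake the extension carries an empty
    renegotiated_connection; a server that omits it altogether will
    still perform legacy renegotiation and stays exposed to the
    prefix-injection attack unless renegotiation is disabled."""
    _, extensions = parse_server_hello(record)
    return RENEGOTIATION_INFO in extensions
```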
Reference
- http://clicky.me/tlsvuln
- http://extendedsubset.com/Renegotiating_TLS.pdf
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
Thank you! Question?