A Research Study:
Usage of RC4 cipher in SSL configurations in web portals of Sri Lankan Banking/Non-Banking Financial Institutes and Awareness Levels of relevant staff about it.
Tharindu Weerasinghe
Chamara Disanayake
INTRODUCTION
Motivation for the research study:
RC4 is used in SSL cipher suites and is known to be vulnerable.
The financial sector relies on SSL for online transactions; if RC4 is the negotiated cipher suite, those transactions are exposed to RC4's weaknesses.
We wanted to check the SSL cipher suites used by the local Banking and Non-Banking web portals, using tools available online.
We wanted to know how much the IT Security Admins know about these issues.
Important: This study was done during Feb 2017 to Jul 2017.
LITERATURE
RC4 Cipher:
RC4 is the most common stream cipher, widely used in applications such as WPA, SSL, TLS, Kerberos, PDF and Skype.
RC4 is a lightweight algorithm that is easy to use in hardware and in protocols where computational cost matters. However, the algorithm itself is prone to vulnerabilities.
SSL:
SSL (Secure Sockets Layer) is the standard security methodology for establishing an encrypted communication link between a web server and a browser. SSL is an industry standard used by many websites to safeguard their online transactions with their stakeholders [1].
LITERATURE…
Overview of the SSL or TLS handshake [15]
LITERATURE…
RC4 Usage of SSL
RC4 is used in the SSL Record Protocol for encryption in many SSL cipher suites. In the Handshake Protocol, separate RC4 encryption keys are derived for upstream and downstream communication.
In the Record Protocol, the upstream key is used to encrypt client-to-server traffic, whereas the downstream key is used to encrypt server-to-client traffic.
Vulnerabilities of RC4 in SSL
Several researchers and experts have shown that RC4 is vulnerable to attacks when used in SSL. Many of these vulnerabilities stem from the invariance weakness of the RC4 algorithm. [2]
RESEARCH METHODOLOGY
1. Analyze the SSL protocols used by the online web portals (where online transactions are enabled) of Sri Lankan Banking and Non-Banking Financial Institutes, using the online tools available.
2. Study the existing RC4 vulnerabilities that apply when SSL uses an RC4 cipher suite.
3. Gather data via a survey (conducted with Google Forms) from the IT Security Admins and Managers of some of the Sri Lankan Banks.
4. Study/Implement the suitable remedies:
* Upgrading to TLS1.2 (if Apache Tomcat, then upgrade the Java version to 8 and the Tomcat version to 8.0.44)
* For older Tomcat versions – removal of the weak RC4 cipher suites
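An added example (not part of the study) showing the remedy of step 4 in code: it audits a Tomcat HTTPS Connector for RC4 and other weak cipher suites and for legacy protocol versions, then rewrites the Connector so that only TLSv1.2 and the remaining strong suites are offered. The server.xml fragment is constructed; `ciphers` and `sslEnabledProtocols` are real Tomcat Connector attributes, and the weak-suite markers are the example's own choice.

```python
"""Audit and harden a Tomcat HTTPS Connector against RC4 cipher suites.

Added example, not code from the study. The server.xml fragment below is
constructed; `ciphers` and `sslEnabledProtocols` are real Tomcat Connector
attributes, and WEAK_MARKERS is this example's own list.
"""
import re
import xml.etree.ElementTree as ET

# Constructed fragment of a legacy Tomcat server.xml: two RC4 suites are still
# offered and TLSv1 / TLSv1.1 are still enabled alongside TLSv1.2.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
               ciphers="TLS_RSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,
                        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
                        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                        TLS_RSA_WITH_AES_128_CBC_SHA" />
  </Service>
</Server>
"""

# Substrings that mark a suite as weak (RC4, NULL encryption, export grade,
# DES/3DES, anonymous key exchange, MD5 MAC); matched case-insensitively so the
# same check works for JSSE and OpenSSL-style suite names.
WEAK_MARKERS = ("RC4", "NULL", "EXPORT", "DES", "ANON", "MD5")
MODERN_PROTOCOLS = ("TLSV1.2", "TLSV1.3")


def split_list(attr):
    """Split a Connector list attribute on commas, colons or whitespace."""
    return [item for item in re.split(r"[,:\s]+", attr or "") if item]


def is_weak(suite):
    name = suite.upper()
    return any(marker in name for marker in WEAK_MARKERS)


def audit_connector(conn):
    """Report RC4 suites, all weak suites and legacy protocols on one Connector."""
    suites = split_list(conn.get("ciphers"))
    protocols = split_list(conn.get("sslEnabledProtocols"))
    weak = [s for s in suites if is_weak(s)]
    return {
        "port": conn.get("port"),
        "rc4": [s for s in weak if "RC4" in s.upper()],
        "weak": weak,
        "legacy_protocols": [p for p in protocols if p.upper() not in MODERN_PROTOCOLS],
    }


def harden_connector(conn):
    """Rewrite the Connector in place: drop weak suites, allow only TLSv1.2."""
    kept = [s for s in split_list(conn.get("ciphers")) if not is_weak(s)]
    conn.set("ciphers", ",".join(kept))
    conn.set("sslEnabledProtocols", "TLSv1.2")


def ssl_connectors(root):
    return [c for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]


def audit_server_xml(xml_text):
    """Return one finding dict per SSL-enabled Connector in the document."""
    return [audit_connector(c) for c in ssl_connectors(ET.fromstring(xml_text))]


def harden_server_xml(xml_text):
    """Return the document with every SSL-enabled Connector hardened."""
    root = ET.fromstring(xml_text)
    for conn in ssl_connectors(root):
        harden_connector(conn)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_server_xml(SERVER_XML):
        print(finding)
    print(harden_server_xml(SERVER_XML))
```

Running the script prints the findings for the constructed Connector (two RC4 suites, TLSv1 and TLSv1.1 still enabled) followed by the rewritten server.xml; re-auditing that output reports no weak suites and no legacy protocols.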
RESULTS – SURVEY (by June 2017)
SSL (HTTPS) usage of Banks in SL for their corporate web sites (pie chart): Use SSL 87%, Does not use SSL 13%.
RESULTS – SURVEY (by June 2017)
Usage of RC4 in SSL in Sri Lankan Banking Institutes in customer login portals (pie chart): Does not use RC4 85%, Use RC4 15%.
RESULTS – SURVEY (by June 2017)
Usage of RC4 in SSL in Customer Login Portals of Non-Banking Financial Institutes (pie chart): Does not use RC4 88%, Use RC4 12%.
RESULTS – SURVEY (by June 2017)
Awareness of IT System Admins of SL Banks about RC4 usage in SSL (pie chart): Aware 90%, Unaware 10%.
RESULTS – SURVEY (by June 2017)
Awareness of the IT System Admins of SL Banks about RC4 vulnerabilities in SSL (pie chart): Aware 85%, Unaware 15%.
CONCLUSION
By June 2017, 87% of the Banks use SSL in their online web portals.
Out of those, 85% do not use RC4 – which is good!
90% of the relevant staff know about the usage of RC4 in SSL – which is good!
Out of those, 85% know about RC4's vulnerabilities – which is OK!
CONCLUSION...
IMPORTANT:
TLS1.2 was not used by most of the Sri Lankan banks until March 2017 (when this research started they were not using TLS1.2, and at the same time they were vulnerable to the RC4 weaknesses in SSL because RC4 was still active as a cipher suite).
It is very interesting to observe that, during the research period, most of the banks shifted to TLS1.2 to mitigate RC4-like vulnerabilities.
Q & A