USAGE OF RC4 CIPHER IN SSL CONFIGURATIONS IN WEB PORTALS OF SRI LANKAN BANKING/NON-BANKING FINANCIAL INSTITUTES AND AWARENESS LEVELS OF RELEVANT STAFF ABOUT IT
1. A Research Study:
Usage of RC4 cipher in SSL configurations in
web portals of Sri Lankan Banking/Non-
Banking Financial Institutes and Awareness
Levels of relevant staff about it.
Tharindu Weerasinghe
Chamara Disanayake
2. INTRODUCTION
Motivation for the research study:
Knowing that RC4 is used in SSL and that it is vulnerable.
Knowing that the financial sector uses SSL for online transactions, and that if
RC4 is used as a cipher suite in SSL then those transactions will be vulnerable.
Wanted to check the SSL cipher suites used by the local Banking and Non-
Banking web portals, using available online tools.
Wanted to know how much the IT Security Admins know about these...
Important: This study was done during Feb 2017 to Jul 2017.
3. LITERATURE
RC4 Cipher:
RC4 is the most common stream cipher, which is widely used in
applications like WPA, SSL, TLS, Kerberos, PDF and Skype.
RC4 is a lightweight algorithm which can be easily used in hardware and in
protocols where computational cost matters. However, the algorithm
itself is prone to vulnerabilities.
SSL:
SSL (Secure Sockets Layer) is the standard security methodology for
establishing an encrypted communication link between a web server and a
browser. SSL is an industry standard which is used by many websites to
safeguard their online transactions with their stakeholders [1]
5. LITERATURE…
RC4 Usage of SSL
RC4 is used in SSL Record Protocol for encryption in many SSL cipher
suites. In the Handshaking Protocol, RC4 encryption keys are generated for
upstream and downstream communication.
In the Record Protocol, the upstream key is used for encryption of the
client-to-server communication, whereas the downstream key is used for
encryption of the server-to-client communication.
Vulnerabilities of RC4 in SSL
Several researchers and experts have shown that RC4 is vulnerable to attacks when
used in SSL. Many of these vulnerabilities arise from the invariance weakness of the RC4
algorithm. [2]
6. RESEARCH METHODOLOGY
1. Analyze the SSL protocols used by the online web portals (where online
transactions are enabled) of Sri Lankan Banking and Non-Banking Financial
Institutes, using the online tools available.
2. Study the existing RC4 vulnerabilities that apply when SSL is using an RC4 cipher
suite.
3. Gather data via a survey (conducted with Google Forms) from the IT
Security Admins and Managers of some of the Sri Lankan Banks.
4. Study/implement the suitable remedies:
* Upgrading to TLS1.2 (if Apache Tomcat, then upgrade the Java
version to 8 and Tomcat version to 8.0.44)
* For older Tomcat versions – removal of the weak RC4 cipher suites
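Steps 1 and 4 above amount to "find the RC4 suites in the server's cipher list and take them out, then enforce TLS1.2". The following Python is an added example, not code from the study or from Tomcat: it audits a cipher list in either the comma-separated IANA form that a Tomcat connector's `ciphers` attribute uses or the colon-separated OpenSSL form, returns the list with RC4 suites removed, and builds a client context with a TLS 1.2 floor. The sample cipher list is constructed for the example and is not taken from any institution's configuration.

```python
import ssl

# Constructed sample of an older Tomcat/JSSE-style "ciphers" attribute value
# (comma-separated IANA names).  Not from any real server.xml.
SAMPLE_CIPHERS_BEFORE = (
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
    "TLS_RSA_WITH_AES_128_CBC_SHA,"
    "TLS_RSA_WITH_RC4_128_SHA,"
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA,"
    "SSL_RSA_WITH_RC4_128_MD5"
)


def split_cipher_list(value: str) -> list:
    """Split a cipher list; accepts JSSE comma or OpenSSL colon separators."""
    return [c.strip() for c in value.replace(":", ",").split(",") if c.strip()]


def is_rc4_suite(name: str) -> bool:
    """IANA (TLS_RSA_WITH_RC4_128_SHA) and OpenSSL (RC4-SHA) names both carry 'RC4'."""
    return "RC4" in name.upper()


def audit_cipher_list(value: str) -> dict:
    """Return the RC4 suites found and the same list with them removed."""
    names = split_cipher_list(value)
    return {
        "rc4": [n for n in names if is_rc4_suite(n)],
        "hardened": [n for n in names if not is_rc4_suite(n)],
    }


def hardened_ciphers_attribute(value: str) -> str:
    """The value to write back into the connector's ciphers attribute."""
    return ",".join(audit_cipher_list(value)["hardened"])


def default_context_offers_rc4() -> bool:
    """Does the local OpenSSL default client context still offer RC4? (Expected: no.)"""
    ctx = ssl.create_default_context()
    return any(is_rc4_suite(c["name"]) for c in ctx.get_ciphers())


def tls12_floor_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 (the upgrade remedy)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    report = audit_cipher_list(SAMPLE_CIPHERS_BEFORE)
    print("RC4 suites to remove:", report["rc4"])
    print("hardened ciphers attribute:", hardened_ciphers_attribute(SAMPLE_CIPHERS_BEFORE))
    print("local default context offers RC4:", default_context_offers_rc4())
    print("minimum TLS version:", tls12_floor_context().minimum_version.name)
```

Removing the suites from the server configuration is the lasting fix; the TLS 1.2 floor on the client side shows the matching control a portal's own API clients or monitoring scripts can enforce so that a misconfigured endpoint fails loudly instead of silently negotiating down.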
7. RESULTS – SURVEY (by June 2017)
SSL (HTTPS) usage of banks in SL for their corporate web sites
* Use SSL: 87%
* Does not use SSL: 13%
8. RESULTS – SURVEY (by June 2017)
Usage of RC4 in SSL in Sri Lankan Banking Institutes in customer
login portals
* Does not use RC4: 85%
* Use RC4: 15%
9. RESULTS – SURVEY (by June 2017)
Usage of RC4 in SSL in Customer Login Portals of Non-Banking
Financial Institutes
* Does not use RC4: 88%
* Use RC4: 12%
10. RESULTS – SURVEY (by June 2017)
Awareness of IT System Admins of SL Banks about RC4 usage in SSL
* Aware: 90%
* Unaware: 10%
11. RESULTS – SURVEY (by June 2017)
Awareness of the IT System Admins of SL Banks about RC4
vulnerabilities in SSL
* Aware: 85%
* Unaware: 15%
12. CONCLUSION
By June 2017, 87% of the Banks use SSL in their online web
portals.
Of those, 85% do not use RC4 – which is good!
90% of the relevant staff know about the usage of RC4 in
SSL – which is good!
Of those, 85% know about RC4's vulnerabilities – which is
OK!
13. CONCLUSION...
IMPORTANT:
TLS1.2 was not used by most of the Sri Lankan banks until
March 2017 (when this research started they were not
using TLS1.2, and at the same time they were vulnerable to
RC4 weaknesses in SSL because RC4 was
active as a cipher suite.)
It is very interesting to observe that, during the research period,
most of the banks shifted to TLS1.2 to mitigate RC4-related
vulnerabilities.