Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

SSL

668 views

Published on

Published in: Technology, Education
  • Be the first to comment

SSL

  1. 1. TLS/SSL Renegotiation Vulnerability Thai N. Duong [email_address]
  2. 2. Agenda <ul><li>SSL/TLS protocol </li></ul><ul><li>SSL/TLS renegotiation vulnerability </li></ul><ul><li>Q & A </li></ul>
  3. 3. About me <ul><li>CISO at DongA Bank </li></ul><ul><li>Blogger - http://vnhacker.blogspot.com </li></ul><ul><li>Administrator – http://www.hvaonline.net </li></ul><ul><li>Member – Team CLGT - http://vnsecurity.net </li></ul><ul><li>Bug Hunter – Yahoo!, Oracle/SUN, Apache Foundation, etc. </li></ul>
  4. 4. Copyright notice <ul><li>Most of subsequent slides are copied from else where on the Internet </li></ul><ul><li>You should be careful if you want to reuse them </li></ul><ul><li>This compilation is in public domain </li></ul>
  5. 9. DHE -RSA-AES256-SHA
  6. 10. DHE - RSA -AES256-SHA
  7. 11. DHE - RSA - AES256 -SHA
  8. 12. DHE - RSA - AES256 - SHA
  9. 13. Renegotiation vulnerability <ul><li>Active MITM attacker </li></ul><ul><li>Inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream </li></ul><ul><li>Execute a HTTP transaction, authenticated by a legitimate user </li></ul>
  10. 18. Trigger renegotiation <ul><li>Client certificate authentication </li></ul><ul><li>Differing server cryptographic requirements </li></ul><ul><li>Client-initiated renegotiation </li></ul>
  11. 20. Reference <ul><li>http://clicky.me/tlsvuln </li></ul><ul><li>http://extendedsubset.com/Renegotiating_TLS.pdf </li></ul><ul><li>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555 </li></ul>
  12. 21. Thank you! Question?

×