Published @: International Journal of Cyber-Security and Digital Forensics (IJCSDF) 7(2): 111-118
The Society of Digital Information and Wireless Communications (SDIWC), 2018 ISSN: 2305-001
The document discusses the history and purpose of TLS/SSL, including how it uses asymmetric and symmetric cryptography. It describes how TLS/SSL works, including the handshake and record layers, cipher suites, and public key infrastructure (PKI). It notes that TLS/SSL secures communications between applications and transport layers in the OSI model. Examples of exploits like session hijacking and man-in-the-middle attacks are provided to illustrate the importance of encryption.
RC4 is the most popular stream cipher in the world. It is used to protect as many as 30 percent of SSL traffic today, probably
summing up to billions of TLS connections every day.
In this paper, we revisit the Invariance Weakness – a 13-year-old vulnerability of RC4 that is based on huge classes of RC4 weak
keys, which was first published in the FMS paper in 2001. We show how this vulnerability can be used to mount several partial
plaintext recovery attacks on SSL-protected data when RC4 is the cipher of choice, recovering part of secrets such as session
cookies, passwords, and credit card numbers. This paper will describe the Invariance Weakness in detail, explain its impacts, and
recommend some mitigating actions.
by Imperva
This document discusses web security and Secure Sockets Layer (SSL) / Transport Layer Security (TLS). It defines key web security terminology like hackers, viruses, worms, and Trojans. It then explains what SSL/TLS is, how it provides security for web communications through encryption, message authentication codes, and authentication. The document outlines the SSL/TLS architecture, components, sessions and connections. It also discusses how SSL/TLS has been widely implemented in applications like HTTPS to secure internet traffic.
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit DetectionCSCJournals
Since its introduction in 1994 the Secure Socket Layer (SSL) protocol (later renamed to Transport Layer Security (TLS)) evolved to the de facto standard for securing the transport layer. SSL/TLS can be used for ensuring data confidentiality, integrity and authenticity during transport. A main feature of the protocol is its flexibility. Modes of operation and security aims can easily be configured through different cipher suites. During its evolutionary development process several flaws were found. However, the flexible architecture of SSL/TLS allowed efficient fixes in order to counter the issues. This paper presents an overview on theoretical and practical attacks of the last 20 years.
The document presents an overview of Secure Socket Layer (SSL) technology. It discusses how SSL establishes encrypted connections to provide security and integrity. It describes SSL architecture including certificates, hashing, asymmetric and symmetric data transfer, and the SSL handshake process. It also covers encryption algorithms like RC4, AES, Triple DES, and RSA that are used. Finally, it discusses asymmetric key cryptography algorithms like Diffie-Hellman and RSA, as well as symmetric key cryptography and the future scope of encryption standards.
S/MIME (Secure Multipurpose Internet Mail Extensions) allows users to securely send emails through encryption and digital signatures. It uses public key cryptography, with algorithms like RSA and ElGamal for encryption and DSS and RSA for digital signatures. S/MIME supports encrypting the message contents, digitally signing the message, or both. It defines new MIME types to implement these security features for email. Other technologies like PGP provide similar email security functionality to S/MIME.
The document discusses the history and purpose of TLS/SSL, including how it uses asymmetric and symmetric cryptography. It describes how TLS/SSL works, including the handshake and record layers, cipher suites, and public key infrastructure (PKI). It notes that TLS/SSL secures communications between applications and transport layers in the OSI model. Examples of exploits like session hijacking and man-in-the-middle attacks are provided to illustrate the importance of encryption.
RC4 is the most popular stream cipher in the world. It is used to protect as many as 30 percent of SSL traffic today, probably
summing up to billions of TLS connections every day.
In this paper, we revisit the Invariance Weakness – a 13-year-old vulnerability of RC4 that is based on huge classes of RC4 weak
keys, which was first published in the FMS paper in 2001. We show how this vulnerability can be used to mount several partial
plaintext recovery attacks on SSL-protected data when RC4 is the cipher of choice, recovering part of secrets such as session
cookies, passwords, and credit card numbers. This paper will describe the Invariance Weakness in detail, explain its impacts, and
recommend some mitigating actions.
by Imperva
This document discusses web security and Secure Sockets Layer (SSL) / Transport Layer Security (TLS). It defines key web security terminology like hackers, viruses, worms, and Trojans. It then explains what SSL/TLS is, how it provides security for web communications through encryption, message authentication codes, and authentication. The document outlines the SSL/TLS architecture, components, sessions and connections. It also discusses how SSL/TLS has been widely implemented in applications like HTTPS to secure internet traffic.
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit DetectionCSCJournals
Since its introduction in 1994 the Secure Socket Layer (SSL) protocol (later renamed to Transport Layer Security (TLS)) evolved to the de facto standard for securing the transport layer. SSL/TLS can be used for ensuring data confidentiality, integrity and authenticity during transport. A main feature of the protocol is its flexibility. Modes of operation and security aims can easily be configured through different cipher suites. During its evolutionary development process several flaws were found. However, the flexible architecture of SSL/TLS allowed efficient fixes in order to counter the issues. This paper presents an overview on theoretical and practical attacks of the last 20 years.
The document presents an overview of Secure Socket Layer (SSL) technology. It discusses how SSL establishes encrypted connections to provide security and integrity. It describes SSL architecture including certificates, hashing, asymmetric and symmetric data transfer, and the SSL handshake process. It also covers encryption algorithms like RC4, AES, Triple DES, and RSA that are used. Finally, it discusses asymmetric key cryptography algorithms like Diffie-Hellman and RSA, as well as symmetric key cryptography and the future scope of encryption standards.
S/MIME (Secure Multipurpose Internet Mail Extensions) allows users to securely send emails through encryption and digital signatures. It uses public key cryptography, with algorithms like RSA and ElGamal for encryption and DSS and RSA for digital signatures. S/MIME supports encrypting the message contents, digitally signing the message, or both. It defines new MIME types to implement these security features for email. Other technologies like PGP provide similar email security functionality to S/MIME.
Pgp-Pretty Good Privacy is the open source freely available tool to encrypt your emails then you can very securely send mails to others over internet without fear of eavesdropping by cryptanalyst.
Securing TCP connections using SSL
Originally developed by Netscape
Communications to allow secure access of a
browser to a Web server, Secure Sockets
Layer (SSL) has become the accepted
standard for Web security.1 The first version
of SSL was never released because of
problems regarding protection of credit
card transactions on the Web. In 1994,
Netscape created SSLv2, which made it
possible to keep credit card numbers
confidential and also authenticate the Web
server with the use of encryption and digital
certificates. In 1995, Netscape strengthened
the cryptographic algorithms and resolved
many of the security problems in SSLv2
with the release of SSLv3. SSLv3 now
supports more security algorithms
than SSLv2.
This document contains a presentation on Secure Sockets Layer (SSL) and Transport Layer Security (TLS) given to a Network Security class. It includes sections on an overview of SSL, how SSL works, benefits and limitations of SSL, advanced SSL concepts, related protocols including TLS, the importance and benefits of TLS, and a summary. Diagrams illustrate the SSL handshake process and how technologies like SSL, TLS, and Windows Schannel fit together. The presentation was created by students Atif Naveed, Kinnan Nawaz, and Qaiser Abbas for their Network Security professor Mrs. Asma at G.C. University Lahore.
This document discusses various aspects of web security including:
1. Secure Socket Layer (SSL) and Transport Layer Security (TLS) which provide secure communication over the internet.
2. Secure Electronic Transaction (SET) which is an open encryption standard that protects credit card transactions on the internet.
3. The document outlines different security considerations for the web including vulnerabilities of web servers and the need for mechanisms like SSL, TLS at the transport layer and SET at the application layer.
SSL is a secure protocol that runs above TCP/IP and allows users to encrypt data and authenticate server and client identities securely. It uses public key encryption to generate a shared secret and establish an encrypted connection. The SSL handshake process verifies the server's identity and allows the client and server to agree on encryption algorithms before exchanging data. This helps prevent man-in-the-middle attacks by authenticating servers and encrypting the connection.
This slide help you about Security at the transport layer. In this slide we cover About Kerberos Model, Security of Kerberos Model and SSL/TLS Model and How it work and its SSL Architecture and its different phase .
This paper analyzes vulnerabilities of the SSL/TLS
Handshake
protocol
, which
is
responsible
for
authentication of
the parties in the
communication
and
negotiation of
security parameters
that
will be used
to protect
confidentiality and
integrity of the
data
. It
will
be
analyzed the
attacks
against the implementation of Handshake
protocol, as well as the
attacks against the other
elements
necessary to SSL/TLS protocol to discover security
flaws that were exploited, modes of
attack, the potential consequences, but also studyi
ng methods of defense
.
All versions of the
protocol are going to be the subject of the researc
h but
emphasis will be placed
on the critical
attack that
the most endanger the safety of data.
The goal of
the research
is
to point out the
danger of
existence
of at least
vulnerability
in the SSL/TLS protocol
, which
can be exploited
and
endanger the safety of
the data
that should be protected.
SSL uses TCP to provide a secure end-to-end service. It consists of two layers - the SSL record protocol and the SSL handshake protocol. The record protocol provides data encryption and integrity checking, while the handshake protocol allows the server and client to authenticate each other and negotiate encryption parameters for the secure connection.
The TLS/SSL protocol provides privacy and integrity of communications over TCP by encrypting message content and verifying message integrity. It operates in layers, with the TLS record protocol handling fragmentation, compression, encryption, and MAC verification of messages, and the TLS handshake protocol allowing client and server to authenticate and establish encryption parameters before transmitting application data. Openssl is an open source implementation of the TLS/SSL protocols and cryptographic functions used for tasks like generating certificates.
This document discusses various aspects of web security including common threats, countermeasures, security facilities, Secure Socket Layer (SSL) architecture and protocols, and the Secure Electronic Transaction (SET) protocol. It outlines threats like integrity issues, confidentiality breaches, denial of service attacks and authentication problems. It then describes countermeasures like encryption, web proxies, and cryptographic techniques. It provides details on SSL components like sessions, connections, record protocol, handshake protocol and cipher specifications. Finally, it outlines the business requirements and features of SET for secure online transactions.
This document discusses email security and the Pretty Good Privacy (PGP) encryption software. It describes why email security is important given threats like loss of confidentiality and integrity. It then provides details on PGP, including how it uses public/private key encryption and digital signatures to encrypt messages and authenticate senders. PGP uses symmetric encryption of messages and asymmetric encryption of session keys, storing keys in a local ring. The document discusses PGP key management and its use of a web of trust model without a central authority.
This document provides an overview of Secure Sockets Layer (SSL) and Transport Layer Security (TLS). It discusses the evolution of SSL/TLS, the SSL/TLS handshake process, common attacks like man-in-the-middle attacks using tools like SSLStrip, recent attacks on SSL/TLS like BEAST and CRIME, and security guidelines for configuring SSL/TLS on servers.
Short Presentation (2 Hrs) on SSL and TLS Protocol and its reference standard. Good for intermediate participant or technical who want to understand secure protocol an
This document discusses firewalls and firewall traversals. It begins by introducing firewalls and their purpose of securing networks while restricting harmful traffic. It then discusses various methods of traversing firewalls, including SSL/TLS tunneling and proxies. SSL/TLS tunneling involves creating an encrypted tunnel between a client and server through a proxy, while SSL proxies terminate encryption and recreate certificates to provide visibility of encrypted traffic. The document covers the workings and benefits of SSL proxies, as well as types of firewalls and issues they can present.
Frost & Sullivan: Moving Forward with Distributed CryptographyEMC
This analyst report provides an overview of distributed cryptography. The premise underlying distributed cryptography is that if a credential (such as a password or a response to a challenge question) is stolen, the illegitimate possessor of that credential now has access to the secured material
TLS is an IETF standard similar to SSL that provides cryptographic security and secure connections between parties through the establishment of a secure session. It aims to securely transmit data via record layer encapsulation and encryption, using techniques like cryptographic computations, MACs, and the generation of secrets through pseudorandom functions and data expansion. TLS supports various cipher suites, certificate types, and alert codes while making some changes compared to SSL in areas like record formatting, PRF usage, and handshake messaging.
Web Security and SSL - Secure Socket LayerAkhil Nadh PC
Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that provide secure communication over the internet. They allow for confidentiality, integrity, and authentication between two applications communicating over TCP. SSL/TLS works by encrypting the segments of TCP connections above the transport layer through the use of symmetric and asymmetric cryptography. It establishes a secure channel over an insecure network such as the internet.
In cryptography, a cryptosystem is called a threshold cryptosystem.
If in order to decrypt an encrypted message or to sign a message
several parties must cooperate in the decryption
In many of today’s computer application needs, faster operation is essential to the efficient implementation
of information security algorithm. RC4 has been used as the data encryption algorithm for many
applications and protocols including the Wi-Fi, Skype, and Bit Torrent to name a few. Several efficient
approaches to the implementation of RC4 have been proposed and we review some of those. More recently
some parallel approaches to faster implementation of RC4 have been presented and we include those in our
survey of efficient approaches to RC4. This paper presents an analysis of available hardware/software
parallel implementations of RC4 symmetric key-based algorithm and some security approaches which
make it more secure.
Pgp-Pretty Good Privacy is the open source freely available tool to encrypt your emails then you can very securely send mails to others over internet without fear of eavesdropping by cryptanalyst.
Securing TCP connections using SSL
Originally developed by Netscape
Communications to allow secure access of a
browser to a Web server, Secure Sockets
Layer (SSL) has become the accepted
standard for Web security.1 The first version
of SSL was never released because of
problems regarding protection of credit
card transactions on the Web. In 1994,
Netscape created SSLv2, which made it
possible to keep credit card numbers
confidential and also authenticate the Web
server with the use of encryption and digital
certificates. In 1995, Netscape strengthened
the cryptographic algorithms and resolved
many of the security problems in SSLv2
with the release of SSLv3. SSLv3 now
supports more security algorithms
than SSLv2.
This document contains a presentation on Secure Sockets Layer (SSL) and Transport Layer Security (TLS) given to a Network Security class. It includes sections on an overview of SSL, how SSL works, benefits and limitations of SSL, advanced SSL concepts, related protocols including TLS, the importance and benefits of TLS, and a summary. Diagrams illustrate the SSL handshake process and how technologies like SSL, TLS, and Windows Schannel fit together. The presentation was created by students Atif Naveed, Kinnan Nawaz, and Qaiser Abbas for their Network Security professor Mrs. Asma at G.C. University Lahore.
This document discusses various aspects of web security including:
1. Secure Socket Layer (SSL) and Transport Layer Security (TLS) which provide secure communication over the internet.
2. Secure Electronic Transaction (SET) which is an open encryption standard that protects credit card transactions on the internet.
3. The document outlines different security considerations for the web including vulnerabilities of web servers and the need for mechanisms like SSL, TLS at the transport layer and SET at the application layer.
SSL is a secure protocol that runs above TCP/IP and allows users to encrypt data and authenticate server and client identities securely. It uses public key encryption to generate a shared secret and establish an encrypted connection. The SSL handshake process verifies the server's identity and allows the client and server to agree on encryption algorithms before exchanging data. This helps prevent man-in-the-middle attacks by authenticating servers and encrypting the connection.
This slide help you about Security at the transport layer. In this slide we cover About Kerberos Model, Security of Kerberos Model and SSL/TLS Model and How it work and its SSL Architecture and its different phase .
This paper analyzes vulnerabilities of the SSL/TLS
Handshake
protocol
, which
is
responsible
for
authentication of
the parties in the
communication
and
negotiation of
security parameters
that
will be used
to protect
confidentiality and
integrity of the
data
. It
will
be
analyzed the
attacks
against the implementation of Handshake
protocol, as well as the
attacks against the other
elements
necessary to SSL/TLS protocol to discover security
flaws that were exploited, modes of
attack, the potential consequences, but also studyi
ng methods of defense
.
All versions of the
protocol are going to be the subject of the researc
h but
emphasis will be placed
on the critical
attack that
the most endanger the safety of data.
The goal of
the research
is
to point out the
danger of
existence
of at least
vulnerability
in the SSL/TLS protocol
, which
can be exploited
and
endanger the safety of
the data
that should be protected.
SSL uses TCP to provide a secure end-to-end service. It consists of two layers - the SSL record protocol and the SSL handshake protocol. The record protocol provides data encryption and integrity checking, while the handshake protocol allows the server and client to authenticate each other and negotiate encryption parameters for the secure connection.
The TLS/SSL protocol provides privacy and integrity of communications over TCP by encrypting message content and verifying message integrity. It operates in layers, with the TLS record protocol handling fragmentation, compression, encryption, and MAC verification of messages, and the TLS handshake protocol allowing client and server to authenticate and establish encryption parameters before transmitting application data. Openssl is an open source implementation of the TLS/SSL protocols and cryptographic functions used for tasks like generating certificates.
This document discusses various aspects of web security including common threats, countermeasures, security facilities, Secure Socket Layer (SSL) architecture and protocols, and the Secure Electronic Transaction (SET) protocol. It outlines threats like integrity issues, confidentiality breaches, denial of service attacks and authentication problems. It then describes countermeasures like encryption, web proxies, and cryptographic techniques. It provides details on SSL components like sessions, connections, record protocol, handshake protocol and cipher specifications. Finally, it outlines the business requirements and features of SET for secure online transactions.
This document discusses email security and the Pretty Good Privacy (PGP) encryption software. It describes why email security is important given threats like loss of confidentiality and integrity. It then provides details on PGP, including how it uses public/private key encryption and digital signatures to encrypt messages and authenticate senders. PGP uses symmetric encryption of messages and asymmetric encryption of session keys, storing keys in a local ring. The document discusses PGP key management and its use of a web of trust model without a central authority.
This document provides an overview of Secure Sockets Layer (SSL) and Transport Layer Security (TLS). It discusses the evolution of SSL/TLS, the SSL/TLS handshake process, common attacks like man-in-the-middle attacks using tools like SSLStrip, recent attacks on SSL/TLS like BEAST and CRIME, and security guidelines for configuring SSL/TLS on servers.
Short Presentation (2 Hrs) on SSL and TLS Protocol and its reference standard. Good for intermediate participant or technical who want to understand secure protocol an
This document discusses firewalls and firewall traversals. It begins by introducing firewalls and their purpose of securing networks while restricting harmful traffic. It then discusses various methods of traversing firewalls, including SSL/TLS tunneling and proxies. SSL/TLS tunneling involves creating an encrypted tunnel between a client and server through a proxy, while SSL proxies terminate encryption and recreate certificates to provide visibility of encrypted traffic. The document covers the workings and benefits of SSL proxies, as well as types of firewalls and issues they can present.
Frost & Sullivan: Moving Forward with Distributed CryptographyEMC
This analyst report provides an overview of distributed cryptography. The premise underlying distributed cryptography is that if a credential (such as a password or a response to a challenge question) is stolen, the illegitimate possessor of that credential now has access to the secured material
TLS is an IETF standard similar to SSL that provides cryptographic security and secure connections between parties through the establishment of a secure session. It aims to securely transmit data via record layer encapsulation and encryption, using techniques like cryptographic computations, MACs, and the generation of secrets through pseudorandom functions and data expansion. TLS supports various cipher suites, certificate types, and alert codes while making some changes compared to SSL in areas like record formatting, PRF usage, and handshake messaging.
Web Security and SSL - Secure Socket LayerAkhil Nadh PC
Transport Layer Security (TLS), and its now-deprecated predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites can use TLS to secure all communications between their servers and web browsers.
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that provide secure communication over the internet. They allow for confidentiality, integrity, and authentication between two applications communicating over TCP. SSL/TLS works by encrypting the segments of TCP connections above the transport layer through the use of symmetric and asymmetric cryptography. It establishes a secure channel over an insecure network such as the internet.
In cryptography, a cryptosystem is called a threshold cryptosystem.
If in order to decrypt an encrypted message or to sign a message
several parties must cooperate in the decryption
In many of today’s computer application needs, faster operation is essential to the efficient implementation
of information security algorithm. RC4 has been used as the data encryption algorithm for many
applications and protocols including the Wi-Fi, Skype, and Bit Torrent to name a few. Several efficient
approaches to the implementation of RC4 have been proposed and we review some of those. More recently
some parallel approaches to faster implementation of RC4 have been presented and we include those in our
survey of efficient approaches to RC4. This paper presents an analysis of available hardware/software
parallel implementations of RC4 symmetric key-based algorithm and some security approaches which
make it more secure.
This document discusses the course "Network Security" taught by Dr. Shivashankar at RRIT. The course aims to help students understand network security services, transport layer security using SSL and TLS, security concerns regarding the internet protocol, intruders and firewalls. It provides an overview of web security threats and approaches like IPsec and SSL. The document also describes the SSL/TLS handshake protocol and record protocol, cipher suites, and alert codes.
This document provides an overview of Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL). It begins with an introduction to TLS/SSL, explaining what they are and their purposes of providing encryption, authentication and integrity verification. It then discusses digital certificates, the TLS/SSL handshake protocol and record protocol. It explains the four upper layer protocols: record, change cipher spec, alert and handshake. It provides details on SSL, TLS, their implementations and applications. The document is intended to explore how TLS works, best practices for its use, and its various applications in securing business computing.
This paper analyzes vulnerabilities of the SSL/TLS Handshake protocol, which is responsible for authentication of the parties in the communication and negotiation of security parameters that will be used to protect confidentiality and integrity of the data. It will be analyzed the attacks against the implementation of Handshake protocol, as well as the attacks against the other
elements necessary to SSL/TLS protocol to discover security flaws that were exploited, modes of
attack, the potential consequences, but also studying methods of defense. All versions of the
protocol are going to be the subject of the research but emphasis will be placed on the critical attack that the most endanger the safety of data. The goal of the research is to point out the
danger of existence of at least vulnerability in the SSL/TLS protocol, which can be exploited and endanger the safety of the data that should be protected.
This document outlines the course objectives and content for a Network Security course taught by Dr. Shivashankar at RRIT. The course will cover network security services and mechanisms, transport layer security including SSL and TLS, security concerns with IP and the internet, intrusion detection, firewalls, and web security considerations. Students will learn about security threats to web traffic and how approaches like IPsec, SSL, and TLS provide security. The textbook is Cryptography and Network Security by William Stallings.
Transport Layer Security (TLS) is the successor to the Secure Sockets Layer (SSL) protocol. TLS ensures privacy and security between communicating applications and users on the internet by preventing eavesdropping, tampering, and message forgery. It works by having the client and server negotiate a cipher suite and protocol version to use to securely transmit encrypted messages. This establishes a secure channel over an unsecured network like the internet to provide confidentiality, integrity, and authentication of communications.
The document provides an overview of the Secure Sockets Layer (SSL) protocol. It discusses SSL's goals of providing confidentiality, integrity, and authentication for network communications. It describes the SSL handshake process, where the client and server authenticate each other and negotiate encryption parameters before transmitting application data. It also discusses SSL applications like securing web traffic and online payments. The document concludes that SSL is vital for web security and ensures user confidentiality and integrity.
The document discusses web security considerations and threats. It provides 3 levels at which security can be implemented - at the IP level using IPSec, at the transport level using SSL/TLS, and at the application level using protocols like SET. SSL/TLS works by establishing an encrypted channel between the client and server for secure communication. It uses handshake, change cipher spec, and alert protocols for negotiation and management of the secure session. Common web security threats include eavesdropping, message modification, denial of service attacks, and impersonation which can be mitigated using encryption, authentication and other cryptographic techniques.
White paper - Full SSL automation with OneClickSSLGlobalSign
SSL Automation from application to installation
GlobalSign has designed, developed and patented OneClickSSL™, a revolutionary technology that simplifies the process from SSL application to installation with levels of automation previously considered impossible – eliminating support fees and minimizing time spent supporting customers.
Learn how the OneClickSSL technology works, the deployment options and use cases and how to generate new revenues with OneClickSSL.
Introduction to SSL and How to Exploit & SecureBrian Ritchie
The document discusses SSL/TLS, how it works to securely transmit data between endpoints, and potential vulnerabilities. It provides an overview of SSL/TLS protocols and how data is encrypted and transmitted. It then outlines several common endpoint issues that can compromise SSL/TLS, such as inconsistent DNS configurations, self-signed certificates, incomplete certificates, and mixing plain text and encrypted sessions. Exploiting these issues allows man-in-the-middle attacks that can intercept and decrypt encrypted traffic.
RSA and RC4 Cryptosystem Performance Evaluation Using Image and TextYekini Nureni
This document compares the performance of the RSA and RC4 encryption algorithms. An application was developed to encrypt text and image files of varying sizes (10-200KB) using RSA and RC4. The encryption time (TE) for each algorithm on each file size was measured and recorded. The results showed that RC4 had significantly faster encryption times than RSA for all file sizes, both for text and image files. However, RSA is considered more securely than RC4. In conclusion, while RSA is more secure, RC4 has better performance and faster encryption/decryption speeds compared to RSA.
Improving the Secure Socket Layer by Modifying the RSA AlgorithmIJCSEA Journal
Secure Socket Layer (SSL) is a cryptographic protocol which has been used broadly for making secure connection to a web server. SSL relies upon the use of dependent cryptographic functions to perform a secure connection. The first function is the authentication function which facilitates the client to identify the server and vice versa [1]. There have been used, several other functions such as encryption and integrity for the imbuement of security. The most common cryptographic algorithm used for ensuring security is RSA. It still has got several security breaches that need to be dealt with. An improvement over this has been implemented in this paper. In this paper, a modification of RSA has been proposed that switches from the domain of integers to the domain of bit stuffing to be applied to the first function of SSL that would give more secure communication. The introduction of bit stuffing will complicate the access to the message even after getting the access to the private key. So, it will enhance the security which is the inevitable requirement for the design of cryptographic protocols for secure communication.
Transport Layer Security (TLS) is a protocol that ensures privacy between communicating applications and their users on the Internet. When a server and client communicate, TLS ensures that no third party may eavesdrop or tamper with any message. TLS is the successor to the Secure Sockets Layer (SSL).
This document summarizes the risks of SSL/TLS interception proxies, which act as a "man in the middle" to inspect encrypted traffic. It discusses how interception proxies establish two separate SSL sessions and generate their own certificates, creating "transitive trust" where the client trusts the proxy's validation of the server. This can expose clients to risks from expired, revoked, self-signed or untrusted root certificates accepted by the proxy but not the client. The document also notes increased legal exposure, threat surface, and potential for weaker encryption when using an interception proxy.
Introduction to Secure Socket Layer (SSL) and Tunnel Layer Security (TLS). Shows basic principle of SSL and also little bit of practical applicability.
The document provides an overview of Secure Sockets Layer (SSL) and how it works. It discusses how SSL uses cryptography, digital signatures, and certificates to provide security for web traffic by ensuring confidentiality, message integrity, and authentication. It describes how SSL operates through the handshake protocol to negotiate encryption between clients and servers and the record protocol to encrypt data transfer. SSL termination devices are deployed to offload SSL processing from web servers and improve performance and scalability.
Rapid increases in information technology also changed the existing markets and transformed them into emarkets
(e-commerce) from physical markets. Equally with the e-commerce evolution, enterprises have to
recover a safer approach for implementing E-commerce and maintaining its logical security. SOA is one of
the best techniques to fulfill these requirements. SOA holds the vantage of being easy to use, flexible, and
recyclable. With the advantages, SOA is also endowed with ease for message tampering and unauthorized
access. This causes the security technology implementation of E-commerce very difficult at other
engineering sciences. This paper discusses the importance of using SOA in E-commerce and identifies the
flaws in the existing security analysis of E-commerce platforms. On the foundation of identifying defects,
this editorial also suggested an implementation design of the logical security framework for SOA supported
E-commerce system.
Designing A Logical Security Framework for E-Commerce System Based on SOA ijsc
Rapid increases in information technology also changed the existing markets and transformed them into emarkets (e-commerce) from physical markets. Equally with the e-commerce evolution, enterprises have to recover a safer approach for implementing E-commerce and maintaining its logical security. SOA is one of the best techniques to fulfill these requirements. SOA holds the vantage of being easy to use, flexible, and recyclable. With the advantages, SOA is also endowed with ease for message tampering and unauthorized access. This causes the security technology implementation of E-commerce very difficult at other engineering sciences. This paper discusses the importance of using SOA in E-commerce and identifies the flaws in the existing security analysis of E-commerce platforms. On the foundation of identifying defects, this editorial also suggested an implementation design of the logical security framework for SOA supported E-commerce system.
Similar to Usage of rc4 cipher in SSL configurations of Sri Lankan financial institutes edited (20)
This document provides an overview of basic concepts in C programming language, including:
1. The basic building blocks of C programs like alphabets, words, sentences, and paragraphs.
2. The basic components of C language like alphabets/digits/symbols, constants/variables/keywords, statements, and programs.
3. Details on the C character set and constants/variables/keywords.
Series of articles written by me for Vidusara Science Magazine, Sri Lanka [2008 – 2010]; sharing for all those who like to learn the basics of Computer Networks in Sinhala.
Series of articles written by me for Vidusara Science Magazine, Sri Lanka [2012]; sharing for all those who like to learn the basics of Data Structures and Algorithms in Sinhala.
Series of articles written by me for Vidusara Science Magazine, Sri Lanka [2011 – 2012]; sharing for all those who like to learn the basics of OOP in Sinhala.
The document provides tips and guidance for undergraduate research. It discusses selecting a research problem and domain, conducting a literature review, finalizing the research problem and method, collecting and validating data, and writing up the findings. The tips are part of a lecture series for third year undergraduates on better conducting undergraduate research.
The document provides an overview of basic blockchain concepts including:
- A blockchain is a secured digital record or journal containing data and integrity information. Each record or "block" contains data attached to it, giving the technology its name.
- The document outlines sample Python code to implement a simple blockchain and print a genesis block. It also discusses the output of the sample code.
- Other topics covered include cryptocurrency mining, examples of popular cryptocurrencies beyond Bitcoin, and potential business applications of blockchain technology beyond cryptocurrencies such as smart contracts, supply chains, and healthcare.
This document provides an overview of Internet of Things (IoT) basics and some research topics. It defines IoT as devices communicating with each other via a common protocol while connected to the cloud/internet. The document outlines protocols used in IoT, including data protocols like MQTT, CoAP, AMQP; and network protocols like Bluetooth, WiFi, ZigBee, LoRaWan. It provides details on several protocols, their uses, and research opportunities like using LoRaWan for acoustics in agriculture.
These were prepared to teach the module "Emerging Technologies" for the 3rd year Undergraduates of the Asia Pacific Institue of Information Technology, Colombo-2, Sri Lanka (Remotely)
These slides were prepared to teach the module "Emerging Technologies" for the 3rd year Undergraduates of the Asia Pacific Institue of Information Technology, Colombo-2, Sri Lanka (Remotely)
These were prepared to teach the module "Emerging Technologies" for the 3rd year Undergraduates of the Asia Pacific Institue of Information Technology, Colombo-2, Sri Lanka (Remotely)
These slides were used for the module "Introduction to EJB" which was taught as a part of the course "Software Engineering" for the 3rd year computer enigneering undergraduates of the University of Peradeniya in 2010.
These slides were used to teach the module "Introduction to Enterprise Applications and Tools" for the 3rd year undergraduates of the Department of Computer Engineering, University of Peradeniya in 2010.
These slides were used to teach the module "Introduction to Agile Software Development & Python" as a sub-section of the major course "Software Engineering" for the 3rd year undergraduates of the Department of Computer Engineering, University of Peradeniya in 2010.
These slides were used to teach the above subject for the 3rd year undergrads of the Departement of Computer Engineering, University of Peradeniya in 2009, under IFS-PERADENIYA industry -university collaboration.
Things to ponder before you start building [cooperate] softwareTharindu Weerasinghe
This particular PPT was prepared for the session I carried out on 28th Jan 2022,for the 3rd year computer engineering udergrads of the Faculty of Engineering, University of Peradeniya, 20400, Peradeniya, SRI LANKA.
This is the presentation of the invited speech by me on " How to make screens and the internet safe for Children ".
The webinar was organized by the Sri Lanka Medical Association on 7th Sep 2021
This document discusses different types of databases including web-based databases, distributed databases, and data warehousing. It describes the components of a web-based database system including web browsers, web servers, application servers, and a DBMS. Distributed databases allow data to be accessed and modified across multiple computers using a network, while each local database is controlled by its own DBMS. Data warehousing involves integrating data from multiple sources to support analytics and decision making.
A Survey Study on Higher Education Trends among Sri Lankan IT ProfessionalsTharindu Weerasinghe
This is a presentation I did at IEEE TALE Conference 2019, held in Yogyakarta, Indonesia. This is about Higher Education Trends amoung Sri Lanka IT Professionals
A Survey Study on Higher Education Trends among Information Technology Prof...Tharindu Weerasinghe
This document summarizes the results of a survey on higher education trends among IT professionals in Sri Lanka. The survey received responses from 30% of the 100 IT professionals contacted. Key findings include:
- 60% of respondents have already completed a post-graduate degree in addition to their basic degree.
- 66.7% said they wanted to gain further knowledge and recognition through a post-graduate degree.
- The most popular post-graduate degrees of interest were Master of Business Administration (MBA) and Master of Science (MSc) degrees.
- Most respondents advised younger IT professionals to pursue further education before taking on family commitments.
Professionalism and Industry Expectations related to IT industry Tharindu Weerasinghe
This document discusses professionalism and expectations from the IT industry. It defines profession and professionalism. Things needed to be professional include being an expert in your field, continuous learning, behaving ethically, respecting organizational culture, punctuality, admitting mistakes, direct communication, and having good soft skills. The IT industry expects knowledge of basics, teamwork, continuous learning, and loyalty from employees. The document emphasizes the importance of professionalism for the Sri Lankan IT/BPO sector.
Do you want Software for your Business? Visit Deuglo
Deuglo has top Software Developers in India. They are experts in software development and help design and create custom Software solutions.
Deuglo follows seven steps methods for delivering their services to their customers. They called it the Software development life cycle process (SDLC).
Requirement — Collecting the Requirements is the first Phase in the SSLC process.
Feasibility Study — after completing the requirement process they move to the design phase.
Design — in this phase, they start designing the software.
Coding — when designing is completed, the developers start coding for the software.
Testing — in this phase when the coding of the software is done the testing team will start testing.
Installation — after completion of testing, the application opens to the live server and launches!
Maintenance — after completing the software development, customers start using the software.
GraphSummit Paris - The art of the possible with Graph TechnologyNeo4j
Sudhir Hasbe, Chief Product Officer, Neo4j
Join us as we explore breakthrough innovations enabled by interconnected data and AI. Discover firsthand how organizations use relationships in data to uncover contextual insights and solve our most pressing challenges – from optimizing supply chains, detecting fraud, and improving customer experiences to accelerating drug discoveries.
Artificia Intellicence and XPath Extension FunctionsOctavian Nadolu
The purpose of this presentation is to provide an overview of how you can use AI from XSLT, XQuery, Schematron, or XML Refactoring operations, the potential benefits of using AI, and some of the challenges we face.
What is Augmented Reality Image Trackingpavan998932
Augmented Reality (AR) Image Tracking is a technology that enables AR applications to recognize and track images in the real world, overlaying digital content onto them. This enhances the user's interaction with their environment by providing additional information and interactive elements directly tied to physical images.
Why Mobile App Regression Testing is Critical for Sustained Success_ A Detail...kalichargn70th171
A dynamic process unfolds in the intricate realm of software development, dedicated to crafting and sustaining products that effortlessly address user needs. Amidst vital stages like market analysis and requirement assessments, the heart of software development lies in the meticulous creation and upkeep of source code. Code alterations are inherent, challenging code quality, particularly under stringent deadlines.
DDS Security Version 1.2 was adopted in 2024. This revision strengthens support for long runnings systems adding new cryptographic algorithms, certificate revocation, and hardness against DoS attacks.
E-commerce Application Development Company.pdfHornet Dynamics
Your business can reach new heights with our assistance as we design solutions that are specifically appropriate for your goals and vision. Our eCommerce application solutions can digitally coordinate all retail operations processes to meet the demands of the marketplace while maintaining business continuity.
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI AppGoogle
AI Fusion Buddy Review: Brand New, Groundbreaking Gemini-Powered AI App
👉👉 Click Here To Get More Info 👇👇
https://sumonreview.com/ai-fusion-buddy-review
AI Fusion Buddy Review: Key Features
✅Create Stunning AI App Suite Fully Powered By Google's Latest AI technology, Gemini
✅Use Gemini to Build high-converting Converting Sales Video Scripts, ad copies, Trending Articles, blogs, etc.100% unique!
✅Create Ultra-HD graphics with a single keyword or phrase that commands 10x eyeballs!
✅Fully automated AI articles bulk generation!
✅Auto-post or schedule stunning AI content across all your accounts at once—WordPress, Facebook, LinkedIn, Blogger, and more.
✅With one keyword or URL, generate complete websites, landing pages, and more…
✅Automatically create & sell AI content, graphics, websites, landing pages, & all that gets you paid non-stop 24*7.
✅Pre-built High-Converting 100+ website Templates and 2000+ graphic templates logos, banners, and thumbnail images in Trending Niches.
✅Say goodbye to wasting time logging into multiple Chat GPT & AI Apps once & for all!
✅Save over $5000 per year and kick out dependency on third parties completely!
✅Brand New App: Not available anywhere else!
✅ Beginner-friendly!
✅ZERO upfront cost or any extra expenses
✅Risk-Free: 30-Day Money-Back Guarantee!
✅Commercial License included!
See My Other Reviews Article:
(1) AI Genie Review: https://sumonreview.com/ai-genie-review
(2) SocioWave Review: https://sumonreview.com/sociowave-review
(3) AI Partner & Profit Review: https://sumonreview.com/ai-partner-profit-review
(4) AI Ebook Suite Review: https://sumonreview.com/ai-ebook-suite-review
#AIFusionBuddyReview,
#AIFusionBuddyFeatures,
#AIFusionBuddyPricing,
#AIFusionBuddyProsandCons,
#AIFusionBuddyTutorial,
#AIFusionBuddyUserExperience
#AIFusionBuddyforBeginners,
#AIFusionBuddyBenefits,
#AIFusionBuddyComparison,
#AIFusionBuddyInstallation,
#AIFusionBuddyRefundPolicy,
#AIFusionBuddyDemo,
#AIFusionBuddyMaintenanceFees,
#AIFusionBuddyNewbieFriendly,
#WhatIsAIFusionBuddy?,
#HowDoesAIFusionBuddyWorks
Need for Speed: Removing speed bumps from your Symfony projects ⚡️Łukasz Chruściel
No one wants their application to drag like a car stuck in the slow lane! Yet it’s all too common to encounter bumpy, pothole-filled solutions that slow the speed of any application. Symfony apps are not an exception.
In this talk, I will take you for a spin around the performance racetrack. We’ll explore common pitfalls - those hidden potholes on your application that can cause unexpected slowdowns. Learn how to spot these performance bumps early, and more importantly, how to navigate around them to keep your application running at top speed.
We will focus in particular on tuning your engine at the application level, making the right adjustments to ensure that your system responds like a well-oiled, high-performance race car.
Takashi Kobayashi and Hironori Washizaki, "SWEBOK Guide and Future of SE Education," First International Symposium on the Future of Software Engineering (FUSE), June 3-6, 2024, Okinawa, Japan
WhatsApp offers simple, reliable, and private messaging and calling services for free worldwide. With end-to-end encryption, your personal messages and calls are secure, ensuring only you and the recipient can access them. Enjoy voice and video calls to stay connected with loved ones or colleagues. Express yourself using stickers, GIFs, or by sharing moments on Status. WhatsApp Business enables global customer outreach, facilitating sales growth and relationship building through showcasing products and services. Stay connected effortlessly with group chats for planning outings with friends or staying updated on family conversations.
Neo4j - Product Vision and Knowledge Graphs - GraphSummit ParisNeo4j
Dr. Jesús Barrasa, Head of Solutions Architecture for EMEA, Neo4j
Découvrez les dernières innovations de Neo4j, et notamment les dernières intégrations cloud et les améliorations produits qui font de Neo4j un choix essentiel pour les développeurs qui créent des applications avec des données interconnectées et de l’IA générative.
Introducing Crescat - Event Management Software for Venues, Festivals and Eve...Crescat
Crescat is industry-trusted event management software, built by event professionals for event professionals. Founded in 2017, we have three key products tailored for the live event industry.
Crescat Event for concert promoters and event agencies. Crescat Venue for music venues, conference centers, wedding venues, concert halls and more. And Crescat Festival for festivals, conferences and complex events.
With a wide range of popular features such as event scheduling, shift management, volunteer and crew coordination, artist booking and much more, Crescat is designed for customisation and ease-of-use.
Over 125,000 events have been planned in Crescat and with hundreds of customers of all shapes and sizes, from boutique event agencies through to international concert promoters, Crescat is rigged for success. What's more, we highly value feedback from our users and we are constantly improving our software with updates, new features and improvements.
If you plan events, run a venue or produce festivals and you're looking for ways to make your life easier, then we have a solution for you. Try our software for free or schedule a no-obligation demo with one of our product specialists today at crescat.io
Atelier - Innover avec l’IA Générative et les graphes de connaissancesNeo4j
Atelier - Innover avec l’IA Générative et les graphes de connaissances
Allez au-delà du battage médiatique autour de l’IA et découvrez des techniques pratiques pour utiliser l’IA de manière responsable à travers les données de votre organisation. Explorez comment utiliser les graphes de connaissances pour augmenter la précision, la transparence et la capacité d’explication dans les systèmes d’IA générative. Vous partirez avec une expérience pratique combinant les relations entre les données et les LLM pour apporter du contexte spécifique à votre domaine et améliorer votre raisonnement.
Amenez votre ordinateur portable et nous vous guiderons sur la mise en place de votre propre pile d’IA générative, en vous fournissant des exemples pratiques et codés pour démarrer en quelques minutes.
Mobile app Development Services | Drona InfotechDrona Infotech
Drona Infotech is one of the Best Mobile App Development Company In Noida Maintenance and ongoing support. mobile app development Services can help you maintain and support your app after it has been launched. This includes fixing bugs, adding new features, and keeping your app up-to-date with the latest
Visit Us For :
Usage of rc4 cipher in SSL configurations of Sri Lankan financial institutes edited
1. A research study: Usage of RC4 stream cipher in SSL configurations of web servers
used by Sri Lankan Financial Institutes
T.D.B Weerasinghe* and Chamara Disanayake
CICRA Campus, Colombo 4, Sri Lanka
tharindu.weerasinghe@gmail.com
chamara@nic.lk
ABSTRACT
The security of the Internet is mainly based on
Secure Socket Layer (SSL) or its successor Transport
Layer Security (TLS). To secure the on-line
transactions, the organizations widely use the
particular protocol(s) in their web portals. In SSL, a
lot of cipher suits are used as encryption algorithms.
RC4 is the most commonly used stream cipher
(although it is regarded as a weak cipher) and it is
used in SSL as an encryption algorithm. SSL is the
most renowned security protocol for pursuating a
secure link between a web server and a browser.
Nonetheless the stream cipher RC4 is found to be
vulnerable for various attacks. The main objective of
this research study is to find-out the usage of RC4
stream cipher in on-line web portals of Sri Lankan
Financial Sector, as well as the awareness level of the
IT and Security administrators and managers of some
of the selected banks which are geographically based
in Sri Lanka, regarding the usage of RC4 in SSL.
KEYWORDS
RC4, SSL, Stream Cipher, Web Portals, Sri Lankan
Financial Institutes
1 INTRODUCTION
Even though there are proven scenarios that
illustrate RC4's vulnerabilities in SSL, a lot of
Sri Lankan banks were using RC4 as one of the
cipher suits in the SSL configurations of their
respective on-line web portals. This was
identified by the SSL testing tools available in
open literature. By the time this case/research
study started many of the private banks in Sri
Lanka were not updated to the latest of SSL/TLS
versions. And hence why they were vulnerable to
RC4 based attacks. Most of the vulnerabilities
occur due to the Invariance Weakness of the
particular algorithm. One of the other objectives
of this study was to
know the awareness level of the System
Administrators, IT Managers and IT
Administrators in the financial sector in Sri
Lanka, about the RC4 cipher vulnerabilities in
SSL. A questionnaire (presented later in this
paper) was given to some of the selected
professionals mentioned above. The outcomes of
the survey are depicted in the results section.
2 LITERATURE
WWW (World Wide Web) is the largest network
around and information is spread to every corner
of the world through the World Wide Web which
we call as the Internet. Nowadays most of the
professionals can't survive in their professions if
they don't have the Internet access. When
information spreads everywhere the privacy and
secrecy of information also pay a vital role.
When Information become paramount, the
protection of information becomes even more
important; hence the secure information
transactions are encouraged over the Internet.
The Internet is browsed or surfed through web
browsers (e.g. Chrome, Firefox, Internet
Explorer, Opera etc). The web browsers render
the web-pages a nd illustrate them to the users. It
is self explanatory that the vital (sensitive)
information are transferred via web browsers
hence the information should be transferred
through secure channels. To protect (or encrypt)
the sensitive information over the Internet via
web browsers, there is a standard mechanism
called SSL (Secure Socket Layer) through
handshakes and agreed protocols the information
will be encrypted by SSL and transformed over
the Internet. A man in the middle can intercept
but can only get the meaningless data which are
encrypted. SSL uses various ciphers to encrypt
the data/information; likes of RSA, AES, RC4
etc.
1
2. The financial sector as well the enterprise web
applications use SSL in order to make their
application transactions secure. In Sri Lanka also
a lot of financial institutions use HTTPS. When
you use SSL (specially the versions prior to
TLS1.2) and if you have configured the stream
cipher RC4 as a cipher in SSL then you are
vulnerable to some attacks which are mainly
based on the in-variance weakness of the RC4
algorithm.
2.1 Stream Cipher
In cryptography, the Stream Cipher is a light
weight cipher which encrypts plain-text bit by
bit. Input plain-text is considered as a bit stream
and that stream is encrypted using a key which
can be used to decrypt the particular cipher text
and obtain the plain text. Stream ciphers are
widely used in embedded systems because they
are light weight. Unlike block ciphers stream
ciphers are less secured. Among all the stream
ciphers, the most popular one is RC4.
2.2 RC4 Stream Cipher
RC4 (originally named as Rivest Cipher 4 or
ARC4, founded by Ron Rivest at RSA Security),
is the well-known stream cipher around which is
widely used in applications like WPA, SSL, TLS,
Kerberos, PDF and Skype [4].
Here, the algorithm RC4 is described with
respect to its major parts:
The Key Scheduling Algorithm (KSA) and the
Pseudo- Random Generation Algorithm (PRGA).
In most of the applications RC4 is used with a
word size 8 (n = 8) and array size N = 28
[6]
KSA:
for i = 0 to 255
S[i] = i;
end for
j=0
for i = 0 to 255
j = (j+S[i]+K[i mod keylength]) mod
256;
swap S[i] and S[j];
end for
PRGA:
i = 0, j=0;
for x = 0 to L-1
i = (i+1) mod 256;
j = (j+S[i]) mod 256;
swap S[i] and S[j];
GeneratedKey = S[ (S[i] + S[j]) mod
256]
Output = M XOR GeneratedKey
end for
Where ‘M[]’ is the plain-text message
and L is its length. Keylength is the
initial key length in bytes.[6]
2.3 SSL
SSL (Secure Sockets Layer) is considered to be
the standard security methodology for
establishing an encrypted communication link
between a web server and a browser. SSL is an
industry standard which is used by many
websites to safeguard their on-line transactions
with their stakeholders. In other words, SSL is
the standard technology for maintaining a secure
Internet connection and protecting sensitive data
that is being shared between two entities or
systems, preventing eavesdroppers/hackers from
reading and amending any information
transferred, including the personal information
of the users. The two entities or systems can be a
server and a client (e.g. an on-line shopping wen
site and a browser) or server to server (e.g. an
application with sensitive personal identifiable
data or information with salary details of the
employees of an organization). It achieves this
by encrypting the data shared between the two
systems. It uses encryption algorithms such as
AES, 3DES, RC4 and Hash Functions to
scramble the data in transit and preventing
hackers from reading it as it is sent over the
connection. This information can be anything
sensitive or personal which can include personal
civil information, bank account details, credit
card numbers and other valuable contact
information. TLS (Transport Layer Security) is
regarded as a successor to SSL, a more secure
and trusted version of SSL. The computer world
still refers to the security certificates as SSL
because it is a more commonly used term. [6].
2.4 How does SSL work
1. A browser or server tries to connect to a
Website, in other words, a client attempts to
connect to a Web server, secured with SSL. The
particular browser or the server requests the
identity of the Web Server itself.
2
3. 2. The Web server sends the browser or the
server a copy of its SSL certificate.
3. Then the particular browser or the server
checks whether the SSL certificate can be trusted
or not. If trusted then, it sends a message to the
Web server.
4. After that, the Web Server sends back a
digitally signed acknowledgment to start a SSL
encrypted session.
5. Encrypted data is shared between the browser
or the server and the Web server.
2.5 How RC4 is used in SSL
RC4 is used in SSL Record Protocol for
encryption in many SSL cipher suites. In the
Handshaking Protocol, RC4 encryption keys are
generated for upstream and downstream
communication. In the Record Protocol, the
upstream key is used for encryption of the client-
to-server communication, whereas the
downstream key is used for encryption of the
server-to-client communication. It is important to
note that the encryption(s) are state-full, using
the first key-stream bytes for encrypting the first
message, the succeeding key-stream bytes for
encrypting the next message, etc.
2.6 Vulnerabilities in RC4 in SSL
Several researchers and experts have proved that
RC4 is vulnerable for attacks in SSL.
Implementation of RC4 (the structure of the
algorithm) itself found to be vulnerable.
Statistical biases in the pseudo-random number
generator (PRNG) as well as some in the key
stream generator (KSA) that lead an attacker to
distinguish RC4 from random and to guess or
predict its allegedly pseudo-random bits with a
higher probability. On the other hand, a lot
vulnerabilities occur due to the in-variance
weakness of the RC4 algorithm [2].
2.7 In-variance Weakness of RC4
Invariance Weakness is about a pattern which
can be derived in the key-stream. It is described
as an L-shape key pattern in RC4 keys; if further
explained, once it exists in an RC4 key, keeps
part of the state permutation intact throughout
the initialization process. This intact part
includes
the least significant bits of the permutation,
when processed by the Pseudo Random Number
Generator (PRNG) algorithm, it determines the
least significant bits of the allegedly pseudo-
random output stream along a long prefix of the
stream. These biased stream bytes are XOR-ed
with the plain-text bytes, resulting in significant
leakage of plain-text bytes from the cipher-text
bytes.[2]
These patterns are formed for different number
of Least Significant Bits (LSBs), a single LSB, 2
LSBs, 3 LSBs to 7 LSBs, resulting with different
classes of weak RC4 keys. Because of the
structure of these classes, each class contains
the succeeding classes and thus the first class is
the largest, denoted below as the Main Class.
The portion of q-class for L byte keys (which is
the probability of a random key to be in the
class) is 2 -(qL+(9-q)). For 16-byte key the
portion of the Main Class (1-class) is 2 -24 (1 in
16 million) and the portion of 2- class is 2 -39
(very rare). Several researchers have found that
the Invariance Weakness of RC4 has several
crypt-analytic applications, including statistical
biases in the RC4's PRNG that allow an
eavesdropper to distinguish RC4 streams from
randomness and enhancement of trade-off
attacks on RC4. Another application of the
Invariance Weakness, is the leakage of plain-text
data into the cipher-text when q-class keys are
used, which is described in [2].
Given the fact that the Invariance Weakness is
exposed only in the initial 100 bytes of the key-
stream, it can be used only for the initial 100
bytes of the secured upstream traffic and the first
100 bytes of the secured downstream traffic.
Given the fact that the first encrypted message in
each direction is the SSL Handshake Finished
message (36-bytes in a typical usage of SSL),
about 64 bytes of secret plain-text data are
vulnerable for attacks [2].The attack described in
the research published by www.imperva.com is
based on sniffing a large number of SSL
connections encrypted with RC4, waiting for the
arrival of a weak key. Once a weak key
arrives, the attacker is good enough to predict the
LSBs of the key-stream bytes, and he/she uses
these to extract the LSBs of the plain-text bytes
3
4. from the cipher-text with significant advantage.
In order to achieve this situation, the attacker
needs to determine which SSL sessions are the
ones in which weak keys were used. For this
isolation, the attacker can use the fact that the
first encrypted bytes include the SSL “Finished”
message and HTTP request, both having
predictable information. Thus, when a weak key
is used, the plain-text patterns are XOR-ed with
key-stream patterns, generating cipher-text
patterns visible to the attacker.
`
2.8 Sri Lankan Financial Institutes
In this study, the Sri Lankan financial domain
which consists of the Banking Sector and other
Financial Institutes, taken into consideration.
There are 32 Commercial and Licensed
Specialized banks and 45 Registered Financial
Institutes in Sri Lanka [12, 13, 14]. Almost all
these banks use cooperate websites and also
customer log-in portals. Hence SSL/TLS is
playing a basic vital role. Nonetheless, one of
main objectives of this research was to identify
the awareness level of the IT System
Administrators and Network Engineers of these
banking/financial sector, regarding RC4's
vulnerabilities in SSL and also how well the
particular institutes' web based products are
protected against them.
2.9 Mitigation of RC4 vulnerabilities in SSL
One of the solutions is to upgrade SSL into
TLS1.2 where the stream cipher RC4 algorithm
is not used as a cipher suit. This is the solution
that a lot of banks have adhered to, during the
research. Please note that, by the time the
research started, a lot of banks were using the
RC4 as a cipher suit (analyzed using the online
tool, SSL Server Test, Powered By Qualys SSL
Labs). The other is to disable RC4 Cipher Suit in
the SSL configuration of the web server [8].
3 RESEARCH METHODOLOGY
3.1 Preliminary Research Method
A study of the existing RC4 vulnerabilities and
remedies was carried out in-terms of finding the
reliable and suitable remedies.
Data were gathered via a Survey (Google Forms
were used to gather data) from the senior
professionals of some of the Sri Lankan Banks.
The aim of the survey was the identify the
background knowledge and awareness of the IT-
Security Admins and Managers of Sri Lanka
Banks, about the RC4 cipher vulnerabilities in
SSL/TLS. In open literature, researchers,
professionals in the domain have already
discussed about these vulnerabilities but it is
important to know to which extend the Sri
Lankan professionals in the domain, are aware of
these. The questionnaire was prepared to cover a
wide range of areas related to SSL, RC4 and
opinions of the organizations.
Then the SSL protocols used by the targeted web
sites were analyzed using the online tools
available.
https://www.ssllabs.com/ssltest is used which is
publicly available to anyone interested.
3.2 Action plan
Selection of Methods and Tools
Identification and illustration of the
vulnerabilities in SSL when using RC4.
Analysis of the suitable remedies.
Preparation of the questionnaire for Data
Collection
Circulation of the questionnaire to the
selected professionals and data gathering.
Data Analysis.
4 RESULTS AND ANALYSIS
Twelve senior level employees from
several banks of Sri Lanka were
contacted and inputs were taken for the
questionnaire.
All of them know RC4 Cipher and also
all of them know that SSL has RC4 as a
cipher suit.
4
5. 75% of them know that RC4 is
vulnerable in SSL.
75% of their institutes use SSL and all of
them has mitigated RC4. Summary of
Results are shown in respective pie
charts:
Summary of Results are shown in respective pie
charts:
Figure 1. SSL usage in the customer login portals of the
Sri Lankan banks (by June 2017)
Figure 2. RC4 cipher suit usage in SSL configurations of
the customer login portals of the Sri Lankan banks (by
June 2017)
Figure 3. RC4 cipher suit usage in SSL configurations of
the customer login portals of other financial institutes of
Sri Lanka (by June 2017)
Figure 4. Awareness levels of the selected IT
Infrastructure/ Networking professionals in Sri Lankan
Banks about RC4 usage in SSL
Figure 5. Awareness levels of the selected IT
Infrastructure/ Networking professionals in Sri Lankan
Banks about RC4 vulnerabilities in SSL
5
6. Results of finding a suitable remedy for Sri
Lankan eBusiness sector if the stakeholders still
use RC4 cipher suit in their web servers :
Upgrading to TLS1.2 which is the latest of TLS
and this needs management approval. This is
about shifting/changing infrastructure. Well this
is not hard but if there are management decisions
(highly unlikely) then an organization will have
to hold back in changing.
JDK8 supports TLS by, default. Support for TLS
1.2 initially appeared in JDK 7 in 2011 [9, 10,
11].
Setting up JDK 8 to use TLS 1.2 as the default is
good because of two reasons:
1. TLS1.2 is backward compatible means even
after upgrading to TLS1.2 you can use even
TLS1.0.
2. Few systems will be affected by this unless
configured to use an algorithm that was removed
for security reasons [10].
For other versions of SSL, it is recommended to
disable RC4 as mentioned in the Introduction.
Sample connector entry in the server.xml of
Apache Tomcat 8.0.41 is mentioned here:
Remedy apart from upgrading to TLS1.2:
<!ENTRY STARTS>
<Connector
protocol="org.apache.coyote.http11.Http
1
1
NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true"
SSLEnabled="true"
keystoreFile="/usr/lib/jvm/java8oracle
/
bin/keystore"
keystorePass="SetFree123"
clientAuth="false" sslProtocol="TLS"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CB
C_S
HA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,RC4
TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,
SSL_RSA_WITH_RC4_128_SHA
"/>
<!ENTRY FINISHES>
5 CONCLUSION
Nearly 75% of the Banks and Financial Institutes
in Sri Lanka have been transferred to TLS1.2
from SSL and TLS older versions and hence they
have mitigated the RC4 vulnerabilities (this has
happened after April 2017, because when by the
time the research study commenced, most of the
banks had not been upgraded and hence they
were using RC4. Nonetheless, the other 25% is
under a risk of exposing major part of the plain-
text messages as they use the RC4cipher suit in
their SSL configuration. TLS1.2 was not used by
the most of the Sri Lankan banks until March
2017 (by the time this research started, they were
not using TLS1.2 and hence they were
vulnerable to RC4 weaknesses in SSL. It is very
interesting to see that, during the research period,
most of the banks have shifted to TLS1.2 to
mitigate RC4 like vulnerabilities. RC4 stream
cipher is understood to be a weak cipher suit in
SSL and it is recommended that it is disabled in
all SSL and TLS versions if the organizations
does not use TLS1.2 or above. Java 8 (JDK 8)
supports TLS by default and hence Apache
8.0.44 also supports TLS. As a best
practice,when you harden your web servers it is
good to use the latest versions available; of
course you need to have the management
approval for this kind of an infrastructure
change; but it is essential to convince the
management use the best practices.
According to the results, the majority of the
selected IT Administrators of the selected Banks
(75% of them) are aware of the RC4
vulnerabilities.
For the Banks and Financial Institutes that are
yet to avoid RC4 vulnerabilities which are
mainly caused due to the Invariance weakness of
the cipher, it is recommended to migrate to
TLS1.2 which has no RC4 cipher suit or else at-
least remove RC4 cipher suits from their SSL
cipher configuration. As far as the objectives of
this research are concerned, it is clearly depicted
that all of those objectives are achieved with
6
7. results and there are no any motive or thought to
publish the research data publicly, as they are
regarded as very sensitive in-terms of banking
and financial industry. If there is a formal and
legal request the researcher can provide the
necessary details to the authorized person or
institute. The tools used to check the
vulnerabilities and it is worth using such tools
get an idea about the security standard of the
web sites of your organization.
REFERENCES
1 “What is SSL?,” What is SSL? [Online]. Available:
http://info.ssl.com/article.aspx?id=10241. [Accessed: Jan
& Feb -2017].
2 IMPERVA., “Attacking SSL when using RC4.” Hacker
Intelligence Initiative, Mar-2015.
3 “DigiCert® Certificate Inspector: Vulnerabilities,”
DigiCert. [Online].Available:
https://www.digicert.com/certinspector-vulnerabilities.htm.
[Accessed: Jan-2017].
4 “RC4,” Wikipedia, 02-Jul-2017. [Online]. Available:
https://en.wikipedia.org/wiki/RC4
5 “What is SSL, TLS and HTTPS?,” What is SSL, TLS
and HTTPS? Symantec. [Online]. Available:
https://www.symantec.com/page.jsp?id=ssl-information-
center. [Accessed: June-2017].
6 Y. Nawaz, K. Gupta, and G. Gong, “A 32-bit RC4-like
Keystream Generator.” International Association for
Cryptologic Research, 2005.
7 How Does SSL Work? What is SSL? | Entrust. (n.d.).
Retrieved June 24, 2017, from https://www.entrust.com/ssl
8 “WHICH SSL/TLS PROTOCOL VERSIONS AND
CIPHER SUITES SHOULD I USE?,” WHICH SSL/TLS
PROTOCOL VERSIONS AND CIPHER SUITES
SHOULD I USE? [Online].
Available:https://securityevaluators.com/knowledge/blog/2
015 0119-protocols/. Accessed: June-2017].
9 B. S. Inc, “Finding and Fixing Vulnerabilities in SSL
RC4 Cipher Suites Supported , a Medium Risk
Vulnerability,” Beyond Security - Vulnerability
Assessment and
Management.Online].Available:http://www.beyondsecurity
.com/scan_pentest_network_vulnerabilities_ssl_rc4_cipher
_suites_supported. [Accessed: June-2017].
10 G. Author, “JDK 8 will use TLS 1.2 as default,” JDK 8
will use TLS 1.2 as default | Oracle. [Online]. Available:
https://blogs.oracle.com/java-platform-group/jdk-8-will-
usetls- 12-as-default. [Accessed: June-2017].
11 H. Schlawack, “Hardening Your Web Server's SSL
Ciphers,” Homepage and blog of Hynek Schlawack, 12-
Jun-2017 [Online].Available:
https://hynek.me/articles/hardeningyour-
web-servers-ssl-ciphers/. [Accessed: June-2017].
12 “Licensed Commercial Banks,” Licensed Commercial
Banks. [Online]. Available:
http://www.cbsl.gov.lk/htm/english/05_fss/popup/licensed
_cb.htm.
13 “Licensed Specialised Banks,” Licensed Specialised
Banks. [Online]. Available:
http://www.cbsl.gov.lk/htm/english/05_fss/popup/licensed
_sb.htm.
14 “Licensed Finance Companies,” Registered Finance
Companies. [Online]. Available:
http://www.cbsl.gov.lk/htm/english/05_fss/popup/registere
d_fc.htm.
APPENDIX
Questionnaire given to the target audience:
1. Does your institute use SSL in your cooperate web site
and also in customer login portals?
Options:
Yes
No
1.1 . If the answer for the above question is “No” then do
you think your management will bring SSL into picture
in near future?
Options:
Yes
No
1.2 . If the answer for the above question (1.1) is “No”
then don't you think that your cooperate web site can be
compromised by an attack?
Options:
Yes
No
2. Do you know about the stream cipher RC4?
Options:
Yes
No
2.1 . Do you know that SSL uses RC4 as an encryption
algorithm?
Options:
Yes
No
7
8. 2.1 . Are you aware of the vulnerabilities of RC4 in SSL?
Options:
Yes
No
2.1.1 If yes, then can you list some of them?
Please write down a few
3. Are you aware of the existing remedies for the above
vulnerabilities?
Options:
Yes
No
3.1. If yes, then what are the remedies for the above
vulnerabilities that you are aware of?
Please write down a few
4. If your organization is yet to mitigate the RC4
vulnerabilities, then what are the reasons for that according
to your opinion.
Please write down a few
5. If your organization already mitigated the above
vulnerabilities, then who was behind that and what made
you to mitigate them?
Please write down a few
5.1 Given the fact that your organization has migrated to
TLS1.2; when did it happen?
8