120 likes | 349 Views
TLS/SSL - How and Why. PCI Flags it but why do we care? By: MadHat Unspecific. SSL – How and Why. What is TLS/SSL? How does TLS/SSL work? What is the difference between TLS and SSL? What is it used for? Weak Ciphers How this relates to PCI Exploitable
E N D
TLS/SSL - How and Why PCI Flags it but why do we care? By: MadHat Unspecific
SSL – How and Why • What is TLS/SSL? • How does TLS/SSL work? • What is the difference between TLS and SSL? • What is it used for? • Weak Ciphers • How this relates to PCI • Exploitable • SSL-Cipher-Check (tool from Unspecific.com)
What is TLS/SSL? • Transport Layer Security • Secure Socket Layers • Application Layer Protocols • Public/Asymmetric Key Cryptography • OSI Layer 6
How does TLS/SSL work? • Encryption Protocol, Key Length, Hashing Algorithm • Authentication • Handshake • Request • Protocols Supported • Digital Certificate • Session Keys
What is it used for? • Security & Data Integrity • Prevents Eavesdropping, tampering & message forgery • HTTP is most famous as HTTPS • Any layer 7 protocol, POP3, IMAP, SMTP, FTP • OpenVPN • Stunnel • Ncat (included with Nmap)
Weak Ciphers • Old Protocols • SSLv2 • Key Strength • 40bit & 56bit ciphers • RC2, RC4, NULL • Weak Hash Algorithms • DES • ADH - anonymous DH cipher
How this relates to PCI& Other Standards • PCI 4.1 - Use strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission over open, public networks.
Exploitable • Man in the Middle • Decryption of Communications
SSL-Cipher-Check • OpenSSL binary • Checks ALL supported Ciphers • openssl ciphers • openssl s_client -$protocol -cipher $cipher -connect $host:$port • ssl_dump.logRaw openssl output
SSL-Cipher-Check • $ ./ssl-cipher-check.pl : SSL Cipher Check: 1.1 : written by Lee 'MadHat' Heath (at) Unspecific.comUsage: ./ssl-cipher-check.pl [ -dvwas ] <host> [<port>]default port is 443-d Add debug info (show it all, lots of stuff)-v Verbose. Show more info about what is found-w Show only weak ciphers enabled.-a Show all ciphers, enabled or not-s Show only the STRONG ciphers enabled.
References • http://en.wikipedia.org/wiki/Public-key_cryptography • http://en.wikipedia.org/wiki/Transport_Layer_Security • http://www.openssl.org/ • http://www.verisign.com/ssl/ssl-information-center/ssl-basics/index.html • http://en.wikipedia.org/wiki/OSI_model • http://www.gnu.org/software/gnutls/ • http://openvpn.net/ • http://www.stunnel.org/ • http://lasecwww.epfl.ch/memo/memo_ssl.shtml • http://www.owasp.org/index.php/Testing_for_SSL-TLS • http://www.unspecific.com/2009/02/16/ssl-cipher-check • http://www.schneier.com/paper-ssl.pdf • https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf
Future Meetings/Talks • T-Shirt • DefCon