TLS/SSL - How and Why - PowerPoint PPT Presentation

About This Presentation
Title:

TLS/SSL - How and Why

Description:

TLS/SSL - How and Why PCI Flags it but why do we care? By: MadHat Unspecific SSL How and Why What is TLS/SSL? How does TLS/SSL work? What is the difference ... – PowerPoint PPT presentation

Number of Views:123
Avg rating:3.0/5.0
Slides: 13
Provided by: LeeH164
Learn more at: http://dc214.org
Category:
Tags: ssl | tls | imap | protocol


Transcript and Presenter's Notes

1
TLS/SSL - How and Why
  • PCI Flags it but why do we care?
  • By MadHat Unspecific

2
SSL How and Why
  • What is TLS/SSL?
  • How does TLS/SSL work?
  • What is the difference between TLS and SSL?
  • What is it used for?
  • Weak Ciphers
  • How this relates to PCI
  • Exploitable
  • SSL-Cipher-Check (tool from Unspecific.com)

3
What is TLS/SSL?
  • Transport Layer Security
  • Secure Sockets Layer
  • Application Layer Protocols
  • Public/Asymmetric Key Cryptography
  • OSI Layer 6

4
How does TLS/SSL work?
  • Encryption Protocol, Key Length, Hashing
    Algorithm
  • Authentication
  • Handshake
  • Request
  • Protocols Supported
  • Digital Certificate
  • Session Keys

5
What is it used for?
  • Security, Data Integrity
  • Prevents eavesdropping, tampering, message forgery
  • HTTP is most famous as HTTPS
  • Any layer 7 protocol, POP3, IMAP, SMTP, FTP
  • OpenVPN
  • Stunnel
  • Ncat (included with Nmap)

6
Weak Ciphers
  • Old Protocols
  • SSLv2
  • Key Strength
  • 40-bit and 56-bit ciphers
  • RC2, RC4, NULL
  • Weak Hash Algorithms
  • DES
  • ADH - anonymous DH cipher

7
How this relates to PCI and Other Standards
  • PCI 4.1 - Use strong cryptography and security
    protocols such as SSL/TLS or IPSEC to safeguard
    sensitive cardholder data during transmission
    over open, public networks.

8
Exploitable
  • Man in the Middle
  • Decryption of Communications

9
SSL-Cipher-Check
  • OpenSSL binary
  • Checks ALL supported Ciphers
  • openssl ciphers
  • openssl s_client -<protocol> -cipher <cipher>
    -connect <host>:<port>
  • ssl_dump.log - Raw openssl output

10
SSL-Cipher-Check
  • ./ssl-cipher-check.pl
    SSL Cipher Check 1.1
    written by Lee 'MadHat' Heath (at) Unspecific.com
    Usage: ./ssl-cipher-check.pl -dvwas <host> <port>
      default port is 443
      -d  Add debug info (show it all, lots of stuff)
      -v  Verbose. Show more info about what is found
      -w  Show only weak ciphers enabled.
      -a  Show all ciphers, enabled or not
      -s  Show only the STRONG ciphers enabled.
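As an added example (my own code, not the author's ssl-cipher-check.pl), the classification step behind slides 6, 9 and 10 in Python: it parses lines in the format of `openssl ciphers -v` (the `-v` column layout is an assumption, since the slide only names `openssl ciphers`) and flags the weak classes the deck lists: SSLv2, 40/56-bit keys, RC2/RC4/NULL, DES, MD5 hashes and anonymous DH. The sample lines are constructed, and the weakness criteria are my reading of slide 6, not the tool's own rules.

```python
import re

# Constructed sample in the column layout of `openssl ciphers -v`
# (name, protocol, Kx=, Au=, Enc=ALG(bits), Mac=). Not output from any real host.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
EXP-RC2-CBC-MD5         SSLv3 Kx=RSA(512) Au=RSA  Enc=RC2(40)   Mac=MD5  export
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[A-Za-z0-9]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)

def parse_cipher_line(line):
    """Parse one `openssl ciphers -v` line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def weak_reasons(c):
    """Return the reasons a parsed suite counts as weak under the slide 6 criteria."""
    reasons = []
    if c["proto"] == "SSLv2":
        reasons.append("SSLv2 protocol")
    if c["enc"] == "None":
        reasons.append("NULL encryption")
    elif c["enc"] in ("RC2", "RC4", "DES"):
        reasons.append(f"{c['enc']} cipher")
    if c["bits"] is not None and int(c["bits"]) < 128:
        reasons.append(f"{c['bits']}-bit key")      # catches the 40/56-bit export suites
    if c["mac"] == "MD5":
        reasons.append("weak hash (MD5)")
    if c["au"] == "None":
        reasons.append("anonymous DH (no authentication)")
    return reasons

def classify_ciphers(text):
    """Split cipher-list output into {'weak': {name: reasons}, 'strong': [names]}."""
    weak, strong = {}, []
    for line in text.splitlines():
        c = parse_cipher_line(line)
        if c is None:
            continue                      # skip blank or unrecognised lines
        reasons = weak_reasons(c)
        (weak.__setitem__(c["name"], reasons) if reasons else strong.append(c["name"]))
    return {"weak": weak, "strong": strong}

if __name__ == "__main__":
    result = classify_ciphers(SAMPLE_CIPHERS_V)
    for name, why in result["weak"].items():
        print(f"WEAK   {name}: {', '.join(why)}")
    for name in result["strong"]:
        print(f"STRONG {name}")
```

In practice the text would come from `openssl ciphers -v` on the scanning host, and each suite would then be tried with `openssl s_client -cipher` against the target as slide 9 describes.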

11
References
  • http://en.wikipedia.org/wiki/Public-key_cryptography
  • http://en.wikipedia.org/wiki/Transport_Layer_Security
  • http://www.openssl.org/
  • http://www.verisign.com/ssl/ssl-information-center/ssl-basics/index.html
  • http://en.wikipedia.org/wiki/OSI_model
  • http://www.gnu.org/software/gnutls/
  • http://openvpn.net/
  • http://www.stunnel.org/
  • http://lasecwww.epfl.ch/memo/memo_ssl.shtml
  • http://www.owasp.org/index.php/Testing_for_SSL-TLS
  • http://www.unspecific.com/2009/02/16/ssl-cipher-check
  • http://www.schneier.com/paper-ssl.pdf
  • https://www.pcisecuritystandards.org/security_standards/download.html?id=pci_dss_v1-2.pdf

12
  • Future Meetings/Talks
  • T-Shirt
  • DefCon