Successive attack is fatal for both the user and the company in using these protocols to establish a safe channel to transfer information. This article will introduce three typical attacks: Cipher suite rollback attack, version rollback attack and password interception in SSL/TLS channel. 1. Introduction As the Internet and World Wide Web become popular, it is important to consider the system security. This is because the plaintext flowing through the Internet is unencrypted, it is for cracker or hacker, even a user without any programming knowledge, to intercept the message and modify it. So, How to protect personal rivalry?
How to ensure a safe online commerce? Etc. These are the challenge for Information Technology. SSL/TLS can set up a valid secure channel between server and client which can encode the plaintext, then the third party who intercept the message can not disclose the original message without decode it. SSL consist of two phases: handshake and data transfer. During the handshake process, the client and server use a public-key encryption algorithm to determine secretly parameters, during the data transfer process, both sides use the secret key to encrypt and decrypt successive data transmissions .
There are potential dangers both during handshake and data transfer state, although the latest TLS have fixed several secure hole of the old version, the successive attack in practice is not only a terrible thing for the user who trusts the SSL/TLS, but also a challenge for software security area. This article will introduce the birth and development of SSL in section 2 and give some background of ASГјTLS in section 3. Within the basic knowledge of the protocol, Section 4 will present some comment on an attack during data transfer in practice, followed by two attacks of the SSL handshake protocol from comparing old version SSL.
O and new version SSL. O. Finally, Section 5 concludes the strengths and weaknesses of SSL protocol. 2. The history of STATUS 2. 1 Birth of SSL transaction between web server and web browser, there should be some security method to protect the message alternated between client and server, especially for some commercial poppers. At first, Netscape established some encryption in their applications. However, they found that the encryption did not support non-HTTP applications. SSL (Secure Sockets Layer) protocol was developed which is Just above the TCP (Transmission Control Protocol) to create this security. . Development of STATUS As other companies such as Microsoft began to develop their own transport security protocols, the Internet Engineering Task Force (IETF) intervened to define a standard for an encryption-layer protocol.  With the input of multiple vendors, the IETF created Transport Layer Security standard. In fact, TLS is a protocol based on SSL 3. 0, some people believe TLS . 0 is the same as SSL. 1 . Although there are some implement differences between TLS and SSL, application developer and user cannot detect any differences at all.
During the last few years, SSL developed rapidly, because there is always some cure holes and some previous versions of SSL cannot prevent attacker to eavesdropping or -2- intercept properly. For instance, Version 3. 0 of SSL was designed to correct a flaw in previous versions 2. 0, the cipher-suite rollback attack, whereby an intruder could get the parties to adopt a weak cryptologist . This article will put emphasis on comparing SSL version 2. 0 and SSL version 3. 0. There are several security flaws in SSL 2. 0 1 . SSL 2. 0 unnecessarily weakens the authentication keys to 40 bits. 2. SSL. O has a weak MAC construction. . SSL. O puts padding bytes into the MAC in block cipher modes. But the padding Engel field are not authenticated, which may allow active attackers to selectively delete bytes from the end of messages. 4. During a cipher suite rollback attack, an active attacker edits the list of cipher suite preferences in the hello messages to force both endpoints to use a weaker form of encryption than they would choose. Changes SSL 3. 0: 1. SSL 3. 0 use 128 bits authentication keys. 2. SSL. O use stronger HAMS construction, a simple, fast hash-based construction with strong theoretical evidence for its security 3.
Change the sequence of MAC and padding. 4. The change in SSL 3. 0 will be introduced in section 4. . Basic knowledge and technology in SSL protocol 3. 1 public key and private key 3. 1. That is public key and private key The association of public key (sometimes called asymmetric key) and private key (also known as symmetric key or secret key) can ensure the safe transaction between Web decrypting information. Private Key, which saves in web server, will decrypt the information being sent from web browser. However, web browser encrypts its information within public key. 3- 3. 1. 2 public-key encryption The sender uses public key to encrypt the message, and the receiver uses private key to decrypt it. So every public key owner can send his or her encoded message and only a private key owner can read the message within decoded the message. However decrypting a message, which encrypted with public key, is a CPU intensive, such as RASA (Rivets-Shaman-Dolman) Another usage of public key is the sender encodes the message within secret key, and the receiver use the private key to decode that message with the associated public key.
This is efficient for message authentication, such as a bank server sending their digital signature encrypted with private key, and then any customer can decrypt the message within private key and verify the message. . 1. 3 What kind of key SSL use “Although SSL supports the Edified-Hellman protocol, the majority of SSL transactions do not use this public-key agreement approach. Instead, they use the RASA public key algorithm to distribute secret-key parameters”  3. 2 How SSL secure a transaction Handshake 1 .
Client Hello: client side send hello message including a list of cipher suite which client supported, in this step client also create a random number: Clientele. Random. 2. Server Hello: server sends response of client hello message. Server will select a cipher suite, generate random number: Sherrill. Random and session id. 3. Certificate Server sending certificate then client verifies it. Followed by server hello done. 4. Client generates another random number: pre_master_secret (encrypted with server’s public key), then produce a master_key (structure in ).
The master_key and two random number generated during the Hello procedure are used to create the secret key and MAC key. 5. Server decrypt the pre_master_key transmitted from client and generate a same master key as client. -4- 6. Change cipher specification: send by client then client copies the pending cipher spec into the current cipher spec. At this point, client sends the finished message. . At same time, server is ready to transmit data encrypted with created secret key and also send a handshake finished message to client.
CLIENT Client hello message Server hello message Client verify certificate Server certificate Server hello done Client key exchange, generating the pre_master_key and the secret key and MAC key Server decrypt generate same MAC key and secret key Change cipher spec Handshake finish Application data Data transfer (Figure 1 : example of handshake using RASA public-key exchange) -5_ Data transfer: After the handshake, two sides cut up their messages into fragment and append a Message Authentication Code (MAC). The MAC is a message digest of the message itself plus material derived from the master key .
As mentioned that MAC is computed during the handshake phrase. “When transmitting, the sender combines the data fragment, MAC, and a record header and encrypts them with the secret key to produce the completed SSL packet” . When receiving, the receiver decodes the 4. Example of attacking previous SSL version and solutions In this section, three typical attacks will be presented. Cipher suite rollback attack and version rollback attack are more theoretical, and the Password Interception in a SSL/TLS is a man-in-the-middle attack which is a successful attack performed by a student of LEASE. . 1 cipher suite rollback attack According to Figurer , the initial handshake messages are not protected and that is why each endpoint sends a “change cipher spec” before finishing the handshake. The utility of “change cipher spec” is alert the other side to change their pending session state to current. In fact, “change cipher spec” message is not protected by the authentication during transfer. It is a quirk of the SSL protocol which an attacker can delete the “change cipher spec” message so that the server and client will never upgrade their current cipher suite.
One solution of this attack is including the “change cipher spec” in the finished message’s message authentication calculation. However, this would need a change to SSL specification. Another solution is to generate a warning message for this kind of error caused by an attacker. 4. 2 Version rollback attacks -6- Although SSL 2. 0 has many flaws, SSL 3. 0 supports to accept SSL 2. 0 connections. This acceptance make the protocol have vulnerable to the possibility of being attacked by version rollback attacks. Paul Ocher designed an excellent strategy to detect the attack in different version 8].
He makes the client that supports SSL 3. 0 embed several fixed redundancy in the RASA PACKS padding bytes. In the server side, if RASA encryption includes the RASA PACKS padding bytes, the server will not permit RASA-encrypted key-exchange over version 2. 0. This makes the endpoints which support SSL version 3. 0 to have the ability to detect version rollback attacks. Furthermore, old SSL 2. 0 clients will be using random PACKS padding, so they will still work with servers that support SSL 2. 0. However, this solution still has some vulnerability.