Usage issues of SSL/TLS
DOI: https://doi.org/10.18372/2410-7840.19.12218

Keywords: secure communication session, SSL/TLS cryptographic protocol, public key infrastructure, X.509 certificates, vulnerability, MITM attack, key exchange, SWEET32, DROWN, ROBOT, application libraries

Abstract

One of the means of creating a secure communication session is the SSL/TLS cryptographic protocol; however, it does not guarantee full protection and has its own vulnerabilities and disadvantages, which must be analyzed and eliminated in the future. In particular, this paper analyzes the basic terminology, analyzes and generalizes the vulnerabilities of the protocol, and presents some aspects that make the "man in the middle" attack and its variations possible, the problem of certificate substitution and self-signed certificates, authentication defects, vulnerabilities in application libraries, the key exchange problem (including Bleichenbacher's threat), public key infrastructure problems, the problem of interoperability in Ukraine, and the most recent vulnerabilities of this protocol (SWEET32, DROWN, ROBOT). The result of the research is an arranged list of unsolved problems and recommendations to increase the protocol's level of cryptographic resistance.

References
S. Thomas, "SSL & TLS Essentials: Securing the Web", Wiley Computer Publishing, 2000.
D. Cooper et al., "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", RFC 5280, 2008.
M. Georgiev et al., "The Most Dangerous Code in the World: Validating SSL Certificates in Non-Browser Software", Proceedings of the 2012 ACM Conference on Computer and Communications Security, 2012.
J. Sunshine, S. Egelman et al., "Crying Wolf: An Empirical Study of SSL Warning Effectiveness", SSYM'09: Proceedings of the 18th USENIX Security Symposium, 2009.
S. Santesson et al., "X.509 Internet Public Key Infrastructure Online Certificate Status Protocol – OCSP", RFC 6960, 2013.
A. Klein, "Attacks on the RC4 stream cipher", Designs, Codes and Cryptography, 2008.
С. Леонтьєв, В. Попов, С. Смишляев, "Countering attacks on the TLS protocol" (in Russian), High Availability Systems, 2012.
I. Grigorik, "High Performance Browser Networking", O'Reilly Media, 2013.
A. Sotirov, M. Stevens et al., "MD5 considered harmful today: Creating a rogue CA certificate", International Journal of Applied Cryptography, 2009.
T. Zoller, "TLS/SSLv3 renegotiation vulnerability explained", G-SEC, University of Luxembourg, 2011.
M. C. Ah Kioon, Z. Wang, S. Deb Das, "Analysis of MD5 Algorithm in Password Storage", Applied Mechanics and Materials, 2013.
N. Aviram, S. Schinzel, J. Somorovsky, N. Heninger, M. Dankel et al., "DROWN: Breaking TLS using SSLv2", USENIX Security Symposium, 2016.
K. Bhargavan, G. Leurent, "On the Practical (In-)Security of 64-bit Block Ciphers: Collision Attacks on HTTP over TLS and OpenVPN", Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, 2016.
T. Jager, J. Schwenk, J. Somorovsky, "On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption", Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, 2015.
H. Böck, J. Somorovsky, C. Young, "Return Of Bleichenbacher's Oracle Threat (ROBOT)", Cryptology ePrint Archive, Report 2017/1189, 2017.
License
The scientific journal adheres to the principles of Open Access and provides free, immediate, and permanent access to all published materials without financial, technical, or legal barriers for readers.
All articles are published in Open Access under the Creative Commons Attribution 4.0 International (CC BY 4.0) license.
Copyright

Authors who publish their works in the journal:
- retain the copyright to their publications;
- grant the journal the right of first publication of the article;
- agree to the distribution of their materials under the CC BY 4.0 license;
- have the right to reuse, archive, and distribute their works (including in institutional and subject repositories), provided that proper reference is made to the original publication in the journal.