Browse > Article
http://dx.doi.org/10.7838/jsebs.2017.22.2.169

New Security Approaches for SSL/TLS Attacks Resistance in Practice  

Phuc, Tran Song Dat (Department of Computer Science and Engineering, Seoul National University of Science and Technology)
Lee, Changhoon (Department of Computer Science and Engineering, Seoul National University of Science and Technology)
Publication Information
The Journal of Society for e-Business Studies / v.22, no.2, 2017 , pp. 169-185 More about this Journal
Abstract
Juliano Rizzo and Thai Duong, the authors of the BEAST attack [11, 12] on SSL, have proposed a new attack named CRIME [13] which is Compression Ratio Info-leak Made Easy. The CRIME exploits how data compression and encryption interact to discover secret information about the underlying encrypted data. Repeating this method allows an attacker to eventually decrypt the data and recover HTTP session cookies. This security weakness targets in SPDY and SSL/TLS compression. The attack becomes effective because the attacker is enable to choose different input data and observe the length of the encrypted data that comes out. Since Transport Layer Security (TLS) ensures integrity of data transmitted between two parties (server and client) and provides strong authentication for both parties, in the last few years, it has a wide range of attacks on SSL/TLS which have exploited various features in the TLS mechanism. In this paper, we will discuss about the CRIME and other versions of SSL/TLS attacks along with countermeasures, implementations. We also present direction for SSL/TLS attacks resistance in practice.
Keywords
SSL/TLS; Handshake Protocol; Record Layer; CRIME; BEAST; BREACH; SPDY; Compression; DEFLATE; LZ77;
Citations & Related Records
Times Cited By KSCI : 3  (Citation Analysis)
연도 인용수 순위
1 Jin, C. Y., Kim, A. C., and Lim, J. I., "Correlation Analysis in Information Security Checklist Based on Knowledge Network," The Journal of Society for e-Business Studies, Vol. 19, No. 2, pp. 89-97, 2014.
2 Mavrogiannopoulos, N., Vercauteren, F., Velichkov, V., and Preneel, B., "A crossprotocol attack on the TLS protocol," Proceedings of the 2012 ACM Conference in Computer and Communications Security, pp. 62-72, http://doi.acm.org/10.1145/ 2382196.23 82206, 2012.   DOI
3 Popov, A., "Prohibiting RC4 Cipher Suites," Work in Progress, draft-ietf-tls-prohibiting- rc4-01, 2014.
4 Prado, A., Harris, N., and Gluck, Y., "The BREACH Attack," http://breachattack.com, 2013.
5 Rescorla, E., "SSL and TLS: Designing and Building Secure Systems," Addison-Wesley, 2001.
6 Rizzo, J. and Duong, T., "Browser Exploit Against SSL/TLS," http://packetstormsecurity.com/files/105499/Browser-Exploi t-Against-SSL-TLS.html, 2011.
7 Rizzo, J. and Duong, T., "Here Come The Ninjas," Ekoparty Security Conference, 2012.
8 Rizzo, J. and Duong, T., "The CRIME Attack," EKOparty Security Conference, 2012.
9 Rosenfeld, M., "Internet Explorer SSL Vu lnerability," 2008. Available at: http://www.thoughtcrime.org/ie-ssl-chain.txt.
10 Seok, O. N., Han, Y. S., Eom, C. W., Oh, K. S., and Lee, B. K., "Developing the Assessment Method for Information Security Levels," The Journal of Society for e-Business Studies, Vol. 16, No. 2, pp. 159-169, 2011.   DOI
11 Dierks, T. and Allen, C., "The TLS Protocol Version 1.0," RFC 2246, Internet Engineering Task Force, 1999. Available at: http://www.ietf.org/rfc/rfc2246.txt.
12 AlFardan, N. and Paterson, K., "Lucky Thirteen: Breaking the TLS and DTLS Record Protocols," IEEE Symposium on Security and Privacy, http://www.ieee -security.org/TC/SP2013/papers/4977a526.pdf, 2013.
13 AlFardan, N., Bernstein, D., Paterson, K., Poettering, B., and Schuldt, J., "On the Security of RC4 in TLS and WPA," http://www.isg.rhul.ac.uk/tls/RC4biases.pdf, 2013.
14 Bellare, M. and Rogaway, P., "Entity authentication and key distribution," pp. 232-249, 1994.
15 Hwang, S. J. and Lee, C. H., "Padding Oracle Attack on Block Cipher with CBC CBC-Double Mode of Operation using the BOZ-PAD," The Journal of Society for e-Business Studies, Vol. 20, No. 1, pp. 89-97, 2015.   DOI