Advertisement

Cryptographic Assessment of SSL/TLS Servers Popular in India

  • Prakhar JainEmail author
  • K. K. Shukla
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 625)

Abstract

Major web sites use Secure Sockets Layer (SSL) or its updated version name called Transport Layer Security (TLS) to secure all communications between their servers and web browsers. It is very important to analyze the security of this protocol because the compromise of the banking accounts, health care directories, information of national importance, even vital information about business competitors is unacceptable.

SSL/TLS is not a simple encryption or hashing algorithm. It is a protocol which consists of bunch of cryptographic primitives which aim to provide secure communication. Moreover, this protocol has a long history of attacks and it needs to be revised since security field is changing. This paper presents the most commonly used configurations of this protocol among web servers, highlighting issues where it is insecure and areas where it can be improved. Specifically, parameters used in cryptographic primitives and certificates used by the web servers have been reported. The approach was to probe all web servers using a tool - TestSSLServer. There were sets of two experiments carried out. One in which top 500 most popular websites in India were probed and other in which 50 banking sites in India were probed. Some of the surprising results were that servers still posses SSLv2 and v3 despite of its insecurity. Also, banking sites were found not to support forward secrecy.

Keywords

Elliptic Curve Forward Secrecy Pseudo Random Function Secure Socket Layer Protocol Version 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. 1.
    Wikipedia, Transport Layer Security. https://en.wikipedia.org/wiki/Transport_Layer_Security
  2. 2.
    Ristic, I.: Bulletproof SSL and TLS: Understanding and Deploying SSL/TLS and PKI to Secure Servers and Web ApplicationsGoogle Scholar
  3. 3.
  4. 4.
    Wikipedia, Public Key Infrastructure. https://en.wikipedia.org/wiki/Public_key_infrastructure
  5. 5.
  6. 6.
  7. 7.
    Wagner, D., Schneier, B.: Analysis of the SSL 3.0 ProtocolGoogle Scholar
  8. 8.
    Rescorla, E.: SSL and TLS: Designing and Building Secure Systems. Addison-Wesley, Boston (2001)Google Scholar
  9. 9.
  10. 10.
    Bhargavan, K., Delignat-Lavaud, A., Fournet, C., Pironti, A., Strub, P.-Y.: Triple Handshakes and Cookie Cutters: Breaking and Fixing Authentication over TLSGoogle Scholar
  11. 11.
  12. 12.
  13. 13.
    The Transport Layer Security (TLS) Protocol Version 1.2 - RFC 5246. https://tools.ietf.org/html/rfc5246
  14. 14.
    Transport Layer Security (TLS) Renegotiation Indication Extension - RFC 5746. https://tools.ietf.org/html/rfc5746
  15. 15.
  16. 16.
    Directories of Banks in India. http://www.banknetindia.com/banklinks.htm
  17. 17.
    Pornin, T.: TestSSLServer. pornin@bolet.org, http://www.bolet.org/TestSSLServer/
  18. 18.
    Davies, J.: Implementing SSL/TLS Using Cryptography and PKIGoogle Scholar
  19. 19.
    Lee, H.K., Malkin, T., Nahum, E.: Cryptographic Strength of SSL/TLS Servers: Current and Recent PracticesGoogle Scholar
  20. 20.
    Boneh, D.: Coursera, Cryptography IGoogle Scholar
  21. 21.
    Katz, J.: Coursera, CryptographyGoogle Scholar
  22. 22.
    Schneier, B.: Applied CryptographyGoogle Scholar
  23. 23.
    Buchmann, J.A., Karatsiolis, E., Wiesmaier, A.: Introduction to Public Key InfrastructuresGoogle Scholar
  24. 24.
  25. 25.
  26. 26.
    Prohibiting Secure Sockets Layer (SSL) Version 2.0 - RFC 6176. https://tools.ietf.org/html/rfc6176
  27. 27.
    Deprecating Secure Sockets Layer Version 3.0 - RFC 7568. https://tools.ietf.org/html/rfc7568

Copyright information

© Springer Nature Singapore Pte Ltd. 2016

Authors and Affiliations

  1. 1.Indian Institute of Technology (BHU)VaranasiIndia

Personalised recommendations