nach oben

Erschienen in:

2017 | OriginalPaper | Buchkapitel

A Practical Analysis of TLS Vulnerabilities in Korea Web Environment

verfasst von : Jongmin Jeong, Hyunsoo Kwon, Hyungjune Shin, Junbeom Hur

Erschienen in: Information Security Applications

Verlag: Springer International Publishing

Einloggen

Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.

search-config

KI-gestützte Suche

Aus

Abstract

TLS protocol provides a secure communication environment by guaranteeing the confidentiality and the integrity of transmitted data between two parties. However, there have been lots of vulnerabilities in TLS protocol and attacks exploiting them in aspects of protocol, implementation, and cryptographic tools. In spite of the lessons learned from the past experiences, various attacks on the network systems are being reported continuously due to the lack of care with regard to the proper TLS deployment and management. In this paper, we investigate TLS vulnerabilities in Korea’s top 100 websites selected from Alexa global top 500 sites and 291 Korea’s public enterprise websites. We compare the analysis results with those of Alexa global top 100 websites. Then, we discuss the lessons learned from this study. In order to analyze TLS vulnerabilities efficiently, we developed a TLS vulnerability scanner, called Network Vulnerabilities Scanner (NVS). We also analyze e-mail security of Korea’s top 3 e-mail service providers, which are supposed to be secured by TLS. Interestingly, we found that the e-mail service of them is not so secured by TLS as opposed to the analysis of Google’s transparency report.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Online-Abonnement

Mit Springer Professional "Wirtschaft+Technik" erhalten Sie Zugriff auf:

über 102.000 Bücher
über 537 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Finance + Banking
Management + Führung
Marketing + Vertrieb
Maschinenbau + Werkstoffe
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Technik"

Online-Abonnement

Mit Springer Professional "Technik" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 390 Zeitschriften

aus folgenden Fachgebieten:

Automobil + Motoren
Bauwesen + Immobilien
Business IT + Informatik
Elektrotechnik + Elektronik
Energie + Nachhaltigkeit
Maschinenbau + Werkstoffe

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Springer Professional "Wirtschaft"

Online-Abonnement

Mit Springer Professional "Wirtschaft" erhalten Sie Zugriff auf:

über 67.000 Bücher
über 340 Zeitschriften

aus folgenden Fachgebieten:

Bauwesen + Immobilien
Business IT + Informatik
Finance + Banking
Management + Führung
Marketing + Vertrieb
Versicherung + Risiko

Jetzt Wissensvorsprung sichern!

Jetzt informieren

Vorheriges Kapitel Analysis on South Korean Cybersecurity Readiness Regarding North Korean Cyber Capabilities

Nächstes Kapitel Doppelganger in Bitcoin Mining Pools: An Analysis of the Duplication Share Attack

Alexa top 500 sites. http://www.alexa.com/topsites/

Center for software security and assurance website. http://iotqv.korea.ac.kr/

Common vulerabilities and exposures. https://cve.mitre.org/

Daum mail. http://mail.daum.net/

Google transparency report about e-mail TLS. https://www.google.com/transparencyreport/saferemail/?hl=ko/

The internet engineering task force. https://www.ietf.org/

Nate mail. http://mail3.nate.com/

Naver mail. http://mail.naver.com/

Qualys ssl labs web site. https://www.ssllabs.com/index.html/

10.

Target website lists and the result of scanning. https://www.dropbox.com/s/mhr4f7mpioow0hd/Result%20of%20scanning.xlsx?dl=0/

11.

Wireshark. https://www.wireshark.org/

12.

Aoki, K., Sasaki, Y.: Preimage attacks on one-block MD4, 63-step MD5 and more. In: Avanzi, R.M., Keliher, L., Sica, F. (eds.) SAC 2008. LNCS, vol. 5381, pp. 103–119. Springer, Heidelberg (2009). doi:10.1007/978-3-642-04159-4_7 CrossRef

13.

Aviram, N., Schinzel, S., Somorovsky, J., Heninger, N., Dankel, M., Steube, J., Valenta, L., Adrian, D., Halderman, J.A., Dukhovni, V., et al.: Drown: Breaking TLS using SSLv2

14.

Bhargavan, K., Leurent, G., Cadé, D., Blanchet, B., Paraskevopoulou, Z., Hriţcu, C., Dénès, M., Lampropoulos, L., Pierce, B.C., Delignat-Lavaud, A., et al.: Transcript collision attacks: breaking authentication in TLS, IKE, and SSH. In: Network and Distributed System Security Symposium-NDSS 2016 (2016)

15.

Biham, E., Chen, R., Joux, A., Carribault, P., Lemuet, C., Jalby, W.: Collisions of SHA-0 and reduced SHA-1. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 36–57. Springer, Heidelberg (2005). doi:10.1007/11426639_3 CrossRef

16.

Dierks, T.: The transport layer security (TLS) protocol version 1.2 (2008)

17.

Durumeric, Z., Adrian, D., Kasten, J., Springall, D., Bailey, M., Halderman, J.: Poodle attack and SSLv3 deployment (2014)

18.

Durumeric, Z., Kasten, J., Adrian, D., Halderman, J.A., Bailey, M., Li, F., Weaver, N., Amann, J., Beekman, J., Payer, M., et al.: The matter of heartbleed. In: Proceedings of the 2014 Conference on Internet Measurement Conference, pp. 475–488. ACM (2014)

19.

Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. In: Vaudenay, S., Youssef, A.M. (eds.) SAC 2001. LNCS, vol. 2259, pp. 1–24. Springer, Heidelberg (2001). doi:10.1007/3-540-45537-X_1 CrossRef

20.

Fogel, B.: A survey of web vulnerabilities. Ph.D. thesis, Auburn University (2015)

21.

Gujrathi, S.: Heartbleed bug: AnOpenSSL heartbeat vulnerability. Int. J. Comput. Sci. Eng. 2(5), 61–64 (2014)

22.

Fogel, B., Farmer, S., Alkofahi, H., Skjellum, A., Hafiz, M.: POODLEs, more POODLEs, FREAK attacks too: how server administrators responded to three serious web vulnerabilities. In: Caballero, J., Bodden, E., Athanasopoulos, E. (eds.) ESSoS 2016. LNCS, vol. 9639, pp. 122–137. Springer, Cham (2016). doi:10.1007/978-3-319-30806-7_8 CrossRef

23.

Liang, J., Lai, X.J.: Improved collision attack on hash function MD5. J. Comput. Sci. Technol. 22(1), 79–87 (2007)MathSciNetCrossRef

24.

Möller, B., Duong, T., Kotowicz, K.: This poodle bites: exploiting the SSL 3.0 fallback. Google, September 2014

25.

Popov, A.: Prohibiting RC4 cipher suites. Comput. Sci. 2355, 152–164 (2015)

26.

Sasaki, Y., Naito, Y., Kunihiro, N., Ohta, K.: Improved collision attack on MD5. IACR Cryptology ePrint Archive 2005, 400 (2005)

27.

Vanhoef, M., Piessens, F.: All Your biases belong to Us: Breaking RC4 in WPA-TKIP and TLS. In: 24th USENIX Security Symposium (USENIX Security 15), pp. 97–112 (2015)

28.

Wang, X., Yin, Y.L., Yu, H.: Finding collisions in the full SHA-1. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 17–36. Springer, Heidelberg (2005). doi:10.1007/11535218_2 CrossRef

29.

Yau, A.K.L., Paterson, K.G., Mitchell, C.J.: Padding Oracle attacks on CBC-mode encryption with secret and random IVs. In: Gilbert, H., Handschuh, H. (eds.) FSE 2005. LNCS, vol. 3557, pp. 299–319. Springer, Heidelberg (2005). doi:10.1007/11502760_20 CrossRef

Titel: A Practical Analysis of TLS Vulnerabilities in Korea Web Environment
verfasst von: Jongmin Jeong
Hyunsoo Kwon
Hyungjune Shin
Junbeom Hur
Verlag: Springer International Publishing
Buch: Information Security Applications
Print ISBN: 978-3-319-56548-4

Electronic ISBN: 978-3-319-56549-1

Copyright-Jahr: 2017
DOI: https://doi.org/10.1007/978-3-319-56549-1_10

Springer Professional

Abstract

Bitte loggen Sie sich ein, um Zugang zu Ihrer Lizenz zu erhalten.

Sie haben noch keine Lizenz? Dann Informieren Sie sich jetzt über unsere Produkte:

Springer Professional "Wirtschaft+Technik"

Springer Professional "Technik"

Springer Professional "Wirtschaft"