SSL
Transcript of SSL
1. TLS/SSL Renegotiation Vulnerability - Thai N. Duong [email_address]
2. Agenda
- SSL/TLS protocol
- SSL/TLS renegotiation vulnerability
- Q & A
3. About me
- CISO at DongA Bank
- Blogger - http://vnhacker.blogspot.com
- Administrator - http://www.hvaonline.net
- Member of Team CLGT - http://vnsecurity.net
- Bug hunter: Yahoo!, Oracle/SUN, Apache Foundation, etc.
4. Copyright notice
- Most of the subsequent slides are copied from elsewhere on the Internet
- You should be careful if you want to reuse them
- This compilation is in public domain
5. 6. 7. 8.
9. DHE-RSA-AES256-SHA
10. DHE-RSA-AES256-SHA
11. DHE-RSA-AES256-SHA
12. DHE-RSA-AES256-SHA
13. Renegotiation vulnerability
- Active MITM attacker
- Inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream
- Execute an HTTP transaction, authenticated by a legitimate user
14. 15. 16. 17.
18. Trigger renegotiation
- Client certificate authentication
- Differing server cryptographic requirements
- Client-initiated renegotiation
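The injection works because the server treats plaintext sent before the renegotiation and the victim's data sent after it as one application stream. RFC 5746 (the fix for CVE-2009-3555) binds each renegotiation to the original connection, and a client announces support either with the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite (0x00FF) or the renegotiation_info extension (0xFF01). The following Python is an added example, not from the slides: it parses a ClientHello record and reports whether the client signals RFC 5746 support, so a server operator or IDS can spot legacy clients that still depend on the insecure renegotiation. The sample hellos are constructed inline; 0x0039 is the suite value for DHE-RSA-AES256-SHA.

```python
import struct

SCSV = 0x00FF            # TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite value (RFC 5746)
RENEG_INFO_EXT = 0xFF01  # renegotiation_info extension type (RFC 5746)

def build_client_hello(cipher_suites, extensions=()):
    """Constructed sample: one unfragmented TLS record carrying a TLS 1.2 ClientHello."""
    body = b"\x03\x03" + b"\x00" * 32 + b"\x00"           # version, random (zeroed), empty session_id
    body += struct.pack("!H", 2 * len(cipher_suites))
    body += b"".join(struct.pack("!H", s) for s in cipher_suites)
    body += b"\x01\x00"                                   # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def parse_client_hello(record):
    """Return the cipher suites and extensions of a ClientHello; ValueError if malformed."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    pos = 34                                              # skip client_version(2) + random(32)
    def take(n):                                          # bounds-checked cursor read
        nonlocal pos
        chunk = body[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("truncated ClientHello")
        pos += n
        return chunk
    take(take(1)[0])                                      # session_id
    cs_len = struct.unpack("!H", take(2))[0]
    if cs_len % 2:
        raise ValueError("odd cipher_suites length")
    suites = [struct.unpack("!H", take(2))[0] for _ in range(cs_len // 2)]
    take(take(1)[0])                                      # compression_methods
    exts = {}
    if pos < len(body):                                   # extensions block is optional
        ext_total = struct.unpack("!H", take(2))[0]
        end = pos + ext_total
        while pos < end:
            ext_type, ext_len = struct.unpack("!HH", take(4))
            exts[ext_type] = take(ext_len)
    return {"cipher_suites": suites, "extensions": exts}

def supports_secure_renegotiation(record):
    # RFC 5746: a client signals support with the SCSV or the renegotiation_info extension.
    hello = parse_client_hello(record)
    return SCSV in hello["cipher_suites"] or RENEG_INFO_EXT in hello["extensions"]

# Constructed samples: a legacy client (DHE-RSA-AES256-SHA only) vs. one implementing RFC 5746.
LEGACY_HELLO = build_client_hello([0x0039])
PATCHED_HELLO = build_client_hello([0x0039, SCSV], [(RENEG_INFO_EXT, b"\x00")])
```

A server that only sees hellos like LEGACY_HELLO from a given client population cannot safely allow renegotiation for those clients; most servers after the fix refuse renegotiation with them outright.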
19. 20.
Reference
- http://clicky.me/tlsvuln
- http://extendedsubset.com/Renegotiating_TLS.pdf
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
21. Thank you! Questions?