Home   >   CSC-OpenAccess Library   >    Manuscript Information
Full Text Available

(345.23KB)
This is an Open Access publication published under CSC-OpenAccess Policy.
Publications from CSC-OpenAccess Library are being accessed from over 74 countries worldwide.
Comparative Analysis of Open-SSL Vulnerabilities & Heartbleed Exploit Detection
Eng. Mohanned Hassan Momani, Adam Ali.Zare Hudaib
Pages - 159 - 176     |    Revised - 10-07-2014     |    Published - 10-08-2014
Volume - 8   Issue - 4    |    Publication Date - August 2014  Table of Contents
MORE INFORMATION
KEYWORDS
SSL, TLS, BEAST Attack, CRIME Attack, Heartbleed Detection, RC4.
ABSTRACT
Since its introduction in 1994 the Secure Socket Layer (SSL) protocol (later renamed to Transport Layer Security (TLS)) evolved to the de facto standard for securing the transport layer. SSL/TLS can be used for ensuring data confidentiality, integrity and authenticity during transport. A main feature of the protocol is its flexibility. Modes of operation and security aims can easily be configured through different cipher suites. During its evolutionary development process several flaws were found. However, the flexible architecture of SSL/TLS allowed efficient fixes in order to counter the issues. This paper presents an overview on theoretical and practical attacks of the last 20 years.
CITED BY (1)  
1 Ghafoor, I., Jattalai, I., Durranit, S., & Ch, M. T. Analysis of OpenSSL Heartbleed Vulnerability for Embedded Systems.
1 Google Scholar 
2 CiteSeerX 
3 refSeek 
4 Scribd 
5 SlideShare 
6 PdfSR 
1 “The Secure Sockets Layer Protocol”. Internet:http://www.cs.bris.ac.uk/~bradley/publish/SSLP/chapter4.html [Nov. 22, 2013].
2 “SSL: Intercepted today, decrypted tomorrow”. Netcraft, pp. 10-12, May 25, 2013.
3 “SSL/TLS in Detail“. Microsoft TechNet, July 31, 2003.
4 “Description of the Secure Sockets Layer (SSL) Handshake“. Internet:http://www.support.microsoft.com [Dec. 1, 2013].
5 “Secure electronic transaction”. Internet:http://en.wikipedia.org/wiki/Secure_Electronic_Transaction [Dec. 12, 2013].
6 OpenSSL TLS/DTLS Heartbeat Read Overrun Vulnerability. Internet:http://herjavecgroup.com/admin/pdf/THG_TAB_Heartbleed.pdf [May, 2014].
7 “The Heartbleed Bug”. Codenomicon, Internet: http://heartbleed.com/ [Apr, 2014].
8 “April 2014 Web Server Survey”. Netcraft. April 2 204. Internet:http://news.netcraft.com/archives/2014/04/02/april-2014-web-server-survey.html [Apr, 2014].
9 “OpenSSL Security Advisory”. OpenSSL. Internet:https://www.openssl.org/news/secadv_20140407.txt [Apr, 2014].
10 “Wild at Heart: Were Intelligence Agencies Using Heartbleed in November 2013?”.Electronic Frontier Foundation. Internet: https://www.eff.org/deeplinks/2014/04/wild-heart-were intelligence-agencies-using-heartbleed-november-2013 [Apr, 2014].
11 “Daily Ruleset Update Summary”. Emerging Threats Snort Ruleset. Internet:http://www.emergingthreats.net/2014/04/09/daily-ruleset-update-summary-04092014/ [Apr, 2014].
12 “Detecting OpenSSL Heartbleed with Suricata”. Inliniac. Internet:http://blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/ [Apr, 2014].
13 „Detect Exploit openSSL Heartbleed vulnerability using Nmap and Metasploit on Kali Linux“. Internet: http://www.blackmoreops.com/2014/05/03/detect-exploit-openssl-heartbleedvulnerability-using-nmap-metasploit-kali-linux/ [June, 2014].
14 „Heart attack: detecting heartbleed exploits in real-time“. Internet:http://www.tripwire.com/state-of-security/incident-detection/heart-attack-detect-heartbleedexploits-in-real-time-with-active-defense/ [June, 2014].
15 „How to Detect a Prior Heartbleed Exploit“. Internet:http://www.riverbed.com/blogs/Retroactively-detecting-a-prior-Heartbleed-exploitation-fromstored-packets-using-a-BPF-expression.html [June, 2014].
16 Ivan Ristic. „SSL/TLS Deployment Best Practices“. Internet:https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf [June, 2014].
17 Nadhem AlFardan, Dan Bernstein, Kenny Paterson, Bertram Poettering, Jacob Schuldt. „On the Security of RC4 in TLS“. Internet: http://www.isg.rhul.ac.uk/tls/ [June, 2014].
18 Lars Nybom, Alexander Wall. „SSL/TLS and MITM attacks“. Internet:http://www.it.uu.se/edu/course/homepage/distrinfo/ht09/presentations/Group7.pdf [June, 2014].
19 Pratik Guha Sarkar. „Attacks on ssl a comprehensive study of beast, crime, time, breach,lucky 13 & rc4 biases“. Internet:https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf [June, 2014].
20 „List of browsers support for different TLS version“. Internet:https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers [June, 2014].
21 Hong lei Zhang. „Three attacks in SSL protocol and their solutions“. Internet:https://www.cs.auckland.ac.nz/courses/compsci725s2c/archive/termpapers/725zhang.pdf [June,2014].
22 „Vulnerability Summary for CVE-2012-4929“. Internet:http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4929 [June, 2014].
23 „Software >> sslstrip“. Internet: http://www.thoughtcrime.org/software/sslstrip/ [June,2014].
24 „SSL, GONE IN 30 SECONDS“. Internet: http://breachattack.com/ [June, 2014].
25 Christopher Meyer. „SoK: Lessons Learned From SSL/TLS Attacks“. Internet:http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/08/19/paper.pdf [June, 2014].
26 Scott C. Johnson. „CRIME Attack on SSL/TSL“. Internet:http://www.cs.rit.edu/~sxj4236/crypto2_paper2.pdf [June, 2014].
27 Be'ery, Tal and Amichai Shulman. "TIME Prefect CRIME." Internet:https://media.blackhat.com/eu-13/briefings/Beery/bh-eu-13-a-perfect-crime-beery-wp.pdf [June,2014].
28 Constantin Lucian. „Researchers resurrect and improve CRIME attack against SSL“.Internet: http://www.networkworld.com/news/2013/031413-researchers-resurrect-and-improve-crime-267698.html?page=1 [June, 2014].
29 Kelsey John. "3091." 2002. IACR.org. 9 4 2013. Internet;http://www.iacr.org/cryptodb/archive/2002/FSE/3091/3091.pdf [June, 2014].
30 „zOompf. Explaining the Crime weakness in SPDY and SSL“. Internet:http://zoompf.com/2012/09/explaining-the-crime-weakness-in-spdy-and-ssl [June, 2014].
31 Vlastimil Klíma. „Attacking RSA-based Sessions in SSL/TLS“. Internet:http://eprint.iacr.org/2003/052.pdf [June, 2014].
32 Canvel, B.“Password Interception in a SSL/TLS Channel“. Internet:http://lasecwww.epfl.ch/memo_ssl.shtml [February, 2003].
33 Jonsson J. „On the Security of RSA Encryption in TLS“. In Proc. of CRYPTO '02, pp. 127-142, 2002.
34 Kurt Seifried. „As with marriage, SSL security success is in the details Attacks Against SSL“. Internet: http://www.linux-magazine.com/Issues/2010/112/Security-Lessons-SecureProgramming[June, 2014].
35 Dan Goodin. „Two new attacks on SSL decrypt authentication cookies“. Internet:http://arstechnica.com/security/2013/03/new-attacks-on-ssl-decrypt-authentication-cookies/ [June,2014].
36 „Another crypto-attack on SSL/TLS encryption“. Internet: http://www.honline.com/security/news/item/Another-crypto-attack-on-SSL-TLS-encryption-1823227.html [June, 2014].
Mr. Eng. Mohanned Hassan Momani
Sr. Information Security & Technology Consultant IT security trainer C|EI Security Wits Technologies Jordan - Jordan
Mr. Adam Ali.Zare Hudaib
Information & Cyber Security Expert Licensed penetration tester L|PT Sweden - Sweden
adamhudaib@gmail.com