Thursday, February 6, 2020

TLS/SSL Vulnerabilities


POODLE: The SSL 3.0 vulnerability is in the Cipher Block Chaining (CBC) mode. Block ciphers require blocks of fixed length. If the data in the last block does not fill the block, the remaining space is filled with padding. The server ignores the content of the padding. It only checks that the padding length is correct and verifies the Message Authentication Code (MAC) of the plaintext. That means the server cannot detect whether anyone modified the padding content.
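The padding check described above, next to the stricter TLS 1.0+ rule, as an added example that is not part of the original post. The key, the sample plaintext, the 16-byte block size and the use of HMAC-SHA256 in place of the real SSL 3.0 record MAC are assumptions, and the record is shown after decryption.

```python
import hashlib
import hmac
from typing import Optional

BLOCK = 16    # cipher block size assumed for this example
MAC_LEN = 32  # HMAC-SHA256 stands in for the real SSL 3.0 record MAC
KEY = b"constructed-mac-key"  # constructed sample key


def _mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


def build_record(data: bytes, filler: Optional[int] = None) -> bytes:
    """MAC-then-pad plaintext: data || MAC(data) || padding || padding_length."""
    body = data + _mac(data)
    pad_len = BLOCK - 1 - (len(body) % BLOCK)
    # TLS fills padding with pad_len; SSL 3.0 allows arbitrary filler bytes.
    fill = pad_len if filler is None else filler
    return body + bytes([fill]) * pad_len + bytes([pad_len])


def accept(record: bytes, strict_padding: bool) -> bool:
    """Check a decrypted record. strict_padding=False mimics SSL 3.0."""
    if len(record) % BLOCK or len(record) < MAC_LEN + 1:
        return False
    pad_len = record[-1]
    if pad_len + 1 + MAC_LEN > len(record):
        return False
    padding = record[-1 - pad_len:-1]
    if strict_padding and any(b != pad_len for b in padding):
        return False  # TLS 1.0+ rule: every padding byte equals pad_len
    body = record[:-1 - pad_len]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    # The MAC covers only the data, so it says nothing about the padding.
    return hmac.compare_digest(mac, _mac(data))


DATA = b"user=alice&id=042"                # constructed sample plaintext
HONEST = build_record(DATA)                # padding filled with pad_len
ALTERED = build_record(DATA, filler=0xAA)  # same length byte, other padding bytes

if __name__ == "__main__":
    for name, rec in (("honest", HONEST), ("altered padding", ALTERED)):
        print(name, "ssl3:", accept(rec, False), "tls:", accept(rec, True))
```

The record with altered padding passes the SSL 3.0 style check and fails the strict one, which is why disabling SSL 3.0 removes the weakness.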


BEAST: Browser Exploit Against SSL/TLS (BEAST) is an attack that was found to be possible against TLS v1.0 and SSLv3.0 (and below) when a block cipher is in use. In this attack, the attacker is able to determine the IV (Initialisation Vector) which is utilised as part of the encryption process.
It provides a way to extract the unencrypted plaintext from an encrypted session.


BREACH (Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext):

The BREACH attack is an exploit against HTTPS when HTTP compression is in use. It is based on the CRIME exploit.
It was possible to mitigate CRIME by disabling TLS compression, but BREACH attacks HTTP responses. To be vulnerable to the BREACH attack, a web application must be served from a server that uses HTTP-level compression. Also, user input must be reflected in the HTTP response, and a secret (such as a CSRF token) must be reflected in the response body.

FREAK (Factoring RSA Export Keys):

Export cipher suites stopped being used in the 2000s. But researchers revealed that old export cipher suites are still being used. These cipher suites enable really weak encryption.
In the handshake process, the attacker modifies the cipher suite and makes the server and client use export RSA keys. An export RSA key can be easily broken by the attacker, who can then control the traffic. MITM is possible using the FREAK attack.
Support for export-grade cipher suites must be disabled on servers. Vulnerable clients must also be updated. This vulnerability was seen on every browser and also on OpenSSL.

HEARTBLEED: Heartbleed is not an issue with TLS/SSL itself but an issue with OpenSSL, affecting versions 1.0.1 and before. It doesn't require a man in the middle, and it can be exploited against both server and client.
(The most common implementation of SSL and TLS is OpenSSL, an open source encryption library and toolkit for the TLS and SSL protocols.)
It is a buffer size check issue. Heartbeat check traffic is not encrypted. Also, OpenSSL does not check the length of the heartbeat command: if the attacker specifies the heartbeat length as 64k and sends it to the server, then the response is 64k with information in it. The response is “HEART+random additional information”.
Heartbleed allows an attacker to extract up to 64kb of memory from a vulnerable system. This can lead to theft of credentials, session tokens and server private keys.
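The missing length check described above, modelled next to the check that RFC 6520 requires, as an added example that is not OpenSSL's code. The memory layout, the sample secret and the function name `heartbeat_reply` are constructed for illustration; a Python slice stands in for the C copy that reads past the record.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16  # RFC 6520: at least 16 bytes of padding follow the payload


def heartbeat_reply(memory: bytes, offset: int, record_len: int, check_length: bool):
    """Answer the heartbeat record stored at memory[offset:offset + record_len].

    Message layout: type (1 byte) | payload_length (2 bytes) | payload | padding.
    Returns the reply bytes, or None when the message is discarded.
    """
    if record_len < 3:
        return None
    msg_type, claimed = struct.unpack_from("!BH", memory, offset)
    if msg_type != HB_REQUEST:
        return None
    if check_length and 1 + 2 + claimed + MIN_PADDING > record_len:
        return None  # claimed payload does not fit in the record: drop silently
    # Without the check, the claimed length is trusted and the copy runs into
    # whatever happens to sit after the record in memory.
    start = offset + 3
    return struct.pack("!BH", HB_RESPONSE, claimed) + memory[start:start + claimed]


# Constructed sample: a record that carries 5 payload bytes but claims 40,
# followed in "memory" by unrelated data belonging to the same process.
LYING = struct.pack("!BH", HB_REQUEST, 40) + b"HEART" + bytes(MIN_PADDING)
HONEST = struct.pack("!BH", HB_REQUEST, 5) + b"HEART" + bytes(MIN_PADDING)
NEIGHBOUR = b"session=CONSTRUCTED-SECRET" + bytes(64)

if __name__ == "__main__":
    for name, rec in (("honest", HONEST), ("lying", LYING)):
        mem = rec + NEIGHBOUR
        print(name, "unchecked:", heartbeat_reply(mem, 0, len(rec), False))
        print(name, "checked:  ", heartbeat_reply(mem, 0, len(rec), True))
```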


DROWN: CVE-2016-0800, or Decrypting RSA with Obsolete and Weakened eNcryption (DROWN), is a vulnerability that affects servers still supporting SSLv2 or servers that share a private key with any other server that allows SSLv2. The attack takes many hundreds of requests. This can be achieved by the user visiting a load-intensive application, or alternatively by forcing the user to visit a site which can make a large number of cross-site requests.
Even if the target application uses TLS 1.2, if SSLv2 is supported and the RSA key exchange algorithm is used, the server is vulnerable to the DROWN attack.
If the server supports SSLv2 but doesn't support SSLv2 cipher suites, the server is still vulnerable.
To protect against DROWN, server operators need to ensure that their private keys are not used anywhere with server software that allows SSLv2 connections.

The attacker makes multiple requests to the server; in some of them, by luck, he will guess the correct padding. Then he tries more and more and acquires more data.

Tuesday, February 4, 2020

SABSA(Sherwood Applied Business Security Architecture)




SABSA is a security architecture framework and also a methodology. SABSA is a layered framework that starts by defining business requirements in layer 1. It goes from abstraction to more detailed phases: from the policy level to more detailed and practical implementations of technology in order to achieve business goals.

Since it is a framework, it defines the architecture, and since it is also a methodology, it provides the processes to achieve and maintain this architecture.


TOGAF



TOGAF 9 covers the development of four main architecture domains. Those are:

  • Business architecture
  • Application architecture
  • Data architecture
  • Technology architecture

What are the benefits of having an architectural framework?

  • Pressure of laws and regulations
  • More co-operative and efficient IT and business relations
  • Helps organisation to achieve business strategy
  • Faster adaptation to business needs and provides smooth changes
  • Provides more consistent business processes and information across business units
  • Provides more security and minimizes risks


An architectural framework must provide a set of methods and strategies in order to achieve the enterprise's target state. It should describe how each block of the enterprise should act in order to achieve the desired state. A framework must define the method step by step and block by block. It must also clearly state how those blocks fit together and create the overall strategy for the enterprise.

It must provide a set of tools and also a common vocabulary list. A framework should also suggest a set of standards, regulations and compliant tools that can be used in order to achieve the goal.

When developing an enterprise architecture, it is really important to take advantage of a framework, because it prevents the initial panic, it gives a baseline, and it shows how others achieved their goals and how others solved the same possible problems.

TOGAF provides a set of tools in its library.

  • TOGAF Architectural Development Method (ADM)
  • ADM Guidelines and techniques
  • TOGAF Architecture Content Framework
  • Enterprise Continuum
  • TOGAF Reference Models
  • TOGAF Capability Framework

Architecture Development Cycle



Preliminary: The Preliminary phase is the initialization and preparation phase for creating an Architecture Capability.
A. Architecture Vision: In this phase, scope, constraints and expectations are defined. The Architecture Vision and the Statement of Architecture Work are created.
B. Business Architecture: It defines the organisational structure, business goals and processes.
C. Information System Architecture: Shows how IT systems meet the business goals. It includes data architecture and application architecture. The enterprise decides which one must be done first. They can be done in parallel too. Iteration must be done in order to provide consistency.
D. Technology Architecture: The principles and fundamentals of the IT system are defined. Hardware, software technology, their relationships and design principles are defined.
E. Opportunities and Solutions: In this phase, the initial planning is performed. Priorities and dependencies are identified.
F. Migration Planning: Finalize the implementation and migration plan.
G. Implementation Governance: This phase provides architectural oversight of the implementation and monitors implementations.
H. Architecture Change Management: Provides a continuous monitoring and change management process. It ensures that all changes are implemented and managed in a way that is compliant with the architecture.

What is the use of Address Resolution Protocol (ARP)?



Address Resolution Protocol is a protocol used by IP (mostly IPv4) in order to match IP addresses to link layer addresses, such as MAC addresses, in a local area network. ARP operates between the network layer and the data link layer. ARP is a layer 2 protocol. It uses an ARP table.

Format of an ARP message:




https://erg.abdn.ac.uk/users/gorry/course/inet-pages/arp.html
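The ARP message format referred to above, expressed as a parser, as an added example that is not part of the original post. The field layout follows RFC 826; the function name `parse_arp` and the sample packet (documentation addresses from 192.0.2.0/24 and a locally administered MAC) are constructed for illustration.

```python
import ipaddress
import struct

OPERATIONS = {1: "request", 2: "reply"}


def _fmt(addr: bytes, is_ipv4: bool) -> str:
    if is_ipv4:
        return str(ipaddress.IPv4Address(addr))
    return ":".join(f"{b:02x}" for b in addr)


def parse_arp(payload: bytes) -> dict:
    """Parse an ARP message (the payload of an Ethernet frame, EtherType 0x0806).

    Fixed header: hardware type (2) | protocol type (2) | hardware address
    length (1) | protocol address length (1) | operation (2), followed by
    sender hardware, sender protocol, target hardware, target protocol address.
    """
    if len(payload) < 8:
        raise ValueError("truncated ARP header")
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", payload)
    if len(payload) < 8 + 2 * (hlen + plen):
        raise ValueError("truncated ARP addresses")
    parts, pos = [], 8
    for size in (hlen, plen, hlen, plen):
        parts.append(payload[pos:pos + size])
        pos += size  # bytes after the last address are Ethernet padding
    ipv4 = ptype == 0x0800 and plen == 4
    return {
        "hardware_type": htype,
        "protocol_type": ptype,
        "operation": OPERATIONS.get(oper, f"unknown({oper})"),
        "sender_mac": _fmt(parts[0], False),
        "sender_ip": _fmt(parts[1], ipv4),
        "target_mac": _fmt(parts[2], False),
        "target_ip": _fmt(parts[3], ipv4),
    }


# Constructed sample: "who has 192.0.2.1? tell 192.0.2.10", padded with 18
# zero bytes the way a minimum-size Ethernet frame would be.
SAMPLE = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)
          + bytes.fromhex("020000000001") + ipaddress.IPv4Address("192.0.2.10").packed
          + bytes(6) + ipaddress.IPv4Address("192.0.2.1").packed + bytes(18))

if __name__ == "__main__":
    print(parse_arp(SAMPLE))
```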

ARP Poisoning:


Monday, February 3, 2020

Block Cipher vs Stream Cipher



A block cipher encrypts and decrypts one block of text at a time, while a stream cipher encrypts and decrypts the text one byte at a time.

A block cipher is best used when you know how large the message is. When you don't know the exact size, it is better to use a stream cipher.

Block cipher algorithm modes: ECB (Electronic Code Book) and CBC (Cipher Block Chaining)
Stream cipher algorithm modes: CFB (Cipher Feedback) and OFB (Output Feedback)

Methods of Encryption


Symmetric Cryptography

In symmetric encryption, the sender and receiver use two instances of the same key for encryption and decryption. Symmetric keys are also called "secret" keys, because those keys should be kept private and secret by both receiver and sender. If this key is stolen by malicious people, then messages can be decrypted.

The strong side of symmetric cryptography is that it is fast. But it also has a number of negative sides. It requires a secure way of delivering keys between sender and receiver. Each pair of users needs a unique key, and it becomes difficult to manage an enormous number of keys.
It provides confidentiality but not authenticity and non-repudiation.

DES, 3DES, Blowfish, RC4 and AES are examples of symmetric cryptography.

Asymmetric Cryptography

In asymmetric cryptography, each side has a different set of keys: a public key and a private key. A message is encrypted with one key and decrypted with the other key. It is not possible to encrypt and decrypt with the same key.

User A can encrypt a message using his/her own private key, and User B can decrypt the message with User A's public key. In that case, User B will be sure that this message is coming from User A. This provides authentication.

If confidentiality is very important, then User A can encrypt the message with User B's public key, and User B decrypts it using his/her own private key. In that case, only User B can decrypt the message, because only he/she has his/her own private key.

It is important to understand that both public and private keys can be used both for encryption and decryption.

The strong sides of asymmetric encryption are a better key distribution system compared to symmetric systems and the ability to provide confidentiality, non-repudiation and authentication.

Of course, it also has some weaknesses, such as being slow, because it includes mathematically much more intensive tasks.

RSA, ECC, Diffie-Hellman, El Gamal and DSA (Digital Signature Algorithm) are examples of asymmetric encryption.

Saturday, February 1, 2020

What is ISMS?


An Information Security Systems Management is a systematic approach and a combination of policies and procedures that helps you manage and protect an enterprise's sensitive data using effective risk management.

ISMS focuses on three key aspects, which are:


  1. Confidentiality
  2. Integrity
  3. Availability

ISMS vs Security Enterprise Architecture

An ISMS outlines the controls to put in place and provides direction on how to manage those controls through their own lifecycle.
Those controls may be risk management, vulnerability management, physical security, auditing, configuration management, etc. An ISMS specifies the parts and pieces that need to be put into place in order to achieve a holistic security program for the enterprise. An ISMS also defines how to maintain and take care of those pieces and parts properly.

Security Enterprise Architecture illustrates how those parts should be implemented and integrated into the different layers of current business environment.
