Visible to the public Biblio

Filters: Keyword is SSL  [Clear All Filters]
2022-12-20
Şimşek, Merve Melis, Ergun, Tamer, Temuçin, Hüseyin.  2022.  SSL Test Suite: SSL Certificate Test Public Key Infrastructure. 2022 30th Signal Processing and Communications Applications Conference (SIU). :1–4.
Today, many internet-based applications, especially e-commerce and banking applications, require the transfer of personal data and sensitive data such as credit card information, and in this process, all operations are carried out over the Internet. Users frequently perform these transactions, which require high security, on web sites they access via web browsers. This makes the browser one of the most basic software on the Internet. The security of the communication between the user and the website is provided with SSL certificates, which is used for server authentication. Certificates issued by Certificate Authorities (CA) that have passed international audits must meet certain conditions. The criteria for the issuance of certificates are defined in the Baseline Requirements (BR) document published by the Certificate Authority/Browser (CA/B) Forum, which is accepted as the authority in the WEB Public Key Infrastructure (WEB PKI) ecosystem. Issuing the certificates in accordance with the defined criteria is not sufficient on its own to establish a secure SSL connection. In order to ensure a secure connection and confirm the identity of the website, the certificate validation task falls to the web browsers with which users interact the most. In this study, a comprehensive SSL certificate public key infrastructure (SSL Test Suite) was established to test the behavior of web browsers against certificates that do not comply with BR requirements. With the designed test suite, it is aimed to analyze the certificate validation behaviors of web browsers effectively.
ISSN: 2165-0608
2020-03-30
Verma, Rajat Singh, Chandavarkar, B. R., Nazareth, Pradeep.  2019.  Mitigation of hard-coded credentials related attacks using QR code and secured web service for IoT. 2019 10th International Conference on Computing, Communication and Networking Technologies (ICCCNT). :1–5.
Hard-coded credentials such as clear text log-in id and password provided by the IoT manufacturers and unsecured ways of remotely accessing IoT devices are the major security concerns of industry and academia. Limited memory, power, and processing capabilities of IoT devices further worsen the situations in improving the security of IoT devices. In such scenarios, a lightweight security algorithm up to some extent can minimize the risk. This paper proposes one such approach using Quick Response (QR) code to mitigate hard-coded credentials related attacks such as Mirai malware, wreak havoc, etc. The QR code based approach provides non-clear text unpredictable login id and password. Further, this paper also proposes a secured way of remotely accessing IoT devices through modified https. The proposed algorithms are implemented and verified using Raspberry Pi 3 model B.
2020-02-10
Odelu, Vanga.  2019.  An Efficient Two-Server Password-Only User Authentication for Consumer Electronic Devices. 2019 IEEE International Conference on Consumer Electronics (ICCE). :1–2.

We propose an efficient and secure two-server password-only remote user authentication protocol for consumer electronic devices, such as smartphones and laptops. Our protocol works on-top of any existing trust model, like Secure Sockets Layer protocol (SSL). The proposed protocol is secure against dictionary and impersonation attacks.

Majumdar, R., Gayen, P. K., Mondal, S., Sadhukhan, A., Das, P. K., Kushary, I..  2019.  A Cyber Communication Package in the Application of Grid Tied Solar System. 2019 Devices for Integrated Circuit (DevIC). :146–150.

In this paper, development of cyber communication package in the application of grid connected solar system has been presented. Here, implemented communication methodology supports communication process with reduced latency, high security arrangement with various degrees of freedom. Faithful transferring of various electrical data for the purpose of measurement, monitoring and controlling actions depend on the bidirectional communication strategy. Thus, real-time communication of data through cyber network has been emphasized in this paper. The C\# language based coding is done to develop the communication program. The notable features of proposed communication process are reduction of latency during data exchange by usage of advanced encryption standard (AES) algorithm, tightening of cyber security arrangement by implementing secured socket layer (SSL) and Rivest, Shamir and Adleman (RSA) algorithms. Various real-time experiments using internet connected computers have been done to verify the usability of the proposed communication concept along with its notable features in the application.

Kö\v g\c ce, Mustafa, \c Si\c seci, Necati Ersen.  2019.  A New Approach to Security of N TP via SSL Certificates. 2019 1st International Informatics and Software Engineering Conference (UBMYK). :1–5.

The Time and the Time Synchronization are veryimportant especially for the computer networks performing timesensitive operations. It is very important for all the datacenters, markets, finance companies, industrial networks, commercial applications, e-mail and communication-related Clients and servers, active directory services, authentication mechanisms, and wired and wireless communication. For instance. a sensitive time system is crucial for financial networks processing a large amount of data on a daily basis. If the computer does not communicate with other Computers Or Other systems using time, then the time information might not be important. The NTP acts as a Single time source in order to synchronize all the devices in a network. While the computer networks communicate with each other between different time zones and different locations on the earth; the main time doesn't need to be the same all around the world but it must be very sensitive otherwise the networks at different locations might work on different times.As the main time sources, most of networks uses the Coordinated Universal Time The is important also for security. The hackers and the malware such as computer Viruses use the time inconsistencies in order to overcome all the security measures such as firewalls or antivirus software; without a correct time, any system might be taken under control. If all the devices are connected to STP time. then it would be more difficult for malicious to the System.

2019-01-31
Razaghpanah, Abbas, Niaki, Arian Akhavan, Vallina-Rodriguez, Narseo, Sundaresan, Srikanth, Amann, Johanna, Gill, Philippa.  2018.  Studying TLS Usage in Android Apps. Proceedings of the Applied Networking Research Workshop. :5–5.

First standardized by the IETF in the 1990's, SSL/TLS is the most widely-used encryption protocol on the Internet. This makes it imperative to study its usage across different platforms and applications to ensure proper usage and robustness against attacks and vulnerabilities. While previous efforts have focused on the usage of TLS in the desktop ecosystem, there have been no studies of TLS usage by mobile apps at scale. In our study, we use anonymized data collected by the Lumen mobile measurement app to analyze TLS usage by Android apps in the wild. We analyze and fingerprint handshake messages to characterize the TLS APIs and libraries that apps use, and evaluate their weaknesses. We find that 84% of apps use the default TLS libraries provided by the operating system, and the remaining apps use other TLS libraries for various reasons such as using TLS extensions and features that are not supported by the Android TLS libraries, some of which are also not standardized by the IETF. Our analysis reveals the strengths and weaknesses of each approach, demonstrating that the path to improving TLS security in the mobile platform is not straightforward. Based on work published at: Abbas Razaghpanah, Arian Akhavan Niaki, Narseo Vallina-Rodriguez, Srikanth Sundaresan, Johanna Amann, and Phillipa Gill. 2017. Studying TLS Usage in Android Apps. In Proceedings of CoNEXT '17. ACM, New York, NY, USA, 13 pages. https://doi.org/10.1145/3143361.3143400

2018-05-30
Razaghpanah, Abbas, Niaki, Arian Akhavan, Vallina-Rodriguez, Narseo, Sundaresan, Srikanth, Amann, Johanna, Gill, Phillipa.  2017.  Studying TLS Usage in Android Apps. Proceedings of the 13th International Conference on Emerging Networking EXperiments and Technologies. :350–362.

Transport Layer Security (TLS), has become the de-facto standard for secure Internet communication. When used correctly, it provides secure data transfer, but used incorrectly, it can leave users vulnerable to attacks while giving them a false sense of security. Numerous efforts have studied the adoption of TLS (and its predecessor, SSL) and its use in the desktop ecosystem, attacks, and vulnerabilities in both desktop clients and servers. However, there is a dearth of knowledge of how TLS is used in mobile platforms. In this paper we use data collected by Lumen, a mobile measurement platform, to analyze how 7,258 Android apps use TLS in the wild. We analyze and fingerprint handshake messages to characterize the TLS APIs and libraries that apps use, and also evaluate weaknesses. We see that about 84% of apps use default OS APIs for TLS. Many apps use third-party TLS libraries; in some cases they are forced to do so because of restricted Android capabilities. Our analysis shows that both approaches have limitations, and that improving TLS security in mobile is not straightforward. Apps that use their own TLS configurations may have vulnerabilities due to developer inexperience, but apps that use OS defaults are vulnerable to certain attacks if the OS is out of date, even if the apps themselves are up to date. We also study certificate verification, and see low prevalence of security measures such as certificate pinning, even among high-risk apps such as those providing financial services, though we did observe major third-party tracking and advertisement services deploying certificate pinning.

2017-09-27
Xu, Jinsheng, Yuan, Xiaohong, Velma, Ashrith.  2016.  Design and Evaluation of a Course Module on Android Cipher Programming (Abstract Only). Proceedings of the 47th ACM Technical Symposium on Computing Science Education. :689–690.
Encryption is critical in protecting the confidentiality of users' data on mobile devices. However, research has shown that many mobile apps are not correctly using the ciphers, which makes them vulnerable to the attacks. The existing resources on cipher programming education do not provide enough practical scenarios to help students learn the cipher programming in the context of real world situations with programs that have complex interacting modules with access to networking, storage, and database. This poster introduces a course module that teaches students how to develop secure Android applications by correctly using Android's cryptography APIs. This course module is targeted to two areas where programmers commonly make many mistakes: password based encryption and SSL certificate validation. The core of the module includes a real world sample Android program for students to secure by implementing cryptographic components correctly. The course module will use open-ended problem solving to let students freely explore the multiple options in securing the application. The course module includes a lecture slide on Android's Crypto library, its common misuses, and suggested good practices. Assessment materials will also be included in the course module. This course module will be used and evaluated in a Network Security class. We will present the results of the evaluation in the conference.
Springall, Drew, Durumeric, Zakir, Halderman, J. Alex.  2016.  Measuring the Security Harm of TLS Crypto Shortcuts. Proceedings of the 2016 Internet Measurement Conference. :33–47.

TLS has the potential to provide strong protection against network-based attackers and mass surveillance, but many implementations take security shortcuts in order to reduce the costs of cryptographic computations and network round trips. We report the results of a nine-week study that measures the use and security impact of these shortcuts for HTTPS sites among Alexa Top Million domains. We find widespread deployment of DHE and ECDHE private value reuse, TLS session resumption, and TLS session tickets. These practices greatly reduce the protection afforded by forward secrecy: connections to 38% of Top Million HTTPS sites are vulnerable to decryption if the server is compromised up to 24 hours later, and 10% up to 30 days later, regardless of the selected cipher suite. We also investigate the practice of TLS secrets and session state being shared across domains, finding that in some cases, the theft of a single secret value can compromise connections to tens of thousands of sites. These results suggest that site operators need to better understand the tradeoffs between optimizing TLS performance and providing strong security, particularly when faced with nation-state attackers with a history of aggressive, large-scale surveillance.

O'Neill, Mark, Ruoti, Scott, Seamons, Kent, Zappala, Daniel.  2016.  TLS Proxies: Friend or Foe? Proceedings of the 2016 Internet Measurement Conference. :551–557.
We measure the prevalence and uses of TLS proxies using a Flash tool deployed with a Google AdWords campaign. We generate 2.9 million certificate tests and find that 1 in 250 TLS connections are TLS-proxied. The majority of these proxies appear to be benevolent, however we identify over 1,000 cases where three malware products are using this technology nefariously. We also find numerous instances of negligent, duplicitous, and suspicious behavior, some of which degrade security for users without their knowledge. Distinguishing these types of practices is challenging in practice, indicating a need for transparency and user awareness.
Malchow, Jan-Ole, Güldenring, Benjamin, Roth, Volker.  2016.  POSTER: Re-Thinking Risks and Rewards for Trusted Third Parties. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. :1796–1798.
Commercial trusted third parties (TTPs) may increase their bottom line by watering down their validation procedures because they assume no liability for lapses of judgement. Consumers bear the risk of misplaced trust. Reputation loss is a weak deterrent for TTPs because consumers do not choose them - web shops and browser vendors do. At the same time, consumers are the source of income of these parties. Hence, risks and rewards are not well-aligned. Towards a better alignment, we explore the brokering of connection insurances and transaction insurances, where consumers get to choose their insurer. We lay out the principal idea how such a brokerage might work at a technical level with minimal interference with existing protocols and mechanisms, we analyze the security requirements and we propose techniques to meet these requirements.
2017-09-26
Cangialosi, Frank, Chung, Taejoong, Choffnes, David, Levin, Dave, Maggs, Bruce M., Mislove, Alan, Wilson, Christo.  2016.  Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. :628–640.

The semantics of online authentication in the web are rather straightforward: if Alice has a certificate binding Bob's name to a public key, and if a remote entity can prove knowledge of Bob's private key, then (barring key compromise) that remote entity must be Bob. However, in reality, many websites' and the majority of the most popular ones-are hosted at least in part by third parties such as Content Delivery Networks (CDNs) or web hosting providers. Put simply: administrators of websites who deal with (extremely) sensitive user data are giving their private keys to third parties. Importantly, this sharing of keys is undetectable by most users, and widely unknown even among researchers. In this paper, we perform a large-scale measurement study of key sharing in today's web. We analyze the prevalence with which websites trust third-party hosting providers with their secret keys, as well as the impact that this trust has on responsible key management practices, such as revocation. Our results reveal that key sharing is extremely common, with a small handful of hosting providers having keys from the majority of the most popular websites. We also find that hosting providers often manage their customers' keys, and that they tend to react more slowly yet more thoroughly to compromised or potentially compromised keys.

2017-09-11
Chung, Taejoong, Liu, Yabing, Choffnes, David, Levin, Dave, Maggs, Bruce MacDowell, Mislove, Alan, Wilson, Christo.  2016.  Measuring and Applying Invalid SSL Certificates: The Silent Majority. Proceedings of the 2016 Internet Measurement Conference. :527–541.

SSL and TLS are used to secure the most commonly used Internet protocols. As a result, the ecosystem of SSL certificates has been thoroughly studied, leading to a broad understanding of the strengths and weaknesses of the certificates accepted by most web browsers. Prior work has naturally focused almost exclusively on "valid" certificates–those that standard browsers accept as well-formed and trusted–and has largely disregarded certificates that are otherwise "invalid." Surprisingly, however, this leaves the majority of certificates unexamined: we find that, on average, 65% of SSL certificates advertised in each IPv4 scan that we examine are actually invalid. In this paper, we demonstrate that despite their invalidity, much can be understood from these certificates. Specifically, we show why the web's SSL ecosystem is populated by so many invalid certificates, where they originate from, and how they impact security. Using a dataset of over 80M certificates, we determine that most invalid certificates originate from a few types of end-user devices, and possess dramatically different properties than their valid counterparts. We find that many of these devices periodically reissue their (invalid) certificates, and develop new techniques that allow us to track these reissues across scans. We present evidence that this technique allows us to uniquely track over 6.7M devices. Taken together, our results open up a heretofore largely-ignored portion of the SSL ecosystem to further study.

2017-08-18
Cangialosi, Frank, Chung, Taejoong, Choffnes, David, Levin, Dave, Maggs, Bruce M., Mislove, Alan, Wilson, Christo.  2016.  Measurement and Analysis of Private Key Sharing in the HTTPS Ecosystem. Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security. :628–640.

The semantics of online authentication in the web are rather straightforward: if Alice has a certificate binding Bob's name to a public key, and if a remote entity can prove knowledge of Bob's private key, then (barring key compromise) that remote entity must be Bob. However, in reality, many websites' and the majority of the most popular ones-are hosted at least in part by third parties such as Content Delivery Networks (CDNs) or web hosting providers. Put simply: administrators of websites who deal with (extremely) sensitive user data are giving their private keys to third parties. Importantly, this sharing of keys is undetectable by most users, and widely unknown even among researchers. In this paper, we perform a large-scale measurement study of key sharing in today's web. We analyze the prevalence with which websites trust third-party hosting providers with their secret keys, as well as the impact that this trust has on responsible key management practices, such as revocation. Our results reveal that key sharing is extremely common, with a small handful of hosting providers having keys from the majority of the most popular websites. We also find that hosting providers often manage their customers' keys, and that they tend to react more slowly yet more thoroughly to compromised or potentially compromised keys.

2015-05-04
Chakaravarthi, S., Selvamani, K., Kanimozhi, S., Arya, P.K..  2014.  An intelligent agent based privacy preserving model for Web Service security. Electrical and Computer Engineering (CCECE), 2014 IEEE 27th Canadian Conference on. :1-5.

Web Service (WS) plays an important role in today's word to provide effective services for humans and these web services are built with the standard of SOAP, WSDL & UDDI. This technology enables various service providers to register and service sender their intelligent agent based privacy preserving modelservices to utilize the service over the internet through pre established networks. Also accessing these services need to be secured and protected from various types of attacks in the network environment. Exchanging data between two applications on a secure channel is a challenging issue in today communication world. Traditional security mechanism such as secured socket layer (SSL), Transport Layer Security (TLS) and Internet Protocol Security (IP Sec) is able to resolve this problem partially, hence this research paper proposes the privacy preserving named as HTTPI to secure the communication more efficiently. This HTTPI protocol satisfies the QoS requirements, such as authentication, authorization, integrity and confidentiality in various levels of the OSI layers. This work also ensures the QoS that covers non functional characteristics like performance (throughput), response time, security, reliability and capacity. This proposed intelligent agent based model results in excellent throughput, good response time and increases the QoS requirements.
 

2014-09-17
Fahl, Sascha, Harbach, Marian, Perl, Henning, Koetter, Markus, Smith, Matthew.  2013.  Rethinking SSL Development in an Appified World. Proceedings of the 2013 ACM SIGSAC Conference on Computer &\#38; Communications Security. :49–60.
The Secure Sockets Layer (SSL) is widely used to secure data transfers on the Internet. Previous studies have shown that the state of non-browser SSL code is catastrophic across a large variety of desktop applications and libraries as well as a large selection of Android apps, leaving users vulnerable to Man-in-the-Middle attacks (MITMAs). To determine possible causes of SSL problems on all major appified platforms, we extended the analysis to the walled-garden ecosystem of iOS, analyzed software developer forums and conducted interviews with developers of vulnerable apps. Our results show that the root causes are not simply careless developers, but also limitations and issues of the current SSL development paradigm. Based on our findings, we derive a proposal to rethink the handling of SSL in the appified world and present a set of countermeasures to improve the handling of SSL using Android as a blueprint for other platforms. Our countermeasures prevent developers from willfully or accidentally breaking SSL certificate validation, offer support for extended features such as SSL Pinning and different SSL validation infrastructures, and protect users. We evaluated our solution against 13,500 popular Android apps and conducted developer interviews to judge the acceptance of our approach and found that our solution works well for all investigated apps and developers.