scholarly journals Man in The Middle Attacks Against SSL/TLS: Mitigation and Defeat

2020 ◽  
Author(s):  
Muneer Alwazzeh ◽  
Sameer Karaman ◽  
Mohammad Nur Shamma
Keyword(s):  
Elliptic Curve ◽  
Key Agreement ◽  
Transport Layer ◽  
Secret Key ◽  
Transport Layer Security ◽  
Digital Signature Algorithm ◽  
Public Keys ◽  
Man In The Middle ◽  
Symmetric Key ◽  
Security Network

Network security and related issues have been discussed thoroughly in this paper, especially at transport layer security network protocol, which concern with confidentiality, integrity, availability, authentication, and accountability. To mitigate and defeat Man-in-the-middle-attacks, we have proposed a new model which consists of sender and receiver systems and utilizes a combination of blowfish (BF) and Advanced Encryption Standard (AES) algorithms, symmetric key agreement to distribute public keys, Elliptic Curve Cryptography (ECC) to create secret key, and then Diffe Hellman (DH) for key exchange. Both SHA-256 hashing and Elliptic Curve Digital Signature Algorithm (ECDSA) have been applied for integrity, and authentication, respectively.

scholarly journals The Arithmetic Of elliptic Curve for Prime Curve Secp-384r1 Using One Variable Polynomial Division for Security of Transport Layer Protocol

2019 ◽  
Vol 8 (2) ◽  
pp. 4770-4774
Keyword(s):  
Elliptic Curve ◽  
Transport Layer ◽  
Mathematical Function ◽  
Secure Socket Layer ◽  
Prime Field ◽  
Security Services ◽  
Transport Layer Security ◽  
Digital Signature Algorithm ◽  
Ssl Protocol ◽  
Transport Layer Protocol

In this paper, we present a new method for solving multivariate polynomial elliptic curve equations over a finite field. The arithmetic of elliptic curve is implemented using the mathematical function trace of finite fields. We explain the approach which is based on one variable polynomial division. This is achieved by identifying the plane p with the extension of and transforming elliptic curve equations as well as line equations arising in point addition or point doubling into one variable polynomial. Hence the intersection of the line with the curve is analogous to the roots of the division between these polynomials. Hence this is the different way of computing arithmetic of elliptic curve.Transport layer security provides endto-end security services for applications that use a reliable transport layer protocol such as TCP. Two Protocols are dominant today for providing security at the transport layer, the secure socket layer (SSL) protocol and transport layer security (TLS) protocol. One of the goals of these protocols is to provide server and client authentication, data confidentiality and data integrity. The above goals are achieved by establishing the keys between server and client, the algorithm is called elliptic curve digital signature algorithm (ECDSA) and elliptic curve DiffieHellman (ECDH). These algorithms are implemented using standard for efficient cryptography(SEC) prime field elliptic curve secp-384r1 currently specified in NSA Suite B Cryptography. The algorithm is verified on elliptic curve secp384r1and is shown to be adaptable to perform computation

On Cryptographically Strong Bindings of SAML Assertions to Transport Layer Security

2011 ◽  
Vol 3 (4) ◽  
pp. 20-35
Author(s):  
Florian Kohlar ◽  
Jörg Schwenk ◽  
Meiko Jensen ◽  
Sebastian Gajek
Keyword(s):  
Identity Management ◽  
Transport Layer ◽  
The Public ◽  
Web Technologies ◽  
Transport Layer Security ◽  
Man In The Middle ◽  
Federated Identity Management ◽  
Same Origin Policy ◽  
Security Guarantees ◽  
Federated Identity

In recent research, two approaches to protect SAML based Federated Identity Management (FIM) against man-in-the-middle attacks have been proposed. One approach is to bind the SAML assertion and the SAML artifact to the public key contained in a TLS client certificate. Another approach is to strengthen the Same Origin Policy of the browser by taking into account the security guarantees TLS gives. This work presents a third approach which is of further interest beyond IDM protocols, especially for mobile devices relying heavily on the security offered by web technologies. By binding the SAML assertion to cryptographically derived values of the TLS session that has been agreed upon between client and the service provider, this approach provides anonymity of the (mobile) browser while allowing Relying Party and Identity Provider to detect the presence of a man-in-the-middle attack.

On Cryptographically Strong Bindings of SAML Assertions to Transport Layer Security

2012 ◽  
pp. 89-106
Author(s):  
Florian Kohlar ◽  
Jörg Schwenk ◽  
Meiko Jensen ◽  
Sebastian Gajek
Keyword(s):  
Identity Management ◽  
Transport Layer ◽  
The Public ◽  
Web Technologies ◽  
Transport Layer Security ◽  
Man In The Middle ◽  
Same Origin Policy ◽  
Security Guarantees ◽  
Federated Identity ◽  
Identity Provider

In recent research, two approaches to protect SAML based Federated Identity Management (FIM) against man-in-the-middle attacks have been proposed. One approach is to bind the SAML assertion and the SAML artifact to the public key contained in a TLS client certificate. Another approach is to strengthen the Same Origin Policy of the browser by taking into account the security guarantees TLS gives. This work presents a third approach which is of further interest beyond IDM protocols, especially for mobile devices relying heavily on the security offered by web technologies. By binding the SAML assertion to cryptographically derived values of the TLS session that has been agreed upon between client and the service provider, this approach provides anonymity of the (mobile) browser while allowing Relying Party and Identity Provider to detect the presence of a man-in-the-middle attack.

scholarly journals Authenticated Blind Issuing of Symmetric Keys for Mobile Access Control System without Trusted Parties

2013 ◽  
Vol 2013 ◽  
pp. 1-11 ◽  
Author(s):  
Shin-Yan Chiou
Keyword(s):  
Access Control ◽  
Mobile Devices ◽  
Key Agreement ◽  
Secret Key ◽  
Mobile Access ◽  
Battery Capacity ◽  
Access Control System ◽  
Symmetric Key ◽  
Secret Key Agreement ◽  
Mobile Authentication

Mobile authentication can be used to verify a mobile user’s identity. Normally this is accomplished through the use of logon passwords, but this can raise the secret-key agreement problem between entities. This issue can be resolved by using a public-key cryptosystem, but mobile devices have limited computation ability and battery capacity and a PKI is needed. In this paper, we propose an efficient, non-PKI, authenticated, and blind issued symmetric key protocol for mobile access control systems. An easy-to-deploy authentication and authenticated key agreement system is designed such that empowered mobile devices can directly authorize other mobile devices to exchange keys with the server upon authentication using a non-PKI system without trusted parties. Empowered mobile users do not know the key value of the other mobile devices, preventing users from impersonating other individuals. Also, for security considerations, this system can revoke specific keys or keys issued by a specific user. The scheme is secure, efficient, and feasible and can be implemented in existing environments.

scholarly journals Efficient Implementation on Low-Cost SoC-FPGAs of TLSv1.2 Protocol with ECC_AES Support for Secure IoT Coordinators

Electronics ◽  
2019 ◽  
Vol 8 (11) ◽  
pp. 1238 ◽  
Author(s):  
Ahmed Mohamed Bellemou ◽  
Antonio García ◽  
Encarnación Castillo ◽  
Nadjia Benblidia ◽  
Mohamed Anane ◽  
...  
Keyword(s):  
Elliptic Curve ◽  
High Speed ◽  
High Performance ◽  
Performance Enhancement ◽  
Low Cost ◽  
Research Field ◽  
Transport Layer ◽  
Limited Area ◽  
Secret Key ◽  
Elliptic Curve Cryptosystems

Security management for IoT applications is a critical research field, especially when taking into account the performance variation over the very different IoT devices. In this paper, we present high-performance client/server coordinators on low-cost SoC-FPGA devices for secure IoT data collection. Security is ensured by using the Transport Layer Security (TLS) protocol based on the TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 cipher suite. The hardware architecture of the proposed coordinators is based on SW/HW co-design, implementing within the hardware accelerator core Elliptic Curve Scalar Multiplication (ECSM), which is the core operation of Elliptic Curve Cryptosystems (ECC). Meanwhile, the control of the overall TLS scheme is performed in software by an ARM Cortex-A9 microprocessor. In fact, the implementation of the ECC accelerator core around an ARM microprocessor allows not only the improvement of ECSM execution but also the performance enhancement of the overall cryptosystem. The integration of the ARM processor enables to exploit the possibility of embedded Linux features for high system flexibility. As a result, the proposed ECC accelerator requires limited area, with only 3395 LUTs on the Zynq device used to perform high-speed, 233-bit ECSMs in 413 µs, with a 50 MHz clock. Moreover, the generation of a 384-bit TLS handshake secret key between client and server coordinators requires 67.5 ms on a low cost Zynq 7Z007S device.

Two-Party Key Agreement Protocol Without Central Authority for Mobile Ad Hoc Networks

2019 ◽  
Vol 13 (4) ◽  
pp. 68-88
Author(s):  
Asha Jyothi Ch ◽  
Narsimha G.
Keyword(s):  
Routing Protocol ◽  
Key Agreement ◽  
Ad Hoc ◽  
Central Authority ◽  
Central Administration ◽  
Secret Key ◽  
Multiple Node ◽  
Man In The Middle ◽  
Mobile Ad Hoc ◽  
Hoc Networks

Key agreement (KA) without the use of a central authority is an elementary cryptographic problem to ensure security in MANETs because such networks consist of movable nodes with no fixed infrastructure or no central administration. The nodes communicate via wireless channels that are more prone to security attacks. A majority of the existing KA protocols assume the existence of central authority and hence, not perfectly suitable for a MANET environment. Proposed 2P-NCKA (Two-Party Non-Central authority KA) protocol creates a secret key between two users for a MANET which does not assume the use of a central authority and a prior password. It uses pairings, a verifiable secret sharing scheme and routing protocol. The AOPMDV protocol allows transmission of multiple packets across multiple node-disjoint paths in parallel so that one packet is in each path. This article also cryptanalyzes Li's KA protocol and has proven its vulnerability towards a man-in-the-middle (MITM) attack. The 2P-NCKA protocol is secure against MITM attacks and all known attacks and addresses problems of Li's protocol with a small increase in execution time.

scholarly journals QoS3: Secure Caching in HTTPS Based on Fine-Grained Trust Delegation

2019 ◽  
Vol 2019 ◽  
pp. 1-16
Author(s):  
Abdulrahman Al-Dailami ◽  
Chang Ruan ◽  
Zhihong Bao ◽  
Tao Zhang
Keyword(s):  
Transport Layer ◽  
Security And Privacy ◽  
Web Content ◽  
The Public ◽  
Fine Grained ◽  
Transport Layer Security ◽  
Man In The Middle ◽  
Hypertext Transfer Protocol ◽  
Caching Proxy ◽  
Object Level

With the ever-increasing concern in network security and privacy, a major portion of Internet traffic is encrypted now. Recent research shows that more than 70% of Internet content is transmitted using HyperText Transfer Protocol Secure (HTTPS). However, HTTPS encryption eliminates the advantages of many intermediate services like the caching proxy, which can significantly degrade the performance of web content delivery. We argue that these restrictions lead to the need for other mechanisms to access sites quickly and safely. In this paper, we introduce QoS3, which is a protocol that can overcome such limitations by allowing clients to explicitly and securely re-introduce in-network caching proxies using fine-grained trust delegation without compromising the integrity of the HTTPS content and modifying the format of Transport Layer Security (TLS). In QoS3, we classify web page contents into two types: (1) public contents that are common for all users, which can be stored in the caching proxies, and (2) private contents that are specific for each user. Correspondingly, QoS3 establishes two separate TLS connections between the client and the web server for them. Specifically, for private contents, QoS3 just leverages the original HTTPS protocol to deliver them, without involving any middlebox. For public contents, QoS3 allows clients to delegate trust to specific caching proxy along the path, thereby allowing the clients to use the cached contents in the caching proxy via a delegated HTTPS connection. Meanwhile, to prevent Man-in-the-Middle (MitM) attacks on public contents, QoS3 validates the public contents by employing Document object Model (DoM) object-level checksums, which are delivered through the original HTTPS connection. We implement a prototype of QoS3 and evaluate its performance in our testbed. Experimental results show that QoS3 provides acceleration on page load time ranging between 30% and 64% over traditional HTTPS with negligible overhead. Moreover, QoS3 is deployable since it requires just minor software modifications to the server, client, and the middlebox.

Sign in / Sign up

Export Citation Format

Share Document