The real impact of obsolete cryptography, applied to SSL/TLS

English entry
Category: Seminar
Author: Olivier Levillain
Date: July 2016
Series: SSL/TLS

SSL/TLS, a 20-year-old security protocol, has become a major component securing network communications, from HTTPS e-commerce and social network sites to Virtual Private Networks, from e-mail protocols to virtually every possible protocol.

The problem SSL/TLS is trying to solve can be summarised as an authenticated key exchange followed by the establishment of a secure channel providing confidentiality and integrity to application data. Theoretically, this problem is a solved one. In practice, however, SSL/TLS carries a heavy history, from its inception as SSLv2, which is vulnerable to numerous attacks, up to TLS 1.3, still a work in progress at the IETF.

Thus, the algorithms and modes used in practice in TLS do not reflect the state of the art. In this presentation, we will describe three examples of weak constructions that are still frequently used by our browsers:

Presented at the Cyber In Bretagne summer school in Rennes, France, in July 2016
