Your search keyword '"COMPUTER network protocols"' showing total 4 results

1. A Messy State of the Union: Taming the Composite State Machines of TLS.

Author

Beurdouche, Benjamin, Bhargavan, Karthikeyan, Delignat-Lavaud, Antoine, Fournet, Cédric, Kohlweiss, Markulf, Pironti, Alfredo, Strub, Pierre-Yves, and Zinzindohoue, Jean Karim

Subjects

*COMPUTER network protocols, *FINITE state machines, *CLIENT/SERVER computing, *COMPUTER security

Abstract

The Transport Layer Security (TLS) protocol supports various authentication modes, key exchange methods, and protocol extensions. Confusingly, each combination may prescribe a different message sequence between the client and the server, and thus a key challenge for TLS implementations is to define a composite state machine that correctly handles these combinations. If the state machine is too restrictive, the implementation may fail to interoperate with others; if it is too liberal, it may allow unexpected message sequences that break the security of the protocol. We systematically test popular TLS implementations and find unexpected transitions in many of their state machines that have stayed hidden for years. We show how some of these flaws lead to critical security vulnerabilities, such as FREAK. While testing can help find such bugs, formal verification can prevent them entirely. To this end, we implement and formally verify a new composite state machine for OpenSSL, a popular TLS library. [ABSTRACT FROM AUTHOR]

Published

2017

2. 700,000 OpenSSH servers vulnerable to remote code execution CVE.

Author

Kapko, Matt

Subjects

COMPUTER network protocols, CLIENT/SERVER computing, REMOTE computing, COMPUTER software, COMPUTER security

Abstract

The article focuses on a critical vulnerability, CVE-2024-6387, affecting OpenSSH servers. Topics include the risk of remote code execution, the potential impact on system security, and recommendations for mitigation. Researchers at Qualys discovered the vulnerability, dubbed "regreSSHion," which affects OpenSSH versions 8.5p1 to 9.7p1. The latest update, version 9.8p1, addresses this issue.

Published

2024

3. On improving resistance to Denial of Service and key provisioning scalability of the DTLS handshake.

Author

Tiloca, Marco, Gehrmann, Christian, and Seitz, Ludwig

Subjects

*DENIAL of service attacks, *CLIENT/SERVER computing, *COMPUTER network protocols, *COMPUTER security, *SCALABILITY

Abstract

DTLS is a transport layer security protocol designed to provide secure communication over unreliable datagram protocols. Before starting to communicate, a DTLS client and server perform a specific handshake in order to establish a secure session and agree on a common security context. However, the DTLS handshake is affected by two relevant issues. First, the DTLS server is vulnerable to a specific Denial of Service (DoS) attack aimed at forcing the establishment of several half-open sessions. This may exhaust memory and network resources on the server, so making it less responsive or even unavailable to legitimate clients. Second, although it is one of the most efficient key provisioning approaches adopted in DTLS, the pre-shared key provisioning mode does not scale well with the number of clients, it may result in scalability issues on the server side, and it complicates key re-provisioning in dynamic scenarios. This paper presents a single and efficient security architecture which addresses both issues, by substantially limiting the impact of DoS, and reducing the number of keys stored on the server side to one unit only. Our approach does not break the existing standard and does not require any additional message exchange between DTLS client and server. Our experimental results show that our approach requires a shorter amount of time to complete a handshake execution and consistently reduces the time a DTLS server is exposed to a DoS instance. We also show that it considerably improves a DTLS server in terms of service availability and robustness against DoS attack. [ABSTRACT FROM AUTHOR]

Published

2017

4. An efficient client-client password-based authentication scheme with provable security.

Author

Farash, Mohammad and Attari, Mahmoud

Subjects

*CLIENT/SERVER computing, *COMPUTER passwords, *COMPUTER access control, *COMPUTER security, *COMPUTER network protocols

Abstract

Recently, Tso proposed a three-party password-based authenticated key exchange (3PAKE) protocol. This protocol allows two clients to authenticate each other and establish a secure session key through a server over an insecure channel. The main security goals of such protocols are authentication and privacy. However, we show that Tso's protocol achieves neither authentication goal nor privacy goal. In this paper, we indicate that the privacy and authentication goals of Tso's protocol will be broken by off-line password guessing attack and impersonation attack, respectively. To overcome the weaknesses, we propose an improved 3PAKE protocol to achieve more security and performance than related protocols. The security of the proposed improved protocol is proved in random oracle model. [ABSTRACT FROM AUTHOR]

Published

2014