Ask a question to Desklib · AI bot

Ask NowBETA

CVE-2014-3566- Executive Summary

3 Pages1049 Words439 Views
   

Added on  2019-09-19

BookmarkShareRelated Documents
Executive SummaryTLS or Transport Layer Security as well as its predecessor known as SSL or Secure SocketsLayer are secure protocols that are designed for providing encryption over wireless networks.HTTPs is the default standard network protocol of HTTP that is used in combination with aTLS or SSL channel. Now, CVE-2014-3566 or more commonly known as the POODLE is aweakness in version 3 of the SSL protocol. This vulnerability allows an attacker to recoversmall bits of information in plaintext, although from an encrypted SSL 3 connection byissuing various crafted HTTPS requests. The attacker can issues multiple HTTPS requestsand get plaintext byte and therefore allows him to gues a particular byte. In order to mitigatethis vulnerability, lots of companies have jumped over the TLS protocol.Technical DescriptionVulnerability DescriptionA vulnerability discovered in the third version of Secure Socket Layer allows for attacker toguess the plaintext in secure encrypted connections, effectively defeating the sole purpose ofSSL. The SSL security SSL and TLS are communication protocol that protect the integrityand confidential of communications by encrypting the messages end to end. However, thevulnerability here kon as POODLE or Padding Oracle on Downgraded Legacy Encryptionhave been discovered. Malicious agents are likely going to make this vulnerability into a full-fledged attack. This vulnerability can be executed via the man-in-the-middle type of attackswhere an attacker would force the downgrade of an encryption protocol to the version 3 ofSSL and thereafter targeting the system which is decrypting the data. In the process, theattacker would also be observing the exchange and also applying for a paddle based attack inorder to recover the plain type text [1]. Attack VectorThe main attack vector here is in the form of a man-in-middle type of attack. In this case, theattacker assumes the role of the middle man and makes use of multiple types of man-in-themiddle techniques for the attack. The handshake here begins when the client’s device sends ahello message to the server to which it responds with another help message. Once both sidehas completed the handshake, the encrypted data would begin transferring. This is exactlywhen the page starts to be displayed on the screen. The encrypted data being exchangedbetween the client and server is the main data that is crucial for the attack to happen. Theattacker performs a man in the middle attack in order to send a request to the server and
CVE-2014-3566- Executive Summary_1

Found this document preview useful?

Related Documents
SSL/TLS VPN Technologies for Secure Network Connection
|8
|2000
|419

TLS/SSL Handshake with RSA and DHE - Desklib
|16
|2305
|399

Questions & Answers on Symmetric Block Cipher and Encryption Process
|12
|2956
|64

SSL Handshake: A Process for Secure Communication between Client and Server
|5
|774
|344

Research Paper: Heartbleed Vulnerability
|4
|1054
|112

CSI2102 - Introduction to Information Security
|6
|883
|177