Attack on Sun’s MIDP Reference Implementation of SSL
نویسندگان
چکیده
Key generation on resource-constrained devices is a challenging task. This paper describes a proof-of-concept implementation of an attack on Sun’s reference implementation of the Mobile Information Device Profile (MIDP). It is known that this implementation has a flaw in the generation of the premaster secret in SSL. The attack recovers the symmetric keys and plaintext from an SSL session.
منابع مشابه
SSL Man-in-the-Middle Attacks
TCP/IP protocols have long been subject to man-in-the-middle (MITM) attacks, but the advent of SSL/TLS was supposed to mitigate that risk for web transactions by providing endpoint authentication and encryption. The advent of Dug Song's 'webmitm' in late 2000 demonstrated the feasibility of mounting an MITM attack on the protocol, but a properlyconfigured client SSL implementation would warn th...
متن کاملSSL/TLS session-aware user authentication - Or how to effectively thwart the man-in-the-middle
Man-in-the-middle attacks pose a serious threat to SSL/TLSbased electronic commerce applications, such as Internet banking. In this paper, we argue that most deployed user authentication mechanisms fail to provide protection against this type of attack, even when they run on top of SSL/TLS. As a possible countermeasure, we introduce the notion of SSL/TLS session-aware user authentication, and p...
متن کاملThe most recent SSL security attacks: origins, implementation, evaluation, and suggested countermeasures
Attacks have been targeting secure socket layer (SSL) from the time it was created especially because of its utmost importance in securing Web transactions. These attacks are either attacks exploiting vulnerabilities in the SSL protocol itself, or attacks exploiting vulnerabilities in the services that SSL uses, such as certificates and web browsers. While the attacks on SSL itself have been su...
متن کاملA Proof of concept Implementation of SSL/TLS Session-Aware User Authentication
Man-in-the-middle (MITM) attacks pose a serious threat to SSL/TLS-based e-commerce applications, such as Internet banking. SSL/TLS session-aware user authentication can be used to mitigate the risks and to protect users against MITM attacks in an SSL/TLS setting. In this paper, we further delve into SSL/TLS session-aware user authentication and possibilities to implement it. More specifically, ...
متن کاملA Proof of Concept Implementation of SSL/TLS Session-Aware User Authentication (TLS-SA)
Most SSL/TLS-based e-commerce applications employ conventional mechanisms for user authentication. These mechanisms—if decoupled from SSL/TLS session establishment—are vulnerable to manin-the-middle (MITM) attacks. In this paper, we elaborate on the feasibility of MITM attacks, survey countermeasures, introduce the notion of SSL/TLS session-aware user authentication (TLS-SA), and present a proo...
متن کامل