Cryptographic strength of SSL/TLS servers: current and recent practices

The Secure Sockets Layer (SSL) protocol and its variant, Transport Layer Security (TLS), are used to secure connections to servers. In this paper, we characterize the cryptographic strength of public servers running SSL/TLS. We present a tool developed for this purpose, the Probing SSL Security Tool (PSST), and use it to evaluate over 19,000 servers. We expose the great diversity in the levels of cryptographic strength supported on the Internet. Some of our discouraging results show that most sites still support the insecure SSL 2.0, weak export-grade encryption ciphers, or weak RSA key sizes. We also observe encouraging behavior, such as sensible default choices by servers when presented with multiple options, the quick adoption of AES (more than half the servers choose strong-key AES as their default), and the use of strong RSA key sizes of 1024 bits and above. Comparing the results of running our tool over the last two years points to a positive trend, though perhaps one not moving as quickly as it should.
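The abstract groups a probed server's weaknesses into three categories (SSL 2.0 support, export-grade ciphers, RSA keys below 1024 bits) and counts an AES default as a strength. The grader below is an added example, not the paper's PSST tool; the `ProbeResult` record layout, the 128-bit floor for "strong-key AES" and the two sample hosts are constructed for illustration.

```python
# Added example (not the paper's PSST tool): grade one probed server against the
# weak-configuration categories the abstract names. Record format and data are constructed.
import re
from dataclasses import dataclass
from typing import List

@dataclass
class ProbeResult:
    host: str
    protocols: List[str]    # protocol versions the server accepted
    ciphers: List[str]      # IANA-style cipher suite names accepted
    default_cipher: str     # suite the server chose when offered all of them
    rsa_bits: int           # RSA modulus size of the server certificate

MIN_RSA_BITS = 1024         # the paper counts 1024 bits and above as strong

def is_export_grade(suite: str) -> bool:
    """Export-grade suites carry EXPORT in their name, e.g. TLS_RSA_EXPORT_WITH_RC4_40_MD5."""
    return "EXPORT" in suite.upper()

def aes_key_bits(suite: str) -> int:
    """AES key length named in the suite (AES_128 -> 128); 0 if the suite is not AES."""
    m = re.search(r"AES_(\d+)", suite.upper())
    return int(m.group(1)) if m else 0

def grade(r: ProbeResult) -> List[str]:
    """Findings for one server; an empty list means no weak category applied."""
    findings = []
    if "SSLv2" in r.protocols:
        findings.append("supports insecure SSL 2.0")
    export = sorted(s for s in r.ciphers if is_export_grade(s))
    if export:
        findings.append("accepts export-grade ciphers: " + ", ".join(export))
    if r.rsa_bits < MIN_RSA_BITS:
        findings.append(f"weak RSA key: {r.rsa_bits} bits")
    return findings

def default_is_strong_aes(r: ProbeResult) -> bool:
    """True when the default choice is AES; the 128-bit floor is this example's assumption."""
    return aes_key_bits(r.default_cipher) >= 128

# Constructed sample records, not real hosts or scan output
SAMPLE = [
    ProbeResult("legacy.example", ["SSLv2", "SSLv3", "TLSv1"],
                ["TLS_RSA_EXPORT_WITH_RC4_40_MD5", "TLS_RSA_WITH_RC4_128_MD5"],
                "TLS_RSA_WITH_RC4_128_MD5", 512),
    ProbeResult("modern.example", ["SSLv3", "TLSv1"],
                ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
                "TLS_RSA_WITH_AES_256_CBC_SHA", 2048),
]
```

Running `grade` over each record in `SAMPLE` reproduces the paper's per-server classification; aggregating the findings across a scan gives the population-level percentages the abstract reports.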
