ipv6 tls security scanning
play

IPv6 TLS Security Scanning Master Thesis Intermediate Talk Pirmin - PowerPoint PPT Presentation

Oct 27, 2023 •38 likes •188 views

Chair of Network Architectures and Services Technical University of Munich IPv6 TLS Security Scanning Master Thesis Intermediate Talk Pirmin Blanz 28.09.2016 Chair of Network Architectures and Services Department of Informatics Technical

  1. Chair of Network Architectures and Services Technical University of Munich IPv6 TLS Security Scanning Master Thesis Intermediate Talk Pirmin Blanz 28.09.2016 Chair of Network Architectures and Services Department of Informatics Technical University of Munich Advisors: Oliver Gasser, Quirin Scheitle, Dr. Ralph Holz Pirmin Blanz – IPv6 TLS Security Scanning 1

  2. Chair of Network Architectures and Services Technical University of Munich Motivation Related Work Approach Analysis Next Steps Pirmin Blanz – IPv6 TLS Security Scanning 2

  3. Chair of Network Architectures and Services Technical University of Munich Motivation ◮ TLS Security Scanning ◮ Protocol for security sensitive services (Banking, Shopping, etc.) ◮ TLS can be vulnerable: Weak ciphers, short keys, bad implementations (Heartbleed, DROWN) ◮ IHK TLS-Check (2016) [6] ◮ ∼ 16,000 Server of IHK member companies ◮ ∼ 6% SSL V2.0, ∼ 22% SSL V3.0, ∼ 87% TLS 1.0 ◮ ∼ 74% offer insecure cipher suites ◮ IPv6 TLS Security Scanning ◮ Plenty of existing IPv4 security scans ◮ Growing IPv6 deployment ( ∼ 10% [4]) ◮ How secure are IPv6 enabled hosts? ◮ How does IPv6 stand up in a comparison with IPv4 Pirmin Blanz – IPv6 TLS Security Scanning 3

  4. Chair of Network Architectures and Services Technical University of Munich Related Work ◮ Holz et al.: ” The SSL Landscape - A Thorough Analysis of the X.509 PKI Using Active and Passive Measurements ”[5] ◮ 1.5 years, ∼ 5.5M distinct X.509 certificates, ∼ 120M TLS connections ◮ ∼ 30% with weak cipher suites, ∼ 18% valid certificates ◮ Gasser et al.: ” Scanning the IPv6 Internet: Towards a Comprehensive Hitlist ”[3]) ◮ Guidelines for IPv6-Hitlist generation ◮ Alexa, DNS zone files, Passive measurements ◮ 150M IPv6 addresses, 84% AS coverage ◮ Czyz et al.: ” Don’t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy ”[1] ◮ Unintended port openness of Dualstack hosts ◮ ∼ 50% are more open (HTTPS by ∼ 19% ) Pirmin Blanz – IPv6 TLS Security Scanning 4

  5. Chair of Network Architectures and Services Technical University of Munich Approach 1. Gather targets (DNS name resolution using massdns ) 2. Port scan (using Zmap [2], Zmapv6 [3]) 3. Perform TLS handshakes (using goscanner ) and collect data (X.509 certificates, TLS handshake data) 4. Data analysis ( Jupyter Notebook with Pandas , PyOpenSSL ) ◮ Investigated subsets: IPv4, IPv6, dualstack, dualstack IPv4, dualstack IPv6 ◮ Investigated aspects: TLS (version, cipher suite ), X.509 certificates (Validity dates, signature algorithms, key length, ... ) Pirmin Blanz – IPv6 TLS Security Scanning 5

  6. Chair of Network Architectures and Services Technical University of Munich Evaluation (I) - The Dataset Overview - Numbers 1) Alexa 1 Mio 700,000 700235 2) Zmap Output 655134 3) Goscan Output 600,000 500,000 478978 Number IPs/Hosts 460441 400,000 392822 382186 300,000 200,000 100,000 55157 45100 32574 18536 20849 10636 0 IP Addresses IPv4 Addresses IPv6 Addresses Dualstack Hosts IP/Host Subsets ◮ Hosts accessible on port 443: ∼ 70%, Successful TLS handshake: ∼ 57% ◮ ∼ 390,000 TLS handshakes, ∼ 284,000 distinct certificates Pirmin Blanz – IPv6 TLS Security Scanning 6

  7. Chair of Network Architectures and Services Technical University of Munich Evaluation (II) - TLS Versions Protocols TLSv1 1.0 TLSv1.1 TLSv1.2 0.9 0.8 0.7 0.6 Percent 0.5 0.4 0.3 0.2 0.1 0.0 IPv4 Addresses Dualstack IPs Dualstack IPv4 Dualstack IPv6 Sets ◮ Various TLSv1 implementations are vulnerable (e.G.: to POODLE) ◮ TLSv1 is used more frequently on IPv4 hosts Pirmin Blanz – IPv6 TLS Security Scanning 7

  8. Chair of Network Architectures and Services Technical University of Munich Evaluation (I) - TLS Cipher Suites Ciphers 1.0 0.9 0.8 0.7 0.6 1) STRONG Percent 0.5 2) INTERMEDIATE 3) WEAK 0.4 0.3 0.2 0.1 0.0 IPv4 Addresses Dualstack IPs Dualstack IPv4 Dualstack IPv6 IP Subsets ◮ Strong: AES-GCM ≥ 128, PFS ◮ Intermediate: Known weaknesses. E.g.: CBC in TLS 1.0 ◮ Weak: Known to be broken. E.g.: 3DES, MD5 Pirmin Blanz – IPv6 TLS Security Scanning 8

  9. Chair of Network Architectures and Services Technical University of Munich Evaluation (IV) - X.509 Public Key ◮ 256-EC-RSA � = 3072-RSA/DSA ◮ 1024-RSA deprecated since 2008 Pirmin Blanz – IPv6 TLS Security Scanning 9

  10. 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 Chair of Network Architectures and Services Technical University of Munich Evaluation (V) - X.509 Signature Algorithms Certificate Signature Algorithms IPv4 Addresses 0.6 IPv4 only hosts Dualstack IPs Dualstack IPv4 0.5 Dualstack IPv6 0.4 Percent 0.3 0.2 0.1 0.0 sha256WithRSAEncryption sha1WithRSAEncryption ecdsa-with-SHA256 sha384WithRSAEncryption ecdsa-with-SHA384 Sets ◮ Collisions for SHA1 detected [7] ◮ IPv6 resp. dualstack hosts utilize ECDSA more frequently Pirmin Blanz – IPv6 TLS Security Scanning 10

  11. Chair of Network Architectures and Services Technical University of Munich Evaluation (VI) - X.509 Validity Certificate Validity IPv4 Addresses Dualstack IPv6 0.3 0.2 0.1 0.0 Expired 60 - 180 days 180 - 360 days 1 - 2 years 2 - 5 years 5 - 10 years 20 - 40 years ◮ Expired certificates won’t pass verification ◮ IPv4 hosts utilize expired certificates more frequently Pirmin Blanz – IPv6 TLS Security Scanning 11

  12. Chair of Network Architectures and Services Technical University of Munich Next Steps (I) ◮ Additional scans ◮ Comparison of multiple scans over time ◮ Multiple hitlists (DNS zone files next) ◮ Refine scanning ◮ SNI ◮ Dualstack detection ◮ Extend evaluation ◮ Certificate chains ◮ Vulnerabilities Pirmin Blanz – IPv6 TLS Security Scanning 12

  13. Chair of Network Architectures and Services Technical University of Munich Next Steps (II) - Estimated Schedule 2016 Aug Jun Jul Sep Oct Nov Dec Research Implement Analysis Framework Scanning Data Evaluation Thesis writing Today Pirmin Blanz – IPv6 TLS Security Scanning 13

  14. Chair of Network Architectures and Services Technical University of Munich Bibliography I [1] J. Czyz, M. Luckie, M. Allman, and M. Bailey. Don’t Forget to Lock the Back Door! A Characterization of IPv6 Network Security Policy. In Network and Distributed System Security Symposium , Feb. 2016. [2] Z. Durumeric, E. Wustrow, and J. A. Halderman. ZMap: Fast Internet-wide Scanning and Its Security Applications. In Usenix Security , volume 2013, 2013. [3] O. Gasser, Q. Scheitle, S. Gebhard, and G. Carle. Scanning the IPv6 Internet: Towards a Comprehensive Hitlist. In 8th Int. Workshop on Traffic Monitoring and Analysis , 2016. [4] Google. Ipv6 adpoption. Technical report, Google, https://www.google.com/intl/en/ipv6/statistics.html, 2016. [5] R. Holz, L. Braun, N. Kammenhuber, and G. Carle. The SSL Landscape: A Thorough Analysis of the X.509 PKI Using Active and Passive Measurements. In Proceedings of the 2011 ACM SIGCOMM conference on Internet measurement conference , pages 427–444. ACM, 2011. [6] IHK. Pk tls-check. Technical report, IHK, 2016. [7] M. Stevens, P . Karpman, and T. Peyrin. Freestart collision for full sha-1. Cryptology ePrint Archive, Report 2015/967, 2015. Pirmin Blanz – IPv6 TLS Security Scanning 14

  15. Chair of Network Architectures and Services Technical University of Munich Backup(I) - X.509 Versions Certificate X.509 Versions 1.0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 IP Addresses IPv4 Addresses IPv6 Addresses Dualstack IPs Dualstack IPv4 Dualstack IPv6 0.8 0.6 0.4 0.2 0.0 0 2 3 Pirmin Blanz – IPv6 TLS Security Scanning 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security

Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security

A Comparative Security Evaluation for IPv4 and IPv6 Addresses Vincent van der Eijk && Erik Lamers Comparing IPv4 port security to IPv6 port security Scanning the Internet for profit, ethically. 2 Why do we need to know this? IPv6

279 views • 16 slides
Overview System Security Scanning Security Scanning and Discovery Important Security Web

Overview System Security Scanning Security Scanning and Discovery Important Security Web

Overview System Security Scanning Security Scanning and Discovery Important Security Web Sites Fingerprinting OS FingerPrinting IP Stacks Share Scans Chapter 14 SNMP Vulnerabilities FingerPrinting TCP/IP Services

439 views • 8 slides
Mapping the Great Void Smarter scanning for IPv6 Richard Barnes, Rick Altmann, Daniel Kerr BBN

Mapping the Great Void Smarter scanning for IPv6 Richard Barnes, Rick Altmann, Daniel Kerr BBN

Mapping the Great Void Smarter scanning for IPv6 Richard Barnes, Rick Altmann, Daniel Kerr BBN Technologies Agenda Challenges for mapping the IPv6 Internet Some approaches to smarter scanning CIDR++ Registry information

736 views • 26 slides
IPv6 Implications for TCP/UDP Port Scanning Tim Chown tjc@ecs.soton.ac.uk IETF 65, March 23rd

IPv6 Implications for TCP/UDP Port Scanning Tim Chown tjc@ecs.soton.ac.uk IETF 65, March 23rd

IPv6 Implications for TCP/UDP Port Scanning Tim Chown tjc@ecs.soton.ac.uk IETF 65, March 23rd 2006 Dallas, TX draft-chown-v6ops-port-scanning-implications-02 Rationale The goals of the document are currently to Note the properties of

635 views • 6 slides
Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education

Security of IPv6 and DNSSEC for penetration testers Vesselin Hadjitodorov Master education System and Network Engineering June 30, 2011 Agenda Introduction DNSSEC security IPv6 security Conclusion Questions Security of IPv6

625 views • 33 slides
Target Generation for Internet-wide IPv6 Scanning Austin Murdock, Frank Li, Paul Bramsen, Zakir

Target Generation for Internet-wide IPv6 Scanning Austin Murdock, Frank Li, Paul Bramsen, Zakir

Target Generation for Internet-wide IPv6 Scanning Austin Murdock, Frank Li, Paul Bramsen, Zakir Durumeric, Vern Paxson Background IPv4 scanning - Zmap . 2 Background 2 128 addresses => 10 30 years to scan 32 nybbles (hex

518 views • 28 slides
IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor

IPv6 Protocol IPv6 Protocol Does it solve all the security problems of IPv4? Franjo Majstor EMEA Consulting Engineer fmajstor@cisco.com Cisco Systems, Inc. 1 fmajstor@cisco.com, IPv6 Security Agenda IPv6 Primer IPv6 Protocol

241 views • 21 slides
IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction

IPv6 Security David Kelsey (STFC-RAL) ISGC2016, Taipei 16 March 2016 Outline Introduction to WLCG & IPv6 IPv6 security & threats IPv6 protocol attacks Issues for site network & security teams Issues for sys admins

501 views • 34 slides
IPv6 Scanning Smart address selection and comparison to legacy IP Intermediate talk Sebastian

IPv6 Scanning Smart address selection and comparison to legacy IP Intermediate talk Sebastian

Chair for Network Architectures and Services Technische Universit at M unchen IPv6 Scanning Smart address selection and comparison to legacy IP Intermediate talk Sebastian Gebhard Supervisors: Oliver Gasser, Quirin Scheitle September

436 views • 32 slides
Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi,

Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi,

Balanced Security for IPv6 CPE draft-v6ops-vyncke-balanced-ipv6-security IETF86 Orlando M. Gysi, G. Leclanche, E. Vyncke, R. Anfinsen Status -00 posted on 25 January 2013 Some comments on the list (see later) Problem Statement

378 views • 10 slides
IPv6 Scanning Smart address selection and comparison to legacy IP Sebastian Gebhard Final Talk

IPv6 Scanning Smart address selection and comparison to legacy IP Sebastian Gebhard Final Talk

Chair of Network Architectures and Services Technical University of Munich IPv6 Scanning Smart address selection and comparison to legacy IP Sebastian Gebhard Final Talk on Masters Thesis in Electrical Engineering and Information Technology

1.01k views • 64 slides
Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The

Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The

Mobile IPv6 Security Arnaud Ebalard - EADS Corporate Research Center France Guillaume Valadon - The University of Tokyo / Laboratoire dInformatique de Paris 6 Summary IPv6 Mobile IPv6 Security and Mobile IPv6 Protections by

669 views • 50 slides
The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich,

The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich,

The Security Impact of IPv6 How I Learned to Stop Worrying and Love IPv6 Johannes B. Ullrich, Ph.D. jullrich@sans.edu 1 Housekeeping This presentation consists of slides and audio. If you are experiencing any problems/ issues,

1.12k views • 56 slides
Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension

Security Impacts of Security Impacts of Abusing IPv6 Extension Headers Abusing IPv6 Extension Headers Antonios Atlasis antonios.atlasis@cscss.org Centre for Strategic Cyberspace + Security Science Bio Independent IT Security

689 views • 66 slides
v6ops and security IPv6 Transition/Co-existence Security Considerations

v6ops and security IPv6 Transition/Co-existence Security Considerations

v6ops and security IPv6 Transition/Co-existence Security Considerations draft-savola-v6ops-security-overview-00.txt Pekka Savola, CSC/FUNET Overview Overview Look at different kinds of issues IPv6 protocol Transition mechanisms in general

853 views • 10 slides
IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda

IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda

IPv6 Security Concerns Introduction to Integralis Garry Sidaway SVP Security Strategy Agenda Introduction to Integralis IPv6 Security Concerns Questions Private & Confidential Continuous Secure Service Delivery Governance,

336 views • 21 slides
To BLISS-B or not to be - Attacking strongSwans Implementation of Post-Quantum Signatures

To BLISS-B or not to be - Attacking strongSwans Implementation of Post-Quantum Signatures

S C I E N C E P A S S I O N T E C H N O L O G Y To BLISS-B or not to be - Attacking strongSwans Implementation of Post-Quantum Signatures Peter Pessl 1 , Leon Groot Bruinderink 2 , Yuval Yarom 3 1 Graz University of

416 views • 27 slides
Oblivious Signature-Based Envelope scheme (OSBE) Presented By: Khaled Rabieh Supervisor: Dr.

Oblivious Signature-Based Envelope scheme (OSBE) Presented By: Khaled Rabieh Supervisor: Dr.

Oblivious Signature-Based Envelope scheme (OSBE) Presented By: Khaled Rabieh Supervisor: Dr. Mohamed Mahmoud Outline - What is Oblivious Signature-Based Envelope (OSBE)? - Applications - cryptosystem - Analysis 2 Problem Formulation -

339 views • 14 slides
Malware CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio

Malware CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio

Malware CS 161: Computer Security Prof. Vern Paxson TAs: Jethro Beekman, Mobin Javed, Antonio Lupher, Paul Pearce & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ April 16, 2013 Announcements / Goals Guest lecture next

543 views • 29 slides
Implementing Signatures for Transactional Memory Daniel Sanchez , Luke Yen, Mark Hill, Karu

Implementing Signatures for Transactional Memory Daniel Sanchez , Luke Yen, Mark Hill, Karu

Implementing Signatures for Transactional Memory Daniel Sanchez , Luke Yen, Mark Hill, Karu Sankaralingam University of Wisconsin-Madison Executive summary Several TM systems use signatures: Represent unbounded read/write sets in bounded

894 views • 37 slides
EOS Validation: SAFARI 2000 Hank Revercomb University of Wisconsin - Madison AIRS Science Team

EOS Validation: SAFARI 2000 Hank Revercomb University of Wisconsin - Madison AIRS Science Team

EOS Validation: SAFARI 2000 Hank Revercomb University of Wisconsin - Madison AIRS Science Team Meeting 19-21 June 2001 Topics: Scanning-HIS airborne FTIR (ER-2 and DC-8) South African Fires Smoke haze CO detection Land

524 views • 20 slides
Sign Extension Needed for 2s complement addition Consider case of adding two numbers of

Sign Extension Needed for 2s complement addition Consider case of adding two numbers of

Sign Extension Needed for 2s complement addition Consider case of adding two numbers of different widths 1 0 1 1 -5 0 1 0 0 1 0 +18 --------------- 0 1 1 1 0 1 +29! EEC 281, Winter 2008, B. Baas 75 Sign Extension Rule #1:

385 views • 3 slides
More about Binary 9/6/2016 Unsigned vs. Twos Complement 8-bit example: 1 1 0 0 0 0 1

More about Binary 9/6/2016 Unsigned vs. Twos Complement 8-bit example: 1 1 0 0 0 0 1

More about Binary 9/6/2016 Unsigned vs. Twos Complement 8-bit example: 1 1 0 0 0 0 1 1 2 1 +2 0 = 128+64+2+1 2 7 +2 6 + = 195 2 1 +2 0 = -128+64+2+1 -2 7 +2 6 + = -61 Why does twos complement work this way? The traditional

467 views • 30 slides
Slides for Lecture 3 ENEL 353: Digital Circuits Fall 2013 Term Steve Norman, PhD, PEng

Slides for Lecture 3 ENEL 353: Digital Circuits Fall 2013 Term Steve Norman, PhD, PEng

Slides for Lecture 3 ENEL 353: Digital Circuits Fall 2013 Term Steve Norman, PhD, PEng Electrical & Computer Engineering Schulich School of Engineering University of Calgary 13 September, 2013 slide 2/22 ENEL 353 F13 Section 02

398 views • 22 slides

More recommend