Is your organisation ready for the change in security protocol support?

The PCI Security Standards Council has stated on its official site* that:
"30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data."

Is your organisation ready for this change?


HTTP is insecure and is subject to eavesdropping attacks because the data transferred from the web browser to the web server, or between other endpoints, is transmitted in plain text. This means attackers can intercept and view sensitive data, e.g. account logins. When data is sent or posted through a browser using HTTPS, a secure version of HTTP, that information is encrypted and secure from interception.
HTTPS is powered by several security protocols or ciphers. Let's get a basic understanding of these security protocols and why some of them are regarded as obsolete:

What is SSL
SSL is an acronym for Secure Sockets Layer. It was the most widely deployed cryptographic protocol to provide security over internet communications. It was developed in the mid-1990s by Netscape. SSL 1.0 was never released to the public, and SSL 2.0 had serious flaws. SSL 3.0, released in 1996, was completely revamped but eventually presented its own flaws which were later all exploited.
This exploit was called the POODLE attack. To understand this attack, click on the link below:
How the POODLE attack was used to exploit SSL v3.0 


What is TLS
TLS (Transport Layer Security) was released in 1999 and was standardized by the Internet Engineering Task Force (IETF).

The TLS protocol encrypts internet traffic of all types. The most common is web traffic; you know your browser is connected via TLS if the URL in your address bar starts with "https". TLS can also be used by other applications, e.g. e-mail.
TLS begins its encryption process with a step in which the client and the server agree on a session key. This process is referred to as the HANDSHAKE. It is the heart of the TLS protocol.

Process of establishing a TLS handshake
The TLS handshake process is quite complex, and there are a number of variations allowed by the protocol. The following steps provide an outline of how it works.

  1. The client contacts the server and requests a secure connection. 
  2. The server replies with the list of cipher suites that it knows how to use. These cipher suites are toolkits for creating encrypted connections.
  3. The client compares this against its own list of supported cipher suites, selects one, and lets the server know that they'll both be using it.
  4. The server then provides its digital certificate, an electronic document issued by a third-party authority confirming the server's identity. The most important piece of information in the certificate is the server's public cryptographic key. 
  5. The client confirms the certificate's authenticity.
  6. Using the server's public key, the client and server establish a session key that both will use for the rest of the session to encrypt communication. 
  7. There are several techniques for doing this. The client may use the public key to encrypt a random number which is then sent to the server to decrypt. Both parties will then use that number to establish the session key.

Types of TLS

  • TLS 1.0: This was the first version of TLS, launched in 1999. This version was vulnerable to the BEAST and POODLE attacks.
  • TLS 1.1: This was the second version, launched in 2006, which made improvements to the previous version. TLS 1.1 would however later prove to require an upgrade, as it was also vulnerable to the BEAST and POODLE attacks.
  • TLS 1.2: This is the most current defined version of the protocol. It established a host of new cryptographic options for communication. However, like some previous versions of the protocol, it also allowed older cryptographic techniques to be used in order to support older computers, which unfortunately opens it up to vulnerabilities.
  • TLS 1.3: This is the latest version of the TLS protocol and is currently gaining traction. It plugs a lot of existing vulnerabilities by discarding support for legacy encryption systems. There is however backwards compatibility, in the sense that connections will fall back to TLS 1.2 if one end isn't capable of using the newer encryption in TLS 1.3.

Furthermore, the PCI Data Security Standard (PCI-DSS) requires that you disable the use of any SSL/TLS 1.0 implementations by June 30, 2018.
TLS 1.1 will still be accepted by PCI although they strongly recommend using TLS 1.2.
It should however be noted too that many merchants, sites accepting card payments and internet banking platforms will soon be terminating support for TLS versions below TLS 1.1.
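
To see where your own servers stand against this deadline, you can read the protocol version out of the ServerHello messages in captured handshakes. The Python below is an added example, not code from the PCI SSC or from this blog: it parses one raw ServerHello record and grades the selected version against the policy described above. The function names (negotiated_version, pci_status, build_server_hello) and the sample records are constructed for illustration.

```python
import struct

# Wire values of the two-byte protocol version field.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
            0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS = 0x002B  # extension where a TLS 1.3 server states its version

def negotiated_version(record: bytes) -> int:
    """Return the protocol version a server selected, from one ServerHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(hello) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    version = struct.unpack("!H", hello[:2])[0]
    pos = 2 + 32 + 1 + hello[34] + 2 + 1  # version, random, session id, suite, compression
    if pos > len(hello):
        raise ValueError("bad session id length")
    if pos + 2 > len(hello):              # no extensions: the legacy field is final
        return version
    end = min(pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0], len(hello))
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
        if etype == SUPPORTED_VERSIONS and elen == 2 and pos + 6 <= end:
            return struct.unpack("!H", hello[pos + 4:pos + 6])[0]
        pos += 4 + elen
    return version

def pci_status(version: int) -> str:
    """Policy from this page: SSL and TLS 1.0 fail, TLS 1.1 passes, TLS 1.2+ preferred."""
    if version not in VERSIONS:
        return f"FAIL: unrecognised version 0x{version:04x}"
    if version <= 0x0301:
        return f"FAIL: {VERSIONS[version]} must be disabled"
    if version == 0x0302:
        return f"WARN: {VERSIONS[version]} accepted, TLS 1.2 strongly encouraged"
    return f"OK: {VERSIONS[version]}"

def build_server_hello(legacy: int, selected: int = 0) -> bytes:
    """Constructed sample record: zeroed random, empty session id, suite 0x002f."""
    hello = struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if selected:  # TLS 1.3 style: legacy field says 1.2, the extension says 1.3
        ext = struct.pack("!HHH", SUPPORTED_VERSIONS, 2, selected)
        hello += struct.pack("!H", len(ext)) + ext
    hs = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs
```

Calling pci_status(negotiated_version(record)) on each captured ServerHello gives one verdict per server. A TLS 1.3 server is only recognised through the supported_versions extension, because its legacy version field still reads TLS 1.2.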

So it's time to upgrade your server settings to the preferred security protocol if you want to pass the PCI-DSS compliance test.

For further interest, please check this post out:

How the POODLE attack was used to exploit SSL v3.0 


Thanks for reading this post. I hope you found it helpful.
If you have any comments, please do not hesitate to post a comment.


* https://blog.pcisecuritystandards.org
