Hong lei Zhang
Department of Computer Science
The University of Auckland zhon003@ec.auckland.ac.nz Abstract
Secure Socket Layer (SSL) and Transport Layer Security (TLS) is the protocol above
TCP, which can protect user’s privacy when they sending data from a client side to a web server, this is an important protocol due to the expansion of Internet. In fact, it is a long way to make the SSL/TLS protocol perfectly. However there are still shortcomings and problems during the development of SSL/TLS, and we cannot deny that there maybe some other potential security hole in the latest version. Successive attack is fatal for both the user and the company in using these protocols to establish a safe channel to transfer information. This article will introduce three typical attacks: Cipher suite rollback attack, version rollback attack and password interception in SSL/TLS channel.
1. Introduction
As the Internet and World Wide Web become popular, it is important to consider the system security. This is because the plaintext flowing through the Internet is unencrypted, it is for cracker or hacker, even a user without any programming knowledge, to intercept the message and modify it. So, How to protect personal privacy? How to ensure a safe online commerce? etc. These are the challenge for Information Technology.
SSL/TLS can set up a valid secure channel between server and client which can encode the plaintext, then the third party who intercept the message can not disclose the original message without decode it.
SSL consist of two phases: handshake and data transfer. During the handshake process, the client and server use a public-key encryption algorithm to determine secretkey parameters, during the data transfer process, both sides use the secret key to encrypt and decrypt successive data transmissions [1].
-1-
There are potential dangers both during handshake and data transfer state,