Application security encompasses measures taken throughout the application's life-cycle to prevent exceptions in the security policy of an application or the underlying system (vulnerabilities) through flaws in the design, development, deployment, upgrade, or maintenance of the application.

Monday, June 13, 2011

How to discover weak SSL/ciphers supported by the server

In SSL communication, both symmetric and asymmetric keys are used for encryption. A key pair (public and private) generated by an asymmetric algorithm protects keys and key distribution, while a secret key generated by a symmetric algorithm is used for bulk encryption. That secret symmetric key is the session key, agreed between client and server for a particular session. SSL uses this symmetric key because it makes the encryption process faster.

If the server supports any weak encryption, there is a chance that the client and server will agree on it and generate a weak session key. For example, most web servers on the internet, such as Apache, allow connections with SSLv2, which is known to be broken. Even good methods, like SSLv3, support weak ciphers like RC4, which should also be disabled. So all weak encryption supported by the server needs to be blocked or patched.

Several open source tools, such as THCSSLCheck and SSLDigger, can be used to check for weak encryption supported by the server. You can find more about these tools in the pentest tools section.
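
The check such tools perform can be sketched as follows. This is an added example, not code from THCSSLCheck or SSLDigger: it offers the server one cipher suite at a time and records which weak ones it accepts. The function names and the `WEAK_MARKERS` list are assumptions made for this example; only RC4 is named in the post.

```python
import socket
import ssl
import sys

# RC4 is the weak cipher named in the post; the other markers (NULL, export,
# DES/3DES, MD5, anonymous DH) are assumptions added for this example.
WEAK_MARKERS = ("RC4", "NULL", "EXP", "DES", "MD5", "ADH", "AECDH")


def is_weak(cipher_name):
    """True if an OpenSSL-style suite name contains a weak-algorithm marker."""
    return any(marker in cipher_name for marker in WEAK_MARKERS)


def candidate_ciphers():
    """Names of all pre-TLS-1.3 suites the local OpenSSL build can offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:COMPLEMENTOFALL:@SECLEVEL=0")
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def server_accepts(host, port, cipher, timeout=5.0):
    """True if the server completes a handshake when only `cipher` is offered."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # auditing ciphers, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # keep TLS 1.3 suites out
    try:
        ctx.set_ciphers(cipher + ":@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.cipher()[0] == cipher
    except OSError:                  # ssl.SSLError is a subclass of OSError
        return False


def audit(host, port, candidates=None, accepts=server_accepts):
    """Sorted list of weak suites that the server agreed to negotiate."""
    names = candidate_ciphers() if candidates is None else candidates
    return sorted(c for c in names if is_weak(c) and accepts(host, port, c))


if __name__ == "__main__":
    # Usage: python audit.py <host> [port], against a server you administer.
    target, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for name in audit(target, port):
        print("weak cipher accepted:", name)
```

The probe can only offer suites and protocol versions that the local OpenSSL build still supports, so a current client will not detect SSLv2 and may not be able to offer RC4 at all.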
