SSL communication uses both symmetric and asymmetric keys. A public/private key pair generated by an asymmetric algorithm protects the keys and their distribution, while a secret key generated by a symmetric algorithm is used for bulk encryption. That secret symmetric key is simply the session key that client and server agree on for a particular session; it is used because symmetric encryption makes the bulk of the process much faster.
If the server supports any weak encryption, there is a chance that client and server will agree on it and generate a weak session key. For example, most web servers on the internet, such as Apache, still allow connections with SSLv2, which is known to be broken. Even better protocol versions such as SSLv3 support weak ciphers like RC4, which should also be disabled. So all weak encryption supported by the server needs to be blocked or patched.
Several open source tools such as THCSSLCheck and SSLDigger can be used to check which weak encryption a server supports. You can find more about these tools in the pentest tools section.
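As an added example (not from the post or from either tool), here is a small audit routine that takes scanner-style "protocol cipher" lines, as the tools above report them, and flags the combinations the post says must be disabled: SSLv2, SSLv3, and weak suites such as RC4. The scan output embedded below is constructed for illustration; the marker list and reasons are assumptions, not a tool's own rules.

```python
# Protocol versions that must not be offered at all (see the post above).
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}

# Substrings of OpenSSL-style cipher names that mark a suite as weak, with
# the reason a defender would put in the finding. Assumed list, not exhaustive.
WEAK_CIPHER_MARKERS = [
    ("RC4", "RC4 stream cipher is broken"),
    ("EXP", "export-grade (40/56-bit) key length"),
    ("NULL", "no encryption at all"),
    ("ADH", "anonymous DH, no server authentication"),
    ("AECDH", "anonymous ECDH, no server authentication"),
    ("DES-CBC-", "single DES (56-bit); note DES-CBC3 is 3DES and not matched here"),
    ("MD5", "MD5-based MAC"),
]

# Constructed sample in the "protocol  cipher" shape a scanner prints.
SCAN_OUTPUT = """\
SSLv2    RC4-MD5
SSLv2    DES-CBC3-MD5
SSLv3    RC4-SHA
SSLv3    AES256-SHA
TLSv1    EXP-RC2-CBC-MD5
TLSv1    AES128-SHA
TLSv1.2  ECDHE-RSA-AES256-GCM-SHA384
"""


def weak_reasons(proto: str, cipher: str) -> list[str]:
    """Return every reason this protocol/cipher pair is weak (empty if acceptable)."""
    reasons = []
    if proto in WEAK_PROTOCOLS:
        reasons.append(f"{proto} is broken and must be disabled")
    name = cipher.upper()
    reasons.extend(why for needle, why in WEAK_CIPHER_MARKERS if needle in name)
    return reasons


def audit_scan(text: str) -> list[tuple[str, str, list[str]]]:
    """Parse scanner lines and return (proto, cipher, reasons) for each weak entry."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:  # skip blank lines and anything that is not "proto cipher"
            continue
        proto, cipher = parts
        reasons = weak_reasons(proto, cipher)
        if reasons:
            findings.append((proto, cipher, reasons))
    return findings


if __name__ == "__main__":
    for proto, cipher, reasons in audit_scan(SCAN_OUTPUT):
        print(f"{proto:8} {cipher:32} " + "; ".join(reasons))
```

Only the TLSv1 AES128-SHA and TLSv1.2 ECDHE entries pass; every SSLv2/SSLv3 line is flagged regardless of cipher, and RC4 and export suites are flagged on any protocol.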