
Computer Security - lesson 17

Stefano Zanero

16 June 2016

SSL Security

New protocol adoption

Every time a new protocol needs to be adopted, the critical mass question is a critical problem: the protocol is useless to its first adopters until enough other parties have adopted it too. This can be a major problem for startups/business plans that aim to replace a big player with a new, better system.

SSL

Phases:

  • cipher suite negotiation + exchange of random data (client and server randoms)
  • certificate verification: the client checks the server certificate before trusting the public key inside it
  • pre-master secret generation by the client
  • pre-master secret encryption with the server's public key (and optional client signing for client authentication)

The client can authenticate itself by signing with its own certificate, but this is an optional feature that almost nobody uses (99% of cases), so the majority of the time only the server is authenticated and the client is not.

The exchange of random data in SSL is used to ensure freshness of the communication: both randoms enter the derivation of the session key, so the key of each connection is fresh. This avoids replay attacks, in which an attacker replays the exact messages of an old communication to establish a connection: the replayed messages yield a different key because the other side has contributed a new random.

Man in the middle

A simple (passive) man in the middle attack can't get the content of a connection: the pre-master secret is encrypted with the server's public key, and without the server's private key the attacker cannot recover it and therefore cannot derive the session keys. An active attacker would have to present its own certificate to the client, which fails as long as the client actually verifies the certificate.
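The handshake phases above, the role of the randoms and the man in the middle case, as an added worked example that is not part of the original lecture notes. It is a toy simulation only: RSA is textbook RSA on fixed Mersenne primes with no padding (a stand-in for a real library so the script runs with the standard library alone), the "certificate" is a subject and public key signed by a toy CA, and the hostname `www.example.com`, the labels and the HMAC-based key derivation are assumptions standing in for real SSL/TLS encodings and the PRF.

```python
"""Toy SSL/TLS RSA handshake: randoms for freshness, certificate verification,
pre-master secret encrypted under the server's public key. Illustration only."""
import hashlib
import hmac
import secrets

SERVER_NAME = "www.example.com"   # assumed hostname for the toy certificate


# --- Textbook RSA on fixed Mersenne primes: no padding, no side-channel care.
#     Stand-in for a real library so the example runs with the stdlib only. ---
def rsa_keypair(p, q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)                      # (public, private)


def rsa_encrypt(pub, data):
    n, e = pub
    m = int.from_bytes(data, "big")
    assert m < n, "message too large for modulus"
    return pow(m, e, n)


def rsa_decrypt(priv, c, length):
    n, d = priv
    return pow(c, d, n).to_bytes(length, "big")


def rsa_sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), d, n)


def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(hashlib.sha256(data).digest(), "big")


# --- Minimal certificate: subject + public key, signed by a CA ---
def cert_tbs(subject, pub):
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue_cert(ca_priv, subject, pub):
    return {"subject": subject, "pub": pub,
            "sig": rsa_sign(ca_priv, cert_tbs(subject, pub))}


def verify_cert(ca_pub, cert, expected_subject):
    return (cert["subject"] == expected_subject
            and rsa_verify(ca_pub, cert_tbs(cert["subject"], cert["pub"]), cert["sig"]))


# --- Handshake phases ---
def derive_master(pre_master, client_random, server_random):
    # Stand-in for the SSL PRF: both randoms enter the key derivation.
    return hmac.new(pre_master, b"master secret" + client_random + server_random,
                    hashlib.sha256).digest()


def client_key_exchange(ca_pub, server_cert, client_random, server_random):
    # Phase 2: verify the certificate before trusting the public key inside it.
    if not verify_cert(ca_pub, server_cert, SERVER_NAME):
        raise ValueError("certificate verification failed")
    # Phases 3-4: fresh 48-byte pre-master secret, encrypted for the server only.
    pre_master = secrets.token_bytes(48)
    encrypted_pms = rsa_encrypt(server_cert["pub"], pre_master)
    return encrypted_pms, derive_master(pre_master, client_random, server_random)


def server_key_exchange(server_priv, encrypted_pms, client_random, server_random):
    # Only the holder of the server private key can recover the pre-master secret.
    pre_master = rsa_decrypt(server_priv, encrypted_pms, 48)
    return derive_master(pre_master, client_random, server_random)


def run_handshake(ca_pub, server_cert, server_priv):
    client_random = secrets.token_bytes(32)    # Phase 1: ClientHello random
    server_random = secrets.token_bytes(32)    # Phase 1: ServerHello random
    encrypted_pms, client_master = client_key_exchange(ca_pub, server_cert,
                                                       client_random, server_random)
    server_master = server_key_exchange(server_priv, encrypted_pms,
                                        client_random, server_random)
    transcript = {"client_random": client_random, "server_random": server_random,
                  "encrypted_pms": encrypted_pms}   # what an eavesdropper sees
    return client_master, server_master, transcript


# --- Scenarios from the lecture ---
def replay_gives_old_key(transcript, old_master, server_priv):
    # Attacker replays the captured client random and encrypted pre-master secret.
    # The server draws a fresh random, so the new master secret differs from the old one.
    fresh_server_random = secrets.token_bytes(32)
    replayed_master = server_key_exchange(server_priv, transcript["encrypted_pms"],
                                          transcript["client_random"], fresh_server_random)
    return replayed_master == old_master


def forged_cert_accepted(ca_pub):
    # Active MitM presents a certificate for SERVER_NAME signed with its own key, not the CA's.
    mitm_pub, mitm_priv = rsa_keypair(2**2281 - 1, 2**3217 - 1)
    forged = issue_cert(mitm_priv, SERVER_NAME, mitm_pub)
    try:
        client_key_exchange(ca_pub, forged, secrets.token_bytes(32), secrets.token_bytes(32))
        return True
    except ValueError:
        return False


# Toy key material (constructed): CA and server use distinct fixed primes.
CA_PUB, CA_PRIV = rsa_keypair(2**521 - 1, 2**607 - 1)
SERVER_PUB, SERVER_PRIV = rsa_keypair(2**1279 - 1, 2**2203 - 1)
SERVER_CERT = issue_cert(CA_PRIV, SERVER_NAME, SERVER_PUB)

if __name__ == "__main__":
    cm, sm, tr = run_handshake(CA_PUB, SERVER_CERT, SERVER_PRIV)
    print("client and server agree on the master secret:", cm == sm)
    print("replayed handshake reproduces the old key:", replay_gives_old_key(tr, cm, SERVER_PRIV))
    print("forged certificate accepted by the client:", forged_cert_accepted(CA_PUB))
```

The eavesdropper's view is the `transcript` dictionary: both randoms and the RSA ciphertext, none of which yields the pre-master secret without `SERVER_PRIV`. The two scenario functions show the two defences the notes describe, freshness from the randoms and certificate verification against the CA, each failing the attacker for the reason the text gives.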

SET system

Meant to protect transactions, not connections.

The SET story was used by VISA and MasterCard to shift the responsibility for transaction fraud entirely onto merchants: the card networks had offered a secure alternative, and the merchants decided it was not economically convenient to adopt it.

Malware

Categories:

  • Virus: not a standalone executable, but a piece of code able to infect programs (attaching itself to a host) and self-propagate through them
  • Worm: a standalone executable form of virus, which self-propagates without needing a host program
  • Trojan Horse: a program that seems useful or innocent but hides malicious behaviour, such as the creation of a remote access channel