Common SSL/TLS Decryption Techniques

June 17, 2018

Introduction

The following article cover a few common SSL/TLS decryption techniques.

Please note that the article assumes that the attacker doesn’t have a pre-access to the digital certificate private key or the encryption keys.

Attack Vectors

1. Stealing the digital certificate private key and/or the SSL/TLS session key. A physical access, trojan horse or other client-side attack techniques can be used to accomplish this task. After it, the attacker can use sniffer or another tool, to copy the network traffic to a local or remote store, and then decrypt it. Please note the limitations of this technique while the SSL/TLS is based on the feature PFS (Perfect Forward Secrecy).

2. MiTM (Man-in-the-Middle) – For existing SSL/TLS session, first, a wise attacker will break the current session by “resetting” the TCP connection, downgrade connection to plaintext HTTP, downgrade the connection to a vulnerable SSL/TLS protocol version (I.e. fall back to an older version) or by using other techniques. After it, the MiTM attack could be deployed. For additional information please review: Man-in-the-Middle (MITM) Attacks

3. Calibration Curve – One of the limitations of the PKI (Public Key Infrastructure) is the ability to create a calibration curve. By this, the attacker would be able to map public key value to the private key value. Although it’s may look like over kill task, some posts in the internet provide additional highlights on this field.

4. ETA (Encrypted Traffic Analytics) – Cisco introduced recently a new technology that can be used to identify malware communication (or other data types according to the specification) in encrypted traffic, without the need for bulk decryption. For additional information please review: Encrypted Traffic Analytics

Summary

SSL/TLS isn’t a bullet proof solution for data confidentiality. However, by using a few simple mitigation techniques, such as HSTS (HTTP Strict Transport Security) and SSL/TLS Pinning, the overall level of security level could be raised easily.

Add comment
facebook linkedin twitter email