School: Purdue University, Northwest
Course: 25000
Subject: Information Systems
Date: Dec 6, 2023
Type: docx
Pages: 3
Uploaded by ChefPencil9883
M04 - Part 1: Hands-On Project 7-1: SSL Server and Client Tests
At the end of your reading for this part of the module, you will find Hands-On projects. Go to Hands-On
Project 7-1. Complete it and make sure to answer the questions on steps 5, 6, 7, 8, 11, 13, 14, and 20.
Type your answers in a word-processing document and submit for grading.
5. If this site did not receive an Overall Rating of A under Summary, you will see the reasons listed. Read
through these. Would you agree? Why?
To address this question, even though the website I visited had an A+ rating, I looked at another website
that didn't. I looked at ASC.ARMY.MIL, and it received a B rating. This was primarily due to the fact that
it uses RSA key exchange rather than "Forward Secrecy." In essence, PFS lets you maintain session
security even in the event that your private key is compromised. The remaining ratings fell within the
authorized range.
6. Scroll through the document and read through the Certificate #1 information. Note the information
supplied regarding the digital certificates. Under Certification Paths, click Click here to expand, if
necessary, to view the certificate chaining. What can you tell about it?
The certificate indicates to me that Love4Taylor. Because DST Root CA X3 is self-signed and can be
spoofed, it is important to have a Subordinate Certificate Authority, such as Let's Encrypt
Authority X3, along with a signoff to confirm authenticity and LOVE4TAYLOR. This makes me a
trusted site. Although it can only confirm the connection—not the authenticity of the certificate—I am the
working certificate.
7. Scroll down to Configuration. Note the list of protocols supported and not supported. If this site were
to increase its security, which protocols should it no longer support? Why?
TLS 1.0 is the next version that I believe won't be supported. Due to its vulnerability to the "BEAST"
attack, as well as the fact that newer versions have largely replaced it—mandated upgrades even for the
banking sector by the US government—it has been phased out. Having said that, TLS 1.1 might not be
supported either, as NIST currently advises everyone to update to at least TLS 1.2; therefore, it really
depends on the security protocols that are established going forward.
8. Under Cipher Suites, interpret the suites listed. Notice that they are given in server-preferred order. To
increase its security, which cipher suite should be listed first? Why?
If improved security over server preference was the primary determinant of order in TLS 1.3, the order
would be as follows.
TLS_CHACHA20_POLY1305_SHA256 (0x1303) ECDH x25519 (eq. 3072 bits RSA) FS
TLS_AES_256_GCM_SHA384 (0x1302) ECDH x25519 (eq. 3072 bits RSA) FS
TLS_AES_128_GCM_SHA256 (0x1301) ECDH x25519 (eq. 3072 bits RSA) FS
As CHACHA20 is currently the most effective method for utilizing AEAD construction to combine
encryption and authentication and is roughly three times faster than AES_GCM.
In TLS 1.2, the order would be
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcca9)
OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 (0xcc14)
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xc02c)
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA (0xc009)
This is due to the fact that, once more, CHACHA_POLY1305 is the best standard, and "OLD TLS is
merely a more recent iteration of TLS CHACHA20, but it is still superior to TLS AES_256_GCM, TLS
AES_128_GCM, and AES 128_CBC, respectively."
11. Select one of the Recent Worst sites. Review the Summary, Authentication, Configuration,
Cipher Suites, and Handshake Simulation. Would you agree with this site’s score?
I visited www.etek.com, and the overall rating was C. Because it has been discovered that HTTP, SSL, and
VPN servers use the same prime numbers for their key exchange, one reason for this was that it was using
a weak Diffie-Hellman key exchange. Regrettably, it has been discovered that utilizing the same primes
poses a vulnerability, which is the first step in breaking DH connections. Second, the use of the DH key
vulnerability rather than the more robust RSA key exchange makes man-in-the-middle attacks easier to
execute. Additionally, the site was awarded this grade because it uses SSL 3, a version of the protocol that
is known to be vulnerable to the "POODLE" attack where CBC encryption is used in its configuration.
Approximately thirty percent of the handshake tests also revealed potential vulnerabilities to the DROWN
attack due to the use of common DH primes. However, this website also has a trusted certificate.
13. Enter the name of your school or work URL and generate a report. What score did it receive?
Ivytech received a score of B.
14. Review the Summary, Authentication, Configuration, Cipher Suites, and Handshake Simulation.
Would you agree with this site’s score?
It uses a subordinate CA for authentication in addition to its trusted, self-signed Certificate. Because it
uses RSA key exchange and does not support forward secrecy, it was given a lower grade of B status. To
improve this status, a server that supports ECDHE suites would be required. Furthermore, even though
TLS 1.1 isn't a bad version, it is now outdated. It is still in use. When I examined handshakes, it was clear
that Ivytech also uses TLS 1.2. All handshakes were conducted using TLS 1.2 alone, but they were still in
TLS 256/128 CBC rather than CHACHA20_poly1305.
20. Return to www.ssllabs.com, click Projects, and then click SSL Client Test to compare the two scores.
From a security perspective, which browser is better? Why?
https://www.ssllabs.com/ssltest/viewMyClient.html
vs.
https://www.ssllabs.com/ssltest/analyze.html?d=ivytech.edu
I have included the site view for each client test so that you can see a comparison, but I'm not sure what
screenshots you required for this assignment. However, my server was significantly superior to IVYtech
in that my browser supported TLS 1.2 protocols well, Logjam had no known vulnerabilities or FREAK
vulnerabilities, and it was impervious to POODLE attacks. It did have some lesser preferences, using
AES_256 and 128 GCM and CBC, respectively, that were considered weak but were lowest on the list of
cipher suite preferences, even though it was still using TLS 1.0. It was also supporting TLS 1.1, TLS 1.2,
and TLS 1.3 in addition to using ECDHE and CHACHA20_poly1305, which supports forward
secrecy. Overall, when comparing the two, IVYtech lags slightly in using the most recent TLS version,
updating to prevent vulnerabilities, and switching to ECDHE to support PFS. Nevertheless, IVYtech
remains secure.
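Added example (not part of the original submission and not SSL Labs code): a small Python check for the three properties the answers to steps 5, 7, 8 and 14 weigh when reading a report, namely deprecated protocol versions, forward secrecy, and AEAD versus CBC suites. The `audit` helper, the protocol labels and the sample report lines are constructed for illustration; suite names follow the IANA naming used in the lists above.

```python
import re

# SSL 3 is deprecated by RFC 7568, TLS 1.0 and 1.1 by RFC 8996.
DEPRECATED_PROTOCOLS = {"SSL 2", "SSL 3", "TLS 1.0", "TLS 1.1"}
AEAD_MARKERS = ("_GCM_", "_CCM", "CHACHA20_POLY1305")

def parse_report_line(line):
    """Extract the suite name from a line like 'TLS_X (0x1301) ECDH x25519 ... FS'."""
    m = re.match(r"\s*((?:OLD_)?TLS_[A-Z0-9_]+)", line)
    return m.group(1) if m else None

def classify_suite(name):
    """Return (forward_secrecy, aead) for an IANA cipher-suite name."""
    name = re.sub(r"^OLD_", "", name.strip())
    if "_WITH_" in name:
        # TLS 1.2 and earlier: TLS_<key exchange>_<auth>_WITH_<cipher>_<mac>
        kx = name.split("_WITH_")[0].split("_")[1]
        fs = kx in ("ECDHE", "DHE")   # only ephemeral exchanges give forward secrecy
    else:
        # TLS 1.3 names omit the key exchange, which is always ephemeral
        fs = True
    return fs, any(marker in name for marker in AEAD_MARKERS)

def audit(protocols, suite_lines):
    """List findings for the enabled protocols and the server-preferred suite order."""
    findings = [f"{p}: deprecated protocol, disable it"
                for p in protocols if p in DEPRECATED_PROTOCOLS]
    suites = [s for s in map(parse_report_line, suite_lines) if s]
    for s in suites:
        fs, aead = classify_suite(s)
        if not fs:
            findings.append(f"{s}: static key exchange, no forward secrecy")
        if not aead:
            findings.append(f"{s}: not an AEAD suite")
    if suites and not classify_suite(suites[0])[0]:
        findings.append("first server preference lacks forward secrecy")
    return findings

# Constructed sample input in the style of a report's Configuration section.
SAMPLE_PROTOCOLS = ["TLS 1.0", "TLS 1.1", "TLS 1.2"]
SAMPLE_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 (0xc02b)",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA (0xc00a)",
    "TLS_AES_128_GCM_SHA256 (0x1301) ECDH x25519 (eq. 3072 bits RSA) FS",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROTOCOLS, SAMPLE_SUITES):
        print(finding)
```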