DOI: 10.1145/1298306.1298318

Cryptographic strength of SSL/TLS servers: current and recent practices

Published: 24 October 2007

Abstract

The Secure Socket Layer (SSL) and its variant, Transport Layer Security (TLS), are used to secure connections to servers. In this paper, we characterize the cryptographic strength of public servers running SSL/TLS. We present a tool developed for this purpose, the Probing SSL Security Tool (PSST), and evaluate over 19,000 servers. We expose the great diversity in the levels of cryptographic strength that are supported on the Internet. Some of our discouraging results show that most sites still support the insecure SSL 2.0, weak export-grade encryption ciphers, or weak RSA key strengths. We also observe encouraging behavior, such as sensible default choices by servers when presented with multiple options, the quick adoption of AES (more than half the servers support strong-key AES as their default choice), and the use of strong RSA key sizes of 1024 bits and above. Comparing results of running our tool over the last two years points to a positive trend that is moving in the right direction, though perhaps not as quickly as it should.
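As an added illustration (not code from the paper or from the PSST tool), the Python below applies the criteria the abstract names (SSL 2.0 support, export-grade ciphers, RSA keys below 1024 bits, sensible and strong-AES defaults) to constructed probe records and aggregates them into the per-property fractions a survey would report. The Probe schema, the OpenSSL-style suite names and the strength table are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

# Effective symmetric strength (bits) for the OpenSSL suite names in the sample.
# Assumed table: 3DES counted at its 112-bit effective strength, export suites at 40.
STRENGTH_BITS = {
    "EXP-RC4-MD5": 40, "EXP-DES-CBC-SHA": 40, "DES-CBC-SHA": 56, "RC4-MD5": 128,
    "DES-CBC3-SHA": 112, "AES128-SHA": 128, "AES256-SHA": 256,
}

@dataclass(frozen=True)
class Probe:
    """One server's probe record (hypothetical schema, not PSST's own format)."""
    host: str
    protocols: frozenset   # versions for which a handshake completed
    ciphers: frozenset     # suites the server accepted when offered singly
    default_cipher: str    # suite the server chose when offered all of them
    rsa_bits: int          # modulus size of the certificate's RSA key

def grade(p: Probe) -> Dict[str, bool]:
    """Apply the abstract's criteria to a single server."""
    strongest = max(STRENGTH_BITS[c] for c in p.ciphers)
    chosen = STRENGTH_BITS[p.default_cipher]
    return {
        "sslv2": "SSLv2" in p.protocols,                        # insecure SSL 2.0 still on
        "export_cipher": any(c.startswith("EXP") for c in p.ciphers),
        "weak_rsa": p.rsa_bits < 1024,                          # below the 1024-bit floor
        "sensible_default": chosen == strongest,                # picks the strongest offered
        "strong_aes_default": p.default_cipher.startswith("AES") and chosen >= 128,
    }

def survey(probes: List[Probe]) -> Dict[str, float]:
    """Fraction of servers showing each property, the form the paper reports."""
    grades = [grade(p) for p in probes]
    return {k: sum(g[k] for g in grades) / len(grades) for k in grades[0]}

# Constructed four-server sample; not data from the paper.
SAMPLE = [
    Probe("a.example", frozenset({"SSLv2", "SSLv3", "TLSv1"}),
          frozenset({"EXP-RC4-MD5", "RC4-MD5", "DES-CBC3-SHA", "AES256-SHA"}), "AES256-SHA", 1024),
    Probe("b.example", frozenset({"SSLv3", "TLSv1"}),
          frozenset({"DES-CBC-SHA", "DES-CBC3-SHA", "AES128-SHA"}), "AES128-SHA", 2048),
    Probe("c.example", frozenset({"SSLv2", "SSLv3"}),
          frozenset({"EXP-DES-CBC-SHA", "RC4-MD5"}), "EXP-DES-CBC-SHA", 512),
    Probe("d.example", frozenset({"TLSv1"}),
          frozenset({"DES-CBC3-SHA", "AES256-SHA"}), "DES-CBC3-SHA", 1024),
]

if __name__ == "__main__":
    for name, frac in survey(SAMPLE).items():
        print(f"{name:20s} {frac:.0%}")
```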


Published In

IMC '07: Proceedings of the 7th ACM SIGCOMM conference on Internet measurement, October 2007, 390 pages. ISBN 9781595939081. DOI 10.1145/1298306.

Publisher: Association for Computing Machinery, New York, NY, United States


Author Tags: network security, servers, ssl

Conference: IMC07: Internet Measurement Conference, October 24 - 26, 2007, San Diego, California, USA

Overall Acceptance Rate: 277 of 1,083 submissions, 26%
