Hi,
This is my first post on this list :)
I have to test TLS implementation on our product. Ths goal is not to
discover a threat in TLS but to find threat in our implementation.
In my test I'll do :
- MitM
- Replay attack (I think it will not be possible because of TLS timestamps )
- Dos
- Sniffing (to check that all communications are encrypted)
What other tests could be done ?
Thanks
Julien
PS : Sorry for my english
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

What other tests could be done ?

Thanks

Julien

Can an attacker force a connection to step down, can an attacker inject
data? Tools like dsniff, although old, are quite effective.

Something I wrote a looong time ago:

Also is your certificate chaining/etc done securely.
-Kurt Seifried

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

I have to test TLS implementation on our product. Ths goal is not to
discover a threat in TLS but to find threat in our implementation.
In my test I'll do :
- MitM
- Replay attack (I think it will not be possible because of TLS timestamps )
- Dos
- Sniffing (to check that all communications are encrypted)

What other tests could be done ?

Well, there's always modification. If someone adds or removes encrypted
data, or modifies it in transit, will your implementation detect it?
This is particularly important when using stream cipher based
ciphersuites.

Also, does your implementation do perform correct client/server
certificate validation? It's a pretty complex process, and other major
implementations have had bugs in the past in this area.

good luck,
tim

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

Hi ,

Also, does your implementation do perform correct client/server
certificate validation?

Yes, it's implemented

>If someone adds or removes encrypted
data, or modifies it in transit, will your implementation detect it?

I don't don't know for the moment. By reading the design docs I think
it have to detect this kind of "attack".

Thanks all

2006/10/21, Tim <tim-pentest (AT) sentinelchicken (DOT) org>:

I have to test TLS implementation on our product. Ths goal is not to
discover a threat in TLS but to find threat in our implementation.
In my test I'll do :
- MitM
- Replay attack (I think it will not be possible because of TLS timestamps )
- Dos
- Sniffing (to check that all communications are encrypted)

What other tests could be done ?

Well, there's always modification. If someone adds or removes encrypted
data, or modifies it in transit, will your implementation detect it?
This is particularly important when using stream cipher based
ciphersuites.

Also, does your implementation do perform correct client/server
certificate validation? It's a pretty complex process, and other major
implementations have had bugs in the past in this area.

good luck,
tim

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

hi guys,

when i remove or add data application don't provide any alert, but
transfert is breaked. It'can be a problem, but at least, server is not
compromised.

That"s better than nothing.

Thanks

2006/10/21, Tim <tim-pentest (AT) sentinelchicken (DOT) org>:

I have to test TLS implementation on our product. Ths goal is not to
discover a threat in TLS but to find threat in our implementation.
In my test I'll do :
- MitM
- Replay attack (I think it will not be possible because of TLS timestamps )
- Dos
- Sniffing (to check that all communications are encrypted)

What other tests could be done ?

Well, there's always modification. If someone adds or removes encrypted
data, or modifies it in transit, will your implementation detect it?
This is particularly important when using stream cipher based
ciphersuites.

Also, does your implementation do perform correct client/server
certificate validation? It's a pretty complex process, and other major
implementations have had bugs in the past in this area.

good luck,
tim

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

Hi,

I add a few bullets to the list.

you should also check the handshake. Are the DES, RC4 or no-encryption
options enabled? What are the defaults?

If clients and server are fixed, or added in a controlled way, you may
want to add the requirement of mutual authentication!

What about random number generation? Can one force the server to reuse
symmetric keys? Are there any race conditions in the implementation?

the other hand, if the crypto has been implemented from scratch, then
you might want to check it for binary vulnerabilities. Else, if you
match this crypto with a known library, do check if there are any
reported bugs for this library.

Cheers,
Ariel

Julien wrote:
Hi,

This is my first post on this list :)
I have to test TLS implementation on our product. Ths goal is not to
discover a threat in TLS but to find threat in our implementation.
In my test I'll do :
- MitM
- Replay attack (I think it will not be possible because of TLS
timestamps )
- Dos
- Sniffing (to check that all communications are encrypted)

What other tests could be done ?

Thanks

Julien

PS : Sorry for my english

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.