Improving the security of Internet exchanges

Mar 20, 2009

( -- TLS is the main protocol used today to secure exchanges over the Internet. The protocol has been subject to attacks in recent years, resulting in identity theft and data tampering. To address these problems, Mohamad Badra, CNRS researcher at LIMOS (France), has worked in collaboration with the Ineovation company to develop two new extensions to the TLS protocol. These standards were recently published by the Internet Engineering Task Force, an international community which develops Internet standards. These are available to programmers and software vendors for use in information systems.

The SSL/TLS was developed in 1995 by Netscape and has become the main protocol used worldwide to and transactions over the Internet (e-commerce, banking, online auctions, , etc.). Due to problems related to the encryption algorithms used by TLS, the protocol has several major drawbacks, notably concerning collision attacks. This also raises concerns about authentication based on digital certificates. In association with Ineovation, Mohamad Badra—CNRS researcher at the Laboratoire d'information, de modélisation et d'optimisation des systčmes in Clermont-Ferrand, France—has developed two new extensions to the TLS protocol in order to improve its security.

The first extension concerns the key exchange method. A key is a parameter required to encrypt and decrypt data. Keys are either symmetric or asymmetric. With a symmetric key, the same key is used for both encryption and decryption. To ensure secure exchanges, this key must remain secret; it must be exchanged between the sender and the receiver over a secure channel prior to the data exchange. In the case of , a “public” key (known to all) is used to encrypt the data to be sent to the recipient. The recipient then uses a private (secret) key to decrypt the data. The advantage is that asymmetric keys do not require a secure channel prior to the key exchange. The extension developed by Badra uses a new method for exchanging keys, based on the association between an asymmetric algorithm and a symmetric key. A “fresh” key is therefore generated at the start of each session, and authenticated by the symmetric key. This new method is more reliable and more secure than the current method. It simplifies the deployment of TLS in network equipment, notably wireless devices and for access providers (as opposed to asymmetric keys, more complex to implement).

The second extension concerns the data hashing function. This function transforms the message into a , i.e. a fairly short series of characters which represent the message. The slightest change to the message requires a change to the message digest. Furthermore, it is very difficult to reconstruct the original message based on the message digest. are used both to ensure data integrity (HMAC functions(8)) and for the digital signature. In the first case, once the recipient receives the message, he calculates its HMAC value and checks that it matches the value transmitted by the message sender.

In the second case, the sender wishing to transmit a signed message must first calculate the message digest and then sign (encrypt) the digest using his private key. The recipient uses the sender's public key to decrypt the message digest and checks that it matches the key calculated by the recipient. Since 2005, the most commonly-used hash functions (notably MD5) have been subject to “collision attacks”, i.e. two different messages could have identical message digests, which brings into question the digital signature authentication used with the TLS protocol. The second extension developed by Badra uses new hash functions which provide better protection against collision attacks.

More information:

SSL/TLS protocol

New extensions to SSL/TLS protocol: (active link to publication)

Other ongoing standardization work at LIMOS:

TLS client identity protection and VPN services… ty-protection-08.txt… a-hajjeh-mtls-04.txt

Provided by CNRS

Explore further: Computerized emotion detector

add to favorites email to friend print save as pdf

Related Stories

Quantum decoys foil code-breaking attempts

Jul 19, 2005

Laser-lit encryption key has immediate commercial applications Computer code-makers may soon get the upper hand on code-breakers thanks to a new quantum cryptography method designed at the University of Toronto. Quantum c ...

New authentication code urged for digital data

Jun 03, 2005

The National Institute of Standards and Technology (NIST) is recommending a new algorithm for authenticating digital data for federal agencies. Called CMAC (cipher-based message authentication code), the algorithm can authenticate ...

Fast and totally secure communication in quantum

Nov 07, 2005

A new era of totally secure communication and information sharing is within reach, with physicists at ANU achieving possibly the world’s fastest transmission of 'unhackable' data using bright lasers to generate an absolutely ...

Recommended for you

Computerized emotion detector

13 hours ago

Face recognition software measures various parameters in a mug shot, such as the distance between the person's eyes, the height from lip to top of their nose and various other metrics and then compares it with photos of people ...

Cutting the cloud computing carbon cost

Sep 12, 2014

Cloud computing involves displacing data storage and processing from the user's computer on to remote servers. It can provide users with more storage space and computing power that they can then access from anywhere in the ...

Teaching computers the nuances of human conversation

Sep 12, 2014

Computer scientists have successfully developed programs to recognize spoken language, as in automated phone systems that respond to voice prompts and voice-activated assistants like Apple's Siri.

Mapping the connections between diverse sets of data

Sep 12, 2014

What is a map? Most often, it's a visual tool used to demonstrate the relationship between multiple places in geographic space. They're useful because you can look at one and very quickly pick up on the general ...

User comments : 0