Abstract
OpenSSL is an open-source cryptography library that provides implementations of SSL and TLS. It is used by around 60% of the web servers in the world. Current recommendations for implementing information system security identify threats and security vulnerabilities on the basis of processes, users and infrastructure. Because many different kinds of threat exist, the different pieces of an information system must each be secured. As the complexity of IT system security rises, IT governance plays a major role, and many IT frameworks are now used to give organizations better and more secure information systems. An IT control framework is defined as “a known system of control management which covers the complete internal control of any organization”. According to the research of Nicho (2008), there are normally three types of control framework. In this report we analyse the threats, using diagrams, and discuss how an organization's code of ethics and security policies apply, which security policies an organization should apply to its information system to mitigate the risks, and the important factors that can affect an organization. Hackers create fake accounts to inflate clicks, likes and shares on social media so as to manipulate users into believing a perception. Attackers usually use software that automatically spreads malicious links. An operational threat occurs when an entire system or a part of it fails. Spyware, as the name suggests, spies on the user, collects account details such as usernames and passwords, and sends them to the attacker. An anti-phishing tool can help a lot in mitigating this type of attack; firewalls and keeping information masked are other preventive measures.
Periodic system checkups must be performed to avoid system failures, and errors must be mitigated by personal alertness. The major concept behind the implementation of OpenSSL is to organize information system security according to the needs of the users, so as to fulfil the objectives of the organization's business. When data passes over the network it is sent over SSL. In this report we discuss OpenSSL, its types and encryption algorithms, the different ways in which attackers exploit the network, and how to deal with them.
Functionality and characteristics of OpenSSL
Secure Sockets Layer (SSL) is an encryption protocol that protects information and data over the network. Netscape created SSL in 1994; after years of use SSL was found to be vulnerable, and Transport Layer Security (TLS) was developed in 1999. POODLE and BEAST are the best-known SSL vulnerabilities. The main aim of TLS/SSL is to protect the communication between the user and the web application, and SSL uses encryption to manage and protect the user's data. The growing number of information system security threats and attacks can be reduced by identifying vulnerabilities and giving organizations and individuals good engineering practices and operational procedures. In recent years cloud computing services have become very popular, which puts user privacy at greater risk: the cloud application provider can use the user's data for its own benefit, and the user cannot monitor how the data is used. Once user data has been sent to a cloud computing application it becomes very hard to monitor how the application provider uses it, and it is also hard for the provider to keep user data secure when the data is easily replicated and spread across the whole cloud computing infrastructure.
FEATURES OF OpenSSL
The major concept behind the implementation of OpenSSL is to organize information system security according to the needs of the users, so as to fulfil the objectives of SSL. We are concerned here with the security of organization data and customer data; to remedy vulnerabilities we use encrypted e-mail, encrypted domains, secured websites and security protocols in the system, and we create encrypted channels and protocols so that data communication between two devices is secured. The threats in view are those already described in the abstract: fake social-media accounts that inflate clicks, likes and shares, software that automatically spreads malicious links, operational failures of all or part of a system, and spyware that collects usernames and passwords and sends them to the attacker. OpenSSL helps in detecting the vulnerabilities that attackers introduce into the user's system.
APPLICATIONS OF OpenSSL
Cloud computing is basically used for the storage of data and the exchange of information, so its security is a major concern. It is very hard to build a solution for something whose requirements you do not know. First we gather all the required data and information from the user, then we work out from that data what the user really wants from us. According to the user's recommendation we find the problem and other unwanted things present and remove them from the system or servers. By discussing with many users at different places and from different fields we gather information and, using OpenSSL and TLS, filter it down to a common problem; an analyst then works on it and, using SSL, gives the appropriate solution to the problem.
OpenSSL PROTOCOL
Triple Data Encryption Standard (3DES) and the Advanced Encryption Standard (AES) are block ciphers: security algorithms that work on a block of data at a time rather than a single byte. Because AES is easy to implement and fast in both hardware and software, it is the best choice of security algorithm for WiMAX. Device and user authentication in SSL mainly relies on certificates, as specified by the Internet Engineering Task Force (IETF). EAP is designed to perform the authentication process using many functions that can deal with the different possible steps. OpenSSL can be used for many authentication methods, such as username/password, smart cards and digital certificates. Combining device authentication with user authentication creates an additional layer of security, and SSL helps control the messages exchanged in the authentication process. A cipher-based message authentication code (CMAC) uses a block cipher algorithm, whereas a keyed-hash message authentication code (HMAC) uses a hash function together with a secret key; both provide integrity and authenticity of data in OpenSSL.
Types Of OpenSSL Certificate
There are three types of SSL certificate, each differing in the level of validation: domain validated (DV), organization validated (OV) and the newer extended validation (EV).
Command Line for OpenSSL in Kali Linux
These command-line tools exercise the different functions of the OpenSSL library from a bash shell without writing any code. Here we use the s_client command, which makes a connection to a server using SSL.
All of this information is obtained by requesting the server's certificate at the command prompt.
Here we see that when we try to use a weak encryption algorithm with the server, Google has disabled the weak ciphers on its server. OpenSSL provides a web client that connects to a web server over SSL/TLS; with the following command line we get the desired results.
openssl s_client -connect poftut.com:443
To get the list of weak ciphers we use the command line shown in the screenshot. The most common use of s_client is simply to connect to a remote TLS/SSL website.
$ openssl s_client -connect poftut.com:443
OpenSSL source
We obtain a new version of OpenSSL from source with wget and build it with the following commands. The build installs under /usr/local/ssl by default, so check the new binary afterwards with /usr/local/ssl/bin/openssl version -v; note also that the 1.0.2 series reached end of life at the end of 2019, so a current release should be used in practice.
openssl version -v
sudo apt-get install make
wget https://www.openssl.org/source/openssl-1.0.2l.tar.gz
tar -xzvf openssl-1.0.2l.tar.gz
cd openssl-1.0.2l
./config
make
sudo make install
openssl version -v
Using the SSLScan tool (built on OpenSSL) in Kali Linux we can easily find weak ciphers, expired protocol versions and misconfigurations; by default it checks the web server for these vulnerabilities. During an SSL/TLS connection many things happen under the hood at the same time; for example, we use tlsextdebug to get detailed information about the SSL/TLS extensions.
$ openssl s_client -connect poftut.com:443 -tlsextdebug
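The weak-cipher and protocol-version checks described above can be scripted around s_client. The following is an added example, not code from the original report: it parses s_client output and flags weak results; the host, port and the sample s_client output are constructed assumptions.

```shell
# Known-weak cipher families (NULL, export-grade, RC4, DES/3DES, MD5 MACs,
# anonymous key exchange). Returns 0 when the cipher name matches one of them.
is_weak_cipher() {
  case "$1" in
    *NULL*|*EXP*|*RC4*|*DES*|*MD5*|*ADH*|*AECDH*|*anon*) return 0 ;;
    *) return 1 ;;
  esac
}
# Protocol versions that should be disabled on a server today.
is_weak_protocol() {
  case "$1" in
    SSLv2|SSLv3|TLSv1|TLSv1.1) return 0 ;;
    *) return 1 ;;
  esac
}
# Read `openssl s_client` output on stdin and print "<protocol> <cipher>"
# taken from the SSL-Session block (e.g. "TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256").
parse_s_client() {
  awk -F': *' '/^ *Protocol *:/ {p=$2} /^ *Cipher *:/ {c=$2} END {print p, c}'
}
# Turn a parsed "<protocol> <cipher>" line into a verdict.
# s_client reports cipher 0000 or (NONE) when no handshake completed.
assess() {
  proto=${1%% *}
  cipher=${1#* }
  if [ -z "$cipher" ] || [ "$cipher" = "0000" ] || [ "$cipher" = "(NONE)" ]; then
    echo "NO-HANDSHAKE"
  elif is_weak_protocol "$proto" || is_weak_cipher "$cipher"; then
    echo "WEAK"
  else
    echo "OK"
  fi
}
# Live probe (needs network): host, port and an optional s_client flag such
# as -tls1_2; $3 is left unquoted on purpose so an empty flag expands to nothing.
probe_tls() {
  openssl s_client -connect "$1:$2" $3 </dev/null 2>/dev/null | parse_s_client
}
# Constructed sample of s_client output, as if a server negotiated 3DES over TLSv1.
SAMPLE_OUT='New, TLSv1, Cipher is DES-CBC3-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DES-CBC3-SHA'
# Example live use (assumed host, needs network):
#   assess "$(probe_tls example.com 443 -tls1_2)"
```

Running assess over the constructed SAMPLE_OUT gives WEAK, because both TLSv1 and the 3DES cipher are flagged.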
Metasploit OpenSSL
We can use Metasploit to find vulnerabilities present in a system; first type “msfupdate” in Kali Linux to update it.
Then run “msfconsole” to start Metasploit and search for the Heartbleed modules.
After that, type “use auxiliary/scanner/ssl/openssl_heartbleed”:
Finally, “run” the module; Metasploit communicates with the server and is able to extract data from the server's memory.
OpenSSL Security Threats
SSL faces many types of security threat, such as renegotiation attacks, cross-protocol attacks, downgrade attacks and the BEAST attack. In the present time the security of data and information plays an important role in the development of organizations. Due to the rise in the use of mobile devices, they have become a soft target for attackers, leading to breaches of users' important information and data. As set out in the abstract, threats and vulnerabilities are identified on the basis of processes, users and infrastructure, each piece of the information system must be secured separately, and the threats described there (fake social-media accounts, automated spreading of malicious links, operational failures and spyware) and their mitigations (anti-phishing tools, firewalls, keeping information masked, periodic system checkups and personal alertness) apply equally here.
The major concept behind the implementation of OpenSSL is to organize information system security according to the needs of the users, so as to fulfil the objectives of the organization's business.
Recommendations
We are concerned here with the security of organization data and customer data; to remedy vulnerabilities we use encrypted e-mail, encrypted domains, secured websites and security policies in the organization. Testing with OpenSSL covers all the links of the related web pages: outgoing links, internal links and other links are checked to make sure there are no broken links. Forms are tested to ensure that the user can fill them in. Cookie testing also comes under this: cookies remember the active user session so that the user does not have to log in again within a specific time. To ensure compliance with W3C standards we regularly check and update the HTML and CSS code of our web application. Consistency and integrity of data are very important for any web application, so database testing is also done as part of functionality testing to verify integrity. Protecting and controlling the data in this way reduces the threats. Firewalls and keeping information masked are other
preventive measures. Periodic system checkups must be performed to avoid system failures, and errors must be mitigated by personal alertness. The major concept behind the implementation of OpenSSL is to organize information system security according to the needs of the users, so as to fulfil the objectives of the organization's business.
Conclusion
Many things must be put in the right place so that new methods and techniques can develop their true power and value, and this applies well to SSL security. A disaster recovery plan lets us resume the business after any disruptive activity, whereas business continuity planning takes a more comprehensive approach, making sure the business keeps earning money not only through natural calamities but also through lesser disruptions such as illness or minor software and hardware problems. IT leaders, security and the business all work on the same platform to make the decisions that are crucial for the organization or company. By generating our own certificates on web servers we can protect information and data, so we develop a framework for the remote server that checks the mechanism and pays attention to the user.
References and bibliography
John Viega, Matt Messier, Pravir Chandra, "Network Security with OpenSSL: Cryptography for Secure Communications", O'Reilly Media Inc., First Edition, pp. 21-22, 2002.
Behrouz A. Forouzan, "Data Communications and Networking", The McGraw-Hill Companies, Fourth Edition, pp. 1008-1014.
[BEAST] T. Duong, J. Rizzo, "Here Come The ⊕ Ninjas", 2011.
[draft-ietf-tls-downgrade-scsv-00] B. Möller, A. Langley, "TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks", 2014.
Martin R. Albrecht, Kenneth G. Paterson, and Gaven J. Watson, "Plaintext recovery attacks against SSH", in David Evans and Andrew Myers, editors, 2009 IEEE Symposium on Security and Privacy, Proceedings, pages 16-26, IEEE Computer Society, 2009.
Elaine Barker, William Barker, William Burr, William Polk, and Miles Smid, "Recommendation for key management, part 1: General (revised)", NIST Special Publication 800-57, 2007.
Dag Arne Osvik, Adi Shamir, and Eran Tromer, "Cache attacks and countermeasures: the case of AES", in David Pointcheval, editor, Topics in Cryptology, CT-RSA 2006, volume 3860 of LNCS, pages 1-20, Springer, 2006.
David Molnar, Matt Piotrowski, David Schultz, and David Wagner, "The program counter security model: Automatic detection and removal of control-flow side channel attacks", in Dongho Won and Seungjoo Kim, editors, Information Security and Cryptology: ICISC 2005, volume 3935 of LNCS, pages 156-168, Springer, 2005.
Daniel J. Bernstein, "CurveCP: Usable security for the Internet", 2011.