Accession Number : ADA602429


Title :   Safe Configuration of TLS Connections


Descriptive Note : Conference paper


Corporate Author : RAYTHEON BBN TECHNOLOGIES CAMBRIDGE MA


Personal Author(s) : Atighetchi, Michael ; Soule, Nathaniel ; Pal, Partha ; Loyall, Joseph ; Sinclair, Asher ; Grant, Robert


Full Text : https://apps.dtic.mil/dtic/tr/fulltext/u2/a602429.pdf


Report Date : 16 Oct 2013


Pagination or Media Count : 9


Abstract : Transport Layer Security (TLS) and its precursor Secure Sockets Layer (SSL) are the most widely deployed protocol to establish secure communication over insecure Internet Protocol (IP) networks. Providing a secure session layer on top of TCP, TLS is frequently the first defense layer encountered by adversaries who try to cause loss of confidentiality by sniffing live traffic or loss of integrity using man-in-the-middle attacks. Despite its wide deployment and evolution over the last 18 years, TLS remains vulnerable to a number of threats at the protocol layer and therefore does not provide strong security out-of-the-box, requiring tweaks to its configuration in order to provide the expected security benefits. This paper provides a summary of the current TLS threat surface together with a validated approach for minimizing the risk of TLS-compromise. The main contributions of this paper include 1) identification of configuration options that together maximize security guarantees in the context of recent TLS exploits and 2) specification of expected flows and automated comparison with observed flows to flag inconsistencies.


Descriptors :   *CLIENT SERVER SYSTEMS , *COMMUNICATIONS PROTOCOLS , COMPUTER ACCESS CONTROL , COMPUTER NETWORK SECURITY , CONFIGURATION MANAGEMENT , INFORMATION ASSURANCE , NETWORK FLOWS , SECURE COMMUNICATIONS


Subject Categories : Computer Systems Management and Standards


Distribution Statement : APPROVED FOR PUBLIC RELEASE