Man in The Middle Attacks Against SSL/TLS: Mitigation and Defeat
Keywords:SSL/TLS, MITM, DDoS, integrity, accountability
Network security and related issues have been discussed thoroughly in this paper, especially at transport layer security network protocol, which concern with confidentiality, integrity, availability, authentication, and accountability. To mitigate and defeat Man-in-the-middle-attacks, we have proposed a new model which consists of sender and receiver systems and utilizes a combination of blowfish (BF) and Advanced Encryption Standard (AES) algorithms, symmetric key agreement to distribute public keys, Elliptic Curve Cryptography (ECC) to create secret key, and then Diffe Hellman (DH) for key exchange. Both SHA-256 hashing and Elliptic Curve Digital Signature Algorithm (ECDSA) have been applied for integrity, and authentication, respectively.
K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P. Strub, Implementing TLS with Verified Cryptographic Security, 2013 IEEE Symposium on Security and Privacy, 2013, pp. 445–459.
A. Satapathy, L.M.J. Livingston, A Comprehensive Survey on SSL/ TLS and their Vulnerabilities, International Journal of Computer Applications, 153 (2016) 31–38.
H. Parmar, A. Gosai, Analysis and Study of Network Security at Transport Layer, International Journal of Computer Applications, 121 (2015 ) 35–40.
S. Stricot-Tarboton, S. Chaisiri, R.K.L. Ko, Taxonomy of man-in-the-middle attacks on HTTPS, TrustCom 2016, IEEE Computer Society, Tianjin, China, 2016, pp. 527–534.
A. Madan, A. Tuteja, Bharti, OSI Reference Model, International Journal of Advanced Research in Computer Science and Software Engineering, 4 (2014) 55–49.
T. Dierks, E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.2, URL https://www.ietf.org/rfc/rfc5246.txt, IETF, 2008.
T. Shubh, S. Sharma, Man-In-The-Middle-Attack Prevention Using HTTPS and SSL, International Journal of Computer Science and Mobile Computing, 5 (2016) 569–579.
A. Singh, A. Vaish, P.K. Keserwani, Information Security: Components and Techniques, International Journal of Advanced Research in Computer Science and Software Engineering, 4 (2014).
P.K. Pateriya, S.S. Kumar, Analysis on Man in the Middle Attack on SSL, International Journal of Computer Applications, 45 (2012) 43–46.
Radhika, P., Ramya, G., Sadhana, K., Salini, R., Defending Man In The Middle Attacks, International Research Journal of Engineering and Technology, 4 (2017) 579–585.
I. Dacosta, M. Ahamad, P. Traynor, Trust No One Else: Detecting MITM Attacks Against SSL/TLSWithout Third-Parties, Converging Infrastructure Security (CISEC) Laboratory, Georgia Tech Information Security Center (GTISC), Georgia 2013.
P. Hallam-Baker, R. Stradling, DNS Certification Authority Authorization (CAA) Resource Record, URL http://tools.ietf.org/html/rfc6844, IETF, 2013.
P. Hoffman, J. Schlyter, The DNS Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA, URL http://tools.ietf.org/html/rfc6698, IETF, 2012.
J. Hodges, C. Jackson, A. Barth, HTTP Strict Transport Security (HSTS), URL https://tools.ietf.org/html/rfc6797, IETF, 2012.
C. Evans, C. Palmer, R. Sleevi, Public Key Pinning Extension for HTTP, URL https://tools.ietf.org/html/rfc7469, IETF, 2015.
V. Boyko, P. MacKenzie, S. Patel, Provably Secure Password-Authenticated Key Exchange using Diffie-Hellman, in: B. Preneel (Ed.) International Conference on the Theory and Application of Cryptographic Techniques, May 14–18, 2000 Springer, Bruges, Belgium, 2000, pp. 156–171.
P. MacKenzie, The PAK suite: Protocols for Password-Authenticated Key Exchange, DIMACS Technical Reports, Bell Laboratories, Luent Technologies, Murray Hill, USA, 2002.
S.B. Wilson, N. Bolyard, V. Gupta, C. Hawk, B. Moeller, Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS), URL https://tools.ietf.org/html/rfc4492, IETF, 2006.
M.J.B. Robshaw, Y.L. Yin, Elliptic Curve Cryptosystems, An RSA Laboratories Technical Note, URL http://citeseerx.ist.psu.edu/view doc/download?doi=10.1.1.461.1411&rep=rep1&type=pdf, RSA Laboratories, 1997.
P. Sehgal, N. Agarwal, S. Dutta, P.M.D.R. Vincent, Modification of Diffie-Hellman Algorithm to Provide More Secure Key Exchange, International Journal of Engineering and Technology, 5 (2013) 2498–2501.
Y. Sheffer, R. Holz, P. Saint-Andre, Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS), URL https://tools.ietf.org/html/rfc7525, IETF, 2015.
G. Sarath, D.C. Jinwala, S. Patel, A survey on elliptic curve digital signature algorithm and its variants, Computer Science & Information Technology, 4 (2014) 121–136.
N. Sklavos, Towards to SHA-3 Hashing Standard for Secure Communications: On the Hardware Evaluation Development, IEEE Latin America Transactions, 10 (2012) 1433–1434.
T. Nie, C. Song, X. Zhi, Performance Evaluation of DES and Blowfish Algorithms, Biomedical Engineering and computer Science International Conference, IEEE, 2010.
A. Nadeem, M.Y. Javed, A Performance Comparison of Data Encryption Algorithms, 2005 International Conference on Information and Communication Technologies, 2005, pp. 84–89.
S. Rehman, S.Q. Hussain, W.G.a. Israr, Characterization of Advanced Encryption Standard (AES) for Textual and Image data, International Journal Of Engineering And Computer, 5 (2016) 18346–18349.
A. Menezes, P.v. Oorschot, S. Vanstone, Key Management Techniques, CRC Press, 1996.
A. Mahmud H, B. Angga W, Tommy, A. Marwan E, R. Siregar, Performance analysis of AES-Blowfish hybrid algorithm for security of patient medical record data, Journal of Physics: Conference Series, 1007 (2018) 012018.