Man in The Middle Attacks Against SSL/TLS: Mitigation and Defeat

  • Muneer Alwazzeh Electrical and Mechanical Engineering Faculty, Damascus University, Damascus, Syrian Arab Republic https://orcid.org/0000-0003-1015-070X
  • Sameer Karaman Electrical and Mechanical Engineering Faculty, Damascus University, Damascus, Syrian Arab Republic
  • Mohammad Nur Shamma Electrical and Mechanical Engineering Faculty, Damascus University, Damascus, Syrian Arab Republic
Keywords: SSL/TLS, MITM, DDoS, integrity, accountability

Abstract

Network security and related issues have been discussed thoroughly in this paper, especially at transport layer security network protocol, which concern with confidentiality, integrity, availability, authentication, and accountability. To mitigate and defeat Man-in-the-middle-attacks, we have proposed a new model which consists of sender and receiver systems and utilizes a combination of blowfish (BF) and Advanced Encryption Standard (AES) algorithms, symmetric key agreement to distribute public keys, Elliptic Curve Cryptography (ECC) to create secret key, and then Diffe Hellman (DH) for key exchange. Both SHA-256 hashing and Elliptic Curve Digital Signature Algorithm (ECDSA) have been applied for integrity, and authentication, respectively.

Downloads

Download data is not yet available.

Author Biographies

Muneer Alwazzeh, Electrical and Mechanical Engineering Faculty, Damascus University, Damascus, Syrian Arab Republic

Muneer Alwazzeh is a Ph.D student at the University of Damascus since summer 2016. He attended the University of Damascus, Syria where he received his B.Sc. in Electrical Engineering in 2000. Muneer has gained an M.Sc. in programming and operating systems from the University of Damascus, Syria in 2010. He is currently completing a doctorate degree in Computer Engineering and Networks at the University of Damascus. His Ph.D. work concentrates on reaching an adaptive and scalable security solution with time and cost optimization that contributes to protecting the computer network and helping traditional programs and tools to protect the network and combat cyber-crime.

Sameer Karaman, Electrical and Mechanical Engineering Faculty, Damascus University, Damascus, Syrian Arab Republic

Sameer Karaman is an academic staff of electrical and mechanical engineering faculty, Damascus University since 1994. He has also been appointed as academic staff of Private International Syrian University, Virtual University of Damascus, Qasuoun Private University of science and technology, Yarmook Private University, and Al-Rasheed Private University in the period 2008–2020. He was chosen as the head of division of computer engineering and control during 2015–2019. His work interest is in the field of encryption and information security.

Mohammad Nur Shamma, Electrical and Mechanical Engineering Faculty, Damascus University, Damascus, Syrian Arab Republic

Mohammad Nur Shamma is an academic staff of electrical and mechanical engineering faculty, Damascus University since 1994. He has also been involved as academic staff in both the virtual University of Damascus – Information Technology since 2013, and communication and information engineering faculty of Arab International University since 2015. His work interest is in the field of arithmetic science and encryption and information security.

References

K. Bhargavan, C. Fournet, M. Kohlweiss, A. Pironti, P. Strub, Implementing TLS with Verified Cryptographic Security, 2013 IEEE Symposium on Security and Privacy, 2013, pp. 445–459.

A. Satapathy, L.M.J. Livingston, A Comprehensive Survey on SSL/ TLS and their Vulnerabilities, International Journal of Computer Applications, 153 (2016) 31–38.

H. Parmar, A. Gosai, Analysis and Study of Network Security at Transport Layer, International Journal of Computer Applications, 121 (2015 ) 35–40.

S. Stricot-Tarboton, S. Chaisiri, R.K.L. Ko, Taxonomy of man-in-the-middle attacks on HTTPS, TrustCom 2016, IEEE Computer Society, Tianjin, China, 2016, pp. 527–534.

A. Madan, A. Tuteja, Bharti, OSI Reference Model, International Journal of Advanced Research in Computer Science and Software Engineering, 4 (2014) 55–49.

T. Dierks, E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.2, URL https://www.ietf.org/rfc/rfc5246.txt, IETF, 2008.

T. Shubh, S. Sharma, Man-In-The-Middle-Attack Prevention Using HTTPS and SSL, International Journal of Computer Science and Mobile Computing, 5 (2016) 569–579.

A. Singh, A. Vaish, P.K. Keserwani, Information Security: Components and Techniques, International Journal of Advanced Research in Computer Science and Software Engineering, 4 (2014).

P.K. Pateriya, S.S. Kumar, Analysis on Man in the Middle Attack on SSL, International Journal of Computer Applications, 45 (2012) 43–46.

Radhika, P., Ramya, G., Sadhana, K., Salini, R., Defending Man In The Middle Attacks, International Research Journal of Engineering and Technology, 4 (2017) 579–585.

I. Dacosta, M. Ahamad, P. Traynor, Trust No One Else: Detecting MITM Attacks Against SSL/TLSWithout Third-Parties, Converging Infrastructure Security (CISEC) Laboratory, Georgia Tech Information Security Center (GTISC), Georgia 2013.

P. Hallam-Baker, R. Stradling, DNS Certification Authority Authorization (CAA) Resource Record, URL http://tools.ietf.org/html/rfc6844, IETF, 2013.

P. Hoffman, J. Schlyter, The DNS Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA, URL http://tools.ietf.org/html/rfc6698, IETF, 2012.

J. Hodges, C. Jackson, A. Barth, HTTP Strict Transport Security (HSTS), URL https://tools.ietf.org/html/rfc6797, IETF, 2012.

C. Evans, C. Palmer, R. Sleevi, Public Key Pinning Extension for HTTP, URL https://tools.ietf.org/html/rfc7469, IETF, 2015.

V. Boyko, P. MacKenzie, S. Patel, Provably Secure Password-Authenticated Key Exchange using Diffie-Hellman, in: B. Preneel (Ed.) International Conference on the Theory and Application of Cryptographic Techniques, May 14–18, 2000 Springer, Bruges, Belgium, 2000, pp. 156–171.

P. MacKenzie, The PAK suite: Protocols for Password-Authenticated Key Exchange, DIMACS Technical Reports, Bell Laboratories, Luent Technologies, Murray Hill, USA, 2002.

S.B. Wilson, N. Bolyard, V. Gupta, C. Hawk, B. Moeller, Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS), URL https://tools.ietf.org/html/rfc4492, IETF, 2006.

M.J.B. Robshaw, Y.L. Yin, Elliptic Curve Cryptosystems, An RSA Laboratories Technical Note, URL http://citeseerx.ist.psu.edu/view doc/download?doi=10.1.1.461.1411&rep=rep1&type=pdf, RSA Laboratories, 1997.

P. Sehgal, N. Agarwal, S. Dutta, P.M.D.R. Vincent, Modification of Diffie-Hellman Algorithm to Provide More Secure Key Exchange, International Journal of Engineering and Technology, 5 (2013) 2498–2501.

Y. Sheffer, R. Holz, P. Saint-Andre, Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS), URL https://tools.ietf.org/html/rfc7525, IETF, 2015.

G. Sarath, D.C. Jinwala, S. Patel, A survey on elliptic curve digital signature algorithm and its variants, Computer Science & Information Technology, 4 (2014) 121–136.

N. Sklavos, Towards to SHA-3 Hashing Standard for Secure Communications: On the Hardware Evaluation Development, IEEE Latin America Transactions, 10 (2012) 1433–1434.

T. Nie, C. Song, X. Zhi, Performance Evaluation of DES and Blowfish Algorithms, Biomedical Engineering and computer Science International Conference, IEEE, 2010.

A. Nadeem, M.Y. Javed, A Performance Comparison of Data Encryption Algorithms, 2005 International Conference on Information and Communication Technologies, 2005, pp. 84–89.

S. Rehman, S.Q. Hussain, W.G.a. Israr, Characterization of Advanced Encryption Standard (AES) for Textual and Image data, International Journal Of Engineering And Computer, 5 (2016) 18346–18349.

A. Menezes, P.v. Oorschot, S. Vanstone, Key Management Techniques, CRC Press, 1996.

A. Mahmud H, B. Angga W, Tommy, A. Marwan E, R. Siregar, Performance analysis of AES-Blowfish hybrid algorithm for security of patient medical record data, Journal of Physics: Conference Series, 1007 (2018) 012018.

Published
2020-07-01
Section
Articles