With people using computers as part of their everyday life to communicate, buy goods or for banking, ensuring our details are protected from online thieves remains one of our biggest concerns.
A new system called Transport Layer Security (TLS) is helping to make sure our details remain safe and researchers from Royal Holloway, University of London are analysing the system to identify any weaknesses and ensure it is doing its job properly to give us greater confidence online. The findings are outlined in a research paper entitled ‘Tag Size Does Matter: Attacks and Proofs for the TLS Record Protocol’ which will be presented at a conference in Asia from 5-9 December.
Professor Kenny Paterson from the Information Security Group (ISG) at Royal Holloway is one of the authors of the research and will be addressing the Korean conference. He said: “Web users may not have heard of TLS and won’t know that the system is in place to help protect our private details from hackers and online thieves. Our analysis of TLS version 1.2 gives us higher confidence that the data we share online will be kept safe, secure and private.”
The only real evidence of the hidden security system for web users is when the web browser says ‘https’ rather than ‘http’; this is when the TLS system comes into play. TLS encrypts the messages as they are sent across the Internet, keeping our personal data safe from attackers.
However, the researchers did find a new vulnerability in the latest version of the system.
Professor Paterson said: “There is still scope for a ‘distinguishing attack’ against TLS 1.2, where an attacker could tell whether a user has sent a ‘yes’ or a ‘no’ during a transaction, for example. This kind of attack is usually considered a bit theoretical, but it can point to more serious underlying security issues.
“Fortunately, in the TLS case, this attack should never arise in practice. TLS uses something called a Message Authentication Code (MAC) tag to help provide security, and for our attack to work, we would need the MAC tag to be small. In short, our work proves that size does matter!”
Professor Paterson concluded: “In 2002, TLS 1.0 came under fire after researchers found a distinguishing attack against the system. In September 2011, the same basic idea was used to mount a much more serious attack against TLS 1.0, under the colourful name of the BEAST attack. So now the industry is finally getting ready to make the switch to TLS 1.2. We can have higher confidence in this latest version of TLS because of our work.”
The UK has been subjected to millions of cyber attacks in the past two years. The Government alone is victim to more than 1,000 targeted attacks and 20,000 more general ones every week.
As part of the Government’s Cyber Security Strategy, which was launched today (25 November), it is working with the Government Communications Headquarters (GCHQ) to help the private sector protect itself.

GCHQ has approached academics from the Information Security Group (ISG) at Royal Holloway to use their expertise to help solve operational problems - such as how to stop an attack before it is triggered - and also to offer long-term strategic analysis.
The universities of Lancaster, Glamorgan and De Montfort have also been approached.
Professor Keith Martin, Director of ISG at Royal Holloway, said: “The department has long recognised that cyber security is an issue that can only be tackled by co-operation between academia, industry and government, both at a national and international level.
“We welcome the many current initiatives by the UK Government to promote and address the challenges presented by cyber security threats and look forward to continued engagement through our cyber security research activities, provision of cyber security education programmes and advisory services.”
Cabinet Office minister Francis Maude was interviewed as part of Sky News’s coverage of the story. He said the new network would foster greater co-operation between the public and private sectors and enable them to share information about cyber attacks.
"We want Britain to be a great place to do internet business, both with lots of opportunity but also the best levels of security that we can manage," he added.
Contacts and sources:
Royal Holloway, University of London