Applied Crypto Hardening PDF
Applied Crypto Hardening PDF
Applied Crypto Hardening PDF
Wolfgang Breyha, David Durvaux, Tobias Dussa, L. Aaron Kaplan, Florian Mendel, Christian Mock, Manuel Koschuch, Adi Kriegisch, Ulrich Pschl, Ramin Sabet, Berg San, Ralf Schlatterbeck, Thomas Schreck, Aaron Zauner, Pepi Zawodsky
(University of Vienna, CERT.be, KIT-CERT, CERT.at, IAIK, coretec.at, FH Campus Wien, VRVis, MilCERT Austria, A-Trust, Runtux.com, Friedrich-Alexander University Erlangen-Nuremberg, azet.org, maclemon.at)
January 4, 2014
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 2 of 80
Acknowledgements
We would like to express our thanks to the following reviewers and people who have generously oered their time and interest (in alphabetical order): Brown, Scott Brulebois, Cyril Dulaunoy, Alexandre Ghring Philipp Grigg, Ian Horenbeck, Maarten Kovacic, Daniel Lenzhofer, Stefan Lornser, Thomas Millauer, Tobias OBrien, Hugh Pacher, Christoph Palfrader, Peter Pape, Tobias (layout) Petukhova, Anna (Logo) Pichler, Patrick Roeckx, Kurt Seidl, Eva (PDF layout) Wagner, Sebastian (sebix) Zangerl, Alexander
The reviewers did review parts of the document in their area of expertise; all remaining errors in this document are the sole responsibility of the primary authors.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 3 of 80
Abstract
Unfortunately, the computer security and cryptology communities have drifted apart over the last 25 years. Security people dont always understand the available crypto tools, and crypto people dont always understand the real-world problems. Ross Anderson in [And08]
This guide arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for conguring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security ocers saw the need to strengthen their encryption settings. This guide is specically written for these system administrators. As Schneier noted in [Sch13a], it seems that intelligence agencies and adversaries on the Internet are not breaking so much the mathematics of encryption per se, but rather use software and hardware weaknesses, subvert standardization processes, plant backdoors, rig random number generators and most of all exploit careless settings in server congurations and encryption systems to listen in on private communications. Worst of all, most communication on the internet is not encrypted at all by default (for SMTP, opportunistic TLS would be a solution). This guide can only address one aspect of securing our information systems: getting the crypto settings right to the best of the authors current knowledge. Other attacks, as the above mentioned, require dierent protection schemes which are not covered in this guide. This guide is not an introduction to cryptography. For background information on cryptography and cryptoanalysis we would like to refer the reader to the the references in appendix B and C at the end of this document. The focus of this guide is merely to give current best practices for conguring complex cipher suites and related parameters in a copy & paste-able manner. The guide tries to stay as concise as is possible for such a complex topic as cryptography. Naturally, it can not be complete. There are many excellent guides [IS12, fSidIB13, ENI13] and best practice documents available when it comes to cryptography. However none of them focuses specically on what an average system administrator needs for hardening his or her systems crypto settings. This guide tries to ll this gap.
Contents
Contents
1. Introduction 1.1. Audience . . . . . . . . 1.2. Related publications . 1.3. How to read this guide 1.4. Disclaimer and scope . 1.5. Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7 7 7 7 8 10 11 11 11 12 14 15 17 17 18 18 19 19 20 22 23 25 29 29 31 34 36 36 38 39 39 41 44 48 48 48 49 50 50 53 53
2. Practical recommendations 2.1. Webservers . . . . . . . . . . . . . . . . . . . . . . . . . 2.1.1. Apache . . . . . . . . . . . . . . . . . . . . . . . . 2.1.2. lighttpd . . . . . . . . . . . . . . . . . . . . . . . . 2.1.3. nginx . . . . . . . . . . . . . . . . . . . . . . . . . 2.1.4. MS IIS . . . . . . . . . . . . . . . . . . . . . . . . . 2.2. SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2.1. OpenSSH . . . . . . . . . . . . . . . . . . . . . . . 2.2.2. Cisco ASA . . . . . . . . . . . . . . . . . . . . . . 2.2.3. Cisco IOS . . . . . . . . . . . . . . . . . . . . . . . 2.3. Mail Servers . . . . . . . . . . . . . . . . . . . . . . . . . 2.3.1. SMTP in general . . . . . . . . . . . . . . . . . . . 2.3.2. Dovecot . . . . . . . . . . . . . . . . . . . . . . . 2.3.3. cyrus-imapd . . . . . . . . . . . . . . . . . . . . . 2.3.4. Postx . . . . . . . . . . . . . . . . . . . . . . . . 2.3.5. Exim (based on 4.82) . . . . . . . . . . . . . . . . 2.4. VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.4.1. IPSec . . . . . . . . . . . . . . . . . . . . . . . . . 2.4.2. Check Point FireWall-1 . . . . . . . . . . . . . . . 2.4.3. OpenVPN . . . . . . . . . . . . . . . . . . . . . . 2.4.4. PPTP . . . . . . . . . . . . . . . . . . . . . . . . . 2.4.5. Cisco ASA . . . . . . . . . . . . . . . . . . . . . . 2.5. PGP/GPG - Pretty Good Privacy . . . . . . . . . . . . . . 2.6. IPMI, ILO and other lights out management solutions . 2.7. Instant Messaging Systems . . . . . . . . . . . . . . . . 2.8. Database Systems . . . . . . . . . . . . . . . . . . . . . 2.9. Intercepting proxy solutions and reverse proxies . . . 3. Theory 3.1. Overview . . . . . . . . . . . . . . . . . . 3.2. Cipher suites . . . . . . . . . . . . . . . . 3.2.1. Architectural overview . . . . . . 3.2.2. Forward Secrecy . . . . . . . . . 3.2.3. Recommended cipher suites . . 3.2.4. Compatibility . . . . . . . . . . . 3.2.5. Choosing your own cipher suites
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
. . . . . . .
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 5 of 80
Contents 3.3. Random Number Generators . . . . . . . . . . 3.3.1. When random number generators fail 3.3.2. Linux . . . . . . . . . . . . . . . . . . . . 3.3.3. Recommendations . . . . . . . . . . . . 3.4. Keylengths . . . . . . . . . . . . . . . . . . . . . 3.5. A note on Elliptic Curve Cryptography . . . . . 3.6. A note on SHA-1 . . . . . . . . . . . . . . . . . . 3.7. A note on Die Hellman Key Exchanges . . . 3.8. Public Key Infrastructures . . . . . . . . . . . . 3.8.1. Certicate Authorities . . . . . . . . . . 3.8.2. Hardening PKI . . . . . . . . . . . . . . . A. Tools A.1. SSL & TLS . A.2. Keylength . A.3. RNGs . . . A.4. Guides . . B. Links C. Suggested Reading D. Cipher Suite Name Cross-Reference E. Further research . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55 56 56 57 57 59 59 60 60 61 62 63 63 64 64 64 65 67 68 77
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
. . . .
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 6 of 80
Contents
1. Introduction
1.1. Audience
Sysadmins. Sysadmins. Sysadmins. They are a force-multiplier.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 7 of 80
Contents
Start
Introduction
Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrically weak that NSA can frequently nd ways around it. Edward Snowden, answering questions live on the Guardians website [Gle13]
This guide specically does not address physical security, protecting software and hardware against exploits, basic IT security housekeeping, information assurance techniques, trac analysis attacks, issues with key-roll over and key management, securing client PCs and mobile devices (theft, loss), proper OPSec1 , social engineering attacks, anti-tempest [Wik13d] attack techniques, protecting against dierent side-channel attacks (timing, cache timing, dierential fault analysis, dierential power analysis or power monitoring attacks), downgrade attacks, jamming the encrypted channel or other similar attacks which are typically employed to circumvent strong encryption. The authors can not overstate the importance of these other techniques. Interested readers are advised to read about these attacks in detail since they give a lot of insight into other parts of cryptography engineering which need to be dealt with.2
1 https://en.wikipedia.org/wiki/Operations_security 2 An
easy to read yet very insightful recent example is the "FLUSH+RELOAD" technique [YF13] for leaking cryptographic keys from one virtual machine to another via L3 cache timing attacks.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 8 of 80
Contents This guide does not talk much about the well-known insecurities of trusting a public-key infrastructure (PKI)3 . Nor does this text fully explain how to run your own Certicate Authority (CA). Most of this zoo of information security issues are addressed in the very comprehensive book Security Engineering by Ross Anderson [And08]. For some experts in cryptography this text might seem too informal. However, we strive to keep the language as non-technical as possible and tting for our target audience: system administrators who can collectively improve the security level for all of their users.
Security is a process, not a product. Bruce Schneier
This guide can only describe what the authors currently believe to be the best settings based on their personal experience and after intensive cross checking with literature and experts. For a complete list of people who reviewed this paper, see the Acknowledgements. Even though multiple specialists reviewed the guide, the authors can give no guarantee whatsoever that they made the right recommendations. Keep in mind that tomorrow there might be new attacks on some ciphers and many of the recommendations in this guide might turn out to be wrong. Security is a process. We therefore recommend that system administrators keep up to date with recent topics in IT security and cryptography. In this sense, this guide is very focused on getting the cipher strings done right even though there is much more to do in order to make a system more secure. We the authors, need this document as much as the reader needs it.
Scope
In this guide, we restricted ourselves to: Internet-facing services Commonly used services Devices which are used in business environments (this specically excludes XBoxes, Playstations and similar consumer devices) OpenSSL We explicitly excluded: Specialized systems (such as medical devices, most embedded systems, etc.) Wireless Access Points Smart-cards/chip cards
3 Interested
readers are referred to https://bugzilla.mozilla.org/show_bug.cgi?id=647959 or https://www.h-online.com/ security/news/item/Honest-Achmed-asks-for-trust-1231314.html which brings the problem of trusting PKIs right to the point
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 9 of 80
Contents
1.5. Methods
C.O.S.H.E.R - completely open source, headers, engineering and research A. Kaplans mail signature for many years
For writing this guide, we chose to collect the most well researched facts about cryptography settings and let as many trusted specialists as possible review those settings. The review process is completely open and done on a public mailing list. The document is available (read-only) to the public Internet on the web page and the source code of this document is on a public git server, mirrored on GitHub.com and open for public scrutiny. However, write permissions to the document are only granted to vetted people. The list of reviewers can be found in the section Acknowledgements. Every write operation to the document is logged via the git version control system and can thus be traced back to a specic author. We accept git pull requests on the github mirror4 for this paper. Public peer-review and multiple eyes checking of our guide is the best strategy we can imagine at the present moment 5 . We invite the gentle reader to participate in this public review process.
4 https://github.com/BetterCrypto/Applied-Crypto-Hardening 5 https://www.wired.com/opinion/2013/10/how-to-design-and-defend-against-the-perfect-backdoor/
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 10 of 80
Contents
2. Practical recommendations
2.1. Webservers
2.1.1. Apache
Tested with Versions Apache 2.4.6 linked against OpenSSL 1.0.1e, Debian jessie
Settings Enabled modules SSL and Headers are required. SS LC er ti fi ca te Fi le server . crt S S L C e r t i f i c a t e K e y F i l e server . key SSLProtocol All - SSLv2 - SSLv3 S S LH o n or C i ph e r Or d e r On SSLCompression off # Add six earth month HSTS header for all users ... Header add Strict - Transport - Security " max - age =15768000" # If you want to protect all subdomains , use the following header # ALL subdomains HAVE TO support https if you use this ! # Strict - Transport - Security : max - age =15768000 ; inc ludeSu bDomai ns SSLCipherSuite ' EDH + CAMELLIA : EDH + aRSA : EECDH + aRSA + AESGCM : EECDH + aRSA + SHA384 : EECDH + aRSA + SHA256 : EECDH :+ CAMELLIA256 :+ AES256 :+ CAMELLIA128 :+ AES128 :+ SSLv3 :! aNULL :! eNULL :! LOW :!3 DES :! MD5 :! EXP :! PSK :! SRP :! DSS :! RC4 :! SEED :! ECDSA : CAMELLIA256 - SHA : AES256 - SHA : CAMELLIA128 - SHA : AES128 - SHA ' Note that any cipher suite starting with EECDH can be omitted, if in doubt. (Compared to the theory section, EECDH in Apache and ECDHE in OpenSSL are synonyms 1 )
1 https://www.mail-archive.com/[email protected]/msg33405.html
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 11 of 80
Contents Additional settings You might want to redirect everything to https:// if possible. In Apache you can do this with the following setting inside of a VirtualHost environment: < VirtualHost *:80 > #... RewriteEngine On RewriteRule ^.* $ https :https://%{ SERVER_NAME }%{ REQUEST_URI } [L , R = permanent ] #... </ VirtualHost >
References https://httpd.apache.org/docs/2.4/ssl/
2.1.2. lighttpd
Tested with Version lighttpd/1.4.31-4 with OpenSSL 1.0.1e on Debian 7.0 lighttpd/1.4.33 with OpenSSL 0.9.8o on Debian Squeeze (note that TLSv1.2 does not work in openssl 0.9.8 thus not all ciphers actually work) lighttpd/1.4.28-2 with OpenSSL 0.9.8o on Debian Squeeze (note that TLSv1.2 does not work in openssl 0.9.8 thus not all ciphers actually work)
Settings TODO: FIXME: this string seems to be wrongly formatted?? $SERVER [" socket "] == "0.0.0.0:443" { ssl . engine = " enable " ssl . use - sslv2 = " disable " ssl . use - sslv3 = " disable " # ssl . use - compression obsolete >= 1.4.3.1 ssl . pemfile = "/ etc / lighttpd / server . pem "
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 12 of 80
Contents ssl . cipher - list = " EDH + CAMELLIA : EDH + aRSA : EECDH + aRSA + AESGCM : EECDH + aRSA + SHA384 : EECDH + aRSA + SHA256 : EECDH :+ CAMELLIA256 :+ AES256 :+ CAMELLIA128 :+ AES128 :+ SSLv3 :! aNULL :! eNULL :! LOW :!3 DES :! MD5 :! EXP :! PSK :! SRP :! DSS :! RC4 :! SEED :! ECDSA : CAMELLIA256 - SHA : AES256 - SHA : CAMELLIA128 - SHA : AES128 - SHA " ssl . honor - cipher - order = " enable " setenv . add - response - header = ( " Strict - Transport - Security " = > " max - age =31536000")
Additional settings As for any other webserver, you might want to automatically redirect http trac toward https:// It is also recommended to set the environment variable HTTPS, so the applications run by the webserver can easily detect, that HTTPS is in use. $HTTP [" scheme "] == " http " { # capture vhost name with regex conditiona -> %0 in redirect pattern # must be the most inner block to the redirect rule $HTTP [" host "] =~ ".*" { url . redirect = (".*" = > " https :https://%0 $0 ") } # Set the environment variable properly setenv . add - environment = ( " HTTPS " = > " on " ) }
Additional information The cong option honor-cipher-order is available since 1.4.30, the supported ciphers depend on the used OpenSSL-version (at runtime). ECDH has to be available in OpenSSL at compile-time, which should be default. SSL compression should by deactivated by default at compile-time (if not, its active). Support for other SSL-libraries like GnuTLS will be available in the upcoming 2.x branch, which is currently under development.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 13 of 80
Contents Release 1.4.30 (How to mitigate BEAST attack) https://redmine.lighttpd.net/projects/lighttpd/ wiki/Release-1_4_30 SSL Compression disabled by default: https://redmine.lighttpd.net/issues/2445
2.1.3. nginx
Tested with Version 1.4.4 with OpenSSL 1.0.1e on OS X Server 10.8.5 1.2.1-2.2+wheezy2 with OpenSSL 1.0.1e on Debian 7.0 1.4.4 with OpenSSL 1.0.1e on Debian 7.0 1.2.1-2.2 bpo60+2 with OpenSSL 0.9.8o on Debian Squeeze (note that TLSv1.2 does not work in openssl 0.9.8 thus not all ciphers actually work)
Settings s s l _ p r e f e r _ s e r v e r _ c i p h e r s on ; ssl_protocols TLSv1 TLSv1 .1 TLSv1 .2; # not possible to do exclusive ssl_ciphers ' EDH + CAMELLIA : EDH + aRSA : EECDH + aRSA + AESGCM : EECDH + aRSA + SHA384 : EECDH + aRSA + SHA256 : EECDH :+ CAMELLIA256 :+ AES256 :+ CAMELLIA128 :+ AES128 :+ SSLv3 :! aNULL :! eNULL :! LOW :!3 DES :! MD5 :! EXP :! PSK :! SRP :! DSS :! RC4 :! SEED :! ECDSA : CAMELLIA256 - SHA : AES256 - SHA : CAMELLIA128 - SHA : AES128 - SHA ' ; add_header Strict - Transport - Security max - age =2592000; If you absolutely want to specify your own DH parameters, you can specify them via ssl_dhparam file ; However, we advise you to read section 3.7 and stay with the standard IKE/IETF parameters (as long as they are > 1024 bits). Additional settings If you decide to trust NISTs ECC curve recommendation, you can add the following line to nginxs conguration le to select special curves: ssl_ecdh_curve secp384r1 ;
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 14 of 80
Contents You might want to redirect everything to https:// if possible. In Nginx you can do this with the following setting: return 301 https :https:// $ host$r equest _uri ;
2.1.4. MS IIS
TODO: Daniel: add screenshots and registry keys
Settings When trying to avoid RC4 and CBC (BEAST-Attack) and requiring perfect forward secrecy, Microsoft Internet Information Server (IIS) supports ECDSA, but does not support RSA for key exchange (consider ECC suite B doubts2 ). Since ECDHE_RSA_* is not supported, a SSL certicate based on elliptic curves needs to be used. The conguration of cipher suites MS IIS will use, can be congured in one of the following ways: 1. Group Policy 3 2. Registry 3. IIS Crypto 4
2 https://safecurves.cr.yp.to/rigid.html 3 https://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx 4 https://www.nartac.com/Products/IISCrypto/
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 15 of 80
Contents Table 2.1 shows the process of turning on one algorithm after another and the eect on the supported clients tested using https://www.ssllabs.com. SSL 3.0, SSL 2.0 and MD5 are turned o. TLS 1.0 and TLS 2.0 are turned on.
Cipher Suite TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA Client only IE 10,11, OpenSSL 1.0.1e Chrome 30, Opera 17, Safari 6+ FF 10-24, IE 8+, Safari 5, Java 7
Table 2.1 shows the algorithms from strongest to weakest and why they need to be added in this order. For example insisting on SHA-2 algorithms (only rst two lines) would eliminate all versions of Firefox, so the last line is needed to support this browser, but should be placed at the bottom, so capable browsers will choose the stronger SHA-2 algorithms. TLS_RSA_WITH_RC4_128_SHA or equivalent should also be added if MS Terminal Server Connection is used (make sure to use this only in a trusted environment). This suite will not be used for SSL, since we do not use a RSA Key. Clients not supported: 1. Java 6 2. WinXP 3. Bing
Additional settings Justication for special settings (if needed) References TODO: add references
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 16 of 80
Contents
2.2. SSH
2.2.1. OpenSSH
Tested with Version OpenSSH 6.1
Settings # ... Protocol 2 P e r m i t E m p t y P a s s w o r d s no PermitRootLogin no StrictModes yes HostKey / etc / ssh / ssh_host_rsa_key Ciphers aes256 - gcm@openssh . com , aes128 - gcm@openssh . com , aes256 - ctr , aes128 - ctr MACs umac -128 - etm@openssh . com , hmac - sha2 -512 , hmac - sha2 -256 , hmac - ripemd160 KexAlgorithms curve25519 - sha256@libssh . org , diffie - hellman - group - exchange - sha256 , diffie - hellman - group14 - sha1 , diffie - hellman - group - exchange - sha1 Note: Older Linux systems wont support SHA2. PuTTY (Windows) does not support RIPE-MD160. Curve25519, AES-GCM and UMAC are only available upstream (OpenSSH 6.1). DSA host keys have been removed on purpose, the DSS standard does not support for DSA keys stronger than 1024bit 5 which is far below current standards (see section 3.4). Legacy systems can use this conguration and simply omit unsupported ciphers, key exchange algorithms and MACs.
References The openssh sshd_cong man page is the best reference: https://www.openssh.org/cgi-bin/man. cgi?query=sshd_cong
How to test Connect a client with verbose logging enabled to the SSH server $ ssh - vvv myserver . com
5 https://bugzilla.mindrot.org/show_bug.cgi?id=1647
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 17 of 80
Settings crypto key generate rsa modulus 2048 ssh version 2 ssh key - exchange group dh - group14 - sha1 Note: When the ASA is congured for SSH, by default both SSH versions 1 and 2 are allowed. In addition to that, only a group1 DH-key-exchange is used. This should be changed to allow only SSH version 2 and to use a key-exchange with group14. The generated RSA key should be 2048 bit (the actual supported maximum). A non-cryptographic best practice is to recongure the lines to only allow SSH-logins. References https://www.cisco.com/en/US/docs/security/asa/asa91/conguration/general/admin_management. html
How to test Connect a client with verbose logging enabled to the SSH server $ ssh - vvv myserver . com and observe the key exchange in the output.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 18 of 80
Settings crypto ip ssh ip ssh ip ssh key generate rsa modulus 2048 label SSH - KEYS rsa keypair - name SSH - KEYS version 2 dh min size 2048
Note: Same as with the ASA, also on IOS by default both SSH versions 1 and 2 are allowed and the DH-key-exchange only use a DH-group of 768 Bit. In IOS, a dedicated Key-pair can be bound to SSH to reduce the usage of individual keys-pairs. References https://www.cisco.com/en/US/docs/ios/sec_user_services/conguration/guide/sec_secure_shell_v2. html
How to test Connect a client with verbose logging enabled to the SSH server $ ssh - vvv myserver . com and observe the key exchange in the output.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 19 of 80
Contents Furthermore a mailserver can operate in three modes: As MSA (Mail Submission Agent) your mailserver receives mail from your clients MUAs (Mail User Agent). As receiving MTA (Mail Transmission Agent, MX) As sending MTA (SMTP client)
We recommend the following basic setup for all modes: correctly setup MX, A and PTR RRs without using CNAMEs at all. enable encryption (opportunistic TLS) do not use self signed certicates For SMTP client mode we additionally recommend: the hostname used as HELO must match the PTR RR setup a client certicate (most server certicates are client certicates as well) either the common name or at least an alternate subject name of your certicate must match the PTR RR do not modify the cipher suite for client mode For MSA operation we recommend: listen on submission port 587 enforce SMTP AUTH even for local networks do not allow SMTP AUTH on unencrypted connections optionally use the recommended cipher suites if (and only if) all your connecting MUAs support them We strongly recommend to allow all cipher suites for anything but MSA mode, because the alternative is plain text transmission.
2.3.2. Dovecot
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 20 of 80
Settings ssl_cipher_list = ' EDH + CAMELLIA : EDH + aRSA : EECDH + aRSA + AESGCM : EECDH + aRSA + SHA384 : EECDH + aRSA + SHA256 : EECDH :+ CAMELLIA256 :+ AES256 :+ CAMELLIA128 :+ AES128 :+ SSLv3 :! aNULL :! eNULL :! LOW :!3 DES :! MD5 :! EXP :! PSK :! SRP :! DSS :! RC4 :! SEED :! ECDSA : CAMELLIA256 - SHA : AES256 - SHA : CAMELLIA128 - SHA : AES128 - SHA ' s s l _ p r e f e r _ s e r v e r _ c i p h e r s = yes
Additional info Dovecot 2.0, 2.1: Almost as good as dovecot 2.2. Dovecot does not ignore unknown conguration parameters. Does not support ssl_prefer_server_ciphers
Limitations Dovecot currently does not support disabling TLS compression. Furthermore, DH parameters greater than 1024bit are not supported. The most recent version 2.2.7 of Dovecot implements congurable DH parameter length 6 .
References https://wiki2.dovecot.org/SSL
6 https://hg.dovecot.org/dovecot-2.2/rev/43ab5abeb8f0
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 21 of 80
Contents
2.3.3. cyrus-imapd
Settings
imapd.conf
To activate SSL/TLS congure your certicate with tls_cert_file : .../ cert . pem tls_key_file : .../ cert . key Do not forget to add necessary intermediate certicates to the .pem le.
Limiting the ciphers provided may force (especially older) clients to connect without encryption at all! Sticking to the defaults is recommended.
If you still want to force strong encryption use tls_cipher_list : EDH + CAMELLIA : EDH + aRSA : EECDH + aRSA + AESGCM : EECDH + aRSA + SHA384 : EECDH + aRSA + SHA256 : EECDH :+ CAMELLIA256 :+ AES256 :+ CAMELLIA128 :+ AES128 :+ SSLv3 :! aNULL :! eNULL :! LOW :!3 DES :! MD5 :! EXP :! PSK :! SRP :! DSS :! RC4 :! SEED :! ECDSA : CAMELLIA256 - SHA : AES256 - SHA : CAMELLIA128 - SHA : AES128 - SHA cyrus-imapd loads hardcoded 1024 bit DH parameters using get_rfc2409_prime_1024() by default. If you want to load your own DH parameters add them PEM encoded to the certicate le given in tls_cert_le. Do not forget to re-add them after updating your certicate.
To prevent unencrypted connections on the STARTTLS ports you can set allowplaintext : 0 This way MUAs can only authenticate after STARTTLS if you only provide plaintext and SASL PLAIN login methods. Therefore providing CRAM-MD5 or DIGEST-MD5 methods is not recommended.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 22 of 80
Contents cyrus.conf
To support POP3/IMAP on ports 110/143 with STARTTLS add imap pop3 cmd =" imapd " listen =" imap " prefork =3 cmd =" pop3d " listen =" pop3 " prefork =1
To support POP3S/IMAPS on ports 995/993 add imaps pop3s cmd =" imapd -s " listen =" imaps " prefork =3 cmd =" pop3d -s " listen =" pop3s " prefork =1
Limitations cyrus-imapd currently (2.4.17, trunk) does not support elliptic curve cryptography. Hence, ECDHE will not work even if dened in your cipher list.
2.3.4. Postx
Tested with Version Postx 2.9.6 (Debian 7.0)
As discussed in section 2.3.1, because of opportunistic encryption we do not restrict the list of ciphers. There are still some steps needed to enable TLS, all in main.cf:
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 23 of 80
Contents s m tp d _ tl s _ ce r t _f i l e = / etc / postfix / server . pem sm tp d_ tl s_ ke y_ fi le = / etc / postfix / server . key # use 0 for Postfix >= 2.9 , and 1 for earlier versions sm tp d_ tl s_ lo gl ev el = 0 # enable opportunistic TLS support in the SMTP server and client s m t p d _ t l s _ s e c u r i t y _ l e v e l = may s m t p _ t l s _ s e c u r i t y _ l e v e l = may # if you have authentication enabled , only offer it after STARTTLS s m tp d _ tl s _ au t h _o n l y = yes tls_ssl_options = NO_COMPRESSION
MSA For the MSA smtpd process, we rst dene the ciphers that are acceptable for the mandatory security level, again in main.cf: s m t p d _ t l s _ m a n d a t o r y _ p r o t o c o l s = ! SSLv2 , ! SSLv3 s m t p d _ t l s _ m a n d a t o r y _ c i p h e r s = high t l s_ h i gh _ c ip h e rl i s t = EDH + CAMELLIA : EDH + aRSA : EECDH + aRSA + AESGCM : EECDH + aRSA + SHA384 : EECDH + aRSA + SHA256 : EECDH :+ CAMELLIA256 :+ AES256 :+ CAMELLIA128 :+ AES128 :+ SSLv3 :! aNULL :! eNULL :! LOW :!3 DES :! MD5 :! EXP :! PSK :! SRP :! DSS :! RC4 :! SEED :! ECDSA : CAMELLIA256 - SHA : AES256 - SHA : CAMELLIA128 - SHA : AES128 - SHA Then, we congure the MSA smtpd in master.cf with two additional options that are only used for this instance of smtpd: 587 inet n smtpd -o s m t p d _ t l s _ s e c u r i t y_ l e v e l = encrypt -o t l s _ p r e e m p t _ c i p h e r l i s t = yes
For those users who want to use ECC key exchange, it is possible to specify this via: s m t p d _ t l s _ e e c d h _ g r a d e = ultra
Limitations tls_ssl_options is supported from Postx 2.11 onwards. You can leave the statement in the conguration for older versions, it will be ignored. tls_preempt_cipherlist is supported from Postx 2.8 onwards. Again, you can leave the statement in for older versions.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 24 of 80
Contents Additional settings Postx has two sets of built-in DH parameters that can be overridden with the smtpd_tls_dh512_param_file and smtpd_tls_dh1024_param_file options. The dh512 parameters are used for export ciphers, while the dh1024 ones are used for all other ciphers. The bit length in those parameter names is just a name, so one could use stronger parameter sets; it should be possible to e.g. use the IKE Group14 parameters (see section 3.7) without much interoperability risk, but we have not tested this yet.
How to test You can check the eect of the settings with the following command: $ zegrep " TLS connection established from .* with cipher " / var / log / mail . log | awk ' { printf ("% s % s % s % s \ n " , $12 , $13 , $14 , $15 ) } ' | sort | uniq -c | sort -n 1 SSLv3 with cipher DHE - RSA - AES256 - SHA 23 TLSv1 .2 with cipher DHE - RSA - AES256 - GCM - SHA384 60 TLSv1 with cipher ECDHE - RSA - AES256 - SHA 270 TLSv1 .2 with cipher ECDHE - RSA - AES256 - GCM - SHA384 335 TLSv1 with cipher DHE - RSA - AES256 - SHA openssl s_client - starttls smtp - crlf - connect SERVER . TLD :25
In the main cong section of Exim add: tls_certificate = ..../ cert . pem tls_privatekey = ..../ cert . key dont forget to add intermediate certicates to the .pem le if needed. Tell Exim to advertise STARTTLS in the EHLO answer to everyone: t l s_ a d ve r t is e _ ho s t s = * If you want to support legacy SMTPS on port 465, and STARTTLS on smtp(25)/submission(587) ports set
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 25 of 80
It is highly recommended to limit SMTP AUTH to SSL connections only. To do so add s e r v e r _ a d v e r t i s e _ c o n d i t i o n = $ { if eq { $tls_cipher }{}{ no }{ yes }} to every authenticator dened.
Add the following rules on top of your acl_smtp_mail: warn hosts control = * = submission / sender_retain
This switches Exim to submission mode and allows addition of missing Message-ID and Date headers.
It is not advisable to restrict the default cipher list for MSA mode if you dont know all connecting MUAs. If you still want to dene one please consult the Exim documentation or ask on the eximusers mailinglist.
The cipher used is written to the logles by default. You may want to add log_selector = < whatever your log_selector already contains > \ + t l s _ c e r t i f i c a t e _ v e r i f i e d + tls_peerdn + tls_sni to get even more TLS information logged.
In the main cong section of Exim add: tls_certificate = ..../ cert . pem tls_privatekey = ..../ cert . key dont forget to add intermediate certicates to the .pem le if needed. Tell Exim to advertise STARTTLS in the EHLO answer to everyone: t l s_ a d ve r t is e _ ho s t s = * Listen on smtp(25) port only daem on_sm tp_por ts = smtp
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 26 of 80
Contents It is not advisable to restrict the default cipher list for opportunistic encryption as used by SMTP. Do not use cipher lists recommended for HTTPS! If you still want to dene one please consult the Exim documentation or ask on the exim-users mailinglist.
If you want to request and verify client certicates from sending hosts set t l s _ v e r i f y _ c e r t i f i c a t e s = / etc / pki / tls / certs / ca - bundle . crt tls_try_verify_hosts = * tls_try_verify_hosts only reports the result to your logle. If you want to disconnect such clients you have to use tls_verify_hosts = * The cipher used is written to the logles by default. You may want to add log_selector = < whatever your log_selector already contains > \ + t l s _ c e r t i f i c a t e _ v e r i f i e d + tls_peerdn + tls_sni to get even more TLS information logged.
Exim uses opportunistic encryption in the SMTP transport by default. Client mode settings have to be done in the conguration section of the smtp transport (driver = smtp). If you want to use a client certicate (most server certicates can be used as client certicate, too) set tls_certificate tls_privatekey = .../ cert . pem = .../ cert . key
Do not limit ciphers without a very good reason. In the worst case you end up without encryption at all instead of some weak encryption. Please consult the Exim documentation if you really need to dene ciphers.
OpenSSL Exim already disables SSLv2 by default. We recommend to add openssl_options = + all + no_sslv2 + no_compression + cipher_server_preference
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 27 of 80
Contents to the main conguration. Note: +all is misleading here since OpenSSL only activates the most common workarounds. But thats how SSL_OP_ALL is dened.
You do not need to set dh_parameters. Exim with OpenSSL by default uses parameter initialization with the "2048-bit MODP Group with 224-bit Prime Order Subgroup" dened in section 2.2 of RFC 5114 [LK08] (ike23). If you want to set your own DH parameters please read the TLS documentation of exim.
GnuTLS
GnuTLS is dierent in only some respects to OpenSSL: tls_require_ciphers needs a GnuTLS priority string instead of a cipher list. It is recommended to use the defaults by not dening this option. It highly depends on the version of GnuTLS used. Therefore it is not advisable to change the defaults. There is no option like openssl_options
Note that most of the options accept expansion strings. This way you can e.g. set cipher lists or STARTTLS advertisement conditionally. Please follow the link to the ocial Exim documentation to get more information.
Limitations
Exim currently (4.82) does not support elliptic curves with OpenSSL. This means that ECDHE is not used even if dened in your cipher list. There already is a working patch to provide support: https://bugs.exim.org/show_bug.cgi?id=1397
How to test openssl s_client - starttls smtp - crlf - connect SERVER . TLD :25
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 28 of 80
Contents
2.4. VPNs
2.4.1. IPSec
Settings Assumptions
We assume the use of IKE (v1 or v2) and ESP for this document.
Authentication
IPSEC authentication should optimally be performed via RSA signatures, with a key size of 2048 bits or more. Conguring only the trusted CA that issued the peer certicate provides for additional protection against fake certicates. If you need to use Pre-Shared Key authentication: 1. Choose a random, long enough PSK (see below) 2. Use a separate PSK for any IPSEC connection 3. Change the PSKs regularly The size of the PSK should not be shorter than the output size of the hash algorithm used in IKE 7 . For a key composed of upper- and lowercase letters, numbers, and two additional symbols8 , table 2.2 gives the minimum lengths in characters.
IKE Hash SHA256 SHA384 SHA512 PSK length 43 64 86
Cryptographic Suites
is used in a HMAC, see RFC2104 [KBC97] and the discussion starting in https://www.vpnc.org/ietf-ipsec/02.ipsec/ msg00268.html. 8 64 possible values = 6 bits
7 It
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 29 of 80
Contents IPSEC Cryptographic Suites are pre-dened settings for all the items of a conguration; they try to provide a balanced security level and make setting up VPNs easier. 9 When using any of those suites, make sure to enable Perfect Forward Secrecy for Phase 2, as this is not specied in the suites. The equivalents to the recommended ciphers suites in section 3.2.3 are shown in table 2.3.
Conguration A Suite-B-GCM-256 Conguration B Suite-B-GCM-128 VPN-B Notes All Suite-B variants use NIST elliptic curves
IKE or Phase 1
Alternatively to the pre-dened cipher suites, you can dene your own, as described in this and the next section. IKE or Phase 1 is the mutual authentication and key exchange phase; table 2.4 shows the parameters. Use only main mode, as aggressive mode has known security vulnerabilities 10 .
Conguration A Mode Encryption Hash DH Group Main Mode AES-256 SHA2-* Group 14-18 Conguration B Main Mode AES, CAMELLIA (-256 or -128) SHA2-*, SHA1 Group 14-18
ESP or Phase 2
ESP or Phase 2 is where the actual data are protected; recommended parameters are shown in table 2.5.
References A Cryptographic Evaluation of IPsec, Niels Ferguson and Bruce Schneier: https://www.schneier. com/paper-ipsec.pdf
9 RFC6379
10 https://ikecrack.sourceforge.net/
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 30 of 80
Contents
Conguration A Perfect Forward Secrecy Encryption yes AES-GCM-16, AES-CTR, AES-CCM-16, AES-256 Conguration B yes AES-GCM-16, AES-CTR, AES-CCM-16, AES-256, CAMELLIA-256, AES-128, CAMELLIA-128 SHA2-*, SHA1 (or none for AEAD) Same as Phase 1
Hash DH Group
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 31 of 80
Contents
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 32 of 80
Contents
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 33 of 80
Contents
2.4.3. OpenVPN
Tested with Version:
OpenVPN 2.3.2 from Debian wheezy-backports linked against openssl (libssl.so.1.0.0) OpenVPN 2.2.1 from Debian 7.0 linked against openssl (libssl.so.1.0.0) OpenVPN 2.3.2 for Windows Settings:
General We describe a conguration with certicate-based authentication; see below for details on the easyrsa tool to help you with that. OpenVPN uses TLS only for authentication and key exchange. The bulk trac is then encrypted and authenticated with the OpenVPN protocol using those keys. Note that while the tls-cipher option takes a list of ciphers that is then negotiated as usual with TLS, the cipher and auth options both take a single argument that must match on client and server.
Server Conguration tls - cipher DHE - RSA - AES256 - GCM - SHA384 : DHE - RSA - AES256 - SHA256 : DHE - RSA - AES128 - GCM - SHA256 : DHE - RSA - AES128 - SHA256 : DHE - RSA - CAMELLIA256 - SHA : DHE - RSA - AES256 - SHA : DHE - RSA - CAMELLIA128 - SHA : DHE - RSA - AES128 - SHA : CAMELLIA256 - SHA : AES256 - SHA : CAMELLIA128 - SHA : AES128 - SHA cipher AES -256 - CBC auth SHA384
Client Conguration Client and server have to use compatible congurations, otherwise they cant communicate. The cipher and auth directives have to be identical. tls - cipher DHE - RSA - AES256 - GCM - SHA384 : DHE - RSA - AES256 - SHA256 : DHE - RSA - AES128 - GCM - SHA256 : DHE - RSA - AES128 - SHA256 : DHE - RSA - CAMELLIA256 - SHA : DHE - RSA - AES256 - SHA : DHE - RSA - CAMELLIA128 - SHA : DHE - RSA - AES128 - SHA : CAMELLIA256 - SHA : AES256 - SHA : CAMELLIA128 - SHA : AES128 - SHA cipher AES -256 - CBC auth SHA384
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 34 of 80
Contents # http :https:// openvpn . net / index . php / open - source / documentation / howto . html # mitm remote - cert - tls server tls - remote server . example . com Justication for special settings (if needed): OpenVPN 2.3.1 changed the values that the tls-cipher option expects from OpenSSL to IANA cipher names. That means from that version on you will get Deprecated TLS cipher name warnings for the congurations above. You cannot use the selection strings from section 3.2.3 directly from 2.3.1 on, which is why we give an explicit cipher list here. In addition, there is a 256 character limit on conguration le line lengths; that limits the size of cipher suites, so we dropped all ECDHE suites. The conguration shown above is compatible with all tested versions. References:
Key renegotiation interval The default for renegotiation of encryption keys is one hour (reneg-sec 3600). If you transfer huge amounts of data over your tunnel, you might consider conguring a shorter interval, or switch to a byte- or packet-based interval (reneg-bytes or reneg-pkts).
Fixing easy-rsa When installing an OpenVPN server instance, you are probably using easy-rsa to generate keys and certicates. The le vars in the easyrsa installation directory has a number of settings that should be changed to secure values: export KEY_SIZE =4096 export KEY_EXPIRE =365 export CA_EXPIRE =1826 This will enhance the security of the key generation by using RSA keys with a length of 4096 bits, and set a lifetime of one year for the server/client certicates and ve years for the CA certicate. NOTE: 4096 bits is only an example of how to do this with easy-rsa. See also section 3.4 for a discussion on keylengths. In addition, edit the pkitool script and replace all occurences of sha1 with sha256, to sign the certicates with SHA256.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 35 of 80
Contents Limitations: Note that the ciphersuites shown by openvpn --show-tls are known, but not necessarily supported 11 . Which cipher suite is actually used can be seen in the logs: Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-CAMELLIA256-SHA, 2048 bit RSA
2.4.4. PPTP
PPTP is considered insecure, Microsoft recommends to use a more secure VPN tunnel12 . There is a cloud service that cracks the underlying MS-CHAPv2 authentication protocol for the price of USD 20013 , and given the resulting MD4 hash, all PPTP trac for a user can be decrypted.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 36 of 80
Contents protocol esp encryption aes -192 protocol esp integrity sha -1 md5 crypto ipsec ikev2 ipsec - proposal AES256 protocol esp encryption aes -256 protocol esp integrity sha -1 md5 crypto ipsec ikev2 sa - strength - enforcement crypto ipsec security - association pmtu - aging infinite crypto dynamic - map S Y S T E M _ D E F A U L T _ C R Y P T O _ M A P 65535 set pfs group14 crypto dynamic - map S Y S T E M _ D E F A U L T _ C R Y P T O _ M A P 65535 set ikev2 ipsec - proposal AES256 - GCM AES192 - GCM AES128 - GCM AES - GCM - Fallback AES - Fallback crypto map Outside - DMZ_map 65535 ipsec - isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP crypto map Outside - DMZ_map interface Outside - DMZ crypto ikev2 policy 1 encryption aes - gcm -256 integrity null group 14 prf sha512 sha384 sha256 sha lifetime seconds 86400 crypto ikev2 policy 2 encryption aes - gcm -256 aes - gcm -192 aes - gcm integrity null group 14 prf sha512 sha384 sha256 sha lifetime seconds 86400 crypto ikev2 policy 3 encryption aes -256 aes -192 aes integrity sha512 sha384 sha256 group 14 prf sha512 sha384 sha256 sha lifetime seconds 86400 crypto ikev2 policy 4 encryption aes -256 aes -192 aes integrity sha512 sha384 sha256 sha group 14 prf sha512 sha384 sha256 sha lifetime seconds 86400 crypto ikev2 enable Outside - DMZ client - services port 443 crypto ikev2 remote - access trustpoint ASDM_TrustPoint0 ssl server - version tlsv1 - only ssl client - version tlsv1 - only ssl encryption dhe - aes256 - sha1 dhe - aes128 - sha1 aes256 - sha1 aes128 - sha1 ssl trust - point ASDM_TrustPoint0 Outside - DMZ Justication for special settings (if needed): New IPsec policies have been dened which do not make use of ciphers that may be cause for concern. Policies have a "Fallback" option to support legacy devices.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 37 of 80
Contents 3DES has been completely disabled as such Windows XP AnyConnect Clients will no longer be able to connect. The Cisco ASA platform does not currently support RSA Keys above 2048bits. Legacy ASA models (e.g. 5505, 5510, 5520, 5540, 5550) do not oer the possibility to congure for SHA256/SHA384/SHA512 nor AES-GCM for IKEv2 proposals. References: https://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html https://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html
Hashing Avoid SHA-1 in GnuPG. Edit $HOME/.gnupg/gpg.conf: # according to : https :https:// www . debian - administration . org / users / dkg / weblog /48 personal - digest - preferences SHA256 cert - digest - algo SHA256 default - preference - list SHA512 SHA384 SHA256 SHA224 AES256 AES192 AES CAST5 ZLIB BZIP2 ZIP Uncompressed Before you generate a new PGP key, make sure there is enough entropy available (see subsection 3.3.2).
14 https://tools.ietf.org/search/rfc4880 15 https://www.schneier.com/blog/archives/2005/02/sha1_broken.html 16 https://www.gnupg.org/
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 38 of 80
Contents
ejabberd Tested with Version: Debian 7.0, version 2.1.10-4+deb7u1 Settings: ejabberd is one of the popular Jabber servers. In order to be compliant with the manifesto, you should adapt your conguration18 : { listen , [ {5222 , ejabberd_c2s , [
{ access , c2s } , { shaper , c2s_shaper } , { max_stanza_size , 65536} , starttls , starttls_required , { certfile , "/ etc / ejabberd / ejabberd . pem "} ]} , {5269 , ejabberd_s2s_in , [
17 https://github.com/stpeter/manifesto 18 https://www.process-one.net/docs/ejabberd/guide_en.html
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 39 of 80
Contents { shaper , s2s_shaper } , { max_stanza_size , 131072} ]} , %%% Other input ports ]}. { s2s_use_starttls , required_trusted }. { s2s_certfile , "/ etc / ejabberd / ejabberd . pem "}. Additional settings: Older Versions of ejabberd (< 2.0.0) need to be patched19 to be able to parse all of the certicates in the CA chain.
Newer versions of ejabberd now support specifying the cipher string in the cong le. See the commit message: https://github.com/processone/ejabberd/commit/1dd94ac0d06822daa8c394ea2da20d91c8 However, this change did not yet make it into the stable release at the time of this writing. References: How to test: https://xmpp.net is a practical website to test Jabber server congurations.
Chat privacy - O-the-Record Messaging (OTR) The OTR protocol works on top of the Jabber protocol20 . It adds to popular chat clients (Adium, Pidgin...) the following properties for encrypted chats: Authentication Integrity Condentiality Forward secrecy It basically uses Die-Hellman, AES and SHA1. Communicating over an insecure instant messaging network, OTR can be used for end to end encryption. There are no specic congurations required but the protocol itself is worth to be mentioned.
IRC There are numerous implementations of IRC servers. In this section, we choose Charybdis which serves as basis for ircd-seven21 , developed and used by freenode. Freenode is actually the biggest IRC network22 . Charybdis is part of the Debian & Ubuntu distributions.
19 https://hyperstruct.net/2007/06/20/installing-the-startcom-ssl-certicate-in-ejabberd/ 20 https://otr.cypherpunks.ca/Protocol-v3-4.0.0.html 21 https://dev.freenode.net/redmine/projects/ircd-seven 22 https://irc.netsplit.de/networks/top10.php
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 40 of 80
Contents /* Extensions */ # Some modules # loadmodule " extensions / c hm _s slo nl y_ co mp at . so "; loadmodule " extensions / extb_ssl . so "; # Some other modules serverinfo { /* Standard piece of information */ ssl_private_key = " etc / test . key "; ssl_cert = " etc / test . cert "; ssl_dh_params = " etc / dh . pem "; # set ssld_count as number of cores - 1 ssld_count = 1;
};
SILC SILC23 is instant messaging protocol publicly released in 2000. SILC is a per-default secure chat protocol thanks to a generalized usage of symmetric encryption. Keys are generated by the server meaning that if compromised, communication could be compromised. The protocol is not really popular anymore.
23 https://www.silcnet.org/
and https://en.wikipedia.org/wiki/SILC_(protocol)
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 41 of 80
Contents MySQL Tested with Version: Debian 7.0 and MySQL 5.5 Settings:
my.cnf [ mysqld ] ssl ssl - ca =/ etc / mysql / ssl / ca - cert . pem ssl - cert =/ etc / mysql / ssl / server - cert . pem ssl - key =/ etc / mysql / ssl / server - key . pem ssl - cipher = EECDH + aRSA + AESGCM : EECDH + aRSA + SHA384 : EECDH + aRSA + SHA256 : EDH + CAMELLIA256 : EECDH : EDH + aRSA :+ SSLv3 :! aNULL :! eNULL :! LOW :!3 DES :! MD5 :! EXP :! PSK :! SRP :! DSS :! RC4 :! SEED :! AES128 :! CAMELLIA128 :! ECDSA : AES256 - SHA Additional settings: Justication for special settings (if needed): References: https://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html How to test: After restarting the server run the following query to see if the ssl settings are correct: show variables like ' % ssl % ' ;
ssl_cipherspecs In the link above the whole SSL-conguration is described in-depth. The following command shows only how to set the recommended ciphersuites. # recommended and supported ciphersuites db2 update dbm cfg using SSL_CIPHERSPECS TLS_RSA_WITH_AES_256_CBC_SHA256 , TLS_RSA_WITH_AES_128_GCM_SHA256 , TLS_RSA_WITH_AES_128_CBC_SHA256 , T LS _E C DH E _R SA _ WI T H_ AE S _1 2 8_ GC M _S H A2 56 ,
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 42 of 80
Contents T L S _ EC D H E _ E C D SA _ W I T H _ A ES _ 1 2 8 _ G C M_ S H A 2 5 6 , T LS _E C DH E _R SA _ WI T H_ AE S _1 2 8_ CB C _S H A2 56 , T L S _ EC D H E _ E C D SA _ W I T H _ A ES _ 1 2 8 _ C B C_ S H A 2 5 6 , TLS_RSA_WITH_AES_256_GCM_SHA384 , T LS _E C DH E _R SA _ WI T H_ AE S _2 5 6_ GC M _S H A3 84 , T L S _ EC D H E _ E C D SA _ W I T H _ A ES _ 2 5 6 _ G C M_ S H A 3 8 4 , T LS _E C DH E _R SA _ WI T H_ AE S _2 5 6_ CB C _S H A3 84 , T L S _ EC D H E _ E C D SA _ W I T H _ A ES _ 2 5 6 _ C B C_ S H A 3 8 4 , TLS _ECDHE _RSA_W ITH_A ES_256 _CBC_S HA , T LS_ EC DH E_ EC DS A_ WI TH _A ES _2 56 _CB C_ SH A , TLS_RSA_WITH_AES_256_CBC_SHA , TLS_RSA_WITH_AES_128_CBC_SHA , TLS _ECDHE _RSA_W ITH_A ES_128 _CBC_S HA , TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
PostgreSQL Tested with Version: Debian 7.0 and PostgreSQL 9.1 References: Its recommended to read
Settings: To start in SSL mode the server.crt and server.key must exist in the server s data directory $PGDATA. Starting with version 9.2, you have the possibility to set the path. ssl_key_file = ' / your / path / server . key ' ssl_cert_file = ' / your / path / server . crt ' ssl_ca_file = ' / your / path / root . crt '
postgresql.conf # >=8.3 ssl = on ssl_ciphers = ' EECDH + aRSA + AESGCM : EECDH + aRSA + SHA384 : EECDH + aRSA + SHA256 : EDH + CAMELLIA256 : EECDH : EDH + aRSA :+ SSLv3 :! aNULL :! eNULL :! LOW :!3 DES :! MD5 :! EXP :! PSK :! SRP :! DSS :! RC4 :! SEED :! AES128 :! CAMELLIA128 :! ECDSA : AES256 - SHA ' How to test: To test your ssl settings, run psql with the sslmode parameter: psql " sslmode = require host = postgres - server dbname = database " your - username
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 43 of 80
Contents
For encrypted trac there are four options: Block the connection because it cannot be scanned for threats. Bypass the threat-mitigation and pass the encrypted session to the client, which results in a situation where malicious content is transferred directly to the client without visibility to the security system. Intercept (i.e. terminate) the session at the proxy, scan there and re-encrypt the session towards the client (eectively MITM). Deploy special Certicate Authorities to enable Deep Packet Inspection on the wire. While the latest solution might be the most "up to date", it arises a new front in the context of this paper, because the most secure part of a clients connection could only be within the corporate network, if the proxy-server handles the connection to the destination server in an insecure manner. Conclusion: Dont forget to check your proxy solutions SSL-capabilities. Also do so for your reverse proxies!
squid As of squid-3.2.7 (01 Feb 2013) there is support for the OpenSSL NO_Compression option within squid cong (CRIME attack) and if you combine that in the cong le, with an enforcement of the server cipher preferences (BEAST Attack) you are safe.
squid.conf
TODO: UNTESTED! options = NO_SSLv2 , NO_TLSv1 , NO_Compression , C I P H E R _ S E R V E R _ P R E F E R E N C E cipher = EDH + CAMELLIA : EDH + aRSA : EECDH + aRSA + AESGCM : EECDH + aRSA + SHA384 : EECDH + aRSA + SHA256 : EECDH :+ CAMELLIA256 :+ AES256 :+ CAMELLIA128 :+ AES128 :+ SSLv3 :! aNULL :! eNULL :! LOW :!3 DES :! MD5 :! EXP :! PSK :! SRP :! DSS :! RC4 :! SEED :! ECDSA : CAMELLIA256 - SHA : AES256 - SHA : CAMELLIA128 - SHA : AES128 - SHA
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 44 of 80
Contents squid.conf
TODO: UNTESTED! NO_SSLv2 Disallow the use of SSLv2 NO_SSLv3 Disallow the use of SSLv3 NO_TLSv1 Disallow the use of TLSv1 .0 NO_TLSv1_1 Disallow the use of TLSv1 .1 NO_TLSv1_2 Disallow the use of TLSv1 .2 SINGLE_DH_USE Always create a new key when using temporary / ephemeral DH key exchanges TODO: Patch here? Denitely working for 3.2.6! For squid Versions before 3.2.7 use this patch against a vanilla source-tree: --- support . cc . ini 2013 -01 -09 02 :4 1: 51 .0 00 00 000 0 +0100 +++ support . cc 2013 -01 -21 16 :1 3: 32 .5 49 38 38 48 +0100 @@ -400 ,6 +400 ,11 @@ " NO_TLSv1_2 " , SSL_ OP_NO_ TLSv1_ 2 }, # endif +# ifdef S S L _ O P _ N O _ C O M P R E S S I O N + { + " NO_Compression " , S S L _ O P _ N O _ C O M P R E S S I O N + }, +# endif { "" , 0 },
Bluecoat Tested with Version: SGOS 6.5.x BlueCoat Proxy SG Appliances can be used as forward and reverse proxies. The reverse proxy feature is rather under-developed, and while it is possible and supported, there only seems to be limited use of this feature "in the wild" - nonetheless there are a few cipher suites to choose from, when enabling SSL features. Only allow TLS 1.0,1.1 and 1.2 protocols: $conf t $ ( config ) ssl $ ( config ssl ) edit ssl - device - profile default $ ( config device - profile default ) protocol tlsv1 tlsv1 .1 tlsv1 .2 ok Select your accepted cipher-suites:
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 45 of 80
Contents $conf t Enter configuration commands , one per line . End with CTRL - Z . $ ( config ) proxy - services $ ( config proxy - services ) edit R e v e r s e P r o x y H i g h C i p h e r $ ( config R e v e r s e P r o x y H i g h C i p h e r ) attribute cipher - suite Cipher # Use Description Strength ------- --- - - - - - - - - - - - - - - - - - - - - - - - -------1 yes AES128 - SHA256 High 2 yes AES256 - SHA256 High 3 yes AES128 - SHA Medium 4 yes AES256 - SHA High 5 yes DHE - RSA - AES128 - SHA High 6 yes DHE - RSA - AES256 - SHA High [...] 13 yes EXP - RC2 - CBC - MD5 Export Select cipher numbers to use , separated by commas : 2 ,5 ,6 ok The same protocols are available for forward proxy settings and should be adjusted accordingly: In your local policy le add the following section: <ssl > DENY server . connection . n e g o t i a t e d _ s s l _ v e r s i o n =( SSLV2 , SSLV3 ) Disabling protocols and ciphers in a forward proxy environment could lead to unexpected results on certain (miscongured?) webservers (i.e. ones accepting only SSLv2/3 protocol connections)
Pound Pound 2.6 # HTTP Listener , redirects to HTTPS ListenHTTP Address 10.10.0.10 Port 80 Service Redirect " https :https:// some . site . tld End End ## HTTPS Listener ListenHTTPS Address 10.10.0.10 Port 443 AddHeader " Front - End - Https : on " Cert "/ path / to / your / cert . pem " ## See ' man ciphers ' . Ciphers " TLSv1 .2: TLSv1 .1:! SSLv3 :! SSLv2 : EDH + CAMELLIA : EDH + aRSA : EECDH + aRSA + AESGCM : EECDH + aRSA + SHA384 : EECDH + aRSA + SHA256 : EECDH :+ CAMELLIA256 :+ AES256 :+ CAMELLIA128 :+ AES128 :+ SSLv3 :! aNULL :! eNULL
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 46 of 80
Contents :! LOW :!3 DES :! MD5 :! EXP :! PSK :! SRP :! DSS :! RC4 :! SEED :! ECDSA : CAMELLIA256 - SHA : AES256 - SHA : CAMELLIA128 - SHA : AES128 - SHA " Service BackEnd Address 10.20.0.10 Port 80 End End
End
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 47 of 80
Contents
3. Theory
3.1. Overview
The balance between freedom and security is a delicate one. Mark Udall, american politician
This chapter provides the necessary background information on why chapter 2 recommended cipher string B. We start o by explaining the structure of cipher strings in section 3.2.1 (architecture) and dene Perfect Forward Secrecy (PFS) in 3.2.2. Next we present Cipher String A and Cipher String B in section 3.2.3. This concludes the section on cipher strings. In theory, the reader should now be able to construct his or her own cipher string. However, the question why certain settings were chosen still remains. To answer this part, we need to look at recommended keylengths, problems in specic algorithms and hash functions and other cryptographic parameters. As mentioned initially in section 1.2, the ENISA [ENI13], ECRYPT 2 [IS12] and BSI [fSidIB13] reports go much more into these topics and should be consulted in addition. We try to answer the questions by explaining issues with random number generators (section 3.3), keylengths (section 3.4), current issues in ECC (section 3.5), a note of warning on SHA-1 (section 3.6) and some comments on Die Hellman key exchanges (section 3.7). All of this is important in understanding why certain choices were made for Cipher String A and B. However, for most system administrators, the question of compatibility is one of the most pressing ones. Having the freedom to be compatible with any client (even running on outdated operating systems) of course, reduces the security of our cipher strings. We address these topics in section 3.2.4. All these sections will allow a system administrator to balance his or her needs for strong encryption with usability and compatibility. Last but not least, we nish this chapter by talking about issues in PKIs (section 3.8), Certicate Authorities and on hardening a PKI. Note that these last few topics deserve a book on their own. Hence this guide can only mention a few current topics in this area.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 48 of 80
Contents
A note on nomenclature: there are two common naming schemes for cipher strings IANA names (see appendix B) and the more well known OpenSSL names. In this document we will always use OpenSSL names unless a specic service uses IANA names.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 49 of 80
Contents
Conguration A: Strong ciphers, fewer clients At the time of writing, our recommendation is to use the following set of strong cipher suites which may be useful in an environment where one does not depend on many, dierent clients and where compatibility is not a big issue. An example of such an environment might be machineto-machine communication or corporate deployments where software that is to be used can be dened without restrictions. We arrived at this set of cipher suites by selecting: TLS 1.2 Perfect forward secrecy / ephemeral Die Hellman strong MACs (SHA-2) or GCM as Authenticated Encryption scheme This results in the OpenSSL string: ' EDH + aRSA + AES256 : EECDH + aRSA + AES256 :! SSLv3 '
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 50 of 80
Contents
Compatibility: Only clients which support TLS 1.2 are covered by these cipher suites (Chrome 30, Win 7 and Win 8.1 crypto stack, Opera 17, OpenSSL 1.0.1e, Safari 6 / iOS 6.0.1, Safari 7 / OS X 10.9).
Conguration B: Weaker ciphers but better compatibility In this section we propose a slightly weaker set of cipher suites. For example, there are known weaknesses for the SHA-1 hash function that is included in this set. The advantage of this set of cipher suites is not only better compatibility with a broad range of clients, but also less computational workload on the provisioning hardware.
We arrived at this set of cipher suites by selecting: TLS 1.2, TLS 1.1, TLS 1.0 allowing SHA-1 (see the comments on SHA-1 in section 3.6) This results in the OpenSSL string: EDH + CAMELLIA : EDH + aRSA : EECDH + aRSA + AESGCM : EECDH + aRSA + SHA384 : EECDH + aRSA + SHA256 : EECDH :+ CAMELLIA256 :+ AES256 :+ CAMELLIA128 :+ AES128 :+ SSLv3 :! aNULL :! eNULL :! LOW :!3 DES :! MD5 :! EXP :! PSK :! SRP :! DSS :! RC4 :! SEED :! ECDSA : CAMELLIA256 - SHA : AES256 - SHA : CAMELLIA128 - SHA : AES128 - SHA TODO: make a column for cipher chaining mode
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 51 of 80
Contents
ID 0x009F 0x006B 0xC030 0xC028 0x009E 0x0067 0xC02F 0xC027 0x0088 0x0039 0xC014 0x0045 0x0033 0xC013 0x0084 0x0035 0x0041 0x002F
OpenSSL Name DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-CAMELLIA256-SHA DHE-RSA-AES256-SHA ECDHE-RSA-AES256-SHA DHE-RSA-CAMELLIA128-SHA DHE-RSA-AES128-SHA ECDHE-RSA-AES128-SHA CAMELLIA256-SHA AES256-SHA CAMELLIA128-SHA AES128-SHA
Version TLSv1.2 TLSv1.2 TLSv1.2 TLSv1.2 TLSv1.2 TLSv1.2 TLSv1.2 TLSv1.2 SSLv3 SSLv3 SSLv3 SSLv3 SSLv3 SSLv3 SSLv3 SSLv3 SSLv3 SSLv3
KeyEx DH DH ECDH ECDH DH DH ECDH ECDH DH DH ECDH DH DH ECDH RSA RSA RSA RSA
Auth RSA RSA RSA RSA RSA RSA RSA RSA RSA RSA RSA RSA RSA RSA RSA RSA RSA RSA
Cipher AESGCM(256) AES(256) AESGCM(256) AES(256) AESGCM(128) AES(128) AESGCM(128) AES(128) Camellia(256) AES(256) AES(256) Camellia(128) AES(128) AES(128) Camellia(256) AES(256) Camellia(128) AES(128)
MAC AEAD SHA256 AEAD SHA384 AEAD SHA256 AEAD SHA256 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1 SHA1
Compatibility: Note that these cipher suites will not work with Windows XPs crypto stack (e.g. IE, Outlook), We could not verify yet if installing JCE also xes the Java 7 DH-parameter length limitation (1024 bit). TODO: do that!
Explanation: For a detailed explanation of the cipher suites chosen, please see 3.2.5. In short, nding a single perfect cipher string is practically impossible and there must be a tradeo between compatibility and security. On the one hand there are mandatory and optional ciphers dened in a few RFCs, on the other hand there are clients and servers only implementing subsets of the specication. Straight forward, the authors wanted strong ciphers, forward secrecy 4 and the best client compatibility possible while still ensuring a cipher string that can be used on legacy installations (e.g. OpenSSL 0.9.8). Our recommended cipher strings are meant to be used via copy and paste and need to work "out of the box". TLSv1.2 is preferred over TLSv1.0 (while still providing a useable cipher string for TLSv1.0 servers). AES256 and CAMELLIA256 count as very strong ciphers at the moment.
4 https://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 52 of 80
Contents AES128 and CAMELLIA128 count as strong ciphers at the moment DHE or ECDHE for forward secrecy RSA as this will t most of today s setups AES256-SHA as a last resort: with this cipher at the end, even server systems with very old OpenSSL versions will work out of the box (version 0.9.8 for example does not provide support for ECC and TLSv1.1 or above). Note however that this cipher suite will not provide forward secrecy. It is meant to provide the same client coverage (eg. support Microsoft crypto libraries) on legacy setups.
3.2.4. Compatibility
TODO: write this section. The idea here is to rst document which server (and openssl) version we assumed. Once these parameters are xed, we then list all clients which are supported for Variant A) and B). Therefore we can document compatibilities to some extent. The sysadmin can then choose roughly what he looses or gains by omitting certain cipher suites.
Key Exchange Many algorithms allow secure key exchange. Those are RSA, DH, EDH, ECDSA, ECDH, EECDH amongst others. During the key exchange, keys used for authentication and symmetric encryption are exchanged. For RSA, DSA and ECDSA those keys are derived from the server s public key. TODO: explain this section
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 53 of 80
Contents Key RSA DH EDH ECDH EECDH DSA ECDSA RSA RSA RSA both both DSA DSA EC no no no yes yes no yes ephemeral no no yes no yes no no
Ephemeral Key Exchange uses dierent keys for authentication (the server s RSA key) and encryption (a randomly created key). This advantage is called Forward Secrecy and means that even recorded trac cannot be decrypted later when someone obtains the server key. All ephemeral key exchange schemes are based on the Die-Hellman algorithm and require pregenerated Die-Hellman parameter (which allow fast ephemeral key generation). It is important to note that the Die-Hellman parameter settings need to reect at least the security (speaking in number of bits) as the RSA host key. TODO: add reference! Elliptic Curves (see section 3.5) required by current TLS standards only consist of the so-called NIST-curves (secp256r1 and secp384r1) which may be weak because the parameters that led to their generation were not properly explained by the authors [DJB13]. Disabling support for Elliptic Curves leads to no ephemeral key exchange being available for the Windows platform. When you decide to use Elliptic Curves despite the uncertainty, make sure to at least use the stronger curve of the two supported by all clients (secp384r1). Other key exchange mechanisms like Pre-Shared Key (PSK) are irrelevant for regular SSL/TLS use.
Authentication RSA, DSA, DSS, ECDSA, ECDH During Key Exchange the server proved that he is in control of the private key associated with a certain public key (the server s certicate). The client veries the server s identity by comparing the signature on the certicate and matching it with its trust database. For details about the trust model of SSL/TLS please see 3.8. In addition to the server providing its identity, a client might do so as well. That way mutual trust can be established. Another mechanism providing client authentication is Secure Remote Password (SRP)TODO: reference. All those mechanisms require special conguration. Other authentication mechanisms like Pre Shared Keys are not used in SSL/TLS. Anonymous sessions will not be discussed in this paper. !PSK:!aNULL
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 54 of 80
Contents Encryption AES, CAMELLIA, SEED, ARIA(?), FORTEZZA(?)... Other ciphers like IDEA, RC2, RC4, 3DES or DES are weak and therefore not recommended: !DES:!3DES:!RC2:!RC4:!eNULL
Message authentication SHA-1 (SHA), SHA-2 (SHA256, SHA384), AEAD Note that SHA-1 is considered broken and should not be used. SHA-1 is however the only still available message authentication mechanism supporting TLS1.0/SSLv3. Without SHA-1 most clients will be locked out. Other hash functions like MD2, MD4 or MD5 are unsafe and broken: !MD2:!MD4:!MD5
Combining cipher strings TODO: Adi... The text below was simply the old text, still left here for reference.
A good source of random numbers is essential for many crypto operations. The key feature of a good random number generator is the non-predictability of the generated numbers. This means that hardware support for generating entropy is essential. Hardware random number generators in operating systems or standalone components collect entropy from various random events mostly by using the (low bits of the) time an event occurs as an entropy source. The entropy is merged into an entropy pool and in some implementations there is some bookkeeping about the number of random bits available.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 55 of 80
Contents
3.3.2. Linux
TODO: Other architectures, BSD, Windows? On Linux there are two devices that return random bytes when read; the /dev/random can block until sucient entropy has been collected while /dev/urandom will not block and return whatever (possibly insucient) entropy has been collected so far. Unfortunately most crypto implementations are using /dev/urandom and can produce predictable random numbers if not enough entropy has been collected [HDWH12]. Linux supports the injection of additional entropy into the entropy pool via the device /dev/random. On the one hand this is used for keeping entropy across reboots by storing output of /dev/random into a le before shutdown and re-injecting the contents during the boot process. On the other hand this can be used for running a secondary entropy collector to inject entropy into the kernel entropy pool. On Linux you can check how much entropy is available with the command: $ cat / proc / sys / kernel / random / entropy_avail
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 56 of 80
Contents
3.3.3. Recommendations
To avoid situations where a newly deployed server doesnt have enough entropy it is recommended to generate keys (e.g. for SSL or SSH) on a system with a sucient amount of entropy available and transfer the generated keys to the server. This is especially advisable for small embedded devices or virtual machines. For embedded devices and virtual machines deploying additional userspace software that generates entropy and feeds this to kernel entropy pool (e.g. by writing to /dev/random on Linux) is recommended. Note that only a process with root rights can update the entropy counters in the kernel; non-root or user processes can still feed entropy to the pool but cannot update the counters [Wik13a]. For Linux the haveged implementation [HAV13a] based on the HAVEGE [SS03] strong random number generator currently looks like the best choice. It can feed its generated entropy into the kernel entropy pool and recently has grown a mechanism to monitor the quality of generated random numbers [HAV13b]. The memory footprint may be too high for small embedded devices, though. For systems where during the lifetime of the keys it is expected that low-entropy situations occur, RSA keys should be preferred over DSA keys: For DSA, if there is ever insucient entropy at the time keys are used for signing this may lead to repeated ephemeral keys. An attacker who can guess an ephemeral private key used in such a signature can compromise the DSA secret key. For RSA this can lead to discovery of encrypted plaintext or forged signatures but not to the compromise of the secret key [HDWH12].
3.4. Keylengths
On the choice between AES256 and AES128: I would never consider using AES256, just like I dont wear a helmet when I sit inside my car. Its too much bother for the epsilon improvement in security. Vincent Rijmen in a personal mail exchange Dec 2013
Recommendations on keylengths need to be adapted regularly. Since this document rst of all is static and second of all, does not consider itself to be authoritative on keylengths, we would rather refer to existing publications and websites. Recommending a safe key length is a hit-and-miss issue. Furthermore, when choosing an encryption algorithm and keylength, the designer/sysadmin always needs to consider the value of the information and how long it must be protected. In other words: consider the number of years the data needs to stay condential. The ECRYPT II publication [IS12] gives a fascinating overview of strengths of symmetric keys in chapter 5 and chapter 7. Summarizing ECRYPT II, we recommend 128 bit of key strength for symmetric keys. In ECRYPT II, this is considered safe for security level 7, long term protection. In the same ECRYPT II publication you can nd a practical comparison of key size equivalence between symmetric key sizes and RSA, discrete log (DLOG) and EC keylengths. ECRYPT II arrives at
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 57 of 80
Contents the interesting conclusion that for an equivalence of 128 bit symmetric size, you will need to use an 3248 bit RSA key [IS12, chapter 7, page 30]. There are a couple of other studies comparing keylengths and their respective strengths. The website https://www.keylength.com/ compares these papers and oers a good overview of approximations for key lengths based on recommendations by dierent standardization bodies and academic publications. Figure 3.3 shows a typical comparison of keylengths on this web site.
Figure 3.3.: Screenshot of https://www.keylength.com for 128 bit symmetric key size equivalents
Summary For traditional asymmetric public-key cryptography we consider any key length below 2048 bits to be deprecated at the time of this writing (for long term protection). For elliptic curve cryptography we consider key lengths below 256 bits to be inadequate for long term protection. For symmetric algorithms we consider anything below 128 bits to be inadequate for long term protection.
Special remark on 3DES We want to note that 3DES theoretically has 168 bits of security, however based on the NIST Special
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 58 of 80
Contents Publication 800-57 5 , it is clear that 3DES can only be considered to provide for 80 bits / 112 bits security.
Elliptic Curve Cryptography (simply called ECC from now on) is a branch of cryptography that emerged in the mid-1980s. The security of the RSA algorithm is based on the assumption that factoring large numbers is infeasible. Likewise, the security of ECC, DH and DSA is based on the discrete logarithm problem [Wik13b, McC90, Wol13]. Finding the discrete logarithm of an elliptic curve from its public base point is thought to be infeasible. This is known as the Elliptic Curve Discrete Logarithm Problem (ECDLP). ECC and the underlying mathematical foundation are not easy to understand - luckily, there have been some great introductions on the topic lately 6 7 8 . ECC provides for much stronger security with less computationally expensive operations in comparison to traditional asymmetric algorithms (See the Section 3.4). The security of ECC relies on the elliptic curves and curve points chosen as parameters for the algorithm in question. Well before the NSAleak scandal there has been a lot of discussion regarding these parameters and their potential subversion. A part of the discussion involved recommended sets of curves and curve points chosen by dierent standardization bodies such as the National Institute of Standards and Technology (NIST) 9 which were later widely implemented in most common crypto libraries. Those parameters came under question repeatedly from cryptographers [BL13, Sch13b, W.13]. At the time of writing, there is ongoing research as to the security of various ECC parameters [DJB13]. Most software congured to rely on ECC (be it client or server) is not able to promote or black-list certain curves. It is the hope of the authors that such functionality will be deployed widely soon. The authors of this paper include congurations and recommendations with and without ECC - the reader may choose to adopt those settings as he nds best suited to his environment. The authors will not make this decision for the reader. A word of warning: One should get familiar with ECC, dierent curves and parameters if one chooses to adopt ECC congurations. Since there is much discussion on the security of ECC, awed settings might very well compromise the security of the entire system!
pages 63 and 64
6 https://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 59 of 80
Contents applications that require collision resistance. The use of SHA-1 in message authentication, e.g. HMAC, is not immediately threatened. We recommend using SHA-2 whenever available. Since SHA-2 is not supported by older versions of TLS, SHA-1 can be used for message authentication if a higher compatibility with a more diverse set of clients is needed. Our congurations A and B reect this. While conguration A does not include SHA-1, conguration B does and thus is more compatible with a wider range of clients.
10 https://crypto.stackexchange.com/questions/1963/how-large-should-a-die-hellman-p-be
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 60 of 80
Contents
Certicates From an External Certicate Authority There is a fairly large number of commercial CAs that will issue certicates for money. Some of the most ubiquitous commercial CAs are Verisign, GoDaddy, and Teletrust. However, there are also CAs that oer certicates for free. The most notable examples are StartSSL, which is a company that oers some types of certicates for free, and CAcert, which is a non-prot volunteerbased organization that does not charge at all for issuing certicates. Finally, in the research and education eld, a number of CAs exist that are generally well-known and well-accepted within the higher-education community. A large number of CAs is pre-installed in client softwares or operating systemstrust stores; depending on your application, you have to select your CA according to this, or have a mechanism to distribute the chosen CAs root certicate to the clients. When requesting a certicate from a CA, it is vital that you generate the key pair yourself. In particular, the private key should never be known to the CA. If a CA oers to generate the key pair for you, you should not trust that CA. Generating a key pair and a certicate request can be done with a number of tools. On Unix-like systems, it is likely that the OpenSSL suite is available to you. In this case, you can generate a private key and a corresponding certicate request as follows: % openssl req - new - nodes - keyout < servername >. key - out < servername >. csr - newkey rsa : < keysize > Country Name (2 letter code ) [ AU ]: DE State or Province Name ( full name ) [ Some - State ]: Bavaria Locality Name ( eg , city ) []: Munich Organization Name ( eg , company ) [ Internet Widgits Pty Ltd ]: Example Organizational Unit Name ( eg , section ) []: Example Section Common Name ( e . g . server FQDN or YOUR name ) []: example . com Email Address []: admin@example . com Please enter the following ' extra ' attributes to be sent with your certificate request A challenge password []: An optional company name []:
Setting Up Your Own Certicate Authority In some situations it is advisable to run your own certicate authority. Whether this is a good idea depends on the exact circumstances. Generally speaking, the more centralized the control of the systems in your environment, the fewer pains you will have to go through to deploy your own CA.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 61 of 80
Contents On the other hand, running your own CA maximizes the trust level that you can achieve because it minimizes external trust dependencies. Again using OpenSSL as an example, you can set up your own CA with the following commands on a Debian system: % cd / usr / lib / ssl / misc % sudo ./ CA . pl - newca Answer the questions according to your setup. Now that you have congured your basic settings and issued a new root certicate, you can issue new certicates as follows: % cd / usr / lib / ssl / misc % sudo ./ CA . pl - newreq Alternatively, software such as TinyCA [Wik13e] that acts as a wrapper around OpenSSL and tries to make life easier is available.
Creating a Self-Signed Certicate If the desired trust level is very high and the number of systems involved is limited, the easiest way to set up a secure environment may be to use self-signed certicates. A self-signed certicate is not issued by any CA at all, but is signed by the entity that it is issued to. Thus, the organizational overhead of running a CA is eliminated at the expense of having to establish all trust relationships between entities manually. With OpenSSL, a self-signed certicate may be created with this command: % openssl req - new - x509 - key privkey . pem - out cacert . pem - days 1095 The resulting certicate will by default not be trusted by anyone at all, so in order to be useful, the certicate will have to be made known a priori to all parties that may encounter it.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 62 of 80
Contents
A. Tools
This section lists tools for checking the security settings.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 63 of 80
A.2. Keylength
https://www.keylength.com comprehensive online resource for comparison of keylengths according to common recommendations and standards in cryptography.
A.3. RNGs
ENT is a pseudo random number generator sequence tester. HaveGE is a tool which increases the Entropy of the Linux random number generator devices. It is based on the HAVEGE algorithm. https://dl.acm.org/citation.cfm?id=945516 Dieharder a random number generator testing tool. CAcert Random another random number generator testing service.
A.4. Guides
See: https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices_1.3.pdf.
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 64 of 80
Contents
B. Links
IANA ocial list of Transport Layer Security (TLS) Parameters: https://www.iana.org/assignments/ tls-parameters/tls-parameters.txt SSL cipher settings: https://www.skytale.net/blog/archives/22-SSL-cipher-setting.html Elliptic curves and their implementation (04 Dec 2010): https://www.imperialviolet.org/2010/ 12/04/ecc.html A (relatively easy to understand) primer on elliptic curve cryptography: https://arstechnica. com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography Duraconf, A collection of hardened conguration les for SSL/TLS services (Jacob Appelbaums github): https://github.com/ioerror/duraconf Attacks on SSL a comprehensive study of BEAST, CRIME, TIME, BREACH, LUCKY 13 & RC4 Biases: https://www.isecpartners.com/media/106031/ssl_attacks_survey.pdf EFF How to deploy HTTPS correctly: https://www.e.org/https-everywhere/deploying-https Bruce Almighty: Schneier preaches security to Linux faithful (on not recommending to use Blowsh anymore in favor of Twosh): https://www.computerworld.com.au/article/46254/ bruce_almighty_schneier_preaches_security_linux_faithful/?pp=3 Implement FIPS 183-3 for DSA keys (1024bit constraint): https://bugzilla.mindrot.org/show_ bug.cgi?id=1647 Elliptic Curve Cryptography in Practice: https://eprint.iacr.org/2013/734.pdf Factoring as a Service: https://crypto.2013.rump.cr.yp.to/981774ce07e51813fd4466612a78601b. pdf Black Ops of TCP/IP 2012: https://dankaminsky.com/2012/08/06/bo2012/ SSL and the Future of Authenticity, Moxie Marlinspike - Black Hat USA 2011: https://www. youtube.com/watch?v=Z7Wl2FW2TcA ENISA - Algorithms, Key Sizes and Parameters Report (Oct.13) https://www.enisa.europa.eu/ activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report Die-Hellman Groups https://ibm.co/18lslZf Die-Hellman Groups standardized in RFC3526 [KK03] https://datatracker.ietf.org/doc/rfc3526/ ECC-enabled GnuPG per RFC6637 [Jiv12] https://code.google.com/p/gnupg-ecc
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 65 of 80
Contents TLS Security (Survey + Lucky13 + RC4 Attack) by Kenny Paterson https://www.cosic.esat. kuleuven.be/ecc2013/les/kenny.pdf Ensuring High-Quality Randomness in Cryptographic Key Generation https://arxiv.org/abs/ 1309.7366v1 Wikipedia: Ciphertext Stealing https://en.wikipedia.org/wiki/Ciphertext_stealing Wikipedia: Malleability (Cryptography) https://en.wikipedia.org/wiki/Malleability_(cryptography) Ritter s Crypto Glossary and Dictionary of Technical Cryptography https://www.ciphersbyritter. com/GLOSSARY.HTM
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 66 of 80
Contents
C. Suggested Reading
This section contains suggested reading material. Cryptography Engineering: Design Principles and Practical Applications, Ferguson, N. and Schneier, B. and Kohno, T. (ISBN-13: 978-0470474242) Security Engineering: A Guide to Building Dependable Distributed Systems, Anderson, R.J. (ISBN-13: 978-0470068526) Applied cryptography: protocols, algorithms, and source code in C, Schneier, B. (ISBN-13: 978-0471117094) Guide to Elliptic Curve Cryptography, Hankerson, D. and Vanstone, S. and Menezes, A.J. (ISBN13: 978-0387952734) A Introduction To The Theory of Numbers, Godfrey Harold Hardy, E. M. Wrigh (ISBN-13: 978-0199219865) Malicious Cryptography: Exposing Cryptovirology, Young A., Yung, M. (ISBN-13: 978-0764549755)
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 67 of 80
Contents
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 68 of 80
Contents
Code 0x00,0x1B 0x00,0x1E 0x00,0x1F 0x00,0x20 0x00,0x21 0x00,0x22 0x00,0x23 0x00,0x24 0x00,0x25 0x00,0x26 0x00,0x27 0x00,0x28 0x00,0x29 0x00,0x2A 0x00,0x2B 0x00,0x2C 0x00,0x2D 0x00,0x2E 0x00,0x2F 0x00,0x30 0x00,0x31 0x00,0x32 0x00,0x33 0x00,0x34 0x00,0x35 0x00,0x36 0x00,0x37 0x00,0x38 0x00,0x39 0x00,0x3A 0x00,0x3B 0x00,0x3C 0x00,0x3D 0x00,0x3E 0x00,0x3F 0x00,0x40 0x00,0x41 0x00,0x42 0x00,0x43 0x00,0x44
IANA Name TLS_DH_anon_WITH_3DES_EDE_CBC_SHA TLS_KRB5_WITH_DES_CBC_SHA TLS_KRB5_WITH_3DES_EDE_CBC_SHA TLS_KRB5_WITH_RC4_128_SHA TLS_KRB5_WITH_IDEA_CBC_SHA TLS_KRB5_WITH_DES_CBC_MD5 TLS_KRB5_WITH_3DES_EDE_CBC_MD5 TLS_KRB5_WITH_RC4_128_MD5 TLS_KRB5_WITH_IDEA_CBC_MD5 TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA TLS_KRB5_EXPORT_WITH_RC4_40_SHA TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5 TLS_KRB5_EXPORT_WITH_RC4_40_MD5 TLS_PSK_WITH_NULL_SHA TLS_DHE_PSK_WITH_NULL_SHA TLS_RSA_PSK_WITH_NULL_SHA TLS_RSA_WITH_AES_128_CBC_SHA TLS_DH_DSS_WITH_AES_128_CBC_SHA TLS_DH_RSA_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_256_CBC_SHA TLS_DH_DSS_WITH_AES_256_CBC_SHA TLS_DH_RSA_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DH_anon_WITH_AES_256_CBC_SHA TLS_RSA_WITH_NULL_SHA256 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_DH_DSS_WITH_AES_128_CBC_SHA256 TLS_DH_RSA_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
AES128-SHA
DHE-DSS-AES128-SHA256 CAMELLIA128-SHA
DHE-DSS-CAMELLIA128-SHA
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 69 of 80
Contents
Code 0x00,0x45 0x00,0x46 0x00,0x67 0x00,0x68 0x00,0x69 0x00,0x6A 0x00,0x6B 0x00,0x6C 0x00,0x6D 0x00,0x84 0x00,0x85 0x00,0x86 0x00,0x87 0x00,0x88 0x00,0x89 0x00,0x8A 0x00,0x8B 0x00,0x8C 0x00,0x8D 0x00,0x8E 0x00,0x8F 0x00,0x90 0x00,0x91 0x00,0x92 0x00,0x93 0x00,0x94 0x00,0x95 0x00,0x96 0x00,0x97 0x00,0x98 0x00,0x99 0x00,0x9A 0x00,0x9B 0x00,0x9C 0x00,0x9D 0x00,0x9E 0x00,0x9F 0x00,0xA0 0x00,0xA1 0x00,0xA2
IANA Name TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_DH_DSS_WITH_AES_256_CBC_SHA256 TLS_DH_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DH_anon_WITH_AES_128_CBC_SHA256 TLS_DH_anon_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA TLS_PSK_WITH_RC4_128_SHA TLS_PSK_WITH_3DES_EDE_CBC_SHA TLS_PSK_WITH_AES_128_CBC_SHA TLS_PSK_WITH_AES_256_CBC_SHA TLS_DHE_PSK_WITH_RC4_128_SHA TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA TLS_DHE_PSK_WITH_AES_128_CBC_SHA TLS_DHE_PSK_WITH_AES_256_CBC_SHA TLS_RSA_PSK_WITH_RC4_128_SHA TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA TLS_RSA_PSK_WITH_AES_128_CBC_SHA TLS_RSA_PSK_WITH_AES_256_CBC_SHA TLS_RSA_WITH_SEED_CBC_SHA TLS_DH_DSS_WITH_SEED_CBC_SHA TLS_DH_RSA_WITH_SEED_CBC_SHA TLS_DHE_DSS_WITH_SEED_CBC_SHA TLS_DHE_RSA_WITH_SEED_CBC_SHA TLS_DH_anon_WITH_SEED_CBC_SHA TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DH_RSA_WITH_AES_128_GCM_SHA256 TLS_DH_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
SEED-SHA
DHE-DSS-AES128-GCM-SHA256
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 70 of 80
Contents
Code 0x00,0xA3 0x00,0xA4 0x00,0xA5 0x00,0xA6 0x00,0xA7 0x00,0xA8 0x00,0xA9 0x00,0xAA 0x00,0xAB 0x00,0xAC 0x00,0xAD 0x00,0xAE 0x00,0xAF 0x00,0xB0 0x00,0xB1 0x00,0xB2 0x00,0xB3 0x00,0xB4 0x00,0xB5 0x00,0xB6 0x00,0xB7 0x00,0xB8 0x00,0xB9 0x00,0xBA 0x00,0xBB 0x00,0xBC 0x00,0xBD 0x00,0xBE 0x00,0xBF 0x00,0xC0 0x00,0xC1 0x00,0xC2 0x00,0xC3 0x00,0xC4 0x00,0xC5 0x00,0xFF 0xC0,0x01 0xC0,0x02 0xC0,0x03 0xC0,0x04
IANA Name TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 TLS_DH_DSS_WITH_AES_128_GCM_SHA256 TLS_DH_DSS_WITH_AES_256_GCM_SHA384 TLS_DH_anon_WITH_AES_128_GCM_SHA256 TLS_DH_anon_WITH_AES_256_GCM_SHA384 TLS_PSK_WITH_AES_128_GCM_SHA256 TLS_PSK_WITH_AES_256_GCM_SHA384 TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 TLS_PSK_WITH_AES_128_CBC_SHA256 TLS_PSK_WITH_AES_256_CBC_SHA384 TLS_PSK_WITH_NULL_SHA256 TLS_PSK_WITH_NULL_SHA384 TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 TLS_DHE_PSK_WITH_NULL_SHA256 TLS_DHE_PSK_WITH_NULL_SHA384 TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 TLS_RSA_PSK_WITH_NULL_SHA256 TLS_RSA_PSK_WITH_NULL_SHA384 TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 TLS_EMPTY_RENEGOTIATION_INFO_SCSV TLS_ECDH_ECDSA_WITH_NULL_SHA TLS_ECDH_ECDSA_WITH_RC4_128_SHA TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
ADH-AES128-GCM-SHA256 ADH-AES256-GCM-SHA384
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 71 of 80
Contents
Code 0xC0,0x05 0xC0,0x06 0xC0,0x07 0xC0,0x08 0xC0,0x09 0xC0,0x0A 0xC0,0x0B 0xC0,0x0C 0xC0,0x0D 0xC0,0x0E 0xC0,0x0F 0xC0,0x10 0xC0,0x11 0xC0,0x12 0xC0,0x13 0xC0,0x14 0xC0,0x15 0xC0,0x16 0xC0,0x17 0xC0,0x18 0xC0,0x19 0xC0,0x1A 0xC0,0x1B 0xC0,0x1C 0xC0,0x1D 0xC0,0x1E 0xC0,0x1F 0xC0,0x20 0xC0,0x21 0xC0,0x22 0xC0,0x23 0xC0,0x24 0xC0,0x25 0xC0,0x26 0xC0,0x27 0xC0,0x28 0xC0,0x29 0xC0,0x2A 0xC0,0x2B 0xC0,0x2C
IANA Name TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_NULL_SHA TLS_ECDHE_ECDSA_WITH_RC4_128_SHA TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_NULL_SHA TLS_ECDH_RSA_WITH_RC4_128_SHA TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_RSA_WITH_NULL_SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDH_anon_WITH_NULL_SHA TLS_ECDH_anon_WITH_RC4_128_SHA TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA TLS_ECDH_anon_WITH_AES_128_CBC_SHA TLS_ECDH_anon_WITH_AES_256_CBC_SHA TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA TLS_SRP_SHA_WITH_AES_128_CBC_SHA TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA TLS_SRP_SHA_WITH_AES_256_CBC_SHA TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
OpenSSL Name ECDH-ECDSA-AES256-SHA ECDHE-ECDSA-NULL-SHA ECDHE-ECDSA-RC4-SHA ECDHE-ECDSA-DES-CBC3-SHA ECDHE-ECDSA-AES128-SHA ECDHE-ECDSA-AES256-SHA ECDH-RSA-NULL-SHA ECDH-RSA-RC4-SHA ECDH-RSA-DES-CBC3-SHA ECDH-RSA-AES128-SHA ECDH-RSA-AES256-SHA ECDHE-RSA-NULL-SHA ECDHE-RSA-RC4-SHA ECDHE-RSA-DES-CBC3-SHA ECDHE-RSA-AES128-SHA ECDHE-RSA-AES256-SHA AECDH-NULL-SHA AECDH-RC4-SHA AECDH-DES-CBC3-SHA AECDH-AES128-SHA AECDH-AES256-SHA SRP-3DES-EDE-CBC-SHA SRP-RSA-3DES-EDE-CBC-SHA SRP-DSS-3DES-EDE-CBC-SHA SRP-AES-128-CBC-SHA SRP-RSA-AES-128-CBC-SHA SRP-DSS-AES-128-CBC-SHA SRP-AES-256-CBC-SHA SRP-RSA-AES-256-CBC-SHA SRP-DSS-AES-256-CBC-SHA ECDHE-ECDSA-AES128-SHA256 ECDHE-ECDSA-AES256-SHA384 ECDH-ECDSA-AES128-SHA256 ECDH-ECDSA-AES256-SHA384 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 ECDH-RSA-AES128-SHA256 ECDH-RSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 72 of 80
Contents
Code 0xC0,0x2D 0xC0,0x2E 0xC0,0x2F 0xC0,0x30 0xC0,0x31 0xC0,0x32 0xC0,0x33 0xC0,0x34 0xC0,0x35 0xC0,0x36 0xC0,0x37 0xC0,0x38 0xC0,0x39 0xC0,0x3A 0xC0,0x3B 0xC0,0x3C 0xC0,0x3D 0xC0,0x3E 0xC0,0x3F 0xC0,0x40 0xC0,0x41 0xC0,0x42 0xC0,0x43 0xC0,0x44 0xC0,0x45 0xC0,0x46 0xC0,0x47 0xC0,0x48 0xC0,0x49 0xC0,0x4A 0xC0,0x4B 0xC0,0x4C 0xC0,0x4D 0xC0,0x4E 0xC0,0x4F 0xC0,0x50 0xC0,0x51 0xC0,0x52 0xC0,0x53 0xC0,0x54
IANA Name TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_PSK_WITH_RC4_128_SHA TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 TLS_ECDHE_PSK_WITH_NULL_SHA TLS_ECDHE_PSK_WITH_NULL_SHA256 TLS_ECDHE_PSK_WITH_NULL_SHA384 TLS_RSA_WITH_ARIA_128_CBC_SHA256 TLS_RSA_WITH_ARIA_256_CBC_SHA384 TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 TLS_RSA_WITH_ARIA_128_GCM_SHA256 TLS_RSA_WITH_ARIA_256_GCM_SHA384 TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 73 of 80
Contents
Code 0xC0,0x55 0xC0,0x56 0xC0,0x57 0xC0,0x58 0xC0,0x59 0xC0,0x5A 0xC0,0x5B 0xC0,0x5C 0xC0,0x5D 0xC0,0x5E 0xC0,0x5F 0xC0,0x60 0xC0,0x61 0xC0,0x62 0xC0,0x63 0xC0,0x64 0xC0,0x65 0xC0,0x66 0xC0,0x67 0xC0,0x68 0xC0,0x69 0xC0,0x6A 0xC0,0x6B 0xC0,0x6C 0xC0,0x6D 0xC0,0x6E 0xC0,0x6F 0xC0,0x70 0xC0,0x71 0xC0,0x72 0xC0,0x73 0xC0,0x74 0xC0,0x75 0xC0,0x76 0xC0,0x77 0xC0,0x78 0xC0,0x79 0xC0,0x7A 0xC0,0x7B 0xC0,0x7C
IANA Name TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 TLS_PSK_WITH_ARIA_128_CBC_SHA256 TLS_PSK_WITH_ARIA_256_CBC_SHA384 TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 TLS_PSK_WITH_ARIA_128_GCM_SHA256 TLS_PSK_WITH_ARIA_256_GCM_SHA384 TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256
OpenSSL Name
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 74 of 80
Contents
Code 0xC0,0x7D 0xC0,0x7E 0xC0,0x7F 0xC0,0x80 0xC0,0x81 0xC0,0x82 0xC0,0x83 0xC0,0x84 0xC0,0x85 0xC0,0x86 0xC0,0x87 0xC0,0x88 0xC0,0x89 0xC0,0x8A 0xC0,0x8B 0xC0,0x8C 0xC0,0x8D 0xC0,0x8E 0xC0,0x8F 0xC0,0x90 0xC0,0x91 0xC0,0x92 0xC0,0x93 0xC0,0x94 0xC0,0x95 0xC0,0x96 0xC0,0x97 0xC0,0x98 0xC0,0x99 0xC0,0x9A 0xC0,0x9B 0xC0,0x9C 0xC0,0x9D 0xC0,0x9E 0xC0,0x9F 0xC0,0xA0 0xC0,0xA1 0xC0,0xA2 0xC0,0xA3 0xC0,0xA4
IANA Name TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 TLS_RSA_WITH_AES_128_CCM TLS_RSA_WITH_AES_256_CCM TLS_DHE_RSA_WITH_AES_128_CCM TLS_DHE_RSA_WITH_AES_256_CCM TLS_RSA_WITH_AES_128_CCM_8 TLS_RSA_WITH_AES_256_CCM_8 TLS_DHE_RSA_WITH_AES_128_CCM_8 TLS_DHE_RSA_WITH_AES_256_CCM_8 TLS_PSK_WITH_AES_128_CCM
OpenSSL Name
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 75 of 80
Contents
OpenSSL Name
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 76 of 80
Contents
E. Further research
The following is a list of services, software packages, hardware devices or protocols that we considered documenting but either did not manage to document yet or might be able to document later. We encourage input from the Internet community. whatsapp (might be problematic since a user/admin cant change anything) Lync BGP / OSPF Skype (might be problematic since a user/admin cant change anything) Wi-Fi APs, 802.1X seclayer-tcp Tomcat SIP SRTP DNSSec (mention BCPs) DANE TOR S/Mime (check are there any BCPs? ) TrueCrypt, Vault AFS LUKS, File telnet (only sensible recommendation: DONt!!) rsyslog UPnP, natPmp v6 spoong (look at work by Ferndo Gont, Marc Heuse, et. al.) tinc SAML federated providers 1 auth DSL modems (where to start?) network Commerical equipment vendors RADIUS Moxa , APC, und co... ICS . Ethernet to serial SILC ftps LDAP webmin (probably the same recommendations as with Apache apply, but where does that need to be congured?) plesk (same as webmin) phpmyadmin (same as webmin) telnets Kerberos NNTP NTPs tlsdate racoon l2tp rsync
1 e.g.,
all the REFEDS folks (https://refeds.org/)), including InCommon (https://www.incommon.org/federation/metadata. html https://wiki.shibboleth.net/conuence/display/SHIB2/TrustManagement
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 77 of 80
Bibliography
Bibliography
[Ada13a] Adam Langley, Ben Laurie, Emilia Kasper. Certicate Transparency. https://www. certicate-transparency.org https://datatracker.ietf.org/doc/rfc6962/, 07 2013. [Ada13b] Adam Langley, et. al. Go X.509 Verication Source Code. https://code.google.com/p/go/ source/browse/src/pkg/crypto/x509/verify.go#173, 12 2013. [And08] Ross Anderson. Security engineering. Wiley.com, 2008. https://www.cl.cam.ac.uk/~rja14/ book.html D. J. Bernstein and Tanja Lange. Security dangers of the NIST curves. Presentation slides, September 2013. https://cr.yp.to/talks/2013.09.16/slides-djb-20130916-a4.pdf C. Evans and C. Palmer. Public Key Pinning Extension for HTTP. https://tools.ietf.org/ html/draft-ietf-websec-key-pinning-09, November 2013.
[BL13]
[C. 13]
[Dam11] Damon Poeter. Fake Google Certicate Puts Gmail at Risk. https://www.pcmag.com/ article2/0,2817,2392063,00.asp, August 2011. [DJB13] Safecurves: choosing safe curves for elliptic-curve cryptography. Technical background, December 2013. Accessed 2013-12-09. https://safecurves.cr.yp.to/rigid.html
[DKBH13] Zakir Durumeric, James Kasten, Michael Bailey, and J. Alex Halderman. Analysis of the HTTPS certicate ecosystem. In Proceedings of the 13th Internet Measurement Conference, October 2013. https://jhalderm.com/pub/papers/https-imc13.pdf [Eli11] Elinor Mills. Fraudulent Google certicate points to Internet attack. https://news.cnet.com/8301-27080_3-20098894-245/ fraudulent-google-certicate-points-to-internet-attack/, August 2011. Jakob Engblom. Evaluating HAVEGE randomness. Blog: Observations from uppsala, February 2011. https://jakob.engbloms.se/archives/1374 ENISA and Vincent Rijmen, Nigel P. Smart, Bogdan warinschi, Gaven Watson. Enisa - algorithms, key sizes and parameters report. Technical report, Oct 2013. https://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/ algorithms-key-sizes-and-parameters-report
[Eng11]
[ENI13]
[fSidIB13] Bundesamt fr Sicherheit in der Informationstechnik (BSI). Bsi tr-02102 kryptographische verfahren. Technical report, Jan 2013. https://www.bsi.bund.de/SharedDocs/ Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR02102/BSI-TR-02102_pdf [Gle13] Glenn reader Greenwald. questions. Edward Snowden: NSA whistleblower answers https://www.theguardian.com/world/2013/jun/17/
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 78 of 80
Bibliography edward-snowden-nsa- les-whistleblower, https://www.theguardian.com/world/2013/ jun/17/edward-snowden-nsa- les-whistleblower, 07 2013. [H. 13] H. Tschofenig and E. Lear. Evolving the Web Public Key Infrastructure. https://tools.ietf. org/html/draft-tschofenig-iab-webpki-evolution-01.txt, November 2013.
[HAV13a] haveged a simple entropy daemon. Software homepage, December 2013. Accessed 2013-12-06. https://www.issihosts.com/haveged/ [HAV13b] haveged a simple entropy daemon: Runtime testing. Technical background, December 2013. Accessed 2013-12-06. https://www.issihosts.com/haveged/ [HDWH12] Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. Alex Halderman. Mining your Ps and Qs: Detection of widespread weak keys in network devices. In Proceedings of the 21st USENIX Security Symposium, August 2012. https://factorable.net/weakkeys12.extended. pdf [Hof05] P. Homan. Cryptographic Suites for IPsec. RFC 4308 (Proposed Standard), December 2005. https://www.ietf.org/rfc/rfc4308.txt P. Homan and J. Schlyter. The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA. RFC 6698 (Proposed Standard), August 2012. https://www.ietf.org/rfc/rfc6698.txt ECRYPT II and D SYM. Ecrypt ii. pages 7986, 2012. https://www.ecrypt.eu.org/documents/ D.SPA.20.pdf A. Jivsov. Elliptic Curve Cryptography (ECC) in OpenPGP. RFC 6637 (Proposed Standard), June 2012. https://www.ietf.org/rfc/rfc6637.txt H. Krawczyk, M. Bellare, and R. Canetti. HMAC: Keyed-Hashing for Message Authentication. RFC 2104 (Informational), February 1997. Updated by RFC 6151. https://www.ietf. org/rfc/rfc2104.txt T. Kivinen and M. Kojo. More Modular Exponential (MODP) Die-Hellman groups for Internet Key Exchange (IKE). RFC 3526 (Proposed Standard), May 2003. https://www.ietf. org/rfc/rfc3526.txt J. Katz and Y. Lindell. Introduction to modern cryptography. Chapman and Hall/CRC Cryptography and Network Security Series. Chapman & Hall/CRC, 2008. https://books. google.at/books?id=WIc_AQAAIAA J M. Lepinski and S. Kent. Additional Die-Hellman Groups for Use with IETF Standards. RFC 5114 (Informational), January 2008. https://www.ietf.org/rfc/rfc5114.txt L. Law and J. Solinas. Suite B Cryptographic Suites for IPsec. RFC 6379 (Informational), October 2011. https://www.ietf.org/rfc/rfc6379.txt
[HS12]
[IS12]
[Jiv12]
[KBC97]
[KK03]
[KL08]
[LK08]
[LS11]
[McC90] Kevin S. McCurley. The discrete logarithm problem. In Cryptology and Computational Number Theory, Proceedings of Symposia in Applied Mathematics, volume 42, pages 49 74, 1990. https://www.mccurley.org/papers/dlog.pdf
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 79 of 80
Bibliography [POL11] Weak random number generation within virtualized environments. Security Advisory 2011-02, PolarSSL, December 2011. https://polarssl.org/tech-updates/ security-advisories/polarssl-security-advisory-2011-02
[Sch13a] Bruce Schneier. The NSA is breaking most encryption on the internet. Blog: Schneier on security, September 2013. https://www.schneier.com/blog/archives/2013/09/the_nsa_ is_brea.html [Sch13b] Bruce Schneier. The NSA is breaking most encryption on the internet. Answer to blog comment, September 2013. https://www.schneier.com/blog/archives/2013/09/the_nsa_ is_brea.html#c1675929 [SS03] A. Seznec and N. Sendrier. HAVEGE: a user-level software heuristic for generating empirically strong random numbers. ACM Transactions on Modeling and Computer Simulation, 13(4):334346, October 2003. https://www.irisa.fr/caps/projects/hipsor/scripts/ down.php?id=13781296&ext=.pdf D. W. Should we trust the NIST-recommended ECC parameters? Stackexchange question, Stackexchange Q&A Site, September 2013. https://crypto.stackexchange.com/questions/ 10263/should-we-trust-the-nist-recommended-ecc-parameters
[W.13]
[Wik13a] /dev/random. Wikipedia, Wikipedia, December 2013. Accessed 2013-12-06. https://en. wikipedia.org/wiki/dev/random [Wik13b] Discrete logarithm. Wikipedia, Wikipedia, December 2013. Accessed 2013-12-12. https: //en.wikipedia.org/wiki/Discrete_logarithm [Wik13c] Export of cryptography in the United States. Wikipedia, Wikipedia, December 2013. Accessed 2013-12-09. https://en.wikipedia.org/wiki/Export_of_cryptography_in_the_United_ States [Wik13d] Tempest (codename). Wikipedia, Wikipedia, December 2013. Accessed 2013-12-12. https://en.wikipedia.org/wiki/Tempest_(codename) [Wik13e] Tinyca. Wikipedia, Wikipedia, December 2013. Accessed 2013-12-24. https://en.wikipedia. org/wiki/TinyCA [Wol13] Elliptic curve. Math dictionary entry, Wolfram Research Mathworld, December 2013. Accessed 2013-12-12. https://mathworld.wolfram.com/EllipticCurve.html Yuval Yarom and Katrina Falkner. Flush+ reload: a high resolution, low noise, l3 cache side-channel attack, 2013. https://eprint.iacr.org/2013/448.pdf
[YF13]
Applied Crypto Hardening Draft revision: be7a9f4 (2014-01-04 20:08:20 +0100) Aaron Kaplan
page 80 of 80