Kryptografie/Chiffrier Suits: Unterschied zwischen den Versionen

Aus Foxwiki
 
(153 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt)
Zeile 1: Zeile 1:
== Overview ==
== Chiffrier Suits ==
Number theorists are like lotus-eaters - having tasted this food they can never give it up.
; Sammlung von Kryptografieverfahren
— Leopold Kronecker


This chapter provides the necessary background information on why chapter [https://bettercrypto.org/#practicalsettings [practicalsettings]] recommended ''cipher string B''.
=== Komponenten ===
* We start off by explaining the structure of cipher strings in section [https://bettercrypto.org/#architecture [architecture]] (architecture) and define PFS in [https://bettercrypto.org/#pfs [pfs]].
; Standardisierte Algorithmen
* Next we present ''Cipher String A'' and ''Cipher String B'' in section [https://bettercrypto.org/#recommendedciphers Recommended cipher suites].
* Schlüsselaustausch
* Kryptografiealgorithmen (Chiffren)  
* Algorithmus für Nachrichtenauthentifizierungscodes (MAC)
* Authentifizierung 
* Authentifizierte Kryptografie mit zugehörigen Daten (AEAD)


; This concludes the section on cipher strings
=== Aufbau einer Chiffrierzeichenfolge ===
* In theory, the reader should now be able to construct his or her own cipher string.
{| class="wikitable"
* However, the question why certain settings were chosen still remains.
|-
* To answer this part, we need to look at recommended keylengths, problems in specific algorithms and hash functions and other cryptographic parameters.
| DHE
* As mentioned initially in section [https://bettercrypto.org/#relatedPublications [relatedPublications]], the ENISA ([https://bettercrypto.org/#bibliography-default-ENISA2013 ENISA and Vincent Rijmen, Nigel P. Smart, Bogdan warinschi, Gaven Watson, 2013]), ECRYPT 2 ([https://bettercrypto.org/#bibliography-default-ii2011ecrypt II & SYM, 2012]) and BSI ([https://bettercrypto.org/#bibliography-default-TR02102 für Sicherheit in der Informationstechnik (BSI), 2018]) reports go much more into these topics and should be consulted in addition.
| RSA
| AES256
| SHA256
|}
 
=== Nomenklatur ===
; Benennungsschemata für Chiffrezeichenfolgen
* IANA-Namen
* OpenSSL-Namen


We try to answer the questions by explaining issues with random number generators (section [https://bettercrypto.org/#rngs Random Number Generators]), keylengths (section [https://bettercrypto.org/#keylengths Keylengths]), current issues in ECC (section [https://bettercrypto.org/#EllipticCurveCryptography A note on Elliptic Curve Cryptography]), a note of warning on SHA-1 (section [https://bettercrypto.org/#sha A note on SHA-1]) and some comments on Diffie Hellman key exchanges (section [https://bettercrypto.org/#dh A note on Diffie Hellman Key Exchanges]).
=== Forward Secrecy ===
* All of this is important in understanding why certain choices were made for ''Cipher String A and B''.
; Vertraulichkeit auch dann gewährleisten, wenn der Serverschlüssel kompromittiert wurde
* However, for most system administrators, the question of compatibility is one of the most pressing ones.
* Having the freedom to be compatible with any client (even running on outdated operating systems) of course, reduces the security of our cipher strings.
* We address these topics in section [https://bettercrypto.org/#compatibility TODO].
* All these sections will allow a system administrator to balance his or her needs for strong encryption with usability and compatibility.


Last but not least, we finish this chapter by talking about issues in PKIs (section [https://bettercrypto.org/#pkis Public Key Infrastructures]), Certificate Authorities and on hardening a PKI.
{{:Perfect Forward Secrecy}}
* Note that these last few topics deserve a book on their own.
* Hence this guide can only mention a few current topics in this area.


== Cipher suites ==
== Cipher Strings ==
; Wann sollten welche Einstellungen gewählt werden?
* Schlüssellängen
* Algorithmen
* Hash-Funktionen
* Andere kryptografische Parameter


=== Architectural overview ===
; Entscheidungen
This section defines some terms which will be used throughout this guide.
# Sicherheit der Kommunikation
A cipher suite is a standardized collection of key exchange algorithms, encryption algorithms (ciphers) and Message authentication codes (MAC) algorithm that provides authenticated encryption schemes. It consists of the following components:
# Hohen Sicherheit der Cipher-Suite bei
# Key exchange protocol 
#* Ausschluss einiger Benutzer
# Authentication 
#* Unterstützung möglichst vieler Benutzer
# Cipher
# Message authentication code (MAC) 
# Authenticated Encryption with Associated Data (AEAD) 
 
; Composition of a typical cipher string
+-----+  +-----+  +--------+  +--------+
| DHE +--+ RSA +--+ AES256 +--+ SHA256 +
+-----+  +-----+  +--------+  +--------+


; A note on nomenclature
; Qualys SSL Labs
: There are two common naming schemes for cipher strings – IANA names (see appendix [https://bettercrypto.org/#links Links]) and the more well known OpenSSL names. In this document we will always use OpenSSL names unless a specific service uses IANA names.
Werkzeug zum Test der Einrichtung und Kompatibilität des Webservers
: https://www.ssllabs.com


=== Forward Secrecy ===
; Achtung
Forward Secrecy or Perfect Forward Secrecy is a property of a cipher suite that ensures confidentiality even if the server key has been compromised.
: '''Hier gewählte Einstellungen sind nur beispielhaft und MÜSSEN angepasst werden!'''
* Thus if traffic has been recorded it can not be decrypted even if an adversary has got hold of the server key.
* [https://en.wikipedia.org/wiki/Forward_secrecy Forward secrecy] (Wikipedia)
* [https://www.eff.org/deeplinks/2013/08/pushing-perfect-forward-secrecy-important-web-privacy-protection Pushing for Perfect Forward Secrecy, an Important Web Privacy Protection] (EFF)
* [https://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html SSL: Intercepted today, decrypted tomorrow] (Netcraft)


=== Recommended cipher suites ===
; Chiffriersuiten auszuwählen und überprüfen
* Eigenen Chiffriersuiten auszuwählen und überprüfen
* basierend auf den Anweisungen im Abschnitt [[https://bettercrypto.org/#ChoosingYourOwnCipherSuites ChoosingYourOwnCipherSuites]]


== Recommended cipher suites ==
=== Starke Chiffren ===
In principle system administrators who want to improve their communication security have to make a difficult decision between effectively locking out some users and keeping high cipher suite security while supporting as many users as possible. The web-site [https://www.ssllabs.com/ Qualys SSL Labs] gives administrators and security engineers a tool to test their setup and compare compatibility with clients. The authors made use of ssllabs.com to arrive at a set of cipher suites which we will recommend throughout this document.
; Starken Chiffriersuiten = Weniger Clients


; Caution
; Umgebung
: these settings can only represent a subjective choice of the authors at the time of writing. It might be a wise choice to select your own and review cipher suites based on the instructions in section [https://bettercrypto.org/#ChoosingYourOwnCipherSuites [ChoosingYourOwnCipherSuites]].
* Lokales Netzwerk
* Einheitliche Client-Infrastruktur
* Maschine-zu-Maschine-Kommunikation


=== Configuration A: Strong ciphers, fewer clients ===
; Cipher suites
At the time of writing, our recommendation is to use the following set of strong cipher suites which may be useful in an environment where one does not depend on many, different clients and where compatibility is not a big issue. An example of such an environment might be machine-to-machine communication or corporate deployments where software that is to be used can be defined without restrictions.
* TLS 1.2
We arrived at this set of cipher suites by selecting:* TLS 1.2
* Perfect forward secrecy / ephemeral Diffie Hellman
* Perfect forward secrecy / ephemeral Diffie Hellman
* strong MACs (SHA-2) or
* strong MACs (SHA-2) or
* GCM as Authenticated Encryption scheme
* GCM as Authenticated Encryption scheme
This results in the OpenSSL string: <tt>EDH+aRSA+AES256:EECDH+aRSA+AES256:!SSLv3</tt>


Table 14. Configuration A ciphers
; OpenSSL string
: <tt>EDH+aRSA+AES256:EECDH+aRSA+AES256:!SSLv3</tt>


{| style="border-spacing:0;width:17cm;"
; Configuration A ciphers
|- style="border:none;padding:0.049cm;"
{| class="wikitable sortable options"
! align=center| ID
! align=center| ID
! align=center| OpenSSL Name
! align=center| OpenSSL Name
Zeile 113: Zeile 115:


; Compatibility
; Compatibility
: At the time of this writing only Win 7 and Win 8.1 crypto stack, OpenSSL >= 1.0.1e, Safari 6 / iOS 6.0.1 and Safari 7 / OS X 10.9 are covered by that cipher string.
Zeitweise waren von diesem Cipher String nur abgedeckt
* Win 7  
* Win 8.1 Crypto Stack,  
* OpenSSL >= 1.0.1e,  
* Safari 6 / iOS 6.0.1 und Safari 7 / OS X 10.9


=== Configuration B: Weaker ciphers but better compatibility ===
=== Schwächere Chiffren ===
In this section we propose a slightly weaker set of cipher suites. For example, there are known weaknesses for the SHA-1 hash function that is included in this set. The advantage of this set of cipher suites is not only better compatibility with a broad range of clients, but also less computational workload on the provisioning hardware.
; Schwächere Chiffren = bessere Kompatibilität
* Zum Beispiel gibt es bekannte Schwachstellen für die SHA-1-Hash-Funktion, die in diesem Satz enthalten ist.  


'''All examples in this publication use Configuration B'''.
; Vorteil
We arrived at this set of cipher suites by selecting:* TLS 1.2, TLS 1.1, TLS 1.0
* bessere Kompatibilität mit einer breiten Palette von Clients
* allowing SHA-1 (see the comments on SHA-1 in section [https://bettercrypto.org/#SHA [SHA]])
* geringere Rechenlast für die Bereitstellungshardware


This results in the OpenSSL string:
; Nachteil
'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'


Table 15. Configuration B ciphers
; Cipher Suites
* TLS 1.2
* TLS 1.1
* TLS 1.0
* Erlauben von '''[[SHA-1]]'''


{| style="border-spacing:0;width:17cm;"
; OpenSSL-Zeichenkette
|- style="border:none;padding:0.049cm;"
EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
 
; Konfiguration B-Chiffren
{| class="wikitable sortable options"
! align=center| ID
! align=center| ID
! align=center| OpenSSL Name
! align=center| OpenSSL Name
Zeile 283: Zeile 296:
|}
|}


;Compatibility
;Kompatibilität
: Note that these cipher suites will not work with Windows XP’s crypto stack (e.g. IE, Outlook),
: Beachten Sie, dass diese Cipher Suites nicht mit dem Crypto Stack von Windows XP funktionieren (z.&nbsp;B.&nbsp;IE, Outlook),


; Explanation
; Erläuterung
: For a detailed explanation of the cipher suites chosen, please see [https://bettercrypto.org/#ChoosingYourOwnCipherSuites [ChoosingYourOwnCipherSuites]]. In short, finding a single perfect cipher string is practically impossible and there must be a tradeoff between compatibility and security. On the one hand there are mandatory and optional ciphers defined in a few RFCs, on the other hand there are clients and servers only implementing subsets of the specification.
: Für eine ausführliche Erklärung der gewählten Chiffriersuiten siehe [[https://bettercrypto.org/#ChoosingYourOwnCipherSuites ChoosingYourOwnCipherSuites]].  
: Straightforwardly, the authors wanted strong ciphers, forward secrecy [[https://bettercrypto.org/#_footnotedef_25 25]] and the best client compatibility possible while still ensuring a cipher string that can be used on legacy installations (e.g. OpenSSL 0.9.8).
* Kurz gesagt, es ist praktisch unmöglich, eine einzige perfekte Chiffrierkette zu finden, und es muss ein Kompromiss zwischen Kompatibilität und Sicherheit gefunden werden.  
* Auf der einen Seite gibt es obligatorische und optionale Chiffren, die in einigen RFCs definiert sind, auf der anderen Seite gibt es Clients und Server, die nur Teilmengen der Spezifikation implementieren.
: Die Autoren wollten starke Chiffren, vorwärts gerichtete Geheimhaltung [[https://bettercrypto.org/#_footnotedef_25 25]] und die bestmögliche Kompatibilität mit den Clients, während sie gleichzeitig einen Chiffrierstring sicherstellen wollten, der auf älteren Installationen (z.&nbsp;B.&nbsp;OpenSSL 0.9.8) verwendet werden kann.


Our recommended cipher strings are meant to be used via copy and paste and need to work "out of the box".* TLSv1.2 is preferred over TLSv1.0 (while still providing a useable cipher string for TLSv1.0 servers).
; Out of the box
* AES256 and CAMELLIA256 count as very strong ciphers at the moment.
Die von uns empfohlenen Chiffrierzeichenfolgen sind für die Verwendung durch Kopieren und Einfügen gedacht und müssen "out of the box" funktionieren.
* AES128 and CAMELLIA128 count as strong ciphers at the moment
* TLSv1.2 wird gegenüber TLSv1.0 bevorzugt (und bietet dennoch eine brauchbare Chiffrierkette für TLSv1.0-Server).
* DHE or ECDHE for forward secrecy
* AES256 und CAMELLIA256 gelten derzeit als sehr starke Kryptografieen.
* RSA as this will fit most of today’s setups
* AES128 und CAMELLIA128 gelten derzeit als starke Kryptografieen.
* AES256-SHA as a last resort: with this cipher at the end, even server systems with very old OpenSSL versions will work out of the box (version 0.9.8 for example does not provide support for ECC and TLSv1.1 or above). Note however that this cipher suite will not provide forward secrecy. It is meant to provide the same client coverage(eg. support Microsoft crypto libraries) on legacy setups.
* DHE oder ECDHE für Vorwärtsgeheimnis
* RSA, da dies für die meisten heutigen Konfigurationen geeignet ist
* AES256-SHA als letzter Ausweg: Mit dieser Chiffre am Ende funktionieren sogar Serversysteme mit sehr alten OpenSSL-Versionen (Version 0.9.8 bietet zum Beispiel keine Unterstützung für ECC und TLSv1.1 oder höher).  
* Beachten Sie jedoch, dass diese Cipher-Suite keine Vorwärtsverschlüsselung bietet.  
* Sie soll die gleiche Client-Abdeckung bieten (z.&nbsp;B.&nbsp;Unterstützung der Microsoft Krypto-Bibliotheken) auf älteren Systemen.


=== Compatibility ===
== Weblinks ==
 
# https://bettercrypto.org
; TODO
: Write this section. The idea here is to first document which server (and openssl) version we assumed. Once these parameters are fixed, we then list all clients which are supported for Variant A) and B). Therefore we can document compatibilities to some extent. The sysadmin can then choose roughly what he looses or gains by omitting certain cipher suites.
 
== Random Number Generators ==
[[Image:Bild11.png|top|alt="A real fair random number generator"]]
(Image license: [http://creativecommons.org/licenses/by-nc/2.5/ CC-BY-NC])
A good source of random numbers is essential for many crypto operations. The key feature of a good random number generator is the non-predictability of the generated numbers. This means that hardware support for generating entropy is essential.
Hardware random number generators in operating systems or standalone components collect entropy from various random events mostly by using the (low bits of the) time an event occurs as an entropy source. The entropy is merged into an entropy pool and in some implementations there is some bookkeeping about the number of random bits available.
 
=== When Random Number Generators Fail ===
Random number generators can fail – returning predictable non-random numbers – if not enough entropy is available when random numbers should be generated.
This typically occurs for embedded devices and virtual machines. Embedded devices lack some entropy sources other devices have, e.g.:
* No persistent clock, so boot-time is not contributing to the initial RNG state.
* No hard-disk: No entropy from hard-disk timing, no way to store entropy between reboots.
Virtual machines emulate some hardware components so that the generated entropy is over-estimated. The most critical component that has been shown to return wrong results is an emulated environment is the timing source ([https://bettercrypto.org/#bibliography-default-Eng11 Engblom, 2011]).
Typically the most vulnerable time where low-entropy situations occur is shortly after a reboot. Unfortunately many operating system installers create cryptographic keys shortly after a reboot ([https://bettercrypto.org/#bibliography-default-HDWH12 Heninger, Durumeric, Wustrow, & Halderman, 2012]).
Another problem is that OpenSSL seeds its internal random generator only seldomly from the hardware random number generator of the operating system. This can lead to situations where a daemon that is started at a time when entropy is low keeps this low-entropy situation for hours leading to predictable session keys ([https://bettercrypto.org/#bibliography-default-HDWH12 Heninger, Durumeric, Wustrow, & Halderman, 2012]).
For systems where – during the lifetime of the keys – it is expected that low-entropy situations occur, RSA keys should be preferred over DSA keys: For DSA, if there is ever insufficient entropy at the time keys are used for signing this may lead to repeated ephemeral keys. An attacker who can guess an ephemeral private key used in such a signature can compromise the DSA secret key. For RSA this can lead to discovery of encrypted plaintext or forged signatures but not to the compromise of the secret key ([https://bettercrypto.org/#bibliography-default-HDWH12 Heninger, Durumeric, Wustrow, & Halderman, 2012]).
 
== Keylengths ==
On the choice between AES256 and AES128: I would never consider
using AES256, just like I don't wear a helmet when I sit inside my car. It's
too much bother for the epsilon improvement in security.
Recommendations on keylengths need to be adapted regularly. Since this document first of all is static and second of all, does not consider itself to be authoritative on keylengths, we would rather refer to existing publications and websites. Recommending a safe key length is a hit-and-miss issue.
Furthermore, when choosing an encryption algorithm and key length, the designer/sysadmin always needs to consider the value of the information and how long it must be protected. In other words: consider the number of years the data needs to stay confidential.
The [http://www.ecrypt.eu.org/ecrypt2/documents.html ECRYPT II publication] gives a fascinating overview of strengths of symmetric keys in chapter 5 and chapter 7. Summarizing ECRYPT II, we recommend 128 bit of key strength for symmetric keys. In ECRYPT II, this is considered safe for security level 7, long term protection.
In the same ECRYPT II publication you can find a practical comparison of key size equivalence between symmetric key sizes and RSA, discrete log (DLOG) and EC keylengths. ECRYPT II arrives at the interesting conclusion that for an equivalence of 128 bit symmetric size, you will need to use an 3248 bit RSA key&nbsp;([https://bettercrypto.org/#bibliography-default-ii2011ecrypt II & SYM, 2012]).
There are a couple of other studies comparing keylengths and their respective strengths. The website [https://www.keylength.com/ https://www.keylength.com/] compares these papers and offers a good overview of approximations for key lengths based on recommendations by different standardization bodies and academic publications. Figure #fig:keylengths.com[1] shows a typical comparison of keylengths on this web site.
[[Image:Bild12.png|top|alt="Screenshot for 128 bit symmetric key size equivalents"]]
 
=== Summary ===
For asymmetric public-key cryptography we consider any key length below 3248 bits to be deprecated at the time of this writing (for long term protection).
For elliptic curve cryptography we consider key lengths below 256 bits to be inadequate for long term protection.
For symmetric algorithms we consider anything below 128 bits to be inadequate for long term protection.


=== Special remark on 3DES: ===
; ENISA-Berichte
We want to note that 3DES theoretically has 168 bits of security, however based on the NIST Special Publication 800-57 [[https://bettercrypto.org/#_footnotedef_26 26]].
Gehen viel mehr auf diese Themen ein und sollten zusätzlich konsultiert werden
Due to several [https://en.wikipedia.org/wiki/Triple_DES#Security security problems] the effective key length should be considered 80 bits. The NIST [https://csrc.nist.gov/news/2017/update-to-current-use-and-deprecation-of-tdea recommends] not to use 3DES any more and to migrate to AES as soon as possible.
* [https://bettercrypto.org/#bibliography-default-ENISA2013 ENISA und Vincent Rijmen, Nigel P. Smart, Bogdan warinschi, Gaven Watson, 2013]
* ECRYPT 2 ([https://bettercrypto.org/#bibliography-default-ii2011ecrypt II & SYM, 2012])
* BSI ([https://bettercrypto.org/#bibliography-default-TR02102 für Sicherheit in der Informationstechnik (BSI), 2018])


== A note on Elliptic Curve Cryptography ==
; Themen
Everyone knows what a curve is, until he has studied enough
* [[Zufallszahlengeneratoren]]
mathematics to become confused through the countless number
* [[Keylängen]]
of possible exceptions.
* ECC (Abschnitt [https://bettercrypto.org/#EllipticCurveCryptography A note on Elliptic Curve Cryptography]), ein Warnhinweis zu SHA-1 (Abschnitt [https://bettercrypto.org/#sha A note on SHA-1])
Elliptic Curve Cryptography (simply called ECC from now on) is a branch of cryptography that emerged in the mid-1980s. The security of the RSA algorithm is based on the assumption that factoring large numbers is infeasible. Likewise, the security of ECC, DH and DSA is based on the discrete logarithm problem ([https://bettercrypto.org/#bibliography-default-Wikipedia:Discrete i_wikipedia_Discrete logarithm_, 2013]). Finding the discrete logarithm of an elliptic curve from its public base point is thought to be infeasible. This is known as the Elliptic Curve Discrete Logarithm Problem (ECDLP). ECC and the underlying mathematical foundation are not easy to understand - luckily, there have been some great introductions on the topic. [[https://bettercrypto.org/#_footnotedef_27 27]] [[https://bettercrypto.org/#_footnotedef_28 28]] [[https://bettercrypto.org/#_footnotedef_29 29]].
* Diffie-Hellman (Abschnitt [https://bettercrypto.org/#dh A note on Diffie Hellman Key Exchanges]).  
ECC provides for much stronger security with less computationally expensive operations in comparison to traditional asymmetric algorithms (See the Section [https://bettercrypto.org/#keylengths Keylengths]). The security of ECC relies on the elliptic curves and curve points chosen as parameters for the algorithm in question. Well before the NSA-leak scandal, there has been a lot of discussion regarding these parameters and their potential subversion. A part of the discussion involved recommended sets of curves and curve points chosen by different standardization bodies such as the National Institute of Standards and Technology (NIST) [[https://bettercrypto.org/#_footnotedef_30 30]] which were later widely implemented in most common crypto libraries. Those parameters came under question repeatedly from cryptographers ([https://bettercrypto.org/#bibliography-default-BL13 Bernstein & Lange, 2013]).
At the time of writing, there is ongoing research as to the security of various ECC parameters ([https://bettercrypto.org/#bibliography-default-DJBSC SafeCurves: choosing safe curves for elliptic-curve cryptography, 2013]). Most software configured to rely on ECC (be it client or server) is not able to promote or black-list certain curves. It is the hope of the authors that such functionality will be deployed widely soon. The authors of this paper include configurations and recommendations with and without ECC - the reader may choose to adopt those settings as he finds best suited to his environment. The authors will not make this decision for the reader.


{| style="border-spacing:0;width:17cm;"
; All dies ist wichtig, um zu verstehen, warum bestimmte Entscheidungen für ''Cipher String A und B'' getroffen wurden
|- style="border:none;padding:0.049cm;"
* Für die meisten Systemadministratoren ist jedoch die Frage der Kompatibilität eine der dringendsten.  
||
* Die Freiheit, mit jedem beliebigen Client kompatibel zu sein (auch mit veralteten Betriebssystemen), verringert natürlich die Sicherheit unserer Chiffrierzeichenfolgen.
|| Warning
* Wir behandeln diese Themen im Abschnitt [https://bettercrypto.org/#compatibility TODO].
One should get familiar with ECC, different curves and parameters if one chooses to adopt ECC configurations. Since there is much discussion on the security of ECC, flawed settings might very well compromise the security of the entire system!
* Alle diese Abschnitte ermöglichen es einem Systemadministrator, seine oder ihre Bedürfnisse nach starker Kryptografie mit Benutzerfreundlichkeit und Kompatibilität in Einklang zu bringen.
|-
|}


== A note on SHA-1 ==
; Themen
In the last years several weaknesses have been shown for SHA-1. In particular, collisions on SHA-1 can be found using 263 operations, and recent results even indicate a lower complexity. Therefore, ECRYPT II and NIST recommend against using SHA-1 for generating digital signatures and for other applications that require collision resistance. The use of SHA-1 in message authentication, e.g. HMAC, is not immediately threatened.
* [[PKI|Public Key Infrastructures]]
We recommend using SHA-2 whenever available. Since SHA-2 is not supported by older versions of TLS, SHA-1 can be used for message authentication if a higher compatibility with a more diverse set of clients is needed.
Our configurations A and B reflect this. While configuration A does not include SHA-1, configuration B does and thus is more compatible with a wider range of clients.


== A note on Diffie Hellman Key Exchanges ==
== Siehe auch ==
A common question is which Diffie-Hellman (DH) parameters should be used for Diffie Hellman key-exchanges [[https://bettercrypto.org/#_footnotedef_31 31]]. We follow the recommendations in ECRYPT II ([https://bettercrypto.org/#bibliography-default-ii2011ecrypt II & SYM, 2012]).
# [[3DES]]
Where configurable, we recommend using the Diffie Hellman groups defined for IKE, specifically groups 14-18 (2048–8192 bit MODP) ([https://bettercrypto.org/#bibliography-default-rfc3526 Kivinen & Kojo, 2003]). These groups have been checked by many eyes and can be assumed to be secure.
# [[Elliptische Kurven Kryptographie]]
For convenience, we provide these parameters as PEM files on our webserver [[https://bettercrypto.org/#_footnotedef_32 32]].
# [[SHA-1]]
 
# [[Diffie Hellman Key Exchanges]]
== Public Key Infrastructures ==
# [[Random Number Generator]]
Public-Key Infrastructures try to solve the problem of verifying whether a public key belongs to a given entity, so as to prevent Man In The Middle attacks.
# [[Kryptografie/Schlüssellängen]]
There are two approaches to achieve that: ''Certificate Authorities'' and the ''Web of Trust''.
# [[Public Key Infrastructure]]
Certificate Authorities (CAs) sign end-entities’ certificates, thereby associating some kind of identity (e.g. a domain name or an email address) with a public key. CAs are used with TLS and S/MIME certificates, and the CA system has a big list of possible and real problems which are summarized in section [https://bettercrypto.org/#hardeningpki Hardening PKI] and ([https://bettercrypto.org/#bibliography-default-https13 Durumeric, Kasten, Bailey, & Halderman, 2013]).
# [[TLS]]
The Web of Trust is a decentralized system where people sign each other’s keys, so that there is a high chance that there is a "trust path" from one key to another. This is used with PGP keys, and while it avoids most of the problems of the CA system, it is more cumbersome.
As alternatives to these public systems, there are two more choices: running a private CA, and manually trusting keys (as it is used with SSH keys or manually trusted keys in web browsers).
The first part of this section addresses how to obtain a certificate in the CA system. The second part offers recommendations on how to improve the security of your PKI.
 
=== Certificate Authorities ===
In order to get a certificate, you can find an external CA willing to issue a certificate for you, run your own CA, or use self-signed certificates. As always, there are advantages and disadvantages for every one of these options; a balance of security versus usability needs to be found.
 
==== Certificates From an External Certificate Authority ====
There is a fairly large number of commercial CAs that will issue certificates for money. Some of the most ubiquitous commercial CAs are Verisign, GoDaddy, and Teletrust. However, there are also CAs that offer certificates for free. The most notable examples are StartSSL, which is a company that offers some types of certificates for free, and CAcert, which is a non-profit volunteer-based organization that does not charge at all for issuing certificates. Finally, in the research and education field, a number of CAs exist that are generally well-known and well-accepted within the higher-education community.
A large number of CAs is pre-installed in client software’s or operating system’s`‘trust stores’'; depending on your application, you have to select your CA according to this, or have a mechanism to distribute the chosen CA’s root certificate to the clients.
When requesting a certificate from a CA, it is vital that you generate the key pair yourself. In particular, the private key should never be known to the CA. If a CA offers to generate the key pair for you, you should not trust that CA.
Generating a key pair and a certificate request can be done with a number of tools. On Unix-like systems, it is likely that the OpenSSL suite is available to you.
 
In this case, you can generate a private key and a corresponding certificate request as follows:
$ openssl req -new -nodes -keyout <servername>.key -out <servername>.csr -newkey rsa:<keysize> -sha256
Country Name (2 letter code) [AU]:DE
State or Province Name (full name) [Some-State]:Bavaria
Locality Name (eg, city) []:Munich
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example
Organizational Unit Name (eg, section) []:Example Section
Common Name (e.g. server FQDN or YOUR name) []:example.com
Email Address []:admin@example.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
 
==== Setting Up Your Own Certificate Authority ====
In some situations it is advisable to run your own certificate authority. Whether this is a good idea depends on the exact circumstances. Generally speaking, the more centralized the control of the systems in your environment, the fewer pains you will have to go through to deploy your own CA. On the other hand, running your own CA maximizes the trust level that you can achieve because it minimizes external trust dependencies.
 
Again using OpenSSL as an example, you can set up your own CA with the following commands on a Debian system:
$ cd /usr/lib/ssl/misc
$ sudo ./CA.pl -newca
Answer the questions according to your setup. Now that you have configured your basic settings and issued a new root certificate, you can issue new certificates as follows:
$ cd /usr/lib/ssl/misc
$ sudo ./CA.pl -newreq
Alternatively, software such as TinyCA that acts as a "wrapper" around OpenSSL and tries to make life easier is available.
 
==== Creating a Self-Signed Certificate ====
If the desired trust level is very high and the number of systems involved is limited, the easiest way to set up a secure environment may be to use self-signed certificates. A self-signed certificate is not issued by any CA at all, but is signed by the entity that it is issued to. Thus, the organizational overhead of running a CA is eliminated at the expense of having to establish all trust relationships between entities manually.
With OpenSSL, you can self-sign a previously created certificate with this command:
$ openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095
You can also create a self-signed certificate in just one command:
$ openssl req -new -x509 -keyout privkey.pem -out cacert.pem -days 1095 -nodes -newkey rsa:<keysize> -sha256
The resulting certificate will by default not be trusted by anyone at all, so in order to be useful, the certificate will have to be made known a priori to all parties that may encounter it.
 
=== Hardening PKI ===
In recent years several CAs were compromised by attackers in order to get a hold of trusted certificates for malicious activities. In 2011 the Dutch CA Diginotar was hacked and all certificates were revoked&nbsp;([https://bettercrypto.org/#bibliography-default-diginotar-hack Elinor Mills, 2011]). Recently Google found certificates issued to them, which were not used by the company&nbsp;([https://bettercrypto.org/#bibliography-default-googlecahack Damon Poeter, 2011]). The concept of PKIs heavily depends on the security of CAs. If they get compromised the whole PKI system will fail. Some CAs tend to incorrectly issue certificates that were designated to do a different job than what they were intended to by the CA&nbsp;([https://bettercrypto.org/#bibliography-default-gocode Adam Langley, et. al., 2013]).
Therefore several security enhancements were introduced by different organizations and vendors&nbsp;([https://bettercrypto.org/#bibliography-default-tschofenig-webpki H. Tschofenig and E. Lear, 2013]). Currently two methods are used, DANE ([https://bettercrypto.org/#bibliography-default-rfc6698 Hoffman & Schlyter, 2012]) and Certificate Pinning&nbsp;([https://bettercrypto.org/#bibliography-default-draft-ietf-websec-key-pinning C. Evans and C. Palmer, 2013]). Google recently proposed a new system to detect malicious CAs and certificates called Certificate Transparency&nbsp;([https://bettercrypto.org/#bibliography-default-certtransparency Adam Langley, Ben Laurie, Emilia Kasper, 2013]). In addition, RFC 6844 describes Certification Authorization Records, a mechanism for domain name owners to signal which Certificate Authorities are authorized to issue certificates for their domain.
 
=== Certification Authorization Records ===
RFC 6844 describes Certification Authorization Records, a mechanism for domain name owners to signal which Certificate Authorities are authorized to issue certificates for their domain.
When a CAA record is defined for a particular domain, it specifies that the domain owner requests Certificate Authorities to validate any request against the CAA record. If the certificate issuer is not listed in the CAA record, it should not issue the certificate.
The RFC also permits Certificate Evaluators to test an issued certificate against the CAA record, but should exercise caution, as the CAA record may change during the lifetime of a certificate, without affecting its validity.
CAA also supports an iodef property type which can be requested by a Certificate Authority to report certificate issue requests which are inconsistent with the issuer’s Certificate Policy.
 
==== Configuration of CAA records ====
BIND supports CAA records as of version 9.9.6.
A CAA record can be configured by adding it to the zone file:
$ORIGIN example.com
      CAA 0 issue "ca1.example"
      CAA 0 iodef "mailto:security@example.com"
If your organization uses multiple CA’s, you can configure multiple records:
      CAA 0 issue "ca1.example"
      CAA 0 issue "ca2.example"
"ca1.example" and "ca2.example" are unique identifiers for the CA you plan on using. These strings can be obtained from your Certificate Authority, and typically are its top level domain. An example is "letsencrypt.org" for the Let’s Encrypt CA operated by the Internet Security Research Group.
Knot-DNS supports CAA records as of version 2.2.0.
 
==== Validation of CAA records ====
Once a CAA record is deployed, it can be validated using the following dig query:
$ dig CAA google.com
<nowiki>; <<>> DiG 9.10.3-P4-Debian <<>> CAA google.com</nowiki>
<nowiki>;; ANSWER SECTION:</nowiki>
google.com.          3600 IN  CAA  0 issue "symantec.com"
On older versions of Dig, which do not support CAA records, you can query the record type manually:
$ dig +short -t TYPE257 google.com
\# 19 0005697373756573796D616E7465632E636F6D
 
== TLS and its support mechanisms ==
 
=== HTTP Strict Transport Security (HSTS) ===
HTTP Strict Transport Security (HSTS) is a web security policy mechanism. HSTS is realized through HTTP header by which a web server declares that complying user agents (web browsers) should interact with it by using ''only'' secure HTTPS connections. [[https://bettercrypto.org/#_footnotedef_33 33]]
HSTS header is bound to a DNS name or domain by which the server was accessed. For example if server serves content for two domains and it is HTTPS enabled only for one domain, the browser won’t enforce HSTS for the latter.
HSTS reduces the risk of active man-in-the-middle attacks such as SSL stripping, and impersonation attacks with ''untrusted'' certificate. HSTS also helps to avoid unintentional mistakes such as insecure links to a secure web site (missing HTTPS links [[https://bettercrypto.org/#_footnotedef_34 34]]), and mistyped HTTPS URLs.
After the web browser receives a HSTS header in a ''correctly'' [[https://bettercrypto.org/#_footnotedef_35 35]] prepared SSL session it will automatically use secure HTTPS links for accessing the server.
This prevents unencrypted HTTP access (SSL striping, mistyped HTTPS URLs, etc.) when the server is accessed later by the client.
When a server (that previously emitted a HSTS header) starts using an untrusted certificate, complying user agents must show an error message and ''block the server connection''. Thus impersonation MITM attack with ''untrusted'' certificates cannot occur.
For the initial setup HSTS header needs a trusted secure connection over HTTPS. This limitation can be addressed by compiling a list of STS enabled sites directly into a browser. [[https://bettercrypto.org/#_footnotedef_36 36]]
 
==== HSTS Header Directives ====
HSTS header can be parametrized by two directives:* max-age=<number-of-seconds>
* includeSubdomains
''max-age'' is a required directive. This directive indicates the number of seconds during which the user agent should enforce the HSTS policy (after the reception of the STS header field from a server).
''includeSubdomains'' is an optional directive. This directive indicates that the HSTS policy applies to this HSTS host as well as ''any subdomains of the host’s domain name''.
 
==== HSTS Client Support ====
HSTS is supported [[https://bettercrypto.org/#_footnotedef_37 37]] by these web browsers:* Firefox version >= v4.0
* Chrome version >= 4.0
* Android Browser >=4.4
* Opera version >= 12.0
* Opera mobile >= 16.0
* Safari >= 7.0
* Microsoft Internet Explorer >= 11 (with update provided 09. June 2015)
* Microsoft Edge >= 12
 
==== HSTS Considerations ====
Before enabling HSTS it is recommended to consider following:* Is it ''required'' to serve content or services over HTTP?
* Enabling ''includeSubdomains'' and SSL certificate management.
* Proper value of ''max-age''.
It is recommended to serve all content using HTTPS, but there are exceptions to this rule as well. Consider running a private PKI [[https://bettercrypto.org/#_footnotedef_38 38]]. CRLs and OCSP responses are published typically by HTTP protocol. If HSTS is enabled on the site where OCSP and CRLs are published the browser might fail fetching CRL or validating OCSP response.
Similar reasoning goes for ''includeSubdomains''. One needs to be sure that HTTPS can be enforced for all subdomains. Moreover the administrators are advised to watch for expiration of the SSL certificate and handle the renewal process with caution. If a SSL certificate is renewed after expiration or misses a (HSTS enabled) domain name, the connection to site will break (without providing override mechanism to the end user).
Finally HSTS should be tested with lower ''max-age'' values and deployed with higher ''max-age'' values.
 
==== Testing HSTS ====
HSTS can be tested either using locally or through the Internet.
For local testing it is possible to utilize Chrome Web browser UI by typing chrome://net-internals/#hsts [[https://bettercrypto.org/#_footnotedef_39 39]] in the address bar.
Testing over the Internet can be conducted by Qualys SSL Labs test [https://www.ssllabs.com/ssltest/ https://www.ssllabs.com/ssltest/]. ''Strict Transport Security (HSTS)'' information is located in the ''Protocol Details'' section.
 
==== References ====
* Websites Must Use HSTS in Order to Be Secure: [https://www.eff.org/deeplinks/2014/02/websites-hsts https://www.eff.org/deeplinks/2014/02/websites-hsts]
* OWASP: HTTP Strict Transport Security: [https://www.owasp.org/index.php/HTTP_Strict_Transport_Security https://www.owasp.org/index.php/HTTP_Strict_Transport_Security]
* HSTS Browser Compatibility List: [https://caniuse.com/stricttransportsecurity https://caniuse.com/stricttransportsecurity]
* RFC 6797:HTTP Strict Transport Security (HSTS) - Examples: [https://tools.ietf.org/html/rfc6797#section-6.2 https://tools.ietf.org/html/rfc6797#section-6.2]
 
=== HTTP Public Key Pinning (HPKP) ===
Much like HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP) is a Trust-On-First-Use (TOFU) mechanism. It protects HTTPS websites from impersonation using certificates issued by compromised certificate authorities. The data for Pinning is supplied by an HTTP-Header sent by the WebServer.
 
==== HPKP Header Directives ====
HPKP provides two different types of headers:* Public-Key-Pins
* Public-Key-Pins-Report-Only
HPKP header can be parametrized by following directives:* pin-sha256="<YOUR_PUBLICKEY_HASH⇒"
* max-age=<number-of-seconds>
* includeSubdomains
* report-uri="<[https://YOUR.URL/TO-REPORT%3E https://YOUR.URL/TO-REPORT>"]
'''pin-sha256''' is a required directive. It can and should be used several (at least two) times for specifying the public keys of your domain-certificates or CA-certificates. Operators can pin any one or more of the public keys in the certificate-chain, and indeed must pin to issuers not in the chain (as, for example, a backup-pin). Pinning to an intermediate issuer, or even to a trust anchor or root, still significantly reduces the number of issuers who can issue end-entity certificates for the Known Pinned Host, while still giving that host flexibility to change keys without a disruption of service. OpenSSL can be used to convert the public-key of an X509-certificate as follows:
$ openssl x509 -in <certificate.cer> -pubkey -noout |
  openssl rsa -pubin -outform der |
  openssl dgst -sha256 -binary |
  openssl enc -base64
writing RSA key
pG3WsstDsfMkRdF3hBClXRKYxxKUJIOu8DwabG8MFrU=
This piped usage of OpenSSL first gets the Public-Key of <certificate.cer>, converts it do DER (binary) format, calculates an SHA256 Hash and finally encodes it Base64. The output (including the ending Equal-Sign) is exactly whats needed for the ''pin-sha256="<YOUR_PUBLICKEY_HASH⇒"'' parameter.
To generate the hash for a prepared backup-key just create a certificate-signing-request and replace <tt>openssl x509</tt> by <tt>openssl req -in <backup-cert.csr> -pubkey -noout</tt> as first OpenSSL command.
Instead of using OpenSSL even web-services like [https://report-uri.io/home/pkp_hash/ https://report-uri.io/home/pkp_hash/] can be used to get a suggestion for the possible Public-Key-Hashes for a given website.
'''max-age''' is a required directive (when using the ''Public-Key-Pins'' header). This directive specifies the number of seconds during which the user agent should regard the host (from whom the message was received) as a "Known Pinned Host".
'''includeSubdomains''' is an optional directive. This directive indicates that the same pinning applies to this host as well as ''any subdomains of the host’s domain name''. Be careful - you need to use a multi-domain/wildcard-certificate or use the same pub/private-keypair in all subdomain-certificates or need to pin to CA-certificates signing all your subdomain-certificates.
'''report-uri''' is an optional directive. The presence of a report-uri directive indicates to the web-browser that in the event of pin-validation failure, it should post a report to the report-uri (HTTP-Post is done using JSON, Syntax see {RFC-7469 Section 3} [[https://bettercrypto.org/#_footnotedef_40 40]]). There are WebServices like [https://report-uri.io/ https://report-uri.io/] out there which can be used to easily collect and visualize these reports.
 
==== HPKP Client Support ====
HPKP is supported [[https://bettercrypto.org/#_footnotedef_41 41]] by these web browsers:* Firefox version >= 35
* Chrome version between version 38 and 72
* Android Browser >= 44
* Opera version >= 25
Currently (20. Dec 2018) there is no HPKP support in: Apple Safari, Microsoft Internet Explorer and Edge. HPKP Support has been removed from Google Chrome and Chromium from version 72 onwards.
 
==== HPKP Considerations ====
Before enabling HPKP it is recommended to consider following:* Which Public-Keys to use for Pinning (Certificate + Backup-Certificate, CAs, Intermediate-CAs)
* Proper value of ''max-age''. Start testing with a short Period, increase Period after deployment.
* Be careful when using ''includeSubdomains'', are all your subdomains covered by the defined Public-Key-Hashes?
The administrators are advised to watch for expiration of the SSL certificate and handle the renewal process with caution.
If a SSL certificate is renewed without keeping the public-key (reusing the CSR) for an HPKP enabled domain name, the connection to site will break (without providing override mechanism to the end user).
 
==== Testing HPKP ====
HPKP can be tested either using locally or through the Internet.
There is a handy bash-script which uses OpenSSL for doing several SSL/TLS-Tests available at [https://testssl.sh/ https://testssl.sh/]
$ wget -q https://testssl.sh/testssl.sh
$ wget -q https://testssl.sh/mapping-rfc.txt
$ chmod 755 ./testssl.sh
$ ./testssl.sh https://example.com
<nowiki># Sample Output, just HSTS and HPKP Section (Full report is quite long!):</nowiki>
Strict Transport Security    182 days=15724800 s, includeSubDomains
Public Key Pinning # of keys: 2, 90 days=7776000 s, just this domain
            matching host key: pG3WsstDsfMkRdF3hBClXRKYxxKUJIOu8DwabG8MFrU
For local testing it is possible to utilize Google Chrome web-browser, just open the Chrome net-internals-URL: chrome://net-internals/#hsts.
For Mozilla Firefox there is an plug-in provided by the "Secure Information Technology Center Austria" available: [https://demo.a-sit.at/firefox-plugin-highlighting-safety-information/ https://demo.a-sit.at/firefox-plugin-highlighting-safety-information/]
Testing over the Internet can be conducted by Qualys SSL Labs test [https://www.ssllabs.com/ssltest/ https://www.ssllabs.com/ssltest/]. ''Public Key Pinning (HPKP)'' information is located in the ''Protocol Details'' section.
There is also a fast online HPKP-only check at [https://report-uri.io/home/pkp_analyse https://report-uri.io/home/pkp_analyse].
 
==== References ====
* OWASP: Certificate and Public Key Pinning: [https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning]
* HPKP Browser Compatibility List: [https://caniuse.com//#feat=publickeypinning https://caniuse.com/\#feat=publickeypinning]
* RFC 7469:Public Key Pinning Extension for HTTP - Examples: [https://tools.ietf.org/html/rfc7469/#section-2.1.5 https://tools.ietf.org/html/rfc7469\#section-2.1.5]
 
== Weblinks ==
# https://bettercrypto.org/


[[Kategorie:Verschlüsselung]]
[[Kategorie:Kryptografie/Algorithmus]]

Aktuelle Version vom 21. April 2024, 09:24 Uhr

Chiffrier Suits

Sammlung von Kryptografieverfahren

Komponenten

Standardisierte Algorithmen
  • Schlüsselaustausch
  • Kryptografiealgorithmen (Chiffren)
  • Algorithmus für Nachrichtenauthentifizierungscodes (MAC)
  • Authentifizierung
  • Authentifizierte Kryptografie mit zugehörigen Daten (AEAD)

Aufbau einer Chiffrierzeichenfolge

DHE RSA AES256 SHA256

Nomenklatur

Benennungsschemata für Chiffrezeichenfolgen
  • IANA-Namen
  • OpenSSL-Namen

Forward Secrecy

Vertraulichkeit auch dann gewährleisten, wenn der Serverschlüssel kompromittiert wurde

Perfect Forward Secrecy - Eigenschaft einer Kryptografie, die Vertraulichkeit auch dann zu gewährleistet, wenn der Serverschlüssel kompromittiert wurde

Beschreibung

Perfect Forward Secrecy (PFS) oder Forward Secrecy
  • perfekte vorwärts gerichtete Geheimhaltung
  • In der Kryptographie eine Eigenschaft bestimmter Schlüsselaustauschprotokolle
  • Eigenschaft einer Cipher Suite
  • Vertraulichkeit gewährleistet, wenn Serverschlüssel kompromittiert wurde
Aufgezeichneter Datenverkehr
  • kann nicht entschlüsselt werden
  • auch, falls ein Angreifer in den Besitz des Serverschlüssels gelangt ist
Ziel

Gemeinsamen Sitzungsschlüssel so vereinbaren

  • dass dieser von einem Dritten auch dann nicht rekonstruiert werden kann, wenn einer der beiden Langzeitschlüssel später einmal kompromittiert werden sollte
Folgenlosigkeit und break-backward protection
  • aufgezeichnete, verschlüsselte Kommunikation auch bei Kenntnis des Langzeitschlüssels nicht nachträglich entschlüsselt werden
  • Gelegentlich wird diese Eigenschaft auch unter dem Schlagwort Folgenlosigkeit behandelt, da ein späteres Aufdecken des Langzeitschlüssels folgenlos für die Sicherheit aller früheren Sitzungen bleibt
  • Diese Eigenschaft betont auch die alternative englische Bezeichnung break-backward protection

Hintergrund

Prinzipiell kann jeder Schlüssel aufgedeckt werden
  • Aufwendige Analyseverfahren
  • Ausspähung
  • Diebstahl
  • Bestechung
  • Erpressung
  • Nachlässigkeit
  • Brute-Force
Sitzungsschlüssel
  • Deswegen werden Sitzungsschlüssel verwendet, die in kurzen Abständen immer wieder neu ausgehandelt werden
  • Ein Angreifer, dem ein derartiger Sitzungsschlüssel bekannt wird, kann deshalb nur den Teil der Kommunikation entschlüsseln, der mit diesem Sitzungsschlüssel verschlüsselt worden war.
Langzeitschlüssel
  • Allerdings sind sämtliche Sitzungsschlüssel der Gefahr ausgesetzt, dass derjenige Langzeitschlüssel kompromittiert wird, der für die gesicherte Übertragung der Sitzungsschlüssel verwendet wird.
  • Durch die Kenntnis dieses Langzeitschlüssels könnte ein möglicher Angreifer sämtlichen Datenverkehr entschlüsseln, insbesondere auch die Übertragung der Sitzungsschlüssel und somit Zugriff auf den gesamten früheren Datenverkehr erhalten.
Perfect Forward Secrecy

Dies wird durch Perfect Forward Secrecy unterbunden

  • Angreifer können trotz Kenntnis des Langzeitschlüssels keinerlei Rückschlüsse auf die ausgehandelten Sitzungsschlüssel ziehen
  • Bei TLS wird dies dadurch erreicht, dass der Langzeitschlüssel zu einem Signaturverfahren gehört und nur benutzt wird, um Kurzzeitschlüssel zu signieren
  • Mit diesen wird jeweils durch einen Diffie-Hellman ein Sitzungsschlüssel ausgehandelt
  • Wird ein Server kompromittiert, erfährt der Angreifer nur den langfristigen Signaturschlüssel und die Sitzungsschlüssel gerade aktiver Verbindungen.
  • Die Sitzungsschlüssel zurückliegender Verbindungen sind bereits gelöscht und lassen sich nicht mehr rekonstruieren.

Praxis

Standardverfahren

Bei den heutigen Standardverfahren, bei denen zusammen mit symmetrischen Sitzungsschlüsseln (session key) auch asymmetrische Master-Keys eingesetzt werden, müssen auch die sehr viel langlebigeren Hauptschlüssel (master keys) eines Kommunikationskanals PFS-fähig sein.

  • Die Kenntnis eines oder beider privater Schlüssel der Kommunikationsendpunkte darf Angreifern das Aufdecken der Sitzungsschlüssel nicht erleichtern.
Nachteil

Ein Nachteil von Perfect Forward Secrecy ist der deutlich höhere Aufwand zur Generierung von Sitzungsschlüsseln und die dadurch geringere Verarbeitungsgeschwindigkeit.

  • Aus diesem Grunde kann es bei manchen Kryptografieverfahren (z. B. IPsec) deaktiviert werden.
Empfehlung

Im April 2019 empfahl das deutsche Bundesamt für Sicherheit in der Informationstechnik in seinen Sicherheitsanforderungen für den Einsatz von TLS bei der Übertragung von Daten die Version TLS 1.2 oder TLS 1.3 in Kombination mit Perfect Forward Secrecy zu nutzen.

Unterstützung
  • Von den großen internationalen IT-Unternehmen war Google das Erste, das den Standard unterstützte.
  • Mittlerweile wenden auch Facebook, YouTube und andere dieses Verfahren an.
  • Nach Angabe des Trustworthy Internet Movement vom Januar 2015 waren damals ca. 20,9 Prozent aller Webseiten, die eine TLS-Kryptografie nutzen, dazu konfiguriert, Cipher Suites zu verwenden, die Perfect Forward Secrecy mit modernen Browsern unterstützten.

Dokumentation

RFC

  • RFC 2409, Beispiel bei The Internet Key Exchange (IKE)
  • RFC 2412, Beispiel bei IPsec
  • RFC 4650

Man-Page

Info-Pages

Siehe auch

Links

Projekt

Weblinks

  1. Netcraft: SSL: Intercepted today, decrypted tomorrow
  2. Vorwärtsgeheimnis (Wikipedia)
  3. Pushing for Perfect Forward Secrecy, an Important Web Privacy Protection (EFF)
  4. SSL: Heute abgefangen, morgen entschlüsselt (Netcraft)

Cipher Strings

Wann sollten welche Einstellungen gewählt werden?
  • Schlüssellängen
  • Algorithmen
  • Hash-Funktionen
  • Andere kryptografische Parameter
Entscheidungen
  1. Sicherheit der Kommunikation
  2. Hohen Sicherheit der Cipher-Suite bei
    • Ausschluss einiger Benutzer
    • Unterstützung möglichst vieler Benutzer
Qualys SSL Labs

Werkzeug zum Test der Einrichtung und Kompatibilität des Webservers

https://www.ssllabs.com
Achtung
Hier gewählte Einstellungen sind nur beispielhaft und MÜSSEN angepasst werden!
Chiffriersuiten auszuwählen und überprüfen

Starke Chiffren

Starken Chiffriersuiten = Weniger Clients
Umgebung
  • Lokales Netzwerk
  • Einheitliche Client-Infrastruktur
  • Maschine-zu-Maschine-Kommunikation
Cipher suites
  • TLS 1.2
  • Perfect forward secrecy / ephemeral Diffie Hellman
  • strong MACs (SHA-2) or
  • GCM as Authenticated Encryption scheme
OpenSSL string
EDH+aRSA+AES256:EECDH+aRSA+AES256:!SSLv3
Configuration A ciphers
ID OpenSSL Name Version KeyEx Auth Cipher MAC
0x009F DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH RSA AESGCM(256) AEAD
0x006B DHE-RSA-AES256-SHA256 TLSv1.2 DH RSA AES(256) (CBC) SHA256
0xC030 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH RSA AESGCM(256) AEAD
0xC028 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH RSA AES(256) (CBC) SHA384
Compatibility

Zeitweise waren von diesem Cipher String nur abgedeckt

  • Win 7
  • Win 8.1 Crypto Stack,
  • OpenSSL >= 1.0.1e,
  • Safari 6 / iOS 6.0.1 und Safari 7 / OS X 10.9

Schwächere Chiffren

Schwächere Chiffren = bessere Kompatibilität
  • Zum Beispiel gibt es bekannte Schwachstellen für die SHA-1-Hash-Funktion, die in diesem Satz enthalten ist.
Vorteil
  • bessere Kompatibilität mit einer breiten Palette von Clients
  • geringere Rechenlast für die Bereitstellungshardware
Nachteil
Cipher Suites
  • TLS 1.2
  • TLS 1.1
  • TLS 1.0
  • Erlauben von SHA-1
OpenSSL-Zeichenkette
EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
Konfiguration B-Chiffren
ID OpenSSL Name Version KeyEx Auth Cipher MAC
0x009F DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH RSA AESGCM(256) AEAD
0x006B DHE-RSA-AES256-SHA256 TLSv1.2 DH RSA AES(256) SHA256
0xC030 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH RSA AESGCM(256) AEAD
0xC028 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH RSA AES(256) SHA384
0x009E DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH RSA AESGCM(128) AEAD
0x0067 DHE-RSA-AES128-SHA256 TLSv1.2 DH RSA AES(128) SHA256
0xC02F ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH RSA AESGCM(128) AEAD
0xC027 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH RSA AES(128) SHA256
0x0088 DHE-RSA-CAMELLIA256-SHA SSLv3 DH RSA Camellia(256) SHA1
0x0039 DHE-RSA-AES256-SHA SSLv3 DH RSA AES(256) SHA1
0xC014 ECDHE-RSA-AES256-SHA SSLv3 ECDH RSA AES(256) SHA1
0x0045 DHE-RSA-CAMELLIA128-SHA SSLv3 DH RSA Camellia(128) SHA1
0x0033 DHE-RSA-AES128-SHA SSLv3 DH RSA AES(128) SHA1
0xC013 ECDHE-RSA-AES128-SHA SSLv3 ECDH RSA AES(128) SHA1
0x0084 CAMELLIA256-SHA SSLv3 RSA RSA Camellia(256) SHA1
0x0035 AES256-SHA SSLv3 RSA RSA AES(256) SHA1
0x0041 CAMELLIA128-SHA SSLv3 RSA RSA Camellia(128) SHA1
0x002F AES128-SHA SSLv3 RSA RSA AES(128) SHA1
Kompatibilität
Beachten Sie, dass diese Cipher Suites nicht mit dem Crypto Stack von Windows XP funktionieren (z. B. IE, Outlook),
Erläuterung
Für eine ausführliche Erklärung der gewählten Chiffriersuiten siehe [ChoosingYourOwnCipherSuites].
  • Kurz gesagt, es ist praktisch unmöglich, eine einzige perfekte Chiffrierkette zu finden, und es muss ein Kompromiss zwischen Kompatibilität und Sicherheit gefunden werden.
  • Auf der einen Seite gibt es obligatorische und optionale Chiffren, die in einigen RFCs definiert sind, auf der anderen Seite gibt es Clients und Server, die nur Teilmengen der Spezifikation implementieren.
Die Autoren wollten starke Chiffren, vorwärts gerichtete Geheimhaltung [25] und die bestmögliche Kompatibilität mit den Clients, während sie gleichzeitig einen Chiffrierstring sicherstellen wollten, der auf älteren Installationen (z. B. OpenSSL 0.9.8) verwendet werden kann.
Out of the box

Die von uns empfohlenen Chiffrierzeichenfolgen sind für die Verwendung durch Kopieren und Einfügen gedacht und müssen "out of the box" funktionieren.

  • TLSv1.2 wird gegenüber TLSv1.0 bevorzugt (und bietet dennoch eine brauchbare Chiffrierkette für TLSv1.0-Server).
  • AES256 und CAMELLIA256 gelten derzeit als sehr starke Kryptografieen.
  • AES128 und CAMELLIA128 gelten derzeit als starke Kryptografieen.
  • DHE oder ECDHE für Vorwärtsgeheimnis
  • RSA, da dies für die meisten heutigen Konfigurationen geeignet ist
  • AES256-SHA als letzter Ausweg: Mit dieser Chiffre am Ende funktionieren sogar Serversysteme mit sehr alten OpenSSL-Versionen (Version 0.9.8 bietet zum Beispiel keine Unterstützung für ECC und TLSv1.1 oder höher).
  • Beachten Sie jedoch, dass diese Cipher-Suite keine Vorwärtsverschlüsselung bietet.
  • Sie soll die gleiche Client-Abdeckung bieten (z. B. Unterstützung der Microsoft Krypto-Bibliotheken) auf älteren Systemen.

Weblinks

  1. https://bettercrypto.org
ENISA-Berichte

Gehen viel mehr auf diese Themen ein und sollten zusätzlich konsultiert werden

Themen
All dies ist wichtig, um zu verstehen, warum bestimmte Entscheidungen für Cipher String A und B getroffen wurden
  • Für die meisten Systemadministratoren ist jedoch die Frage der Kompatibilität eine der dringendsten.
  • Die Freiheit, mit jedem beliebigen Client kompatibel zu sein (auch mit veralteten Betriebssystemen), verringert natürlich die Sicherheit unserer Chiffrierzeichenfolgen.
  • Wir behandeln diese Themen im Abschnitt TODO.
  • Alle diese Abschnitte ermöglichen es einem Systemadministrator, seine oder ihre Bedürfnisse nach starker Kryptografie mit Benutzerfreundlichkeit und Kompatibilität in Einklang zu bringen.
Themen

Siehe auch

  1. 3DES
  2. Elliptische Kurven Kryptographie
  3. SHA-1
  4. Diffie Hellman Key Exchanges
  5. Random Number Generator
  6. Kryptografie/Schlüssellängen
  7. Public Key Infrastructure
  8. TLS