|
|
| (11 dazwischenliegende Versionen desselben Benutzers werden nicht angezeigt) |
| Zeile 1: |
Zeile 1: |
| == PGP/GPG - Pretty Good Privacy ==
| | [[Kategorie:Kryptografie/Konzept]] |
| The [https://tools.ietf.org/search/rfc4880 OpenPGP protocol] defines a set of asymmetric- and symmetric encryption algorithms, signature methods and compression protocols. [https://gnupg.org/ GnuPG], a FOSS implementation of the OpenPGP standard, is widely used for mail encryption.
| |
| GnuPG signs a message, encrypts it symmetrically and encrypts the symmetric key and the hash with Bob’s public key asymmetrically.
| |
| Research on SHA-1 conducted back in 2005 (see: [https://www.schneier.com/blog/archives/2005/02/sha1_broken.html SHA-1 Broken]) as well as the first practical successful collision in early 2017 (see: [https://shattered.io/ SHAttered]) has made clear that collision attacks are a real threat to the security of the SHA-1 hash function.
| |
| Since SHA-1 is defined as a must implementation by the OpenPGP specification, GnuPG is still using it. Currently settings should be adapted to preferably avoid using SHA-1.
| |
| When using GnuPG, there are a couple of things to take care of:* keylengths (see: [https://bettercrypto.org/#keylengths Keylengths])
| |
| * randomness (see: [https://bettercrypto.org/#rngs Random Number Generators])
| |
| * preference of symmetric encryption algorithm (see: [https://bettercrypto.org/#ciphersuites Architectural overview])
| |
| * preference of hash function (see: [https://bettercrypto.org/#ciphersuites Architectural overview])
| |
| Properly dealing with key material, passphrases and the web-of-trust is outside of the scope of this document. The [https://www.gnupg.org/ GnuPG website] has a good tutorial on GnuPG.
| |
| After 31 December 2017 GnuPG version 2.0.x is no longer supported and [https://lists.gnupg.org/pipermail/gnupg-announce/2017q3/000413.html shall not be used anymore]. Use the new long term version 2.1 instead.
| |
| | |
| === Hashing ===
| |
| Avoid SHA-1 by preferring better hashing methods. GnuPG. Edit <tt>$HOME/.gnupg/gpg.conf</tt>:
| |
| | |
| ; Digest selection in GnuPG
| |
| personal-digest-preferences SHA512
| |
| cert-digest-algo SHA512
| |
| default-preference-list AES256 CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 TWOFISH SHA512 SHA384 SHA256 BZIP2 ZLIB ZIP
| |
| | |
| === Key Generation ===
| |
| Because of lack of forward secrecy (see: [https://bettercrypto.org/#pfs [pfs]]) in OpenPGP it is preferable to use large asymmetric keys for long term communication protection. A RSA key of <tt>4096</tt> bits should provide enough confidentiality for the next 10 years (see: [https://www.keylength.com/ Cryptographic Key Length Recommendation]).
| |
| | |
| ; New key generation with GnuPG version 2.1
| |
| $ gpg --batch --full-gen-key $HOME/Desktop/params.txt`
| |
| | |
| ; Parameters for key generation with GnuPG version 2.1
| |
| Key-Type: RSA
| |
| Key-Length: 4096
| |
| Subkey-Type: RSA
| |
| Subkey-Length: 4096
| |
| Name-Real: <your-name>
| |
| Name-Email: <your-email-address>
| |
| Passphrase: <password>
| |
| Expires: 2y
| |
| # My preferences: AES256, CAMELLIA256, AES192, CAMELLIA192, AES128, CAMELLIA128, TWOFISH, SHA512, SHA384, SHA256, BZIP2, ZLIB and ZIP
| |
| Preferences: S9 S13 S8 S12 S7 S11 S10 H10 H9 H8 Z3 Z2 Z1
| |
| | |
| {| class="wikitable sortable options"
| |
| |-
| |
| ||
| |
| || The preferences parameters S9 to Z1 correspond to AES256, CAMELLIA256, AES192, CAMELLIA192, AES, CAMELLIA128, TWOFISH, SHA512, SHA384, SHA256, BZIP2, ZLIB and ZIP. The parameters 3DES, SHA-1 and uncompressed are set automatically by GnuPG.
| |
| |-
| |
| |}
| |
| | |
| === ECC - Elliptic Curve Cryptography ===
| |
| Since the release of [https://www.gnupg.org/faq/whats-new-in-2.1.html GnuPG version 2.1] end-2014 ECC is supported. Older versions though are still widely used therefore ECC is not yet applicable in practice.
| |
| | |
| == IPMI, ILO and other lights out management solutions ==
| |
| Consider creating an unrouted management VLAN and access that only via VPN.
| |
| | |
| {| class="wikitable sortable options"
| |
| |-
| |
| ||
| |
| || We ''strongly'' recommend that any remote management system for servers such as ILO, iDRAC, IPMI based solutions and similar systems ''never'' be connected to the public internet.
| |
| |-
| |
| |}
| |
| | |
| == Instant Messaging Systems ==
| |
| | |
| === General server configuration recommendations ===
| |
| For servers, we mostly recommend to apply what’s proposed by the [https://github.com/stpeter/manifesto Peter’s manifesto].
| |
| In short:* require the use of TLS for both client-to-server and server-to-server connections
| |
| * prefer or require TLS cipher suites that enable forward secrecy
| |
| * deploy certificates issued by well-known and widely-deployed certification authorities (CAs)
| |
| The last point being out-of-scope for this section, we will only cover the first two points.
| |
| | |
| === ejabberd ===
| |
| | |
| ==== Tested with Versions ====
| |
| * ejabberd 14.12, Debian 7 Wheezy
| |
| * ejabberd 14.12, Ubuntu 14.04 Trusty
| |
| * ejabberd 15.03, Ubuntu 14.04 Trusty
| |
| * ejabberd 16.01, Ubuntu 14.04 Trusty
| |
| | |
| ==== Settings ====
| |
| ejabberd is one of the popular Jabber servers. In order to be compliant with the manifesto, you should adapt your configuration:
| |
| | |
| ; TLS setup for ejabberd
| |
| listen:
| |
| -
| |
| port: 5222
| |
| module: ejabberd_c2s
| |
| certfile: "/path/to/ssl.pem"
| |
| starttls: true
| |
| starttls_required: true
| |
| protocol_options:
| |
| - "no_sslv3"
| |
| - "no_tlsv1"
| |
| - "cipher_server_preference"
| |
| max_stanza_size: 65536
| |
| dhfile: "/path/to/dhparams.pem"
| |
| shaper: c2s_shaper
| |
| access: c2s
| |
| -
| |
| port: 5269
| |
| module: ejabberd_s2s_in
| |
| s2s_use_starttls: required_trusted
| |
| s2s_certfile: "/path/to/ssl.pem"
| |
| s2s_dhfile: "/etc/ejabberd/dhparams.pem" # Available from version 15.03
| |
| s2s_protocol_options:
| |
| - "no_sslv3"
| |
| - "no_tlsv1"
| |
| - "cipher_server_preference"
| |
| | |
| {| class="wikitable sortable options" style="border-spacing:0;width:5.398cm;"
| |
| |-
| |
| ||
| |
| || Available from version 15.06
| |
| |-
| |
| |}
| |
| | |
| ==== Additional settings ====
| |
| It is possible to explicitly specify a cipher string for TLS connections.
| |
| | |
| ; Specifying a cipher order and enforcing it
| |
| listen:
| |
| -
| |
| port: 5222
| |
| module: ejabberd_c2s
| |
| certfile: "/path/to/ssl.pem"
| |
| starttls: true
| |
| starttls_required: true
| |
| protocol_options:
| |
| - "no_sslv3"
| |
| - "no_tlsv1"
| |
| - "cipher_server_preference"
| |
| max_stanza_size: 65536
| |
| dhfile: "/path/to/dhparams.pem"
| |
| ciphers: "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
| |
| -
| |
| port: 5269
| |
| module: ejabberd_s2s_in
| |
| s2s_use_starttls: required_trusted
| |
| s2s_certfile: "/path/to/ssl.pem"
| |
| s2s_dhfile: "/etc/ejabberd/dhparams.pem"
| |
| s2s_protocol_options:
| |
| - "no_sslv3"
| |
| - "no_tlsv1"
| |
| - "cipher_server_preference"
| |
| s2s_ciphers: "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
| |
| | |
| {| class="wikitable sortable options" style="border-spacing:0;width:5.398cm;"
| |
| |-
| |
| ||
| |
| || Available from version 15.06
| |
| |-
| |
| ||
| |
| || Available from version 15.03
| |
| |-
| |
| |}
| |
| | |
| {| class="wikitable sortable options"
| |
| |-
| |
| ||
| |
| || Weak Ciphers
| |
| Note that we are setting the SSL option <tt>cipher_server_preference</tt>. This enforces our cipher order when negotiating which ciphers are used, as the cipher order of [https://blog.thijsalkema.de/blog/2013/09/02/the-state-of-tls-on-xmpp-3/ some clients chooses weak ciphers] over stronger ciphers.
| |
| |-
| |
| |}
| |
| Starting with version 15.03[[https://bettercrypto.org/#_footnotedef_17 17]], it is possible to use custom Diffie-Hellman-Parameters. This allows us to negotiate stronger Diffie-Hellman-keys, and also helps us avoid problems with using common [https://weakdh.org/ weak Diffie-Hellman-Parameters]. You can generate your own parameter file by running:
| |
| $ openssl dhparam -out dhparams.pem 4096
| |
| By default, ejabberd provides an administration website (look for the ejabberd_http module). Enable TLS protection for it like this:
| |
| port: 5280
| |
| module: ejabberd_http
| |
| web_admin: true
| |
| http_poll: true
| |
| http_bind: true
| |
| captcha: true
| |
| certfile: "/path/to/ssl.pem"
| |
| tls: true
| |
| | |
| ==== Tested with Versions ====
| |
| * Debian Wheezy 2.1.10-4+deb7u1
| |
| | |
| ==== Settings ====
| |
| Older versions of ejabberd use a different configuration file syntax. In order to be compliant with the manifesto, you should adapt your configuration[[https://bettercrypto.org/#_footnotedef_18 18]] as follows:
| |
| | |
| {listen,
| |
| [
| |
| {5222, ejabberd_c2s, [
| |
| {access, c2s},
| |
| {shaper, c2s_shaper},
| |
| {max_stanza_size, 65536},
| |
| starttls,
| |
| starttls_required,
| |
| {certfile, "/etc/ejabberd/ejabberd.pem"}
| |
| ]},
| |
| ]}.
| |
| | |
| {s2s_use_starttls, required_trusted}.
| |
| | |
| {s2s_certfile, "/etc/ejabberd/ejabberd.pem"}.
| |
| | |
| ==== Additional settings ====
| |
| Older versions of ejabberd (< 2.0.0) need to be [https://hyperstruct.net/2007/06/20/installing-the-startcom-ssl-certificate-in-ejabberd/ patched] to be able to parse all of the certificates in the CA chain. Specifying a custom cipher string is only possible starting with version 13.12 (see configuration for version 14.12 above).
| |
| | |
| ==== References ====
| |
| * [https://docs.ejabberd.im/ ejabberd, your superpowerful messaging framework]
| |
| | |
| ==== How to test ====
| |
| [https://xmpp.net/ IM Observatory] is a useful website to test Jabber server configurations.
| |
| | |
| === Chat privacy - Off-the-Record Messaging (OTR) ===
| |
| [https://otr.cypherpunks.ca/Protocol-v3-4.1.1.html Off-the-Record Messaging Protocol] works on top of the Jabber protocol. It adds to popular chat clients (Adium, Pidgin…) the following properties for encrypted chats:* Authentication
| |
| * Integrity
| |
| * Confidentiality
| |
| * Forward secrecy
| |
| It basically uses Diffie-Hellman, AES and SHA1. Communicating over an insecure instant messaging network, OTR can be used for end to end encryption.
| |
| There are no specific configurations required but the protocol itself is worth to be mentioned.
| |
| | |
| === Charybdis ===
| |
| There are numerous implementations of IRC servers. In this section, we choose ''Charybdis'' which serves as basis for [https://github.com/freenode/ircd-seven ircd-seven], developed and used by freenode. Freenode is actually the biggest IRC network[[https://bettercrypto.org/#_footnotedef_19 19]]. ''Charybdis'' is part of the ''Debian'' & ''Ubuntu'' distributions.
| |
| | |
| ; SSL relevant configuration for Charybdis/ircd-seven
| |
| /* Extensions */
| |
| #loadmodule "extensions/chm_sslonly_compat.so";
| |
| loadmodule "extensions/extb_ssl.so";
| |
| serverinfo {
| |
| ssl_private_key = "etc/test.key";
| |
| ssl_cert = "etc/test.cert";
| |
| ssl_dh_params = "etc/dh.pem";
| |
| # set ssld_count as number of cores - 1
| |
| ssld_count = 1;
| |
| };
| |
| listen {
| |
| sslport = 6697;
| |
| };
| |
| | |
| === SILC ===
| |
| [http://www.silcnet.org/ SILC] is instant messaging protocol publicly released in 2000. SILC is a per-default [https://en.wikipedia.org/wiki/SILC_(protocol) secure chat protocol] thanks to a generalized usage of symmetric encryption. Keys are generated by the server meaning that if compromised, communication could be compromised.
| |
| The protocol is not really popular anymore.
| |
| | |
| == Databases ==
| |
| | |
| === Oracle ===
| |
| No information available / known.
| |
| | |
| === MySQL ===
| |
| | |
| ==== Tested with Versions ====
| |
| * MySQL 5.5 on Debian Wheezy
| |
| * MySQL 5.7.20 on Ubuntu 16.04.3
| |
| | |
| ==== Settings ====
| |
| | |
| ==== References ====
| |
| MySQL Documentation on [https://dev.mysql.com/doc/refman/5.7/en/using-encrypted-connections.html Configuring MySQL to Use Encrypted Connections].
| |
| | |
| ==== How to test ====
| |
| After restarting the server run the following query to see if the ssl settings are correct:
| |
| show variables like '%ssl%';
| |
| | |
| === DB2 ===
| |
| | |
| ==== Tested with Version ====
| |
| We do not test this here, since we only reference other papers for DB2 so far.
| |
| | |
| ==== Settings ====
| |
| | |
| ===== ssl_cipherspecs: =====
| |
| In the link above the whole SSL-configuration is described in-depth. The following command shows only how to set the recommended ciphersuites.
| |
| | |
| ; Recommended and supported ciphersuites
| |
| db2 update dbm cfg using SSL_CIPHERSPECS
| |
| TLS_RSA_WITH_AES_256_CBC_SHA256,
| |
| TLS_RSA_WITH_AES_128_GCM_SHA256,
| |
| TLS_RSA_WITH_AES_128_CBC_SHA256,
| |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
| |
| TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
| |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
| |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
| |
| TLS_RSA_WITH_AES_256_GCM_SHA384,
| |
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
| |
| TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
| |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
| |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
| |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
| |
| TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
| |
| TLS_RSA_WITH_AES_256_CBC_SHA,
| |
| TLS_RSA_WITH_AES_128_CBC_SHA,
| |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
| |
| TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
| |
| | |
| ==== References ====
| |
| IBM DB2 Documentation on ''Supported cipher suites''.[https://www.ibm.com/support/knowledgecenter/SSEPGG_9.7.0/com.ibm.db2.luw.admin.sec.doc/doc/c0053544.html https://www.ibm.com/support/knowledgecenter/SSEPGG_9.7.0/com.ibm.db2.luw.admin.sec.doc/doc/c0053544.html]
| |
| | |
| === PostgreSQL ===
| |
| | |
| ==== Tested with Versions ====
| |
| * Debian Wheezy and PostgreSQL 9.1
| |
| * Linux Mint 14 nadia / Ubuntu 12.10 quantal with PostgreSQL 9.1+136 and OpenSSL 1.0.1c
| |
| | |
| ==== Settings ====
| |
| To start in SSL mode the <tt>server.crt</tt> and <tt>server.key</tt> must exist in the servers data directory <tt>$PGDATA</tt>.
| |
| | |
| {| class="wikitable sortable options" style="border-spacing:0;width:13.102cm;"
| |
| |-
| |
| ||
| |
| || Starting with version 9.2, you have the possibility to set the path manually.
| |
| |-
| |
| |}
| |
| | |
| ==== References ====
| |
| It’s recommended to read [https://www.postgresql.org/docs/9.1/runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SECURITY Security and Authentication] in the manual.
| |
| PostgreSQL Documentation on [https://www.postgresql.org/docs/9.1/ssl-tcp.html Secure TCP/IP Connections with SSL].
| |
| PostgreSQL Documentation on [https://www.postgresql.org/docs/9.1/auth-pg-hba-conf.html Client Authentication].
| |
| | |
| ==== How to test ====
| |
| To test your ssl settings, run <tt>psql</tt> with the sslmode parameter:
| |
| $ psql "sslmode=require host=postgres-server dbname=database" your-username
| |
| | |
| == Proxy Solutions ==
| |
| Within enterprise networks and corporations with increased levels of paranoia or at least some defined security requirements it is common '''not''' to allow direct connections to the public internet.
| |
| For this reason proxy solutions are deployed on corporate networks to intercept and scan the traffic for potential threats within sessions.
| |
| For encrypted traffic there are four options:* Block the connection because it cannot be scanned for threats.
| |
| * Bypass the threat-mitigation and pass the encrypted session to the client, which results in a situation where malicious content is transferred directly to the client without visibility to the security system.
| |
| * Intercept (i.e. terminate) the session at the proxy, scan there and re-encrypt the session towards the client (effectively MITM).
| |
| * Deploy special Certificate Authorities to enable Deep Packet Inspection on the wire.
| |
| While the latest solution might be the most "up to date", it arises a new front in the context of this paper, because the most secure part of a client’s connection could only be within the corporate network, if the proxy-server handles the connection to the destination server in an insecure manner.
| |
| Conclusion: Don’t forget to check your proxy solutions SSL-capabilities. Also do so for your reverse proxies!
| |
| | |
| === Bluecoat / Symantec ===
| |
| Blue Coat Systems was a well-known manufacturer of enterprise proxy appliances. In 2016 it was acquired by Symantec. The products are now known as Symantec ProxySG and Advanced Secure Gateway (ASG).
| |
| The description below is for the original Blue Coat SG Operating System (SGOS).
| |
| BlueCoat Proxy SG Appliances can be used as forward and reverse proxies. The reverse proxy feature is rather under-developed, and while it is possible and supported, there only seems to be limited use of this feature "in the wild" - nonetheless there are a few cipher suites to choose from, when enabling SSL features.
| |
| | |
| ==== Tested with Versions ====
| |
| | |
| {| class="wikitable sortable options" style="border-spacing:0;width:10.343cm;"
| |
| |-
| |
| ! align=center| Proxy Appliance
| |
| ! align=center| SGOS 6.5.x
| |
| ! align=center| Blue Coat, now Symantec
| |
| |-
| |
| |}
| |
| | |
| ==== Only allow TLS 1.0,1.1 and 1.2 protocols: ====
| |
| $conf t
| |
| $(config)ssl
| |
| $(config ssl)edit ssl-device-profile default
| |
| $(config device-profile default)protocol tlsv1 tlsv1.1 tlsv1.2
| |
| ok
| |
| | |
| ==== Select your accepted cipher-suites: ====
| |
| $conf t
| |
| Enter configuration commands, one per line. End with CTRL-Z.
| |
| $(config)proxy-services
| |
| $(config proxy-services)edit ReverseProxyHighCipher
| |
| $(config ReverseProxyHighCipher)attribute cipher-suite
| |
| Cipher# Use Description Strength
| |
| ------- --- ----------------------- --------
| |
| 1 yes AES128-SHA256 High
| |
| 2 yes AES256-SHA256 High
| |
| 3 yes AES128-SHA Medium
| |
| 4 yes AES256-SHA High
| |
| 5 yes DHE-RSA-AES128-SHA High
| |
| 6 yes DHE-RSA-AES256-SHA High
| |
| [...]
| |
| 13 yes EXP-RC2-CBC-MD5 Export
| |
| Select cipher numbers to use, separated by commas: 2,5,6
| |
| ok
| |
| The same protocols are available for forward proxy settings and should be adjusted accordingly: In your local policy file add the following section:
| |
| <ssl>
| |
| DENY server.connection.negotiated_ssl_version=(SSLV2, SSLV3)
| |
| Disabling protocols and ciphers in a forward proxy environment could lead to unexpected results on certain (misconfigured?) webservers (i.e. ones accepting only SSLv2/3 protocol connections)
| |
| | |
| === HAProxy ===
| |
| See [https://www.haproxy.org/ https://www.haproxy.org/]
| |
| See [https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/ https://timtaubert.de/blog/2014/11/the-sad-state-of-server-side-tls-session-resumption-implementations/]
| |
| See [https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-npn https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#5.1-npn]
| |
| See [https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#3.2-tune.ssl.cachesize https://cbonte.github.io/haproxy-dconv/configuration-1.5.html#3.2-tune.ssl.cachesize]
| |
| See [https://kura.io/2014/07/02/haproxy-ocsp-stapling/ https://kura.io/2014/07/02/haproxy-ocsp-stapling/]
| |
| See [https://kura.io/2015/01/27/hpkp-http-public-key-pinning-with-haproxy/ https://kura.io/2015/01/27/hpkp-http-public-key-pinning-with-haproxy/]
| |
| HAProxy can be used as loadbalancer and proxy for TCP and HTTP-based applications. Since version 1.5 it supports SSL and IPv6.
| |
| | |
| ==== Tested with Versions ====
| |
| HAProxy 1.5.11 with OpenSSL 1.0.1e on Debian Wheezy
| |
| | |
| ==== Settings ====
| |
| | |
| ; global configuration
| |
| global
| |
| ssl-default-bind-ciphers EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
| |
| ssl-default-bind-options no-sslv3 no-tls-tickets #disable SSLv3
| |
| tune.ssl.default-dh-param 2048 #tune DH to 2048
| |
| | |
| ; frontend configuration
| |
| frontend public
| |
| bind *:80
| |
| bind *:443 ssl crt server.pem
| |
| mode http
| |
| redirect scheme https code 301 if !{ ssl_fc } # redirect HTTP to HTTPS
| |
| | |
| ; backend configuration
| |
| backend backend
| |
| mode http
| |
| server server 192.168.1.1:80 check
| |
| http-request set-header X-Forwarded-Port %[dst_port]
| |
| http-request add-header X-Forwarded-Proto https if { ssl_fc }
| |
| rspadd Strict-Transport-Security:\ max-age=15768000;\ includeSubDomains #enable HSTS header for this backend
| |
| | |
| ==== Additional Settings ====
| |
| | |
| ==== Enable NPN Support: ====
| |
| bind *:443 ssl crt server.pem npn "http/1.1,http/1.0"
| |
| Append the npn command in the frontend configuration of HAProxy.
| |
| | |
| ==== Enable OCSP stapling: ====
| |
| HAProxy supports since version 1.5.0 OCSP stapling. To enable it you have to generate the OCSP singing file in the same folder, with the same name as your certificate file plus the extension .ocsp. (e.g. your certificate file is named server.crt then the OCSP file have to be named server.crt.oscp)To generate the OCSP file use these commands:
| |
| $ openssl x509 -in your.certificate.crt -noout -ocsp_uri # <- get your ocsp uri
| |
| $ openssl ocsp -noverify -issuer ca.root.cert.crt -cert your.certificate.crt -url "YOUR OCSP URI" -respout your.certificate.crt.ocsp
| |
| Reload HAProxy and now OCSP stapling should be enabled.Note: This OCSP signature file is only valid for a limited time. The simplest way of updating this file is by using cron.daily or something similar.
| |
| | |
| ==== Enable HPKP: ====
| |
| Get certificate informations:
| |
| $ openssl x509 -in server.crt -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | base64
| |
| Then you append the returned string in the HAProxy configuration. Add the following line to the backend configuration:
| |
| rspadd Public-Key-Pins:\ pin-sha256="YOUR_KEY";\ max-age=15768000;\ includeSubDomains
| |
| Reload HAProxy and HPKP should now be enabled.Note: Keep in mind to generate a backup key in case of problems with your primary key file.
| |
| | |
| ==== How to test ====
| |
| See appendix [https://bettercrypto.org/#tools Tools]
| |
| | |
| === Pound ===
| |
| | |
| ==== Tested with Versions ====
| |
| Pound 2.6
| |
| See [http://www.apsis.ch/pound http://www.apsis.ch/pound]
| |
| See [https://help.ubuntu.com/community/Pound https://help.ubuntu.com/community/Pound]
| |
| | |
| ==== Settings ====
| |
| | |
| ; HTTPS Listener in Pound
| |
| # HTTP Listener, redirects to HTTPS
| |
| ListenHTTP
| |
| Address 10.10.0.10
| |
| Port 80
| |
| Service
| |
| Redirect "https://some.site.tld"
| |
| End
| |
| End
| |
| ## HTTPS Listener
| |
| ListenHTTPS
| |
| Address 10.10.0.10
| |
| Port 443
| |
| AddHeader "Front-End-Https: on"
| |
| Cert "/path/to/your/cert.pem"
| |
| ## See 'man ciphers'.
| |
| Ciphers "TLSv1.2:TLSv1.1:!SSLv3:!SSLv2:EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
| |
| Service
| |
| BackEnd
| |
| Address 10.20.0.10
| |
| Port 80
| |
| End
| |
| End
| |
| End
| |
| | |
| === stunnel ===
| |
| | |
| ==== Tested with Versions ====
| |
| * stunnel 4.53-1.1ubuntu1 on Ubuntu 14.04 Trusty with OpenSSL 1.0.1f, without disabling Secure Client-Initiated Renegotiation
| |
| * stunnel 5.02-1 on Ubuntu 14.04 Trusty with OpenSSL 1.0.1f
| |
| * stunnel 4.53-1.1 on Debian Wheezy with OpenSSL 1.0.1e, without disabling Secure Client-Initiated Renegotiation
| |
| | |
| ==== Settings ====
| |
| | |
| ; HTTPS Listener in stunnel
| |
| ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
| |
| curve = secp384r1
| |
| options = NO_SSLv2
| |
| options = NO_SSLv3
| |
| options = cipher_server_preference
| |
| ; Secure Client-Initiated Renegotiation can only be disabled wit stunnel >= 4.54
| |
| ;renegotiation = no
| |
| | |
| ==== Additional information ====
| |
| Secure Client-Initiated Renegotiation can only be disabled for stunnel versions >= 4.54, when the renegotiation parameter has been added (See changelog).
| |
| | |
| ==== References ====
| |
| stunnel documentation: [https://www.stunnel.org/static/stunnel.html https://www.stunnel.org/static/stunnel.html]
| |
| stunnel changelog: [https://www.stunnel.org/sdf_ChangeLog.html https://www.stunnel.org/sdf_ChangeLog.html]
| |
| | |
| ==== How to test ====
| |
| See appendix [https://bettercrypto.org/#tools Tools]
| |
| | |
| == Kerberos ==
| |
| This section discusses various implementations of the Kerberos 5 authentication protocol on Unix and Unix-like systems as well as on Microsoft Windows.
| |
| | |
| === Overview ===
| |
| Kerberos provides mutual authentication of two communicating parties, e.g. a user using a network service. The authentication process is mediated by a trusted third party, the Kerberos key distribution centre (KDC). Kerberos implements secure single-sign-on across a large number of network protocols and operating systems. Optionally, Kerberos can be used to create encrypted communications channels between the user and service.
| |
| | |
| ==== Recommended reading ====
| |
| An understanding of the Kerberos protocol is necessary for properly implementing a Kerberos setup. Also, in the following section some knowledge about the inner workings of Kerberos is assumed. Therefore we strongly recommend reading the excellent introduction [http://gost.isi.edu/publications/kerberos-neuman-tso.html Kerberos: An Authentication Service for Computer Networks] first.
| |
| No further overview over Kerberos terminology and functions will be provided, for a discussion and a selection of relevant papers refer to [https://web.mit.edu/kerberos/papers.html Kerberos Papers and Documentation].
| |
| The Kerberos protocol over time has been extended with a variety of extensions and Kerberos implementations provide additional services in addition to the aforementioned KDC. All discussed implementations provide support for trust relations between multiple realms, an administrative network service (kerberos-adm, kadmind) as well as a password changing service (kpasswd). Sometimes, alternative database backends for ticket storage, X.509 and SmartCard authentication are provided. Of those, only administrative and password changing services will be discussed.
| |
| | |
| {| class="wikitable sortable options"
| |
| |-
| |
| ||
| |
| || Protocol versions
| |
| Only the Kerberos 5 protocol and implementation will be discussed. Kerberos 4 is obsolete, insecure and its use is strongly discouraged.
| |
| |-
| |
| |}
| |
| | |
| ==== Providing a suitable Setup for secure Kerberos Operations ====
| |
| The aim of Kerberos is to unify authentication across a wide range of services, for many different users and use cases and on many computer platforms. The resulting complexity and attack surface make it necessary to carefully plan and continuously evaluate the security of the overall ecosystem in which Kerberos is deployed. Several assumptions are made on which the security of a Kerberos infrastructure relies:* Every KDC in a realm needs to be trustworthy. The KDC’s principal database must not become known to or changed by an attacker. The contents of the principal database enables the attacker to impersonate any user or service in the realm.
| |
| * Synchronisation between KDCs must be secure, reliable and frequent. An attacker that is able to intercept or influence synchronisation messages obtains or influences parts of the principal database, enabling impersonation of affected principals. Unreliable or infrequent synchronisation enlarges the window of vulnerability after disabling principals or changing passwords that have been compromised or lost.
| |
| * KDCs must be available. An attacker is able to inhibit authentication for services and users by cutting off their access to a KDC.
| |
| * Users’ passwords must be secure. Since Kerberos is a single-sign-on mechanism, a single password may enable an attacker to access a large number of services.
| |
| * Service keytabs need to be secured against unauthorized access similarly to SSL/TLS server certificates. Obtaining a service keytab enables an attacker to impersonate a service.
| |
| * DNS infrastructure must be secure and reliable. Hosts that provide services need consistent forward and reverse DNS entries. The identity of a service is tied to its DNS name, similarly the realm a client belongs to as well as the KDC, kpasswd and kerberos-adm servers may be specified in DNS TXT and SRV records. Spoofed DNS entries will cause denial-of-service situations and might endanger ([https://bettercrypto.org/#bibliography-default-MITKrbDoc:realm_config i_mit_Realm configuration decisions_, 2013]) the security of a Kerberos realm.
| |
| * Clients and servers in Kerberos realms need to have synchronized clocks. Tickets in Kerberos are created with a limited, strictly enforced lifetime. This limits an attacker’s window of opportunity for various attacks such as the decryption of tickets in sniffed network traffic or the use of tickets read from a client computer’s memory. Kerberos will refuse tickets with old timestamps or timestamps in the future. This would enable an attacker with access to a systems clock to deny access to a service or all users logging in from a specific host.
| |
| Therefore we suggest:* Secure all KDCs at least as strongly as the most secure service in the realm.
| |
| * Dedicate physical (i.e. non-VM) machines to be KDCs. Do not run any services on those machines beyond the necessary KDC, kerberos-adm, kpasswd and kprop services.
| |
| * Restrict physical and administrative access to the KDCs as severely as possible. E.g. ssh access should be limited to responsible adminstrators and trusted networks.
| |
| * Encrypt and secure the KDCs backups.
| |
| * Replicate your primary KDC to at least one secondary KDC.
| |
| * Prefer easy-to-secure replication (propagation in Kerberos terms) methods.Especially avoid LDAP replication and database backends. LDAP enlarges the attack surface of your KDC and facilitates unauthorized access to the principal database e.g. by ACL misconfiguration.
| |
| * Use DNSSEC. If that is not possible, at least ensure that all servers and clients in a realm use a trustworthy DNS server contacted via secure network links.
| |
| * Use NTP on a trustworthy server via secure network links.
| |
| * Avoid services that require the user to enter a password which is then checked against Kerberos. Prefer services that are able to use authentication via service tickets, usually not requiring the user to enter a password except for the initial computer login to obtain a ticket-granting-ticket (TGT). This limits the ability of attackers to spy out passwords through compromised services.
| |
| | |
| === Implementations ===
| |
| | |
| ==== Cryptographic Algorithms in Kerberos Implementations ====
| |
| The encryption algorithms (commonly abbreviated ’etypes’ or ’enctypes’) in Kerberos exchanges are subject to negotiation between both sides of an exchange. Similarly, a ticket granting ticket (TGT), which is usually obtained on initial login, can only be issued if the principal contains a version of the password encrypted with an etype that is available both on the KDC and on the client where the login happens.
| |
| Therefore, to ensure interoperability among components using different implementations as shown in [https://bettercrypto.org/#kerberos_enctypes Commonly supported Kerberos encryption types by implementation. Algorithm names], a selection of available etypes is necessary. However, the negotiation process may be subject to downgrade attacks and weak hashing algorithms endanger integrity protection and password security.
| |
| | |
| {| class="wikitable sortable options"
| |
| |-
| |
| ||
| |
| || This means that the <tt>des3-cbc-sha1-kd</tt> or <tt>rc4-hmac algorithms</tt> should not be used, except if there is a concrete and unavoidable need to do so. Other <tt>des3-*</tt>, <tt>des-*</tt> and <tt>rc4-hmac-exp</tt> algorithms should never be used.
| |
| |-
| |
| |}
| |
| Along the lines of cipher string B, the following etypes are recommended: <tt>aes256-cts-hmac-sha1-96</tt> <tt>camellia256-cts-cmac</tt> <tt>aes128-cts-hmac-sha1-96</tt> <tt>camellia128-cts-cmac</tt>.
| |
| Commonly supported Kerberos encryption types by implementation. Algorithm names
| |
| according to RFC3961, except where aliases can be used or the algorithm is named differently altogether as stated ([https://bettercrypto.org/#bibliography-default-rfc3962 Raeburn, 2005])
| |
| | |
| {| class="wikitable sortable options"
| |
| |-
| |
| ! align=center| ID
| |
| ! align=center| Algorithm
| |
| ! align=center| MIT
| |
| ! align=center| Heimdal
| |
| ! align=center| GNU Shishi
| |
| ! align=center| MS ActiveDirectory
| |
| |-
| |
| || 1
| |
| || des-cbc-crc
| |
| || yes
| |
| || yes
| |
| || yes
| |
| || yes
| |
| |-
| |
| || 2
| |
| || des-cbc-md4
| |
| || yes
| |
| || yes
| |
| || yes
| |
| || no
| |
| |-
| |
| || 3
| |
| || des-cbc-md5
| |
| || yes
| |
| || yes
| |
| || yes
| |
| || yes
| |
| |-
| |
| || 6
| |
| || des3-cbc-none
| |
| || no
| |
| || yes
| |
| || yes
| |
| || no
| |
| |-
| |
| || 7
| |
| || des3-cbc-sha1
| |
| || no
| |
| || yes[[https://bettercrypto.org/#_footnotedef_20 20]]
| |
| || no
| |
| || no
| |
| |-
| |
| || 16
| |
| || des3-cbc-sha1-kd
| |
| || yes[[https://bettercrypto.org/#_footnotedef_21 21]]
| |
| || yesfoonote:[named des3-cbc-sha1]
| |
| || yes
| |
| || no
| |
| |-
| |
| || 17
| |
| || aes128-cts-hmac-sha1-96
| |
| || yes
| |
| || yes
| |
| || yes
| |
| || yesfoonote:[since Vista, Server 2008]
| |
| |-
| |
| || 18
| |
| || aes256-cts-hmac-sha1-96
| |
| || yes
| |
| || yes
| |
| || yes
| |
| || yes[[https://bettercrypto.org/#_footnotedef_22 22]]
| |
| |-
| |
| || 23
| |
| || rc4-hmac
| |
| || yes
| |
| || yes
| |
| || yes
| |
| || yes
| |
| |-
| |
| || 24
| |
| || rc4-hmac-exp
| |
| || yes
| |
| || no
| |
| || yes
| |
| || yes
| |
| |-
| |
| || 25
| |
| || camellia128-cts-cmac
| |
| || yes[[https://bettercrypto.org/#_footnotedef_23 23]]
| |
| || no
| |
| || no
| |
| || no
| |
| |-
| |
| || 26
| |
| || camellia256-cts-cmac
| |
| || yes[[https://bettercrypto.org/#_footnotedef_24 24]]
| |
| || no
| |
| || no
| |
| || no
| |
| |-
| |
| |}
| |
| | |
| ==== Existing installations ====
| |
| The configuration samples below assume new installations without preexisting principals.
| |
| For existing installations:* Existing setups should be migrated to a new master key if the current master key is using a weak enctype.
| |
| * When changing the list of supported_enctypes, principals where all enctypes are no longer supported will cease to work.
| |
| * Be aware that Kerberos 4 is obsolete and should not be used.
| |
| * Principals with weak enctypes pose an increased risk for password bruteforce attacks if an attacker gains access to the database.
| |
| To get rid of principals with unsupported or weak enctypes, a password change is usually the easiest way. Service principals can simply be recreated.
| |
| | |
| ==== MIT krb5 ====
| |
| | |
| ===== KDC configuration =====
| |
| In <tt>/etc/krb5kdc/kdc.conf</tt> set the following in your realm’s configuration:
| |
| | |
| ; Encryption flags for MIT krb5 KDC
| |
| supported_enctypes = aes256-cts-hmac-sha1-96:normal camellia256-cts-cmac:normal aes128-cts-hmac-sha1-96:normal camellia128-cts-cmac:normal
| |
| default_principal_flags = +preauth
| |
| In <tt>/etc/krb5.conf</tt> set in the <tt>[libdefaults]</tt> section:
| |
| | |
| ; Encryption flags for MIT krb5 client
| |
| [libdefaults]
| |
| allow_weak_crypto = false
| |
| permitted_enctypes= aes256-cts-hmac-sha1-96 camellia256-cts-cmac aes128-cts-hmac -sha1-96 camellia128-cts-cmac
| |
| default_tkt_enctypes= aes256-cts-hmac-sha1-96 camellia256-cts-cmac aes128-cts-hmac-sha1-96 camellia128-cts-cmac
| |
| default_tgs_enctypes= aes256-cts-hmac-sha1-96 camellia256-cts-cmac aes128-cts-hmac-sha1-96 camellia128-cts-cmac
| |
| | |
| ===== Upgrading a MIT krb5 database to a new enctype =====
| |
| To check if an upgrade is necessary, execute the following on the KDC in question:
| |
| root@kdc.example.com:~# kdb5_util list_mkeys
| |
| Master keys for Principal: K/M@EXAMPLE.COM
| |
| KVNO: 1, Enctype: des-cbc-crc, Active on: Thu Jan 01 00:00:00 UTC 1970 *
| |
| | |
| {| class="wikitable sortable options"
| |
| |-
| |
| ||
| |
| || In this case, an old unsafe enctype is in use as indicated by the star following the key line.
| |
| |-
| |
| |}
| |
| | |
| To upgrade, proceed as follows. First create a new master key for the database with the appropriate enctype. You will be prompted for a master password that can later be used to decrypt the database. A stash-file containing this encryption key will also be written.
| |
| root@kdc.example.com:~# kdb5_util add_mkey -s -e aes256-cts-hmac-sha1-96
| |
| Creating new master key for master key principal 'K/M@EXAMPLE.COM'
| |
| You will be prompted for a new database Master Password.
| |
| It is important that you NOT FORGET this password.
| |
| Enter KDC database master key:
| |
| Re-enter KDC database master key to verify:
| |
| Verify that the new master key has been successfully created. Note the key version number (KVNO) of the new master key, in this case 2.
| |
| root@kdc.example.com:~# kdb5_util list_mkeys
| |
| Master keys for Principal: K/M@EXAMPLE.COM
| |
| KVNO: 2, Enctype: aes256-cts-hmac-sha1-96, No activate time set
| |
| KVNO: 1, Enctype: des-cbc-crc, Active on: Thu Jan 01 00:00:00 UTC 1970 *
| |
| Set the new master key as the active master key by giving its KVNO. The active master key will be indicated by an asterisk in the master key list.
| |
| root@kdc.example.com:~# kdb5_util use_mkey 2
| |
| root@kdc.example.com:~# kdb5_util list_mkeys
| |
| Master keys for Principal: K/M@EXAMPLE.COM
| |
| KVNO: 2, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed May 13 14:14:18 UTC 2015 *
| |
| KVNO: 1, Enctype: des-cbc-crc, Active on: Thu Jan 01 00:00:00 UTC 1970
| |
| Reencrypt all principals to the new master key.
| |
| root@kdc.example.com:~# kdb5_util update_princ_encryption
| |
| Re-encrypt all keys not using master key vno 2?
| |
| (type 'yes' to confirm)? yes
| |
| 504 principals processed: 504 updated, 0 already current
| |
| After verifying that everything still works as desired it is possible to remove unused master keys.
| |
| root@kdc.example.com:~# kdb5_util purge_mkeys
| |
| Will purge all unused master keys stored in the 'K/M@EXAMPLE.COM' principal, are you sure?
| |
| (type 'yes' to confirm)? yes
| |
| OK, purging unused master keys from 'K/M@EXAMPLE.COM'...
| |
| Purging the following master key(s) from K/M@EXAMPLE.COM:
| |
| KVNO: 1
| |
| 1 key(s) purged.
| |
| | |
| == Weblinks ==
| |
| # https://bettercrypto.org/
| |
| | |
| [[Kategorie:Verschlüsselung]]
| |