Version vom 1. Januar 2023, 12:50 Uhr

Preface

Do not talk unencrypted "Neboltai"

Acknowledgements

We would like to express our thanks to the following reviewers and people who have generously offered their time and interest (in alphabetical order): Brown, ScottBrulebois, CyrilBurghardt, KrzysztofDirksen-Thedens, MathisDulaunoy, AlexandreEndres, JohannesGühring PhilippGrigg, IanHaslinger, GunnarHorenbeck, MaartenHuebl, AxelKnecht, PascalKoetter, Patrick BenKovacic, DanielLenzhofer, StefanLorünser, ThomasMaass, MaxMehlmauer, ChristianMillauer, TobiasMirbach, AndreasO’Brien, HughPacher, ChristophPalfrader, PeterPape, Tobias (layout)Petukhova, Anna (Logo)Pichler, PatrickRiebesel, NicolasRoeckx, KurtRoesen, JensRublik, MartinSchiffbauer, MarcSchosser, AndreasSchüpany, MathiasSchulze, AndreasSchwartzkopff, MichaelSchwarz, René («DigNative»)Seidl, Eva (PDF layout)Van Horenbeeck, MaartenWagner, Sebastian («sebix»)Zangerl, Alexander The reviewers did review parts of the document in their area of expertise; all remaining errors in this document are the sole responsibility of the primary authors.

Abstract

Unfortunately, the computer security and cryptology communities have drifted apart over the last 25 years. Security people don’t always understand the available crypto tools, and crypto people don’t always understand the real-world problems.

— Ross Anderson (Anderson, 2008) This guide arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security officers saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators. As Schneier noted in (Schneier, 2013), it seems that intelligence agencies and adversaries on the Internet are not breaking so much the mathematics of encryption per se, but rather use software and hardware weaknesses, subvert standardization processes, plant backdoors, rig random number generators and most of all exploit careless settings in server configurations and encryption systems to listen in on private communications. Worst of all, most communication on the internet is not encrypted at all by default (for SMTP, opportunistic TLS would be a solution). This guide can only address one aspect of securing our information systems: getting the crypto settings right to the best of the authors' current knowledge. Other attacks, as the above mentioned, require different protection schemes which are not covered in this guide. This guide is not an introduction to cryptography. For background information on cryptography and cryptoanalysis we would like to refer the reader to the references in appendix Links and Suggested Reading at the end of this document. The focus of this guide is merely to give current best practices for configuring complex cipher suites and related parameters in a copy & paste-able manner. The guide tries to stay as concise as is possible for such a complex topic as cryptography. Naturally, it can not be complete. There are many excellent guides (II & SYM, 2012) and best practice documents available when it comes to cryptography. However none of them focuses specifically on what an average system administrator needs for hardening his or her systems' crypto settings. This guide tries to fill this gap.

The guide was produced in an open source manner: every step of editing can be traced back to a specific author via our version control system.

I: Introduction

Audience

Sysadmins. Sysadmins. Sysadmins. They are a force-multiplier.

Related publications

Ecrypt II [ii2011ecrypt] Ecrypt II (II & SYM, 2012), ENISA’s report on Algorithms, key sizes and parameters (ENISA and Vincent Rijmen, Nigel P. Smart, Bogdan warinschi, Gaven Watson, 2013) and BSI’s Technische Richtlinie TR-02102 (für Sicherheit in der Informationstechnik (BSI), 2018) are great publications which are more in depth than this guide. However, this guide has a different approach: it focuses on copy & paste-able settings for system administrators, effectively breaking down the complexity in the above mentioned reports to an easy to use format for the intended target audience.

How to read this guide

This guide tries to accommodate two needs: first of all, having a handy reference on how to configure the most common services’ crypto settings and second of all, explain a bit of background on cryptography. This background is essential if the reader wants to choose his or her own cipher string settings. System administrators who want to copy & paste recommendations quickly without spending a lot of time on background reading on cryptography or cryptanalysis can do so, by simply searching for the corresponding section in Best Practice. It is important to know that in this guide the authors arrived at two recommendations: Cipher string A and Cipher string B. While the former is a hardened recommendation a latter is a weaker one but provides wider compatibility. Cipher strings A and B are described in Recommended cipher suites. However, for the quick copy & paste approach it is important to know that this guide assumes users are happy with Cipher string B. While Best Practice is intended to serve as a copy & paste reference, Theory explains the reasoning behind cipher string B. In particular Architectural overview explains how to choose individual cipher strings. We advise the reader to actually read this section and challenge our reasoning in choosing Cipher string B and to come up with a better or localized solution.

Disclaimer

A chain is no stronger than its weakest link, and life is after all a chain.

— William James

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

— Edward Snowden answering questions live on the Guardian’s website This guide specifically does not address physical security, protecting software and hardware against exploits, basic IT security housekeeping, information assurance techniques, traffic analysis attacks, issues with key-roll over and key management, securing client PCs and mobile devices (theft, loss), proper Operations Security, social engineering attacks, protection against tempest (i_wikipedia_Tempest (codename)_, 2018) attack techniques, thwarting different side-channel attacks (timing–, cache timing–, differential fault analysis, differential power analysis or power monitoring attacks), downgrade attacks, jamming the encrypted channel or other similar attacks which are typically employed to circumvent strong encryption. The authors can not overstate the importance of these other techniques. Interested readers are advised to read about these attacks in detail since they give a lot of insight into other parts of cryptography engineering which need to be dealt with[1]) ]. This guide does not talk much about the well-known insecurities of trusting a public-key infrastructure (PKI)[2]. Nor does this text fully explain how to run your own Certificate Authority (CA). Most of this zoo of information security issues are addressed in the very comprehensive book Security Engineering by Ross Anderson (Anderson, 2008). For some experts in cryptography this text might seem too informal. However, we strive to keep the language as non-technical as possible and fitting for our target audience: system administrators who can collectively improve the security level for all of their users.

Security is a process, not a product.

— Bruce Schneier This guide can only describe what the authors currently believe to be the best settings based on their personal experience and after intensive cross checking with literature and experts. For a complete list of people who reviewed this paper, see the <acknowledgements>. Even though multiple specialists reviewed the guide, the authors can give no guarantee whatsoever that they made the right recommendations. Keep in mind that tomorrow there might be new attacks on some ciphers and many of the recommendations in this guide might turn out to be wrong. Security is a process. We therefore recommend that system administrators keep up to date with recent topics in IT security and cryptography. In this sense, this guide is very focused on getting the cipher strings done right even though there is much more to do in order to make a system more secure. We the authors, need this document as much as the reader needs it.

Scope

In this guide, we restricted ourselves to:* Internet-facing services

Commonly used services
Devices which are used in business environments (this specifically excludes XBoxes, Playstations and similar consumer devices)
OpenSSL

We explicitly excluded:* Specialized systems such as medical devices, most embedded systems, industrial control systems (ICS), etc.

Wireless Access Points
Smart-cards/chip cards

Methods

C.O.S.H.E.R - completely open source, headers, engineering and research.

— A. Kaplan His mail signature for many years For writing this guide, we chose to collect the most well researched facts about cryptography settings and let as many trusted specialists as possible review those settings. The review process is completely open and done on a public mailing list. The document is available (read-only) to the public Internet on the web page and the source code of this document is on a public git server, mirrored on GitHub.com and open for public scrutiny. However, write permissions to the document are only granted to vetted people. The list of reviewers can be found in Acknowledgements. Every write operation to the document is logged via the git version control system and can thus be traced back to a specific author. We accept git pull requests on the github mirror for this paper. Public peer-review and multiple eyes checking of our guide is the best strategy we can imagine at the present moment [3]. We invite the gentle reader to participate in this public review process. Please read the Contributing document.

III: Theory

Overview

Number theorists are like lotus-eaters - having tasted this food they can never give it up.

— Leopold Kronecker This chapter provides the necessary background information on why chapter [practicalsettings] recommended cipher string B. We start off by explaining the structure of cipher strings in section [architecture] (architecture) and define PFS in [pfs]. Next we present Cipher String A and Cipher String B in section Recommended cipher suites. This concludes the section on cipher strings. In theory, the reader should now be able to construct his or her own cipher string. However, the question why certain settings were chosen still remains. To answer this part, we need to look at recommended keylengths, problems in specific algorithms and hash functions and other cryptographic parameters. As mentioned initially in section [relatedPublications], the ENISA (ENISA and Vincent Rijmen, Nigel P. Smart, Bogdan warinschi, Gaven Watson, 2013), ECRYPT 2 (II & SYM, 2012) and BSI (für Sicherheit in der Informationstechnik (BSI), 2018) reports go much more into these topics and should be consulted in addition. We try to answer the questions by explaining issues with random number generators (section Random Number Generators), keylengths (section Keylengths), current issues in ECC (section A note on Elliptic Curve Cryptography), a note of warning on SHA-1 (section A note on SHA-1) and some comments on Diffie Hellman key exchanges (section A note on Diffie Hellman Key Exchanges). All of this is important in understanding why certain choices were made for Cipher String A and B. However, for most system administrators, the question of compatibility is one of the most pressing ones. Having the freedom to be compatible with any client (even running on outdated operating systems) of course, reduces the security of our cipher strings. We address these topics in section TODO. All these sections will allow a system administrator to balance his or her needs for strong encryption with usability and compatibility. Last but not least, we finish this chapter by talking about issues in PKIs (section Public Key Infrastructures), Certificate Authorities and on hardening a PKI. Note that these last few topics deserve a book on their own. Hence this guide can only mention a few current topics in this area.

Cipher suites

Architectural overview

This section defines some terms which will be used throughout this guide. A cipher suite is a standardized collection of key exchange algorithms, encryption algorithms (ciphers) and Message authentication codes (MAC) algorithm that provides authenticated encryption schemes. It consists of the following components:

Key exchange protocol  
 
Authentication  
 
Cipher  
 
Message authentication code (MAC)  
 
Authenticated Encryption with Associated Data (AEAD)

Listing 46. Composition of a typical cipher string +-----+ +-----+ +--------+ +--------+ | DHE +--+ RSA +--+ AES256 +--+ SHA256 + +-----+ +-----+ +--------+ +--------+

A note on nomenclature

There are two common naming schemes for cipher strings – IANA names (see appendix Links) and the more well known OpenSSL names. In this document we will always use OpenSSL names unless a specific service uses IANA names.

Forward Secrecy

Forward Secrecy or Perfect Forward Secrecy is a property of a cipher suite that ensures confidentiality even if the server key has been compromised. Thus if traffic has been recorded it can not be decrypted even if an adversary has got hold of the server key.* Forward secrecy (Wikipedia)

Recommended cipher suites

In principle system administrators who want to improve their communication security have to make a difficult decision between effectively locking out some users and keeping high cipher suite security while supporting as many users as possible. The web-site Qualys SSL Labs gives administrators and security engineers a tool to test their setup and compare compatibility with clients. The authors made use of ssllabs.com to arrive at a set of cipher suites which we will recommend throughout this document.

Caution

these settings can only represent a subjective choice of the authors at the time of writing. It might be a wise choice to select your own and review cipher suites based on the instructions in section [ChoosingYourOwnCipherSuites].

Configuration A: Strong ciphers, fewer clients

At the time of writing, our recommendation is to use the following set of strong cipher suites which may be useful in an environment where one does not depend on many, different clients and where compatibility is not a big issue. An example of such an environment might be machine-to-machine communication or corporate deployments where software that is to be used can be defined without restrictions. We arrived at this set of cipher suites by selecting:* TLS 1.2

Perfect forward secrecy / ephemeral Diffie Hellman
strong MACs (SHA-2) or
GCM as Authenticated Encryption scheme

This results in the OpenSSL string: EDH+aRSA+AES256:EECDH+aRSA+AES256:!SSLv3 Table 14. Configuration A ciphers

ID	OpenSSL Name	Version	KeyEx	Auth	Cipher	MAC
0x009F	DHE-RSA-AES256-GCM-SHA384	TLSv1.2	DH	RSA	AESGCM(256)	AEAD
0x006B	DHE-RSA-AES256-SHA256	TLSv1.2	DH	RSA	AES(256) (CBC)	SHA256
0xC030	ECDHE-RSA-AES256-GCM-SHA384	TLSv1.2	ECDH	RSA	AESGCM(256)	AEAD
0xC028	ECDHE-RSA-AES256-SHA384	TLSv1.2	ECDH	RSA	AES(256) (CBC)	SHA384

Compatibility

At the time of this writing only Win 7 and Win 8.1 crypto stack, OpenSSL >= 1.0.1e, Safari 6 / iOS 6.0.1 and Safari 7 / OS X 10.9 are covered by that cipher string.

Configuration B: Weaker ciphers but better compatibility

In this section we propose a slightly weaker set of cipher suites. For example, there are known weaknesses for the SHA-1 hash function that is included in this set. The advantage of this set of cipher suites is not only better compatibility with a broad range of clients, but also less computational workload on the provisioning hardware. All examples in this publication use Configuration B. We arrived at this set of cipher suites by selecting:* TLS 1.2, TLS 1.1, TLS 1.0

allowing SHA-1 (see the comments on SHA-1 in section [SHA])

This results in the OpenSSL string: 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA' Table 15. Configuration B ciphers

ID	OpenSSL Name	Version	KeyEx	Auth	Cipher	MAC
0x009F	DHE-RSA-AES256-GCM-SHA384	TLSv1.2	DH	RSA	AESGCM(256)	AEAD
0x006B	DHE-RSA-AES256-SHA256	TLSv1.2	DH	RSA	AES(256)	SHA256
0xC030	ECDHE-RSA-AES256-GCM-SHA384	TLSv1.2	ECDH	RSA	AESGCM(256)	AEAD
0xC028	ECDHE-RSA-AES256-SHA384	TLSv1.2	ECDH	RSA	AES(256)	SHA384
0x009E	DHE-RSA-AES128-GCM-SHA256	TLSv1.2	DH	RSA	AESGCM(128)	AEAD
0x0067	DHE-RSA-AES128-SHA256	TLSv1.2	DH	RSA	AES(128)	SHA256
0xC02F	ECDHE-RSA-AES128-GCM-SHA256	TLSv1.2	ECDH	RSA	AESGCM(128)	AEAD
0xC027	ECDHE-RSA-AES128-SHA256	TLSv1.2	ECDH	RSA	AES(128)	SHA256
0x0088	DHE-RSA-CAMELLIA256-SHA	SSLv3	DH	RSA	Camellia(256)	SHA1
0x0039	DHE-RSA-AES256-SHA	SSLv3	DH	RSA	AES(256)	SHA1
0xC014	ECDHE-RSA-AES256-SHA	SSLv3	ECDH	RSA	AES(256)	SHA1
0x0045	DHE-RSA-CAMELLIA128-SHA	SSLv3	DH	RSA	Camellia(128)	SHA1
0x0033	DHE-RSA-AES128-SHA	SSLv3	DH	RSA	AES(128)	SHA1
0xC013	ECDHE-RSA-AES128-SHA	SSLv3	ECDH	RSA	AES(128)	SHA1
0x0084	CAMELLIA256-SHA	SSLv3	RSA	RSA	Camellia(256)	SHA1
0x0035	AES256-SHA	SSLv3	RSA	RSA	AES(256)	SHA1
0x0041	CAMELLIA128-SHA	SSLv3	RSA	RSA	Camellia(128)	SHA1
0x002F	AES128-SHA	SSLv3	RSA	RSA	AES(128)	SHA1

Compatibility

Note that these cipher suites will not work with Windows XP’s crypto stack (e.g. IE, Outlook),

Explanation

For a detailed explanation of the cipher suites chosen, please see [ChoosingYourOwnCipherSuites]. In short, finding a single perfect cipher string is practically impossible and there must be a tradeoff between compatibility and security. On the one hand there are mandatory and optional ciphers defined in a few RFCs, on the other hand there are clients and servers only implementing subsets of the specification. Straightforwardly, the authors wanted strong ciphers, forward secrecy [25] and the best client compatibility possible while still ensuring a cipher string that can be used on legacy installations (e.g. OpenSSL 0.9.8).

Our recommended cipher strings are meant to be used via copy and paste and need to work "out of the box".* TLSv1.2 is preferred over TLSv1.0 (while still providing a useable cipher string for TLSv1.0 servers).

AES256 and CAMELLIA256 count as very strong ciphers at the moment.
AES128 and CAMELLIA128 count as strong ciphers at the moment
DHE or ECDHE for forward secrecy
RSA as this will fit most of today’s setups
AES256-SHA as a last resort: with this cipher at the end, even server systems with very old OpenSSL versions will work out of the box (version 0.9.8 for example does not provide support for ECC and TLSv1.1 or above). Note however that this cipher suite will not provide forward secrecy. It is meant to provide the same client coverage(eg. support Microsoft crypto libraries) on legacy setups.

Compatibility

TODO

Write this section. The idea here is to first document which server (and openssl) version we assumed. Once these parameters are fixed, we then list all clients which are supported for Variant A) and B). Therefore we can document compatibilities to some extent. The sysadmin can then choose roughly what he looses or gains by omitting certain cipher suites.

Random Number Generators

"A real fair random number generator" (Image license: CC-BY-NC) A good source of random numbers is essential for many crypto operations. The key feature of a good random number generator is the non-predictability of the generated numbers. This means that hardware support for generating entropy is essential. Hardware random number generators in operating systems or standalone components collect entropy from various random events mostly by using the (low bits of the) time an event occurs as an entropy source. The entropy is merged into an entropy pool and in some implementations there is some bookkeeping about the number of random bits available.

When Random Number Generators Fail

Random number generators can fail – returning predictable non-random numbers – if not enough entropy is available when random numbers should be generated. This typically occurs for embedded devices and virtual machines. Embedded devices lack some entropy sources other devices have, e.g.:* No persistent clock, so boot-time is not contributing to the initial RNG state.

No hard-disk: No entropy from hard-disk timing, no way to store entropy between reboots.

Virtual machines emulate some hardware components so that the generated entropy is over-estimated. The most critical component that has been shown to return wrong results is an emulated environment is the timing source (Engblom, 2011). Typically the most vulnerable time where low-entropy situations occur is shortly after a reboot. Unfortunately many operating system installers create cryptographic keys shortly after a reboot (Heninger, Durumeric, Wustrow, & Halderman, 2012). Another problem is that OpenSSL seeds its internal random generator only seldomly from the hardware random number generator of the operating system. This can lead to situations where a daemon that is started at a time when entropy is low keeps this low-entropy situation for hours leading to predictable session keys (Heninger, Durumeric, Wustrow, & Halderman, 2012). For systems where – during the lifetime of the keys – it is expected that low-entropy situations occur, RSA keys should be preferred over DSA keys: For DSA, if there is ever insufficient entropy at the time keys are used for signing this may lead to repeated ephemeral keys. An attacker who can guess an ephemeral private key used in such a signature can compromise the DSA secret key. For RSA this can lead to discovery of encrypted plaintext or forged signatures but not to the compromise of the secret key (Heninger, Durumeric, Wustrow, & Halderman, 2012).

Keylengths

On the choice between AES256 and AES128: I would never consider using AES256, just like I don't wear a helmet when I sit inside my car. It's too much bother for the epsilon improvement in security. Recommendations on keylengths need to be adapted regularly. Since this document first of all is static and second of all, does not consider itself to be authoritative on keylengths, we would rather refer to existing publications and websites. Recommending a safe key length is a hit-and-miss issue. Furthermore, when choosing an encryption algorithm and key length, the designer/sysadmin always needs to consider the value of the information and how long it must be protected. In other words: consider the number of years the data needs to stay confidential. The ECRYPT II publication gives a fascinating overview of strengths of symmetric keys in chapter 5 and chapter 7. Summarizing ECRYPT II, we recommend 128 bit of key strength for symmetric keys. In ECRYPT II, this is considered safe for security level 7, long term protection. In the same ECRYPT II publication you can find a practical comparison of key size equivalence between symmetric key sizes and RSA, discrete log (DLOG) and EC keylengths. ECRYPT II arrives at the interesting conclusion that for an equivalence of 128 bit symmetric size, you will need to use an 3248 bit RSA key (II & SYM, 2012). There are a couple of other studies comparing keylengths and their respective strengths. The website https://www.keylength.com/ compares these papers and offers a good overview of approximations for key lengths based on recommendations by different standardization bodies and academic publications. Figure #fig:keylengths.com[1] shows a typical comparison of keylengths on this web site. "Screenshot for 128 bit symmetric key size equivalents"

Summary

For asymmetric public-key cryptography we consider any key length below 3248 bits to be deprecated at the time of this writing (for long term protection). For elliptic curve cryptography we consider key lengths below 256 bits to be inadequate for long term protection. For symmetric algorithms we consider anything below 128 bits to be inadequate for long term protection.

Special remark on 3DES:

We want to note that 3DES theoretically has 168 bits of security, however based on the NIST Special Publication 800-57 [26]. Due to several security problems the effective key length should be considered 80 bits. The NIST recommends not to use 3DES any more and to migrate to AES as soon as possible.

A note on Elliptic Curve Cryptography

Everyone knows what a curve is, until he has studied enough mathematics to become confused through the countless number of possible exceptions. Elliptic Curve Cryptography (simply called ECC from now on) is a branch of cryptography that emerged in the mid-1980s. The security of the RSA algorithm is based on the assumption that factoring large numbers is infeasible. Likewise, the security of ECC, DH and DSA is based on the discrete logarithm problem (i_wikipedia_Discrete logarithm_, 2013). Finding the discrete logarithm of an elliptic curve from its public base point is thought to be infeasible. This is known as the Elliptic Curve Discrete Logarithm Problem (ECDLP). ECC and the underlying mathematical foundation are not easy to understand - luckily, there have been some great introductions on the topic. [27] [28] [29]. ECC provides for much stronger security with less computationally expensive operations in comparison to traditional asymmetric algorithms (See the Section Keylengths). The security of ECC relies on the elliptic curves and curve points chosen as parameters for the algorithm in question. Well before the NSA-leak scandal, there has been a lot of discussion regarding these parameters and their potential subversion. A part of the discussion involved recommended sets of curves and curve points chosen by different standardization bodies such as the National Institute of Standards and Technology (NIST) [30] which were later widely implemented in most common crypto libraries. Those parameters came under question repeatedly from cryptographers (Bernstein & Lange, 2013). At the time of writing, there is ongoing research as to the security of various ECC parameters (SafeCurves: choosing safe curves for elliptic-curve cryptography, 2013). Most software configured to rely on ECC (be it client or server) is not able to promote or black-list certain curves. It is the hope of the authors that such functionality will be deployed widely soon. The authors of this paper include configurations and recommendations with and without ECC - the reader may choose to adopt those settings as he finds best suited to his environment. The authors will not make this decision for the reader.

Warning

One should get familiar with ECC, different curves and parameters if one chooses to adopt ECC configurations. Since there is much discussion on the security of ECC, flawed settings might very well compromise the security of the entire system!

A note on SHA-1

In the last years several weaknesses have been shown for SHA-1. In particular, collisions on SHA-1 can be found using 263 operations, and recent results even indicate a lower complexity. Therefore, ECRYPT II and NIST recommend against using SHA-1 for generating digital signatures and for other applications that require collision resistance. The use of SHA-1 in message authentication, e.g. HMAC, is not immediately threatened. We recommend using SHA-2 whenever available. Since SHA-2 is not supported by older versions of TLS, SHA-1 can be used for message authentication if a higher compatibility with a more diverse set of clients is needed. Our configurations A and B reflect this. While configuration A does not include SHA-1, configuration B does and thus is more compatible with a wider range of clients.

A note on Diffie Hellman Key Exchanges

A common question is which Diffie-Hellman (DH) parameters should be used for Diffie Hellman key-exchanges [31]. We follow the recommendations in ECRYPT II (II & SYM, 2012). Where configurable, we recommend using the Diffie Hellman groups defined for IKE, specifically groups 14-18 (2048–8192 bit MODP) (Kivinen & Kojo, 2003). These groups have been checked by many eyes and can be assumed to be secure. For convenience, we provide these parameters as PEM files on our webserver [32].

Public Key Infrastructures

Public-Key Infrastructures try to solve the problem of verifying whether a public key belongs to a given entity, so as to prevent Man In The Middle attacks. There are two approaches to achieve that: Certificate Authorities and the Web of Trust. Certificate Authorities (CAs) sign end-entities’ certificates, thereby associating some kind of identity (e.g. a domain name or an email address) with a public key. CAs are used with TLS and S/MIME certificates, and the CA system has a big list of possible and real problems which are summarized in section Hardening PKI and (Durumeric, Kasten, Bailey, & Halderman, 2013). The Web of Trust is a decentralized system where people sign each other’s keys, so that there is a high chance that there is a "trust path" from one key to another. This is used with PGP keys, and while it avoids most of the problems of the CA system, it is more cumbersome. As alternatives to these public systems, there are two more choices: running a private CA, and manually trusting keys (as it is used with SSH keys or manually trusted keys in web browsers). The first part of this section addresses how to obtain a certificate in the CA system. The second part offers recommendations on how to improve the security of your PKI.

Certificate Authorities

In order to get a certificate, you can find an external CA willing to issue a certificate for you, run your own CA, or use self-signed certificates. As always, there are advantages and disadvantages for every one of these options; a balance of security versus usability needs to be found.

Certificates From an External Certificate Authority

There is a fairly large number of commercial CAs that will issue certificates for money. Some of the most ubiquitous commercial CAs are Verisign, GoDaddy, and Teletrust. However, there are also CAs that offer certificates for free. The most notable examples are StartSSL, which is a company that offers some types of certificates for free, and CAcert, which is a non-profit volunteer-based organization that does not charge at all for issuing certificates. Finally, in the research and education field, a number of CAs exist that are generally well-known and well-accepted within the higher-education community. A large number of CAs is pre-installed in client software’s or operating system’s`‘trust stores’'; depending on your application, you have to select your CA according to this, or have a mechanism to distribute the chosen CA’s root certificate to the clients. When requesting a certificate from a CA, it is vital that you generate the key pair yourself. In particular, the private key should never be known to the CA. If a CA offers to generate the key pair for you, you should not trust that CA. Generating a key pair and a certificate request can be done with a number of tools. On Unix-like systems, it is likely that the OpenSSL suite is available to you. In this case, you can generate a private key and a corresponding certificate request as follows: $ openssl req -new -nodes -keyout <servername>.key -out <servername>.csr -newkey rsa:<keysize> -sha256 Country Name (2 letter code) [AU]:DE State or Province Name (full name) [Some-State]:Bavaria Locality Name (eg, city) []:Munich Organization Name (eg, company) [Internet Widgits Pty Ltd]:Example Organizational Unit Name (eg, section) []:Example Section Common Name (e.g. server FQDN or YOUR name) []:example.com Email Address []:admin@example.com Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:

Setting Up Your Own Certificate Authority

In some situations it is advisable to run your own certificate authority. Whether this is a good idea depends on the exact circumstances. Generally speaking, the more centralized the control of the systems in your environment, the fewer pains you will have to go through to deploy your own CA. On the other hand, running your own CA maximizes the trust level that you can achieve because it minimizes external trust dependencies. Again using OpenSSL as an example, you can set up your own CA with the following commands on a Debian system: $ cd /usr/lib/ssl/misc $ sudo ./CA.pl -newca Answer the questions according to your setup. Now that you have configured your basic settings and issued a new root certificate, you can issue new certificates as follows: $ cd /usr/lib/ssl/misc $ sudo ./CA.pl -newreq Alternatively, software such as TinyCA that acts as a "wrapper" around OpenSSL and tries to make life easier is available.

Creating a Self-Signed Certificate

If the desired trust level is very high and the number of systems involved is limited, the easiest way to set up a secure environment may be to use self-signed certificates. A self-signed certificate is not issued by any CA at all, but is signed by the entity that it is issued to. Thus, the organizational overhead of running a CA is eliminated at the expense of having to establish all trust relationships between entities manually. With OpenSSL, you can self-sign a previously created certificate with this command: $ openssl req -new -x509 -key privkey.pem -out cacert.pem -days 1095 You can also create a self-signed certificate in just one command: $ openssl req -new -x509 -keyout privkey.pem -out cacert.pem -days 1095 -nodes -newkey rsa:<keysize> -sha256 The resulting certificate will by default not be trusted by anyone at all, so in order to be useful, the certificate will have to be made known a priori to all parties that may encounter it.

Hardening PKI

In recent years several CAs were compromised by attackers in order to get a hold of trusted certificates for malicious activities. In 2011 the Dutch CA Diginotar was hacked and all certificates were revoked (Elinor Mills, 2011). Recently Google found certificates issued to them, which were not used by the company (Damon Poeter, 2011). The concept of PKIs heavily depends on the security of CAs. If they get compromised the whole PKI system will fail. Some CAs tend to incorrectly issue certificates that were designated to do a different job than what they were intended to by the CA (Adam Langley, et. al., 2013). Therefore several security enhancements were introduced by different organizations and vendors (H. Tschofenig and E. Lear, 2013). Currently two methods are used, DANE (Hoffman & Schlyter, 2012) and Certificate Pinning (C. Evans and C. Palmer, 2013). Google recently proposed a new system to detect malicious CAs and certificates called Certificate Transparency (Adam Langley, Ben Laurie, Emilia Kasper, 2013). In addition, RFC 6844 describes Certification Authorization Records, a mechanism for domain name owners to signal which Certificate Authorities are authorized to issue certificates for their domain.

Certification Authorization Records

RFC 6844 describes Certification Authorization Records, a mechanism for domain name owners to signal which Certificate Authorities are authorized to issue certificates for their domain. When a CAA record is defined for a particular domain, it specifies that the domain owner requests Certificate Authorities to validate any request against the CAA record. If the certificate issuer is not listed in the CAA record, it should not issue the certificate. The RFC also permits Certificate Evaluators to test an issued certificate against the CAA record, but should exercise caution, as the CAA record may change during the lifetime of a certificate, without affecting its validity. CAA also supports an iodef property type which can be requested by a Certificate Authority to report certificate issue requests which are inconsistent with the issuer’s Certificate Policy.

Configuration of CAA records

BIND supports CAA records as of version 9.9.6. A CAA record can be configured by adding it to the zone file: $ORIGIN example.com

      CAA 0 issue "ca1.example"
      CAA 0 iodef "mailto:security@example.com"

If your organization uses multiple CA’s, you can configure multiple records:

     CAA 0 issue "ca1.example"
     CAA 0 issue "ca2.example"

"ca1.example" and "ca2.example" are unique identifiers for the CA you plan on using. These strings can be obtained from your Certificate Authority, and typically are its top level domain. An example is "letsencrypt.org" for the Let’s Encrypt CA operated by the Internet Security Research Group. Knot-DNS supports CAA records as of version 2.2.0.

Validation of CAA records

Once a CAA record is deployed, it can be validated using the following dig query: $ dig CAA google.com ; <<>> DiG 9.10.3-P4-Debian <<>> CAA google.com ;; ANSWER SECTION: google.com. 3600 IN CAA 0 issue "symantec.com" On older versions of Dig, which do not support CAA records, you can query the record type manually: $ dig +short -t TYPE257 google.com \# 19 0005697373756573796D616E7465632E636F6D

TLS and its support mechanisms

HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS) is a web security policy mechanism. HSTS is realized through HTTP header by which a web server declares that complying user agents (web browsers) should interact with it by using only secure HTTPS connections. [33] HSTS header is bound to a DNS name or domain by which the server was accessed. For example if server serves content for two domains and it is HTTPS enabled only for one domain, the browser won’t enforce HSTS for the latter. HSTS reduces the risk of active man-in-the-middle attacks such as SSL stripping, and impersonation attacks with untrusted certificate. HSTS also helps to avoid unintentional mistakes such as insecure links to a secure web site (missing HTTPS links [34]), and mistyped HTTPS URLs. After the web browser receives a HSTS header in a correctly [35] prepared SSL session it will automatically use secure HTTPS links for accessing the server. This prevents unencrypted HTTP access (SSL striping, mistyped HTTPS URLs, etc.) when the server is accessed later by the client. When a server (that previously emitted a HSTS header) starts using an untrusted certificate, complying user agents must show an error message and block the server connection. Thus impersonation MITM attack with untrusted certificates cannot occur. For the initial setup HSTS header needs a trusted secure connection over HTTPS. This limitation can be addressed by compiling a list of STS enabled sites directly into a browser. [36]

HSTS Header Directives

HSTS header can be parametrized by two directives:* max-age=<number-of-seconds>

includeSubdomains

max-age is a required directive. This directive indicates the number of seconds during which the user agent should enforce the HSTS policy (after the reception of the STS header field from a server). includeSubdomains is an optional directive. This directive indicates that the HSTS policy applies to this HSTS host as well as any subdomains of the host’s domain name.

HSTS Client Support

HSTS is supported [37] by these web browsers:* Firefox version >= v4.0

Chrome version >= 4.0
Android Browser >=4.4
Opera version >= 12.0
Opera mobile >= 16.0
Safari >= 7.0
Microsoft Internet Explorer >= 11 (with update provided 09. June 2015)
Microsoft Edge >= 12

HSTS Considerations

Before enabling HSTS it is recommended to consider following:* Is it required to serve content or services over HTTP?

Enabling includeSubdomains and SSL certificate management.
Proper value of max-age.

It is recommended to serve all content using HTTPS, but there are exceptions to this rule as well. Consider running a private PKI [38]. CRLs and OCSP responses are published typically by HTTP protocol. If HSTS is enabled on the site where OCSP and CRLs are published the browser might fail fetching CRL or validating OCSP response. Similar reasoning goes for includeSubdomains. One needs to be sure that HTTPS can be enforced for all subdomains. Moreover the administrators are advised to watch for expiration of the SSL certificate and handle the renewal process with caution. If a SSL certificate is renewed after expiration or misses a (HSTS enabled) domain name, the connection to site will break (without providing override mechanism to the end user). Finally HSTS should be tested with lower max-age values and deployed with higher max-age values.

Testing HSTS

HSTS can be tested either using locally or through the Internet. For local testing it is possible to utilize Chrome Web browser UI by typing chrome://net-internals/#hsts [39] in the address bar. Testing over the Internet can be conducted by Qualys SSL Labs test https://www.ssllabs.com/ssltest/. Strict Transport Security (HSTS) information is located in the Protocol Details section.

References

Websites Must Use HSTS in Order to Be Secure: https://www.eff.org/deeplinks/2014/02/websites-hsts
OWASP: HTTP Strict Transport Security: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
HSTS Browser Compatibility List: https://caniuse.com/stricttransportsecurity
RFC 6797:HTTP Strict Transport Security (HSTS) - Examples: https://tools.ietf.org/html/rfc6797#section-6.2

HTTP Public Key Pinning (HPKP)

Much like HTTP Strict Transport Security (HSTS), HTTP Public Key Pinning (HPKP) is a Trust-On-First-Use (TOFU) mechanism. It protects HTTPS websites from impersonation using certificates issued by compromised certificate authorities. The data for Pinning is supplied by an HTTP-Header sent by the WebServer.

HPKP Header Directives

HPKP provides two different types of headers:* Public-Key-Pins

Public-Key-Pins-Report-Only

HPKP header can be parametrized by following directives:* pin-sha256="<YOUR_PUBLICKEY_HASH⇒"

max-age=<number-of-seconds>
includeSubdomains
report-uri="<https://YOUR.URL/TO-REPORT>"

pin-sha256 is a required directive. It can and should be used several (at least two) times for specifying the public keys of your domain-certificates or CA-certificates. Operators can pin any one or more of the public keys in the certificate-chain, and indeed must pin to issuers not in the chain (as, for example, a backup-pin). Pinning to an intermediate issuer, or even to a trust anchor or root, still significantly reduces the number of issuers who can issue end-entity certificates for the Known Pinned Host, while still giving that host flexibility to change keys without a disruption of service. OpenSSL can be used to convert the public-key of an X509-certificate as follows: $ openssl x509 -in <certificate.cer> -pubkey -noout |

openssl rsa -pubin -outform der |
openssl dgst -sha256 -binary |
openssl enc -base64

writing RSA key pG3WsstDsfMkRdF3hBClXRKYxxKUJIOu8DwabG8MFrU= This piped usage of OpenSSL first gets the Public-Key of <certificate.cer>, converts it do DER (binary) format, calculates an SHA256 Hash and finally encodes it Base64. The output (including the ending Equal-Sign) is exactly whats needed for the pin-sha256="<YOUR_PUBLICKEY_HASH⇒" parameter. To generate the hash for a prepared backup-key just create a certificate-signing-request and replace openssl x509 by openssl req -in <backup-cert.csr> -pubkey -noout as first OpenSSL command. Instead of using OpenSSL even web-services like https://report-uri.io/home/pkp_hash/ can be used to get a suggestion for the possible Public-Key-Hashes for a given website. max-age is a required directive (when using the Public-Key-Pins header). This directive specifies the number of seconds during which the user agent should regard the host (from whom the message was received) as a "Known Pinned Host". includeSubdomains is an optional directive. This directive indicates that the same pinning applies to this host as well as any subdomains of the host’s domain name. Be careful - you need to use a multi-domain/wildcard-certificate or use the same pub/private-keypair in all subdomain-certificates or need to pin to CA-certificates signing all your subdomain-certificates. report-uri is an optional directive. The presence of a report-uri directive indicates to the web-browser that in the event of pin-validation failure, it should post a report to the report-uri (HTTP-Post is done using JSON, Syntax see {RFC-7469 Section 3} [40]). There are WebServices like https://report-uri.io/ out there which can be used to easily collect and visualize these reports.

HPKP Client Support

HPKP is supported [41] by these web browsers:* Firefox version >= 35

Chrome version between version 38 and 72
Android Browser >= 44
Opera version >= 25

Currently (20. Dec 2018) there is no HPKP support in: Apple Safari, Microsoft Internet Explorer and Edge. HPKP Support has been removed from Google Chrome and Chromium from version 72 onwards.

HPKP Considerations

Before enabling HPKP it is recommended to consider following:* Which Public-Keys to use for Pinning (Certificate + Backup-Certificate, CAs, Intermediate-CAs)

Proper value of max-age. Start testing with a short Period, increase Period after deployment.
Be careful when using includeSubdomains, are all your subdomains covered by the defined Public-Key-Hashes?

The administrators are advised to watch for expiration of the SSL certificate and handle the renewal process with caution. If a SSL certificate is renewed without keeping the public-key (reusing the CSR) for an HPKP enabled domain name, the connection to site will break (without providing override mechanism to the end user).

Testing HPKP

HPKP can be tested either using locally or through the Internet. There is a handy bash-script which uses OpenSSL for doing several SSL/TLS-Tests available at https://testssl.sh/ $ wget -q https://testssl.sh/testssl.sh $ wget -q https://testssl.sh/mapping-rfc.txt $ chmod 755 ./testssl.sh $ ./testssl.sh https://example.com # Sample Output, just HSTS and HPKP Section (Full report is quite long!): Strict Transport Security 182 days=15724800 s, includeSubDomains Public Key Pinning # of keys: 2, 90 days=7776000 s, just this domain

          matching host key: pG3WsstDsfMkRdF3hBClXRKYxxKUJIOu8DwabG8MFrU

For local testing it is possible to utilize Google Chrome web-browser, just open the Chrome net-internals-URL: chrome://net-internals/#hsts. For Mozilla Firefox there is an plug-in provided by the "Secure Information Technology Center Austria" available: https://demo.a-sit.at/firefox-plugin-highlighting-safety-information/ Testing over the Internet can be conducted by Qualys SSL Labs test https://www.ssllabs.com/ssltest/. Public Key Pinning (HPKP) information is located in the Protocol Details section. There is also a fast online HPKP-only check at https://report-uri.io/home/pkp_analyse.

References

OWASP: Certificate and Public Key Pinning: https://www.owasp.org/index.php/Certificate_and_Public_Key_Pinning
HPKP Browser Compatibility List: https://caniuse.com/\#feat=publickeypinning
RFC 7469:Public Key Pinning Extension for HTTP - Examples: https://tools.ietf.org/html/rfc7469\#section-2.1.5

IV: Appendix

Tools

This section lists tools for checking the security settings.

SSL & TLS

Server checks via the web ssllabs.com offers a great way to check your webserver for misconfigurations. See https://www.ssllabs.com/ssltest/. Furthermore, ssllabs.com has a good best practices tutorial, which focuses on avoiding the most common mistakes in SSL. SSL Server certificate installation issues https://www.sslshopper.com/ssl-checker.html Check SPDY protocol support and basic TLS setup http://spdycheck.org/ XMPP/Jabber Server check (Client-to-Server and Server-to-Server) https://xmpp.net/ Luxsci SMTP TLS Checker https://luxsci.com/extranet/tlschecker.html DNSsec and DANE support of your domain and e-mail server? https://dane.sys4.de http://checktls.com is a tool for testing arbitrary TLS services. http://tls.secg.org is a tool for testing interoperability of HTTPS implementations for ECC cipher suites. http://www.whynopadlock.com/ Testing for mixed SSL parts loaded via http that can totally lever your HTTPS.

Browser Checks

Check your browser’s SSL capabilities: https://cc.dcsec.uni-hannover.de/ and https://www.ssllabs.com/ssltest/viewMyClient.html. Check Browsers SSL/TLS support and vulnerability to attacks: https://www.howsmyssl.com

Command Line Tools

https://sourceforge.net/projects/sslscan connects to a given SSL service and shows the cipher suites that are offered. http://www.bolet.org/TestSSLServer/ tests for BEAST and CRIME vulnerabilities. https://github.com/drwetter/testssl.sh checks a server’s service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws (CRIME, BREACH, CCS, Heartbleed). https://github.com/iSECPartners/sslyze Fast and full-featured SSL scanner. https://github.com/jvehent/cipherscan Fast TLS scanner (ciphers, order, protocols, key size and more) http://nmap.org/ nmap security scanner http://www.openssl.net OpenSSL s_client Monitoring TLS services with Zabbix (sorry, German) https://blog.sys4.de/zertifikate-uberwachen-mit-zabbix-de.html

Key length

http://www.keylength.com comprehensive online resource for comparison of key lengths according to common recommendations and standards in cryptography.

Random Number Generators

ENT is a pseudo random number generator sequence tester. Dieharder a random number generator testing tool. CAcert Random another random number generator testing service.

Guides

See: https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf.

Links

IANA official list of Transport Layer Security (TLS) Parameters Elliptic curves and their implementation (04 Dec 2010) A (relatively easy to understand) primer on elliptic curve cryptography Duraconf, A collection of hardened configuration files for SSL/TLSservices (Jacob Appelbaum’s github) Attacks on SSL a comprehensive study of BEAST, CRIME, TIME, BREACH, LUCKY 13 & RC4 Biases EFF How to deploy HTTPS correctly Bruce Almighty: Schneier preaches security to Linux faithful (on not recommending to use Blowfish anymore in favor of Twofish) Implement FIPS 183-3 for DSA keys (1024bit constraint) Elliptic Curve Cryptography in Practice Factoring as a Service Black Ops of TCP/IP 2012 SSL and the Future of Authenticity, Moxie Marlinspike - Black Hat USA 2011 ENISA - Algorithms, Key Sizes and Parameters Report (Oct.’13 Diffie-Hellman Groups standardized in RFC3526 TLS Security (Survey + Lucky13 + RC4 Attack) by Kenny Paterson Ensuring High-Quality Randomness in Cryptographic Key Generation Wikipedia: Ciphertext Stealing Wikipedia: Malleability (Cryptography) Ritter’s Crypto Glossary and Dictionary of Technical Cryptography

Cipher Suite Name Cross-Reference

This table shows the cipher suite names as IANA defined them, the names OpenSSL uses, and the respective codes.

Code	IANA Name	OpenSSL Name
`0x00,0x00`	`TLS_NULL_WITH_NULL_NULL`
`0x00,0x01`	`TLS_RSA_WITH_NULL_MD5`	`NULL-MD5`
`0x00,0x02`	`TLS_RSA_WITH_NULL_SHA`	`NULL-SHA`
`0x00,0x03`	`TLS_RSA_EXPORT_WITH_RC4_40_MD5`	`EXP-RC4-MD5`
`0x00,0x04`	`TLS_RSA_WITH_RC4_128_MD5`	`RC4-MD5`
`0x00,0x05`	`TLS_RSA_WITH_RC4_128_SHA`	`RC4-SHA`
`0x00,0x06`	`TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5`	`EXP-RC2-CBC-MD5`
`0x00,0x07`	`TLS_RSA_WITH_IDEA_CBC_SHA`
`0x00,0x08`	`TLS_RSA_EXPORT_WITH_DES40_CBC_SHA`	`EXP-DES-CBC-SHA`
`0x00,0x09`	`TLS_RSA_WITH_DES_CBC_SHA`	`DES-CBC-SHA`
`0x00,0x0A`	`TLS_RSA_WITH_3DES_EDE_CBC_SHA`	`DES-CBC3-SHA`
`0x00,0x0B`	`TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA`
`0x00,0x0C`	`TLS_DH_DSS_WITH_DES_CBC_SHA`
`0x00,0x0D`	`TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA`
`0x00,0x0E`	`TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA`
`0x00,0x0F`	`TLS_DH_RSA_WITH_DES_CBC_SHA`
`0x00,0x10`	`TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA`
`0x00,0x11`	`TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA`	`EXP-EDH-DSS-DES-CBC-SHA`
`0x00,0x12`	`TLS_DHE_DSS_WITH_DES_CBC_SHA`	`EDH-DSS-DES-CBC-SHA`
`0x00,0x13`	`TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA`	`EDH-DSS-DES-CBC3-SHA`
`0x00,0x14`	`TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA`	`EXP-EDH-RSA-DES-CBC-SHA`
`0x00,0x15`	`TLS_DHE_RSA_WITH_DES_CBC_SHA`	`EDH-RSA-DES-CBC-SHA`
`0x00,0x16`	`TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA`	`EDH-RSA-DES-CBC3-SHA`
`0x00,0x17`	`TLS_DH_anon_EXPORT_WITH_RC4_40_MD5`	`EXP-ADH-RC4-MD5`
`0x00,0x18`	`TLS_DH_anon_WITH_RC4_128_MD5`	`ADH-RC4-MD5`
`0x00,0x19`	`TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA`	`EXP-ADH-DES-CBC-SHA`
`0x00,0x1A`	`TLS_DH_anon_WITH_DES_CBC_SHA`	`ADH-DES-CBC-SHA`
`0x00,0x1B`	`TLS_DH_anon_WITH_3DES_EDE_CBC_SHA`	`ADH-DES-CBC3-SHA`
`0x00,0x1E`	`TLS_KRB5_WITH_DES_CBC_SHA`
`0x00,0x1F`	`TLS_KRB5_WITH_3DES_EDE_CBC_SHA`
`0x00,0x20`	`TLS_KRB5_WITH_RC4_128_SHA`
`0x00,0x21`	`TLS_KRB5_WITH_IDEA_CBC_SHA`
`0x00,0x22`	`TLS_KRB5_WITH_DES_CBC_MD5`
`0x00,0x23`	`TLS_KRB5_WITH_3DES_EDE_CBC_MD5`
`0x00,0x24`	`TLS_KRB5_WITH_RC4_128_MD5`
`0x00,0x25`	`TLS_KRB5_WITH_IDEA_CBC_MD5`
`0x00,0x26`	`TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA`
`0x00,0x27`	`TLS_KRB5_EXPORT_WITH_RC2_CBC_40_SHA`
`0x00,0x28`	`TLS_KRB5_EXPORT_WITH_RC4_40_SHA`
`0x00,0x29`	`TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5`
`0x00,0x2A`	`TLS_KRB5_EXPORT_WITH_RC2_CBC_40_MD5`
`0x00,0x2B`	`TLS_KRB5_EXPORT_WITH_RC4_40_MD5`
`0x00,0x2C`	`TLS_PSK_WITH_NULL_SHA`
`0x00,0x2D`	`TLS_DHE_PSK_WITH_NULL_SHA`
`0x00,0x2E`	`TLS_RSA_PSK_WITH_NULL_SHA`
`0x00,0x2F`	`TLS_RSA_WITH_AES_128_CBC_SHA`	`AES128-SHA`
`0x00,0x30`	`TLS_DH_DSS_WITH_AES_128_CBC_SHA`
`0x00,0x31`	`TLS_DH_RSA_WITH_AES_128_CBC_SHA`
`0x00,0x32`	`TLS_DHE_DSS_WITH_AES_128_CBC_SHA`	`DHE-DSS-AES128-SHA`
`0x00,0x33`	`TLS_DHE_RSA_WITH_AES_128_CBC_SHA`	`DHE-RSA-AES128-SHA`
`0x00,0x34`	`TLS_DH_anon_WITH_AES_128_CBC_SHA`	`ADH-AES128-SHA`
`0x00,0x35`	`TLS_RSA_WITH_AES_256_CBC_SHA`	`AES256-SHA`
`0x00,0x36`	`TLS_DH_DSS_WITH_AES_256_CBC_SHA`
`0x00,0x37`	`TLS_DH_RSA_WITH_AES_256_CBC_SHA`
`0x00,0x38`	`TLS_DHE_DSS_WITH_AES_256_CBC_SHA`	`DHE-DSS-AES256-SHA`
`0x00,0x39`	`TLS_DHE_RSA_WITH_AES_256_CBC_SHA`	`DHE-RSA-AES256-SHA`
`0x00,0x3A`	`TLS_DH_anon_WITH_AES_256_CBC_SHA`	`ADH-AES256-SHA`
`0x00,0x3B`	`TLS_RSA_WITH_NULL_SHA256`	`NULL-SHA256`
`0x00,0x3C`	`TLS_RSA_WITH_AES_128_CBC_SHA256`	`AES128-SHA256`
`0x00,0x3D`	`TLS_RSA_WITH_AES_256_CBC_SHA256`	`AES256-SHA256`
`0x00,0x3E`	`TLS_DH_DSS_WITH_AES_128_CBC_SHA256`
`0x00,0x3F`	`TLS_DH_RSA_WITH_AES_128_CBC_SHA256`
`0x00,0x40`	`TLS_DHE_DSS_WITH_AES_128_CBC_SHA256`	`DHE-DSS-AES128-SHA256`
`0x00,0x41`	`TLS_RSA_WITH_CAMELLIA_128_CBC_SHA`	`CAMELLIA128-SHA`
`0x00,0x42`	`TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA`
`0x00,0x43`	`TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA`
`0x00,0x44`	`TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA`	`DHE-DSS-CAMELLIA128-SHA`
`0x00,0x45`	`TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA`	`DHE-RSA-CAMELLIA128-SHA`
`0x00,0x46`	`TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA`	`ADH-CAMELLIA128-SHA`
`0x00,0x67`	`TLS_DHE_RSA_WITH_AES_128_CBC_SHA256`	`DHE-RSA-AES128-SHA256`
`0x00,0x68`	`TLS_DH_DSS_WITH_AES_256_CBC_SHA256`
`0x00,0x69`	`TLS_DH_RSA_WITH_AES_256_CBC_SHA256`
`0x00,0x6A`	`TLS_DHE_DSS_WITH_AES_256_CBC_SHA256`	`DHE-DSS-AES256-SHA256`
`0x00,0x6B`	`TLS_DHE_RSA_WITH_AES_256_CBC_SHA256`	`DHE-RSA-AES256-SHA256`
`0x00,0x6C`	`TLS_DH_anon_WITH_AES_128_CBC_SHA256`	`ADH-AES128-SHA256`
`0x00,0x6D`	`TLS_DH_anon_WITH_AES_256_CBC_SHA256`	`ADH-AES256-SHA256`
`0x00,0x84`	`TLS_RSA_WITH_CAMELLIA_256_CBC_SHA`	`CAMELLIA256-SHA`
`0x00,0x85`	`TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA`
`0x00,0x86`	`TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA`
`0x00,0x87`	`TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA`	`DHE-DSS-CAMELLIA256-SHA`
`0x00,0x88`	`TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA`	`DHE-RSA-CAMELLIA256-SHA`
`0x00,0x89`	`TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA`	`ADH-CAMELLIA256-SHA`
`0x00,0x8A`	`TLS_PSK_WITH_RC4_128_SHA`	`PSK-RC4-SHA`
`0x00,0x8B`	`TLS_PSK_WITH_3DES_EDE_CBC_SHA`	`PSK-3DES-EDE-CBC-SHA`
`0x00,0x8C`	`TLS_PSK_WITH_AES_128_CBC_SHA`	`PSK-AES128-CBC-SHA`
`0x00,0x8D`	`TLS_PSK_WITH_AES_256_CBC_SHA`	`PSK-AES256-CBC-SHA`
`0x00,0x8E`	`TLS_DHE_PSK_WITH_RC4_128_SHA`
`0x00,0x8F`	`TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA`
`0x00,0x90`	`TLS_DHE_PSK_WITH_AES_128_CBC_SHA`
`0x00,0x91`	`TLS_DHE_PSK_WITH_AES_256_CBC_SHA`
`0x00,0x92`	`TLS_RSA_PSK_WITH_RC4_128_SHA`
`0x00,0x93`	`TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA`
`0x00,0x94`	`TLS_RSA_PSK_WITH_AES_128_CBC_SHA`
`0x00,0x95`	`TLS_RSA_PSK_WITH_AES_256_CBC_SHA`
`0x00,0x96`	`TLS_RSA_WITH_SEED_CBC_SHA`	`SEED-SHA`
`0x00,0x97`	`TLS_DH_DSS_WITH_SEED_CBC_SHA`
`0x00,0x98`	`TLS_DH_RSA_WITH_SEED_CBC_SHA`
`0x00,0x99`	`TLS_DHE_DSS_WITH_SEED_CBC_SHA`	`DHE-DSS-SEED-SHA`
`0x00,0x9A`	`TLS_DHE_RSA_WITH_SEED_CBC_SHA`	`DHE-RSA-SEED-SHA`
`0x00,0x9B`	`TLS_DH_anon_WITH_SEED_CBC_SHA`	`ADH-SEED-SHA`
`0x00,0x9C`	`TLS_RSA_WITH_AES_128_GCM_SHA256`	`AES128-GCM-SHA256`
`0x00,0x9D`	`TLS_RSA_WITH_AES_256_GCM_SHA384`	`AES256-GCM-SHA384`
`0x00,0x9E`	`TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`	`DHE-RSA-AES128-GCM-SHA256`
`0x00,0x9F`	`TLS_DHE_RSA_WITH_AES_256_GCM_SHA384`	`DHE-RSA-AES256-GCM-SHA384`
`0x00,0xA0`	`TLS_DH_RSA_WITH_AES_128_GCM_SHA256`
`0x00,0xA1`	`TLS_DH_RSA_WITH_AES_256_GCM_SHA384`
`0x00,0xA2`	`TLS_DHE_DSS_WITH_AES_128_GCM_SHA256`	`DHE-DSS-AES128-GCM-SHA256`
`0x00,0xA3`	`TLS_DHE_DSS_WITH_AES_256_GCM_SHA384`	`DHE-DSS-AES256-GCM-SHA384`
`0x00,0xA4`	`TLS_DH_DSS_WITH_AES_128_GCM_SHA256`
`0x00,0xA5`	`TLS_DH_DSS_WITH_AES_256_GCM_SHA384`
`0x00,0xA6`	`TLS_DH_anon_WITH_AES_128_GCM_SHA256`	`ADH-AES128-GCM-SHA256`
`0x00,0xA7`	`TLS_DH_anon_WITH_AES_256_GCM_SHA384`	`ADH-AES256-GCM-SHA384`
`0x00,0xA8`	`TLS_PSK_WITH_AES_128_GCM_SHA256`
`0x00,0xA9`	`TLS_PSK_WITH_AES_256_GCM_SHA384`
`0x00,0xAA`	`TLS_DHE_PSK_WITH_AES_128_GCM_SHA256`
`0x00,0xAB`	`TLS_DHE_PSK_WITH_AES_256_GCM_SHA384`
`0x00,0xAC`	`TLS_RSA_PSK_WITH_AES_128_GCM_SHA256`
`0x00,0xAD`	`TLS_RSA_PSK_WITH_AES_256_GCM_SHA384`
`0x00,0xAE`	`TLS_PSK_WITH_AES_128_CBC_SHA256`
`0x00,0xAF`	`TLS_PSK_WITH_AES_256_CBC_SHA384`
`0x00,0xB0`	`TLS_PSK_WITH_NULL_SHA256`
`0x00,0xB1`	`TLS_PSK_WITH_NULL_SHA384`
`0x00,0xB2`	`TLS_DHE_PSK_WITH_AES_128_CBC_SHA256`
`0x00,0xB3`	`TLS_DHE_PSK_WITH_AES_256_CBC_SHA384`
`0x00,0xB4`	`TLS_DHE_PSK_WITH_NULL_SHA256`
`0x00,0xB5`	`TLS_DHE_PSK_WITH_NULL_SHA384`
`0x00,0xB6`	`TLS_RSA_PSK_WITH_AES_128_CBC_SHA256`
`0x00,0xB7`	`TLS_RSA_PSK_WITH_AES_256_CBC_SHA384`
`0x00,0xB8`	`TLS_RSA_PSK_WITH_NULL_SHA256`
`0x00,0xB9`	`TLS_RSA_PSK_WITH_NULL_SHA384`
`0x00,0xBA`	`TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256`
`0x00,0xBB`	`TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256`
`0x00,0xBC`	`TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256`
`0x00,0xBD`	`TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256`
`0x00,0xBE`	`TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256`
`0x00,0xBF`	`TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256`
`0x00,0xC0`	`TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256`
`0x00,0xC1`	`TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256`
`0x00,0xC2`	`TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256`
`0x00,0xC3`	`TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256`
`0x00,0xC4`	`TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256`
`0x00,0xC5`	`TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256`
`0x00,0xFF`	`TLS_EMPTY_RENEGOTIATION_INFO_SCSV`
`0xC0,0x01`	`TLS_ECDH_ECDSA_WITH_NULL_SHA`	`ECDH-ECDSA-NULL-SHA`
`0xC0,0x02`	`TLS_ECDH_ECDSA_WITH_RC4_128_SHA`	`ECDH-ECDSA-RC4-SHA`
`0xC0,0x03`	`TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA`	`ECDH-ECDSA-DES-CBC3-SHA`
`0xC0,0x04`	`TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA`	`ECDH-ECDSA-AES128-SHA`
`0xC0,0x05`	`TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA`	`ECDH-ECDSA-AES256-SHA`
`0xC0,0x06`	`TLS_ECDHE_ECDSA_WITH_NULL_SHA`	`ECDHE-ECDSA-NULL-SHA`
`0xC0,0x07`	`TLS_ECDHE_ECDSA_WITH_RC4_128_SHA`	`ECDHE-ECDSA-RC4-SHA`
`0xC0,0x08`	`TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA`	`ECDHE-ECDSA-DES-CBC3-SHA`
`0xC0,0x09`	`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA`	`ECDHE-ECDSA-AES128-SHA`
`0xC0,0x0A`	`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA`	`ECDHE-ECDSA-AES256-SHA`
`0xC0,0x0B`	`TLS_ECDH_RSA_WITH_NULL_SHA`	`ECDH-RSA-NULL-SHA`
`0xC0,0x0C`	`TLS_ECDH_RSA_WITH_RC4_128_SHA`	`ECDH-RSA-RC4-SHA`
`0xC0,0x0D`	`TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA`	`ECDH-RSA-DES-CBC3-SHA`
`0xC0,0x0E`	`TLS_ECDH_RSA_WITH_AES_128_CBC_SHA`	`ECDH-RSA-AES128-SHA`
`0xC0,0x0F`	`TLS_ECDH_RSA_WITH_AES_256_CBC_SHA`	`ECDH-RSA-AES256-SHA`
`0xC0,0x10`	`TLS_ECDHE_RSA_WITH_NULL_SHA`	`ECDHE-RSA-NULL-SHA`
`0xC0,0x11`	`TLS_ECDHE_RSA_WITH_RC4_128_SHA`	`ECDHE-RSA-RC4-SHA`
`0xC0,0x12`	`TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA`	`ECDHE-RSA-DES-CBC3-SHA`
`0xC0,0x13`	`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA`	`ECDHE-RSA-AES128-SHA`
`0xC0,0x14`	`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA`	`ECDHE-RSA-AES256-SHA`
`0xC0,0x15`	`TLS_ECDH_anon_WITH_NULL_SHA`	`AECDH-NULL-SHA`
`0xC0,0x16`	`TLS_ECDH_anon_WITH_RC4_128_SHA`	`AECDH-RC4-SHA`
`0xC0,0x17`	`TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA`	`AECDH-DES-CBC3-SHA`
`0xC0,0x18`	`TLS_ECDH_anon_WITH_AES_128_CBC_SHA`	`AECDH-AES128-SHA`
`0xC0,0x19`	`TLS_ECDH_anon_WITH_AES_256_CBC_SHA`	`AECDH-AES256-SHA`
`0xC0,0x1A`	`TLS_SRP_SHA_WITH_3DES_EDE_CBC_SHA`	`SRP-3DES-EDE-CBC-SHA`
`0xC0,0x1B`	`TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA`	`SRP-RSA-3DES-EDE-CBC-SHA`
`0xC0,0x1C`	`TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA`	`SRP-DSS-3DES-EDE-CBC-SHA`
`0xC0,0x1D`	`TLS_SRP_SHA_WITH_AES_128_CBC_SHA`	`SRP-AES-128-CBC-SHA`
`0xC0,0x1E`	`TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA`	`SRP-RSA-AES-128-CBC-SHA`
`0xC0,0x1F`	`TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA`	`SRP-DSS-AES-128-CBC-SHA`
`0xC0,0x20`	`TLS_SRP_SHA_WITH_AES_256_CBC_SHA`	`SRP-AES-256-CBC-SHA`
`0xC0,0x21`	`TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA`	`SRP-RSA-AES-256-CBC-SHA`
`0xC0,0x22`	`TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA`	`SRP-DSS-AES-256-CBC-SHA`
`0xC0,0x23`	`TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256`	`ECDHE-ECDSA-AES128-SHA256`
`0xC0,0x24`	`TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384`	`ECDHE-ECDSA-AES256-SHA384`
`0xC0,0x25`	`TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256`	`ECDH-ECDSA-AES128-SHA256`
`0xC0,0x26`	`TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384`	`ECDH-ECDSA-AES256-SHA384`
`0xC0,0x27`	`TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256`	`ECDHE-RSA-AES128-SHA256`
`0xC0,0x28`	`TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`	`ECDHE-RSA-AES256-SHA384`
`0xC0,0x29`	`TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256`	`ECDH-RSA-AES128-SHA256`
`0xC0,0x2A`	`TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384`	`ECDH-RSA-AES256-SHA384`
`0xC0,0x2B`	`TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256`	`ECDHE-ECDSA-AES128-GCM-SHA256`
`0xC0,0x2C`	`TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384`	`ECDHE-ECDSA-AES256-GCM-SHA384`
`0xC0,0x2D`	`TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256`	`ECDH-ECDSA-AES128-GCM-SHA256`
`0xC0,0x2E`	`TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384`	`ECDH-ECDSA-AES256-GCM-SHA384`
`0xC0,0x2F`	`TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`	`ECDHE-RSA-AES128-GCM-SHA256`
`0xC0,0x30`	`TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384`	`ECDHE-RSA-AES256-GCM-SHA384`
`0xC0,0x31`	`TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256`	`ECDH-RSA-AES128-GCM-SHA256`
`0xC0,0x32`	`TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384`	`ECDH-RSA-AES256-GCM-SHA384`
`0xC0,0x33`	`TLS_ECDHE_PSK_WITH_RC4_128_SHA`
`0xC0,0x34`	`TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA`
`0xC0,0x35`	`TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA`
`0xC0,0x36`	`TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA`
`0xC0,0x37`	`TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256`
`0xC0,0x38`	`TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384`
`0xC0,0x39`	`TLS_ECDHE_PSK_WITH_NULL_SHA`
`0xC0,0x3A`	`TLS_ECDHE_PSK_WITH_NULL_SHA256`
`0xC0,0x3B`	`TLS_ECDHE_PSK_WITH_NULL_SHA384`
`0xC0,0x3C`	`TLS_RSA_WITH_ARIA_128_CBC_SHA256`
`0xC0,0x3D`	`TLS_RSA_WITH_ARIA_256_CBC_SHA384`
`0xC0,0x3E`	`TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256`
`0xC0,0x3F`	`TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384`
`0xC0,0x40`	`TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256`
`0xC0,0x41`	`TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384`
`0xC0,0x42`	`TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256`
`0xC0,0x43`	`TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384`
`0xC0,0x44`	`TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256`
`0xC0,0x45`	`TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384`
`0xC0,0x46`	`TLS_DH_anon_WITH_ARIA_128_CBC_SHA256`
`0xC0,0x47`	`TLS_DH_anon_WITH_ARIA_256_CBC_SHA384`
`0xC0,0x48`	`TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256`
`0xC0,0x49`	`TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384`
`0xC0,0x4A`	`TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256`
`0xC0,0x4B`	`TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384`
`0xC0,0x4C`	`TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256`
`0xC0,0x4D`	`TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384`
`0xC0,0x4E`	`TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256`
`0xC0,0x4F`	`TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384`
`0xC0,0x50`	`TLS_RSA_WITH_ARIA_128_GCM_SHA256`
`0xC0,0x51`	`TLS_RSA_WITH_ARIA_256_GCM_SHA384`
`0xC0,0x52`	`TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256`
`0xC0,0x53`	`TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384`
`0xC0,0x54`	`TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256`
`0xC0,0x55`	`TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384`
`0xC0,0x56`	`TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256`
`0xC0,0x57`	`TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384`
`0xC0,0x58`	`TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256`
`0xC0,0x59`	`TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384`
`0xC0,0x5A`	`TLS_DH_anon_WITH_ARIA_128_GCM_SHA256`
`0xC0,0x5B`	`TLS_DH_anon_WITH_ARIA_256_GCM_SHA384`
`0xC0,0x5C`	`TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256`
`0xC0,0x5D`	`TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384`
`0xC0,0x5E`	`TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256`
`0xC0,0x5F`	`TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384`
`0xC0,0x60`	`TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256`
`0xC0,0x61`	`TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384`
`0xC0,0x62`	`TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256`
`0xC0,0x63`	`TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384`
`0xC0,0x64`	`TLS_PSK_WITH_ARIA_128_CBC_SHA256`
`0xC0,0x65`	`TLS_PSK_WITH_ARIA_256_CBC_SHA384`
`0xC0,0x66`	`TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256`
`0xC0,0x67`	`TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384`
`0xC0,0x68`	`TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256`
`0xC0,0x69`	`TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384`
`0xC0,0x6A`	`TLS_PSK_WITH_ARIA_128_GCM_SHA256`
`0xC0,0x6B`	`TLS_PSK_WITH_ARIA_256_GCM_SHA384`
`0xC0,0x6C`	`TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256`
`0xC0,0x6D`	`TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384`
`0xC0,0x6E`	`TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256`
`0xC0,0x6F`	`TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384`
`0xC0,0x70`	`TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256`
`0xC0,0x71`	`TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384`
`0xC0,0x72`	`TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256`
`0xC0,0x73`	`TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384`
`0xC0,0x74`	`TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256`
`0xC0,0x75`	`TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384`
`0xC0,0x76`	`TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256`
`0xC0,0x77`	`TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384`
`0xC0,0x78`	`TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256`
`0xC0,0x79`	`TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384`
`0xC0,0x7A`	`TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256`
`0xC0,0x7B`	`TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384`
`0xC0,0x7C`	`TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256`
`0xC0,0x7D`	`TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384`
`0xC0,0x7E`	`TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256`
`0xC0,0x7F`	`TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384`
`0xC0,0x80`	`TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256`
`0xC0,0x81`	`TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384`
`0xC0,0x82`	`TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256`
`0xC0,0x83`	`TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384`
`0xC0,0x84`	`TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256`
`0xC0,0x85`	`TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384`
`0xC0,0x86`	`TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256`
`0xC0,0x87`	`TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384`
`0xC0,0x88`	`TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256`
`0xC0,0x89`	`TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384`
`0xC0,0x8A`	`TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256`
`0xC0,0x8B`	`TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384`
`0xC0,0x8C`	`TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256`
`0xC0,0x8D`	`TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384`
`0xC0,0x8E`	`TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256`
`0xC0,0x8F`	`TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384`
`0xC0,0x90`	`TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256`
`0xC0,0x91`	`TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384`
`0xC0,0x92`	`TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256`
`0xC0,0x93`	`TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384`
`0xC0,0x94`	`TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256`
`0xC0,0x95`	`TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384`
`0xC0,0x96`	`TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256`
`0xC0,0x97`	`TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384`
`0xC0,0x98`	`TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256`
`0xC0,0x99`	`TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384`
`0xC0,0x9A`	`TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256`
`0xC0,0x9B`	`TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384`
`0xC0,0x9C`	`TLS_RSA_WITH_AES_128_CCM`
`0xC0,0x9D`	`TLS_RSA_WITH_AES_256_CCM`
`0xC0,0x9E`	`TLS_DHE_RSA_WITH_AES_128_CCM`
`0xC0,0x9F`	`TLS_DHE_RSA_WITH_AES_256_CCM`
`0xC0,0xA0`	`TLS_RSA_WITH_AES_128_CCM_8`
`0xC0,0xA1`	`TLS_RSA_WITH_AES_256_CCM_8`
`0xC0,0xA2`	`TLS_DHE_RSA_WITH_AES_128_CCM_8`
`0xC0,0xA3`	`TLS_DHE_RSA_WITH_AES_256_CCM_8`
`0xC0,0xA4`	`TLS_PSK_WITH_AES_128_CCM`
`0xC0,0xA5`	`TLS_PSK_WITH_AES_256_CCM`
`0xC0,0xA6`	`TLS_DHE_PSK_WITH_AES_128_CCM`
`0xC0,0xA7`	`TLS_DHE_PSK_WITH_AES_256_CCM`
`0xC0,0xA8`	`TLS_PSK_WITH_AES_128_CCM_8`
`0xC0,0xA9`	`TLS_PSK_WITH_AES_256_CCM_8`
`0xC0,0xAA`	`TLS_PSK_DHE_WITH_AES_128_CCM_8`
`0xC0,0xAB`	`TLS_PSK_DHE_WITH_AES_256_CCM_8`
`0xC0,0xAC`	`TLS_ECDHE_ECDSA_WITH_AES_128_CCM`
`0xC0,0xAD`	`TLS_ECDHE_ECDSA_WITH_AES_256_CCM`
`0xC0,0xAE`	`TLS_ECDHE_ECDSA_WITH_AES_128_CCM_8`
`0xC0,0xAF`	`TLS_ECDHE_ECDSA_WITH_AES_256_CCM_8`

The list of IANA cipher suite names was retrieved from https://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv on Tue Jun 3 22:36:58 2014. The list of OpenSSL Ciphers was generated with OpenSSL 1.0.1e 11 Feb 2013.

Further Research

The following is a list of services, software packages, hardware devices or protocols that we considered documenting but either did not manage to document yet or might be able to document later. We encourage input from the community. Table 16. Further Protocols

DNSSec (mention BCPs)	DANE	Tor
S/Mime (check are there any BCPs? )	TrueCrypt, LUKS, FileVault	AFS
Kerberos	NNTP	NTPs tlsdate
Moxa , APC, und co… ICS
rsyslog	tftp	(s)ftp(s)
haproxy

Table 17. Further Protocols (Network centric)

IPv6 security
Wi-Fi, 802.1x	SIP	SRTP
Kerberos	NNTP	NTPs tlsdate
BGP / OSPF	LDAP	seclayer-tcp
RADIUS (RADSEC)	racoon	strongswan
l2tp
Ethernet to serial	DSL modems
UPnP, natPmp
HTTP Key Pinning (HTKP)
Monitoring: SNMPv3

Table 18. Further Applications

Lync	Tomcat
Microsoft SQL Server	Microsoft Exchange
IBM HTTP Server

Commerical Network Equipment Vendors Other ideas: SAML federated auth providers [42] Elastic Load Balancing (ELB)[43]

Software not covered by this guide

telnet: Usage of telnet for anything other than fun projects is highly discouraged Puppet DB: A Proxy or a tunnel is recommended if it needs to be facing public network interfaces.[44] rsync: Best use it only via SSH for an optimum of security and easiest to maintain.

Bibliography

Adam Langley, Ben Laurie, Emilia Kasper. (2013). Certificate Transparency. http://www.certificate-transparency.org https://datatracker.ietf.org/doc/rfc6962/ . Adam Langley, et. al. (2013). Go X.509 Verification Source Code. https://code.google.com/p/go/source/browse/src/pkg/crypto/x509/verify.go#173 . Anderson, R. (2008). Security engineering. Wiley.com. Retrieved from rja14/book.html http://www.cl.cam.ac.uk/ rja14/book.html Bernstein, D. J., & Lange, T. (2013). Security dangers of the NIST curves (Presentation slides). Retrieved from http://cr.yp.to/talks/2013.09.16/slides-djb-20130916-a4.pdf C. Evans and C. Palmer. (2013). Public Key Pinning Extension for HTTP. https://tools.ietf.org/html/draft-ietf-websec-key-pinning-09 . Damon Poeter. (2011). Fake Google Certificate Puts Gmail at Risk. http://www.pcmag.com/article2/0,2817,2392063,00.asp . Durumeric, Z., Kasten, J., Bailey, M., & Halderman, J. A. (2013). Analysis of the HTTPS Certificate Ecosystem. In Proceedings of the 13th Internet Measurement Conference. Retrieved from https://jhalderm.com/pub/papers/https-imc13.pdf Elinor Mills. (2011). Fraudulent Google certificate points to Internet attack. http://news.cnet.com/8301-27080_3-20098894-245/fraudulent-google-certificate-points-to-internet-attack/ . Engblom, J. (2011). Evaluating HAVEGE Randomness (Blog: Observations from Uppsala). Retrieved from http://jakob.engbloms.se/archives/1374 ENISA and Vincent Rijmen, Nigel P. Smart, Bogdan warinschi, Gaven Watson. (2013). ENISA - Algorithms, Key Sizes and Parameters Report. Retrieved from http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report für Sicherheit in der Informationstechnik (BSI), B. (2018). BSI TR-02102 Kryptographische Verfahren. Retrieved from https://www.bsi.bund.de/EN/Publications/TechnicalGuidelines/tr02102/tr02102_node.html H. Tschofenig and E. Lear. (2013). Evolving the Web Public Key Infrastructure. https://tools.ietf.org/html/draft-tschofenig-iab-webpki-evolution-01.txt . Heninger, N., Durumeric, Z., Wustrow, E., & Halderman, J. A. (2012). Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. In Proceedings of the 21st USENIX Security Symposium. Retrieved from https://factorable.net/weakkeys12.extended.pdf Hoffman, P., & Schlyter, J. (2012). The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA. IETF. Retrieved from https://www.ietf.org/rfc/rfc6698.txt i_mit_Realm configuration decisions_. (2013). (Documentation). Retrieved from http://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html i_wikipedia_Discrete logarithm_. (2013). (Wikipedia). Retrieved from https://en.wikipedia.org/wiki/Discrete_logarithm i_wikipedia_Tempest (codename). (2018). (Wikipedia). Retrieved from https://en.wikipedia.org/wiki/Tempest(codename) II, E. C. R. Y. P. T., & SYM, D. (2012). ECRYPT II, 79–86. Retrieved from http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf Katz, J., & Lindell, Y. (2008). Introduction to modern cryptography. Chapman & Hall/CRC. Retrieved from http://books.google.at/books?id=WIc_AQAAIAAJ Kivinen, T., & Kojo, M. (2003). More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE). IETF. Retrieved from https://www.ietf.org/rfc/rfc3526.txt Postel, J. (1980). DoD standard Transmission Control Protocol. IETF. Retrieved from https://www.ietf.org/rfc/rfc761.txt Raeburn, K. (2005). Advanced Encryption Standard (AES) Encryption for Kerberos 5. IETF. Retrieved from https://www.ietf.org/rfc/rfc3962.txt SafeCurves: choosing safe curves for elliptic-curve cryptography. (2013). (Technical Background). Retrieved from http://safecurves.cr.yp.to/rigid.html Schneier, B. (2013). The NSA Is Breaking Most Encryption on the Internet (Blog: Schneier on Security). Retrieved from https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html Yarom, Y., & Falkner, K. (2013). Flush+ Reload: a high resolution, low noise, L3 cache side-channel attack. Cryptology ePrint Archive, Report 2013/448, 2013. http://eprint. iacr. org/2013/448/. 3. Retrieved from http://eprint.iacr.org/2013/448.pdf

Index

1. An easy to read yet very insightful recent example is the "FLUSH+RELOAD" technique for leaking cryptographic keys from one virtual machine to another via L3 cache timing attacks. (xref:bibliography-default-yarom2013flush[Yarom & Falkner, 2013 2. Interested readers are referred to https://bugzilla.mozilla.org/show_bug.cgi?id=647959 or http://www.h-online.com/security/news/item/Honest-Achmed-asks-for-trust-1231314.html which brings the problem of trusting PKIs right to the point 3. http://www.wired.com/opinion/2013/10/how-to-design-and-defend-against-the-perfect-backdoor/ 4. https://www.mail-archive.com/openssl-dev@openssl.org/msg33405.html 5. https://bugzilla.mindrot.org/show_bug.cgi?id=1647 6. https://www.dovecot.org/doc/NEWS-2.2 7. https://hg.dovecot.org/dovecot-2.2/rev/43ab5abeb8f0 8. https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-5/ESA_9-5_Release_Notes.pdf, Changed Behaviour, page 4 9. 64 possible values = 6 bits 10. RFC6379 , RFC4308 11. http://ikecrack.sourceforge.net/ 12. https://sweet32.info/ 13. https://sweet32.info/#impact 14. https://community.openvpn.net/openvpn/ticket/304 15. http://technet.microsoft.com/en-us/security/advisory/2743314 16. https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ 17. Early versions seem to have a few bugs - although officially supported, it did not work in tests with version 15.06. Version 16.01 is confirmed to work. 18. https://docs.ejabberd.im 19. IRC-Netze - Top 10 im Jahresvergleich 20. named old-des3-cbc-sha1 21. alias des3-cbc-sha1, des3-hmac-sha1 22. since 7, Server 2008R2 23. since 1.9 24. since 1.9 25. https://nikmav.blogspot.com/2011/12/price-to-pay-for-perfect-forward.html 26. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf, page 51 27. https://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography 28. https://www.imperialviolet.org/2010/12/04/ecc.html 29. http://www.isg.rhul.ac.uk/~sdg/ecc.html 30. https://www.nist.gov 31. http://crypto.stackexchange.com/questions/1963/how-large-should-a-diffie-hellman-p-be 32. https://www.bettercrypto.org/static/dhparams/ 33. https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security 34. Thus, it might be useful for fixing HTTPS mixed-content related errors, see https://community.qualys.com/blogs/securitylabs/2014/03/19/https-mixed-content-still-the-easiest-way-to-break-ssl. 35. Website must load without SSL/TLS browser warnings (certificate is issued by a trusted CA, contains correct DNS name, it is time valid, etc.). 36. List of the preloaded sites can be found at https://www.chromium.org/hsts. This list is managed by Google/Chrome, but it is also used by Firefox https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List 37. https://caniuse.com/stricttransportsecurity 38. see Public Key Infrastructures 39. see https://blog.chromium.org/2011/06/new-chromium-security-features-june.html 40. https://tools.ietf.org/html/rfc7469\#section-3 41. https://caniuse.com/\#feat=publickeypinning 42. e.g., all the REFEDS folks (https://refeds.org/), including InCommon (http://www.incommon.org/federation/metadata.html https://wiki.shibboleth.net/confluence/display/SHIB2/TrustManagement) 43. https://lists.cert.at/pipermail/ach/2014-May/001422.html 44. https://lists.cert.at/pipermail/ach/2014-November/001626.html