Preface

Do not talk unencrypted "Neboltai"

Acknowledgements

We would like to express our thanks to the following reviewers and people who have generously offered their time and interest (in alphabetical order): Brown, ScottBrulebois, CyrilBurghardt, KrzysztofDirksen-Thedens, MathisDulaunoy, AlexandreEndres, JohannesGühring PhilippGrigg, IanHaslinger, GunnarHorenbeck, MaartenHuebl, AxelKnecht, PascalKoetter, Patrick BenKovacic, DanielLenzhofer, StefanLorünser, ThomasMaass, MaxMehlmauer, ChristianMillauer, TobiasMirbach, AndreasO’Brien, HughPacher, ChristophPalfrader, PeterPape, Tobias (layout)Petukhova, Anna (Logo)Pichler, PatrickRiebesel, NicolasRoeckx, KurtRoesen, JensRublik, MartinSchiffbauer, MarcSchosser, AndreasSchüpany, MathiasSchulze, AndreasSchwartzkopff, MichaelSchwarz, René («DigNative»)Seidl, Eva (PDF layout)Van Horenbeeck, MaartenWagner, Sebastian («sebix»)Zangerl, Alexander The reviewers did review parts of the document in their area of expertise; all remaining errors in this document are the sole responsibility of the primary authors.

Abstract

Unfortunately, the computer security and cryptology communities have drifted apart over the last 25 years. Security people don’t always understand the available crypto tools, and crypto people don’t always understand the real-world problems. 

— Ross Anderson (Anderson, 2008) This guide arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security officers saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators. As Schneier noted in (Schneier, 2013), it seems that intelligence agencies and adversaries on the Internet are not breaking so much the mathematics of encryption per se, but rather use software and hardware weaknesses, subvert standardization processes, plant backdoors, rig random number generators and most of all exploit careless settings in server configurations and encryption systems to listen in on private communications. Worst of all, most communication on the internet is not encrypted at all by default (for SMTP, opportunistic TLS would be a solution). This guide can only address one aspect of securing our information systems: getting the crypto settings right to the best of the authors' current knowledge. Other attacks, as the above mentioned, require different protection schemes which are not covered in this guide. This guide is not an introduction to cryptography. For background information on cryptography and cryptoanalysis we would like to refer the reader to the references in appendix Links and Suggested Reading at the end of this document. The focus of this guide is merely to give current best practices for configuring complex cipher suites and related parameters in a copy & paste-able manner. The guide tries to stay as concise as is possible for such a complex topic as cryptography. Naturally, it can not be complete. There are many excellent guides (II & SYM, 2012) and best practice documents available when it comes to cryptography. However none of them focuses specifically on what an average system administrator needs for hardening his or her systems' crypto settings. This guide tries to fill this gap.

I: Introduction

Audience

Sysadmins. Sysadmins. Sysadmins. They are a force-multiplier.

Related publications

Ecrypt II [ii2011ecrypt] Ecrypt II (II & SYM, 2012), ENISA’s report on Algorithms, key sizes and parameters (ENISA and Vincent Rijmen, Nigel P. Smart, Bogdan warinschi, Gaven Watson, 2013) and BSI’s Technische Richtlinie TR-02102 (für Sicherheit in der Informationstechnik (BSI), 2018) are great publications which are more in depth than this guide. However, this guide has a different approach: it focuses on copy & paste-able settings for system administrators, effectively breaking down the complexity in the above mentioned reports to an easy to use format for the intended target audience.

How to read this guide

This guide tries to accommodate two needs: first of all, having a handy reference on how to configure the most common services’ crypto settings and second of all, explain a bit of background on cryptography. This background is essential if the reader wants to choose his or her own cipher string settings. System administrators who want to copy & paste recommendations quickly without spending a lot of time on background reading on cryptography or cryptanalysis can do so, by simply searching for the corresponding section in Best Practice. It is important to know that in this guide the authors arrived at two recommendations: Cipher string A and Cipher string B. While the former is a hardened recommendation a latter is a weaker one but provides wider compatibility. Cipher strings A and B are described in Recommended cipher suites. However, for the quick copy & paste approach it is important to know that this guide assumes users are happy with Cipher string B. While Best Practice is intended to serve as a copy & paste reference, Theory explains the reasoning behind cipher string B. In particular Architectural overview explains how to choose individual cipher strings. We advise the reader to actually read this section and challenge our reasoning in choosing Cipher string B and to come up with a better or localized solution.

Disclaimer

A chain is no stronger than its weakest link, and life is after all a chain.  

— William James

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.  

— Edward Snowden answering questions live on the Guardian’s website This guide specifically does not address physical security, protecting software and hardware against exploits, basic IT security housekeeping, information assurance techniques, traffic analysis attacks, issues with key-roll over and key management, securing client PCs and mobile devices (theft, loss), proper Operations Security, social engineering attacks, protection against tempest (i_wikipedia_Tempest (codename)_, 2018) attack techniques, thwarting different side-channel attacks (timing–, cache timing–, differential fault analysis, differential power analysis or power monitoring attacks), downgrade attacks, jamming the encrypted channel or other similar attacks which are typically employed to circumvent strong encryption. The authors can not overstate the importance of these other techniques. Interested readers are advised to read about these attacks in detail since they give a lot of insight into other parts of cryptography engineering which need to be dealt with[1]) ]. This guide does not talk much about the well-known insecurities of trusting a public-key infrastructure (PKI)[2]. Nor does this text fully explain how to run your own Certificate Authority (CA). Most of this zoo of information security issues are addressed in the very comprehensive book Security Engineering by Ross Anderson (Anderson, 2008). For some experts in cryptography this text might seem too informal. However, we strive to keep the language as non-technical as possible and fitting for our target audience: system administrators who can collectively improve the security level for all of their users.

Security is a process, not a product.  

— Bruce Schneier This guide can only describe what the authors currently believe to be the best settings based on their personal experience and after intensive cross checking with literature and experts. For a complete list of people who reviewed this paper, see the <acknowledgements>. Even though multiple specialists reviewed the guide, the authors can give no guarantee whatsoever that they made the right recommendations. Keep in mind that tomorrow there might be new attacks on some ciphers and many of the recommendations in this guide might turn out to be wrong. Security is a process. We therefore recommend that system administrators keep up to date with recent topics in IT security and cryptography. In this sense, this guide is very focused on getting the cipher strings done right even though there is much more to do in order to make a system more secure. We the authors, need this document as much as the reader needs it.

Scope

In this guide, we restricted ourselves to:* Internet-facing services

• Commonly used services
• Devices which are used in business environments (this specifically excludes XBoxes, Playstations and similar consumer devices)
• OpenSSL

We explicitly excluded:* Specialized systems such as medical devices, most embedded systems, industrial control systems (ICS), etc.

• Wireless Access Points
• Smart-cards/chip cards

Methods

C.O.S.H.E.R - completely open source, headers, engineering and research.  

— A. Kaplan His mail signature for many years For writing this guide, we chose to collect the most well researched facts about cryptography settings and let as many trusted specialists as possible review those settings. The review process is completely open and done on a public mailing list. The document is available (read-only) to the public Internet on the web page and the source code of this document is on a public git server, mirrored on GitHub.com and open for public scrutiny. However, write permissions to the document are only granted to vetted people. The list of reviewers can be found in Acknowledgements. Every write operation to the document is logged via the git version control system and can thus be traced back to a specific author. We accept git pull requests on the github mirror for this paper. Public peer-review and multiple eyes checking of our guide is the best strategy we can imagine at the present moment [3]. We invite the gentle reader to participate in this public review process. Please read the Contributing document.

IV: Appendix

Tools

This section lists tools for checking the security settings.

SSL & TLS

Server checks via the web ssllabs.com offers a great way to check your webserver for misconfigurations. See https://www.ssllabs.com/ssltest/. Furthermore, ssllabs.com has a good best practices tutorial, which focuses on avoiding the most common mistakes in SSL. SSL Server certificate installation issues https://www.sslshopper.com/ssl-checker.html Check SPDY protocol support and basic TLS setup http://spdycheck.org/ XMPP/Jabber Server check (Client-to-Server and Server-to-Server) https://xmpp.net/ Luxsci SMTP TLS Checker https://luxsci.com/extranet/tlschecker.html DNSsec and DANE support of your domain and e-mail server? https://dane.sys4.de http://checktls.com is a tool for testing arbitrary TLS services. http://tls.secg.org is a tool for testing interoperability of HTTPS implementations for ECC cipher suites. http://www.whynopadlock.com/ Testing for mixed SSL parts loaded via http that can totally lever your HTTPS.

Browser Checks

Check your browser’s SSL capabilities: https://cc.dcsec.uni-hannover.de/ and https://www.ssllabs.com/ssltest/viewMyClient.html. Check Browsers SSL/TLS support and vulnerability to attacks: https://www.howsmyssl.com

Command Line Tools

https://sourceforge.net/projects/sslscan connects to a given SSL service and shows the cipher suites that are offered. http://www.bolet.org/TestSSLServer/ tests for BEAST and CRIME vulnerabilities. https://github.com/drwetter/testssl.sh checks a server’s service on any port for the support of TLS/SSL ciphers, protocols as well as some cryptographic flaws (CRIME, BREACH, CCS, Heartbleed). https://github.com/iSECPartners/sslyze Fast and full-featured SSL scanner. https://github.com/jvehent/cipherscan Fast TLS scanner (ciphers, order, protocols, key size and more) http://nmap.org/ nmap security scanner http://www.openssl.net OpenSSL s_client Monitoring TLS services with Zabbix (sorry, German) https://blog.sys4.de/zertifikate-uberwachen-mit-zabbix-de.html

Key length

http://www.keylength.com comprehensive online resource for comparison of key lengths according to common recommendations and standards in cryptography.

Random Number Generators

ENT is a pseudo random number generator sequence tester. Dieharder a random number generator testing tool. CAcert Random another random number generator testing service.

Guides

See: https://www.ssllabs.com/downloads/SSL_TLS_Deployment_Best_Practices.pdf.

Links

IANA official list of Transport Layer Security (TLS) Parameters Elliptic curves and their implementation (04 Dec 2010) A (relatively easy to understand) primer on elliptic curve cryptography Duraconf, A collection of hardened configuration files for SSL/TLSservices (Jacob Appelbaum’s github) Attacks on SSL a comprehensive study of BEAST, CRIME, TIME, BREACH, LUCKY 13 & RC4 Biases EFF How to deploy HTTPS correctly Bruce Almighty: Schneier preaches security to Linux faithful (on not recommending to use Blowfish anymore in favor of Twofish) Implement FIPS 183-3 for DSA keys (1024bit constraint) Elliptic Curve Cryptography in Practice Factoring as a Service Black Ops of TCP/IP 2012 SSL and the Future of Authenticity, Moxie Marlinspike - Black Hat USA 2011 ENISA - Algorithms, Key Sizes and Parameters Report (Oct.’13 Diffie-Hellman Groups standardized in RFC3526 TLS Security (Survey + Lucky13 + RC4 Attack) by Kenny Paterson Ensuring High-Quality Randomness in Cryptographic Key Generation Wikipedia: Ciphertext Stealing Wikipedia: Malleability (Cryptography) Ritter’s Crypto Glossary and Dictionary of Technical Cryptography

Suggested Reading

This section contains suggested reading material. Cryptography Engineering: Design Principles and Practical Applications, Ferguson, N. and Schneier, B. and Kohno, T. (ISBN-13: 978-0470474242) Security Engineering: A Guide to Building Dependable Distributed Systems, Anderson, R.J. (ISBN-13: 978-0470068526) Applied cryptography: protocols, algorithms, and source code in C, Schneier, B. (ISBN-13: 978-0471117094) Guide to Elliptic Curve Cryptography, Hankerson, D. and Vanstone, S. and Menezes, A.J. (ISBN-13: 978-0387952734) A Introduction To The Theory of Numbers, Godfrey Harold Hardy, E. M. Wrigh (ISBN-13: 978-0199219865) Malicious Cryptography: Exposing Cryptovirology, Young A., Yung, M. (ISBN-13: 978-0764549755)

Cipher Suite Name Cross-Reference

This table shows the cipher suite names as IANA defined them, the names OpenSSL uses, and the respective codes.

The list of IANA cipher suite names was retrieved from https://www.iana.org/assignments/tls-parameters/tls-parameters-4.csv on Tue Jun 3 22:36:58 2014. The list of OpenSSL Ciphers was generated with OpenSSL 1.0.1e 11 Feb 2013.

Further Research

The following is a list of services, software packages, hardware devices or protocols that we considered documenting but either did not manage to document yet or might be able to document later. We encourage input from the community. Table 16. Further Protocols

Table 17. Further Protocols (Network centric)

Table 18. Further Applications

Commerical Network Equipment Vendors Other ideas: SAML federated auth providers [42] Elastic Load Balancing (ELB)[43]

Software not covered by this guide

telnet: Usage of telnet for anything other than fun projects is highly discouraged Puppet DB: A Proxy or a tunnel is recommended if it needs to be facing public network interfaces.[44] rsync: Best use it only via SSH for an optimum of security and easiest to maintain.

Bibliography

Adam Langley, Ben Laurie, Emilia Kasper. (2013). Certificate Transparency. http://www.certificate-transparency.org https://datatracker.ietf.org/doc/rfc6962/ . Adam Langley, et. al. (2013). Go X.509 Verification Source Code. https://code.google.com/p/go/source/browse/src/pkg/crypto/x509/verify.go#173 . Anderson, R. (2008). Security engineering. Wiley.com. Retrieved from rja14/book.html http://www.cl.cam.ac.uk/ rja14/book.html Bernstein, D. J., & Lange, T. (2013). Security dangers of the NIST curves (Presentation slides). Retrieved from http://cr.yp.to/talks/2013.09.16/slides-djb-20130916-a4.pdf C. Evans and C. Palmer. (2013). Public Key Pinning Extension for HTTP. https://tools.ietf.org/html/draft-ietf-websec-key-pinning-09 . Damon Poeter. (2011). Fake Google Certificate Puts Gmail at Risk. http://www.pcmag.com/article2/0,2817,2392063,00.asp . Durumeric, Z., Kasten, J., Bailey, M., & Halderman, J. A. (2013). Analysis of the HTTPS Certificate Ecosystem. In Proceedings of the 13th Internet Measurement Conference. Retrieved from https://jhalderm.com/pub/papers/https-imc13.pdf Elinor Mills. (2011). Fraudulent Google certificate points to Internet attack. http://news.cnet.com/8301-27080_3-20098894-245/fraudulent-google-certificate-points-to-internet-attack/ . Engblom, J. (2011). Evaluating HAVEGE Randomness (Blog: Observations from Uppsala). Retrieved from http://jakob.engbloms.se/archives/1374 ENISA and Vincent Rijmen, Nigel P. Smart, Bogdan warinschi, Gaven Watson. (2013). ENISA - Algorithms, Key Sizes and Parameters Report. Retrieved from http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report für Sicherheit in der Informationstechnik (BSI), B. (2018). BSI TR-02102 Kryptographische Verfahren. Retrieved from https://www.bsi.bund.de/EN/Publications/TechnicalGuidelines/tr02102/tr02102_node.html H. Tschofenig and E. Lear. (2013). Evolving the Web Public Key Infrastructure. https://tools.ietf.org/html/draft-tschofenig-iab-webpki-evolution-01.txt . Heninger, N., Durumeric, Z., Wustrow, E., & Halderman, J. A. (2012). Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. In Proceedings of the 21st USENIX Security Symposium. Retrieved from https://factorable.net/weakkeys12.extended.pdf Hoffman, P., & Schlyter, J. (2012). The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA. IETF. Retrieved from https://www.ietf.org/rfc/rfc6698.txt i_mit_Realm configuration decisions_. (2013). (Documentation). Retrieved from http://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html i_wikipedia_Discrete logarithm_. (2013). (Wikipedia). Retrieved from https://en.wikipedia.org/wiki/Discrete_logarithm i_wikipedia_Tempest (codename). (2018). (Wikipedia). Retrieved from https://en.wikipedia.org/wiki/Tempest(codename) II, E. C. R. Y. P. T., & SYM, D. (2012). ECRYPT II, 79–86. Retrieved from http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf Katz, J., & Lindell, Y. (2008). Introduction to modern cryptography. Chapman & Hall/CRC. Retrieved from http://books.google.at/books?id=WIc_AQAAIAAJ Kivinen, T., & Kojo, M. (2003). More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE). IETF. Retrieved from https://www.ietf.org/rfc/rfc3526.txt Postel, J. (1980). DoD standard Transmission Control Protocol. IETF. Retrieved from https://www.ietf.org/rfc/rfc761.txt Raeburn, K. (2005). Advanced Encryption Standard (AES) Encryption for Kerberos 5. IETF. Retrieved from https://www.ietf.org/rfc/rfc3962.txt SafeCurves: choosing safe curves for elliptic-curve cryptography. (2013). (Technical Background). Retrieved from http://safecurves.cr.yp.to/rigid.html Schneier, B. (2013). The NSA Is Breaking Most Encryption on the Internet (Blog: Schneier on Security). Retrieved from https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html Yarom, Y., & Falkner, K. (2013). Flush+ Reload: a high resolution, low noise, L3 cache side-channel attack. Cryptology ePrint Archive, Report 2013/448, 2013. http://eprint. iacr. org/2013/448/. 3. Retrieved from http://eprint.iacr.org/2013/448.pdf

Index

1. An easy to read yet very insightful recent example is the "FLUSH+RELOAD" technique for leaking cryptographic keys from one virtual machine to another via L3 cache timing attacks. (xref:bibliography-default-yarom2013flush[Yarom & Falkner, 2013 2. Interested readers are referred to https://bugzilla.mozilla.org/show_bug.cgi?id=647959 or http://www.h-online.com/security/news/item/Honest-Achmed-asks-for-trust-1231314.html which brings the problem of trusting PKIs right to the point 3. http://www.wired.com/opinion/2013/10/how-to-design-and-defend-against-the-perfect-backdoor/ 4. https://www.mail-archive.com/openssl-dev@openssl.org/msg33405.html 5. https://bugzilla.mindrot.org/show_bug.cgi?id=1647 6. https://www.dovecot.org/doc/NEWS-2.2 7. https://hg.dovecot.org/dovecot-2.2/rev/43ab5abeb8f0 8. https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-5/ESA_9-5_Release_Notes.pdf, Changed Behaviour, page 4 9. 64 possible values = 6 bits 10. RFC6379 , RFC4308  11. http://ikecrack.sourceforge.net/ 12. https://sweet32.info/ 13. https://sweet32.info/#impact 14. https://community.openvpn.net/openvpn/ticket/304 15. http://technet.microsoft.com/en-us/security/advisory/2743314 16. https://www.cloudcracker.com/blog/2012/07/29/cracking-ms-chap-v2/ 17. Early versions seem to have a few bugs - although officially supported, it did not work in tests with version 15.06. Version 16.01 is confirmed to work. 18. https://docs.ejabberd.im 19. IRC-Netze - Top 10 im Jahresvergleich 20. named old-des3-cbc-sha1 21. alias des3-cbc-sha1, des3-hmac-sha1 22. since 7, Server 2008R2 23. since 1.9 24. since 1.9 25. https://nikmav.blogspot.com/2011/12/price-to-pay-for-perfect-forward.html 26. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf, page 51 27. https://arstechnica.com/security/2013/10/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography 28. https://www.imperialviolet.org/2010/12/04/ecc.html 29. http://www.isg.rhul.ac.uk/~sdg/ecc.html 30. https://www.nist.gov 31. http://crypto.stackexchange.com/questions/1963/how-large-should-a-diffie-hellman-p-be 32. https://www.bettercrypto.org/static/dhparams/ 33. https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security 34. Thus, it might be useful for fixing HTTPS mixed-content related errors, see https://community.qualys.com/blogs/securitylabs/2014/03/19/https-mixed-content-still-the-easiest-way-to-break-ssl. 35. Website must load without SSL/TLS browser warnings (certificate is issued by a trusted CA, contains correct DNS name, it is time valid, etc.). 36. List of the preloaded sites can be found at https://www.chromium.org/hsts. This list is managed by Google/Chrome, but it is also used by Firefox https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List 37. https://caniuse.com/stricttransportsecurity 38. see Public Key Infrastructures 39. see https://blog.chromium.org/2011/06/new-chromium-security-features-june.html 40. https://tools.ietf.org/html/rfc7469\#section-3 41. https://caniuse.com/\#feat=publickeypinning 42. e.g., all the REFEDS folks (https://refeds.org/), including InCommon (http://www.incommon.org/federation/metadata.html https://wiki.shibboleth.net/confluence/display/SHIB2/TrustManagement) 43. https://lists.cert.at/pipermail/ach/2014-May/001422.html 44. https://lists.cert.at/pipermail/ach/2014-November/001626.html