Kryptografie/Chiffrier Suits: Unterschied zwischen den Versionen
Zeile 72: | Zeile 72: | ||
== Cipher suites == | == Cipher suites == | ||
=== | === Architektonischer Überblick === | ||
==== | ==== Begriffe ==== | ||
; Cipher Suite | |||
Eine Chiffriersuite ist eine standardisierte Sammlung, die authentifizierte Verschlüsselungsverfahren bietet | |||
* Algorithmen für den Schlüsselaustausch | |||
* Verschlüsselungsalgorithmen (Chiffren) und | |||
* Algorithmus für Nachrichtenauthentifizierungscodes (MAC) | |||
;Sie besteht aus den folgenden Komponenten: | |||
# Schlüsselaustauschprotokoll | |||
# Authentifizierung | |||
# Chiffre | |||
# Nachrichten-Authentifizierungs-Code (MAC) | |||
# Authentifizierte Verschlüsselung mit zugehörigen Daten (AEAD) | |||
; Cipher suite | ; Cipher suite | ||
A cipher suite is a standardized collection that provides authenticated encryption schemes | A cipher suite is a standardized collection that provides authenticated encryption schemes | ||
Zeile 85: | Zeile 98: | ||
# Cipher | # Cipher | ||
# Message authentication code (MAC) | # Message authentication code (MAC) | ||
# Authenticated Encryption with Associated Data (AEAD) | # Authenticated Encryption with Associated Data (AEAD) | ||
=== Composition of a typical cipher string === | === Composition of a typical cipher string === | ||
{|border="2" cellspacing="0" cellpadding="5" style="border-collapse:collapse;" | {|border="2" cellspacing="0" cellpadding="5" style="border-collapse:collapse;" |
Version vom 1. Januar 2023, 16:29 Uhr
Überblick
- Hintergrundinformationen
- Warum in Kapitel [practicalsettings] cipher string B empfohlen wird.
- Wir beginnen mit einer Erläuterung der Struktur von Chiffrierzeichenketten in Abschnitt [Architektur] (Architektur) und definieren PFS in [pfs].
- Als nächstes stellen wir Cipher String A und Cipher String B im Abschnitt Empfohlene Chiffriersuiten vor.
- Cipher Strings
- Theoretisch sollte der Leser nun in der Lage sein, seine eigene Chiffrierkette zu konstruieren.
- Die Frage, warum bestimmte Einstellungen gewählt wurden, bleibt jedoch bestehen.
- Um diesen Teil zu beantworten, müssen wir uns die empfohlenen Schlüssellängen, die Probleme bestimmter Algorithmen und Hash-Funktionen sowie andere kryptografische Parameter ansehen.
- Wie eingangs im Abschnitt [relatedPublications] erwähnt, gehen die Berichte von ENISA (ENISA und Vincent Rijmen, Nigel P. Smart, Bogdan warinschi, Gaven Watson, 2013), ECRYPT 2 (II & SYM, 2012) und BSI (für Sicherheit in der Informationstechnik (BSI), 2018) viel mehr auf diese Themen ein und sollten zusätzlich konsultiert werden.
- Themen
- Zufallszahlengeneratoren (Abschnitt Zufallszahlengeneratoren),
- Keylängen (Abschnitt Keylengths),
- ECC (Abschnitt A note on Elliptic Curve Cryptography), ein Warnhinweis zu SHA-1 (Abschnitt A note on SHA-1)
- Diffie-Hellman-Schlüsselaustausch (Abschnitt A note on Diffie Hellman Key Exchanges).
- All dies ist wichtig, um zu verstehen, warum bestimmte Entscheidungen für Cipher String A und B getroffen wurden
- Für die meisten Systemadministratoren ist jedoch die Frage der Kompatibilität eine der dringendsten.
- Die Freiheit, mit jedem beliebigen Client kompatibel zu sein (auch mit veralteten Betriebssystemen), verringert natürlich die Sicherheit unserer Chiffrierzeichenfolgen.
- Wir behandeln diese Themen im Abschnitt TODO.
- Alle diese Abschnitte ermöglichen es einem Systemadministrator, seine oder ihre Bedürfnisse nach starker Verschlüsselung mit Benutzerfreundlichkeit und Kompatibilität in Einklang zu bringen.
- Themen
- PKIs (Abschnitt Public Key Infrastructures),
- Zertifizierungsstellen und über
- Härtung einer PKI
- Die letztgenannten Themen verdienen ein eigenes Buch.
- Daher kann dieser Leitfaden nur einige aktuelle Themen in diesem Bereich erwähnen.
Chiffriersuiten
Architektonischer Überblick
Begriffe
- Chiffriersuite
Eine Chiffriersuite ist eine standardisierte Sammlung, die authentifizierte Verschlüsselungsverfahren bietet
- Algorithmen für den Schlüsselaustausch
- Verschlüsselungsalgorithmen (Chiffren) und
- Algorithmus für Nachrichtenauthentifizierungscodes (MAC)
- Komponenten
- Schlüsselaustauschprotokoll
- Authentifizierung
- Chiffre
- Nachrichten-Authentifizierungs-Code (MAC)
- Authentifizierte Verschlüsselung mit zugehörigen Daten (AEAD)
Zusammensetzung einer typischen Chiffrierzeichenfolge
DHE | RSA | AES256 | SHA256 |
Nomenklatur
- Gängige Benennungsschemata für Chiffrierstrings
- IANA-Namen (siehe Anhang Links) und
- die bekannteren OpenSSL-Namen
- Hier werden OpenSSL-Namen verwenden
- es sei denn, ein bestimmter Dienst verwendet IANA-Namen
Forward Secrecy
Forward Secrecy oder Perfect Forward Secrecy ist eine Eigenschaft einer Cipher Suite, die die Vertraulichkeit auch dann gewährleistet, wenn der Serverschlüssel kompromittiert wurde.
- Wenn also Datenverkehr aufgezeichnet wurde, kann er nicht entschlüsselt werden, selbst wenn ein Angreifer in den Besitz des Serverschlüssels gelangt ist.
- Vorwärtsgeheimnis (Wikipedia)
- Pushing for Perfect Forward Secrecy, an Important Web Privacy Protection (EFF)
- SSL: Heute abgefangen, morgen entschlüsselt (Netcraft)
Empfohlene Chiffriersuiten
Cipher suites
Architektonischer Überblick
Begriffe
- Cipher Suite
Eine Chiffriersuite ist eine standardisierte Sammlung, die authentifizierte Verschlüsselungsverfahren bietet
- Algorithmen für den Schlüsselaustausch
- Verschlüsselungsalgorithmen (Chiffren) und
- Algorithmus für Nachrichtenauthentifizierungscodes (MAC)
- Sie besteht aus den folgenden Komponenten
- Schlüsselaustauschprotokoll
- Authentifizierung
- Chiffre
- Nachrichten-Authentifizierungs-Code (MAC)
- Authentifizierte Verschlüsselung mit zugehörigen Daten (AEAD)
- Cipher suite
A cipher suite is a standardized collection that provides authenticated encryption schemes
- key exchange algorithms
- encryption algorithms (ciphers) and
- Message authentication codes (MAC) algorithm
- It consists of the following components
- Key exchange protocol
- Authentication
- Cipher
- Message authentication code (MAC)
- Authenticated Encryption with Associated Data (AEAD)
Composition of a typical cipher string
DHE | RSA | AES256 | SHA256 |
Nomenclature
- There are two common naming schemes for cipher strings
- IANA names (see appendix Links) and
- the more well known OpenSSL names
In this document we will always use OpenSSL names unless a specific service uses IANA names.
Forward Secrecy
Forward Secrecy oder Perfect Forward Secrecy ist eine Eigenschaft einer Cipher Suite, die die Vertraulichkeit auch dann gewährleistet, wenn der Serverschlüssel kompromittiert wurde.
- Wenn also Datenverkehr aufgezeichnet wurde, kann er nicht entschlüsselt werden, selbst wenn ein Angreifer in den Besitz des Serverschlüssels gelangt ist.
- Vorwärtsgeheimnis (Wikipedia)
- Pushing for Perfect Forward Secrecy, an Important Web Privacy Protection (EFF)
- SSL: Heute abgefangen, morgen entschlüsselt (Netcraft)
Recommended cipher suites
Recommended cipher suites
In principle system administrators who want to improve their communication security have to make a difficult decision between effectively locking out some users and keeping high cipher suite security while supporting as many users as possible.
- The web-site Qualys SSL Labs gives administrators and security engineers a tool to test their setup and compare compatibility with clients.
- The authors made use of ssllabs.com to arrive at a set of cipher suites which we will recommend throughout this document.
- Caution
- these settings can only represent a subjective choice of the authors at the time of writing.
- It might be a wise choice to select your own and review cipher suites based on the instructions in section [ChoosingYourOwnCipherSuites].
Strong ciphers, fewer clients
At the time of writing, our recommendation is to use the following set of strong cipher suites which may be useful in an environment where one does not depend on many, different clients and where compatibility is not a big issue.
- An example of such an environment might be machine-to-machine communication or corporate deployments where software that is to be used can be defined without restrictions.
- We arrived at this set of cipher suites by selecting
- TLS 1.2
- Perfect forward secrecy / ephemeral Diffie Hellman
- strong MACs (SHA-2) or
- GCM as Authenticated Encryption scheme
This results in the OpenSSL string: EDH+aRSA+AES256:EECDH+aRSA+AES256:!SSLv3
- Configuration A ciphers
ID | OpenSSL Name | Version | KeyEx | Auth | Cipher | MAC |
---|---|---|---|---|---|---|
0x009F | DHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | DH | RSA | AESGCM(256) | AEAD |
0x006B | DHE-RSA-AES256-SHA256 | TLSv1.2 | DH | RSA | AES(256) (CBC) | SHA256 |
0xC030 | ECDHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH | RSA | AESGCM(256) | AEAD |
0xC028 | ECDHE-RSA-AES256-SHA384 | TLSv1.2 | ECDH | RSA | AES(256) (CBC) | SHA384 |
- Compatibility
- At the time of this writing only Win 7 and Win 8.1 crypto stack, OpenSSL >= 1.0.1e, Safari 6 / iOS 6.0.1 and Safari 7 / OS X 10.9 are covered by that cipher string.
Weaker ciphers but better compatibility
In this section we propose a slightly weaker set of cipher suites.
- For example, there are known weaknesses for the SHA-1 hash function that is included in this set.
- The advantage of this set of cipher suites is not only better compatibility with a broad range of clients, but also less computational workload on the provisioning hardware.
All examples in this publication use Configuration B. We arrived at this set of cipher suites by selecting:* TLS 1.2, TLS 1.1, TLS 1.0
- allowing SHA-1 (see the comments on SHA-1 in section [SHA])
This results in the OpenSSL string:
EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
- Configuration B ciphers
ID | OpenSSL Name | Version | KeyEx | Auth | Cipher | MAC |
---|---|---|---|---|---|---|
0x009F | DHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | DH | RSA | AESGCM(256) | AEAD |
0x006B | DHE-RSA-AES256-SHA256 | TLSv1.2 | DH | RSA | AES(256) | SHA256 |
0xC030 | ECDHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH | RSA | AESGCM(256) | AEAD |
0xC028 | ECDHE-RSA-AES256-SHA384 | TLSv1.2 | ECDH | RSA | AES(256) | SHA384 |
0x009E | DHE-RSA-AES128-GCM-SHA256 | TLSv1.2 | DH | RSA | AESGCM(128) | AEAD |
0x0067 | DHE-RSA-AES128-SHA256 | TLSv1.2 | DH | RSA | AES(128) | SHA256 |
0xC02F | ECDHE-RSA-AES128-GCM-SHA256 | TLSv1.2 | ECDH | RSA | AESGCM(128) | AEAD |
0xC027 | ECDHE-RSA-AES128-SHA256 | TLSv1.2 | ECDH | RSA | AES(128) | SHA256 |
0x0088 | DHE-RSA-CAMELLIA256-SHA | SSLv3 | DH | RSA | Camellia(256) | SHA1 |
0x0039 | DHE-RSA-AES256-SHA | SSLv3 | DH | RSA | AES(256) | SHA1 |
0xC014 | ECDHE-RSA-AES256-SHA | SSLv3 | ECDH | RSA | AES(256) | SHA1 |
0x0045 | DHE-RSA-CAMELLIA128-SHA | SSLv3 | DH | RSA | Camellia(128) | SHA1 |
0x0033 | DHE-RSA-AES128-SHA | SSLv3 | DH | RSA | AES(128) | SHA1 |
0xC013 | ECDHE-RSA-AES128-SHA | SSLv3 | ECDH | RSA | AES(128) | SHA1 |
0x0084 | CAMELLIA256-SHA | SSLv3 | RSA | RSA | Camellia(256) | SHA1 |
0x0035 | AES256-SHA | SSLv3 | RSA | RSA | AES(256) | SHA1 |
0x0041 | CAMELLIA128-SHA | SSLv3 | RSA | RSA | Camellia(128) | SHA1 |
0x002F | AES128-SHA | SSLv3 | RSA | RSA | AES(128) | SHA1 |
- Compatibility
- Note that these cipher suites will not work with Windows XP’s crypto stack (e.g. IE, Outlook),
- Explanation
- For a detailed explanation of the cipher suites chosen, please see [ChoosingYourOwnCipherSuites].
- In short, finding a single perfect cipher string is practically impossible and there must be a tradeoff between compatibility and security.
- On the one hand there are mandatory and optional ciphers defined in a few RFCs, on the other hand there are clients and servers only implementing subsets of the specification.
- Straightforwardly, the authors wanted strong ciphers, forward secrecy [25] and the best client compatibility possible while still ensuring a cipher string that can be used on legacy installations (e.g. OpenSSL 0.9.8).
- out of the box
Our recommended cipher strings are meant to be used via copy and paste and need to work "out of the box".
- TLSv1.2 is preferred over TLSv1.0 (while still providing a useable cipher string for TLSv1.0 servers).
- AES256 and CAMELLIA256 count as very strong ciphers at the moment.
- AES128 and CAMELLIA128 count as strong ciphers at the moment
- DHE or ECDHE for forward secrecy
- RSA as this will fit most of today’s setups
- AES256-SHA as a last resort: with this cipher at the end, even server systems with very old OpenSSL versions will work out of the box (version 0.9.8 for example does not provide support for ECC and TLSv1.1 or above).
- Note however that this cipher suite will not provide forward secrecy.
- It is meant to provide the same client coverage(eg.
- support Microsoft crypto libraries) on legacy setups.
Random Number Generators
Keylengths
Notes
3DES
We want to note that 3DES theoretically has 168 bits of security, however based on the NIST Special Publication 800-57 [26]. Due to several security problems the effective key length should be considered 80 bits.
- The NIST recommends not to use 3DES any more and to migrate to AES as soon as possible.
Elliptic Curve Cryptography
Everyone knows what a curve is, until he has studied enough mathematics to become confused through the countless number of possible exceptions. Elliptic Curve Cryptography (simply called ECC from now on) is a branch of cryptography that emerged in the mid-1980s.
- The security of the RSA algorithm is based on the assumption that factoring large numbers is infeasible.
- Likewise, the security of ECC, DH and DSA is based on the discrete logarithm problem (i_wikipedia_Discrete logarithm_, 2013).
- Finding the discrete logarithm of an elliptic curve from its public base point is thought to be infeasible.
- This is known as the Elliptic Curve Discrete Logarithm Problem (ECDLP).
- ECC and the underlying mathematical foundation are not easy to understand - luckily, there have been some great introductions on the topic. [27] [28] [29].
ECC provides for much stronger security with less computationally expensive operations in comparison to traditional asymmetric algorithms (See the Section Keylengths).
- The security of ECC relies on the elliptic curves and curve points chosen as parameters for the algorithm in question.
- Well before the NSA-leak scandal, there has been a lot of discussion regarding these parameters and their potential subversion.
- A part of the discussion involved recommended sets of curves and curve points chosen by different standardization bodies such as the National Institute of Standards and Technology (NIST) [30] which were later widely implemented in most common crypto libraries.
- Those parameters came under question repeatedly from cryptographers (Bernstein & Lange, 2013).
At the time of writing, there is ongoing research as to the security of various ECC parameters (SafeCurves: choosing safe curves for elliptic-curve cryptography, 2013).
- Most software configured to rely on ECC (be it client or server) is not able to promote or black-list certain curves.
- It is the hope of the authors that such functionality will be deployed widely soon.
- The authors of this paper include configurations and recommendations with and without ECC - the reader may choose to adopt those settings as he finds best suited to his environment.
- The authors will not make this decision for the reader.
- Warning
- One should get familiar with ECC, different curves and parameters if one chooses to adopt ECC configurations.
- Since there is much discussion on the security of ECC, flawed settings might very well compromise the security of the entire system!
SHA-1
In the last years several weaknesses have been shown for SHA-1.
- In particular, collisions on SHA-1 can be found using 263 operations, and recent results even indicate a lower complexity.
- Therefore, ECRYPT II and NIST recommend against using SHA-1 for generating digital signatures and for other applications that require collision resistance.
- The use of SHA-1 in message authentication, e.g. HMAC, is not immediately threatened.
We recommend using SHA-2 whenever available.
- Since SHA-2 is not supported by older versions of TLS, SHA-1 can be used for message authentication if a higher compatibility with a more diverse set of clients is needed.
Our configurations A and B reflect this.
- While configuration A does not include SHA-1, configuration B does and thus is more compatible with a wider range of clients.
Diffie Hellman Key Exchanges
A common question is which Diffie-Hellman (DH) parameters should be used for Diffie Hellman key-exchanges [31].
- We follow the recommendations in ECRYPT II (II & SYM, 2012).
Where configurable, we recommend using the Diffie Hellman groups defined for IKE, specifically groups 14-18 (2048–8192 bit MODP) (Kivinen & Kojo, 2003).
- These groups have been checked by many eyes and can be assumed to be secure.
For convenience, we provide these parameters as PEM files on our webserver [32].