Preface

Do not talk unencrypted "Neboltai"

Acknowledgements

We would like to express our thanks to the following reviewers and people who have generously offered their time and interest (in alphabetical order): Brown, ScottBrulebois, CyrilBurghardt, KrzysztofDirksen-Thedens, MathisDulaunoy, AlexandreEndres, JohannesGühring PhilippGrigg, IanHaslinger, GunnarHorenbeck, MaartenHuebl, AxelKnecht, PascalKoetter, Patrick BenKovacic, DanielLenzhofer, StefanLorünser, ThomasMaass, MaxMehlmauer, ChristianMillauer, TobiasMirbach, AndreasO’Brien, HughPacher, ChristophPalfrader, PeterPape, Tobias (layout)Petukhova, Anna (Logo)Pichler, PatrickRiebesel, NicolasRoeckx, KurtRoesen, JensRublik, MartinSchiffbauer, MarcSchosser, AndreasSchüpany, MathiasSchulze, AndreasSchwartzkopff, MichaelSchwarz, René («DigNative»)Seidl, Eva (PDF layout)Van Horenbeeck, MaartenWagner, Sebastian («sebix»)Zangerl, Alexander The reviewers did review parts of the document in their area of expertise; all remaining errors in this document are the sole responsibility of the primary authors.

Abstract

Unfortunately, the computer security and cryptology communities have drifted apart over the last 25 years. Security people don’t always understand the available crypto tools, and crypto people don’t always understand the real-world problems.

— Ross Anderson (Anderson, 2008) This guide arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security officers saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators. As Schneier noted in (Schneier, 2013), it seems that intelligence agencies and adversaries on the Internet are not breaking so much the mathematics of encryption per se, but rather use software and hardware weaknesses, subvert standardization processes, plant backdoors, rig random number generators and most of all exploit careless settings in server configurations and encryption systems to listen in on private communications. Worst of all, most communication on the internet is not encrypted at all by default (for SMTP, opportunistic TLS would be a solution). This guide can only address one aspect of securing our information systems: getting the crypto settings right to the best of the authors' current knowledge. Other attacks, as the above mentioned, require different protection schemes which are not covered in this guide. This guide is not an introduction to cryptography. For background information on cryptography and cryptoanalysis we would like to refer the reader to the references in appendix Links and Suggested Reading at the end of this document. The focus of this guide is merely to give current best practices for configuring complex cipher suites and related parameters in a copy & paste-able manner. The guide tries to stay as concise as is possible for such a complex topic as cryptography. Naturally, it can not be complete. There are many excellent guides (II & SYM, 2012) and best practice documents available when it comes to cryptography. However none of them focuses specifically on what an average system administrator needs for hardening his or her systems' crypto settings. This guide tries to fill this gap.

The guide was produced in an open source manner: every step of editing can be traced back to a specific author via our version control system.

Introduction

Audience

Sysadmins. Sysadmins. Sysadmins. They are a force-multiplier.

Related publications

Ecrypt II [ii2011ecrypt] Ecrypt II (II & SYM, 2012), ENISA’s report on Algorithms, key sizes and parameters (ENISA and Vincent Rijmen, Nigel P. Smart, Bogdan warinschi, Gaven Watson, 2013) and BSI’s Technische Richtlinie TR-02102 (für Sicherheit in der Informationstechnik (BSI), 2018) are great publications which are more in depth than this guide. However, this guide has a different approach: it focuses on copy & paste-able settings for system administrators, effectively breaking down the complexity in the above mentioned reports to an easy to use format for the intended target audience.

How to read this guide

This guide tries to accommodate two needs: first of all, having a handy reference on how to configure the most common services’ crypto settings and second of all, explain a bit of background on cryptography. This background is essential if the reader wants to choose his or her own cipher string settings. System administrators who want to copy & paste recommendations quickly without spending a lot of time on background reading on cryptography or cryptanalysis can do so, by simply searching for the corresponding section in Best Practice. It is important to know that in this guide the authors arrived at two recommendations: Cipher string A and Cipher string B. While the former is a hardened recommendation a latter is a weaker one but provides wider compatibility. Cipher strings A and B are described in Recommended cipher suites. However, for the quick copy & paste approach it is important to know that this guide assumes users are happy with Cipher string B. While Best Practice is intended to serve as a copy & paste reference, Theory explains the reasoning behind cipher string B. In particular Architectural overview explains how to choose individual cipher strings. We advise the reader to actually read this section and challenge our reasoning in choosing Cipher string B and to come up with a better or localized solution.

Disclaimer

A chain is no stronger than its weakest link, and life is after all a chain.

— William James

Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it.

— Edward Snowden answering questions live on the Guardian’s website This guide specifically does not address physical security, protecting software and hardware against exploits, basic IT security housekeeping, information assurance techniques, traffic analysis attacks, issues with key-roll over and key management, securing client PCs and mobile devices (theft, loss), proper Operations Security, social engineering attacks, protection against tempest (i_wikipedia_Tempest (codename)_, 2018) attack techniques, thwarting different side-channel attacks (timing–, cache timing–, differential fault analysis, differential power analysis or power monitoring attacks), downgrade attacks, jamming the encrypted channel or other similar attacks which are typically employed to circumvent strong encryption. The authors can not overstate the importance of these other techniques. Interested readers are advised to read about these attacks in detail since they give a lot of insight into other parts of cryptography engineering which need to be dealt with[1]) ]. This guide does not talk much about the well-known insecurities of trusting a public-key infrastructure (PKI)[2]. Nor does this text fully explain how to run your own Certificate Authority (CA). Most of this zoo of information security issues are addressed in the very comprehensive book Security Engineering by Ross Anderson (Anderson, 2008). For some experts in cryptography this text might seem too informal. However, we strive to keep the language as non-technical as possible and fitting for our target audience: system administrators who can collectively improve the security level for all of their users.

Security is a process, not a product.

— Bruce Schneier This guide can only describe what the authors currently believe to be the best settings based on their personal experience and after intensive cross checking with literature and experts. For a complete list of people who reviewed this paper, see the <acknowledgements>. Even though multiple specialists reviewed the guide, the authors can give no guarantee whatsoever that they made the right recommendations. Keep in mind that tomorrow there might be new attacks on some ciphers and many of the recommendations in this guide might turn out to be wrong. Security is a process. We therefore recommend that system administrators keep up to date with recent topics in IT security and cryptography. In this sense, this guide is very focused on getting the cipher strings done right even though there is much more to do in order to make a system more secure. We the authors, need this document as much as the reader needs it.

Scope

In this guide, we restricted ourselves to:* Internet-facing services

Commonly used services
Devices which are used in business environments (this specifically excludes XBoxes, Playstations and similar consumer devices)
OpenSSL

We explicitly excluded:* Specialized systems such as medical devices, most embedded systems, industrial control systems (ICS), etc.

Wireless Access Points
Smart-cards/chip cards

Methods

C.O.S.H.E.R - completely open source, headers, engineering and research.

— A. Kaplan His mail signature for many years For writing this guide, we chose to collect the most well researched facts about cryptography settings and let as many trusted specialists as possible review those settings. The review process is completely open and done on a public mailing list. The document is available (read-only) to the public Internet on the web page and the source code of this document is on a public git server, mirrored on GitHub.com and open for public scrutiny. However, write permissions to the document are only granted to vetted people. The list of reviewers can be found in Acknowledgements. Every write operation to the document is logged via the git version control system and can thus be traced back to a specific author. We accept git pull requests on the github mirror for this paper. Public peer-review and multiple eyes checking of our guide is the best strategy we can imagine at the present moment [3]. We invite the gentle reader to participate in this public review process. Please read the Contributing document.

Appendix

Links

IANA official list of Transport Layer Security (TLS) Parameters Elliptic curves and their implementation (04 Dec 2010) A (relatively easy to understand) primer on elliptic curve cryptography Duraconf, A collection of hardened configuration files for SSL/TLSservices (Jacob Appelbaum’s github) Attacks on SSL a comprehensive study of BEAST, CRIME, TIME, BREACH, LUCKY 13 & RC4 Biases EFF How to deploy HTTPS correctly Bruce Almighty: Schneier preaches security to Linux faithful (on not recommending to use Blowfish anymore in favor of Twofish) Implement FIPS 183-3 for DSA keys (1024bit constraint) Elliptic Curve Cryptography in Practice Factoring as a Service Black Ops of TCP/IP 2012 SSL and the Future of Authenticity, Moxie Marlinspike - Black Hat USA 2011 ENISA - Algorithms, Key Sizes and Parameters Report (Oct.’13 Diffie-Hellman Groups standardized in RFC3526 TLS Security (Survey + Lucky13 + RC4 Attack) by Kenny Paterson Ensuring High-Quality Randomness in Cryptographic Key Generation Wikipedia: Ciphertext Stealing Wikipedia: Malleability (Cryptography) Ritter’s Crypto Glossary and Dictionary of Technical Cryptography

Further Research

The following is a list of services, software packages, hardware devices or protocols that we considered documenting but either did not manage to document yet or might be able to document later. We encourage input from the community. Table 16. Further Protocols

DNSSec (mention BCPs)	DANE	Tor
S/Mime (check are there any BCPs? )	TrueCrypt, LUKS, FileVault	AFS
Kerberos	NNTP	NTPs tlsdate
Moxa , APC, und co… ICS
rsyslog	tftp	(s)ftp(s)
haproxy

Table 17. Further Protocols (Network centric)

IPv6 security
Wi-Fi, 802.1x	SIP	SRTP
Kerberos	NNTP	NTPs tlsdate
BGP / OSPF	LDAP	seclayer-tcp
RADIUS (RADSEC)	racoon	strongswan
l2tp
Ethernet to serial	DSL modems
UPnP, natPmp
HTTP Key Pinning (HTKP)
Monitoring: SNMPv3

Table 18. Further Applications

Lync	Tomcat
Microsoft SQL Server	Microsoft Exchange
IBM HTTP Server

Commerical Network Equipment Vendors Other ideas: SAML federated auth providers [42] Elastic Load Balancing (ELB)[43]

Software not covered by this guide

telnet: Usage of telnet for anything other than fun projects is highly discouraged Puppet DB: A Proxy or a tunnel is recommended if it needs to be facing public network interfaces.[44] rsync: Best use it only via SSH for an optimum of security and easiest to maintain.

Bibliography

Adam Langley, Ben Laurie, Emilia Kasper. (2013). Certificate Transparency. http://www.certificate-transparency.org https://datatracker.ietf.org/doc/rfc6962/ . Adam Langley, et. al. (2013). Go X.509 Verification Source Code. https://code.google.com/p/go/source/browse/src/pkg/crypto/x509/verify.go#173 . Anderson, R. (2008). Security engineering. Wiley.com. Retrieved from rja14/book.html http://www.cl.cam.ac.uk/ rja14/book.html Bernstein, D. J., & Lange, T. (2013). Security dangers of the NIST curves (Presentation slides). Retrieved from http://cr.yp.to/talks/2013.09.16/slides-djb-20130916-a4.pdf C. Evans and C. Palmer. (2013). Public Key Pinning Extension for HTTP. https://tools.ietf.org/html/draft-ietf-websec-key-pinning-09 . Damon Poeter. (2011). Fake Google Certificate Puts Gmail at Risk. http://www.pcmag.com/article2/0,2817,2392063,00.asp . Durumeric, Z., Kasten, J., Bailey, M., & Halderman, J. A. (2013). Analysis of the HTTPS Certificate Ecosystem. In Proceedings of the 13th Internet Measurement Conference. Retrieved from https://jhalderm.com/pub/papers/https-imc13.pdf Elinor Mills. (2011). Fraudulent Google certificate points to Internet attack. http://news.cnet.com/8301-27080_3-20098894-245/fraudulent-google-certificate-points-to-internet-attack/ . Engblom, J. (2011). Evaluating HAVEGE Randomness (Blog: Observations from Uppsala). Retrieved from http://jakob.engbloms.se/archives/1374 ENISA and Vincent Rijmen, Nigel P. Smart, Bogdan warinschi, Gaven Watson. (2013). ENISA - Algorithms, Key Sizes and Parameters Report. Retrieved from http://www.enisa.europa.eu/activities/identity-and-trust/library/deliverables/algorithms-key-sizes-and-parameters-report für Sicherheit in der Informationstechnik (BSI), B. (2018). BSI TR-02102 Kryptographische Verfahren. Retrieved from https://www.bsi.bund.de/EN/Publications/TechnicalGuidelines/tr02102/tr02102_node.html H. Tschofenig and E. Lear. (2013). Evolving the Web Public Key Infrastructure. https://tools.ietf.org/html/draft-tschofenig-iab-webpki-evolution-01.txt . Heninger, N., Durumeric, Z., Wustrow, E., & Halderman, J. A. (2012). Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices. In Proceedings of the 21st USENIX Security Symposium. Retrieved from https://factorable.net/weakkeys12.extended.pdf Hoffman, P., & Schlyter, J. (2012). The DNS-Based Authentication of Named Entities (DANE) Transport Layer Security (TLS) Protocol: TLSA. IETF. Retrieved from https://www.ietf.org/rfc/rfc6698.txt i_mit_Realm configuration decisions_. (2013). (Documentation). Retrieved from http://web.mit.edu/kerberos/krb5-latest/doc/admin/realm_config.html i_wikipedia_Discrete logarithm_. (2013). (Wikipedia). Retrieved from https://en.wikipedia.org/wiki/Discrete_logarithm i_wikipedia_Tempest (codename). (2018). (Wikipedia). Retrieved from https://en.wikipedia.org/wiki/Tempest(codename) II, E. C. R. Y. P. T., & SYM, D. (2012). ECRYPT II, 79–86. Retrieved from http://www.ecrypt.eu.org/ecrypt2/documents/D.SPA.20.pdf Katz, J., & Lindell, Y. (2008). Introduction to modern cryptography. Chapman & Hall/CRC. Retrieved from http://books.google.at/books?id=WIc_AQAAIAAJ Kivinen, T., & Kojo, M. (2003). More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE). IETF. Retrieved from https://www.ietf.org/rfc/rfc3526.txt Postel, J. (1980). DoD standard Transmission Control Protocol. IETF. Retrieved from https://www.ietf.org/rfc/rfc761.txt Raeburn, K. (2005). Advanced Encryption Standard (AES) Encryption for Kerberos 5. IETF. Retrieved from https://www.ietf.org/rfc/rfc3962.txt SafeCurves: choosing safe curves for elliptic-curve cryptography. (2013). (Technical Background). Retrieved from http://safecurves.cr.yp.to/rigid.html Schneier, B. (2013). The NSA Is Breaking Most Encryption on the Internet (Blog: Schneier on Security). Retrieved from https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html Yarom, Y., & Falkner, K. (2013). Flush+ Reload: a high resolution, low noise, L3 cache side-channel attack. Cryptology ePrint Archive, Report 2013/448, 2013. http://eprint. iacr. org/2013/448/. 3. Retrieved from http://eprint.iacr.org/2013/448.pdf