Kryptografie/Chiffrier Suits

Aus Foxwiki

Overview

Background information
Cipher strings
Issues
All of this is important in understanding why certain choices were made for Cipher String A and B
  • However, for most system administrators, the question of compatibility is one of the most pressing ones.
  • Having the freedom to be compatible with any client (even running on outdated operating systems) of course, reduces the security of our cipher strings.
  • We address these topics in section TODO.
  • All these sections will allow a system administrator to balance his or her needs for strong encryption with usability and compatibility.
Issues in
  • PKIs (section Public Key Infrastructures),
  • Certificate Authorities and on
  • hardening a PKI
  • Note that these last few topics deserve a book on their own.
  • Hence this guide can only mention a few current topics in this area.

Cipher suites

Architectural overview

This section defines some terms which will be used throughout this guide. A cipher suite is a standardized collection of key exchange algorithms, encryption algorithms (ciphers) and Message authentication codes (MAC) algorithm that provides authenticated encryption schemes. It consists of the following components:

  1. Key exchange protocol
  2. Authentication
  3. Cipher
  4. Message authentication code (MAC)
  5. Authenticated Encryption with Associated Data (AEAD)
Composition of a typical cipher string
+-----+  +-----+  +--------+  +--------+
| DHE +--+ RSA +--+ AES256 +--+ SHA256 +
+-----+  +-----+  +--------+  +--------+
A note on nomenclature
There are two common naming schemes for cipher strings – IANA names (see appendix Links) and the more well known OpenSSL names. In this document we will always use OpenSSL names unless a specific service uses IANA names.

Forward Secrecy

Forward Secrecy or Perfect Forward Secrecy is a property of a cipher suite that ensures confidentiality even if the server key has been compromised.

Recommended cipher suites

Recommended cipher suites

In principle system administrators who want to improve their communication security have to make a difficult decision between effectively locking out some users and keeping high cipher suite security while supporting as many users as possible.

  • The web-site Qualys SSL Labs gives administrators and security engineers a tool to test their setup and compare compatibility with clients.
  • The authors made use of ssllabs.com to arrive at a set of cipher suites which we will recommend throughout this document.
Caution
  • these settings can only represent a subjective choice of the authors at the time of writing.
  • It might be a wise choice to select your own and review cipher suites based on the instructions in section [ChoosingYourOwnCipherSuites].

Configuration A: Strong ciphers, fewer clients

At the time of writing, our recommendation is to use the following set of strong cipher suites which may be useful in an environment where one does not depend on many, different clients and where compatibility is not a big issue.

  • An example of such an environment might be machine-to-machine communication or corporate deployments where software that is to be used can be defined without restrictions.
We arrived at this set of cipher suites by selecting
  • TLS 1.2
  • Perfect forward secrecy / ephemeral Diffie Hellman
  • strong MACs (SHA-2) or
  • GCM as Authenticated Encryption scheme

This results in the OpenSSL string: EDH+aRSA+AES256:EECDH+aRSA+AES256:!SSLv3

Configuration A ciphers
ID OpenSSL Name Version KeyEx Auth Cipher MAC
0x009F DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH RSA AESGCM(256) AEAD
0x006B DHE-RSA-AES256-SHA256 TLSv1.2 DH RSA AES(256) (CBC) SHA256
0xC030 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH RSA AESGCM(256) AEAD
0xC028 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH RSA AES(256) (CBC) SHA384
Compatibility
At the time of this writing only Win 7 and Win 8.1 crypto stack, OpenSSL >= 1.0.1e, Safari 6 / iOS 6.0.1 and Safari 7 / OS X 10.9 are covered by that cipher string.

Configuration B: Weaker ciphers but better compatibility

In this section we propose a slightly weaker set of cipher suites.

  • For example, there are known weaknesses for the SHA-1 hash function that is included in this set.
  • The advantage of this set of cipher suites is not only better compatibility with a broad range of clients, but also less computational workload on the provisioning hardware.

All examples in this publication use Configuration B. We arrived at this set of cipher suites by selecting:* TLS 1.2, TLS 1.1, TLS 1.0

  • allowing SHA-1 (see the comments on SHA-1 in section [SHA])

This results in the OpenSSL string:

'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
Configuration B ciphers
ID OpenSSL Name Version KeyEx Auth Cipher MAC
0x009F DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH RSA AESGCM(256) AEAD
0x006B DHE-RSA-AES256-SHA256 TLSv1.2 DH RSA AES(256) SHA256
0xC030 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH RSA AESGCM(256) AEAD
0xC028 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH RSA AES(256) SHA384
0x009E DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH RSA AESGCM(128) AEAD
0x0067 DHE-RSA-AES128-SHA256 TLSv1.2 DH RSA AES(128) SHA256
0xC02F ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH RSA AESGCM(128) AEAD
0xC027 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH RSA AES(128) SHA256
0x0088 DHE-RSA-CAMELLIA256-SHA SSLv3 DH RSA Camellia(256) SHA1
0x0039 DHE-RSA-AES256-SHA SSLv3 DH RSA AES(256) SHA1
0xC014 ECDHE-RSA-AES256-SHA SSLv3 ECDH RSA AES(256) SHA1
0x0045 DHE-RSA-CAMELLIA128-SHA SSLv3 DH RSA Camellia(128) SHA1
0x0033 DHE-RSA-AES128-SHA SSLv3 DH RSA AES(128) SHA1
0xC013 ECDHE-RSA-AES128-SHA SSLv3 ECDH RSA AES(128) SHA1
0x0084 CAMELLIA256-SHA SSLv3 RSA RSA Camellia(256) SHA1
0x0035 AES256-SHA SSLv3 RSA RSA AES(256) SHA1
0x0041 CAMELLIA128-SHA SSLv3 RSA RSA Camellia(128) SHA1
0x002F AES128-SHA SSLv3 RSA RSA AES(128) SHA1
Compatibility
Note that these cipher suites will not work with Windows XP’s crypto stack (e.g. IE, Outlook),
Explanation
For a detailed explanation of the cipher suites chosen, please see [ChoosingYourOwnCipherSuites].
  • In short, finding a single perfect cipher string is practically impossible and there must be a tradeoff between compatibility and security.
  • On the one hand there are mandatory and optional ciphers defined in a few RFCs, on the other hand there are clients and servers only implementing subsets of the specification.
Straightforwardly, the authors wanted strong ciphers, forward secrecy [25] and the best client compatibility possible while still ensuring a cipher string that can be used on legacy installations (e.g. OpenSSL 0.9.8).

Our recommended cipher strings are meant to be used via copy and paste and need to work "out of the box".* TLSv1.2 is preferred over TLSv1.0 (while still providing a useable cipher string for TLSv1.0 servers).

  • AES256 and CAMELLIA256 count as very strong ciphers at the moment.
  • AES128 and CAMELLIA128 count as strong ciphers at the moment
  • DHE or ECDHE for forward secrecy
  • RSA as this will fit most of today’s setups
  • AES256-SHA as a last resort: with this cipher at the end, even server systems with very old OpenSSL versions will work out of the box (version 0.9.8 for example does not provide support for ECC and TLSv1.1 or above).
  • Note however that this cipher suite will not provide forward secrecy.
  • It is meant to provide the same client coverage(eg.
  • support Microsoft crypto libraries) on legacy setups.

Random Number Generators

"A real fair random number generator" (Image license: CC-BY-NC) A good source of random numbers is essential for many crypto operations.

  • The key feature of a good random number generator is the non-predictability of the generated numbers.
  • This means that hardware support for generating entropy is essential.

Hardware random number generators in operating systems or standalone components collect entropy from various random events mostly by using the (low bits of the) time an event occurs as an entropy source.

  • The entropy is merged into an entropy pool and in some implementations there is some bookkeeping about the number of random bits available.

When Random Number Generators Fail

Random number generators can fail – returning predictable non-random numbers – if not enough entropy is available when random numbers should be generated. This typically occurs for embedded devices and virtual machines.

Embedded devices lack some entropy sources other devices have
  • No persistent clock, so boot-time is not contributing to the initial RNG state.
  • No hard-disk: No entropy from hard-disk timing, no way to store entropy between reboots.
Virtual machines emulate some hardware components so that the generated entropy is over-estimated
  • The most critical component that has been shown to return wrong results is an emulated environment is the timing source (Engblom, 2011).

Typically the most vulnerable time where low-entropy situations occur is shortly after a reboot.

Another problem is that OpenSSL seeds its internal random generator only seldomly from the hardware random number generator of the operating system.

For systems where – during the lifetime of the keys – it is expected that low-entropy situations occur, RSA keys should be preferred over DSA keys: For DSA, if there is ever insufficient entropy at the time keys are used for signing this may lead to repeated ephemeral keys.

  • An attacker who can guess an ephemeral private key used in such a signature can compromise the DSA secret key.
  • For RSA this can lead to discovery of encrypted plaintext or forged signatures but not to the compromise of the secret key (Heninger, Durumeric, Wustrow, & Halderman, 2012).

Keylengths

On the choice between AES256 and AES128: I would never consider using AES256, just like I don't wear a helmet when I sit inside my car. It's too much bother for the epsilon improvement in security. Recommendations on keylengths need to be adapted regularly. Since this document first of all is static and second of all, does not consider itself to be authoritative on keylengths, we would rather refer to existing publications and websites. Recommending a safe key length is a hit-and-miss issue. Furthermore, when choosing an encryption algorithm and key length, the designer/sysadmin always needs to consider the value of the information and how long it must be protected. In other words: consider the number of years the data needs to stay confidential. The ECRYPT II publication gives a fascinating overview of strengths of symmetric keys in chapter 5 and chapter 7. Summarizing ECRYPT II, we recommend 128 bit of key strength for symmetric keys. In ECRYPT II, this is considered safe for security level 7, long term protection. In the same ECRYPT II publication you can find a practical comparison of key size equivalence between symmetric key sizes and RSA, discrete log (DLOG) and EC keylengths. ECRYPT II arrives at the interesting conclusion that for an equivalence of 128 bit symmetric size, you will need to use an 3248 bit RSA key (II & SYM, 2012). There are a couple of other studies comparing keylengths and their respective strengths. The website https://www.keylength.com/ compares these papers and offers a good overview of approximations for key lengths based on recommendations by different standardization bodies and academic publications. Figure #fig:keylengths.com[1] shows a typical comparison of keylengths on this web site. "Screenshot for 128 bit symmetric key size equivalents"

Summary

For asymmetric public-key cryptography we consider any key length below 3248 bits to be deprecated at the time of this writing (for long term protection). For elliptic curve cryptography we consider key lengths below 256 bits to be inadequate for long term protection. For symmetric algorithms we consider anything below 128 bits to be inadequate for long term protection.

Special remark on 3DES:

We want to note that 3DES theoretically has 168 bits of security, however based on the NIST Special Publication 800-57 [26]. Due to several security problems the effective key length should be considered 80 bits. The NIST recommends not to use 3DES any more and to migrate to AES as soon as possible.

A note on Elliptic Curve Cryptography

Everyone knows what a curve is, until he has studied enough mathematics to become confused through the countless number of possible exceptions. Elliptic Curve Cryptography (simply called ECC from now on) is a branch of cryptography that emerged in the mid-1980s. The security of the RSA algorithm is based on the assumption that factoring large numbers is infeasible. Likewise, the security of ECC, DH and DSA is based on the discrete logarithm problem (i_wikipedia_Discrete logarithm_, 2013). Finding the discrete logarithm of an elliptic curve from its public base point is thought to be infeasible. This is known as the Elliptic Curve Discrete Logarithm Problem (ECDLP). ECC and the underlying mathematical foundation are not easy to understand - luckily, there have been some great introductions on the topic. [27] [28] [29]. ECC provides for much stronger security with less computationally expensive operations in comparison to traditional asymmetric algorithms (See the Section Keylengths). The security of ECC relies on the elliptic curves and curve points chosen as parameters for the algorithm in question. Well before the NSA-leak scandal, there has been a lot of discussion regarding these parameters and their potential subversion. A part of the discussion involved recommended sets of curves and curve points chosen by different standardization bodies such as the National Institute of Standards and Technology (NIST) [30] which were later widely implemented in most common crypto libraries. Those parameters came under question repeatedly from cryptographers (Bernstein & Lange, 2013). At the time of writing, there is ongoing research as to the security of various ECC parameters (SafeCurves: choosing safe curves for elliptic-curve cryptography, 2013). Most software configured to rely on ECC (be it client or server) is not able to promote or black-list certain curves. It is the hope of the authors that such functionality will be deployed widely soon. The authors of this paper include configurations and recommendations with and without ECC - the reader may choose to adopt those settings as he finds best suited to his environment. The authors will not make this decision for the reader.

Warning

One should get familiar with ECC, different curves and parameters if one chooses to adopt ECC configurations. Since there is much discussion on the security of ECC, flawed settings might very well compromise the security of the entire system!

A note on SHA-1

In the last years several weaknesses have been shown for SHA-1. In particular, collisions on SHA-1 can be found using 263 operations, and recent results even indicate a lower complexity. Therefore, ECRYPT II and NIST recommend against using SHA-1 for generating digital signatures and for other applications that require collision resistance. The use of SHA-1 in message authentication, e.g. HMAC, is not immediately threatened. We recommend using SHA-2 whenever available. Since SHA-2 is not supported by older versions of TLS, SHA-1 can be used for message authentication if a higher compatibility with a more diverse set of clients is needed. Our configurations A and B reflect this. While configuration A does not include SHA-1, configuration B does and thus is more compatible with a wider range of clients.

A note on Diffie Hellman Key Exchanges

A common question is which Diffie-Hellman (DH) parameters should be used for Diffie Hellman key-exchanges [31]. We follow the recommendations in ECRYPT II (II & SYM, 2012). Where configurable, we recommend using the Diffie Hellman groups defined for IKE, specifically groups 14-18 (2048–8192 bit MODP) (Kivinen & Kojo, 2003). These groups have been checked by many eyes and can be assumed to be secure. For convenience, we provide these parameters as PEM files on our webserver [32].

Public Key Infrastructures

Public Key Infrastructure

TLS and its support mechanisms

TLS

Weblinks

  1. https://bettercrypto.org/