A project aimed at providing practical settings to enhance the security of cryptographic services and certificates. Recommendations and tools for SSL, SSH, PGP, and more.
Project „ACH“ (Applied Crypto Hardening) www.bettercrypto.org
Motivation (Aaron)
Don't give them anything for free. It's your home, you fight.
Who? (Aaron)
• Wolfgang Breyha (uni VIE)
• David Durvaux (CERT.be)
• Tobias Dussa (KIT-CERT)
• L. Aaron Kaplan (CERT.at)
• Christian Mock (coretec)
• Daniel Kovacic (A-Trust)
• Manuel Koschuch (FH Campus Wien)
• Adi Kriegisch (VRVis)
• Ramin Sabet (A-Trust)
• Aaron Zauner (azet.org)
• Pepi Zawodsky (maclemon.at)
• New contributors: IAIK, A-Sit
Idea
• Do at least something against the Cryptocalypse
• Check SSL, SSH, PGP crypto settings in the most common services and certificates:
  • Apache, Nginx, lighttpd
  • IMAP/POP servers (dovecot, cyrus, ...)
  • openssl.conf
  • etc.
• Create easy, copy & paste-able settings which are „OK“ (as far as we know) for sysadmins.
• Keep it short. There are many good recommendations out there written by cryptographers for cryptographers.
• Many eyes must check this!
Contents so far (Aaron)
• Disclaimer
• Methods
• Elliptic Curve Cryptography
• Key lengths
• Random Number Generators
• Cipher suites: general overview & how to choose one
• Recommendations on practical settings
• Tools
• Links
Methods (Aaron)
• How we develop this whitepaper
• Public review
• We need your review!
Some thoughts on ECC (Ramin, Daniel)
• Currently this is under heavy debate
• Trust the math
• "Nothing Up My Sleeve Numbers"
  • e.g. NIST P-256 (http://safecurves.cr.yp.to/rigid.html)
  • Coefficients generated by hashing the unexplained seed c49d3608 86e70493 6a6678e1 139d26b7 819f7e90.
• Might have to change settings tomorrow
• Most applications only work with NIST curves
Key lengths (Ramin, Daniel)
• http://www.keylength.com/
• Recommended key lengths, hashing algorithms, etc.
• Currently:
  • RSA: >= 3248 bits (ECRYPT II)
  • ECC: >= 256 bits
  • SHA-2+ (SHA-256, ...)
  • AES-128 is good enough
AES 128? Isn't that enough?
• "On the choice between AES256 and AES128: I would never consider using AES256, just like I don't wear a helmet when I sit inside my car. It's too much bother for the epsilon improvement in security." — Vincent Rijmen in a personal mail exchange, Dec 2013
• Some theoretical attacks on AES-256
Forward Secrecy: Motivation (Ramin, Daniel)
• Three-letter agency (TLA) stores all SSL traffic
• Someday TLA gains access to the SSL private key (brute force, physical force)
• TLA can decrypt all stored traffic
Perfect Forward Secrecy
• DHE: Diffie-Hellman Ephemeral
• Ephemeral: new key for each execution of a key exchange process
• SSL private key only for authentication
• Alternative: new SSL private key every x days/months
• Pro:
  • Highest security against future attacks
• Contra:
  • Elliptic curve
  • Processing costs
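The mechanism this slide describes, as an added example that is not code from the BetterCrypto project: a toy ephemeral Diffie-Hellman exchange in Python. It shows that every handshake uses a fresh exponent, that the server's long-term key only authenticates its DH share and never enters the session key, and that two sessions under the same long-term key produce different session keys, which is exactly why a later key compromise does not unlock recorded traffic. The group parameters, the HMAC stand-in for the server's certificate signature, and the `demo` function are constructed for illustration.

```python
# Added illustration of ephemeral Diffie-Hellman (DHE): the long-term key
# authenticates the server's DH share; the session key comes only from
# per-handshake ephemeral values that are thrown away afterwards.
import hashlib
import hmac
import secrets

# Constructed toy group, NOT a secure parameter choice: real deployments use a
# standardised group of at least 2048 bits. This 61-bit prime keeps numbers small.
P = 2305843009213693951  # 2^61 - 1
G = 3


def gen_ephemeral():
    """Fresh private exponent x and public share g^x mod p for ONE handshake."""
    x = secrets.randbelow(P - 2) + 1          # x in [1, P-2]
    return x, pow(G, x, P)


def authenticate_share(long_term_key: bytes, share: int) -> bytes:
    """Stand-in for the server signing its DH share with its certificate key.
    An HMAC keyed with a constructed long-term secret models the role of the
    SSL private key: it proves who sent the share, it never encrypts traffic."""
    return hmac.new(long_term_key, share.to_bytes(8, "big"), hashlib.sha256).digest()


def derive_session_key(shared_secret: int) -> bytes:
    """Hash the DH shared secret g^(xy) mod p down to a symmetric key."""
    return hashlib.sha256(shared_secret.to_bytes(8, "big")).digest()


def dhe_handshake(server_long_term_key: bytes):
    """One DHE key exchange. Returns (client_key, server_key, wire_transcript)."""
    # Server: ephemeral share, authenticated with the long-term key.
    s_priv, s_pub = gen_ephemeral()
    tag = authenticate_share(server_long_term_key, s_pub)
    # Client: checks the authentication tag before trusting the share, then
    # answers with its own ephemeral share.
    if not hmac.compare_digest(tag, authenticate_share(server_long_term_key, s_pub)):
        raise ValueError("server share failed authentication")
    c_priv, c_pub = gen_ephemeral()
    # Both sides compute g^(xy) mod p from the peer's share and their own exponent.
    client_key = derive_session_key(pow(s_pub, c_priv, P))
    server_key = derive_session_key(pow(c_pub, s_priv, P))
    # Everything an eavesdropper can record: two public shares and the tag.
    # The exponents s_priv and c_priv are dropped when this function returns.
    transcript = {"server_share": s_pub, "client_share": c_pub, "tag": tag}
    return client_key, server_key, transcript


def demo():
    ltk = secrets.token_bytes(32)    # constructed long-term server secret
    k1c, k1s, _ = dhe_handshake(ltk)
    k2c, k2s, _ = dhe_handshake(ltk)
    return {
        "session1_agrees": k1c == k1s,   # both sides derived the same key
        "session2_agrees": k2c == k2s,
        "sessions_differ": k1c != k2c,   # same long-term key, unrelated session keys
    }


if __name__ == "__main__":
    print(demo())
```

Contrast this with plain RSA key exchange, where the client encrypts the pre-master secret to the server's certificate key: there the recorded transcript plus the private key is all a TLA needs, which is the scenario on the previous slide.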
RNGs
• RNGs are important.
• Nadia Heninger et al. / Lenstra et al.
• Entropy after startup: embedded devices
RNGs
• Weak RNGs
  • Dual_EC_DRBG is weak (slow, used in RSA toolkit)
  • Intel RNG?
• Recommendation: add system entropy (network). Entropy only goes up.
• Tools (e.g. HAVEGE, http://dl.acm.org/citation.cfm?id=945516)
• RTFM
  • When is the router key generated?
  • Default keys?
• Re-generate keys from time to time
Some general thoughts on settings
• General
  • Disable SSL 2.0 (weak algorithms)
  • Disable SSL 3.0 (BEAST vs. IE/XP)
  • Enable TLS 1.0 or better
  • Disable TLS compression (SSL CRIME attack)
  • Implement HSTS (HTTP Strict Transport Security)
• Variant A: fewer supported clients
• Variant B: more clients, weaker settings
Variant A
'EECDH+aRSA+AES256:EDH+aRSA+AES256:!SSLv3'
Compatibility: Only clients which support TLS 1.2 are covered by these cipher suites (Chrome 30, Win 7 and Win 8.1, Opera 17, OpenSSL ≥ 1.0.1e, Safari 6 / iOS 6.0.1, Safari 7 / OS X 10.9)
Variant B: weaker ciphers, many clients
Variant B: Compatibility, End-of-life
Choosing your own cipher string (1)
• Rolling your own cipher suite string involves a trade-off between:
  • Compatibility (server <-> client), vs.
  • Known weak ciphers/hashes/MACs
  • The choice ECC or not, vs.
  • Support by different SSL libs (gnutls, openssl, ...) vs.
  • Different versions of SSL libs
• In case of SSL lib version issues: do you want to re-compile the whole server for a newer version?
• Be aware of these issues before choosing your own cipher suite
Choosing your own cipher string (2)
• Complexity
• Multi-dimensional optimisation
• Consider strong alternatives to de-facto standards
• Potential future solution: generator for settings?
Practical settings (David)
What we have so far (David)
• Web servers: Apache, nginx, MS IIS, lighttpd
• Mail: Dovecot, Cyrus, Postfix, Exim
• DBs: MySQL, Oracle, PostgreSQL, DB2
• VPN: OpenVPN, IPsec, Checkpoint, ...
• Proxies: Squid, Pound
• GnuPG
• SSH
• IM servers (jabber, irc)
What we would like to see (David)
• Mail: Exchange
• SIP
• RDP
• Everything as HTML (easier to copy & paste)
• Config generator on the website
Example: Apache (Aaron)
Selecting cipher suites:
Additionally:
Testing (Tobias)
How to test? Tools (Tobias)
• openssl s_client (or gnutls-cli)
• ssllabs.com: checks for servers as well as clients
• xmpp.net
• sslscan
• SSLyze
Tools: openssl s_client
openssl s_client -showcerts -connect git.bettercrypto.org:443
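As an added example that is not part of the slides, here is a small Python checker for the output of the s_client command above. It parses the summary lines s_client prints (protocol, cipher, compression, server key size) and scores them against the checklist from the earlier slides: no SSL 2.0/3.0, no TLS compression, a DHE/ECDHE suite for forward secrecy, no known weak ciphers or hashes, and the key lengths from the key-length slide. The two transcripts are constructed samples rather than real captures, the `WEAK_TOKENS` list is my own reading of "known weak ciphers/hashes/MACs", and applying the ECC threshold to ECDSA suites is an assumption.

```python
# Added example: evaluate "openssl s_client -connect host:443" output against
# the settings recommended on the slides. Samples below are constructed.
import re

SAMPLE_GOOD = """\
CONNECTED(00000003)
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""

SAMPLE_BAD = """\
CONNECTED(00000003)
Server public key is 1024 bit
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-MD5
"""

MIN_RSA_BITS = 3248   # ">= 3248 bits (ECRYPT II)" from the key lengths slide
MIN_ECC_BITS = 256    # ">= 256" from the same slide
# Algorithm tokens in OpenSSL suite names treated here as "known weak" (assumption).
WEAK_TOKENS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH")
PFS_KEX = ("ECDHE", "DHE", "EDH")   # ephemeral key-exchange prefixes in OpenSSL names


def parse_s_client(output: str) -> dict:
    """Pull protocol, cipher, compression and server key size out of s_client output."""
    def grab(pattern):
        m = re.search(pattern, output, re.MULTILINE)
        return m.group(1).strip() if m else None
    bits = grab(r"Server public key is (\d+) bit")
    return {
        "protocol": grab(r"^\s*Protocol\s*:\s*(\S+)"),
        "cipher": grab(r"^\s*Cipher\s*:\s*(\S+)"),
        # Anchored at column 0 so the indented "Compression:" field inside the
        # SSL-Session block of older OpenSSL versions is not picked up instead.
        "compression": grab(r"^Compression:\s*(.+)$"),
        "key_bits": int(bits) if bits else 0,
    }


def evaluate(session: dict) -> list:
    """Return findings; an empty list means the session meets the slides' checklist."""
    findings = []
    proto = session["protocol"] or "unknown"
    if not proto.startswith("TLSv"):
        findings.append(f"protocol {proto}: SSL 2.0/3.0 should be disabled, use TLS 1.0 or better")
    cipher = session["cipher"] or ""
    parts = cipher.split("-")
    if parts[0] not in PFS_KEX:
        findings.append(f"cipher {cipher}: no forward secrecy (key exchange is not DHE/ECDHE)")
    weak = [t for t in WEAK_TOKENS if any(p.startswith(t) for p in parts)]
    if weak:
        findings.append(f"cipher {cipher}: uses weak algorithm(s) {', '.join(weak)}")
    comp = (session["compression"] or "NONE").upper()
    if comp != "NONE":
        findings.append(f"compression '{session['compression']}' enabled: disable it (CRIME)")
    # Assumption: the certificate key type follows the suite's authentication token.
    min_bits = MIN_ECC_BITS if "ECDSA" in parts else MIN_RSA_BITS
    if session["key_bits"] and session["key_bits"] < min_bits:
        findings.append(f"server key {session['key_bits']} bits is below the recommended {min_bits}")
    return findings


if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(name, evaluate(parse_s_client(sample)) or ["OK"])
```

To run it against a live server, capture the command's output first, e.g. `openssl s_client -connect host:443 </dev/null 2>&1 > out.txt`, and feed the file contents to `parse_s_client`; a single connection only shows the suite the server chose for that client, so repeat with different `-cipher`/protocol options or use the scanners listed above for full coverage.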
Tools: ssllabs (Aaron)
Wrap-up (Aaron)
Current state as of 2014/02/11 (Aaron)
• Solid basis with Variant (A) and (B)
• Public draft was presented at the CCC
• Section „cipher suites“ still a bit messy, needs more work
• Need to convert to HTML
How to participate (Aaron)
• We need: cryptologists, sysadmins, hackers
• Read the document, find bugs
• Subscribe to the mailing list
• Understand the cipher strings Variant (A) and (B) before proposing some changes
• If you add content to a subsection, make a sample config with variant (B)
• Git repo is world-readable
• We need:
  • Add content to a subsection from the TODO list; send us diffs
  • Reviewers!
Links (Aaron)
• Website: www.bettercrypto.org
• Git repo: https://git.bettercrypto.org
• Mailing list: http://lists.cert.at/cgi-bin/mailman/listinfo/ach