TLS/SSL Hardening And Compatibility Report 2011 - G-SEC


TLS/SSL hardening and compatibility Report 2011
Update to the 2010 Report
Author: Thierry ZOLLER
contact@g-sec.lu
http://www.g-sec.lu

G-SEC is a non-commercial and independent group of Information Security Specialists based in Luxembourg.

TLS/SSL Hardening & Compatibility Report 2011

Table of Contents

Introduction
Revisions
Introduction to SSL/TLS
  SSL/TLS Protocol versions
    SSLv2
    Differences between SSLv3 and SSLv2
    Differences between TLS v1 and SSLv3
    Differences between TLS v1.1 and TLS v1
    Differences between TLSv1.2 and TLSv1.1
  Protocol Key exchange
    RSA
    DH
    DHE
    ADH
    ECDHE
  Authentication
    No authentication
    RSA
    DSS
    ECDSA
    KRB5
    PSK
  Encryption
    NULL
    AES
    CAMELLIA
    RC4 / RC2
    IDEA
    3DES
    DES
Minimum industry Encryption and Key length recommendations
  Recommended Asymmetric key length
  Recommended Symmetric key length
  Recommended Hashing algorithm and size
Client-side and Server-side Compatibility Overview
Client-side: TLS / SSL Compatibility overview
  Default Protocol support
  Default Key exchange support
  RSA support
  Default ECC support
Server-Side: TLS / SSL Compatibility overview
  Default protocol support
  Default key exchange support
  Default RSA size support
Recommend Server-Side SSL configuration - Putting it all together -
  IIS7.5
  IIS7
  IIS6
  Apache https / Tomcat (OpenSSL 1.0)
Server configurations – undocumented behaviour
  General Note
  IIS 7.5 / Windows 7 / Windows 2008R2
  IIS 6 / Windows 2003
  Apache httpd / Tomcat (OpenSSL)
General Recommendations
  Minimum SSL configuration
  Recommended SSL configuration
Sources
Thanks
Disclaimer
Copyright
Appendix
  Example code - Listing ciphers (Windows7 & Windows 2008R2)
  Example Code - Setting preferred cipher (Windows7 & Windows 2008R2)
  Code - Remove ciphers
  Default Windows SCHANNEL cipher support
    Windows 7 and Windows Server 2008R2
    Windows Vista AND Windows Server 2008 R1
    Windows XP,2000,2003
  Default Browser support
    IE6, 7, 8 – Windows XP, 2003, 2000
    IE7, IE 8 – Windows Vista
    Firefox, Google Chrome (NSS) - All Operation Systems
    Opera
  TLS/SSL Interop Test services

Introduction

This report gives general recommendations on how to configure SSL/TLS in order to provide state of the art authentication and encryption. The options offered by SSL engines have grown since the early days when Netscape developed SSL 2.0. The introduction of TLS made matters more challenging, as servers and clients offer different sets of available options depending on which SSL engine (OpenSSL, NSS, SCHANNEL etc.) they use. Finding the middle ground has proven difficult, especially as the supported protocols and cipher suites are mostly not documented. To make matters more complicated, browsers may not use all functionality offered by the SSL stack; this report only lists functionality used by current browsers.

This report provides an overview of the currently available TLS options across servers and clients and allows you to offer support for a wide variety of browsers and offer “good enough” security.

The 2011 version was updated as follows:
- Google Chrome moved away from Microsoft SCHANNEL and now uses Network Security Services (NSS), offering high end cryptography on legacy Windows systems (XP, 2000).
- Added Opera cipher and protocol support
- Style errors

During the creation of this document two tools have been developed:
- SSL Harden (beta) – Allows users of Windows 2000, XP, Vista, 7 and particularly administrators of Windows Server 2003 & 2008R2 to harden SSL/TLS support. Administrators can manually edit and back up the SSL configuration and set PCI-DSS compliant SSL rules with a click of a button.
- SSL Audit (alpha) - A remote SSL audit tool able to scan for SSL/TLS support against remote servers. SSL Audit uses its own small parsing engine and does not rely on OpenSSL or other SSL engines, allowing it to detect ciphers not supported by OpenSSL.

Please note that this summary does not take into account the arrival of quantum computing. Large quantum computers able to crack large RSA keys are foreseen for 2014 by the ARDA and 2018 by Prof Lloyd [1]. Shor’s algorithm could then be used to break the RSA key sizes very fast. We recommend pushing for ECC based certificates as soon as possible.

The information is believed to be correct at the time of writing; due to the nature of undocumented features there might be slight errors in this version. If you believe information displayed within this paper is wrong please contact
Feedback from Microsoft, Apache, Opera and Apple was integrated when

Revisions

21.09.2011  25.09.2011  28.09.2011

Annotations
- Initial draft
- Added recommendations, Added BSI, NIST, FSIA recommendations
- Added Browser support
- Added Server support
- Synopsis
- Released for RFC
- Released as RC
- Fixed a few typos
- Added changes to chrome, corrected grammar.
- Released as 1.0
- Layout, added details provided by Opera
- Update mod gnutls, formatting

Introduction to SSL/TLS

In order to securely transport data from one endpoint to another, the SSL and TLS protocols are used, as they provide data confidentiality and data integrity. TLS was designed to offer a flexible and secure protocol that is able to interoperate with any service or application; furthermore, TLS provides cryptographic support that SSL could not offer.

SSL/TLS Protocol versions

SSLv2

SSL version 2 was developed by Netscape in 1996 and is 13 years old; it is vulnerable to various attacks and should not be supported. Internet browsers like Internet Explorer 7 (2006), Firefox 2 (2005) and Opera 9 (2006) no longer support SSLv2.

Users should not be encouraged to use older browsers as they suffer from other vulnerabilities that put them at risk. Should another requirement such as third party code require SSLv2 for an e-banking platform, it needs to be upgraded to TLS, as it is vulnerable to several known attacks.

Should you absolutely need to conform to foreign regulations, we recommend relocating these customers to a separated banking server/system. They pose a risk for other e-banking users. (SSLv2 does not support perfect forward secrecy.)

The SSLv2 protocol suffers from:
- Re-usage of key material (message authentication and encryption), thus, in case of EXPORT ciphers, unnecessarily weakening the MAC (not required by export restrictions)
- Ciphers marked as “Export” have an arbitrary small key size and can be cracked easily with today’s hardware.
- Weak MAC construction; supports only the MD5 hash function
- Padding length field is unauthenticated [2]
- Downgrade attack – an attacker may downgrade the encryption to the lowest available and after doing so crack the keys.
- Truncation attacks – The attacker may reset the TCP connection and as such

[2] Analysis of the SSL 3.0 Protocol - David Wagner et al

Differences between SSLv3 and SSLv2
- Key material is no longer reused in both message authentication and encryption, making suites marked as EXPORT „stronger“.
- MAC construction enhanced and support for SHA1 added
- SSLv3 adds protection of the handshake; server-side can detect downgrade attacks
- SSLv3 adds support for a closure alert

Differences between TLS v1 and SSLv3
- Expansion of cryptographic keys from the initially exchanged secret was improved
- MAC construction mechanism modified into an HMAC
- Mandatory support for Diffie-Hellman key exchange, the Digital Signature Standard, and Triple-DES encryption

Differences between TLS v1.1 and TLS v1 [3]
- The implicit Initialization Vector (IV) is replaced with an explicit IV to protect against CBC attacks [4]
- Handling of padding errors is changed to use the bad_record_mac alert rather than the decryption_failed alert to protect against CBC attacks
- IANA registries are defined for protocol parameters.
- Premature closes no longer cause a session to be nonresumable.
- Additional informational notes were added for various new attacks on TLS

Differences between TLSv1.2 and TLSv1.1 [5]
- SHA-256 is the default digest method
- Several new cipher suites use SHA-256
- It has better ways to negotiate what signature algorithms the client supports
- Alerts must now be sent in many cases
- After a certificate request, if no certificates are available, clients now MUST send an empty certificate list
- TLS_RSA_WITH_AES_128_CBC_SHA is now the mandatory to implement cipher suite
- Added HMAC-SHA256 cipher suites
- Removed IDEA and DES cipher suites, they are now deprecated.
- Support for the SSLv2 backward-compatible hello is now optional

Protocol Key exchange

The key exchange is used to generate a pre master secret known to the client and the server but not to somebody in the middle of the connection (attacker). The pre master secret is then used to generate the master secret, which is used to generate the certificate “verify” and “finished” messages, encryption keys, and MAC secrets.

RSA
With RSA, key exchange and server authentication are combined. The public key may be either contained in the server's certificate or may be a temporary RSA key sent in a server key exchange message; old signatures and temporary keys cannot be replayed.

DH
DH stands for Diffie Hellman; when using DH the server supplies a certificate containing a fixed Diffie-Hellman parameter. Temporary parameters are hashed and signed to ensure that attackers cannot replay parameters. The client then verifies the certificate and signature to ensure that the parameters belong to the actual server. When using DH the client and server will generate the same pre master secret every time.

DHE
DHE stands for Ephemeral Diffie Hellman; the server supplies a certificate containing a temporary Diffie-Hellman parameter signed with the server's RSA or DSS certificate. This has the effect that it offers perfect forward secrecy. This means that even if you have compromised/broken/stolen the server private key, you cannot decrypt past captured traffic.

For this reason DHE and ECDHE are the recommended key exchange protocols. If decryption needs to be done for monitoring reasons, we would recommend writing the Diffie-Hellman parameters to a database for every new session.

ADH
ADH stands for Anonymous Diffie Hellman and allows completely anonymous connections; the server and client public parameters are contained in the corresponding exchange messages. A passive man-in-the-middle attacker should not be able to find the Diffie-Hellman result (i.e. the pre master secret); however, this method of key exchange is vulnerable to active man-in-the-middle attacks.

ECDHE
ECDHE (or EECDH in OpenSSL 1.0) is DHE combined with elliptic curve cryptography.

Authentication

TLS supports three authentication modes: authentication of server and client (through server and client certificate), server only authentication and anonymous connections. The algorithms available are:

No authentication
No authentication

RSA
The algorithm used to sign the certificate is RSA [6] [7]

DSS
The digital signature standard is used to sign the certificate

ECDSA
ECDSA stands for Elliptic Curve Digital Signature Algorithm; it is a variant of the Digital Signature Algorithm that uses elliptic curve cryptography.

KRB5 [8]
Kerberos credentials are used to achieve mutual authentication and to establish a master secret which is subsequently used to secure client-server communication.

PSK
Authentication takes place through pre-shared keys; these symmetric keys are known to both parties prior to

Encryption

Encryption serves the purpose of transforming plaintext into unreadable data through usage of an algorithm.

NULL
No encryption will take place; this is for example useful when you want to ensure the authenticity of the data

AES [9]
The Advanced Encryption Standard, previously known as Rijndael, was the winner of the NIST competition and is regarded as state of the art encryption. AES offers key sizes of 128, 192 and 256 bits.

CAMELLIA [10]
Developed by Mitsubishi and NTT, Camellia is available under a royalty free license and according to sources “has been evaluated favorably by several organisations, including the European Union's NESSIE project (a selected algorithm), and the Japanese CRYPTREC project (a recommended algorithm)”

RC4 / RC2
RC4 is a stream cipher invented by Ron Rivest and was closed source until the release of the source code in 1994 to the cypherpunks mailing list. Several attacks have been uncovered against RC4, particularly as used within WEP. RC2 is a block cipher invented by Ron Rivest; in 1996 the source code was leaked to the sci.crypt UseNet group. RC2 is vulnerable to several attacks.

IDEA [11]
The International Data Encryption Algorithm is a block cipher invented by James Massey. It is still considered secure; however, it is patented and slower than modern ciphers. The patent will expire in 2011.

3DES
Triple-DES was created when DES was found to be vulnerable due to a key size being too small; it uses the Data Encryption Standard cipher algorithm three times over each block.

DES
The history of DES is interesting as it was believed that the NSA tampered with the s-boxes; Wikipedia has a good summary. Simple DES is weak and should no longer be used.
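The key exchange, authentication and encryption categories above can be applied mechanically to a list of suite names. The following Python sketch is an added example, not code from the report: it parses IANA-style names such as TLS_RSA_WITH_AES_128_CBC_SHA, flags the choices the report objects to (NULL, EXPORT, ADH, DES, RC2) and orders the remainder with DHE/ECDHE first. The function names and the sample list are constructed for illustration.

```python
WEAK_CIPHERS = {  # reasons are the report's own statements
    "NULL": "no encryption takes place",
    "DES": "simple DES is weak and should no longer be used",
    "DES40": "simple DES is weak and should no longer be used",
    "RC2": "RC2 is vulnerable to several attacks",
}
FORWARD_SECRET_KX = {"DHE", "ECDHE"}  # ephemeral Diffie-Hellman variants
COMBINED = {"RSA", "PSK", "KRB5"}     # key exchange and authentication in one


def parse_suite(name):
    """Split TLS_<kx>[_<auth>][_EXPORT]_WITH_<cipher>_..._<mac> into fields."""
    if "_WITH_" not in name:
        raise ValueError("not an IANA-style suite name: %r" % name)
    left, right = name.split("_WITH_", 1)
    parts = left.split("_")[1:]        # drop the TLS/SSL prefix
    export = "EXPORT" in parts
    parts = [p for p in parts if p != "EXPORT"]
    if len(parts) == 1 and parts[0] in COMBINED:
        kx = auth = parts[0]
    elif len(parts) == 2:
        kx, auth = parts
        if auth == "anon":             # TLS_DH_anon_* is the report's ADH
            kx, auth = "ADH", None
    else:
        raise ValueError("unrecognised key exchange in %r" % name)
    fields = right.split("_")
    return {"name": name, "kx": kx, "auth": auth, "export": export,
            "cipher": fields[0], "mac": fields[-1]}


def assess(name):
    """Attach a forward-secrecy flag and the report's objections to a suite."""
    suite = parse_suite(name)
    issues = []
    if suite["export"]:
        issues.append("EXPORT suite: arbitrarily small key size")
    if suite["kx"] == "ADH":
        issues.append("anonymous DH: open to active man-in-the-middle")
    if suite["cipher"] in WEAK_CIPHERS:
        issues.append(WEAK_CIPHERS[suite["cipher"]])
    suite["forward_secrecy"] = suite["kx"] in FORWARD_SECRET_KX
    suite["issues"] = issues
    return suite


def server_preference(names):
    """Drop suites with issues, then list forward-secret suites first."""
    usable = [s for s in map(assess, names) if not s["issues"]]
    usable.sort(key=lambda s: not s["forward_secrecy"])  # stable sort
    return [s["name"] for s in usable]


SAMPLE = [  # constructed input, not a list taken from the report
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]

if __name__ == "__main__":
    for result in map(assess, SAMPLE):
        print(result["name"], result["forward_secrecy"], result["issues"])
    print(server_preference(SAMPLE))
```
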

Minimum industry Encryption and Key length recommendations

This summary does not take into account the arrival of quantum computing; large quantum computers able to crack large keys are foreseen for 2014 by the ARDA and 2018 by Prof Lloyd [12]. Shor’s algorithm could then be used to break the RSA key sizes presented here below.

Recommended Asymmetric key 8102411141536102411521536Until 2012Minimum1976Recommended 2048204812292048Until til 2009Until

Recommended Symmetric key length

Period
Until 2009 Minimum -807480
Until 2010 Minimum -807580
Until 2012 Minimum -11276100
Until 2020 Minimum -11282100

Recommended Hashing algorithm and size

Period Type BSI NIST Lenstra
After 2009 -80148160 minimum
After 2010 -224150160 minimum
After 2012 SHA-224, SHA-256 SHA-384, SHA-512 224152256 minimum (SHA)
After 2020 -224163256 minimum

Client-side and Server-side Compatibility Overview

This section gives an overview of the current SSL/TLS capabilities across operating systems, clients (browsers) and servers (web servers). We conclude with advice on how to securely configure your SSL/TLS service and in particular which encryption, authentication and key exchange settings to use.

Throughout this document we will use the colour blue to indicate our recommended settings; this recommendation is based on compatibility and security.

Client-side: TLS / SSL Compatibility overview

In order to assess the SSL/TLS support of modern Internet browsers we had to take a look at the SSL engines they use. Some SSL stacks have capabilities that browsers do not make use of by default; the lists below only reflect real default browser usage.
- Chrome and Firefox use the NSS [18] engine
- IE5, 6, 7, 8 and Safari use Microsoft SCHANNEL [19]
- Opera and Safari (OSX) use custom SSL engines.

Default Protocol support

All browsers tested explicitly do not support SSLv2.

Protocol  NSS (1)  SCHANNEL (2)  SCHANNEL (3)                SCHANNEL (2)  Opera 10  Safari 4 (4)
          ALL OS   XP/2K/2003    7/2008R2                    Vista/2008    All OS    OSX
SSLv2     No       No            No                          No            No        No
SSLv3     Yes      Yes           Yes                         Yes           Yes       Yes
TLS 1.0   Yes      Yes           Yes                         Yes           Yes       Yes
TLS 1.1   No       No            Yes (disabled per default)  No            Yes       No
TLS 1.2   No       No            Yes (disabled per default)  No            Yes       No

Default Key exchange support

We recommend using Ephemeral Diffie Hellman paired with either RSA or DSS as

RSAECDHE-ECDSAECDH-ECDSAADHNSS1ALL esNoNoNoNoNoSCHANNEL SCHANNEL Opera 107/2008R23 Vista /20082All oNoNoNoNoNoSafari 44OSXYesYesYesNoNoNoNoNo

(1) Firefox, Google Chrome (New) – All OS
(2) IE 7 & IE 8 & Safari
(3) IE8 & IE9 (not Safari – see VISTA column for Safari 7/2008R2 support)

RSA support

The RSA public-key cryptosystem is an asymmetric encryption method; it can be used for signatures as well as encryption. In SSL/TLS RSA is used during key exchange (handshake). RSA bases its security on the length of the modulus that must be factored. The bigger the modulus, the harder it is to break the algorithm.

Browser supported RSA key size, DH and SRP [20]

These are the key sizes that are supported by major browsers; there is no client side restriction to use 1024 bit instead of 2048, and additionally 1024 bit are considered weak by today’s standards.

RSA Modulus  NSS (1)  SCHANNEL (2)  SCHANNEL (3)  SCHANNEL (2)  Opera 10  Safari 4 (4)
             ALL OS   XP/2K/2003    7/2008R2      Vista/2008    ALL OS    OSX
1024         Yes      Yes           Yes           Yes           Yes       Yes
2048         Yes      Yes           Yes           Yes           Yes       Yes
4096         Yes      Yes           Yes           Yes           Yes       Yes

Note: Generally no limit; 4k limit on client cert

Default supported Ciphers [21]

In order for this list to stay focused on best practices we list modern or strong ciphers

S128256256128128256168NSS1ALL OSYesYesNoYesYesYesYesSCHANNEL SCHANNELSCHANNEL Opera 10 Safari 44XP/2K/2003 2 7/2008R2 3 Vista /2008 2 ALL sYesYesYesYesNoNoNoNoNoNoNoNoNoNoYesYesYesYesYes

(1) Firefox, Google Chrome (New) – All OS
(2) IE 7 & IE 8 & Safari
(3) IE8 & IE9 (not Safari – see VISTA column for Safari 7/2008R2 support)

With heavy support from SSLLAB (Ivan Ristic)

Default ECC support

Elliptic curve cryptography is based on a discrete logarithm problem. ECC needs a smaller key size to achieve the same strength as RSA; as an example, an ECC 160-bit field offers the same resistance as a 1024-bit RSA modulus. This allows for smaller keys and offers improved performance. Unfortunately ECC is not widely supported in browsers as of yet, but certainly will be in the future. We are currently not aware of any certificate authority that allows you to buy ECC certificates.

Elliptic key cryptography

Curve size   NSS (1)  SCHANNEL (2)  SCHANNEL (3)  SCHANNEL (2)  Opera 10  Safari 4 (4)
             All OS   XP/2K/2003    7/2008R2      Vista/2008    ALL OS    OSX
P-256        Yes      No            Yes           Yes           No        No
P-348        Yes      No            Yes           Yes           No        No
P-521        Yes      No            No            Yes           No        No

(1) Firefox, Google Chrome (New) – All OS
(2) IE 7 & IE 8 & Safari
(3) IE8 & IE9 (not Safari – see VISTA column for Safari 7/2008R2 support)
(4) OSX

According to Microsoft, support for P521 mode has been removed from Windows 7 and 2008R2 due to not being part of the official NIST Suite B.

Server-Side: TLS / SSL Compatibility overview

Default protocol support

This matrix shows the protocol support of modern web servers. There is no reason to continue supporting SSLv2.

ProtocolSSLv2SSLv3TLS 1.0TLS 1.1IIS6 1YesYesYesNoIIS7 2YesYesYesYesIIS7.5 3YesYesYesYesmod ssl mod gnutlsYesNoYesYesYesNoYesJSSE 4YesYesYesNoNSS 5YesYesYesYesNoYes(disabled perdefault)TLS 1.2NoNoYesNo(disabled perdefault)Yes(disabled perdefault)

* See appendix on how to enable TLS 1.2 support on IIS 7.5

Default key exchange support

We recommend offering ephemeral Diffie Hellman paired with either RSA or DSS as signature

IIS6 1YesNoYesNoNoIIS7 2YesYesYesYesNoIIS7.5 3YesYesYesYesNoECDHE-ECDSANoYesYesYesNoNoNo (Default)ECDH-ECDSANoNoNoYesNoNoNo (Default)NoNoNoNoNoNoAlgorithmRSADHE-RSADH
