[OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet: Strong Protocols and Ciphers for TLS/SSL

Torsten Gigler torsten.gigler at owasp.org
Tue Jun 3 14:50:04 UTC 2014


During the last months, I have done some research about how to find a
good Protocol and Cipher Policy for TLS/SSL.
The results are documented in Top 10 Developer Edition, in German.

I'd like to discuss them here and add them in the Transport Layer
Protection Cheat Sheet.
Do you have any comments? Should I add my input in a new 'DRAFT:'-Copy of
the document before transferring it to the Cheat Sheet?
Perhaps you find more points that should be updated.

Kind Regards

*Only Support Strong Cryptographic Ciphers:*

* use the very latest recommendations, they may be volatile these days
* Secure length for cryptographic keys and parameters (like DH-parameter)
>=2048 bits or equivalent Elliptic Curves

Example for a Policy to get a Whitelist for recommended Ciphers:
* Activate to set the Cipher Order by the Server
* Highest Priority for Ciphers that support 'Forward Secrecy'
* Favor DHE over ECDHE, ECDHE lacks now of really reliable Elliptic Curves,
cf. http://safecurves.cr.yp.to;
* Use RSA-Keys (no DSA/DSS, cf. https://projectbullrun.org/dual-ec/tls.html)
* Favor GCM over CBC regardless of the cipher size
* Prioritize the ciphers by the sizes of the Cipher and the MAC
* Disable weak ciphers without disabling latency browsers and bots that have
to be supported (find the best compromise), actually the cipher
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) does this job.
* Ciphers should be usable for DH-Parameters >= 2048 bits, without blocking
latency browsers (The cipher ‘DHE-RSA-AES128-SHA’ is suppressed as some
browsers like to use it but are not capable to cope with DH-Params > 1024)
* Define a Cipher String that works with different Versions of your encryption
tool, like openssl,
* Verify your cipher string
  ° with an audit tool, like OWASP 'O-Saft'
  ° listing it manually with your encryption software, e.g. openssl ciphers
-v <cipher-string> (the result may differ by version), e.g.: openssl
ciphers -v
#add optionally
protect older Versions of OpenSSL

* This results in these recommended Ciphers and their Order:

0x00,0x9F - DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x6B - DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA256
0x00,0x39 - DHE-RSA-AES256-SHA          SSLv3   Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA1
0x00,0x67 - DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(128)    Mac=SHA256
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x28 - ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA384
0xC0,0x14 - ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA1
0xC0,0x27 - ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA256
0xC0,0x13 - ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
0x00,0x9D - AES256-GCM-SHA384           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9C - AES128-GCM-SHA256           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x35 - AES256-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
0x00,0x2F - AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
0x00,0x0A - DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1

- According to my research the most common browsers should be
supported with this setting, too.
- Monitor the performance of your server, e.g. the TLS handshake with
DHE hinders the CPU about 2.4 times more than ECDHE (cf. [Vincent Bernat,
2011] <http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks>)

*One additional Point:*
I'd like to launch also a discussion if we should find references to good
practices that are not dependent on Documents from NIST.
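
Added example (not part of the original post, and not OWASP or O-Saft code): a Python check that parses cipher lines in the format quoted in the message and reports where a listing departs from the ordering policy described there. The function names, the ranking tables and the treatment of 3DES as a last-resort fallback after all AES suites are assumptions of this sketch; the embedded listing is an excerpt of the one in the post.

```python
import re

# Excerpt of the cipher listing quoted in the post (whitespace collapsed).
LISTING = """\
0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x6B - DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
0x00,0x39 - DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x13 - ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
0x00,0x9C - AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x2F - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
0x00,0x0A - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""

ROW = re.compile(r"^\S+\s+-\s+(?P<name>\S+)\s+\S+\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
                 r"\s+Enc=(?P<enc>[^\s(]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)")
KX_RANK = {"DH": 0, "ECDH": 1, "RSA": 2}   # forward secrecy first, DHE before ECDHE
MAC_RANK = {"AEAD": 0, "SHA384": 1, "SHA256": 2, "SHA1": 3}
ENC_OK = {"AESGCM", "AES", "3DES"}

def parse(listing):
    rows = []
    for line in filter(None, map(str.strip, listing.splitlines())):
        m = ROW.match(line)
        if not m:
            raise ValueError(f"unrecognised line: {line!r}")
        rows.append(m.groupdict())
    return rows

def policy_key(c):
    # Assumption: 3DES is the compatibility fallback and sorts after every AES suite.
    return (KX_RANK.get(c["kx"], 9), c["enc"] != "AESGCM", c["enc"] == "3DES",
            -int(c["bits"]), MAC_RANK.get(c["mac"], 9))

def audit(listing):
    """Return findings where a listing departs from the ordering policy."""
    rows, findings = parse(listing), []
    for c in rows:
        if c["au"] != "RSA" or c["kx"] not in KX_RANK or c["enc"] not in ENC_OK:
            findings.append(f"{c['name']}: outside the whitelist policy")
        if c["name"] == "DHE-RSA-AES128-SHA":
            findings.append(f"{c['name']}: suppressed by the policy")
    for a, b in zip(rows, rows[1:]):
        if policy_key(a) > policy_key(b):
            findings.append(f"{b['name']} should precede {a['name']}")
    return findings

if __name__ == "__main__":
    print(audit(LISTING) or "order matches the policy")
```

Feed it the output of your own cipher listing to see whether the server-side order still follows the policy after an OpenSSL upgrade.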