[OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet: Strong Protocols and Ciphers for TLS/SSL

Jim Manico jim.manico at owasp.org
Sat Jun 7 03:46:09 UTC 2014


Please go ahead and just edit that directly, I trust you – anything else
you can do to update the TLS Cheatsheet, please go for it!



I’ll review when you are done.



Cool?



Aloha,

Jim



*From:* owasp-cheat-sheets-bounces at lists.owasp.org [mailto:
owasp-cheat-sheets-bounces at lists.owasp.org] *On Behalf Of *Torsten Gigler
*Sent:* Tuesday, June 03, 2014 4:50 AM
*To:* owasp-cheat-sheets at lists.owasp.org
*Subject:* [OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet:
Strong Protocols and Ciphers for TLS/SSL



Hi,

during the last months, I have done some research about how to find a
good Protocol and Cipher Policy for TLS/SSL.

The results are documented in Top 10 Developer Edition, in German
<https://www.owasp.org/index.php/Germany/Projekte/Top_10_fuer_Entwickler-2013/A6-Verlust_der_Vertraulichkeit_sensibler_Daten#tab=JAVA2>,
yet.

I'd like to discuss them here and add them in the Transport Layer
Protection Cheat Sheet.

Do you have any comments? Should I add my input in a new 'DRAFT:'-Copy of
the document before transferring it to the Cheat Sheet?

Perhaps you find more points that should be updated.


Kind Regards

Torsten



*Only Support Strong Cryptographic Ciphers:*
…

* use the very latest recommendations, they may be volatile these days
* Secure length for cryptographic keys and parameters (like DH-parameter)
>=2048 bits or equivalent Elliptic Curves

Example for a Policy to get a Whitelist for recommended Ciphers:
* Activate to set the Cipher Order by the Server
* Highest Priority for Ciphers that support 'Forward Secrecy'
* Favor DHE over ECDHE, ECDHE now lacks really reliable Elliptic Curves,
cf. http://safecurves.cr.yp.to;
* Use RSA-Keys (no DSA/DSS, cf. https://projectbullrun.org/dual-ec/tls.html)
* Favor GCM over CBC regardless of the cipher size
* Prioritize the ciphers by the sizes of the Cipher and the MAC
* Disable weak ciphers without disabling latency browsers and bots that have
to be supported (find the best compromise), actually the cipher
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) does this job.
* Ciphers should be usable for DH-Parameters >= 2048 bits, without blocking
latency browsers (The cipher 'DHE-RSA-AES128-SHA' is suppressed as some
browsers like to use it but are not capable to cope with DH-Params > 1024
bits.)

* Define a Cipher String that works with different Versions of your
encryption tool, like openssl,
* Verify your cipher string
  ° with an audit-tool, like OWASP 'O-Saft'
<https://www.owasp.org/index.php/O-Saft>
  ° listing it manually with your encryption software, e.g. openssl ciphers
-v <cipher-string> (the result may differ by version), e.g.:

    openssl ciphers -v 'EDH+aRSA+AESGCM:EDH+aRSA+AES:DHE-RSA-AES256-SHA:EECDH+aRSA+AESGCM:EECDH+aRSA+AES:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES+SHA:DES-CBC3-SHA:-DHE-RSA-AES128-SHA'

    #add optionally ':!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' to protect older Versions of OpenSSL

* This results in these recommended Ciphers and their Order:

0x00,0x9F - DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x6B - DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA256
0x00,0x39 - DHE-RSA-AES256-SHA          SSLv3   Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA1
0x00,0x67 - DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(128)    Mac=SHA256
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x28 - ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA384
0xC0,0x14 - ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA1
0xC0,0x27 - ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA256
0xC0,0x13 - ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
0x00,0x9D - AES256-GCM-SHA384           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9C - AES128-GCM-SHA256           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x35 - AES256-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
0x00,0x2F - AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
0x00,0x0A - DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1

Remarks:
- According to my research the most common browsers should be
supported with this setting, too.
- Monitor the performance of your server, e.g. the TLS handshake with
DHE hinders the CPU about 2.4 times more than ECDHE (cf. [Vincent Bernat,
2011] <http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks>)


*One additional Point:*
I'd like to launch also a discussion if we should find references to good
practices that are not dependent on Documents from NIST.
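
A way to check a cipher listing in the format shown above against the ordering rules of the proposed policy, as an added example that is not part of the original messages. The names `parse`, `audit` and the rule constants are hypothetical, and the GCM-before-CBC rule is applied within each key-exchange group, which is an assumption based on how the posted order reads.

```python
import re

# Listing as given in the post: id, name, protocol, Kx, Au, Enc, Mac.
LISTING = """\
0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x6B - DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
0x00,0x39 - DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
0x00,0x67 - DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
0xC0,0x14 - ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
0xC0,0x13 - ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
0x00,0x9D - AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9C - AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x35 - AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
0x00,0x2F - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
0x00,0x0A - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""
FIELDS = ("id", "name", "proto", "kx", "au", "enc", "mac")
ROW = re.compile(r"\s*(0x\w\w,0x\w\w) - (\S+)\s+(\S+)\s+Kx=([^\s(]+)\S*\s+Au=(\S+)"
                 r"\s+Enc=([^\s(]+)\S*\s+Mac=(\S+)")
EXCLUDED_ENC = {"None", "RC4", "DES", "SEED", "IDEA"}  # from the post's '!' list
KX_RANK = {"DH": 0, "ECDH": 1, "RSA": 2}  # DHE first, then ECDHE, then no FS

def parse(listing):
    rows = (ROW.match(line) for line in listing.splitlines())
    return [dict(zip(FIELDS, m.groups())) for m in rows if m]

def audit(suites):
    """Return policy violations; an empty list means the listing conforms."""
    problems = []
    for s in suites:
        if s["name"] == "DHE-RSA-AES128-SHA":
            problems.append("DHE-RSA-AES128-SHA is not suppressed")
        if s["au"] != "RSA":
            problems.append(f"{s['name']}: Au={s['au']}, policy wants RSA keys")
        if s["enc"] in EXCLUDED_ENC or s["mac"] == "MD5":
            problems.append(f"{s['name']}: excluded cipher or MAC")
    ranks = [KX_RANK.get(s["kx"], 3) for s in suites]
    if ranks != sorted(ranks):
        problems.append("key exchange order is not DHE, ECDHE, RSA")
    for kx in KX_RANK:
        gcm = [s["enc"] == "AESGCM" for s in suites if s["kx"] == kx]
        if gcm != sorted(gcm, reverse=True):
            problems.append(f"Kx={kx}: a CBC suite is ranked above a GCM suite")
    return problems
```

Feeding `audit(parse(...))` the listing produced by each OpenSSL version in use shows whether the same cipher string still expands to a conforming order there.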