[OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet: Strong Protocols and Ciphers for TLS/SSL

David Holmes d.holmes at f5.com
Sat Jun 7 13:49:54 UTC 2014


Overall, very nice work!

I was a little surprised about the promotion of DHE over ECDHE ciphers. Has the crypto community as a whole already demoted EC ciphers? While some curves have been found to be suboptimal, is that enough to eschew the CPU savings ECDHE is supposed to offer?

From: owasp-cheat-sheets-bounces at lists.owasp.org [mailto:owasp-cheat-sheets-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Friday, June 06, 2014 9:46 PM
To: Torsten Gigler; owasp-cheat-sheets at lists.owasp.org
Subject: Re: [OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet: Strong Protocols and Ciphers for TLS/SSL

Please go ahead and just edit that directly, I trust you – anything else you can do to update the TLS Cheatsheet, please go for it!

I’ll review when you are done.



From: owasp-cheat-sheets-bounces at lists.owasp.org [mailto:owasp-cheat-sheets-bounces at lists.owasp.org] On Behalf Of Torsten Gigler
Sent: Tuesday, June 03, 2014 4:50 AM
To: owasp-cheat-sheets at lists.owasp.org
Subject: [OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet: Strong Protocols and Ciphers for TLS/SSL

During the last months, I have done some research on how to find a good Protocol and Cipher Policy for TLS/SSL.
The results are documented in Top 10 Developer Edition, in German<https://www.owasp.org/index.php/Germany/Projekte/Top_10_fuer_Entwickler-2013/A6-Verlust_der_Vertraulichkeit_sensibler_Daten#tab=JAVA2>, so far.
I'd like to discuss them here and add them in the Transport Layer Protection Cheat Sheet.
Do you have any comments? Should I add my input in a new 'DRAFT:'-Copy of the document before transferring it to the Cheat Sheet?
Perhaps you find more points that should be updated.

Kind Regards

Only Support Strong Cryptographic Ciphers:

* use the very latest recommendations, they may be volatile these days
* Secure length for cryptographic keys and parameters (like DH-parameter) >=2048 bits or equivalent Elliptic Curves

Example for a Policy to get a Whitelist for recommended Ciphers:
* Activate to set the Cipher Order by the Server
* Highest Priority for Ciphers that support 'Forward Secrecy'
* Favor DHE over ECDHE, ECDHE now lacks really reliable Elliptic Curves, cf. http://safecurves.cr.yp.to;
* Use RSA-Keys (no DSA/DSS, cf. https://projectbullrun.org/dual-ec/tls.html)
* Favor GCM over CBC regardless of the cipher size
* Prioritize the ciphers by the sizes of the Cipher and the MAC
* Disable weak ciphers without disabling legacy browsers and bots that have to be supported (find the best compromise), actually the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) does this job.
* Ciphers should be usable for DH-Parameters >= 2048 bits, without blocking legacy browsers (The cipher ‘DHE-RSA-AES128-SHA’ is suppressed as some browsers like to use it but are not capable of coping with DH-Params > 1024 bits.)
* Define a Cipher String that works with different Versions of your encryption tool, like openssl,
* Verify your cipher string
  ° with an audit tool, like OWASP 'O-Saft'<https://www.owasp.org/index.php/O-Saft>
  ° listing it manually with your encryption software, e.g. openssl ciphers -v <cipher-string> (the result may differ by version), e.g.:
    openssl ciphers -v 'EDH+aRSA+AESGCM:EDH+aRSA+AES:DHE-RSA-AES256-SHA:EECDH+aRSA+AESGCM:EECDH+aRSA+AES:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES+SHA:DES-CBC3-SHA:-DHE-RSA-AES128-SHA'
    #add optionally ':!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' to protect older Versions of OpenSSL

* This results in these recommended Ciphers and their Order:

0x00,0x9F - DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x6B - DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA256
0x00,0x39 - DHE-RSA-AES256-SHA          SSLv3   Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA1
0x00,0x67 - DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(128)    Mac=SHA256
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x28 - ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA384
0xC0,0x14 - ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA1
0xC0,0x27 - ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA256
0xC0,0x13 - ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
0x00,0x9D - AES256-GCM-SHA384           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9C - AES128-GCM-SHA256           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x35 - AES256-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
0x00,0x2F - AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
0x00,0x0A - DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1

- According to my research the most common browsers should be supported with this setting, too.
- Monitor the performance of your server, e.g. the TLS handshake with DHE hinders the CPU about 2.4 times more than ECDHE (cf. [Vincent Bernat, 2011]<http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks>)

One additional Point:
I'd like to also launch a discussion on whether we should find references to good practices that are not dependent on Documents from NIST.
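
The "Verify your cipher string" step above can be automated. The following is an added example, not part of the original messages or of any OWASP tool: it parses `openssl ciphers -v`/`-V` output and reports rows that break the policy proposed in the thread. The function names and the encoding of the policy as a rank (DHE, then ECDHE, then RSA; GCM before CBC within each) are assumptions made for this sketch.

```python
import re

# Priority stated in the message: DHE first, then ECDHE, then plain RSA key exchange.
KX_RANK = {"DH": 0, "ECDH": 1, "RSA": 2}
SUPPRESSED = {"DHE-RSA-AES128-SHA"}          # removed by '-DHE-RSA-AES128-SHA'
WEAK_ENC = {"None", "RC4", "SEED", "IDEA"}   # from the optional '!eNULL:!RC4:...' tail
ROW = re.compile(r"(?:0x[0-9A-Fa-f]{2},0x[0-9A-Fa-f]{2}\s+-\s+)?(\S+)\s+(\S+)"
                 r"\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=([^\s(]+)(?:\((\d+)\))?\s+Mac=(\S+)")

def parse(listing):
    """Parse `openssl ciphers -v` or `-V` rows into dicts, preserving order."""
    keys = ("name", "proto", "kx", "au", "enc", "bits", "mac")
    rows = (ROW.match(line.strip()) for line in listing.splitlines())
    return [dict(zip(keys, m.groups())) for m in rows if m]

def audit(listing):
    """Return policy violations; an empty list means the listing complies."""
    findings, prev = [], (-1, -1)
    for c in parse(listing):
        if c["name"] in SUPPRESSED:
            findings.append(f"{c['name']}: suppressed cipher is enabled")
        if c["au"] != "RSA":
            findings.append(f"{c['name']}: Au={c['au']}, policy wants RSA keys")
        if c["enc"] in WEAK_ENC:
            findings.append(f"{c['name']}: weak encryption Enc={c['enc']}")
        if c["kx"] not in KX_RANK:
            findings.append(f"{c['name']}: unexpected Kx={c['kx']}")
            continue
        # Rank = (key exchange, GCM/AEAD before CBC); priority must never increase again.
        rank = (KX_RANK[c["kx"]], 0 if c["mac"] == "AEAD" else 1)
        if rank < prev:
            findings.append(f"{c['name']}: listed after a lower-priority cipher")
        prev = max(prev, rank)
    return findings

# Rows copied from the listing in the message (subset, original order).
PAGE_ROWS = """\
0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x39 - DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x0A - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""
# Constructed non-compliant listing in plain `-v` format (no hex prefix).
BAD_ROWS = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(128) Mac=AEAD
"""
print(audit(PAGE_ROWS), audit(BAD_ROWS))
```

Feed it the real output of `openssl ciphers -V '<cipher-string>'` from each OpenSSL version you deploy, since the expansion of the same string differs by version.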