[OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet: Strong Protocols and Ciphers for TLS/SSL

Jim Manico jim.manico at owasp.org
Thu Jun 12 17:49:39 UTC 2014


Without ANY doubt, ephemeral cipher suites need to be prioritized ciphers.

David, can you propose specific changes and I'll update the wiki for 
you? Or can I get you a wiki account?

Aloha,
Jim



On 6/10/14, 6:45 AM, David Holmes wrote:
>
> Hm, no, never did get an answer.
>
> *From:*Jim Manico [mailto:jim.manico at owasp.org]
> *Sent:* Monday, June 09, 2014 10:09 PM
> *To:* David Holmes
> *Cc:* Torsten Gigler; owasp-cheat-sheets at lists.owasp.org
> *Subject:* Re: [OWASP-cheat-sheets] Transport Layer Protection Cheat 
> Sheet: Strong Protocols and Ciphers for TLS/SSL
>
> Did this get answered David?
>
> Aloha,
>
> --
>
> Jim Manico
>
> @Manicode
>
> (808) 652-3805
>
>
> On Jun 7, 2014, at 6:49 AM, David Holmes <d.holmes at f5.com> wrote:
>
>     Torsten,
>
>     Overall, very nice work!
>
>     I was a little surprised about the promotion of DHE over ECDHE
>     ciphers. Has the crypto community as a whole already demoted EC
>     ciphers? While some curves have been found to be suboptimal, is
>     that enough to eschew the CPU savings ECDHE is supposed to offer?
>
>     *From:* owasp-cheat-sheets-bounces at lists.owasp.org *On Behalf Of* Jim Manico
>     *Sent:* Friday, June 06, 2014 9:46 PM
>     *To:* Torsten Gigler; owasp-cheat-sheets at lists.owasp.org
>     *Subject:* Re: [OWASP-cheat-sheets] Transport Layer Protection
>     Cheat Sheet: Strong Protocols and Ciphers for TLS/SSL
>
>     Please go ahead and just edit that directly, I trust you –
>     anything else you can do to update the TLS Cheatsheet, please go
>     for it!
>
>     I’ll review when you are done.
>
>     Cool?
>
>     Aloha,
>
>     Jim
>
>     *From:* owasp-cheat-sheets-bounces at lists.owasp.org *On Behalf Of* Torsten Gigler
>     *Sent:* Tuesday, June 03, 2014 4:50 AM
>     *To:* owasp-cheat-sheets at lists.owasp.org
>     *Subject:* [OWASP-cheat-sheets] Transport Layer Protection Cheat
>     Sheet: Strong Protocols and Ciphers for TLS/SSL
>
>     Hi,
>
>     during the last months, I have done some research about how to
>     find a good Protocol and Cipher Policy for TLS/SSL.
>
>     The results are documented in Top 10 Developer Edition, in German
>     <https://www.owasp.org/index.php/Germany/Projekte/Top_10_fuer_Entwickler-2013/A6-Verlust_der_Vertraulichkeit_sensibler_Daten#tab=JAVA2>,
>     yet.
>
>     I'd like to discuss them here and add them in the Transport Layer
>     Protection Cheat Sheet.
>
>     Do you have any comments? Should I add my input in a new
>     'DRAFT:'-Copy of the document before transferring it to the Cheat
>     Sheet?
>
>     Perhaps you find more points that should be updated.
>
>
>     Kind Regards
>
>     Torsten
>
>
>     *Only Support Strong Cryptographic Ciphers:*
>
>     * use the very latest recommendations, they may be volatile these
>     days
>     * Secure length for cryptographic keys and parameters (like
>     DH-parameter) >=2048 bits or equivalent Elliptic Curves
>
>     Example for a Policy to get a Whitelist for recommended Ciphers:
>     * Activate to set the Cipher Order by the Server
>     * Highest Priority for Ciphers that support 'Forward Secrecy'
>     * Favor DHE over ECDHE; ECDHE now lacks really reliable
>     Elliptic Curves, cf. http://safecurves.cr.yp.to
>     * Use RSA-Keys (no DSA/DSS, cf.
>     https://projectbullrun.org/dual-ec/tls.html)
>     * Favor GCM over CBC regardless of the cipher size
>     * Prioritize the ciphers by the sizes of the Cipher and the MAC
>     * Disable weak ciphers without disabling latency browsers and bots
>     that have to be supported (find the best compromise), actually the
>     cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) does this job.
>     * Ciphers should be usable for DH-Parameters >= 2048 bits, without
>     blocking latency browsers (The cipher ‘DHE-RSA-AES128-SHA’ is
>     suppressed as some browsers like to use it but are not capable to
>     cope with DH-Params > 1024 bits.)
>
>     * Define a Cipher String that works with different Versions of
>     your encryption tool, like openssl,
>     * Verify your cipher string
>       ° with an audit tool, like OWASP 'O-Saft'
>     <https://www.owasp.org/index.php/O-Saft>
>       ° listing it manually with your encryption software, e.g.
>     openssl ciphers -v <cipher-string> (the result may differ by
>     version), e.g.: openssl ciphers -v
>     'EDH+aRSA+AESGCM:EDH+aRSA+AES:DHE-RSA-AES256-SHA:EECDH+aRSA+AESGCM:EECDH+aRSA+AES:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES+SHA:DES-CBC3-SHA:-DHE-RSA-AES128-SHA'
>     #add optionally
>     ':!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA'
>     to protect older Versions of OpenSSL
>
>     * This results in these recommended Ciphers and their Order:
>
>     0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
>
>     0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
>
>     0x00,0x6B - DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
>
>     0x00,0x39 - DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
>
>     0x00,0x67 - DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
>
>     0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
>
>     0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
>
>     0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
>
>     0xC0,0x14 - ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
>
>     0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
>
>     0xC0,0x13 - ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
>
>     0x00,0x9D - AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
>
>     0x00,0x9C - AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
>
>     0x00,0x35 - AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
>
>     0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
>
>     0x00,0x0A - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
>
>     Remarks:
>     - According to my research the most common browsers should be supported with this setting, too.
>     - Monitor the performance of your server, e.g. the TLS handshake with DHE hinders the CPU about 2.4 times more than ECDHE (cf. [Vincent Bernat, 2011] <http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks>)
>
>
>     *One additional Point:*
>     I'd like to launch also a discussion if we should find references
>     to good practices that are not dependent on Documents from NIST.
>
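
An added example, not part of the original thread or of the cheat sheet: a Python check that parses `openssl ciphers -v` (or `-V`) output and flags departures from the policy rules in the quoted proposal (forward secrecy first, GCM ahead of CBC within each key exchange, RSA authentication, no excluded primitives, the suppressed `DHE-RSA-AES128-SHA` absent). The sample lists, the rule names and the `audit` function are constructed for illustration; the DHE-versus-ECDHE order debated in the thread is deliberately not checked.

```python
import re

# Constructed samples in `openssl ciphers -v` / `-V` output format.
GOOD = """\
0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
0xC0,0x13 - ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
0x00,0x9D - AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x0A - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""
BAD = """\
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
"""

# Optional hex prefix, then: name, protocol, Kx=, Au=, Enc=NAME(bits), Mac=
LINE = re.compile(r"(?:0x\S+\s+-\s+)?(\S+)\s+\S+\s+Kx=(\S+)\s+Au=(\S+)"
                  r"\s+Enc=([^(\s]+)\S*\s+Mac=(\S+)")
BANNED_ENC = {"None", "RC4", "DES", "SEED", "IDEA", "RC2"}

def audit(text, suppressed=("DHE-RSA-AES128-SHA",)):
    """Return (cipher, rule) findings for a server-preference cipher list."""
    findings, seen_static, seen_non_gcm = [], False, set()
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        name, kx, au, enc, mac = m.groups()
        fs = kx in ("DH", "ECDH")   # ephemeral key exchange = forward secrecy
        if fs and seen_static:
            findings.append((name, "fs-below-static"))
        seen_static = seen_static or not fs
        if enc == "AESGCM" and kx in seen_non_gcm:
            findings.append((name, "gcm-below-cbc"))
        elif enc != "AESGCM":
            seen_non_gcm.add(kx)
        if au != "RSA":
            findings.append((name, "non-rsa-auth"))
        if enc in BANNED_ENC or mac == "MD5":
            findings.append((name, "weak-primitive"))
        if name in suppressed:
            findings.append((name, "suppressed-cipher"))
    return findings

if __name__ == "__main__":
    for cipher, rule in audit(BAD):
        print(f"{rule:18} {cipher}")
```

To audit a real configuration, pass the captured output of `openssl ciphers -v '<cipher-string>'` from the target OpenSSL version to `audit()`, since the expansion differs by version.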
