[OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet: Strong Protocols and Ciphers for TLS/SSL

Torsten Gigler torsten.gigler at owasp.org
Thu Jun 12 20:07:28 UTC 2014


Hi David,

sorry for the delay of my answer, I had been offline the last 8 days.

I'd like to say that I am not a cryptographic specialist. The last months I read what I could find
about Ciphers that remain to be usable these days.

So the issue with ECDHE is that there are no(!) really reliable Elliptic Curves, cf.
http://safecurves.cr.yp.to;
http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8.

The most promising candidate is https://tools.ietf.org/html/draft-josefsson-tls-curve25519-05

Could you verify the results of [Vincent Bernat, 2011]
<http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks> with your
systems, that the TLS handshake with DHE hinders the CPU about 2.4 times more than ECDHE?
If there are any performance issues I'd recommend to invert the rule "Prioritize the ciphers by the
sizes of the Cipher and the MAC".
So I think you could start with DHE-RSA-AES128-GCM-SHA256, or DHE-RSA-AES128-SHA256.
If you do so, please check also for a good cipher string that is usable by different versions of
openssl (1.0.1 and 0.9.8-families).
I did it with some versions manually and Aaron from ach at lists.cert.at (bettercrypto.org) tested it
with all automatically compiled versions.
 
Is it generally OK for you to promote DHE over ECDHE ciphers? Or do you see any practical issues?

Kind regards
Torsten

On 12.06.2014 19:49, Jim Manico wrote:
> Without ANY doubt, ephemeral cipher suites need to be prioritized ciphers.
>
> David, can you propose specific changes and I'll update the wiki for you? Or can I get you a wiki
> account?
>
> Aloha,
> Jim
>
>
>
> On 6/10/14, 6:45 AM, David Holmes wrote:
>>
>> Hm, no never did an answer.
>>
>>  
>>
>> *From:*Jim Manico [mailto:jim.manico at owasp.org]
>> *Sent:* Monday, June 09, 2014 10:09 PM
>> *To:* David Holmes
>> *Cc:* Torsten Gigler; owasp-cheat-sheets at lists.owasp.org
>> *Subject:* Re: [OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet: Strong Protocols and
>> Ciphers for TLS/SSL
>>
>>  
>>
>> Did this get answered David?
>>
>>  
>>
>> Aloha,
>>
>> --
>>
>> Jim Manico
>>
>> @Manicode
>>
>> (808) 652-3805
>>
>>
>> On Jun 7, 2014, at 6:49 AM, David Holmes <d.holmes at f5.com> wrote:
>>
>>     Torsten,
>>
>>      
>>
>>     Overall, very nice work!
>>
>>      
>>
>>     I was a little surprised about the promotion of DHE over ECDHE ciphers. Has the crypto
>>     community as a whole already demoted EC ciphers? While some curves have been found to be
>>     suboptimal, is that enough to eschew the CPU savings ECDHE is supposed to offer?
>>
>>      
>>
>>     *From:* owasp-cheat-sheets-bounces at lists.owasp.org *On Behalf Of* Jim Manico
>>     *Sent:* Friday, June 06, 2014 9:46 PM
>>     *To:* Torsten Gigler; owasp-cheat-sheets at lists.owasp.org
>>     *Subject:* Re: [OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet: Strong Protocols
>>     and Ciphers for TLS/SSL
>>
>>      
>>
>>     Please go ahead and just edit that directly, I trust you – anything else you can do to update
>>     the TLS Cheatsheet, please go for it!
>>
>>      
>>
>>     I’ll review when you are done.
>>
>>      
>>
>>     Cool?
>>
>>      
>>
>>     Aloha,
>>
>>     Jim
>>
>>      
>>
>>     *From:* owasp-cheat-sheets-bounces at lists.owasp.org *On Behalf Of* Torsten Gigler
>>     *Sent:* Tuesday, June 03, 2014 4:50 AM
>>     *To:* owasp-cheat-sheets at lists.owasp.org
>>     *Subject:* [OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet: Strong Protocols and
>>     Ciphers for TLS/SSL
>>
>>      
>>
>>     Hi,
>>
>>     during the last months, I have done some research about how to find a good Protocol and
>>     Cipher Policy for TLS/SSL.
>>
>>     The results are documented in Top 10 Developer Edition, in German
>>     <https://www.owasp.org/index.php/Germany/Projekte/Top_10_fuer_Entwickler-2013/A6-Verlust_der_Vertraulichkeit_sensibler_Daten#tab=JAVA2>,
>>     yet.
>>
>>     I'd like to discuss them here and add them in the Transport Layer Protection Cheat Sheet.
>>
>>     Do you have any comments? Should I add my input in a new 'DRAFT:'-Copy of the document before
>>     transferring it to the Cheat Sheet?
>>
>>     Perhaps you find more points that should be updated.
>>
>>
>>     Kind Regards
>>
>>     Torsten
>>
>>
>>     *Only Support Strong Cryptographic Ciphers:*
>>
>>     * use the very latest recommendations, they may be volatile these days
>>     * Secure length for cryptographic keys and parameters (like DH-parameter) >=2048 bits or
>>     equivalent Elliptic Curves
>>
>>     Example for a Policy to get a Whitelist for recommended Ciphers:
>>     * Activate to set the Cipher Order by the Server
>>     * Highest Priority for Ciphers that support 'Forward Secrecy'
>>     * Favor DHE over ECDHE, ECDHE now lacks really reliable Elliptic Curves, cf.
>>     http://safecurves.cr.yp.to
>>     * Use RSA-Keys (no DSA/DSS, cf. https://projectbullrun.org/dual-ec/tls.html)
>>     * Favor GCM over CBC regardless of the cipher size
>>     * Prioritize the ciphers by the sizes of the Cipher and the MAC
>>     * Disable weak ciphers without disabling latency browsers and bots that have to be supported
>>     (find the best compromise), actually the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) does this
>>     job.
>>     * Ciphers should be usable for DH-Parameters >= 2048 bits, without blocking latency browsers
>>     (The cipher ‘DHE-RSA-AES128-SHA’ is suppressed as some browsers like to use it but are not
>>     capable to cope with DH-Params > 1024 bits.)
>>
>>     * Define a Cipher String that works with different Versions of your encryption tool, like
>>     openssl,
>>     * Verify your cipher string
>>       ° with an audit tool, like OWASP 'O-Saft' <https://www.owasp.org/index.php/O-Saft>
>>       ° listing it manually with your encryption software, e.g. openssl ciphers -v
>>     <cipher-string> (the result may differ by version), e.g.:
>>     openssl ciphers -v 'EDH+aRSA+AESGCM:EDH+aRSA+AES:DHE-RSA-AES256-SHA:EECDH+aRSA+AESGCM:EECDH+aRSA+AES:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES+SHA:DES-CBC3-SHA:-DHE-RSA-AES128-SHA'
>>     #add optionally ':!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' to
>>     protect older Versions of OpenSSL
>>
>>     * This results in these recommended Ciphers and their Order:
>>
>>     0x00,0x9F - DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(256) Mac=AEAD
>>     0x00,0x9E - DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(128) Mac=AEAD
>>     0x00,0x6B - DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA256
>>     0x00,0x39 - DHE-RSA-AES256-SHA          SSLv3   Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA1
>>     0x00,0x67 - DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(128)    Mac=SHA256
>>     0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
>>     0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
>>     0xC0,0x28 - ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA384
>>     0xC0,0x14 - ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA1
>>     0xC0,0x27 - ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA256
>>     0xC0,0x13 - ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
>>     0x00,0x9D - AES256-GCM-SHA384           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(256) Mac=AEAD
>>     0x00,0x9C - AES128-GCM-SHA256           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(128) Mac=AEAD
>>     0x00,0x35 - AES256-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
>>     0x00,0x2F - AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
>>     0x00,0x0A - DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
>>
>>     Remarks:
>>     - According to my research the most common browsers should be supported with this setting, too.
>>     - Monitor the performance of your server, e.g. the TLS handshake with DHE hinders the CPU about 2.4 times more than ECDHE (cf. [Vincent Bernat, 2011] <http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks>)
>>
>>
>>     *One additional Point:*
>>     I'd like to launch also a discussion if we should find references to good practices that are
>>     not dependent on Documents from NIST.
>>
>
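
The ordering rules of the policy quoted above, written as a check over `openssl ciphers -v` output. This is an added example, not part of the original thread: `parse`, `audit`, `ROW` and `KX_RANK` are hypothetical names, the embedded listing is the one posted in the thread with the hex codes dropped, and the `Kx=DH` / `Kx=ECDH` / `Kx=RSA` column values are assumed to look as they do there.

```python
import re

# `openssl ciphers -v` listing posted in the thread (hex codes dropped),
# embedded so the check runs without a local OpenSSL.
LISTING = """\
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""
ROW = re.compile(r"(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\w+)\((\d+)\)")
KX_RANK = {"DH": 0, "ECDH": 1, "RSA": 2}  # thread's policy: DHE, ECDHE, then RSA

def parse(listing):
    """One dict per cipher line, in the order OpenSSL would prefer them."""
    keys = ("name", "proto", "kx", "au", "enc", "bits")
    rows = (ROW.search(line) for line in listing.splitlines())
    return [dict(zip(keys, m.groups())) for m in rows if m]

def audit(listing):
    """Return policy violations found in the listing; empty means compliant."""
    suites, issues = parse(listing), []
    ranks = [KX_RANK.get(s["kx"], 3) for s in suites]
    if ranks != sorted(ranks):
        issues.append("key exchange order is not DHE, ECDHE, RSA")
    for s in suites:
        if s["au"] != "RSA":
            issues.append(f"{s['name']}: Au={s['au']}, policy wants RSA keys")
        if s["name"] == "DHE-RSA-AES128-SHA":
            issues.append(f"{s['name']}: should be suppressed by the string")
    for kx in KX_RANK:
        encs = [s["enc"] for s in suites if s["kx"] == kx]
        if encs != sorted(encs, key=lambda e: e != "AESGCM"):
            issues.append(f"Kx={kx}: a non-GCM suite precedes a GCM suite")
    return issues
```

To check a particular OpenSSL build, pass the text printed by `openssl ciphers -v '<cipher-string>'` to `audit`; as the thread notes, the result may differ by version.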
