[OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet: Strong Protocols and Ciphers for TLS/SSL

David Holmes d.holmes at f5.com
Mon Jun 16 15:58:56 UTC 2014


Sorry for my delay. I checked around F5 and we’re neutral on the issue of DHE vs ECDHE. So we are okay with this ciphers as you proposed them (at least in that regards)

From: Torsten Gigler [mailto:torsten.gigler at owasp.org]
Sent: Thursday, June 12, 2014 2:07 PM
To: David Holmes
Cc: Jim Manico; owasp-cheat-sheets at lists.owasp.org
Subject: Re: [OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet: Strong Protocols and Ciphers for TLS/SSL

Hi David,

sorry for the delay of my answer, I had been offline the last 8 days.

I'd like to say that I am not a cryptographic specialist. The last months I read what I could find about Ciphers that remain to be usable these days.

So the issue with ECDHE is that there are no(!) really reliable Elliptic Curves, cf. http://safecurves.cr.yp.to;
http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8,

The most promising candidate is https://tools.ietf.org/html/draft-josefsson-tls-curve25519-05

Could you verity the results of [Vincent Bernat, 2011]<http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks> with your systems that the TLS handshake with DHE hinders the CPU abt 2.4 times than ECDHE?
If there are any performance issues I'd recommend to invert the Rule "Priorize the ciphers by the sizes of the Cipher and the MAC"
So I think you could start with DHE-RSA-AES128-GCM-SHA256, or DHE-RSA-AES128-SHA256.
If you do so, please check also for a good cipher string that is usable by different versions of openssl (1.0.1 and 0.9.8-families).
I did it with some versions manually and Aaron from ach at lists.cert.at<mailto:ach at lists.cert.at> (bettercrypto.org) tested it with all automatically compiled versions.

Is it generally OK for you to promote DHE over ECDHE ciphers? Or do you see any practical issues?

Kind regards
Torsten

Am 12.06.2014 19:49, schrieb Jim Manico:
Without ANY doubt, ephemeral cipher suites need to be prioritized ciphers.

David, can you propose specific changes and I'll update the wiki for you? Or can I get you a wiki account?

Aloha,
Jim

On 6/10/14, 6:45 AM, David Holmes wrote:
Hm, no never did an answer.

From: Jim Manico [mailto:jim.manico at owasp.org]
Sent: Monday, June 09, 2014 10:09 PM
To: David Holmes
Cc: Torsten Gigler; owasp-cheat-sheets at lists.owasp.org<mailto:owasp-cheat-sheets at lists.owasp.org>
Subject: Re: [OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet: Strong Protocols and Ciphers for TLS/SSL

Did this get answered David?

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

On Jun 7, 2014, at 6:49 AM, David Holmes <d.holmes at f5.com<mailto:d.holmes at f5.com>> wrote:
Torsten,

Overall, very nice work!

I was a little surprised about the promotion of DHE over ECDHE ciphers. Has the crypto community as a whole already demoted EC ciphers? While some curves have been found to be suboptimal, is that enough to eschew the CPU savings ECDHE is supposed to offer?

From: owasp-cheat-sheets-bounces at lists.owasp.org<mailto:owasp-cheat-sheets-bounces at lists.owasp.org> [mailto:owasp-cheat-sheets-bounces at lists.owasp.org] On Behalf Of Jim Manico
Sent: Friday, June 06, 2014 9:46 PM
To: Torsten Gigler; owasp-cheat-sheets at lists.owasp.org<mailto:owasp-cheat-sheets at lists.owasp.org>
Subject: Re: [OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet: Strong Protocols and Ciphers for TLS/SSL

Please go ahead and just edit that directly, I trust you – anything else you can do to update the TLS Cheatsheet , please go for it!

I’ll review when you are done.

Cool?

Aloha,
Jim

From: owasp-cheat-sheets-bounces at lists.owasp.org<mailto:owasp-cheat-sheets-bounces at lists.owasp.org> [mailto:owasp-cheat-sheets-bounces at lists.owasp.org<mailto:owasp-cheat-sheets-bounces at lists.owasp.org>] On Behalf Of Torsten Gigler
Sent: Tuesday, June 03, 2014 4:50 AM
To: owasp-cheat-sheets at lists.owasp.org<mailto:owasp-cheat-sheets at lists.owasp.org>
Subject: [OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet: Strong Protocols and Ciphers for TLS/SSL

Hi,
during the last months, I have done some researches about how to find a good Protocol and Cipher Policy for TLS/SSL.
The resuls are documented in Top 10 Developer Edition, in German<https://www.owasp.org/index.php/Germany/Projekte/Top_10_fuer_Entwickler-2013/A6-Verlust_der_Vertraulichkeit_sensibler_Daten#tab=JAVA2>, yet.
I'd like to discuss them here and add them in the Transport Layer Protection Cheat Sheet.<http://Transport%20Layer%20Protection%20Cheat%20Sheet>
Do you have any comments. Should I add my input in a new 'DRAFT:'-Copy of the document before transfering it to the Cheat Sheet?
Perhaps you find more points that should be updated.

Kind Regards
Torsten


Only Support Strong Cryptographic Ciphers:
…

* use the very latest recommendations, they may be volantile these days
* Secure length for cryptographic keys and parameters (like DH-parameter) >=2048 bits or equivalent Elliptic Curves

Example for a Policy to get a Whitelist for recommenderd Ciphers:
* Activate to set the Cipher Order by the Server
* Highest Priority for Ciphers that support 'Forward Secrecy'
* Favor DHE over ECDHE, ECDHE lacks now of really reliable Elliptic Curves, cf. http://safecurves.cr.yp.to;
* Use RSA-Keys (no DSA/DSS, cf. https://projectbullrun.org/dual-ec/tls.html)
* Favor GCM over CBC regardless of the cipher size
* Priorize the ciphers by the sizes of the Cipher and the MAC
* Disable weak ciphers without diabling latency browsers and bots that have to be supported (find the best compromise), actually the cipher TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) does this job.
* Ciphers should be usable for DH-Pamameters >= 2048 bits, without blocking latency browsers (The cipher ‘DHE-RSA-AES128-SHA’ is suppressed as some browsers like to use it but are not capable to cope with DH-Params > 1024 bits.)
* Define a Cipher String that works with different Versions of your encryption tool, like openssl,
* Verify your cipher string
  ° with an autit-tool, like OWASP 'O-Saft'<https://www.owasp.org/index.php/O-Saft>
  ° listing it manually with your encryption software, e.g. openssl ciphers -v <cipher-string> (the result may differ by version), e.g.: openssl ciphers -v 'EDH+aRSA+AESGCM:EDH+aRSA+AES:DHE-RSA-AES256-SHA:EECDH+aRSA+AESGCM:EECDH+aRSA+AES:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES+SHA:DES-CBC3-SHA:-DHE-RSA-AES128-SHA'
#add optionally ':!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' to protect older Versions of OpenSSL

* This results in this recommended Cpihers and their Order:

0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD

0x00,0x9E - DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD

0x00,0x6B - DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256

0x00,0x39 - DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1

0x00,0x67 - DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256

0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD

0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD

0xC0,0x28 - ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384

0xC0,0x14 - ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1

0xC0,0x27 - ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256

0xC0,0x13 - ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1

0x00,0x9D - AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD

0x00,0x9C - AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD

0x00,0x35 - AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1

0x00,0x2F - AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

0x00,0x0A - DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1

Remarks:

- According to my researches the most common browsers should be supported with this setting, too.

- Monitor the performance of your server, e.g. the TLS handshake with DHE hinders the CPU abt 2.4 times than ECDHE (cf. [Vincent Bernat, 2011]<http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks>)

On additional Point:
I'd like to launch also a discussion if we should find references to good practices that are not dependant on Documents from NIST.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-cheat-sheets/attachments/20140616/86f2fe0c/attachment-0001.html>


More information about the OWASP-cheat-sheets mailing list