For your information, and best regards


During the last months, I have done some research on how to find a
good Protocol and Cipher Policy for TLS/SSL.
The results are documented in Top 10 Developer Edition, in German

I'd like to discuss them here and add them to the Transport Layer
Protection Cheat Sheet.
Do you have any comments? Should I add my input in a new 'DRAFT:'-Copy of
the document before transferring it to the Cheat Sheet?
Perhaps you will find more points that should be updated.

Kind Regards

*Only Support Strong Cryptographic Ciphers:*

* use the very latest recommendations, they may be volatile these days
* Secure length for cryptographic keys and parameters (like DH-parameter)
>=2048 bits or equivalent Elliptic Curves

Example for a Policy to get a Whitelist for recommended Ciphers:
* Activate to set the Cipher Order by the Server
* Highest Priority for Ciphers that support 'Forward Secrecy'
* Favor DHE over ECDHE, ECDHE currently lacks really reliable Elliptic Curves,
cf. http://safecurves.cr.yp.to;
* Use RSA-Keys (no DSA/DSS, cf. https://projectbullrun.org/dual-ec/tls.html)
* Favor GCM over CBC regardless of the cipher size
* Prioritize the ciphers by the sizes of the Cipher and the MAC
* Disable weak ciphers without disabling legacy browsers and bots that have
to be supported (find the best compromise), actually the cipher
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) does this job.
* Ciphers should be usable for DH-Parameters >= 2048 bits, without blocking
legacy browsers (The cipher 'DHE-RSA-AES128-SHA' is suppressed as some
browsers like to use it but are not capable to cope with DH-Params > 1024)
* Define a Cipher String that works with different Versions of your encryption
tool, like openssl,
* Verify your cipher string
  ° with an audit tool, like OWASP 'O-Saft'
  ° listing it manually with your encryption software, e.g. openssl ciphers
-v <cipher-string> (the result may differ by version), e.g.: openssl
ciphers -v
#add optionally
protect older Versions of OpenSSL

* This results in these recommended Ciphers and their Order:

0x00,0x9F - DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x6B - DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA256
0x00,0x39 - DHE-RSA-AES256-SHA          SSLv3   Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA1
0x00,0x67 - DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(128)    Mac=SHA256
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x28 - ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA384
0xC0,0x14 - ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA1
0xC0,0x27 - ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA256
0xC0,0x13 - ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
0x00,0x9D - AES256-GCM-SHA384           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9C - AES128-GCM-SHA256           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x35 - AES256-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
0x00,0x2F - AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
0x00,0x0A - DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1

- According to my research the most common browsers should be
supported with this setting, too.
- Monitor the performance of your server, e.g. the TLS handshake with
DHE hinders the CPU about 2.4 times more than ECDHE (cf. [Vincent Bernat,
2011] <http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks>)

*One additional Point:*
I'd also like to launch a discussion on whether we should find references to good
practices that are not dependent on Documents from NIST.
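
One way to check a candidate listing against the ordering rules in the message above, as an added example that is not part of the original post: it parses `openssl ciphers -V` style lines and reports deviations from the DHE / ECDHE / no-forward-secrecy order, the GCM-before-CBC rule, the RSA-only rule and the suppressed suite. The function names, the rank table and the embedded excerpt are assumptions made for this illustration.

```python
import re

# Excerpt of the listing above, one suite per line as `openssl ciphers -V` prints it.
LISTING = """\
0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x6B - DHE-RSA-AES256-SHA256     TLSv1.2 Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA256
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
0xC0,0x13 - ECDHE-RSA-AES128-SHA      SSLv3   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
0x00,0x9D - AES256-GCM-SHA384         TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x0A - DES-CBC3-SHA              SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
"""

# Optional hex id, then name, protocol and the Kx/Au/Enc/Mac fields.
LINE = re.compile(
    r"^\s*(?:0x[0-9A-Fa-f]{2},0x[0-9A-Fa-f]{2}\s+-\s+)?(?P<name>\S+)\s+(?P<proto>\S+)"
    r"\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>[^\s(]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
)
KX_RANK = {"DH": 0, "ECDH": 1, "RSA": 2}  # policy order: DHE, ECDHE, then no forward secrecy
SUPPRESSED = {"DHE-RSA-AES128-SHA"}       # the suite the policy says is suppressed

def parse(listing):
    """Turn each non-empty listing line into a dict of its fields."""
    suites = []
    for line in filter(str.strip, listing.splitlines()):
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised cipher line: {line!r}")
        suites.append(m.groupdict())
    return suites

def audit(listing):
    """Return the policy deviations found in an ordered cipher listing."""
    findings, worst, worst_name = [], (-1, -1), None
    for s in parse(listing):
        name = s["name"]
        if s["kx"] not in KX_RANK:
            findings.append(f"{name}: key exchange {s['kx']} is not covered by the policy")
            continue
        if s["au"] != "RSA":
            findings.append(f"{name}: authentication {s['au']}, policy asks for RSA keys")
        if name in SUPPRESSED:
            findings.append(f"{name}: suite the policy suppresses")
        rank = (KX_RANK[s["kx"]], 0 if s["enc"] == "AESGCM" else 1)  # GCM before CBC
        if rank < worst:
            findings.append(f"{name}: ranked above {worst_name} by the policy but listed after it")
        else:
            worst, worst_name = rank, name
    return findings
```

`audit(LISTING)` returns an empty list for the excerpt; the full sixteen-suite listing passes the same checks when pasted in with each suite on one line.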
