[Owasp_Top_10_fuer_Entwickler] Fwd: Transport Layer Protection Cheat Sheet: Strong Protocols and Ciphers for TLS/SSL

Torsten Gigler torsten.gigler at owasp.org
Tue Jun 3 15:00:19 UTC 2014


Hello,

For your information, and best regards

Torsten


---------- Forwarded message ----------
From: Torsten Gigler <torsten.gigler at owasp.org>
Date: 2014-06-03 16:50 GMT+02:00
Subject: Transport Layer Protection Cheat Sheet: Strong Protocols and
Ciphers for TLS/SSL
To: owasp-cheat-sheets at lists.owasp.org


Hi,

during the last months, I have done some research about how to find a
good Protocol and Cipher Policy for TLS/SSL.
The results are documented in the Top 10 Developer Edition, in German
<https://www.owasp.org/index.php/Germany/Projekte/Top_10_fuer_Entwickler-2013/A6-Verlust_der_Vertraulichkeit_sensibler_Daten#tab=JAVA2>,
so far.

I'd like to discuss them here and add them in the Transport Layer
Protection Cheat Sheet.
Do you have any comments? Should I add my input in a new 'DRAFT:'-Copy of
the document before transferring it to the Cheat Sheet?
Perhaps you will find more points that should be updated.

Kind Regards
Torsten


*Only Support Strong Cryptographic Ciphers:*
…

* use the very latest recommendations, they may be volatile these days
* Secure length for cryptographic keys and parameters (like DH-parameter)
>=2048 bits or equivalent Elliptic Curves

Example for a Policy to get a Whitelist for recommended Ciphers:
* Activate to set the Cipher Order by the Server
* Highest Priority for Ciphers that support 'Forward Secrecy'
* Favor DHE over ECDHE, ECDHE now lacks really reliable Elliptic Curves,
cf. http://safecurves.cr.yp.to;
* Use RSA-Keys (no DSA/DSS, cf. https://projectbullrun.org/dual-ec/tls.html)
* Favor GCM over CBC regardless of the cipher size
* Prioritize the ciphers by the sizes of the Cipher and the MAC
* Disable weak ciphers without disabling latency browsers and bots that have
to be supported (find the best compromise), actually the cipher
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) does this job.
* Ciphers should be usable for DH-Parameters >= 2048 bits, without blocking
latency browsers (The cipher 'DHE-RSA-AES128-SHA' is suppressed as some
browsers like to use it but are not capable of coping with DH-Params > 1024
bits.)
* Define a Cipher String that works with different Versions of your encryption
tool, like openssl,
* Verify your cipher string
  ° with an audit-tool, like OWASP 'O-Saft'
<https://www.owasp.org/index.php/O-Saft>
  ° listing it manually with your encryption software, e.g. openssl ciphers
-v <cipher-string> (the result may differ by version), e.g.:

    openssl ciphers -v 'EDH+aRSA+AESGCM:EDH+aRSA+AES:DHE-RSA-AES256-SHA:EECDH+aRSA+AESGCM:EECDH+aRSA+AES:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:RSA+AESGCM:RSA+AES+SHA:DES-CBC3-SHA:-DHE-RSA-AES128-SHA'

    # add optionally ':!aNULL:!eNULL:!LOW:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:!ADH:!IDEA' to protect older Versions of OpenSSL

* This results in these recommended Ciphers and their Order:

0x00,0x9F - DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x6B - DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA256
0x00,0x39 - DHE-RSA-AES256-SHA          SSLv3   Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA1
0x00,0x67 - DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(128)    Mac=SHA256
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x28 - ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA384
0xC0,0x14 - ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA1
0xC0,0x27 - ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA256
0xC0,0x13 - ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
0x00,0x9D - AES256-GCM-SHA384           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9C - AES128-GCM-SHA256           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x35 - AES256-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
0x00,0x2F - AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
0x00,0x0A - DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1

Remarks:
- According to my research the most common browsers should be
supported with this setting, too.
- Monitor the performance of your server, e.g. the TLS handshake with
DHE hinders the CPU about 2.4 times more than ECDHE (cf. [Vincent Bernat,
2011] <http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks>)


*One additional Point:*
I'd also like to launch a discussion on whether we should find references to good
practices that are not dependent on Documents from NIST.
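
An added example, not part of the original mail: a Python check that parses `openssl ciphers -v` style output and reports where a listing deviates from the policy described above. The rank tables and the name `check_policy` are this example's own encoding of the bullet points (an assumption); the embedded rows are the 16 ciphers listed in the mail.

```python
import re

# The 16 rows from the mail, in `openssl ciphers -v` format and in the mail's order.
RECOMMENDED = """\
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""
# Assumed sort key for the policy: key exchange, then mode, then cipher size, then MAC.
KX = {"DH": 0, "ECDH": 1, "RSA": 2}        # forward secrecy first, DHE before ECDHE
ENC = {"AESGCM": 0, "AES": 1, "3DES": 2}   # GCM before CBC, 3DES only as last resort
MAC = {"AEAD": 0, "SHA384": 1, "SHA256": 2, "SHA1": 3}
ROW = re.compile(r"(\S+)\s+\S+\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=(\w+)\((\d+)\)\s+Mac=(\S+)")

def check_policy(listing):
    """Return the policy violations found in `openssl ciphers -v` style output."""
    problems, prev = [], None
    for line in filter(None, map(str.strip, listing.splitlines())):
        m = ROW.search(line)
        if not m:
            problems.append("unparsed: " + line)
            continue
        name, kx, au, enc, bits, mac = m.groups()
        if au != "RSA" or kx not in KX or enc not in ENC or mac not in MAC:
            problems.append("not allowed: " + name)   # e.g. DSS, RC4, aNULL
            continue
        if name == "DHE-RSA-AES128-SHA":              # suppressed in the mail
            problems.append("suppressed cipher present: " + name)
        rank = (KX[kx], ENC[enc], -int(bits), MAC[mac])
        if prev and rank < prev[1]:
            problems.append(f"order: {name} should precede {prev[0]}")
        prev = (name, rank)
    return problems

if __name__ == "__main__":
    print(check_policy(RECOMMENDED) or "listing matches the policy")
```

The same function accepts the output of `openssl ciphers -v <cipher-string>` from a local OpenSSL; lines it cannot parse are reported rather than skipped.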