Project „ACH“ (Applied Crypto Hardening)
www.bettercrypto.org
Motivation
Don't give them anything for free
It's your home, you fight
TL;DR - Quick infos
• Website: www.bettercrypto.org
• Git repo: https://git.bettercrypto.org
• Mailing list: http://lists.cert.at/cgi-bin/mailman/listinfo/ach
• Jabber chat: [email protected]
Why is this relevant for you?
• You run networks and services. These are targets. It seems that even sysadmins are targets (source: ZDNet/the leaks)
• However, good crypto is hard to achieve
• Crypto does not solve all problems, but it helps
"The Bottom Line Is That Encryption Does Work" – Edward Snowden
Who?
Wolfgang Breyha (uni VIE), David Durvaux (CERT.be), Tobias Dussa (KIT-CERT), L. Aaron Kaplan (CERT.at), Christian Mock (coretec), Daniel Kovacic (A-Trust), Manuel Koschuch (FH Campus Wien), Adi Kriegisch (VRVis), Ramin Sabet (A-Trust), Aaron Zauner (azet.org), Pepi Zawodsky (maclemon.at), Tobias Pape
New contributors: IAIK, A-Sit
Idea
• Do at least something against the Cryptocalypse
• Check SSL, SSH, PGP crypto settings in the most common services and certificates:
– Apache, Nginx, lighttpd
– IMAP/POP servers (dovecot, cyrus, ...)
– openssl.conf
– Etc.
• Create easy, copy & paste-able settings which are „OK“ (as far as we know) for sysadmins.
• Keep it short. There are many good recommendations out there written by cryptographers for cryptographers
• Many eyes must check this!
Contents so far
• Disclaimer
• Methods
• Elliptic Curve Cryptography
• Keylengths
• Random Number Generators
• Cipher suites – general overview & how to choose one
• Recommendations on practical settings
• Tools
• Links
Methods
• How we develop this whitepaper
• Public review
• We need your review!
GENERAL REMARKS ON CRYPTO
Some thoughts on ECC
• Currently this is under heavy debate
• Trust the Math
• “Nothing Up My Sleeve Numbers”
– e.g. NIST P-256 (http://safecurves.cr.yp.to/rigid.html)
– Coefficients generated by hashing the unexplained seed c49d3608 86e70493 6a6678e1 139d26b7 819f7e90
• Might have to change settings tomorrow
• Most applications only work with NIST curves
Keylengths
• http://www.keylength.com/
• Recommended keylengths, hashing algorithms, etc.
• Currently:
– RSA: >= 3248 bits (Ecrypt II)
– ECC: >= 256
– SHA 2+ (SHA 256, …)
– AES 128 is good enough
AES 128? Isn't that enough?
• “On the choice between AES256 and AES128: I would never consider using AES256, just like I don’t wear a helmet when I sit inside my car. It’s too much bother for the epsilon improvement in security.” — Vincent Rijmen in a personal mail exchange Dec 2013
• Some theoretical attacks on AES-256
Forward Secrecy - Motivation:
– Three letter agency (TLA) stores all SSL traffic
– Someday TLA gains access to the SSL private key (brute force, physical force)
– TLA can decrypt all stored traffic
Ramin, Daniel
![Page 16: Project„ACH“( (Applied Crypto(Hardening) · Choosing(your(own(cipher(string(1) • Rolling(your(own(cipher(suite(string(involves(a tradeMoff(between: – Compability ((server(](https://reader034.vdocuments.mx/reader034/viewer/2022050300/5f695390f3da495c545ec616/html5/thumbnails/16.jpg)
Perfect Forward Secrecy
• DHE: Diffie-Hellman Ephemeral
• Ephemeral: new key for each execution of a key exchange process
• SSL private key only for authentication
• Alternative: new SSL private key every x days/months
• Pro:
– Highest security against future attacks
• Contra:
– Elliptic Curve
– Processing costs
![Page 17: Project„ACH“( (Applied Crypto(Hardening) · Choosing(your(own(cipher(string(1) • Rolling(your(own(cipher(suite(string(involves(a tradeMoff(between: – Compability ((server(](https://reader034.vdocuments.mx/reader034/viewer/2022050300/5f695390f3da495c545ec616/html5/thumbnails/17.jpg)
RNGs
• RNGs are important.
• Nadia Heninger et al / Lenstra et al
• Entropy after startup: embedded devices
![Page 18: Project„ACH“( (Applied Crypto(Hardening) · Choosing(your(own(cipher(string(1) • Rolling(your(own(cipher(suite(string(involves(a tradeMoff(between: – Compability ((server(](https://reader034.vdocuments.mx/reader034/viewer/2022050300/5f695390f3da495c545ec616/html5/thumbnails/18.jpg)
RNGs
• Weak RNG
– Dual EC_DRBG is weak (slow, used in RSA toolkit)
– Intel RNG?
Recommendation: add system entropy (network). Entropy only goes up.
• Tools (e.g. HaveGE http://dl.acm.org/citation.cfm?id=945516)
• RTFM – when is the router key generated
– Default keys?
• Re-generate keys from time to time
![Page 19: Project„ACH“( (Applied Crypto(Hardening) · Choosing(your(own(cipher(string(1) • Rolling(your(own(cipher(suite(string(involves(a tradeMoff(between: – Compability ((server(](https://reader034.vdocuments.mx/reader034/viewer/2022050300/5f695390f3da495c545ec616/html5/thumbnails/19.jpg)
ATTACKS
![Page 20: Project„ACH“( (Applied Crypto(Hardening) · Choosing(your(own(cipher(string(1) • Rolling(your(own(cipher(suite(string(involves(a tradeMoff(between: – Compability ((server(](https://reader034.vdocuments.mx/reader034/viewer/2022050300/5f695390f3da495c545ec616/html5/thumbnails/20.jpg)
Attacks - BEAST
• Browser Exploit Against SSL/TLS (BEAST) attack
• Predict IV of CBC
– Subsequent packets use an IV that is the last ciphertext block of the previous packet
– Chosen plaintext attack (e.g. cookie name)
![Page 21: Project„ACH“( (Applied Crypto(Hardening) · Choosing(your(own(cipher(string(1) • Rolling(your(own(cipher(suite(string(involves(a tradeMoff(between: – Compability ((server(](https://reader034.vdocuments.mx/reader034/viewer/2022050300/5f695390f3da495c545ec616/html5/thumbnails/21.jpg)
Attacks - CRIME
• Compression Ratio Info-leak Made Easy (CRIME) attack
– Side-channel attack
– Information based on compressed size of HTTP requests
– MITM, brute force: client JavaScript to browse to …
– Compressed size smaller when secret cookie correct.
![Page 22: Project„ACH“( (Applied Crypto(Hardening) · Choosing(your(own(cipher(string(1) • Rolling(your(own(cipher(suite(string(involves(a tradeMoff(between: – Compability ((server(](https://reader034.vdocuments.mx/reader034/viewer/2022050300/5f695390f3da495c545ec616/html5/thumbnails/22.jpg)
CIPHER SUITES
![Page 23: Project„ACH“( (Applied Crypto(Hardening) · Choosing(your(own(cipher(string(1) • Rolling(your(own(cipher(suite(string(involves(a tradeMoff(between: – Compability ((server(](https://reader034.vdocuments.mx/reader034/viewer/2022050300/5f695390f3da495c545ec616/html5/thumbnails/23.jpg)
Some general thoughts on settings
• General
– Disable SSL 2.0 (weak algorithms)
– Disable SSL 3.0 (BEAST vs IE/XP)
– Enable TLS 1.0 or better
– Disable TLS compression (SSL CRIME attack)
– Implement HSTS (HTTP Strict Transport Security)
• Variant A: fewer supported clients
• Variant B: more clients, weaker settings
![Page 24: Project„ACH“( (Applied Crypto(Hardening) · Choosing(your(own(cipher(string(1) • Rolling(your(own(cipher(suite(string(involves(a tradeMoff(between: – Compability ((server(](https://reader034.vdocuments.mx/reader034/viewer/2022050300/5f695390f3da495c545ec616/html5/thumbnails/24.jpg)
Variant A
'EECDH+aRSA+AES256:EDH+aRSA+AES256:!SSLv3'
Compatibility: Only clients which support TLS 1.2 are covered by these cipher suites (Chrome 30, Win 7 and Win 8.1, Opera 17, OpenSSL ≥ 1.0.1e, Safari 6 / iOS 6.0.1, Safari 7 / OS X 10.9)
Variant B
weaker ciphers, many clients
Variant B: Compatibility
End-of-life
Choosing your own cipher string (1)
• Rolling your own cipher suite string involves a trade-off between:
– Compatibility (server <-> client), vs.
– Known weak ciphers/hashes/MACs
– The choice ECC or not, vs.
– Support by different SSL libs (gnutls, openssl, ...) vs.
– Different versions of SSL libs
• In case of SSL lib version issues: do you want to re-compile the whole server for a newer version?
• Be aware of these issues before choosing your own cipher suite
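The Variant A string and the trade-offs listed above can be checked mechanically before a string goes into a server config. The script below is an added example and not code from the ACH project: it asks the local OpenSSL (through Python's ssl module) to expand a cipher string exactly as a server would, then grades every selected suite on the deck's criteria (forward secrecy via EECDH/EDH, RSA authentication, AES-256, no known-weak primitives, TLS 1.2 only). The function names, the WEAK_MARKERS list and the two constructed sample entries are this example's own choices.

```python
"""Expand and audit an OpenSSL cipher string against the deck's criteria.

Added example, not code from the ACH project.  Python's ssl module hands the
string to the local OpenSSL, so the result is what that library version
would really negotiate.
"""
import ssl

# Variant A from the deck, verbatim.
VARIANT_A = "EECDH+aRSA+AES256:EDH+aRSA+AES256:!SSLv3"

# Name fragments that mark a suite as weak or anonymous (this example's own list).
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH", "SEED", "IDEA")

# Key-exchange labels from SSLContext.get_ciphers() that give forward secrecy.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-dhe"}


def expand_cipher_string(cipher_string):
    """Return the TLS <= 1.2 suites the local OpenSSL selects for cipher_string.

    TLS 1.3 suites are configured separately and always show up in
    get_ciphers(), so they are filtered out to keep the audit about the
    legacy cipher string.  An invalid or empty string raises ssl.SSLError.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def check_cipher_entry(entry):
    """Return the policy findings for one get_ciphers() entry; [] means OK."""
    findings = []
    name = entry["name"]
    if entry["kea"] not in FORWARD_SECRET_KX:
        findings.append("no forward secrecy (key exchange %s)" % entry["kea"])
    if entry["auth"] != "auth-rsa":
        findings.append("authentication is %s, not RSA" % entry["auth"])
    if "AES256" not in name:
        findings.append("bulk cipher is not AES-256")
    for marker in WEAK_MARKERS:
        if marker in name:
            findings.append("weak or anonymous primitive: %s" % marker)
    if entry["protocol"] != "TLSv1.2":
        # Suites usable below TLS 1.2 widen compatibility (Variant B) at the
        # cost of CBC-era weaknesses such as BEAST.
        findings.append("usable below TLS 1.2 (minimum %s)" % entry["protocol"])
    return findings


def audit_cipher_string(cipher_string):
    """Map each selected suite name to its list of findings."""
    return {c["name"]: check_cipher_entry(c) for c in expand_cipher_string(cipher_string)}


def forward_secret_rsa_aes256_only(cipher_string):
    """True when every selected suite is ECDHE/DHE + RSA auth + AES-256."""
    return all(
        e["kea"] in FORWARD_SECRET_KX and e["auth"] == "auth-rsa" and "AES256" in e["name"]
        for e in expand_cipher_string(cipher_string)
    )


# Constructed get_ciphers()-style entries for exercising the checker offline.
SAMPLE_GOOD = {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2",
               "kea": "kx-ecdhe", "auth": "auth-rsa"}
SAMPLE_WEAK = {"name": "RC4-MD5", "protocol": "SSLv3",
               "kea": "kx-rsa", "auth": "auth-rsa"}


if __name__ == "__main__":
    for suite, findings in audit_cipher_string(VARIANT_A).items():
        print("%-32s %s" % (suite, "; ".join(findings) or "OK"))
```

Running it prints one line per suite that the local library selects for Variant A. This is also where the "different versions of SSL libs" point above becomes concrete: on the OpenSSL 1.0.1 releases the deck targeted, `!SSLv3` strips every suite that is not specific to TLS 1.2, which is why the compatibility note lists only TLS 1.2 clients; OpenSSL 1.1.0 and later tag the ECDHE suites with a TLS 1.0 minimum, so `!SSLv3` no longer removes suites such as ECDHE-RSA-AES256-SHA there, and the "usable below TLS 1.2" finding makes that difference visible instead of leaving it to the client list on the slide.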
Choosing your own cipher string (2)
• Complexity
• Multi-dimensional optimisation
• Consider strong alternatives to de-facto standards
• Potential future solution: generator for settings?
PRACTICAL SETTINGS
What we have so far
• Web server: Apache, nginx, MS IIS, lighttpd
• Mail: Dovecot, cyrus, Postfix, Exim
• DBs: MySQL, Oracle, PostgreSQL, DB2
• VPN: OpenVPN, IPSec, Checkpoint, ...
• Proxies: Squid, Pound
• GnuPG
• SSH
• IM servers (jabber, irc)
What we would like to see
• Mail: Exchange
• SIP
• RDP
• Everything as HTML (easier to copy & paste)
• Config generator on the website
Example: Apache
Selecting cipher suites:
Additionally:
Aaron
TESTING
How to test? - Tools
• openssl s_client (or gnutls-cli)
• ssllabs.com: checks for servers as well as clients
• xmpp.net
• sslscan
• SSLyze
Tools: openssl s_client
openssl s_client -showcerts -connect git.bettercrypto.org:443
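The s_client command above prints a text summary of the handshake (negotiated protocol and cipher, server key size, compression, secure renegotiation) and, with -showcerts, every certificate in the chain. The script below is an added example, not part of the ACH project: it parses that output and reports which of the deck's recommendations (TLS 1.2, forward secrecy, no TLS compression against CRIME, the keylength slide's minimums, intermediates present) a server misses. Both transcripts are constructed, with placeholder certificate bodies instead of real PEM data, and the function names and thresholds are this example's own.

```python
"""Parse 'openssl s_client -showcerts' output and grade it against the deck.

Added example, not ACH project code.  Feed it the text s_client prints for a
server (on stdin) and it lists the deck's recommendations the server misses.
"""
import re
import sys

MIN_RSA_BITS = 3248    # deck: RSA >= 3248 bits (Ecrypt II)
MIN_ECC_BITS = 256     # deck: ECC >= 256 bits
ACCEPTED_PROTOCOLS = ("TLSv1.2", "TLSv1.3")

# Constructed transcript of a server configured along Variant A lines.
SAMPLE_GOOD_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=example.org
   i:/O=Example CA/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
placeholder-not-a-real-certificate
-----END CERTIFICATE-----
 1 s:/O=Example CA/CN=Example Issuing CA
   i:/O=Example CA/CN=Example Root CA
-----BEGIN CERTIFICATE-----
placeholder-not-a-real-certificate
-----END CERTIFICATE-----
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
"""

# Constructed transcript of a server that ignores every recommendation.
SAMPLE_WEAK_OUTPUT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=example.org
   i:/CN=example.org
-----BEGIN CERTIFICATE-----
placeholder-not-a-real-certificate
-----END CERTIFICATE-----
---
New, TLSv1/SSLv3, Cipher is RC4-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: DEFLATE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : RC4-SHA
"""

_FIELDS = {
    "protocol": r"^\s*Protocol\s*:\s*(\S+)",
    "cipher": r"^\s*Cipher\s*:\s*(\S+)",
    "key_bits": r"^Server public key is (\d+) bit",
    "compression": r"^Compression:\s*(\S+)",
    "renegotiation": r"^Secure Renegotiation (IS|IS NOT) supported",
}


def parse_s_client(output):
    """Extract the handshake summary from s_client's text output."""
    info = {}
    for key, pattern in _FIELDS.items():
        match = re.search(pattern, output, re.MULTILINE)
        info[key] = match.group(1) if match else None
    info["key_bits"] = int(info["key_bits"]) if info["key_bits"] else None
    info["secure_renegotiation"] = info.pop("renegotiation") == "IS"
    # With -showcerts every element of the chain is printed as a PEM block.
    info["chain_length"] = output.count("-----BEGIN CERTIFICATE-----")
    return info


def assess(info):
    """Return the deck's recommendations the server fails; [] means all met."""
    problems = []
    cipher = info["cipher"] or ""
    if info["protocol"] not in ACCEPTED_PROTOCOLS:
        problems.append("negotiated %s; Variant A expects TLS 1.2" % info["protocol"])
    if info["compression"] != "NONE":
        problems.append("TLS compression is on (CRIME)")
    # ECDHE-/DHE- suites and all TLS 1.3 suites (TLS_*) use ephemeral keys.
    if not cipher.startswith(("ECDHE-", "DHE-", "TLS_")):
        problems.append("no forward secrecy: %s" % cipher)
    # The key-size line does not name the algorithm; infer it from the suite.
    minimum = MIN_ECC_BITS if "ECDSA" in cipher else MIN_RSA_BITS
    if info["key_bits"] is not None and info["key_bits"] < minimum:
        problems.append("server key is %d bits, below %d" % (info["key_bits"], minimum))
    if not info["secure_renegotiation"]:
        problems.append("secure renegotiation not supported")
    if info["chain_length"] < 2:
        problems.append("only the leaf certificate was sent; intermediates may be missing")
    return problems


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GOOD_OUTPUT
    for line in assess(parse_s_client(text)) or ["all checks passed"]:
        print(line)
```

Pipe the real command into it (`openssl s_client -showcerts -connect host:443 < /dev/null | python3 check.py`, where check.py is the file name assumed here); without stdin it grades the constructed good transcript. The key-size rule is deliberately the deck's own 3248-bit RSA figure, so a 2048-bit key is reported, which is the point: the tool makes the whitepaper's thresholds checkable rather than substituting its own.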
Tools: sslscan
Tools: ssllabs
ssllabs (2)
ssllabs (3)
WRAP-UP
Current state as of 2014/04
✓ Solid basis with Variant (A) and (B)
✓ Public draft was presented at the CCC
• Section „cipher suites“ still a bit messy, needs more work
• Need to convert to HTML
How to participate
1. We need: cryptologists, sysadmins, hackers
2. Read the document, find bugs
3. Subscribe to the mailing list
4. Understand the cipher strings Variant (A) and (B) before proposing some changes
5. If you add content to a subsection, make a sample config with variant (B)
6. Git repo is world-readable
7. We need:
1. Add content to a subsection from the TODO list → send us diffs
2. Reviewers!
Links
• Website: www.bettercrypto.org
• Git repo: https://git.bettercrypto.org
• Mailing list: http://lists.cert.at/cgi-bin/mailman/listinfo/ach
Thank you!