Secure Cipher Suites and TLS

-

 





TLS

As of writing (July 2021), there is really only one widely supported, secure protocol for establishing secure communications on the Internet -- TLS 1.2. 

Even Microsoft which has a history of supporting legacy items (looking at you Internet Explorer) is deprecating TLS 1.0 and TLS 1.1 in many of its products (and in some cases outright disabling). And just in case it wasn't clear, all versions of SSL are insecure as well. Fully updated installs of Windows 10 and macOS, unfortunately, still leave TLS 1.0 enabled for client and server connections.

Chrome, Safari, Firefox, and Edge dropped support for anything less than TLS 1.2 a while back now. If you're using an up-to-date version of one of those browsers you are good-to-go there (note this doesn't mean other applications on your system won't use TLS 1.0/1.1).

Vendors are currently working on adoption and I hope that very soon TLS 1.3 will replace TLS 1.2. Cloudflare has a fantastic blog post on TLS 1.3 covering its design changes, benefits over TLS 1.2, and overall a ton of great information on the topic. Once you're done here I highly encourage checking it out.

If this were a couple years ago, this section would have been A LOT longer. Thankfully now, most everyone agrees just using TLS 1.2 is the way to go. Now on to cipher suites where things are...less decisive, let's say.

Secure Cipher Suites

NIST's latest guidelines (SP 800-52r2) can mostly be broken down into this:
  1. Prefer ephemeral keys over static keys (i.e., prefer DHE over DH, and prefer ECDHE over ECDH). Ephemeral keys provide perfect forward secrecy. 
  2. Prefer GCM or CCM modes over CBC mode. The use of an authenticated encryption mode prevents several attacks (see Section 3.3.2 for more information). Note that these are not available in versions prior to TLS 1.2. 
  3. Prefer CCM over CCM_8. The latter contains a shorter authentication tag, which provides a lower authentication strength.
This means that all of the following are technically acceptable ciphers, but some are more secure than others:
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (0xC0, 0x2C)
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xC0, 0x30)
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x00, 0x9F)
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x00, 0x39)
  • TLS_DH_DSS_WITH_AES_256_GCM_SHA384 (0x00, 0xA5)
  • TLS_DH_RSA_WITH_AES_256_GCM_SHA384 (0x00, 0xA1)
The ciphers given in NIST documentation also aren't the only ones used. For example, these ciphers Google Chrome v92 uses to negotiate with clienttest.ssllabs.com:

You'll notice CHACHA20 and POLY1305 listed (used for encryption and MAC respectively). NIST may not have adopted these, but tests so far indicate they are secure (not to mention fast which is why they were adopted -- specifically as a stream cipher for mobile devices where AES computations are expensive).

By default, Windows 10 fully patched in July 2021 still allows NULL cipher suites (cipher suites that don't perform any encryption of the data but provide authenticity and integrity checks) among other insecure cipher suites. I'll be covering how to disable these and restrict usage to secure cipher suites in a future post.

References

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf

https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel

https://blog.cloudflare.com/rfc-8446-aka-tls-1-3/

https://blog.cloudflare.com/do-the-chacha-better-mobile-performance-with-cryptography/

https://eprint.iacr.org/2007/472

https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-

https://support.apple.com/guide/deployment-reference-macos/network-security-apd1775f8cbb/web

Comments

Post a Comment

Popular Posts

Hashcat - Cracking MD5 and NTLM Hashes

-
Image
Today we'll be exploring Hashcat -- "the world’s fastest and most advanced password recovery utility". This, along with similar tools, should be used only for password recovery, pentest engagements, CTFs, etc and never for illegal purposes. I could write an entire series about the capabilities Hashcat provides, but we will cover a few basic examples for now ( besides, Hashcat does a pretty good job of that themselves ): Crack MD5 hashes using the rockyou.txt wordlist. Crack NTLM hashes using the rockyou.txt wordlist. Crack NTLM hashes using a mask attack (modified brute force). I'll be using Kali Linux as Hashcat comes pre-installed, but Hashcat can run on Windows, macOS, and other Linux distributions as well. As you'll see, I'll be using some lists of hashes I made previously. Tools to generate hashes using dozens of algorithms are available online -- just save the output as a text file if you want to follow along. Cracking MD5 Hashes Using rockyou.txt Wordl...
Read more

Configuring Secure Ciphers Suites and TLS

-
Image
Hey everyone, today we're back on cipher suites. If you want a refresher of TLS and secure cipher suites overall, check out my previous post . There are many instances in which you'll need to edit cipher suites on a system -- compliance efforts, CIS benchmarks, or simply ensuring your system doesn't use insecure suites. There are a few ways to go about this and I'll detail two of them now: IIS Crypto and the Windows registry. IIS Crypto My favorite way of editing TLS versions and cipher suites is using IIS Crypto . IIS Crypto allows you to select your desired TLS/SSL version, cipher suites, and backup the registry, all with a few mouse clicks. Only downside is that it's Windows only (even the command line version). This is what IIS Crypto will look like on an unmodified Windows 10 system. Note the separate  Server Protocols  and  Client Protocols  sections. These are important to keep straight depending on what system is listening for connections and what system is ...
Read more

Configuring SSH Key Based Authentication

-
Image
Overview Most personal computers and many organizations running Linux servers utilize password-based authentication. This is what most of us are used to -- you enter a username and password in order to authenticate your account and gain access to a system. While straightforward and commonplace, this isn't the best solution in most cases. Today I'll be explaining why key based authentication is more convenient, more secure, and allows for automation of tasks without saving credentials in plain-text in a text file. Key based authentication involves the use of private and public keys ( public-key cryptography ). The private key is stored on the client and the public key is stored on the server in a special file ( ~/.ssh/authorized_keys ). This allows any system with the corresponding private key to login to the server where we just stored the public key. Our steps are: Generate key pair (public / private key). Transfer public key and add it to the authorized_keys file on the remot...
Read more