Presentation is loading. Please wait.

Presentation is loading. Please wait.

Project „ACH“ (Applied Crypto Hardening) www.bettercrypto.org.

Published byDella Sheena Cook Modified over 8 years ago

Similar presentations

Presentation on theme: "Project „ACH“ (Applied Crypto Hardening) www.bettercrypto.org."— Presentation transcript:

1 Project „ACH“ (Applied Crypto Hardening) www.bettercrypto.org

2 Motivation (Aaron)

3 Don‘t give them anything for free It‘s your home, you fight

4 TL;DR - Quickinfos Website: www.bettercrypto.orgwww.bettercrypto.org Git repo: https://git.bettercrypto.orghttps://git.bettercrypto.org Mailing list: http://lists.cert.at/cgi- bin/mailman/listinfo/achhttp://lists.cert.at/cgi- bin/mailman/listinfo/ach

5 Who? Wolfgang Breyha (uni VIE), David Durvaux (CERT.be), Tobias Dussa (KIT.edu CERT), L. Aaron Kaplan (CERT.at), Christian Mock (coretec), Daniel Kovacic (A-Trust), Manuel Koschuch (FH Campus Wien), Adi Kriegisch (VRVis), Ramin Sabet (A-Trust), Aaron Zauner (azet.org), Pepi Zawodsky (maclemon.at), New contributors: IAIK, A-Sit Aaron

6 Idea Do at least something against the Cryptocalypse Check SSL, SSH, PGP crypto Settings in the most common services and certificates: – Apache, Nginx, lighthttp – IMAP/POP servers (dovecot, cyrus,...) – openssl.conf – Etc. Create easy, copy & paste-able settings which are „OK“ (as far as we know) for sysadmins. Keep it short. There are many good recommendations out there written by cryptographers for cryptographers Many eyes must check this!

7 Contents so far Disclaimer Methods Elliptic Curve Cryptography Keylengths Random Number Generators Cipher suites – general overview & how to choose one Recommendations on practical settings Tools Links Aaron

8 Methods How we develop this whitepaper Public review We need your review! Aaron

9 GENERAL REMARKS ON CRYPTO

10 Some thoughts on ECC Currently this is under heavy debate Trust the Math “Nothing Up My Sleeve Numbers” – eg. NIST P-256 ( http://safecurves.cr.yp.to/rigid.html ) http://safecurves.cr.yp.to/rigid.html –Coefficients generated by hashing the unexplained seed c49d3608 86e70493 6a6678e1 139d26b7 819f7e90. Might have to change settings tomorrow Most Applications only work with NIST-Curves Ramin, Daniel

11 Keylengths http://www.keylength.com/ Recommended Keylengths, Hashing algorithms, etc. Currently: – RSA: >= 2048 bits – ECC: >= 256 – SHA 2+ (SHA 256,…) Ramin, Daniel

12

13 Forward Secrecy-Motivation: – Three letter agency (TLA) stores all ssl traffic – Someday TLA gains access to ssl-private key (Brute Force, Physical Force) – TLA can decrypt all stored traffic Ramin, Daniel

14 Perfect Forward Secrecy DHE: Diffie Hellman Ephemeral Ephemeral: new key for each execution of a key exchange process SSL private-Key only for authentication Alternative new ssl private key every x days months Pro: – Highest Security against future attacks Contra: – Elliptic Curve – Processing costs

15 RNGs RNGs are important. Nadia Heninger et al / Lenstra et al Entropy after startup: embedded devices

16 RNGs Weak RNG – Dual EC_DRBG is weak (slow, used in RSA-toolkit) – Intel RNG ? Recommendation: add System- Entropy (Network). Entropy only goes up. Tools (eg. HaveGE http://dl.acm.org/citation.cfm?id=945516 ) http://dl.acm.org/citation.cfm?id=945516 RTFM – when is the router key generated – Default Keys ? Re-generate keys from time to time Ramin, Daniel

17 ATTACKS Ramin, Daniel

18 Attacks - BEAST Browser Exploit Against SSL/TLS (BEAST) attack Predict IV of CBC – Subsequent packet use IV that is the last cyphertext block of the previous packet – Chosen Plaintext Attack (eg. Cookie-name) Ramin, Daniel

19 Attacks - CRIME Compression Ratio Info-leak Made Easy (CRIME) attack – Sidechannel attack – Information based on compressed size of http requests – MITM, Bruteforce: Client Javascript to Browse to … – Compressed size smaller when secretcookie correct.

20 CIPHER SUITES

21 Some general thoughts on settings General – Disable SSL 2.0 (weak algorithms) – Disable SSL 3.0 (BEAST vs IE/XP) – Enable TLS 1.0 or better – Disable TLS-Compression (SSL-CRIME Attack) – Implement HSTS (HTTP Strict Transport Security) Variant A: fewer supported clients Variant B: more clients, weaker settings Ramin, Daniel

22 Variant A ’EECDH+aRSA+AES256:EDH+aRSA+AES256:!SSLv3’ Compatibility: Only clients which support TLS1.2 are covered by these cipher suites (Chrome 30, Win 7 and Win 8.1, Opera 17, OpenSSL ≥ 1.0.1e, Safari 6 / iOS 6.0.1, Safari 7 / OS X 10.9) Ramin, Daniel

23 Variant B weaker ciphers, many clients Ramin, Daniel

24 Variant B: Compatibility End-of-life

25 Choosing your own cipher string (1) Rolling your own cipher suite string involves a trade-off between: – Compatibility (server client), vs. – Known weak ciphers/hashes/MACs – The choice ECC or not, vs. – Support by different ssl libs (gnutls, openssl,...) vs. – Different versions of ssl libs In case of ssl lib version issues: do you want to re- compile the whole server for a newer version? Be aware of these issues before choosing your own cipher suite Adi

26 Choosing your own cipher string (2) Complexity Multi-dimensional optimisation Consider strong alternatives to de-facto standards Potential future solution: generator for settings? Adi

27 PRACTICAL SETTINGS Aaron

28 What we have so far Web server: Apache, nginx, IIS, lighttpd Mail: Dovecot, cyrus, Postfix, Exim DBs: Mysql Proxies Aaron

29 What we would like to see Mail: Exchange SSH VPN: OpenVPN, IPSec, PPTP, Cisco IPSec, Juniper Ipsec, L2TP, Racoon PGP IPMI, ILO,... SIP XMPP DBs: Postgresql, Oracle, DB2, Informix Aaron

30 Example: Apache Selecting cipher suites: Additionally: Aaron

31 TESTING Aaron

32 How to test? - Tools openssl s_client (or gnutls-cli) ssllabs.com: checks for servers as well as clients xmpp.net sslscan SSLyze Aaron

33 Tools: openss s_client openssl s_client -showcerts –connect git.bettercrypto.org:443

34 Tools: sslscan

35 Tools: ssllabs Aaron

36 ssllabs (2)

37 Ssllabs (3)

38 WRAP-UP Aaron

39 Current state as of 2013/11/22 Solid basis with Variant (A) and (B) ToC is in freeze state Section „cipher suites“ still a bit messy, needs more work Section „practical settings“ – WIP. Need more input on VPNs, PGP, SSH, IPMI, SIP, XMPP, DBs Aaron

40 How to participate 1.We need: cryptologists, sysadmins, hackers 2.Read the document, find bugs 3.Subscribe to the mailing list 4.Understand the cipher strings Variant (A) and (B) before proposing some changes 5.If you add content to a subsection, make a sample config with variant (B) 6.Git repo is world-readable 7.We need: 1.Add content to an subsection from the TODO list  send us diffs 2.Reviewers! Aaron

41 Links Website: www.bettercrypto.orgwww.bettercrypto.org Git repo: https://git.bettercrypto.orghttps://git.bettercrypto.org Mailing list: http://lists.cert.at/cgi- bin/mailman/listinfo/achhttp://lists.cert.at/cgi- bin/mailman/listinfo/ach Aaron

42 Thank you! Authors: Wolfgang Breyha, David Durvaux, Tobias Dussa, L. Aaron Kaplan kaplan@cert.at kaplan@cert.at Manuel Koschuch, Daniel Kovacic, Adi Kriegisch adi@kriegisch.atadi@kriegisch.at Christian Mock, Ramin Sabet, Aaron Zauner Pepi Zawodsky pepi@maclemon.atpepi@maclemon.at

Download ppt "Project „ACH“ (Applied Crypto Hardening) www.bettercrypto.org."

Similar presentations

Key Management Nick Feamster CS 6262 Spring 2009.

Key Management Nick Feamster CS 6262 Spring 2009.
Web security: SSL and TLS

Web security: SSL and TLS
Modelling and Analysing of Security Protocol: Lecture 14 Some Real Life Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 14 Some Real Life Protocols Tom Chothia CWI.
Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.

Spring 2012: CS419 Computer Security Vinod Ganapathy SSL, etc.
Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.

Spring 2000CS 4611 Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls.
SSL CS772 Fall 2011. Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.

SSL CS772 Fall Secure Socket layer Design Goals: SSLv2) SSL should work well with the main web protocols such as HTTP. Confidentiality is the top.
17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.

17.1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 17 Security at the Transport Layer: SSL and TLS.
Transport Layer Security (TLS) Bill Burr November 2, 2001.

Transport Layer Security (TLS) Bill Burr November 2, 2001.
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
ITA, 2.11.2011, 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.

ITA, , 8-TLS.pptx 1 Internet Security 1 (IntSi1) Prof. Dr. Andreas Steffen Institute for Internet Technologies and Applications (ITA) 8 Transport.
1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.

1 Supplement III: Security Controls What security services should network systems provide? Confidentiality Access Control Integrity Non-repudiation Authentication.
Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.

Chapter 13 IPsec. IPsec (IP Security)  A collection of protocols used to create VPNs  A network layer security protocol providing cryptographic security.
© 2004, The Technology Firm WWW.THETECHFIRM.COM SSL Packet Decodes From Wikipedia, the free encyclopedia.  Secure Sockets Layer (SSL) is a cryptographic.

© 2004, The Technology Firm SSL Packet Decodes From Wikipedia, the free encyclopedia.  Secure Sockets Layer (SSL) is a cryptographic.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 30 Internet Security.
Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.

Encryption An Overview. Fundamental problems Internet traffic goes through many networks and routers Many of those networks are broadcast media Sniffing.
Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.

Secure Hashing and DSS Sultan Almuhammadi ICS 454 Principles of Cryptography.
How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.

How cryptography is used to secure web services Josh Benaloh Cryptographer Microsoft Research.
Lecture 4 Cryptographic Tools (cont) modified from slides of Lawrie Brown.

Lecture 4 Cryptographic Tools (cont) modified from slides of Lawrie Brown.

Similar presentations

Ads by Google