
Project „ACH“ (Applied Crypto Hardening)

A project aimed at providing practical settings to enhance the security of cryptographic services and certificates. Recommendations and tools for SSL, SSH, PGP, and more.


Presentation Transcript


  1. Project „ACH“ (Applied Crypto Hardening) www.bettercrypto.org

  2. Motivation (Aaron)

  3. Don't give them anything for free. It's your home, you fight

  4. Who? Wolfgang Breyha (uni VIE), David Durvaux (CERT.be), Tobias Dussa (KIT-CERT), L. Aaron Kaplan (CERT.at), Christian Mock (coretec), Daniel Kovacic (A-Trust), Manuel Koschuch (FH Campus Wien), Adi Kriegisch (VRVis), Ramin Sabet (A-Trust), Aaron Zauner (azet.org), Pepi Zawodsky (maclemon.at), New contributors: IAIK, A-Sit Aaron

  5. Idea • Do at least something against the Cryptocalypse • Check SSL, SSH, PGP crypto settings in the most common services and certificates: • Apache, Nginx, lighttpd • IMAP/POP servers (dovecot, cyrus, ...) • openssl.conf • Etc. • Create easy, copy & paste-able settings which are „OK“ (as far as we know) for sysadmins. • Keep it short. There are many good recommendations out there written by cryptographers for cryptographers • Many eyes must check this!

  6. Contents so far • Disclaimer • Methods • Elliptic Curve Cryptography • Keylengths • Random Number Generators • Ciphersuites – general overview & how to choose one • Recommendations on practical settings • Tools • Links Aaron

  7. Methods • How we develop this whitepaper • Public review • We need your review! Aaron

  8. General remarks on crypto

  9. Some thoughts on ECC • Currently this is under heavy debate • Trust the Math • “Nothing Up My Sleeve Numbers” • e.g. NIST P-256 (http://safecurves.cr.yp.to/rigid.html) • Coefficients generated by hashing the unexplained seed c49d3608 86e70493 6a6678e1 139d26b7 819f7e90. • Might have to change settings tomorrow • Most applications only work with NIST curves Ramin, Daniel

  10. Keylengths • http://www.keylength.com/ • Recommended keylengths, hashing algorithms, etc. • Currently: • RSA: >= 3248 bits (Ecrypt II) • ECC: >= 256 • SHA 2+ (SHA 256,…) • AES 128 is good enough Ramin, Daniel

  11. AES 128? Isn't that enough? • “On the choice between AES256 and AES128: I would never consider using AES256, just like I don’t wear a helmet when I sit inside my car. It’s too much bother for the epsilon improvement in security.” — Vincent Rijmen in a personal mail exchange Dec 2013 • Some theoretical attacks on AES-256

  12. Forward Secrecy - Motivation: • Three letter agency (TLA) stores all SSL traffic • Some day TLA gains access to SSL private key (brute force, physical force) • TLA can decrypt all stored traffic Ramin, Daniel

  13. Perfect Forward Secrecy • DHE: Diffie Hellman Ephemeral • Ephemeral: new key for each execution of a key exchange process • SSL private key only for authentication • Alternative: new SSL private key every x days/months • Pro: • Highest security against future attacks • Contra: • Elliptic Curve • Processing costs

  14. RNGs • RNGs are important. • Nadia Heninger et al / Lenstra et al • Entropy after startup: embedded devices

  15. RNGs • Weak RNG • Dual EC_DRBG is weak (slow, used in RSA-toolkit) • Intel RNG? Recommendation: add system entropy (network). Entropy only goes up. • Tools (e.g. HaveGE http://dl.acm.org/citation.cfm?id=945516) • RTFM • when is the router key generated • Default keys? • Re-generate keys from time to time

  16. Ciphersuites

  17. Some general thoughts on settings • General • Disable SSL 2.0 (weak algorithms) • Disable SSL 3.0 (BEAST vs IE/XP) • Enable TLS 1.0 or better • Disable TLS compression (SSL-CRIME attack) • Implement HSTS (HTTP Strict Transport Security) • Variant A: fewer supported clients • Variant B: more clients, weaker settings

  18. Variant A 'EECDH+aRSA+AES256:EDH+aRSA+AES256:!SSLv3' Compatibility: Only clients which support TLS 1.2 are covered by these cipher suites (Chrome 30, Win 7 and Win 8.1, Opera 17, OpenSSL ≥ 1.0.1e, Safari 6 / iOS 6.0.1, Safari 7 / OS X 10.9)

  19. Variant B: weaker ciphers, many clients

  20. Variant B: Compatibility End-of-life

  21. Choosing your own cipher string (1) • Rolling your own cipher suite string involves a trade-off between: • Compatibility (server <-> client), vs. • Known weak ciphers/hashes/MACs • The choice ECC or not, vs. • Support by different SSL libs (gnutls, openssl, ...) vs. • Different versions of SSL libs • In case of SSL lib version issues: do you want to re-compile the whole server for a newer version? • Be aware of these issues before choosing your own cipher suite

  22. Choosing your own cipher string (2) • Complexity • Multi-dimensional optimisation • Consider strong alternatives to de-facto standards • Potential future solution: generator for settings?

  23. Practical settings David

  24. What we have so far • Web server: Apache, nginx, MS IIS, lighttpd • Mail: Dovecot, cyrus, Postfix, Exim • DBs: Mysql, Oracle, Postgresql, DB2 • VPN: OpenVPN, IPSec, Checkpoint, ... • Proxies: Squid, Pound • GnuPG • SSH • IM servers (jabber, irc) David

  25. What we would like to see • Mail: Exchange • SIP • RDP • Everything as HTML (easier to copy & paste) • Config generator on the website David

  26. Example: Apache Selecting cipher suites: Additionally: Aaron

  27. Testing Tobias

  28. How to test? - Tools • openssl s_client (or gnutls-cli) • ssllabs.com: checks for servers as well as clients • xmpp.net • sslscan • SSLyze Tobias

  29. Tools: openssl s_client openssl s_client -showcerts -connect git.bettercrypto.org:443

  30. Tools: sslscan

  31. Tools: ssllabs Aaron

  32. ssllabs (2)

  33. ssllabs (3)

  34. Wrap-up Aaron

  35. Current state as of 2014/02/11 • Solid basis with Variant (A) and (B) • Public draft was presented at the CCC • Section „ciphersuites“ still a bit messy, needs more work • Need to convert to HTML Aaron

  36. How to participate • We need: cryptologists, sysadmins, hackers • Read the document, find bugs • Subscribe to the mailing list • Understand the cipher strings Variant (A) and (B) before proposing some changes • If you add content to a subsection, make a sample config with variant (B) • Git repo is world-readable • We need: • Add content to a subsection from the TODO list, send us diffs • Reviewers! Aaron

  37. Links • Website: www.bettercrypto.org • Git repo: https://git.bettercrypto.org • Mailing list: http://lists.cert.at/cgi-bin/mailman/listinfo/ach Aaron

  38. Thank you!
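
Added example (not from the slides or the bettercrypto.org project): the Variant A string from slide 18 expanded against the local OpenSSL through Python's ssl module, with every selected suite checked for forward-secret key exchange, RSA authentication and AES-256. The function names and SAMPLE_STATIC_RSA are constructed for illustration; the protocol tag is reported because which suites !SSLv3 removes depends on the linked OpenSSL version, the library-version issue slide 21 raises.

```python
import ssl

# Variant A cipher string exactly as given on slide 18.
VARIANT_A = "EECDH+aRSA+AES256:EDH+aRSA+AES256:!SSLv3"

# Constructed sample (not from the slides): a static-RSA suite in the dict
# layout that SSLContext.get_ciphers() returns, to show a failing check.
SAMPLE_STATIC_RSA = {"name": "AES256-GCM-SHA384", "protocol": "TLSv1.2",
                     "kea": "kx-rsa", "auth": "auth-rsa", "alg_bits": 256}


def expand(cipher_string):
    """Suites the local OpenSSL selects for cipher_string (TLS 1.2 and older)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately and always listed; skip them.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def violations(suite):
    """Check one suite against what Variant A is meant to guarantee."""
    found = []
    if suite["kea"] not in ("kx-ecdhe", "kx-dhe"):
        found.append("no forward secrecy")
    if suite["auth"] != "auth-rsa":
        found.append("not RSA-authenticated")
    if "AES" not in suite["name"] or suite["alg_bits"] != 256:
        found.append("not AES-256")
    return found


def audit(cipher_string):
    """Map suite name -> (protocol tag, violations) for the local library."""
    return {s["name"]: (s["protocol"], violations(s))
            for s in expand(cipher_string)}


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for name, (proto, found) in audit(VARIANT_A).items():
        # A tag other than TLSv1.2 means this build offers the suite to
        # older protocol versions despite the !SSLv3 term.
        note = "" if proto == "TLSv1.2" else "  <- not TLS 1.2-only here"
        print(f"{name:32} {proto:8} {', '.join(found) or 'ok'}{note}")
```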
