Applied Crypto Hardening - BetterCrypto

Applied Crypto Hardening

Wolfgang Breyha, David Durvaux, Tobias Dussa, L. Aaron Kaplan, Florian Mendel, Christian Mock, Manuel Koschuch, Adi Kriegisch, Ulrich Pöschl, Ramin Sabet, Berg San, Ralf Schlatterbeck, Thomas Schreck, Alexander Würstlein, Aaron Zauner, Pepi Zawodsky (University of Vienna, , KIT-CERT, , A-SIT/IAIK, , FH Campus Wien, VRVis, MilCERT Austria, A-Trust, , Friedrich-Alexander University Erlangen-Nuremberg, , )

November 10, 2016

Do not talk unencrypted

Acknowledgements

We would like to express our thanks to the following reviewers and people who have generously offered their time and interest (in alphabetical order): Brown, Scott; Brulebois, Cyril; Dirksen-Thedens, Mathis; Dulaunoy, Alexandre; Gühring Philipp; Grigg, Ian; Haslinger, Gunnar; Huebl, Axel; Kovacic, Daniel; Lenzhofer, Stefan; Lornser, Thomas; Maass, Max; Mehlmauer, Christian; Millauer, Tobias; Mirbach, Andreas; O'Brien, Hugh; Pacher, Christoph; Palfrader, Peter; Pape, Tobias (layout); Petukhova, Anna (Logo); Pichler, Patrick; Riebesel, Nicolas; Roeckx, Kurt; Roesen, Jens; Rublik, Martin; Schüpany, Mathias; Schwarz, René ("DigNative"); Seidl, Eva (PDF layout); Van Horenbeeck, Maarten; Wagner, Sebastian ("sebix"); Zangerl, Alexander.

The reviewers did review parts of the document in their area of expertise;

Unfortunately, t always understand the available crypto tools, and crypto people don't always understand the real-world problems.

Applied Crypto Hardening. Wolfgang Breyha, David Durvaux, Tobias Dussa, L. Aaron Kaplan, Florian Mendel, Christian Mock, Manuel Koschuch, Adi Kriegisch, Ulrich Pöschl, Ramin Sabet, Berg

Transcription of Applied Crypto Hardening - BetterCrypto

Ross Anderson in [And08]

This guide arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, , [Sch13a], it seems that intelligence agencies and adversaries on the Internet are not breaking so much the mathematics of encryption per se, but rather use software and hardware weaknesses, subvert standardization processes, plant backdoors, , most communication on the internet is not encrypted at all by default (for SMTP, opportunistic TLS would be a solution).

This guide can only address one aspect of securing our information systems: getting the crypto settings right to the best of the authors' , as the above mentioned, , [IS12, fSidIB13, ENI13]

Audience .. Related publications .. Methods .. 2. Webservers .. nginx .. SSH .. Cisco ASA .. Mail Servers .. Dovecot .. Postfix .. Exim .. Cisco ESA/IronPort.

VPNs .. OpenVPN .. PPTP .. Cisco ASA .. tinc .. , .. ejabberd .. Chat privacy - Off-the-Record Messaging (OTR) .. Charybdis .. Database Systems .. Oracle .. MySQL .. PostgreSQL .. Bluecoat .. HAProxy .. Pound .. 3. Overview .. Architectural overview .. Forward Secrecy .. Recommended cipher suites .. Compatibility .. When random number generators fail .. Linux .. Recommendations .. Keylengths .. A note on Elliptic Curve Cryptography .. A note on Diffie Hellman Key Exchanges .. Public Key Infrastructures .. Certificate Authorities .. Certification Authorization Records .. HTTP Strict Transport Security (HSTS) .. HTTP Public Key Pinning (HPKP) .. A. SSL & Keylength .. RNGs .. Guides .. B. Links .. C.

[IS12], ENISA's report on Algorithms, key sizes and parameters [ENI13] and BSI's Technische Richtlinie TR-02102 [fSidIB13], this guide has a different approach: it focuses on copy & paste-able settings for system administrators, : first of all, having a handy reference on how to configure the most common services' crypto settings and second of all, , by simply searching for the corresponding section in chapter 2 ("Practical recommendations").

, for the quick copy & , chapter 3 ("Theory") , ,

Figure labels: I just want to copy & paste; read Practical recommendations; To understand why we chose certain settings, read Theory first; re-read Practical recommendations; Appendix: references,

"A chain is no stronger than its weakest link, and life is after all a chain" - William James

" , endpoint security is so terrifically weak that NSA can frequently find ways around it." - Edward Snowden, answering questions live on the Guardian's website [Gle13]

This guide specifically does not address physical security, protecting software and hardware against exploits, basic IT security housekeeping, information assurance techniques, traffic analysis attacks, issues with key-rollover and key management, securing client PCs and mobile devices (theft, loss), proper Operations Security, social engineering attacks, protection against tempest [Wik13c] attack techniques, thwarting different side-channel attacks (timing, cache timing, differential fault analysis, differential power analysis or power monitoring attacks), downgrade attacks, (PKI) (CA).

Most of this zoo of information security issues are addressed in the very comprehensive book "Security Engineering" by Ross Anderson [And08]. , we strive to keep the language as non-technical as possible and fitting for our target audience: system administrators who can collectively improve the security level for all of their users.

"Security is a process, not a product." , , , ,

, we restricted ourselves to:
- Internet-facing services
- Commonly used services
- Devices which are used in business environments (this specifically excludes XBoxes, Playstations and similar consumer devices)
- OpenSSL

We explicitly excluded:
- Specialized systems (such as medical devices, most embedded systems, industrial control systems, etc.)
- Wireless Access Points
- Smart-

Footnote 2: An easy to read yet very insightful recent example is the "FLUSH+RELOAD" technique [YF13]

, headers, engineering and research 's mail signature for many years

For writing this guide, (read-only) to the public Internet on the web page and the source code of this document is on a public git server, , Acknowledgements.

Every write operation to the document is logged via the git git pull requests , if in doubt.

(Compared to the theory section, EECDH in Apache and ECDHE in OpenSSL are synonyms)

Tested with Versions , , , , , CentOS Linux 7 (Core)

/etc/ssl/ /etc/ssl/
#SSLCertificateChainFile /etc/apache2
#SSLCACertificateFile /etc/apache2
All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCompression off
# Add six earth month HSTS header for all
always set Strict-Transport-Security "max-age=15768000"
# If you want to protect all subdomains, use the following header
# ALL subdomains HAVE TO support HTTPS if you use this!
# Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"
# HTTP Public Key Pinning (HPKP) for 90 days (60*60*24*90=7776000)
# At least use one Backup-Key and/or add whole CA, think of
always set Public-Key-Pins "pin-sha256=\"YOUR_HASH=\"; pin-sha256=\"YOUR_BACKUP_HASH=\"; max-age=7776000; report-uri=\" \""
SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'

SSL configuration for an Apache vhost [configuration/Webservers/Apache/default-ssl]

<VirtualHost *:80>
Redirect permanent / https://SERVER_NAME/
</VirtualHost>

https auto-redirect vhost [configuration/Webservers/Apache/hsts-vhost]

References
Apache2 Docs on SSL and TLS:

$SERVER["socket"] == " :443" {
 = "enable"
 = "disable"
 = "disable"
 = "/etc/ "
 = "/etc/ssl/ "
 = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
 = "enable"
 = ( "Strict-Transport-Security" => "max-age=15768000") # six months
# use this only if all subdomains support HTTPS!
# = ( "Strict-Transport-Security" => "max-age=15768000; includeSubDomains")
}

SSL configuration for lighttpd [configuration/Webservers/ ]

, elliptic curve "prime256v1" (also "secp256r1") will be used, ,

# use group16 dh
 = "/etc/lighttpd/ "
 = "secp384r1"

SSL EC/DH configuration for lighttpd [configuration/Webservers/ ]

, you might want to automatically redirect http:// traffic toward https://.

It is also recommended to set the environment variable HTTPS, so the PHP applications run by the webserver can easily detect that HTTPS is in use.

$HTTP["scheme"] == "http" {
# capture vhost name with regex condition -> %0 in redirect pattern
# must be the most inner block to the redirect rule
$HTTP["host"] =~ ".*" {
 = (".*" => "https://%0$0")
}
# Set the environment variable
 = ( "HTTPS" => "on")
}

https auto-redirect configuration [configuration/Webservers/ ]

, the supported ciphers depend on the used OpenSSL-version (at runtime). ECDHE has to be available in OpenSSL at compile-time, (if not, it's active). ,

HTTPS redirection:
Lighttpd Docs SSL:
(How to mitigate BEAST attack)
SSL Compression disabled by default:

 on;
ssl_protocols TLSv1 ; # not possible to do exclusive
ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
add_header Strict-Transport-Security max-age=15768000; # six months
# use this only if all subdomains support HTTPS!
# add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";

SSL settings for nginx [configuration/Webservers/nginx/default]

If you absolutely want to specify your own DH parameters, you can specify them via

ssl_dhparam file;

However, (as long as they are >1024 bits).

Additional settings

If you decide to trust NIST's ECC curve recommendation, you can add the following line to nginx's configuration file to select special curves:

ssl_ecdh_curve secp384r1;

SSL EC/DH settings for nginx [configuration/Webservers/nginx/default-ec]

return 301 https://$server_name$request_uri;

https auto-redirect in nginx [configuration/Webservers/nginx/default-hsts]

The variable $ $ , the important lines of such a configuration file can be found at the end of this section.

General Settings
- Network
  * SSL/TLS back-end: OpenSSL/libssl
- Ports to listen
  * Port: 443, TLS: TLS/SSL port

Virtual Servers, For each vServer on tab Security:
- Required SSL/TLS Values: Fill in the correct paths for Certificate and Certificate key
- Advanced Options
  * Ciphers: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
  * Server Preference: Prefer
  * Compression: Disabled

Advanced: TLS
- SSL version 2 and SSL version 3: No
- TLS version 1,

> : TLS it is possible to set the path to a Diffie Hellman parameters file for 512, 1024,

(HSTS):
- Enable HSTS: Accept
- HSTS Max-Age: 15768000
- Include Subdomains: depends on your setup

To redirect HTTP to HTTPS, (.*)$ as Regular Expression and https://${host}/$

!bind!2!port = 443
server!bind!2!tls = 1
server!tls = libssl
vserver!1!hsts = 1
vserver!