AppliedCryptoHardening - BetterCrypto

1 AppliedCryptoHardeningWolfgangBreyha,Dav idDurvaux,TobiasDussa, ,FlorianMendel,ChristianMock,ManuelKosch uch,AdiKriegisch,UlrichP schl,RaminSabet,BergSan,RalfSchlatterbec k,ThomasSchreck,AlexanderW rstlein,AaronZauner,PepiZawodsky(Univers ityofVienna, ,KIT-CERT, ,A-SIT/IAIK, ,FHCampusWien,VRVis,MilCERTA ustria,A-Trust, ,Friedrich-AlexanderUniversityErlangen-N uremberg, , )November10,2016 DonottalkunencryptedAppliedCryptoHardeni ngpage2of111 AcknowledgementsWewouldliketoexpressourt hankstothefollowingreviewersandpeoplewho havegenerouslyofferedtheirtimeandinteres t(inalphabeticalorder).

2 Brown,ScottBrulebois,CyrilDirksen-Theden s,MathisDulaunoy,AlexandreG hringPhilippGrigg,IanHaslinger,GunnarHue bl,AxelKovacic,DanielLenzhofer,StefanLor nser,ThomasMaass,MaxMehlmauer,ChristianM illauer,TobiasMirbach,AndreasO Brien,HughPacher,ChristophPalfrader,Pete rPape,Tobias(layout)Petukhova,Anna(Logo) Pichler,PatrickRiebesel,NicolasRoeckx,Ku rtRoesen,JensRublik,MartinSch pany,MathiasSchwarz,Ren ( DigNative )Seidl,Eva(PDFlayout)VanHorenbeeck,Maart enWagner,Sebastian( sebix )Zangerl,AlexanderThereviewersdidreviewp artsofthedocumentintheirareaofexpertise; Unfortunately, talwaysunderstandtheavailablecryptotools ,andcryptopeopledon talwaysunderstandthereal-worldproblems.

3 RossAndersonin[And08]Thisguidearoseoutof theneedforsystemadministratorstohaveanup dated,solid,wellre-searchedandthought-th roughguideforconfiguringSSL,PGP, , [Sch13a],itseemsthatintelligenceagencies andadversariesontheInternetarenotbreakin gsomuchthemathematicsofencryptionperse,b utratherusesoftwareandhardwareweaknesses ,subvertstandardizationprocesses,plantba ckdoors, ,mostcommunicationontheinternetisnotencr yptedatallbydefault(forSMTP,opportunisti cTLSwouldbeasolution).Thisguidecanonlyad dressoneaspectofsecuringourinformationsy stems:gettingthecryptosettingsrighttothe bestoftheauthors ,astheabovementioned, , [IS12,fSidIB13,ENI13] Audience.

4 Relatedpublications .. Methods .. 102. Webservers .. nginx .. SSH .. CiscoASA .. MailServers .. Dovecot .. Postfix .. Exim .. CiscoESA/IronPort .. VPNs .. OpenVPN .. PPTP .. CiscoASA .. tinc .. , .. ejabberd .. Chatprivacy-Off-the-RecordMessaging(OTR) .. Charybdis .. DatabaseSystems .. Oracle .. MySQL .. PostgreSQL .. Bluecoat .. HAProxy .. Pound .. 683. Overview .. Architecturaloverview .. ForwardSecrecy .. Recommendedciphersuites.

5 Compatibility .. Whenrandomnumbergeneratorsfail .. Linux .. Recommendations .. Keylengths .. AnoteonEllipticCurveCryptography .. AnoteonDiffieHellmanKeyExchanges .. PublicKeyInfrastructures .. CertificateAuthorities .. CertificationAuthorizationRecords .. HTTPS trictTransportSecurity(HSTS) .. HTTPP ublicKeyPinning(HPKP) .. 87A. SSL& Keylength .. RNGs .. Guides .. 94B. Links95C. [IS12],ENISA sreportonAlgorithms,keysizesandparameter s[ENI13]andBSI sTechnischeRichtlinieTR-02102[fSidIB13] ,thisguidehasadifferentapproach:itfocuse soncopy&paste-ablesettingsforsystemadmin istrators, :firstofall,havingahandyreferenceonhowto configurethemostcommonservices cryptosettingsandsecondofall, ,bysimplysearchingforthecorrespondingsec tioninchapter2( Practicalrecommendations ).

6 ,forthequickcopy& ,chapter3( Theory ) , ,Ijustwanttocopy&pastereadPracticalrecom mendationsTounderstandwhywechosecertains ettings,readTheoryfirstre-readPracticalr ecommendationsAppendix:references, Achainisnostrongerthanitsweakestlink,and lifeisafterallachain WilliamJames ,endpointsecurityissoterrificallyweaktha tNSAcanfrequentlyfindwaysaroundit. EdwardSnowden,answeringquestionsliveonth eGuardian swebsite[Gle13]Thisguidespecificallydoes notaddressphysicalsecurity,protectingsof twareandhardwareagainstexploits,basicITs ecurityhousekeeping,informationassurance techniques,trafficanalysisattacks,issues withkey-rolloverandkeymanagement,securin gclientPCsandmobiledevices(theft,loss)

7 ,properOperationsSecurity1,socialenginee ringattacks,protectionagainsttempest[Wik 13c]attacktechniques,thwartingdifferents ide-channelattacks(timing ,cachetiming ,differentialfaultanalysis,differentialp oweranalysisorpowermonitoringattacks),do wngradeattacks, (PKI) (CA).Mostofthiszooofinformationsecurityi ssuesareaddressedintheverycomprehensiveb ook SecurityEngineering byRossAnderson[And08]. ,westrivetokeepthelanguageasnon-technica laspossibleandfittingforourtargetaudienc e:systemadministratorswhocancollectively improvethesecuritylevelforalloftheiruser s. Securityisaprocess,notaproduct.

8 , , , , ,werestrictedourselvesto: Internet-facingservices Commonlyusedservices Deviceswhichareusedinbusinessenvironment s(thisspecificallyexcludesXBoxes,Playsta -tionsandsimilarconsumerdevices) OpenSSLW eexplicitlyexcluded: Specializedsystems(suchasmedicaldevices, mostembeddedsystems,industrialcontrolsys tems,etc.)2 Aneasytoreadyetveryinsightfulrecentexamp leisthe"FLUSH+RELOAD"technique[YF13] WirelessAccessPoints Smart- ,headers,engineeringandresearch smailsignatureformanyyearsForwritingthis guide, (read-only)tothepublicInternetonthewebpa geandthesourcecodeofthisdocumentisonapub licgitserver, , Acknowledgements.

9 Everywriteoperationtothedocumentislogged viathe git gitpullrequests ,ifindoubt.(Comparedtothetheorysection,E ECDHinApacheandECDHEinOpenSSLaresynonyms 1)TestedwithVersions , , , , ,CentOSLinux7(Core) /etc/ssl/ /etc/ssl/ #SSLC ertificateChainFile /etc/apache2 #SSLCAC ertificateFile /etc/apache2 All -SSLv2 -SSLv3 SSLH onorCipherOrder OnSSLC ompression off# Add six earth month HSTS header for all always set Strict-Transport-Security "max-age=15768000"# If you want to protect all subdomains, use the following header# ALL subdomains HAVE TO support HTTPS if you use this!

10 # Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"# HTTP Public Key Pinning (HPKP) for 90 days (60*60*24*90=7776000)# At least use one Backup-Key and/or add whole CA, think of always set Public-Key-Pins "pin-sha256=\"YOUR_HASH=\"; pin-sha256=\"\\YOUR_BACKUP_HASH=\"; max-age=7776000; report-uri=\" \""SSLC ipherSuite'EDH+CAMELLIA:EDH+aRSA:EECDH+a RSA+AESGCM:EECDH+aRSA+SHA256:EECDH\\:+CA MELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:! LOW:!3 DES:!MD5:!EXP:!PSK:!DSS:!\\RC4:!SEED:!ID EA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SH A' :SSLconfigurationforanApachevhost[config uration/Webservers/Apache/default-ssl] :<VirtualHost *:80>Redirect permanent / https://SERVER_NAME/</VirtualHost> :httpsauto-redirectvhost[configuration/W ebservers/Apache/hsts-vhost]References Apache2 DocsonSSLandTLS: ( ) ( ) , $SERVER["socket"] == " :443" { = "enable" = "disable" = "disable" = "/etc/ " = "/etc/ssl/ " = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM :EECDH+aRSA+SHA256:\\EECDH:+CAMELLIA128: +AES128:+SSLv3:!}