
Applied Crypto Hardening - BetterCrypto


1. Introduction

1.1. Audience

Sysadmins. Sysadmins. Sysadmins. They are a force-multiplier.

1.2. Related publications

Ecrypt II [IS12], ENISA's report on Algorithms ...


Transcription of Applied Crypto Hardening - BetterCrypto

Applied Crypto Hardening

Wolfgang Breyha, David Durvaux, Tobias Dussa, , Florian Mendel, Christian Mock, Manuel Koschuch, Adi Kriegisch, Ulrich Pöschl, Ramin Sabet, Berg San, Ralf Schlatterbeck, Thomas Schreck, Alexander Würstlein, Aaron Zauner, Pepi Zawodsky

(University of Vienna, , KIT-CERT, , A-SIT/IAIK, , FH Campus Wien, VRVis, MilCERT Austria, A-Trust, , Friedrich-Alexander University Erlangen-Nuremberg, , )

November 10, 2016

Do not talk unencrypted

Acknowledgements

We would like to express our thanks to the following reviewers and people who have generously offered their time and interest (in alphabetical order):

Brown, Scott; Brulebois, Cyril; Dirksen-Thedens, Mathis; Dulaunoy, Alexandre; Gühring, Philipp; Grigg, Ian; Haslinger, Gunnar; Huebl, Axel; Kovacic, Daniel; Lenzhofer, Stefan; Lornser, Thomas; Maass, Max; Mehlmauer, Christian; Millauer, Tobias; Mirbach, Andreas; O'Brien, Hugh; Pacher, Christoph; Palfrader, Peter; Pape, Tobias (layout); Petukhova, Anna (Logo); Pichler, Patrick; Riebesel, Nicolas; Roeckx, Kurt; Roesen, Jens; Rublik, Martin; Schüpany, Mathias; Schwarz, René ("DigNative"); Seidl, Eva (PDF layout); Van Horenbeeck, Maarten; Wagner, Sebastian ("sebix"); Zangerl, Alexander

The reviewers did review parts of the document in their area of expertise.

Unfortunately, t always understand the available crypto tools, and crypto people don't always understand the real-world problems.
Ross Anderson in [And08]

This guide arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, , [Sch13a], it seems that intelligence agencies and adversaries on the Internet are not breaking so much the mathematics of encryption per se, but rather use software and hardware weaknesses, subvert standardization processes, plant backdoors, , most communication on the internet is not encrypted at all by default (for SMTP, opportunistic TLS would be a solution).

This guide can only address one aspect of securing our information systems: getting the crypto settings right to the best of the authors , as the above mentioned, , [IS12, fSidIB13, ENI13]

Audience.

Related publications
Methods
2.
Webservers
nginx
SSH
Cisco ASA
Mail Servers
Dovecot
Postfix
Exim
Cisco ESA/IronPort
VPNs
OpenVPN
PPTP
Cisco ASA
tinc
ejabberd
Chat privacy - Off-the-Record Messaging (OTR)
Charybdis
Database Systems
Oracle
MySQL
PostgreSQL
Bluecoat
HAProxy
Pound
3.
Overview
Architectural overview
Forward Secrecy
Recommended cipher suites
Compatibility
When random number generators fail
Linux
Recommendations
Keylengths
A note on Elliptic Curve Cryptography
A note on Diffie Hellman Key Exchanges
Public Key Infrastructures
Certificate Authorities
Certification Authorization Records
HTTP Strict Transport Security (HSTS)
HTTP Public Key Pinning (HPKP)
A.
SSL &
Keylength
RNGs
Guides
B. Links
C.

[IS12], ENISA's report on Algorithms, key sizes and parameters [ENI13] and BSI's Technische Richtlinie TR-02102 [fSidIB13], this guide has a different approach: it focuses on copy & paste-able settings for system administrators, : first of all, having a handy reference on how to configure the most common services' crypto settings and second of all, , by simply searching for the corresponding section in chapter 2 ("Practical recommendations").

, for the quick copy & , chapter 3 ("Theory") , ,

I just want to copy & paste
read Practical recommendations
To understand why we chose certain settings, read Theory first
re-read Practical recommendations
Appendix: references,

A chain is no stronger than its weakest link, and life is after all a chain
William James

, endpoint security is so terrifically weak that NSA can frequently find ways around it.
Edward Snowden, answering questions live on the Guardian's website [Gle13]

This guide specifically does not address physical security, protecting software and hardware against exploits, basic IT security housekeeping, information assurance techniques, traffic analysis attacks, issues with key-rollover and key management, securing client PCs and mobile devices (theft, loss), proper Operations Security¹, social engineering attacks, protection against tempest [Wik13c] attack techniques, thwarting different side-channel attacks (timing, cache timing, differential fault analysis, differential power analysis or power monitoring attacks), downgrade attacks, (PKI) (CA).

Most of this zoo of information security issues are addressed in the very comprehensive book "Security Engineering" by Ross Anderson [And08].

, we strive to keep the language as non-technical as possible and fitting for our target audience: system administrators who can collectively improve the security level for all of their users.

Security is a process, not a product.

, , , , , we restricted ourselves to:

- Internet-facing services
- Commonly used services
- Devices which are used in business environments (this specifically excludes XBoxes, Playstations and similar consumer devices)
- OpenSSL

We explicitly excluded:

- Specialized systems (such as medical devices, most embedded systems, industrial control systems, etc.)
- Wireless Access Points
- Smart-

² An easy to read yet very insightful recent example is the "FLUSH+RELOAD" technique [YF13]

, headers, engineering and research
's mail signature for many years

For writing this guide, (read-only) to the public Internet on the web page and the source code of this document is on a public git server, ,

Acknowledgements.

Every write operation to the document is logged via the "git" git pull requests , if in doubt.

(Compared to the theory section, EECDH in Apache and ECDHE in OpenSSL are synonyms¹)

Tested with Versions

, , , , , CentOS Linux 7 (Core)

    /etc/ssl/
    /etc/ssl/
    #SSLCertificateChainFile /etc/apache2
    #SSLCACertificateFile /etc/apache2
    All -SSLv2 -SSLv3
    SSLHonorCipherOrder On
    SSLCompression off
    # Add six earth month HSTS header for all
    always set Strict-Transport-Security "max-age=15768000"
    # If you want to protect all subdomains, use the following header
    # ALL subdomains HAVE TO support HTTPS if you use this!
    # Strict-Transport-Security: "max-age=15768000 ; includeSubDomains"
    # HTTP Public Key Pinning (HPKP) for 90 days (60*60*24*90=7776000)
    # At least use one Backup-Key and/or add whole CA, think of
    always set Public-Key-Pins "pin-sha256=\"YOUR_HASH=\"; pin-sha256=\"YOUR_BACKUP_HASH=\"; max-age=7776000; report-uri=\" \""
    SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'

: SSL configuration for an Apache vhost [configuration/Webservers/Apache/default-ssl]

    <VirtualHost *:80>
    Redirect permanent / https://SERVER_NAME/
    </VirtualHost>

: https auto-redirect vhost [configuration/Webservers/Apache/hsts-vhost]

References

Apache2 Docs on SSL and TLS: ( ) ( ) ,

    $SERVER["socket"] == " :443" {
    = "enable"
    = "disable"
    = "disable"
    = "/etc/ "
    = "/etc/ssl/ "
    = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
    = "enable"
    = ( "Strict-Transport-Security" => "max-age=15768000") # six months
    # use this only if all subdomains support HTTPS!
    # = ( "Strict-Transport-Security" => "max-age=15768000; includeSubDomains")
    }

: SSL configuration for lighttpd [configuration/Webservers/ ]

, elliptic curve "prime256v1" (also "secp256r1") will be used, ,

    # use group16 dh
    = "/etc/lighttpd/ "
    = "secp384r1"

: SSL EC/DH configuration for lighttpd [configuration/Webservers/ ]

, you might want to automatically redirect http:// traffic toward https://. It is also recommended to set the environment variable HTTPS, so the PHP applications run by the webserver can easily detect that HTTPS is in use.

    $HTTP["scheme"] == "http" {
    # capture vhost name with regex condition -> %0 in redirect pattern
    # must be the most inner block to the redirect rule
    $HTTP["host"] =~ ".*" {
    = (".*" => "https://%0$0")
    }
    # Set the environment variable
    = ( "HTTPS" => "on")
    }

: https auto-redirect configuration [configuration/Webservers/ ]

, the supported ciphers depend on the used OpenSSL-version (at runtime). ECDHE has to be available in OpenSSL at compile-time, (if not, it's active). ,

HTTPS redirection:
Lighttpd Docs SSL:
(How to mitigate BEAST attack)
SSL Compression disabled by default:

+ + ( )

    on;
    ssl_protocols TLSv1 ; # not possible to do exclusive
    ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!
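A check for the Strict-Transport-Security and Public-Key-Pins values used in the Apache and lighttpd configurations above, as an added example that is not part of the original guide: it flags a max-age below the six-month value, the includeSubDomains caveat, and pin sets without a usable backup, including the YOUR_HASH= placeholders left unedited. The function names and the sample headers are constructed for illustration.

```python
import base64, binascii, hashlib
HSTS_MIN_AGE = 15768000  # six months, the max-age used in the configs above

def parse_directives(value):
    """Split 'a=1; b="x="; flag' into [(name, value or None), ...]."""
    out = []
    for part in filter(None, (p.strip() for p in value.split(";"))):
        name, sep, val = part.partition("=")  # first '=' only: pins end in '='
        out.append((name.strip().lower(), val.strip().strip('"') if sep else None))
    return out

def is_sha256_pin(pin):  # base64 encoding of a 32-byte SHA-256 digest?
    try:
        return len(base64.b64decode(pin, validate=True)) == 32
    except (binascii.Error, ValueError):
        return False

def audit(headers):  # returns a list of findings for a dict of response headers
    h, findings = {k.lower(): v for k, v in headers.items()}, []
    hsts = dict(parse_directives(h.get("strict-transport-security", "")))
    age = hsts.get("max-age") or ""
    if not age.isdigit():
        findings.append("HSTS: header missing or max-age not set")
    elif int(age) < HSTS_MIN_AGE:
        findings.append("HSTS: max-age %s is below %d" % (age, HSTS_MIN_AGE))
    if "includesubdomains" in hsts:
        findings.append("HSTS: includeSubDomains set, all subdomains must support HTTPS")
    if "public-key-pins" in h:
        hpkp = parse_directives(h["public-key-pins"])
        pins = {v or "" for n, v in hpkp if n == "pin-sha256"}
        valid = {p for p in pins if is_sha256_pin(p)}
        if pins - valid:
            findings.append("HPKP: %d pin(s) are not SHA-256 digests" % len(pins - valid))
        if len(valid) < 2:
            findings.append("HPKP: fewer than two valid pins, no backup key")
        if not any(n == "max-age" and (v or "").isdigit() for n, v in hpkp):
            findings.append("HPKP: max-age missing")
    return findings

def sample_pin(label):  # constructed pin: digest of a label, not of a real key
    return base64.b64encode(hashlib.sha256(label).digest()).decode()

# Constructed inputs: the template placeholders left unedited, then filled in.
PKP = 'pin-sha256="%s"; pin-sha256="%s"; max-age=7776000'
HSTS = {"Strict-Transport-Security": "max-age=15768000"}
TEMPLATE = {**HSTS, "Public-Key-Pins": PKP % ("YOUR_HASH=", "YOUR_BACKUP_HASH=")}
FILLED = {**HSTS, "Public-Key-Pins": PKP % (sample_pin(b"primary"), sample_pin(b"backup"))}
if __name__ == "__main__":
    print(audit(TEMPLATE), audit(FILLED))
```

Feed `audit()` the headers a server actually returns to confirm that the deployed configuration matches what was pasted.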

