Transcription of Cipher Suites: Best Practices and Pitfalls - F5
1 PRESENTED BY: Cipher Suite Practices and Pitfalls : An Overview of Cipher Suite Configuration and Pitfalls on BIG- A Cipher suite is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings for a network connection using the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocol. WikipediaWhen we talk about configuring cipherson BIG-IP we re really talking about configuring Cipher suites. More specifically the configured list of Cipher suites is a menu of options available to be negotiated.
2 Each Cipher suite specifies the key exchange algorithm, authentication algorithm, Cipher , Cipher mode, and MAC that will be recommend reading K15194: Overview of the BIG-IP SSL/TLS Cipher suitefor more s consider this Cipher suite:ECDHE-RSA-AES256-GCM-SHA384 Key Exchange Algorithm: ECDHE (Elliptic Curve Diffie-Hellman Ephemeral)Authentication Algorithm: RSAC ipher: AES256 (aka AES with a 256-bit key) Cipher Mode: GCM (Galois/Counter Mode)MAC: SHA384 (aka SHA-2 (Secure Hash Algorithm 2) with 384-bit hash)This is arguably the strongest Cipher suite we have on BIG-IP at this about this Cipher suite:AES128-SHAKey Exchange Algorithm: RSA (Implied) When it isn t specified, presume Algorithm: RSA(Implied) When it isn t specified, presume : AES128 (aka AES with a 128-bit key) Cipher Mode: CBC ( Cipher Block Chaining) (Implied) When it isn t specified, presume : SHA1 (Secure Hash Algorithm 1; SHA-1 always produces a 160-bit hash.)
3 This is to illustrate that the Cipher suite may not always explicitly specify every parameter, but they re still there. There are default values that are fairly safe to presume when not otherwise specified. If an algorithm isn t specified, it is RSA. That s a safe bet. And if a Cipher mode isn t specified it is CBC. Always CBC. Note that allciphers supported on BIG-IP are CBC mode exceptfor AES-GCM and RC4. stress this as it has been a recurring source of presentation is really about Cipher suite configuration and ciphers, and not the SSL/TLS protocol, so I won t dive too deeply here.
4 As a quick review of the difference between asymmetric key (aka public key) cryptography and symmetric key cryptography: With the asymmetric key you have two keys Kpublicand Kprivate. Since you can openly share the public key there is no need to pre-share keys with anyone. The downside is these algorithms are computationally expensive. Key lengths for a common algorithm such as RSA are at least 1024-bit, and 2048-bit is really the minimally acceptable these key has only Kprivate. Both ends use the same key, which poses the problem of key distribution.
5 The advantage is higher performance; common key sizes are 128-bit or uses both systems the Key Exchange Algorithm is the public key system used to exchange the symmetric key. Examples: ECDHE, DHE, RSA, ECDH, ADHThis is sometimes grouped in with the Key Exchange Algorithm written as ECDHE_RSA for example. But we ll consider it as a separate is the algorithm used in the SSL/TLS handshake for the server to sign (using the server s private key) elements sent to the client in the negotiation. The client can authenticate them using the server s public include: RSA, ECDSA, DSS (aka DSA), and Anonymous.
6 Anonymous means noauthentication; this is generally bad. Using an ADH Cipher suite will cause this. More on this later when we talk about that when RSA is used for the key exchange authentication is inherent to the scheme so there really isn t a separate authentication step. In cryptography, a Cipher (or cypher) is an algorithm for performing encryption or decryption a series of well-defined steps that can be followed as a procedure. An alternative, less common term is encipherment. To encipher or encode is to convert information into Cipher or code.
7 In common parlance, ' Cipher ' is synonymous with 'code', as they are both a set of steps that encrypt a message; however, the concepts are distinct in cryptography, especially classical cryptography. WikipediaExamples: DES (Data Encryption Standard), 3 DES (Triple DES), AES (Advanced Encryption Standard), RC4 (Rivest Cipher 4), Camellia, RC6, RC2, Blowfish, Twofish, IDEA, SEED, GOST, Rijndael, Serpent, MARS, a little cryptography humor see: RFC2410: The NULL Encryption Algorithm and Its Use With of the secrecy in encryption comes from the key that is used.
8 Obtain the key and you can unlock the ciphertext. The Cipher itself the algorithm, source code, etc. not only canbe, but shouldbe, openly available. History is full of examples of private cryptosystems failing due to weaknesses missed by their creators, while the most trusted ciphers were created via open processes (AES for example).Keys are of varying lengths and, generally speaking, the longer the key the more secure the encryption. DES only had 56-bits of key data, and thus is considered insecure. We label 3 DES as 168-bit, but it is really only equivalent to 112-bit strength.
9 (More on this at the end if there is time.) Newer ciphers, such as AES, often offer options 128-bits, 192-bits, or 256-bits of , a 256-bit key is far more than twice as strong as a 128-bit key. It is 2128vs. mode is the mode of operation used by the Cipher when encrypting plaintext into ciphertext, or decrypting ciphertext into plaintext. The most common mode is CBC Cipher Block Chaining. In Cipher block chaining the ciphertext from block n feeds into the process for block n+1 the blocks are chained together. To steal an image from Wikipedia: # I said earlier, allciphers on BIG-IP are CBC mode exceptfor RC4 (the lone stream Cipher , disabled by default starting in ) and AES-GCM.
10 AES-GCM was first introduced in , and it is onlyavailable for stands for Galois/Counter Mode, a more advanced mode of operation than CBC. In GCM the blocks are not chained together. GCM runs in an Authenticated Encryption with Associated Data (AEAD) mode which eliminates the separate per-message hashing step, therefore it can achieve much higher performance on a given HW platform than CBC. It is also immune to classes of attack that have harried CBC, such as padding (BEAST, Lucky 13, etc.)The main drawback to AES-GCM is that it was only added in the revision, so any older clients which don t support cannot use Galois: A hash function is any function that can be used to map data of arbitrary size to data of fixed size.
