Geraint Williams, Head of Technical Services at IT Governance, takes the lid off browser cryptography

Introduction

This October we saw a 2014 attack (POODLE) on a 1990s security protocol (SSLv3), which highlights the fact that, although we consider computing to be a fast-moving field, there are issues with ensuring compatibility with legacy applications and devices, which give rise to security issues. All e-commerce is conducted using secure HTTP (HTTPS), which uses secure sockets layer (SSL) or transport layer security (TLS). These are cryptographic protocols to provide protection. So, what is cryptography and what does it provide in terms of security?

Cryptography and encryption

Cryptography (the science of ciphers) and encryption (the process of transforming plaintext to cipher text) has been in the news for the last few years following revelations that the US’s NSA, through the NIST, weakened random number generator algorithms. Spy and intelligence agencies like the NSA have broken or bypassed encryption, and there have been various attacks on cryptography protocols, such as Heartbleed and POODLE.

Security is often considered the product of the security triad of confidentiality, integrity and availability. However, it also encompasses a number of other principles that include authorisation, identification and non-repudiation. Cryptography and encryption are some of the tools we can use to provide security.

Although encryption is the main control on confidentiality, and is used by corporate and government bodies to protect our personal data – including credit cards, sensitive data and intellectual property – cryptography is not widely understood.

Cryptography is all around us: we all use it every day while we browse the internet; we rely on it to protect the data we send and receive from secure sites. We know that we should look for the padlock symbol, but very few of us know what it means when it is displayed in a browser. The padlock means the server has been identified by a certificate trusted by one of the 80+ root certificates on your machine, and that encryption is being used. Although the strength of the encryption is not taken into account, it indicates that some form of encryption is deployed between the browser and the server.

SSL and TLS are the protocols used by HTTPS to provide the means of authenticating a server via digital certificates and the public key infrastructure. They are also used to encrypt the communication using a hybrid of symmetric algorithms that encode the data and asymmetric algorithms that ensure the key for the symmetric algorithm is on both the client and the server.

Identification issues

Identification is provided by digital certificates that demonstrate that the URL and the server delivering it are correctly matched… but that does not mean you are talking to the server you want! Think about www.it-governance.co.uk compared to www.itgovernance.co.uk: both can be identified by digital certificates, but only one is the genuine article. Scammers will set up secured sites with common misspellings in an attempt to mislead users. It has been known for a fake site to be rated more highly on search engines than the genuine site itself, enabling scammers to commit fraud against the unaware.

Ciphers and cipher suites

Ciphers (the algorithms used in the encryption process) on servers are graded by strength, which is based on the work factor required to break them. The lower the effort required to break the cipher, the weaker the cipher is rated. Generally, ciphers are classified as weak, medium or strong. In actuality, it is the cipher suites that are examined – these consist of the different algorithms used to create a secure tunnel. A secure tunnel is the named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings for a network connection using the transport layer security (TLS) or secure sockets layer (SSL) network protocols.

Samples of cipher suites:

  • SSL_CK_RC4_128_WITH_MD5
  • SSL_CK_RC4_128_EXPORT40_WITH_MD5
  • SSL_CK_RC2_128_CBC_WITH_MD5
  • SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
  • SSL_CK_IDEA_128_CBC_WITH_MD5
  • SSL_CK_DES_64_CBC_WITH_MD5
  • SSL_CK_DES_192_EDE3_CBC_WITH_MD5

Cipher suites can include a NULL cipher for encrypting data being transferred. Although in the dark ages of the early noughties a browser might have displayed a padlock despite the data being transmitted as plain text, modern browsers will display an error message about plaintext, but a padlock may still be displayed in some browsers.

Servers and clients have a range of cipher suites installed by default. The actual ones installed will depend on the type of machine, vendor and other criteria. As clients and servers alike do not know in advance which other machines they may connect to, they need a range of possible suites installed so there is a chance there is a common dominator between both machines.

Encryption issues

Ciphers cause an overhead in transmitting data (such as latency) due to the need to encrypt and decrypt data as it is transmitted and received. Additional headers and footers are often appended to units of data, thus decreasing the throughput of useful data over a constant-speed connection. As strong ciphers often mean introducing an increased latency, the weakest common denominator is often selected during the negotiation of common cipher suites to reduce the overhead effect. This, however, also reduces the work factor needed to break the encryption, opening the communication up to eavesdropping by attackers.

It is also possible to force servers to downgrade to weaker protocols and ciphers though version rollback and downgrade attacks. These attacks forces the server to use more vulnerable protocols and ciphers, which aids an attacker in compromising the communication using attacks such as POODLE.

This means that, in order to guarantee the use of strong ciphers, one end of the negotiation must only use strong ciphers. This actually requires the server to be configured to have only strong, non-vulnerable cipher suites installed.

Recommendations

The following actions are recommended to ensure a strongly protected server when using SSL/TLS encryption.

  • Weak or medium strength ciphers must not be used:
    • No NULL cipher suites, due to no encryption used.
    • No anonymous Diffie-Hellmann, due to not providing authentication.
  • Weak- or medium-strength protocols must be disabled:
    • SSLv2 must be disabled, due to known weaknesses in protocol design.
    • SSLv3 must be disabled, due to known weaknesses in protocol design.
  • Renegotiation must be properly configured:
    • Insecure renegotiation must be disabled, due to MiTM attacks.
    • Client-initiated renegotiation must be disabled, due to denial-of-service vulnerability.
  • 509 certificate key length must be strong:
    • If RSA or DSA is used, the key must be at least 2048 bits.
  • 509 certificates must be signed only with secure hashing algorithms:
    • Not signed using MD5 hash, due to known collision attacks on this hash.
  • Keys must be generated with proper entropy.
  • Secure renegotiation should be enabled.
  • MD5 should not be used, due to known collision attacks.
  • RC4 should not be used, due to crypto-analytical attacks.
  • Server should be protected from BEAST attack.
  • Server should be protected from CRIME attack; TLS compression must be disabled.
  • Server should support forward secrecy.

It is important to note that some old browsers such as IE 6 are not capable of supporting TLS, and if SSL is removed from the server these clients will not be able to connect.

green-papersU (1)