![Applied Crypto Hardening](https://data.docslib.org/img/3a60ab92a6e30910dab9bd827208bcff-1.webp)
Applied Crypto Hardening

Wolfgang Breyha, David Durvaux, Tobias Dussa, L. Aaron Kaplan, Florian Mendel, Christian Mock, Manuel Koschuch, Adi Kriegisch, Ulrich Pöschl, Ramin Sabet, Berg San, Ralf Schlatterbeck, Thomas Schreck, Alexander Würstlein, Aaron Zauner, Pepi Zawodsky

(University of Vienna, CERT.be, KIT-CERT, CERT.at, A-SIT/IAIK, coretec.at, FH Campus Wien, VRVis, MilCERT Austria, A-Trust, Runtux.com, Friedrich-Alexander University Erlangen-Nuremberg, azet.org, maclemon.at)

November 10, 2016

Do not talk unencrypted

Applied Crypto Hardening, page 2 of 111

Acknowledgements

We would like to express our thanks to the following reviewers and people who have generously offered their time and interest (in alphabetical order):

Brown, Scott
Brulebois, Cyril
Dirksen-Thedens, Mathis
Dulaunoy, Alexandre
Grigg, Ian
Gühring, Philipp
Haslinger, Gunnar
Huebl, Axel
Kovacic, Daniel
Lenzhofer, Stefan
Lorünser, Thomas
Maass, Max
Mehlmauer, Christian
Millauer, Tobias
Mirbach, Andreas
O'Brien, Hugh
Pacher, Christoph
Palfrader, Peter
Pape, Tobias (layout)
Petukhova, Anna (logo)
Pichler, Patrick
Riebesel, Nicolas
Roeckx, Kurt
Roesen, Jens
Rublik, Martin
Schüpany, Mathias
Schwarz, René («DigNative»)
Seidl, Eva (PDF layout)
van Horenbeeck, Maarten
Wagner, Sebastian («sebix»)
Zangerl, Alexander

The reviewers did review parts of the document in their area of expertise; all remaining errors in this document are the sole responsibility of the primary authors.

Abstract

"Unfortunately, the computer security and cryptology communities have drifted apart over the last 25 years. Security people don't always understand the available crypto tools, and crypto people don't always understand the real-world problems."
Ross Anderson, in [And08]

This guide arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age.
Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security officers saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators.

As Schneier noted in [Sch13a], it seems that intelligence agencies and adversaries on the Internet are not so much breaking the mathematics of encryption per se, but rather use software and hardware weaknesses, subvert standardization processes, plant backdoors, rig random number generators and, most of all, exploit careless settings in server configurations and encryption systems to listen in on private communications. Worst of all, most communication on the Internet is not encrypted at all by default (for SMTP, opportunistic TLS would be a solution).

This guide can only address one aspect of securing our information systems: getting the crypto settings right to the best of the authors' current knowledge. The other attacks mentioned above require different protection schemes which are not covered in this guide.

This guide is not an introduction to cryptography. For background information on cryptography and cryptanalysis we would like to refer the reader to the references in appendix B and C at the end of this document. The focus of this guide is merely to give current best practices for configuring complex cipher suites and related parameters in a copy & paste-able manner. The guide tries to stay as concise as is possible for such a complex topic as cryptography. Naturally, it can not be complete.

There are many excellent guides [IS12, fSidIB13, ENI13] and best practice documents available when it comes to cryptography. However, none of them focuses specifically on what an average system administrator needs for hardening his or her systems' crypto settings. This guide tries to fill this gap.

Contents

1. Introduction
   1.1. Audience
   1.2. Related publications
   1.3. How to read this guide
   1.4. Disclaimer and scope
   1.5. Methods
2. Practical recommendations
   2.1. Webservers
      2.1.1. Apache
      2.1.2. lighttpd
      2.1.3. nginx
      2.1.4. Cherokee
      2.1.5. MS IIS
   2.2. SSH
      2.2.1. OpenSSH
      2.2.2. Cisco ASA
      2.2.3. Cisco IOS
   2.3. Mail servers
      2.3.1. TLS usage in mail server protocols
      2.3.2. Recommended configuration
      2.3.3. Dovecot
      2.3.4. cyrus-imapd
      2.3.5. Postfix
      2.3.6. Exim
      2.3.7. Cisco ESA/IronPort
   2.4. VPNs
      2.4.1. IPsec
      2.4.2. Check Point FireWall-1
      2.4.3. OpenVPN
      2.4.4. PPTP
      2.4.5. Cisco ASA
      2.4.6. Openswan
      2.4.7. tinc
   2.5. PGP/GPG - Pretty Good Privacy
   2.6. IPMI, ILO and other lights out management solutions
   2.7. Instant messaging systems
      2.7.1. General server configuration recommendations
      2.7.2. ejabberd
      2.7.3. Chat privacy - Off-the-Record Messaging (OTR)
      2.7.4. Charybdis
      2.7.5. SILC
   2.8. Database systems
      2.8.1. Oracle
      2.8.2. MySQL
      2.8.3. DB2
      2.8.4. PostgreSQL
   2.9. Intercepting proxy solutions and reverse proxies
      2.9.1. Bluecoat
      2.9.2. HAProxy
      2.9.3. Pound
      2.9.4. stunnel
   2.10. Kerberos
      2.10.1. Overview
      2.10.2. Implementations
3. Theory
   3.1. Overview
   3.2. Cipher suites
      3.2.1. Architectural overview
      3.2.2. Forward secrecy
      3.2.3. Recommended cipher suites
      3.2.4. Compatibility
   3.3. Random number generators
      3.3.1. When random number generators fail
      3.3.2. Linux
      3.3.3. Recommendations
   3.4. Keylengths
   3.5. A note on Elliptic Curve Cryptography
   3.6. A note on SHA-1
   3.7. A note on Diffie Hellman key exchanges
   3.8. Public key infrastructures
      3.8.1. Certificate authorities
      3.8.2. Hardening PKI
      3.8.3. Certification Authorization Records
   3.9. TLS and its support mechanisms
      3.9.1. HTTP Strict Transport Security (HSTS)
      3.9.2. HTTP Public Key Pinning (HPKP)
A. Tools
   A.1. SSL & TLS
   A.2. Key length
   A.3. RNGs
   A.4. Guides
B. Links
C. Suggested reading
D. Cipher suite name cross-reference
E. Further research
   E.1. Software not covered by this guide
Index

1. Introduction

1.1. Audience

Sysadmins. Sysadmins. Sysadmins. They are a force-multiplier.

1.2. Related publications

Ecrypt II [IS12], ENISA's report on Algorithms, Key Sizes and Parameters [ENI13] and BSI's Technische Richtlinie TR-02102 [fSidIB13] are great publications which are more in depth than this guide. However, this guide has a different approach: it focuses on copy & paste-able settings for system administrators, effectively breaking down the complexity in the above mentioned reports to an easy to use format for