Remediating weak cipher suite issues - ToddMaxey/Technical-Documentation GitHub Wiki


Remediating weak cipher suite issues

The basic remediation is to remove the offending cipher suite(s) from the set the system is allowed to negotiate.

Cipher suites play a crucial role in securing communications, but some are undermined by outdated or weak encryption algorithms, among other factors. The table below lists some vulnerabilities associated with weak cipher suites such as DES (Data Encryption Standard), organized by encryption standard, the associated Common Vulnerabilities and Exposures (CVE) identifier, and the commonly used name of the vulnerability.

| Cipher Suite | CVE Identifier | Common Name of the Vulnerability |
|--------------|----------------|----------------------------------|
| DES-CBC3-SHA | CVE-2016-2183 | Sweet32 |
| DES | CVE-1999-0517 | IPSEC weak encryption attack |
| DES | CVE-1999-0385 | SSH CRC-32 attack |
| DES | CVE-1999-0552 | SSH Insertion attack |
| DES | CVE-2008-5161 | OpenSSL Multiple Weak Ciphers |
| 3DES | CVE-2016-2183 | Sweet32 |
| 3DES | CVE-2019-1563 | Padding Oracle Attack |
| 3DES | CVE-2020-1968 | ROBOT Attack |
| MD5-based | CVE-2004-2761 | Collision Attack |
| RC4 | CVE-2013-2566 | RC4 Bar Mitzvah |
| RC4 | CVE-2015-2808 | RC4 NOMORE |

Explanations

  • Sweet32 (CVE-2016-2183): An issue where the usage of 64-bit block ciphers (such as 3DES and DES) in CBC mode allows an attacker to perform a birthday attack to decrypt traffic.

  • IPSEC weak encryption attack (CVE-1999-0517): This issue arises when IPSEC utilizes DES for encryption, which is considered weak and is susceptible to brute-force attacks.

  • SSH CRC-32 attack (CVE-1999-0385) and SSH Insertion attack (CVE-1999-0552): These are vulnerabilities specific to the SSH protocol when it uses DES, allowing unauthorized information disclosure and tampering.

  • OpenSSL Multiple Weak Ciphers (CVE-2008-5161): A vulnerability affecting OpenSSL when multiple weak ciphers like DES are enabled.

  • Padding Oracle Attack (CVE-2019-1563): Specific to 3DES, this attack allows for the decryption of SSL/TLS traffic.

  • ROBOT Attack (CVE-2020-1968): Affecting RSA encryption with 3DES, it allows an attacker to perform adaptive chosen-ciphertext attacks.

  • Collision Attack (CVE-2004-2761): A vulnerability in MD5 hash function, often used in conjunction with weak ciphers.

  • RC4 Bar Mitzvah (CVE-2013-2566) and RC4 NOMORE (CVE-2015-2808): These vulnerabilities pertain to the RC4 cipher and allow for plaintext recovery.

Resolutions

The following cipher suite lists have these properties:

  • Strong key length

  • Supports SCH_USE_STRONG_CRYPTO for .NET

  • Supports TLS 1.2 and later

  • Key size 128 bit and 256 bit

Enabling and ordering cipher suites

It is recommended to use the SSL Cipher Suite Order group policy. The policy is located under Computer Configuration/Administrative Templates/Network/SSL Configuration Settings/SSL Cipher Suite Order. This policy sets the registry value "Functions" to the ordered, comma-delimited cipher suite string.

The registry value can also be set manually, for testing and for Server Core machines where a GPO cannot be applied. To use the example below, insert your ordered, comma-delimited cipher suite list between the double quotes assigned to $CipherSuiteRankedList.

PowerShell Example: (Windows 11 better security)

```powershell
# Ordered, comma-delimited list; the first entry is the most preferred suite.
$CipherSuiteRankedList = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"

# Same key the SSL Cipher Suite Order policy writes to.
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002\"

# The policy key does not exist until a policy has been applied; create it so New-ItemProperty does not fail.
if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }

# Write the string value "Functions"; -Force overwrites an existing value.
New-ItemProperty -Path $RegPath -Name Functions -PropertyType String -Value $CipherSuiteRankedList -Force
```
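An added helper, not part of the original page, that validates a list before writing it to the same Functions value: it removes duplicate entries, checks every suite against what Get-TlsCipherSuite reports on the host, rejects suites carrying the weak elements from the table above, and enforces the policy string's 1023-character limit. The function name is this example's own; it assumes Get-TlsCipherSuite is available (Windows 10 / Server 2016 and later) and an elevated shell.

```powershell
# Added example (not from the original page). Validates an ordered cipher suite
# string, then writes it to the SSL Cipher Suite Order policy value (Functions).
# Assumes Get-TlsCipherSuite (Windows 10 / Server 2016 and later) and an elevated shell.
function Set-ValidatedCipherSuiteOrder {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $CipherSuiteRankedList,
        [string] $RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002"
    )
    # Split on commas, trim whitespace, drop empty entries.
    $suites = @($CipherSuiteRankedList -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })

    # Duplicates (one of the lists above repeats an entry) are tolerated by Schannel but are usually a paste slip.
    $dupes = @($suites | Group-Object | Where-Object Count -gt 1 | ForEach-Object Name)
    if ($dupes.Count) { Write-Warning ("Duplicate entries removed: " + ($dupes -join ', ')) }
    $suites = @($suites | Select-Object -Unique)

    # Suites unknown to this host's Schannel are silently ignored at negotiation time.
    $supported = (Get-TlsCipherSuite).Name
    $unknown = @($suites | Where-Object { $_ -notin $supported })
    if ($unknown.Count) { throw ("Not supported on this host: " + ($unknown -join ', ')) }

    # Refuse entries carrying the weak elements discussed on this page.
    $weak = @($suites | Where-Object { $_ -match 'DES|RC4|RC2|MD5|NULL|ANON|SM3|SM4|KRB5' })
    if ($weak.Count) { throw ("Weak suites present: " + ($weak -join ', ')) }

    $value = $suites -join ','
    # The policy string is limited to 1023 characters; anything longer is truncated.
    if ($value.Length -gt 1023) { throw "List is $($value.Length) characters; limit is 1023" }

    if ($PSCmdlet.ShouldProcess($RegPath, "Set Functions")) {
        if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
        New-ItemProperty -Path $RegPath -Name Functions -PropertyType String -Value $value -Force | Out-Null
    }
    return $value   # the normalised string that was (or, with -WhatIf, would be) written
}

# Usage with the Windows 11 "better security" list from this page; -WhatIf validates without writing.
$list = "TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256," +
        "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
        "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256"
Set-ValidatedCipherSuiteOrder -CipherSuiteRankedList $list -WhatIf
```

Drop -WhatIf to write the value; a reboot or Schannel restart is still required for the new order to take effect.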

Ordered, comma-delimited cipher suite strings suitable for the SSL Cipher Suite Order policy, applied locally, through a GPO, or directly via a registry update.

  • Windows 11

TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 


  • Windows 11 better security

TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 


  • Server 2022

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256 


  • Server 2022 better security

TLS_AES_256_GCM_SHA384,TLS_AES_128_GCM_SHA256,TLS_CHACHA20_POLY1305_SHA256 


  • Windows 10 V1903, V1909, V2004

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 


  • Windows 10 V1903, V1909, V2004 better security

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 


  • Server 2019 & Windows 10 V1809

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 


  • Server 2019 & Windows 10 V1809 better security

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 


  • Server 2016 & Windows 10 V1607

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 


  • Server 2016 & Windows 10 V1607 better security

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 


  • Server 2012 R2 & Windows 8.1

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P521,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521 


  • Server 2012 R2 & Windows 8.1 better security

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 

PowerShell commands to set registry settings for .NET v2 and v4 to use SystemDefaultTlsVersions and SchUseStrongCrypto

```powershell
# .NET Framework 2.x/3.x and 4.x keys, in both the 64-bit and 32-bit (WOW6432Node) registry views.
# The key is HKLM\SOFTWARE\Microsoft\.NETFramework (note the backslash before .NETFramework).
$paths = @(
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727",
    "HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319",
    "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319"
)

foreach ($path in $paths) {
    # The key is absent when that runtime (or that registry view) is not installed.
    if (-not (Test-Path $path)) { Write-Warning "Skipping $path (not present)"; continue }
    # SystemDefaultTlsVersions = 1: .NET defers to the operating system's TLS version defaults.
    New-ItemProperty -Path $path -Name "SystemDefaultTlsVersions" -PropertyType "DWORD" -Value 1 -Force
    # SchUseStrongCrypto = 1: .NET requests SCH_USE_STRONG_CRYPTO so weak suites are excluded.
    New-ItemProperty -Path $path -Name "SchUseStrongCrypto" -PropertyType "DWORD" -Value 1 -Force
}
```

This script iterates through each registry path and sets the SystemDefaultTlsVersions and SchUseStrongCrypto values to DWORD 1, using -Force so the values are created or overwritten if they already exist.

Create WMI Filters for the Group Policy Objects (GPO)

Current (12/2023) list of weak or insecure cryptographic elements

Not all elements listed are used with the Microsoft platform.

Comprehensive Analysis of Cipher Suite Elements

Note about Perfect Forward Secrecy (PFS): PFS is a property of secure communication protocols in which session keys cannot be compromised even if the long-term secret keys are compromised. This means that past communications cannot be decrypted even if an attacker later obtains the long-term private key.

  1. RSA Key Exchange:
    • RSA, while secure for digital signatures, is less desirable for key exchange in SSL/TLS. It does not provide forward secrecy: if the RSA private key is compromised, past communications can be decrypted. Modern practice favors key exchange mechanisms such as ECDHE or DHE, which provide forward secrecy.

  2. Data Encryption Standard (DES):
    • Withdrawn by NIST in 2005 because its short key length (effectively 56 bits) makes it vulnerable to brute-force attacks.

  3. Triple DES (3DES):
    • To be deprecated after 2023 by NIST due to vulnerabilities such as Sweet32 and the existence of more secure alternatives such as AES.

  4. Cipher Block Chaining (CBC):
    • Vulnerable in TLS 1.0 and SSL 3.0 to plaintext attacks. GCM mode in TLS 1.2 is preferred because it is immune to the BEAST attack.

  5. Anonymous (ANON) Key Exchange:
    • Vulnerable to man-in-the-middle attacks because it does not authenticate the communicating parties.

  6. NULL Authentication and NULL Encryption:
    • Provide no integrity and no confidentiality, respectively, since no authentication or encryption is applied.

  7. Rivest Cipher 4 (RC4):
    • Prohibited in TLS by the IETF (RFC 7465) and considered insecure due to weaknesses in its algorithm.

  8. Message Digest 5 (MD5):
    • Widely recognized as insecure due to its vulnerability to collision attacks, where two different inputs produce the same hash output. This weakness undermines the integrity and non-repudiation properties that hash functions are supposed to provide.

  9. ShangMi 3 (SM3) and ShangMi 4 (SM4):
    • Chinese algorithms with unproven security; their use is not recommended by the IETF.

  10. Diffie-Hellman (DH) and Elliptic Curve Diffie-Hellman (ECDH):
    • Key exchange mechanisms whose non-ephemeral (static) variants do not provide Perfect Forward Secrecy (PFS). Without PFS, past communications can be decrypted if the private key is compromised.

  11. Kerberos 5 (KRB5):
    • As a non-ephemeral key exchange mechanism it does not provide PFS, which limits its suitability for secure communications.

  12. Rivest Cipher 2 (RC2):
    • Considered insecure due to related-key attacks.

  13. Anonymous (ANON) key exchange is vulnerable to man-in-the-middle attacks.

  14. NULL Authentication uses no authentication and does not provide integrity.

  15. NULL Encryption uses no encryption at all and therefore provides no confidentiality.
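An added check, not part of the original page, that turns the list of weak elements above into a classifier: it parses each IANA-style cipher suite name into its key-exchange and cipher/MAC parts and reports every weak element it finds, so the output of Get-TlsCipherSuite can be audited before and after applying an ordered list. The function name and the constructed sample list are this example's own.

```powershell
# Added example (not the page's own code): classify cipher suite names against the
# weak elements listed above. Assumes IANA-style names as returned by Get-TlsCipherSuite.
function Get-CipherSuiteWeakness {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Name)
    process {
        $issues = @()
        # Pre-TLS 1.3 names are TLS_<keyexchange>_WITH_<cipher>_<mac>; TLS 1.3 names
        # (TLS_AES_*, TLS_CHACHA20_*) carry no key-exchange token and always use (EC)DHE.
        if ($Name -match '^TLS_(?<kx>.+?)_WITH_(?<rest>.+)$') {
            $kx = $Matches.kx; $rest = $Matches.rest
            # switch -Regex runs every matching case, so a suite collects all of its issues.
            switch -Regex ($kx) {
                '^RSA$'                        { $issues += 'RSA key exchange: no forward secrecy' }
                '^(ECDH|DH)_(RSA|ECDSA|DSS)$'  { $issues += 'non-ephemeral (EC)DH: no forward secrecy' }
                'anon'                         { $issues += 'anonymous key exchange: no peer authentication' }
                '^KRB5'                        { $issues += 'KRB5: no forward secrecy' }
                '^NULL$'                       { $issues += 'NULL authentication: no integrity' }
            }
            switch -Regex ($rest) {
                '3DES'        { $issues += '3DES: Sweet32 (CVE-2016-2183)' }
                '^DES_'       { $issues += 'DES: 56-bit key, brute-forceable' }
                'RC4'         { $issues += 'RC4: prohibited in TLS by the IETF' }
                'RC2'         { $issues += 'RC2: related-key attacks' }
                '^NULL'       { $issues += 'NULL encryption: no confidentiality' }
                '_CBC_'       { $issues += 'CBC mode: prefer GCM' }
                'MD5$'        { $issues += 'MD5 MAC: collision attacks' }
                'SM3|SM4'     { $issues += 'SM3/SM4: unproven, not IETF recommended' }
            }
        }
        [pscustomobject]@{ CipherSuite = $Name; Weak = ($issues.Count -gt 0); Issues = ($issues -join '; ') }
    }
}

# Constructed sample so the classifier runs offline; on a live host replace it with
#   (Get-TlsCipherSuite).Name
$sample = 'TLS_RSA_WITH_3DES_EDE_CBC_SHA', 'TLS_RSA_WITH_RC4_128_MD5',
          'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
          'TLS_AES_256_GCM_SHA384'
$sample | Get-CipherSuiteWeakness | Format-Table -AutoSize -Wrap
```

In the sample, the first suite is flagged for RSA key exchange, 3DES and CBC, the second for RSA key exchange, RC4 and MD5, the third for CBC only, and the last two are reported clean.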

Conclusion

The evolution of cryptographic practices in SSL/TLS reflects a continuous effort to enhance security and adapt to emerging threats. The gradual deprecation of older algorithms like DES and 3DES, the shift away from vulnerable cipher modes like CBC, and concerns over algorithms without forward secrecy underscore the need for robust, future-proof cryptographic practices. The preference for ephemeral key exchange mechanisms, stronger hashing algorithms like SHA-256, and the move towards more secure encryption standards like AES, align with this goal. It is vital for organizations and systems to stay updated with these cryptographic advancements to ensure the security and integrity of their communications.

Additional Notes:

The Windows TLS stack (Schannel) has never supported non-ephemeral (EC)DH.

The only non-Perfect Forward Secrecy (PFS) cipher suites supported in Schannel are the TLS_RSA suites.

Diffie-Hellman Ephemeral (DHE) and Elliptic Curve Diffie-Hellman Ephemeral (ECDHE), which includes ECDHE-RSA and ECDHE-ECDSA, support Perfect Forward Secrecy (PFS).

Digital Signature Standard (DSS) is a digital signature algorithm that is considered secure but does not have wide adoption.