Professional Documents
Culture Documents
and Algorithms
How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Agenda
• A Brief Introduction
• Hash and HMAC's
• Symmetric Encryption
• MODP: Multiplicative Group of Integers Modulo P
• ECC: Elliptic Curve Cryptography
• Performances and Security
• Practical Applications; IKEv2, SSL and PKI
• Attacks, Weaknesses & Self-Inflicted Pain
• Conclusion and Recommendations
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Introduction
Before we start…
How many mathematicians
does it take
to screw in
a light bulb ?
i.π
-e
-ei.π = - (cos (π) + i.sin (π))
= - (-1 + i.0)
=--1
=1
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 8
Cryptographic Mechanisms
Encryption Signatures
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 9
Key Strength
Strong
Weak
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 10
Attacker Strength
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 11
Algorithms Never Get Stronger
SHA-1
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 12
Conclusion: Strength needs to increase
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 13
Prevalent
AES-128-CBC
DH-1024 RSA-1024
SHA-1
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Next Generation Encryption
ECDSA-
128-bit ±30 years AES-128-GCM ECDH-P256 SHA-256
P256
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 15
NGE higher security levels
ECDSA-
Long term AES-256-GCM ECDH-P521 SHA-512
P521
AES-192- ECDSA-
“Foreseeable future” GCM
ECDH-P384
P384
SHA-384
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 16
Next Generation Encryption
Authenticated
AES-GCM
Encryption
Authentication HMAC-SHA-2
Hashing SHA-2
Entropy SP800-90
TLSv1.2, IKEv2,
Protocols
IPsec, MACSec
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 17
Hashes and HMAC’s
Focus on SHA-2
What is a Cryptographic Hash Function
Hash
Legitimate Message
Function
Hash Fixed length output
Any Length Easy & Fast Fixed Length
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 19
The Merkle–Damgård Construction
IV F F F ... F Fin H
Data …
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 20
MD-5 vs SHA-2 – Hash Functions
MD-5 SHA-2
(60 rounds) (64-80 rounds)
Reference: Wikipedia
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 21
Rough Hash Algorithms Comparison
Algorithm/variant Output Max msg Collisions
size size found
MD-5 128 264-1 yes
SHA-1 160 264-1 yes (hard)
SHA-256 256 264-1 no
SHA-2 SHA-384 512 2128-1 no
SHA-512 512 2128-1 no
Not IKE
Reference: Wikipedia, RFC4868 BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 22
Using a Hash or an HMAC
Alice Bob
Must send a message m
Goal: data does not get corrupted in transit
h, m Computes h'=HASH(m)
Computes h=HASH(m) Checks h' = h
If yes message is valid
Attacker could modify m if no message was damaged
and recompute h Collision Resistance
Share pre-shared key k with Bob Share pre-shared key k with Alice
Must send a message m
Goal: Bob assured data comes from Alice
hmac, m
Computes hmac=HASH(m|k) Computes h'=HASH(m|k)
Checks h' = h
Attacker CAN NOT modify If yes message is valid
m and recompute h if no message was damaged
Unforgeability
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 23
Applied hashing: Blockchain & bitcoin & …
Blockchain
class Block(object):
Block # 1 def __init__(self, hashPrevBlock, payload):
Block #2 self.hashPrevBlock = hashPrevBlock
(genesis block) self.payload = payload
self.timestamp = datetime.now()
self.Nonce = self.mine()
Timestamp Timestamp
Payload Payload def hash(self, Nonce=None):
Nonce Nonce
hashPrevBlock = None hashPrevBlock = H(#1) def mine(self):
def verify(self):
Timestamp
Payload
Nonce
hashPrevBlock = H(#3)
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 25
Mining
def mine(self):
# let's calculate hash until we have "0000" at the beginning
for nonce in range(1, 10000000):
attempt = self.hash(nonce)
if attempt.startswith("0000"): # Mathematical challenge (find hash that starts with x-number of 0’s
logger.debug("We found matching hash and we are setting it as Nonce: " + attempt)
self.Nonce = attempt
return self.Nonce
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 26
Symmetric Encryption Algorithms:
One Time Pad & AES
One Time Pad
• A Pad is a truly random sequence of numbers
M 1 0 0 1 1 0 1 1 1 …
Pad 0 1 1 0 0 0 1 0 1 …
Cypher 1 1 1 1 1 0 0 1 0 …
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 28
One Time Pad - example
H E L L O message
7 4 11 11 14
+ 23 12 2 10 11 key
= 30 16 13 21 25 m+k
mod 26 4 16 13 21 25 (m+k) mod 26
E Q N V Z ciphertext
E Q N V Z ciphertext
4 16 13 21 25
- 23 12 2 10 11 key
= -19 4 11 11 14 c-k
mod 26 7 4 11 11 14 (c-k) mod 26
H E L L O message
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 29
Issue 1 – Key Length
H E L L O message
7 4 11 11 14
+ 23 12 2 10 11 key Key must have the same
size as message… Key
= 30 16 13 21 25 m+k exchange is a problem!
mod 26 4 16 13 21 25 (m+k) mod 26
E Q N V Z ciphertext
Select Carefully…
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 30
Issue 2 – Key Re-use & Known Plain Text Attack
H E L L O message Assumption #1: Attacker
knows some plain text
7 4 11 11 14 (e.g. injection, guess,…)
+ 23 12 2 10 11 key
= 30 16 13 21 25 m+k
mod 26 4 16 13 21 25 (m+k) mod 26
E Q N V Z ciphertext Assumption #2: Attacker
can wiretap ciphertext
H E L L O known message
4 16 13 21 25 ciphertext
- 7 4 11 11 14 known message
= -3 12 2 10 11 c-m Conclusion: Attacker can
mod 26 4 12 2 10 11 (c - m) mod 26 compute the key easily
= KEY
DO NOT REUSE KEY !!
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 31
AES – The Advanced Encryption Standard
• The block size is large (128 bits standardized)
• The key size is large (128, 192 or 256 bits)
• AES operates on full bytes (faster on general purpose CPU’s)
• National Institute of Standards and Technology:
• “A machine that cracks 56 bits DES in 1 seconds takes 149 trillions years to crack 128-
bits AES”
• Summary:
• AES is faster and more secure than DES or 3-DES
• AES is easier to implement than DES on tight hardware
• IS THIS TRUE ?
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 32
AES: Individual Rounds
Input
Note: Last Round Is Slightly Different from the Rest of the Sub
Rounds (no Mix Columns) Bytes
Shift
Input
Rows
Key 1
Round 0
Mix
Key 2
Round 1 Columns
Key
Schedule
Output
Output
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 33
Block Cipher Mode of Operation (ECB, CBC, counter)
ECB CBC CTR
m= 1 2 3 1 4 m= 1 2 3 1 4 m= 1 2 3 1 4 IV IV IV+1 IV+2 IV+3 IV+4
DRBG seeded by IV
ENC
ENC
ENC
ENC
ENC
ENC
ENC
ENC
ENC
ENC
ENC
ENC
ENC
ENC
ENC
IV
6 5 4 3 9
One Time Pad
m= 1 2 3 1 4 depends on IV
Make IV unique to
c= 1 2 3 1 4 c= 5 9 1 5 3 c= 7 2 6 0 8 c= 5 6 3 9 7 ensure unique pad
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 34
Fed from Initialization
Vector
AES GCM
AES Based PRNG
generate pad…
One Time Pad Secure CTR DRBG
Algorithm
Weak but
fast HMAC
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 37
RSA
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 38
Modular Arithmetic 0
0
• Modulo is like a clock 0
1 1 1
0 1 2 3 4 5 6 7 8 9 10 11… mod 4 3 3 3
2
2
2
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 39
Encryption with Modular Arithmetic
Alice Bob
Must send a private message m Selects three numbers n, d & e
n & e are public, d is secret
Takes n & e from Bob e, d are chosen such as ed ≡ 1 mod n
c
(we assume m < n)
Computes c = me mod n Computes m' = cd mod n
Attacker can not guess m m' = cd mod n
just knowing c, n and e = (me)d mod n
= med mod n
= m1 mod n
To decrypt, the attacker would =m
need to compute m= d√ m' mod n Bob has reversed the operation !!
RSA Problem Bob knows d but nobody else…
We have an encryption scheme
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 40
Signature with Modular Arithmetic
Alice Bob
Selects three numbers n, d & e
n & e are public, d is secret
Attacker can not guess d e, d are chosen such as ed ≡ 1 mod n
just knowing m, n and e
Must send a signed message m
Takes n & e from Bob
c, m
Computes c = md mod n
(we assume m < n)
Computes m' = ce mod n
m' = ce mod n To forge the signature, the
= (md)e mod n attacker would need to compute
= mde mod n d = loge(m') mod n
= m1 mod n Discrete Logarithm Problem
= m mod n
=m Now how can we find such e, d and n ?
Bob must have sent the c,m
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 41
Regular Exponentiation – Use Dichotomy to Reverse
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 42
MODP Exponentiation – dichotomy is broken
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 43
Where Quantum Computers Come In
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 44
About Prime Numbers
• A number is prime if it can be divided by one or itself
picture: Khan Academy
• A number is composite is it can be divided by 2 or more prime numbers
• Factorization is a hard problem. Best algorithm yields
• Fundamental Theorem of Arithmetic: a given number has a single factorization
• Euclid's theorems: there are infinitely many primes
• prime density (ratio of primes per composite up to x) is 1/ln(x)
• density drops off rapidly in the beginning but very slowly after a few powers of 10
• π(x) = x/ln(x) : number of primes < x
• Euler's φ(n) function or Euleur's totient
• # of integers in [1,n] that are relatively prime to n: |k ∈ [1,n] | GCD(k,n) = 1|
• Property: n1, n2, GCD(n1,n2)=1 φ(n1*n2)= φ(n1)* φ(n2) – Totient is multiplicative
• if x is prime φ(n) = n-1 since 1…n-1 coprime with n and n divisible by itself
• Euler's theorem: mφ(n) ≡ 1 (mod n) if m and n are co-prime.
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 45
RSA keys – finding e,d,n | med ≡ m (mod n)
• Choose two distinct prime numbers p, q and hide them forever!
• n = p.q n is hard to factor if p & q are very large
• φ(n) = n-(p+q-1)
• p & q are prime φ(p)=p-1 φ(q)=q-1 m – arbitrary message
• φ(n) = φ(pq) = φ(p) φ(q) = (p-1)(q-1) = n-(p+q-1) n – the modulus
• Final steps Euler theorem… e – the public key
• 1k = 1 (mφ(n))k ≡ 1k (mod n) mkφ(n) ≡ 1 (mod n) d – the private key
• 1m = m m mkφ(n) ≡ m (mod n) mkφ(n)+1 ≡ m (mod n)
• we look for e,d,n such that med ≡ mkφ(n)+1 ≡ m (mod n) ed = k φ(n) +1
k φ(n)+1 k (n − (p+q−1)) +1
• d= =
e e
• Select e, small integer and k such that GCD(d, φ(n)) = 1 (i.e. d & φ(n) are co-prime)
• e is usually 3 or 65537
• adjust k to make d an integer
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 46
DH –Diffie-Hellman
Alice Bob
The group definition
Select a generator g and a modulus p
Pick a random number a Apub, (g, p)
Keep a secret!!
Compute Apub = ga mod p
Attacker can not guess a
Attacker can not guess b
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 49
DH is sensitive to a Man-in-the-Middle Attack
Alice Mallet Bob
Apub = ga mod p I’m Bob I’m Alice Bpub = gb mod p
Apub Mpub
Mpub = gm mod p
Mpub Bpub
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 50
ECC
Elliptic Curve Cryptography
What is an elliptic curve ?
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 52
O
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 53
The scalar multiplication n*P
O
R'
R
2P
3P
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 54
0
0
mod 4 3 3 3
• Remember… modulo arithmetic
• Galois Field = Finite Field 2
2
2
• Let E be an elliptic curve defined over a finite field Fm (modulo m):
• E(Fm):{∞} U {(x,y) in FmxFm | y2=x3+ax+b , a,b in Fm}
• E(Fm) is the set of points whose coordinates belong to FmxFm and satisfy the equation + point at infinity
• The set along group operations (+, x) seen before form an Abelian Group under multiplication a field.
• For cryptography, m should be a prime number
• It seems (seemed ?) more computationally efficient if m = 2k-1 yielding the notation F2k
• Multiplication supposed to be more efficient very important for ECDH and ECDS
• In this case, the Koblitz curve is used: y2 + xy = x3 + ax2 + 1 where a=0 or a=1
• For cryptography, k should be a prime number
• m should remain a prime – it would be called a Mersenne Prime
• There is debate about the actual security and efficiency of these curves!
• The order of a group G is the cardinality of that group written ord(G) or |G|.
• The order of a point P in a group G is the value n such that n*P = O written ord(p) or |p|
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 55
Example Curve
E(F11): y2 = x3 + x +2
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 56
Example on F31 – Complexity Increases
m = 25-1 = 31
E(F31): y2 = x3 + x +2
|E(F31)| = 24
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 57
The same on F127 – Complexity Further Increases
3*P = 2*P+P
|E(F127)| = 136
7*P
6*P
Let P be [40,62]
8*P
Easy to compute on Fm
n*P
Difficult problem :
Knowing E&P, what is n
for this point ?
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 58
ECDH – Elliptic Curve Diffie-Hellman
Alice The curve definition f Bob
and point P
Select a curve f and a point P on the curve
Pick a random number a Apub, (P, f(x), m)
Keep a secret!!
Compute Apub = a*P
Attacker can not guess a
Attacker can not guess b
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 59
P-256 from "NIST routines"
• Where
• p is the prime modulus
• G is the generator (base point) of the curve
• n is the order of G. i.e n*G=O
• a, b are the coefficient of y2 + xy = x3 + ax + b (mod p)
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 60
Cryptographic Curves, Public and Private Keys
• To define a public/private key pair, Alice…
• Selects a Curve
• C=(p, a, b, G, n, h) or C=(m, f(x), a, b, G, n, h)
• Picks an integer kA ∈ [1, n-1] – this is her private key
• Compute QA = kA * G – this is her public key
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 61
Performance and Security
Comparisons
Security Level of Symmetric Crypto Algorithms
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 65
ECDH Gains in Security
The Table Below Shows the Comparable Key Lengths Required in DH/RSA as
Compared to ECC Based DH to Secure a Symmetric Key of a Given Length
80 163 1024
112 233 2048
128 283 3072
192 409 7680
256 571 15360
Reference: draft-ietf-ipsec-ike-ecc-groups-05.txt with Further Reference Contained Therein
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 66
Rough Performance Comparison
Very rough comparison – orders of magnitude only (*)
128 bits 128 116MBps 130MBps - - - 4096 bits 136 /s 8.5K /s k283 1.6K /s 1K /s
192 bits 192 98.5 MBps 109 MBps - - - 7680 bits - - k409 723 /s 568 /s
256 bits 256 85 MBps 94 MBps - - - 15360 bits - - k571 348 /s 249 /s
Optimizations...
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
See Performances for Yourself 😀
• openssl speed aes
• openssl speed des-cbc
• openssl speed des-ede3 3-DES (Encrypt-Decrypt-Encrypt)
• openssl speed rsa
• openssl speed ecdsa
• openssl speed dh does not exist 🤔
• openssl speed ecdh
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
Practical Use...
The Crypto Angle
Certificates – Just an example…
Version: 3 (0x2)
Serial Number: 302543474681041022 (0x432d9aff179d07e)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Google Inc, CN=Google Internet Authority G2
Validity
Not Before: Dec 10 17:52:51 2015 GMT
Not After : Mar 9 00:00:00 2016 GMT
Subject: C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com
SHA-256 Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey If r is an unknown secret integer (private key), this big number is r*G mod p.
Public-Key: (256 bit)
pub:
04:b5:64:5b:fa:48:ed:b7:f5:57:ba:24:d4:cc:b0:d8:74:5d:a3:6f:90:6a:37:e6:df:d8:6f:46:71:6a:
09:e8:e3:64:b6:28:31:20:b4:9d:24:7f:6b:81:09:4b:b1:7d:3b:98:68:b5:4a:02:28:fe:b7:40:46:65: 5b:f6:9d:a0:38
ASN1 OID: prime256v1
This is a "named curve"
NIST CURVE: P-256 NIST Routines defines (p, a, b, G, n)
X509v3 extensions: [SKIPPED]
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 71
IKEv2
Initiator Responder
Proposed Security Suites, Ni, ga mod p (KEi)
KDF(gab, Nonces)SKEYSEED
SK_d, SK_ai, SK_ar, SK_ei, IDi, Certificate Chain, Auth,
SK_er, SK_pi, SK_pr TSi, TSr, Sai2
KDF(gab, Nonces)SKEYSEED
IDr, Auth, TSi, TSr, Sar2 SK_d, SK_ai, SK_ar, SK_ei,
SK_er, SK_pi, SK_pr
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 72
Hash DRBG for Key Derivation and Authentication
prf+ (K,S) = T1 | T2 | T3 | T4 | ...
where:
T1 = prf (K, S | 0x01)
T2 = prf (K, T1 | S | 0x02)
Hash DRBG prf+: T3 = prf (K, T2 | S | 0x03)
T4 = prf (K, T3 | S | 0x04)
...
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 73
IPsec: ESP packet format IPsec HMAC and Encryption keys independent of IKE sessions keys.
Sequence Number
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 74
SSL/TLS with Pre-Master Secret (no DH)
Client Server
PreMaster = DecServerPub(…)
Change Cipher Spec
KDF(PreMaster, randoms)
kmc, kms, ke
Client finished: PRF (dialog)
traffic
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 75
SSL/TLS with Ephemeral Diffie-Hellman
Client Server
PreMaster = gab
Master = PRF(PreMaster, randoms)
Kcm, Ksm, Kce, Kse, …
gb mod p
traffic
While TLS offers and recommends regular rekey, tickets span for the lifetime of the
application [Blackhat.com US-13-Daigniere-TLS-Secrets-Slides]
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 76
TLS Key Derivation and Authentication
P_hash(secret, seed) = HMAC_hash (secret, A(1) + seed) +
HMAC_hash (secret, A(2) + seed) +…
A() is defined as
Hash DRBG prf: A(0) = seed
A(i) = HMAC_hash(secret, A(i-1))
the conversation
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 77
Recommendations and Conclusion
Reassurance
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 79
Recommendations
• Protocols
• IKEv2 is cool – use it if you can (not always possible)
• Keep an eye on TLS1.3 for improvements
• Public Key Infrastructure (PKI)
• Prefer ECDSA (> 256) or RSA (modulus size >> 1024 ; 1536 or 2048 preferred)
• SHA-256-HMAC or better is a must
• Key Exchange
• Use PFS
• Prefer ECDH 263 bits for mid term security (~15 years) or MODP 3184 bits for 15+ years
• If MODP, use DH group >> 1024 (1536 or 2048 preferred).
• IKEv2: group 5 (~1500 bits) or better
• TLS 1.2: FIX YOUR SERVERS!! https://weakdh.org/sysadmin.html
• Upgrade to TLS 1.3 whenever possible (still draft)
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 80
Reputedly Safe Elliptic Curves
source: http://safecurves.cr.yp.to
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 81
Some Random Software… FlexVPN (IOS)
Keypair for certificates
crypto key generate ec keysize 256
crypto key generate rsa 1536 (or better)
IKEv2 Profile
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 82
Some Random Software… WSA
See BRKSEC-3006 – Tobias Mayer on TLS Decryption using the Web Security Appliance
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 83
Some Random Software… OpenSSH
/etc/ssh/ssh_config
KexAlgorithms curve25519-sha256@libssh.org
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 84
Some Random Software… Apache (mod_ssl)
/etc/dovecot.conf
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-
GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-
SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-
SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-
AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-
SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-
GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-
SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-
SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder on
Regenerate DH Parameters
#regenerates every week ssl_dh_parameters_length = 2048
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 86
A Short Bibliography
• NIST SP 800-90A : Recommendations for Random Number Generation Using Deterministic Random Bit Generators
• NIST SP 800-38D : Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC
• NIST SP 800-56A (R2): Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography (i.e. DH, ECDH + key derivation methods)
• NIST 800-131Ar1: Transitions: Recommendations fro Transitioning the Use of Cryptographic Algorithms and Key Lengths
• NIST FIPS 140-2: Security Requirements for Cryptographic Modules
• NIST FIPS 186-4: Digital Signature Standard (DSS) (DSA, RSA (PKCS#1), ECDSA,…)
• NIST FIPS 180-4: Secure Hash Standard (SHA-1, SHA-256,…, SHA-512)
• NIST Routines: https://www.nsa.gov/ia/_files/nist-routines.pdf (Curve P-192, P-224, P-256 etc.)
• Safe Curves: http://safecurves.cr.yp.to
• Transcript Collision Attacks: Breaking authentication in TLS, IKE and SSH: http://www.mitls.org/downloads/transcript-collisions.pdf
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 88
Call to Action
• Visit the World of Solutions for
• Cisco Campus – (speaker to add relevant demos/areas to visit)
• Walk in Labs – (speaker to add relevant walk in labs)
• Technical Solution Clinics
• Meet the Engineer (Speaker to specify when they will be available for meetings)
• Lunch and Learn Topics
• DevNet zone related sessions
BRKSEC-3005 © 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public 89
Complete Your Online
Session Evaluation
• Give us your feedback to be
entered into a Daily Survey
Drawing. A daily winner will receive
a $750 gift card.
• Complete your session surveys
through the Cisco Live mobile app
or on www.CiscoLive.com/us.
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public
Thank you