Avoiding Obsolete Cipher Suites and Key Exchange

By Keren Pollack, on January 29th, 2021

The NSA recommends replacing obsolete protocol configurations with ones that provide better encryption and authentication.


Using only TLS 1.2 and above is old news. It has been known for a while that TLS 1.0, TLS 1.1, SSL 2.0, and SSL 3.0 are highly exposed to cyber threats. But within its recommendation to use TLS 1.2 or TLS 1.3, the NSA adds a reservation about several encryption algorithms in TLS 1.2 that are known to be weak. Using these obsolete configurations exposes users' information to attack techniques such as passive decryption and man-in-the-middle attacks.

This blog post will cover:

  1. Obsolete cipher suites
  2. Obsolete key exchange mechanisms
  3. How to detect obsolete configurations

Leaving TLS 1.2 and moving to TLS 1.3

In its recommendation document, the NSA wants to alert TLS users to the false sense of security that comes with obsolete TLS configurations. Updating TLS to version 1.2 or above is not enough. Users should also review the components of the cipher suites they use, as some of them are obsolete.

There are two components that must be configured correctly to ensure secure traffic: cipher suites and key exchanges.

Obsolete cipher suites:

Cipher suites are sets of cryptographic algorithms used in the TLS transmission. The TLS client offers a set of cipher suites and the TLS server selects which one will be used. TLS 1.2 cipher suites consist of an encryption algorithm, an authentication mechanism, a key exchange algorithm, and a key derivation mechanism. If any of these components is weak, the entire cipher suite is identified as obsolete.

Here is a list of encryption algorithms in TLS 1.2 that have known weaknesses and should not be used: NULL, RC2, RC4, DES, IDEA, and TDES/3DES.

TLS 1.3 removes the cipher suites that use these encryption algorithms, but note that implementations supporting both TLS 1.3 and TLS 1.2 can still negotiate the TLS 1.2 suites, so they should be checked before use.


Obsolete key exchange mechanisms:

Cipher suites that use key exchange mechanisms designated as EXPORT or ANON are considered obsolete and should not be used. In addition, the other key exchange methods require specific configuration. TLS key exchange methods include RSA key transport and DH or ECDH key establishment; DH and ECDH can use either static or ephemeral mechanisms.

Here are the NSA's key exchange mechanism recommendations:

  1. RSA key transport and ephemeral DH or ECDH should be used with RSA or DH keys of at least 3072 bits.
  2. Ephemeral ECDH key exchange should only be used with the secp384r1 elliptic curve.
  3. For RSA key transport and DH or DHE key exchange, keys shorter than 2048 bits must not be used.
  4. Ephemeral DH or ECDH using custom curves should not be used.

Detecting obsolete configurations:

NSA’s recommended detection strategy contains three stages:

Stage 1: identify clients and servers that are using old TLS versions. If a client offers or a server accepts any old TLS or SSL version, the traffic should be blocked immediately.

Stage 2: when TLS 1.2 is in use, detect whether the traffic is based on an obsolete cipher suite.

Stage 3: when TLS 1.2 or TLS 1.3 is in use with the right cipher suites, the key exchange mechanism should be investigated. If a weak key exchange method is detected, it should be blocked.


Configuring the server to use the correct versions and mechanisms is one thing, but the case where the client offers obsolete configurations must also be kept in mind.


When a client offers both recommended and obsolete cipher suites, the server can choose the recommended configuration. To make sure that the server accepts the right cipher suite, it should be configured to recognize the obsolete ones and select only the recommended ones. In addition, clients should be upgraded to a TLS library that offers only the recommended versions and cipher suites. Using the right library will also prevent them from accepting sessions with weak key exchanges from servers.
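What "configured to select only the recommended ones" looks like on the server side, as an added example using Python's standard `ssl` module (this is not code from the post): one context left on library defaults next to one pinned to TLS 1.2 and above, ephemeral key exchange, AEAD ciphers and the secp384r1 curve, plus a self-audit that lists what each context could still negotiate. The cipher string, the name-token list and the decision to drop RSA key transport in favour of ephemeral exchange are this example's own choices, and what the default context allows depends on the OpenSSL build the interpreter links against, which is exactly why the pinned version is preferable.

```python
"""Server-side hardening with Python's ssl module: library defaults beside a
pinned configuration, and a self-audit of what each would negotiate.
Added example, not code from the post; cipher string and curve are its own."""
import ssl

# Fragments (OpenSSL naming) of the suite families the post calls obsolete.
WEAK_NAME_TOKENS = ("NULL", "RC2", "RC4", "DES", "IDEA", "EXP", "ADH", "AECDH")


def permissive_server_context() -> ssl.SSLContext:
    """Whatever the linked library allows by default: nothing pinned."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def hardened_server_context() -> ssl.SSLContext:
    """TLS 1.2+ only, ephemeral key exchange with AEAD ciphers, secp384r1."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Allow-list first, then explicit exclusions so a future library default
    # cannot quietly re-enable an obsolete family.
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
        ":!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!RC2:!IDEA:!MD5"
    )
    ctx.set_ecdh_curve("secp384r1")  # the one curve the post recommends
    return ctx


def negotiable_suites(ctx: ssl.SSLContext) -> list:
    """Suite names the context would offer or accept (TLS 1.3 suites included)."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_suites(ctx: ssl.SSLContext) -> list:
    """Suites whose name reveals an obsolete cipher or an EXPORT/ANON exchange."""
    return [n for n in negotiable_suites(ctx)
            if any(tok in n.upper() for tok in WEAK_NAME_TOKENS)]


def uses_only_ephemeral_kex(ctx: ssl.SSLContext) -> bool:
    """True when every TLS 1.2 suite is ECDHE/DHE (no RSA key transport left).

    TLS 1.3 suites are named TLS_... and always use ephemeral (EC)DH.
    """
    return all(n.startswith(("ECDHE-", "DHE-", "TLS_"))
               for n in negotiable_suites(ctx))


if __name__ == "__main__":
    for label, ctx in (("defaults", permissive_server_context()),
                       ("hardened", hardened_server_context())):
        print(f"{label}: minimum {ctx.minimum_version.name}, "
              f"{len(negotiable_suites(ctx))} suites, weak: {weak_suites(ctx)}, "
              f"ephemeral only: {uses_only_ephemeral_kex(ctx)}")
```

The audit functions are the useful part for the client-side concern in the text as well: run `weak_suites()` and `uses_only_ephemeral_kex()` against the context a client application actually builds, and you learn what that client would offer before a packet is sent, rather than discovering it from a server's handshake log.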


In summary, using strong encryption for data in transit is essential for information security, but using an updated TLS version is not enough. Organizations must take into consideration the cipher suites and key exchange methods used by both the server and the client. And besides configuring both the client and the server correctly, detection methods must be implemented. This is especially important for preventing insecure traffic generated by a component that is not under our control.