Cryptographic Strength of SSL/TLS Servers: Current and Recent Practices

IBM Research

© 2007 IBM Corporation

Cryptographic Strength of SSL/TLS Servers: Current and Recent Practices

Homin K. Lee, Tal Malkin, Erich Nahum

Columbia University and IBM Research

IBM Research

© 2007 IBM Corporation2

Motivation

Many Web services (e.g. e-commerce, online banking) require secure servers

Web security is handled by the Secure Socket Layer (SSL) protocol

SSL relies on cryptographic algorithms

A Web service is only truly secure if it uses current best practices in cryptography

A weak SSL configuration may indicate a poorly maintained site

What crypto is actually used by SSL servers?

IBM Research


Talk Outline

Motivation

Brief review of SSL

Methodology

Results

Summary and Conclusions

Future Work

IBM Research


What is SSL/TLS?

https

ssl/tls

tcp

ip

ethernet

SSL/TLS is a network protocol

– SSL: Secure Socket Layer

– TLS: Transport Layer Security

Provides end-to-end security:

– Authentication of server & client

– Encryption/integrity of data

History:

– Netscape developed versions 1,2

– SSL v3 TLS 1.0 (IETF RFC 2246)

– TLS 1.1 RFC out; 1.2 in draft

IBM Research


What Security Does SSL Provide?

Authentication:

– Person you’re speaking with is who they say they are, prevent masquerading

– RSA, Digital Signature Standard (DSS)

Key Exchange:

– Two parties who have never met mutually agree on a shared secret

– RSA, Diffie-Hellman

Secrecy/Privacy/Confidentiality

– Only 2 relevant parties understand messages, prevent eavesdropping

– Encrypt using symmetric key ciphers

– E.g., RC2, RC4, DES, 3-DES, AES, NULL(!)

Integrity:

– Message you get/send is the same one they/you sent, detect tampering

– Use one-way hash functions: MD5, SHA-1

IBM Research


Key Part of the SSL/TLS Handshake

Client HELLO message:

– Nonce (random + time)

– Cipher suites

Server HELLO response:

– Nonce

– Chosen cipher suite

Server Certificate

Client verifies certificate

client server

ClientHello

time

ServerHello

verifycertificate

generatenonce &ciphers

generatenonce &chooseoptions

SSL Option Negotiation

TLS1-RSA-EDH-AES256-SHA1;TLS1-DSS-EDH-3DES-MD5;SSL3-RSA-RSA-RC4128-MD5;SSL2-RSA-RSA-DES56-MD5;etc.

TLS1-RSA-EDH-AES256-SHA1

Certificate

IBM Research


Talk Outline

Motivation

Brief review of SSL

Methodology

Results


Future Work

IBM Research


client server

ClientHello

time

ServerHello

verifycertificate

generatenonce &ciphers

generatenonce &chooseoptions

How to Discover Support

SSL2-RSA-RSA-DES56-MD5;

SSL2-RSA-RSA-DES56-MD5

Certificate

For each cyphersuite j

– Make connection to server

– Advertise only one cyphersuite j

– Log success of first part of handshake

– Terminate connection

IBM Research


What is PSST?

PSST: The Probing SSL Scanning Tool– Leverages code from openssl & httperf

– Modifications to use algorithm

Uses a list of over 19,000 SSL servers– Culled from TBIT site, Web100, NLANR, etc.

Run algorithm over each server– Takes roughly 3 days

– Runs in 11/2006, 6/2006, 08/2005, 02/2005

Wait for angry phone calls/email

But none come!

IBM Research


Talk Outline

Motivation

Brief review of SSL

Methodology

Results


Future Work

IBM Research


Questions We’re Asking

What versions of SSL/TLS are out there?

What kinds of key exchange and site authentication?

How strong are the public keys?

What types of bulk transfer authentication?

What kinds of symmetric key encryption?

How strong are the symmetric keys?

Do sites choose the best crypto possible?

How has behavior changed over time?

IBM Research


SSL/TLS Protocol Version

SSL 2.0 has many flaws:

– Vulnerable to man-in-the-middle attacks

– Uses MD5 exclusively

– Uses a weak MAC

– Uses same key for authentication and encryption

SSL Type

Number

Percent

SSL 2.0 16,587 85.37 %

SSL 3.0 19,025 97.92 %

TLS1 19,111 98.36 %

IBM Research


SSL/TLS Protocol Breakdown

SSL 2.0

SSL 3.0

TLS Number Percent

24 0.12 %

146 0.75 %

148 0.76 %

211 1.09 %

169 0.87 %

2,485 12.79 %

16,246 83.62 %

IBM Research


Key Exchange & Authentication

KeyEx + Auth Number Percentage

EDH + DSS 4 0.02 %

EDH + RSA 11,185 57.57 %

RSA + RSA 19,401 99.86 %

EDH, DSS, and RSA give comparable levels of security for equal key sizes.

IBM Research


Public Key Sizes

512 bits factored in 1999

NIST, RSA, NESSIE: Public key sizes should be at least 1024 bits for the recommended 80-bit level of security.

Old export laws used to forbid sizes greater than 512 bits.

Key Size

Number

Percent

512 765 3.94 %

768 275 1.42 %

1024 17,166 88.35 %

1280 1 0.01 %

2048 1,192 6.14 %

4096 36 0.19 %

IBM Research


Hash Functions

MAC Number Percentage

MD5 19,201 98.83 %

SHA-1 19,326 99.47 %

MD5 has a family of collisions

– Only option for SSL 2.0, but 79 servers use SSL 3.0 or TLS and only support MD5

SHA-1 is also recently in trouble

SHA-256, SHA-512 are also available

IBM Research


Symmetric Key Encryption

Cipher Number Percent

AES 11,107 57.17 %

DES 19,168 98.66 %

RC2 17,931 92.29 %

RC4 19,241 99.03 %

Nearly all servers support DES, RC2, and RC4

Over 50% of the servers support the new AES standard

IBM Research


DES


DES-40 12,930 66.55 %

DES-56 12,102 62.29 %

DES-64 18,162 93.48 %

3-DES 18,943 97.50 %


DES-40 25 0.13 %

DES-56 35 0.18 %

DES-64 165 0.85 %

3-DES 18,943 97.50 %

Maximum

DES strength

DES support

IBM Research



RC2-40 17,546 90.31 %

RC2-56 7,360 37.88 %

RC2-128

16,278 83.78 %Cipher Number Percent

RC2-40 790 4.07 %

RC2-56 863 4.44 %

RC2-128

16,278 83.78 %

Maximum RC2 Strength

RC2 Support

RC2

IBM Research



RC4-40 17,827 91.75 %

RC4-56 12,173 62.65 %

RC4-64 11,030 56.77 %

RC4-128 19,154 98.58 %Cipher Number Percent

RC4-40 48 0.25 %

RC4-56 38 0.20 %

RC4-64 1 0.01 %

RC4-128

19,154 98.58 %

Maximum RC4 strength

RC4 Support

RC4

IBM Research


AES

AES-128 AES-256 Number

Percentage

154 0.79 %

10,709 55.12 %

244 1.26 %

AES support

IBM Research


Default Choice of Full Cipher Suite

Cipher Suite Number Percent

AES-256 SHA-1

10,135 53.69 %

RC4-128 MD5

5,611 29.72 %

3-DES SHA-1 2,837 15.02 %

RC4-128 SHA-1

259 1.37 %

3-DES MD5 12 0.06 %

RC4-40 MD5 9 0.05 %

AES-128 SHA-1

6 0.03 %

RC4-56 MD5 3 0.02 %

DES-64 SHA-1

3 0.02 %

DES-56 SHA-1

2 0.01 %

IBM Research


Really Bad Choices

Bad Decision Num Percent

Support AES, choose something weaker

657 6.00 %

Support SSL3, choose SSL2 3 0.01 %

Choose weaker public key than available

4 0.01 %

IBM Research


Changes in SSL Version Support over Time

SSL Type

02 / 2005

08 / 2005

06 / 2006

11 / 2006

SSL 2.0 94.49 93.23 87.95 85.37

SSL 3.0 97.96 98.30 98.16 97.92

TLS 1.0 97.51 98.32 98.28 98.36

Situation is improving, but not quickly enough

SSL Version Support (Percentage)

IBM Research


Changes in Cipher Support over Time

Cipher02 /

200508 /

200506 /

200611 /

2006

AES 41.26 48.29 55.18 57.17

DES 99.13 99.28 98.81 98.66

Weak DES

97.32 97.00 94.63 93.48

RC2 96.52 96.20 93.63 92.29

RC4 99.50 99.57 99.18 99.03Cipher Support (Percentage)

IBM Research


Changes in Public Key Size over Time

Key Size02 /

200508 /

200506 /

200611 /

2006

512 5.01 5.32 4.17 3.94

768 1.93 1.84 1.54 1.42

1024 88.46 87.80 88.33 88.35

1048 0.01 0.01 0.00 0.00

1280 0.00 0.00 0.01 0.01

1536 0.01 0.00 0.00 0.00

1568 0.01 0.01 0.01 0.00

2048 4.51 4.96 5.91 6.14

4096 0.12 0.15 0.17 0.19Key Size Support (Percentage)

IBM Research


Most servers support reasonable cryptography– 57% support the new AES standard– 95% have strong public keys

Most servers also support weak cryptography– E.g., SSL2, 40-bit & 64 bit RC2/RC4/DES– Clients should not be allowed to use them

• e.g., Firefox changing to disable SSL2 Some servers have serious weaknesses

– 5% of servers support breakable public keys– 24 servers only support SSL2– 8% support only weak RC2– 87 support only weak RC4– 225 support only weak DES


IBM Research


We see some sites that make bad choices

– Choose RC4 or DES over AES

– Choose weaker symmetric keys than are supported

– Choose SSL2 over SSL3

We also see some strange birds

– A few that do not support RSA

– Some bizarre public key sizes (1048,1568,2560)

– A few sites that support AES-128 or 256 but not both

– Sites with inconsistent choices (behind a L4/L7 switch)

Summary and Conclusions (cont)

IBM Research


Future Work

Shorter term:

– Categorize servers by industry

– Categorize server strengths

– Check certificates (expired, self-signed, revoked)

Longer Term:

– Scan random (or routable) IPs rather than list

– Measure SSH server crypto strength

– Measure crypto used by clients

IBM Research


Security Is Limited By The Weakest Link

IBM Research


Q&A

Thank you!

IBM Research

© 2007 IBM Corporation

Backup

IBM Research


Related Work

Murray 2001 Study (USENIX Security 2001)– Tested 8081 servers– Found many more weak SSL sites (using 2001 defs)– Didn’t study choice of cipher, AES, etc.

NetCraft, SecuritySpace– Both sell subscription service testing SSL sites– Look at coarser-grain information (“strong”, “weak”)– SecuritySpace checks self-signed certificates (~9%)

Other Scanning Tools– E.g., IBM’s NSA, NMAP, ssh-scan (Michigan)– Look at different class of vulnerabilities (open ports, SSH version,

etc.)

IBM Research


Default Choice of Symmetric Encryption

Most sites choose wisely


AES 10,141 53.72 %

DES 2,845 15.12 %

RC2 0 0.00 %

RC4 5,882 31.16 %

IBM Research


Key Strengths

Bits of security

40 56 64 80 112 128 256

Private Key RC2, RC4, DES

RC2, RC4, DES

RC4, DES

3DES

RC2, RC4,

AES

AES

Public Key

Length (bits)

1024

2048 3072

15360

NIST suggests that the 80-bit level will be appropriate until 2015, and the 112- bit level until 2035.

Documents

Cryptographic Strength of SSL/TLS Servers: Current and Recent Practices