
I don’t know if it’s PCI compliance fever season or what, but I’ve been asked a lot about “weak SSL ciphers” lately. Mostly, having to do with “what the heck are those anyway?” If you don’t have a decent grasp of SSL, start with my previous article on SSL. If you think you do, stay with me for a bit 🙂

Let’s start with what ciphers are. Ciphers are the algorithms used to do some kind of cryptography – either encryption or hashing. Well known ciphers you’ve probably heard of are RSA, 3DES, AES, Blowfish, and SHA1. SSL Ciphers are the set of ciphers that are used for all parts of the SSL negotiation – and remember there are several used in one SSL session: both asymmetric and symmetric, and hashing. If you have OpenSSL installed, you can see all of the Ciphers that OpenSSL supports by typing openssl ciphers -v (the -v gives you details that are helpful). You’ll get back a list that looks something like this (except a lot longer):
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1

What each of those lines tells you is what the name of the cipher is (according to OpenSSL), the SSL version that it exists in, the Key Exchange algorithm (Kx), the Authentication (Au) algorithm, the Encryption (Enc) algorithm, and the Hash (Mac) being used. You can see where the cipher naming scheme comes in…

You don’t want any of these ciphers to be “weak”. So you’re really looking at four algorithms at a time (key exchange, authentication, encryption, and hash) to determine if the cipher suite is “weak”. What makes a cipher “weak”? Any algorithm (or key length) that has been determined to be easily breakable through either a flaw or brute force. An example of a weak cipher would be EDH-RSA-DES-CBC-SHA, which uses 56-bit DES for encryption. Some people claim that MD5 is now a weak cipher. Either way, your organization probably has a list of approved and non-approved algorithms, and you’ll want to compare that list to what SSL supports.

You can use openssl s_client to see what algorithms your server is supporting (rather than just what openssl supports).
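As an added example (not code from the original article), here is a small Python script that parses the `openssl ciphers -v` column layout shown above into its Kx/Au/Enc/Mac parts and then applies a simple "weak cipher" policy to each suite: no SSLv2, no single DES or any symmetric key under 128 bits, and no MD5 MAC. The sample cipher list and the policy thresholds are constructed for the example; the policy is one possible reading of the article and the PCI comment below, not an official list, so substitute your organization's approved-algorithm list in practice.

```python
import re
from dataclasses import dataclass

# Constructed sample of `openssl ciphers -v` output, in the same column layout
# as the lines quoted in the article. DES and MD5 entries are included on
# purpose so the policy check has something to flag.
SAMPLE_CIPHERS_V = """\
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC-SHA     SSLv3 Kx=DH       Au=RSA  Enc=DES(56)   Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
"""


@dataclass
class CipherSuite:
    name: str
    version: str
    kx: str
    au: str
    enc: str        # symmetric algorithm name, e.g. "AES"
    enc_bits: int   # key length in bits; 0 if OpenSSL printed none
    mac: str


# One `openssl ciphers -v` line: name, protocol, then Kx=, Au=, Enc=, Mac= fields.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<version>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)


def parse_ciphers(text: str) -> list[CipherSuite]:
    """Turn the raw `openssl ciphers -v` text into CipherSuite records."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised cipher line: {line!r}")
        suites.append(CipherSuite(
            name=m["name"], version=m["version"], kx=m["kx"], au=m["au"],
            enc=m["enc"], enc_bits=int(m["bits"] or 0), mac=m["mac"],
        ))
    return suites


# Policy thresholds are assumptions for this example; replace them with your
# organization's approved-algorithm list.
MIN_ENC_BITS = 128
DISALLOWED_VERSIONS = {"SSLv2"}
DISALLOWED_MACS = {"MD5"}


def weaknesses(suite: CipherSuite) -> list[str]:
    """Return the reasons a suite fails the policy (empty list = acceptable)."""
    reasons = []
    if suite.version in DISALLOWED_VERSIONS:
        reasons.append(f"protocol {suite.version} is disallowed")
    if suite.enc == "DES" or (suite.enc_bits and suite.enc_bits < MIN_ENC_BITS):
        reasons.append(
            f"encryption {suite.enc}({suite.enc_bits}) is below {MIN_ENC_BITS} bits")
    if suite.mac in DISALLOWED_MACS:
        reasons.append(f"MAC {suite.mac} is disallowed")
    return reasons


def audit(text: str) -> dict[str, list[str]]:
    """Map every cipher name in the list to its policy failures."""
    return {s.name: weaknesses(s) for s in parse_ciphers(text)}


if __name__ == "__main__":
    # Pipe real output in with: openssl ciphers -v | python3 this_script.py
    for name, reasons in audit(SAMPLE_CIPHERS_V).items():
        status = "WEAK" if reasons else "ok"
        print(f"{name:24} {status:5} {'; '.join(reasons)}")
```

The parser keys on the `Kx=`, `Au=`, `Enc=` and `Mac=` labels rather than on column positions, so it tolerates the variable whitespace OpenSSL uses to align its table. Note that OpenSSL reports 3DES as 168 bits, which is why the sample 3DES suite passes the key-length test and fails only on SSLv2 and MD5.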

In a future article: how to configure various web servers to support only the ciphers you want.

2 thoughts on “SSL Ciphers, what are those?”

  1. Ben says:

    More simply put, in the context of PCI DSS the QSAs are specifically looking to make sure that only SSLv3 and TLSv1 are enabled. Some older web server implementations still support SSLv2 by default, which is verboten. SSLv1 and SSLv2 are broken protocols that are explicitly barred. Beyond that, QSAs will also typically look for key size to help determine strength. 128 bits is the minimum requirement, making both 3DES and AES ok. Hash algorithms /might/ be evaluated, but that seems less likely since it’s still very difficult to prove definitively that a use case is a weak point. Specific chaining modes, on the other hand, like what you described above, may be evaluated, depending on the crypto-savvy of a given assessor.

  2. LonerVamp says:

    Poking at and reporting on weaker SSL versions and ciphers is a small pet peeve of mine about security audits. As far as I know, there has been nothing but theoretical speculation about attacking these weaknesses. I used to use it as a way to figure out how thorough auditors were being. I would accept lower SSL and cipher requests with a page that said, “We don’t support this.” Automated scanners call this a successful find because I simply answered, but never bother to interrogate the findings.

    That is until someone non-technical with a far higher pay grade than me decided not to understand the details and just eliminate the finding altogether from reports.

    …which is a wholly other pet peeve about security in business… 🙂
