Re: [wpkops] NIST 800-52
Gary Gapinski <gapinski@nasa.gov> Tue, 13 May 2014 17:27 UTC
Message-ID: <537255CC.5030509@nasa.gov>
Date: Tue, 13 May 2014 13:26:36 -0400
From: Gary Gapinski <gapinski@nasa.gov>
To: wpkops@ietf.org
References: <002d01cf6ec2$fa251a00$ee6f4e00$@digicert.com>
In-Reply-To: <002d01cf6ec2$fa251a00$ee6f4e00$@digicert.com>
Archived-At: http://mailarchive.ietf.org/arch/msg/wpkops/RglYnqRM1tTzR-HQxZprkHKp0f8
Subject: Re: [wpkops] NIST 800-52
I think this is what was mentioned recently –
http://dx.doi.org/10.6028/NIST.SP.800-52r1
In addition to the excerpts following, I'll note that
- §3.2.2 allows each agency to decide on what to do if CRL or OCSP processing has a problem
- §3.4 mandates some extensions
- §3.5.1 mandates client certificate validation
- the above are recapitulated in §3.9
- §4 is overall symmetric with §3
- §4.5 allows considerable latitude chasing cross-trusts (such as tracing a path to a Netherlands CA for one of our certs)
- §4.5.1 mandates name constraints and punts to Appendix D
- §4.5.4 puts some onus on the user
The only practical way to ensure that servers and clients act in
accordance with these requirements is to field test servers and
clients. I do not expect to have comprehensive specimens available
soon.
These requirements will be non-trivial to implement in our
infrastructure.
Regards,
Gary
PS: I may be wrong about excluding DSS ciphers below
Here are some initial observations excerpted from several recent emails…
§3.1 essentially says TLS 1.1 or 1.2 only for government-only applications; for citizen or business-facing applications TLS 1.1 shall be used, TLS 1.2 should be used, and SSL 3.0 shall not be used.
§4.1 says no SSL 3.0 for clients, and that TLS 1.1 shall be supported, and TLS 1.2 should be supported.
§4.2.2 says revocation checking (via OCSP or CRL) is mandatory. This essentially means OCSP will be mandatory (and should be correct), as Mozilla and others are getting out of the CRL checking business.
§4.3.1 is consonant with §3.3.1.
§4 as well as other parts of the document levy requirements which will require more effort than has been previously expended. E.g., §4.5.2 mandates centralized trust anchor management.
There's a lot more to be discussed at a subsequent time, but here's my take on ciphers.
I went through §3.3.1 and came up with the following. The last field on each line is the OpenSSL name for the cipher.
The text is at odds with tables 3-2 and 3-3 (and §3.9.2.3). I think this is an error in the document.
### SP800-52r1: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
### TLS
# text shall TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
# text shall TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
# text should TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
# text should TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ECDHE-ECDSA-DES-CBC3-SHA
# text should TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE-ECDSA-AES128-SHA
# text should TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHE-RSA-DES-CBC3-SHA
# text should TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE-RSA-AES128-SHA
### TLS1.2
# text shall TLS_RSA_WITH_AES_128_GCM_SHA256 AES128-GCM-SHA256
# text should TLS_RSA_WITH_AES_256_GCM_SHA384 AES256-GCM-SHA384
# text should TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE-ECDSA-AES128-SHA256
# text should TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256
# text should TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE-ECDSA-AES256-GCM-SHA384
# text should TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDHE-RSA-AES128-SHA256
# text should TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDHE-RSA-AES128-GCM-SHA256
### Table 3-2 RSA
# 3-2 shall TLS_RSA_WITH_3DES_EDE_CBC_SHA DES-CBC3-SHA
# 3-2 shall TLS_RSA_WITH_AES_128_CBC_SHA AES128-SHA
# 3-2 should TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
# 3-2 should TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ECDHE-ECDSA-DES-CBC3-SHA
# 3-2 should TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDHE-RSA-DES-CBC3-SHA
# 3-2 should TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDHE-RSA-AES128-SHA
# 3-2 may TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDHE-RSA-AES256-SHA
### Table 3-3 TLS 1.2 RSA
# 3-3 shall TLS_RSA_WITH_AES_128_GCM_SHA256 AES128-GCM-SHA256
# 3-3 should TLS_RSA_WITH_AES_256_GCM_SHA384 AES256-GCM-SHA384
# 3-3 should TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE-ECDSA-AES128-SHA256
# 3-3 should TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256
# 3-3 may TLS_RSA_WITH_AES_128_CBC_SHA256 AES128-SHA256
# 3-3 may TLS_RSA_WITH_AES_256_CBC_SHA256 AES256-SHA256
# 3-3 may TLS_RSA_WITH_AES_128_CCM ?
# 3-3 may TLS_RSA_WITH_AES_256_CCM ?
### Table 3-4 ECDSA
# 3-4 should TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA ECDHE-ECDSA-DES-CBC3-SHA
# 3-4 should TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA ECDHE-ECDSA-AES128-SHA
# 3-4 may TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA ECDHE-ECDSA-AES256-SHA
### Table 3-5 TLS 1.2 ECDSA
# 3-5 should TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 ECDHE-ECDSA-AES128-SHA256
# 3-5 should TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 ECDHE-ECDSA-AES128-GCM-SHA256
# 3-5 should TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE-ECDSA-AES256-GCM-SHA384
# 3-5 may TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 ECDHE-ECDSA-AES256-GCM-SHA384
### Table 3-6 DSA
# 3-6 may TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA DHE-DSS-DES-CBC3-SHA
# 3-6 may TLS_DHE_DSS_WITH_AES_128_CBC_SHA DHE-DSS-AES128-SHA
# 3-6 may TLS_DHE_DSS_WITH_AES_256_CBC_SHA DHE-DSS-AES256-SHA
### Table 3-7 TLS 1.2 DSA
# 3-7 may TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 DHE-DSS-AES128-SHA256
# 3-7 may TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 DHE-DSS-AES256-SHA256
# 3-7 may TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 DHE-DSS-AES128-GCM-SHA256
# 3-7 may TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 DHE-DSS-AES256-GCM-SHA384
### Table 3-8 DH
# 3-8 may TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA Not implemented.
# 3-8 may TLS_DH_DSS_WITH_AES_128_CBC_SHA DH-DSS-AES128-SHA
# 3-8 may TLS_DH_DSS_WITH_AES_256_CBC_SHA DH-DSS-AES256-SHA
### Table 3-9 TLS 1.2 DH
# 3-9 may TLS_DH_DSS_WITH_AES_128_CBC_SHA256 DH-DSS-AES128-SHA256
# 3-9 may TLS_DH_DSS_WITH_AES_256_CBC_SHA256 DH-DSS-AES256-SHA256
# 3-9 may TLS_DH_DSS_WITH_AES_128_GCM_SHA256 DH-DSS-AES128-GCM-SHA256
# 3-9 may TLS_DH_DSS_WITH_AES_256_GCM_SHA384 DH-DSS-AES256-GCM-SHA384
### Table 3-10 ECDH
# 3-10 may TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA ECDH-ECDSA-DES-CBC3-SHA
# 3-10 may TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA ECDH-ECDSA-AES128-SHA
# 3-10 may TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA ECDH-ECDSA-AES256-SHA
### Table 3-11 TLS 1.2 ECDH
# 3-11 may TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 ECDH-ECDSA-AES128-SHA256
# 3-11 may TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 ECDH-ECDSA-AES256-SHA384
# 3-11 may TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 ECDH-ECDSA-AES128-GCM-SHA256
# 3-11 may TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 ECDH-ECDSA-AES256-GCM-SHA384
### Suite name to OpenSSL name cheat sheet at https://www.openssl.org/docs/apps/ciphers.html
On page 15 is found
"The cipher suites in these tables include the cipher suites that shall and should be supported (as described above), and may be supported. Only cipher suites that are composed of Approved algorithms are acceptable and are listed in this section. Cipher suites that do not appear in this section or Appendix C shall not be used."
As Appendix C is PSK ciphers those can be ignored. This means that the only ciphers that can be used are as follows:
- TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
- TLS_DH_DSS_WITH_AES_128_CBC_SHA
- TLS_DH_DSS_WITH_AES_128_CBC_SHA256
- TLS_DH_DSS_WITH_AES_128_GCM_SHA256
- TLS_DH_DSS_WITH_AES_256_CBC_SHA
- TLS_DH_DSS_WITH_AES_256_CBC_SHA256
- TLS_DH_DSS_WITH_AES_256_GCM_SHA384
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
- TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_128_CCM
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA256
- TLS_RSA_WITH_AES_256_CCM
- TLS_RSA_WITH_AES_256_GCM_SHA384
Note that there are no TLS_DHE_RSA ciphers. Contrast Chrome (https://www.ssllabs.com/ssltest/viewClient.html?name=Chrome&version=33&platform=Win%207) | IE11 (https://www.ssllabs.com/ssltest/viewClient.html?name=IE&version=11&platform=Win%208.1) | Firefox (https://www.ssllabs.com/ssltest/viewClient.html?name=Firefox&version=27&platform=Win%208) | Safari (https://www.ssllabs.com/ssltest/viewClient.html?name=Safari&version=7&platform=OS%20X%2010.9) | Android (https://www.ssllabs.com/ssltest/viewClient.html?name=Android&version=4.4.2) | iOS (https://www.ssllabs.com/ssltest/viewClient.html?name=Safari&version=7&platform=iOS%207.1) ciphers. Those are TLS1.2 capable (most others are not). They of course handle more than just FIPS and more than SP800-52r1 by default.
If that set is then restricted to "shall" ciphers and all others which afford PFS, the result is
- TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA
- TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA
- TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
- TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_AES_256_GCM_SHA384

- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
- TLS_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_256_CBC_SHA
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
The Apache HTTP Server config entry for my suggested ciphers is
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA
Java 7 will require a non-default deployment.properties setting to enable TLS 1.2 (TLS 1.2 is disabled by default on clients). Java 8 uses TLS 1.2 by default. Java 6 lacks TLS 1.2 and thus is unsuitable for use (as is anything else that cannot do TLS 1.2).
My Thunderbird v24.5.0 appears to be set by default for SSL 3.0 and TLS 1.0 (security.tls.version.min;0, security.tls.version.max;1) — I'll start testing in a TLS 1.(2|1) environment. All the ciphers (and I'm unsure all are represented) must be individually tweaked.
Per SP 800-52r1, all services and clients will require explicit TLS 1.2 preference, cipher suite restriction, SSL 3.0 exclusion, certificate validation via OCSP (as CRL support is waning and will be troublesome after the Heartbleed revocapocalypse), trust anchor grooming, FIPS 140 validation, and more. This is normative at this time; the 2015-01-01 date is a deadline for a TLS 1.2 adoption plan (not TLS 1.2 mandatory as mentioned here and elsewhere).
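The derivation the mail walks through by hand (permitted suites from the tables, keep the required ones plus everything with forward secrecy, drop DSS, emit an Apache SSLCipherSuite value) as an added example; this is editor-written code, not Gary's and not from NIST or the OpenSSL project. The PERMITTED list and the "shall"/"should" sets are transcribed from the mail's own tables; the IANA-to-OpenSSL name conversion is a heuristic that covers exactly those suites (the three the mail marks "?" or "Not implemented." map to None); the server-preference ordering (PFS first, AEAD before CBC, 3DES last) is my own choice, not the mail's order. Note that the mail's text says "shall" plus PFS while its resulting list also keeps the two "should" RSA suites, so the requirement floor is a parameter and the default reproduces the list as posted. The last function only configures a local SSL context; it makes no connection, and it shows the field-test point the mail makes: a modern libssl may refuse some of these suites at its default security level.

```python
"""SP 800-52r1 cipher-suite profile derived from the tables in the mail.

Added example, not part of the original message.  PERMITTED, SHALL and
SHOULD are transcribed from the mail; everything else in PERMITTED is "may".
"""
import ssl

# The 41 suites the mail lists as the only ones allowed (Appendix C PSK
# suites left out, as the mail does).
PERMITTED = """
TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA TLS_DH_DSS_WITH_AES_128_CBC_SHA
TLS_DH_DSS_WITH_AES_128_CBC_SHA256 TLS_DH_DSS_WITH_AES_128_GCM_SHA256
TLS_DH_DSS_WITH_AES_256_CBC_SHA TLS_DH_DSS_WITH_AES_256_CBC_SHA256
TLS_DH_DSS_WITH_AES_256_GCM_SHA384
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_CCM
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_CCM
TLS_RSA_WITH_AES_256_GCM_SHA384
""".split()

# Requirement levels as the mail reads the text of 3.3.1 and tables 3-2/3-3.
SHALL = {"TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
         "TLS_RSA_WITH_AES_128_GCM_SHA256"}
SHOULD = {"TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_256_GCM_SHA384",
          "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
          "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
          "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
          "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}
# Suites for which the mail's table gives no OpenSSL name ("?" / "Not implemented.").
NO_OPENSSL_NAME = {"TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA",
                   "TLS_RSA_WITH_AES_128_CCM", "TLS_RSA_WITH_AES_256_CCM"}
RANK = {"shall": 0, "should": 1, "may": 2}


def level(iana):
    return "shall" if iana in SHALL else "should" if iana in SHOULD else "may"


def key_exchange(iana):
    """'ECDHE_RSA' from 'TLS_ECDHE_RSA_WITH_...'."""
    return iana[len("TLS_"):].split("_WITH_")[0]


def offers_pfs(iana):
    # Only ephemeral (E-suffixed) Diffie-Hellman gives forward secrecy;
    # static DH/ECDH and RSA key transport do not.
    return key_exchange(iana) in ("DHE_DSS", "DHE_RSA", "ECDHE_ECDSA", "ECDHE_RSA")


def needs_tls12(iana):
    # AEAD modes and SHA-2 MAC/PRF suites exist only from TLS 1.2 on.
    return any(t in iana for t in ("GCM", "CCM", "SHA256", "SHA384"))


def openssl_name(iana):
    """Heuristic IANA -> OpenSSL name conversion, valid for the suites in PERMITTED."""
    if iana in NO_OPENSSL_NAME:
        return None
    kx, cipher = iana[len("TLS_"):].split("_WITH_")
    cipher = (cipher.replace("3DES_EDE_CBC", "DES-CBC3")
                    .replace("AES_128_CBC", "AES128").replace("AES_256_CBC", "AES256")
                    .replace("AES_128_", "AES128-").replace("AES_256_", "AES256-"))
    prefix = "" if kx == "RSA" else kx.replace("_", "-") + "-"   # plain RSA kx is implicit
    return prefix + cipher.replace("_", "-")


def profile(floor="should", include_dss=True):
    """Suites at or above the requirement floor, plus every suite offering PFS.

    floor="should" reproduces the mail's 23-entry list; floor="shall" is the
    stricter reading of its text.  include_dss=False is the PS's exclusion.
    """
    return [s for s in PERMITTED
            if (include_dss or "_DSS_" not in s)
            and (RANK[level(s)] <= RANK[floor] or offers_pfs(s))]


def ordered(suites):
    """Server preference (my choice): PFS first, AEAD before CBC, 3DES last, then by name."""
    return sorted(suites, key=lambda s: (not offers_pfs(s), "3DES" in s,
                                         not any(m in s for m in ("GCM", "CCM")), s))


def apache_cipher_suite(suites):
    """Colon-separated value for Apache's SSLCipherSuite, skipping suites without an OpenSSL name."""
    return ":".join(n for n in (openssl_name(s) for s in ordered(suites)) if n)


def supported_locally(cipher_string):
    """Subset of the requested suites this Python's libssl will actually enable.
    Recent OpenSSL drops 3DES and SHA-1 suites at its default security level."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:                      # nothing in the list is available
        return set()
    return {c["name"] for c in ctx.get_ciphers() if c.get("protocol") != "TLSv1.3"}


if __name__ == "__main__":
    chosen = profile(floor="should", include_dss=False)
    value = apache_cipher_suite(chosen)
    print("SSLCipherSuite", value)
    print("not enabled by local libssl:", sorted(set(value.split(":")) - supported_locally(value)))
```

Running it prints the directive value and, on a current OpenSSL, a non-empty "not enabled" list (typically the DES-CBC3 entries), which is exactly the kind of gap between the document's tables and a fielded server that the mail says only testing will reveal.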