SSL v2.0 and weak cipher suite – Netscape legacy


SSL v2.0 and its weak cipher suites are legacy socket-layer security developed by Netscape circa 1995 (SSL 1.0 was also developed by Netscape, in 1994, but never released). According to Netscape, it was designed to protect any higher-level protocol built on sockets, such as telnet, ftp, or HTTP. SSL v3.0 was developed in 1996 and is still around these days.

Citrix products, such as the Netscaler security appliances commonly used in enterprise-level environments, have not supported SSL v2.0 since version 6.1, back in 2006, due to its known security issues.

=======

When you shop online or sign up for a membership that requires sensitive information such as a credit card number or Social Security number, most websites use encryption so that this data can’t be viewed by an unauthorized eavesdropper.

 

Definition

  • SSL stands for Secure Sockets Layer. It is a type of encryption, a method of communication that is protected by scrambling information in a way that can only be read with a unique key.

SSL 2.0

  • SSL 2.0 is an outdated version of this encryption that has been replaced with SSL 3.0 and TLS (Transport Layer Security). Version 1.0 was never actually released to the public.

SSL 3.0

  • SSL 2.0 had several holes in its security model that could be exploited by someone sitting in between the sender and recipient of the data. This is known as a “Man-in-the-Middle attack.” In the initial “handshake” between the origin and the destination, an exploiter could lower the encryption from 128 bits to 40 bits, making it much easier to crack.

SSL 3.0 Problems

  • That was one of many problems with SSL 2.0. SSL 3.0 changed its handshake model so that it could be done at any time during the data transfer. It also allowed for multiple certificates to be sent back and forth (which are verified by third parties like VeriSign to ensure that the holder of that certificate is legitimate).

SSL 2.0 Connections

  • If you encounter a webpage where you need to enter sensitive personal information, check what type of security it’s using. If for some reason it’s only using SSL 2.0, you may not want to enter that information. It may be that you are also using an older Internet browser that does not support SSL 3.0 or you have not set it to use that level of encryption.

source: E-how

====

Weak ciphers and protocols can be disabled on your Microsoft Internet Information Server (IIS). Weak SSL protocols and ciphers are often enabled by default on Microsoft IIS servers. If you accept credit cards on your site, chances are you must comply with PCI, which states that you must only allow strong cryptography and security protocols. (source: Foundeo.com)

==============

For some reason, Windows Server 2008 using IIS 7 allows SSL 2.0 by default. Unfortunately, this means you will fail a PCI Compliance scan by default. To properly secure your server and ensure that you pass your PCI-DSS scans, you will need to disable SSL 2.0 and disable weak ciphers. In order to disable SSL 2.0 in IIS 7 and make sure that the stronger SSL 3.0 or TLS 1.0 is used, follow these instructions:

  1. Click Start, click Run, type regedit, and then click OK.
  2. In Registry Editor, locate the following registry key/folder: HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0
  3. Right-click on the SSL 2.0 folder and select New and then click Key. Name the new folder Server.
  4. Inside the Server folder, click the Edit menu, select New, and click DWORD (32-bit) Value.
  5. Enter Enabled as the name and hit Enter.
  6. Ensure that it shows 0x00000000 (0) under the Data column (it should by default). If it doesn’t, right-click and select Modify and enter 0 as the Value data.
  7. Restart the computer.

Note:

Disable Weak Ciphers In IIS 7.0

In addition to disabling SSL 2.0, you can disable some weak ciphers by editing the registry in the same way. The link below has a list of registry keys that you can copy and paste to disable weak ciphers in IIS 7.0. The registry location is:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\

e.g.: [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]

"Enabled"=dword:00000000

Other possible entries are:

NULL
RC2 40/128
RC2 56/128
RC4 40/128
RC4 56/128
RC4 64/128

Also two other possible entries are:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

source: SSL Shopper
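
The registry changes from the two procedures above (the SSL 2.0 and PCT 1.0 protocol keys plus the listed weak ciphers), scripted in PowerShell as an added example; it is not code from SSL Shopper or Microsoft. The script name Disable-WeakSchannel.ps1 is hypothetical, and without -Apply the script only reports the current state.

```powershell
# Added example (hypothetical script name: Disable-WeakSchannel.ps1).
# Default is audit only; pass -Apply from an elevated prompt to write Enabled=0.
param([switch]$Apply)

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Subkeys named on this page. Cipher names contain '/', which the PowerShell
# registry provider (HKLM:\...) treats as a path separator and would split into
# nested keys, so the .NET registry API is used to address each literal name.
$targets = @(
    'Protocols\SSL 2.0\Server',
    'Protocols\PCT 1.0\Server',
    'Ciphers\NULL',
    'Ciphers\DES 56/56',
    'Ciphers\RC2 40/128',
    'Ciphers\RC2 56/128',
    'Ciphers\RC4 40/128',
    'Ciphers\RC4 56/128',
    'Ciphers\RC4 64/128'
)

$hklm = [Microsoft.Win32.Registry]::LocalMachine

$report = foreach ($sub in $targets) {
    $path = "$base\$sub"
    if ($Apply) {
        # CreateSubKey opens the key writable and creates it if it is missing.
        $key = $hklm.CreateSubKey($path)
        $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
    # Read back (read-only) so the report reflects what is actually stored.
    $key = $hklm.OpenSubKey($path)
    $value = $null
    if ($key) { $value = $key.GetValue('Enabled'); $key.Close() }
    # Only an explicit 0 counts as disabled; a missing key or value leaves
    # the operating system default in force and is flagged for review.
    $state = if ($value -eq 0) { 'disabled' } else { 'REVIEW' }
    New-Object PSObject -Property @{ Key = $sub; Enabled = $value; State = $state }
}
$report | Select-Object Key, Enabled, State | Format-Table -AutoSize
if ($Apply) { Write-Host 'Restart the computer for SCHANNEL to pick up the change.' }
```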

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communication security over the Internet.[1] TLS and SSL encrypt the segments of network connections at the Application Layer for the Transport Layer, using asymmetric cryptography for key exchange, symmetric encryption for confidentiality and message authentication codes for message integrity.

Several versions of the protocols are in widespread use in applications such as web browsing, electronic mail, Internet faxing, instant messaging and voice-over-IP (VoIP).

TLS is an IETF standards track protocol, last updated in RFC 5246, and is based on the earlier SSL specifications developed by Netscape Communications.

source: wikipedia.org

More from wikipedia:

Network Socket:

A network socket is an endpoint of an inter-process communication flow across a computer network. Today, most communication between computers is based on the Internet Protocol; therefore most network sockets are Internet sockets.

A socket API is an application programming interface (API), usually provided by the operating system, that allows application programs to control and use network sockets. Internet socket APIs are usually based on the Berkeley sockets standard.

A socket address is the combination of an IP address and a port number, much like one end of a telephone connection is the combination of a phone number and a particular extension. Based on this address, internet sockets deliver incoming data packets to the appropriate application process or thread. (source: Network socket )

========

A. Introduction to, and history of, SSL

SSL, Secure Sockets Layer, is a protocol designed and implemented by Netscape Communications. Netscape claims it is designed to work, as the name implies, at the socket layer, to protect any higher level protocol built on sockets, such as telnet, ftp, or HTTP. As such, it is ignorant of the details of higher level protocols, and what is being transported. A free reference version of SSL, SSLRef, is available from Netscape. Many of the functions provided by SSL are part of the newly defined IPv6.

SSL provides for encryption of a session, authentication of a server, and optionally a client, and message authentication. The SSL Handshake Protocol and the application protocol both operate on top of the SSL Record Protocol, a simple means of encapsulating authentication information. SSL-Record Layer works on TCP or some other reliable transport mechanism. Session establishment takes from 5 to 8 messages, depending on options used. SSL relies on the existence of a key certification mechanism for the authentication of a server. SSL does not provide for renegotiation of keys within a session. (This is not a problem in HTTP, but might be with other protocols.) A multitude of ciphers and secure hashes are supported, including some explicitly weakened to comply with export restrictions.

source: Homeport.org

===============

SSL version 2 was designed in 1994 by Netscape to provide data confidentiality for the World Wide Web (WWW). SSL requires Transmission Control Protocol (TCP). User Datagram Protocol (UDP) applications cannot use SSL.

This version supports:

  • Rivest-Shamir-Adelman (RSA) public key algorithm
  • Rivest’s Cipher 2 (RC2), RC4, Data Encryption Standard (DES), and Triple-Data Encryption Standard (3DES) encryption algorithms
  • Message Digest Algorithm 5 (MD5).

SSL version 2 is not recommended due to known security issues.

source: Public Library, IBM

=========

Netscaler helps companies build enterprise cloud networks, providing elasticity, expandability and simplicity
Provides service and application delivery
Provides high speed load balancing and content switching
Provides HTTP compression and content caching
Provides SSL acceleration, application flow visibility and application firewall
All these features combine into a single platform

source: Citrix

===============

What is a Cipher Suite?

A cipher suite is a set of ciphers used in the privacy, authentication, and integrity of data passed between a server and client in an SSL session.  Any given session uses one cipher, which is negotiated in the handshake.  The components of the cipher are

  • Key Exchange Algorithm (RSA or DH) – symmetric (same key for encryption/decryption) or asymmetric (shared public key for encryption, protected private key for decryption)
  • Authentication Algorithm (RSA or DSS.  Note that with RSA, Key Exchange and Authentication are combined) – Used for authenticating the server and/or client.  X.509 certificates in the case of SSL.
  • Encryption Algorithm (DES, 3DES, AES, RC4) – Used to encrypt the message payload
  • Message Authentication Code (MAC) Digest Algorithm (MD5, SHA-1) – Used for message integrity

source: Jason Rahm

===

More history of SSL:

SSL 1.0 was developed by Netscape, but never released. The first public version, SSL 2.0, was released in 1994, which was found to have substantial security flaws. In response, SSL 3.0 was developed and released in 1996 (over a decade ago). The IETF used this as the basis for TLS 1.0, which is similar but not compatible. TLS 1.1 and 1.2 (the latter of which, AFAIK, hasn’t yet been ratified) are both relatively minor updates, though there are some security enhancements.

In short, one major update (2.0 to 3.0) in 18 years of availability.

by BrianF
