From 40915311bced302d5ccc1bbee6f03f9a52d2ed73 Mon Sep 17 00:00:00 2001 From: Ryan Parman Date: Wed, 11 Dec 2024 13:29:54 -0700 Subject: [PATCH] docs: More content. --- .markdownlint.base.jsonc | 1 + content/learning/recommended-cipher-suites.md | 52 +++++++++++++++++++ content/learning/tls/3des.md | 2 +- content/learning/tls/_index.md | 3 +- content/learning/tls/aes.md | 2 +- content/learning/tls/anon.md | 2 +- content/learning/tls/aria.md | 2 +- content/learning/tls/cbc.md | 2 +- content/learning/tls/des.md | 2 +- content/learning/tls/dh.md | 4 +- content/learning/tls/dhe.md | 4 +- content/learning/tls/dss.md | 7 ++- content/learning/tls/ecdsa.md | 43 +++++++++++---- content/learning/tls/export.md | 2 +- content/learning/tls/null.md | 2 +- content/learning/tls/rc2.md | 2 +- content/learning/tls/rc4.md | 2 +- content/learning/tls/rsa-kex.md | 2 +- content/learning/tls/rsa-sig.md | 2 +- content/learning/vulns/goldendoodle.md | 40 ++++++++++++++ themes/dst2024 | 2 +- 21 files changed, 150 insertions(+), 30 deletions(-) create mode 100644 content/learning/recommended-cipher-suites.md create mode 100644 content/learning/vulns/goldendoodle.md diff --git a/.markdownlint.base.jsonc b/.markdownlint.base.jsonc index b4f983e..ccdbeed 100644 --- a/.markdownlint.base.jsonc +++ b/.markdownlint.base.jsonc @@ -119,6 +119,7 @@ "picture", "pre", "source", + "span", "summary", "ul" ] diff --git a/content/learning/recommended-cipher-suites.md b/content/learning/recommended-cipher-suites.md new file mode 100644 index 0000000..aa597a9 --- /dev/null +++ b/content/learning/recommended-cipher-suites.md @@ -0,0 +1,52 @@ +--- +title: Recommended Cipher Suites +description: Reduce the attack surface of your website by enabling secure handshakes +layout: learn-single + +--- + +## Summary + +

The 2010s were a terrible decade for TLS security.

+ +In [TLS Vulnerabilities]({{% relref "vulns" %}}), we list a number of known vulnerabilities in cipher suites — most of which were discovered between 2010–2019. This triggered the need to radically shift how we approach security on the web. + +Rather than continuing to allow access to older cipher suites with outdated security in order to allow older clients and web browsers to connect, the lessons from the 2010s taught us that it's the _future or bust_. + +## Recommended settings + +### TLS versions + +* ✅ TLS 1.3 + TLS 1.2. + +* ❌ TLS 1.1, TLS 1.0, SSLv3, and SSLv2. + +### TLS 1.3 cipher suites + +In order to simplify configuration and increase security, **TLS 1.3** has three cipher suites which are meant to be non-configurable. + +1. TLS_AES_128_GCM_SHA256 + +1. TLS_AES_256_GCM_SHA384 + +1. TLS_CHACHA20_POLY1305_SHA256 + +### TLS 1.2 cipher suites + +#### Recommended + +**TLS 1.2** carried-forward the habit of allowing administrators to configure which cipher suites to support, which led to _several_ security vulnerabilies being exposed during the 2010s. + +As a result, these are the only cipher suites with no known vulnerabilities left, and are likely to work with most server software. + +1. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + +1. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + +1. TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 + +These are equivalent to the cipher suite identifiers used in **TLS 1.3**. The only difference being that they specify the key exchange (`ECDHE`) and the authenticating signing mechanism (`ECDSA`). + +#### Tolerable + +The following cipher suites are also **secure**, however they aren't **recommended** diff --git a/content/learning/tls/3des.md b/content/learning/tls/3des.md index 73f70c1..03e6ba7 100644 --- a/content/learning/tls/3des.md +++ b/content/learning/tls/3des.md 
@@ -1,6 +1,6 @@ --- title: Triple Data Encryption Standard (3DES) -description: Vulnerable encryption algorithm +description: ❌ Vulnerable encryption algorithm layout: learn-single tls_part: encryption-algo diff --git a/content/learning/tls/_index.md b/content/learning/tls/_index.md index e08849f..f01d35a 100644 --- a/content/learning/tls/_index.md +++ b/content/learning/tls/_index.md @@ -1,7 +1,6 @@ --- title: TLS and Cipher Suites -description: ... -# layout: learn-single +description: '@TODO' layout: list good_better_best: diff --git a/content/learning/tls/aes.md b/content/learning/tls/aes.md index e2ba45e..dd673c1 100644 --- a/content/learning/tls/aes.md +++ b/content/learning/tls/aes.md @@ -1,6 +1,6 @@ --- title: Advanced Encryption Standard (AES) -description: Secure encryption algorithm +description: ✅ Secure encryption algorithm layout: learn-single tls_part: encryption-algo diff --git a/content/learning/tls/anon.md b/content/learning/tls/anon.md index 418e335..0501a86 100644 --- a/content/learning/tls/anon.md +++ b/content/learning/tls/anon.md @@ -1,6 +1,6 @@ --- title: Anonymous Key Exchanges (anon) -description: Vulnerable key exchange +description: ❌ Vulnerable key exchange layout: learn-single tls_part: key-exchange diff --git a/content/learning/tls/aria.md b/content/learning/tls/aria.md index e56e679..90073e2 100644 --- a/content/learning/tls/aria.md +++ b/content/learning/tls/aria.md @@ -1,6 +1,6 @@ --- title: ARIA -description: Secure encryption algorithm (non-standard) +description: ✅ Secure encryption algorithm (non-standard) layout: learn-single tls_part: encryption-algo diff --git a/content/learning/tls/cbc.md b/content/learning/tls/cbc.md index 43ad312..c803895 100644 --- a/content/learning/tls/cbc.md +++ b/content/learning/tls/cbc.md @@ -1,6 +1,6 @@ --- title: Cipher Block Chaining (CBC) -description: Vulnerable encryption algorithm +description: ❌ Vulnerable encryption algorithm layout: learn-single tls_part: encryption-algo 
diff --git a/content/learning/tls/des.md b/content/learning/tls/des.md index 125b651..80c3363 100644 --- a/content/learning/tls/des.md +++ b/content/learning/tls/des.md @@ -1,6 +1,6 @@ --- title: Data Encryption Standard (DES) -description: Vulnerable encryption algorithm +description: ❌ Vulnerable encryption algorithm layout: learn-single tls_part: encryption-algo diff --git a/content/learning/tls/dh.md b/content/learning/tls/dh.md index 9dfd490..cf51853 100644 --- a/content/learning/tls/dh.md +++ b/content/learning/tls/dh.md @@ -1,6 +1,6 @@ --- title: Diffie-Hellman (DH) -description: Vulnerable key exchange +description: ❌ Vulnerable key exchange layout: learn-single tls_part: key-exchange @@ -38,7 +38,7 @@ The newer [elliptic-curve][ECC] (ECDHE) key exchange algorithms are more secure | Ephemeral | _No_ | | Related tech | [PGP] | -¹ While not strictly "cracked", research has shown that the hacking agencies of nation-states can afford the compute resources required to crack these types of encrypted messages — up through 1024-bit keys. 2048-bit keys are, at present, still strong enough to make cracking mathematically impossible (pre-Quantum computing) +¹ While not strictly "cracked", research has shown that the hacking agencies of nation-states can afford the compute resources required to crack these types of encrypted messages — up through 1024-bit keys. 2048-bit keys are, at present, still strong enough to make cracking mathematically impossible (pre-Quantum computing). [Diffie-Hellman]: https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange [ECC]: https://en.wikipedia.org/wiki/Elliptic-curve_cryptography diff --git a/content/learning/tls/dhe.md b/content/learning/tls/dhe.md index 4e2c8ea..9ca4abf 100644 --- a/content/learning/tls/dhe.md +++ b/content/learning/tls/dhe.md @@ -1,6 +1,6 @@ --- title: Diffie-Hellman, Ephemeral (DHE) -description: Vulnerable key exchange +description: ❌ Vulnerable key exchange layout: learn-single tls_part: key-exchange 
@@ -39,7 +39,7 @@ The newer [elliptic-curve][ECC] (ECDHE) key exchange algorithms are more secure | Ephemeral | _Yes_ | | Related tech | [PGP] | -¹ While not strictly "cracked", research has shown that the hacking agencies of nation-states can afford the compute resources required to crack these types of encrypted messages — up through 1024-bit keys. 2048-bit keys are, at present, still strong enough to make cracking mathematically impossible (pre-Quantum computing) +¹ While not strictly "cracked", research has shown that the hacking agencies of nation-states can afford the compute resources required to crack these types of encrypted messages — up through 1024-bit keys. 2048-bit keys are, at present, still strong enough to make cracking mathematically impossible (pre-Quantum computing). [Diffie-Hellman]: https://en.wikipedia.org/wiki/Diffie–Hellman_key_exchange [ECC]: https://en.wikipedia.org/wiki/Elliptic-curve_cryptography diff --git a/content/learning/tls/dss.md b/content/learning/tls/dss.md index 35cb8fc..d484868 100644 --- a/content/learning/tls/dss.md +++ b/content/learning/tls/dss.md @@ -1,6 +1,6 @@ --- title: Digital Signature Standard (DSS) -description: Deprecated authentication signing +description: 👎 Deprecated authentication signing layout: learn-single tls_part: auth-sig 
@@ -9,7 +9,9 @@ tls_part: auth-sig ## Summary -The [DSS] standard (including the [DSA] signature algorithm) signing method was developed by the [NSA], proposed by U.S. NIST in 1991, then [became a _Federal Information Processing Standard_ (FIPS) in 1994][FIPS-186]. In 2023, U.S. NIST announced that they were deprecating the _Digital Signing Algorithm_. +The [Digital Signature Standard][DSS] (DSS) is an overarching [U.S. federal standard][FIPS-186] which evolves over time. _One part_ of that standard is the [Digital Signature Algorithm][DSA] (DSA). + +The _Digital Signature Algorithm_ signing method was developed by the [NSA], proposed by U.S. NIST in 1991, then [became a _Federal Information Processing Standard_ (FIPS) in 1994][FIPS-186]. In 2023, U.S. NIST [announced] that they were deprecating the _Digital Signing Algorithm_ in favor of [ECDSA]({{% relref "ECDSA" %}}) and `EdDSA`. Any cipher suite with `DSS` in the name should be avoided. `ECDSA` signing should be strongly preferred. @@ -22,6 +24,7 @@ Any cipher suite with `DSS` in the name should be avoided. `ECDSA` signing shoul | Deprecated | 2023 | | Related tech | [FIPS-186] | +[announced]: https://www.nist.gov/news-events/news/2023/02/nist-revises-digital-signature-standard-dss-and-publishes-guideline [DSA]: https://en.wikipedia.org/wiki/Digital_Signature_Algorithm [DSS]: https://en.wikipedia.org/wiki/Digital_Signature_Standard [FIPS-186]: https://csrc.nist.gov/pubs/fips/186-5/final diff --git a/content/learning/tls/ecdsa.md b/content/learning/tls/ecdsa.md index 7b87157..3bf9236 100644 --- a/content/learning/tls/ecdsa.md +++ b/content/learning/tls/ecdsa.md 
@@ -1,25 +1,50 @@ --- title: Elliptic Curve Digital Signature Algorithm (ECDSA) -description: Secure authentication signing +description: ✅ Secure authentication signing layout: learn-single tls_part: auth-sig +learn_more: + - text: 'ECDSA: The digital signature algorithm of a better internet' + url: https://blog.cloudflare.com/ecdsa-the-digital-signature-algorithm-of-a-better-internet/ + source: Cloudflare + + - text: 'Standards for Efficient Cryptography: Elliptic Curve Cryptography' + url: https://www.secg.org/sec1-v2.pdf + source: Standards for Efficient Cryptography Group + + - text: 'A Brief History of the U.S. Trying to Add Backdoors Into Encrypted Data' + url: https://www.atlasobscura.com/articles/a-brief-history-of-the-nsa-attempting-to-insert-backdoors-into-encrypted-data + source: Atlas Obscura + --- ## Summary -[ECDSA] is a digital signature algorithm using elliptic curve cryptography, offering a more secure alternative to traditional [DSA]({{% relref "DSS" %}}). It involves key generation, signature creation, and verification, with a focus on the importance of randomness in the signing process. While ECDSA offers security advantages, vulnerabilities in implementation, such as static random number generation, have been exploited in real-world attacks. +[ECDSA] is a digital signature algorithm using elliptic curve cryptography, offering a more secure alternative to traditional [DSA]({{% relref "DSS" %}}). It involves key generation, signature creation, and verification, with a focus on the importance of randomness in the signing process. + +It is based on the underlying mathematical concepts of [Elliptic-curve cryptography][ECC]. + +## Concerns + +While ECDSA offers security advantages, vulnerabilities in poor implementations (such as static random number generation) have been exploited in real-world attacks (e.g., jailbreaking Sony’s PlayStation 3). + +There have been political concerns about the trustworthiness of U.S. 
NIST-produced curves, after revelations were made that [the NSA willingly inserts backdoors into software][backdoors], hardware components and published standards. -@TODO +Well-known cryptographers (including [Bruce Schneier]) have expressed doubts about [how the NIST curves were designed][P-curves], and voluntary tainting [has already been proven][tainting] in the past. Nevertheless, a proof that the named NIST curves exploit a rare weakness is missing yet. ## Information -| Field | Value | -|--------------|------------------------| -| Kind | Authentication signing | -| Invented | 1991 | -| Deprecated | 2023 | -| Related tech | | +| Field | Value | +|------------|------------------------| +| Kind | Authentication signing | +| Proposed | 1992 | +| Deprecated | - | +[backdoors]: https://www.theguardian.com/us-news/2015/feb/23/nsa-director-defends-backdoors-into-technology-companies +[Bruce Schneier]: https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html +[ECC]: https://en.wikipedia.org/wiki/Elliptic-curve_cryptography [ECDSA]: https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm +[P-curves]: https://safecurves.cr.yp.to/rigid.html +[tainting]: https://www.scientificamerican.com/article/nsa-nist-encryption-scandal/ diff --git a/content/learning/tls/export.md b/content/learning/tls/export.md index 16c085d..38c33d7 100644 --- a/content/learning/tls/export.md +++ b/content/learning/tls/export.md @@ -1,6 +1,6 @@ --- title: Export-grade encryption (EXPORT) -description: Vulnerable encryption algorithms +description: ❌ Vulnerable encryption algorithms layout: learn-single tls_part: encryption-algo diff --git a/content/learning/tls/null.md b/content/learning/tls/null.md index 1d11454..609cc2f 100644 --- a/content/learning/tls/null.md +++ b/content/learning/tls/null.md @@ -1,6 +1,6 @@ --- title: 'NULL algorithm' -# description: Vulnerable key exchange +# description: ❌ Vulnerable key exchange layout: learn-single --- 
diff --git a/content/learning/tls/rc2.md b/content/learning/tls/rc2.md index 7c2820d..ef2132a 100644 --- a/content/learning/tls/rc2.md +++ b/content/learning/tls/rc2.md @@ -1,6 +1,6 @@ --- title: Rivest Cipher 2 (RC2) -description: Vulnerable encryption algorithm +description: ❌ Vulnerable encryption algorithm layout: learn-single tls_part: encryption-algo diff --git a/content/learning/tls/rc4.md b/content/learning/tls/rc4.md index 904055d..84d87be 100644 --- a/content/learning/tls/rc4.md +++ b/content/learning/tls/rc4.md @@ -1,6 +1,6 @@ --- title: Rivest Cipher 4 (RC4) -description: Vulnerable encryption algorithm +description: ❌ Vulnerable encryption algorithm layout: learn-single tls_part: encryption-algo diff --git a/content/learning/tls/rsa-kex.md b/content/learning/tls/rsa-kex.md index 0772990..01e8756 100644 --- a/content/learning/tls/rsa-kex.md +++ b/content/learning/tls/rsa-kex.md @@ -1,6 +1,6 @@ --- title: RSA (Key Exchange) -description: Vulnerable key exchange +description: ❌ Vulnerable key exchange layout: learn-single tls_part: key-exchange diff --git a/content/learning/tls/rsa-sig.md b/content/learning/tls/rsa-sig.md index e1cdafc..53c77e9 100644 --- a/content/learning/tls/rsa-sig.md +++ b/content/learning/tls/rsa-sig.md @@ -1,6 +1,6 @@ --- title: RSA (Authentication Signing) -description: Secure authentication signing +description: ✅ Secure authentication signing layout: learn-single tls_part: auth-sig diff --git a/content/learning/vulns/goldendoodle.md b/content/learning/vulns/goldendoodle.md new file mode 100644 index 0000000..2b7672e --- /dev/null +++ b/content/learning/vulns/goldendoodle.md 
@@ -0,0 +1,40 @@ +--- +title: GOLDENDOODLE +description: +layout: vuln + +year: 2019 +classes: + - Data leakage + +learn_more: + - text: 'Introducing Zombie POODLE and GOLDENDOODLE' + url: https://www.tripwire.com/state-of-security/zombie-poodle-goldendoodle + source: Tripwire + + - text: 'TLS CBC Padding Oracles in 2019' + url: https://www.tripwire.com/state-of-security/tls-cbc-padding-oracles + source: Tripwire + + - text: 'TLS CBC Padding Oracle Checker' + url: https://github.com/Tripwire/padcheck + source: GitHub + +--- + +## Overview + +The [GOLDENDOODLE] attack is a type of TLS CBC padding oracle vulnerability (like [POODLE]({{% relref "POODLE" %}})). + +GOLDENDOODLE can be used to hijack authenticated TLS sessions if the server reveals the padding validity of application data records in such a way that a Man-in-the-Middle (MITM) attacker can recognize well-formed padding independently of a valid Message Authentication Code (MAC). + +The best way to avoid this vulnerability is to _only_ allow TLS 1.2 (with recommended cipher suites) and TLS 1.3. + +## Information + +| Field | Value | +|--------------------------|---------------------| +| Vulnerability discovered | {{% param-year %}} | +| Vulnerability class | {{% param-class %}} | + +[GOLDENDOODLE]: https://www.tripwire.com/state-of-security/goldendoodle-attack diff --git a/themes/dst2024 b/themes/dst2024 index a7d994b..c5ca9f7 160000 --- a/themes/dst2024 +++ b/themes/dst2024 @@ -1 +1 @@ -Subproject commit a7d994bccd503b30f9af7e569a3a81ed90e94adc +Subproject commit c5ca9f7b119c138b39375f2f9cc2ebcb29ee4136
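Review bot: In the new `content/learning/recommended-cipher-suites.md`, the "Tolerable" section is truncated: "The following cipher suites are also **secure**, however they aren't **recommended**" has no terminating punctuation and the list it introduces never appears, so the heading ships empty. Add the list or drop the heading until the content exists. While in that file: "vulnerabilies" should be "vulnerabilities", "carried-forward" should be "carried forward", "between 2010–2019" should be "between 2010 and 2019", and the fragment "The only difference being that they specify ..." should be joined to the preceding sentence ("... used in **TLS 1.3**, the only difference being that ...").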
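Review bot: The TLS 1.2 "Recommended" list in `recommended-cipher-suites.md` contains only `TLS_ECDHE_ECDSA_WITH_*` suites and states "these are the only cipher suites with no known vulnerabilities left", yet the same patch marks `rsa-sig.md` as "✅ Secure authentication signing". The two pages contradict each other: either the `TLS_ECDHE_RSA_WITH_*` counterparts (AES-GCM and CHACHA20-POLY1305 with ECDHE key exchange and RSA signing) belong in the recommended or tolerable list, or the sentence should explain why RSA-signed suites are excluded despite the ✅ rating.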
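Review bot: In `content/learning/tls/_index.md`, `description: '@TODO'` replaces `description: ...`; the value is emitted as the page's meta description, so a placeholder string will be visible to readers and search engines. Prefer a real one-line description or leave the key out until one is written.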
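Review bot: In `content/learning/tls/null.md`, the hunk edits a commented-out line (`# description: ❌ Vulnerable key exchange`), so the page still has no description after this change, unlike every other page touched here. Either uncomment it (with wording that fits a NULL cipher, which is an encryption algorithm rather than a key exchange) or drop the dead line.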
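Review bot: In `content/learning/tls/dss.md`, the new Summary defines the term as "Digital Signature Algorithm (DSA)" and then, one sentence later, says NIST deprecated the "_Digital Signing Algorithm_". Use "Digital Signature Algorithm" in both places so the link text and the deprecation sentence refer to the same name.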
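Review bot: In `content/learning/tls/ecdsa.md`, the closing sentence of the Concerns section is hard to parse: "a proof that the named NIST curves exploit a rare weakness is missing yet." Suggest "no proof that the NIST curves contain a deliberate weakness has been published to date." In the same paragraph, "voluntary tainting" reads as a mistranslation; "deliberate tainting" matches the claim the linked articles make.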
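Review bot: In the new `content/learning/vulns/goldendoodle.md`, the `description:` key is left empty, so the page renders with a null description while every other page in this patch gets one. Also, the mitigation sentence "only allow TLS 1.2 (with recommended cipher suites) and TLS 1.3" would benefit from a `relref` to the `recommended-cipher-suites` page introduced in this same commit, since that is where the recommended suites are listed.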
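Review bot: The `themes/dst2024` submodule pointer is bumped from `a7d994b` to `c5ca9f7`, but the commit message "docs: More content." does not mention a theme change. Either note the theme update in the message or split the bump into its own commit so the theme change can be reviewed separately from the documentation edits.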