NOW := $(shell date)
all:
- latex applied-crypto-hardening
+ pdflatex applied-crypto-hardening
# no bibtex citations atm
bibtex applied-crypto-hardening
#latex applied-crypto-hardening
- latex applied-crypto-hardening
+ pdflatex applied-crypto-hardening
#dvipdfm -z 9 applied-crypto-hardening
- dvipdf applied-crypto-hardening.dvi
+ #dvipdf applied-crypto-hardening.dvi
clean:
rm -f applied-crypto-hardening.aux applied-crypto-hardening.bbl applied-crypto-hardening.blg applied-crypto-hardening.dvi applied-crypto-hardening.log applied-crypto-hardening.pdf
-\documentclass{llncs}
-
-\usepackage{amsmath}
-\usepackage{amssymb}
-%\usepackage{psfrag}
-%\usepackage{graphicx}
-%\usepackage{color}
-%\usepackage{subfigure}
-%\usepackage[latin1]{inputenc} % Sonderzeichen, Umlaute
-\usepackage[utf8x]{inputenc} % Sonderzeichen, Umlaute
-\usepackage{hyperref}
-\usepackage{placeins}
-
+%%% LaTeX Template: Two column article
+%%%
+%%% Source: http://www.howtotex.com/
+%%% Feel free to distribute this template, but please keep to referal to http://www.howtotex.com/ here.
+%%% Date: February 2011
+
+%%% Preamble
+\documentclass[ DIV=calc,%
+ paper=a4,%
+ fontsize=9pt,%
+ onecolumn]{scrartcl} % KOMA-article class
+
+\usepackage{lipsum} % Package to create dummy text
+
+\usepackage[english]{babel} % English language/hyphenation
+\usepackage[protrusion=true,expansion=true]{microtype} % Better typography
+\usepackage{amsmath,amsfonts,amsthm} % Math packages
+\usepackage[pdftex]{graphicx} % Enable pdflatex
+%\usepackage[svgnames]{xcolor} % Enabling colors by their 'svgnames'
+\usepackage[hang, small,labelfont=bf,up,textfont=it,up]{caption} % Custom captions under/above floats
+\usepackage{epstopdf} % Converts .eps to .pdf
+\usepackage{subfig} % Subfigures
+\usepackage{booktabs} % Nicer tables
+\usepackage{fix-cm} % Custom fontsizes
+
+% custom changes:
\usepackage[usenames,dvipsnames,svgnames,table]{xcolor}
+\usepackage{placeins}
+\usepackage{hyperref}
\definecolor{green}{RGB}{32,113,10}
\definecolor{orange}{RGB}{251,111,16}
\definecolor{blue}{RGB}{0,28,128}
-\pagenumbering{arabic}
-\pagestyle{plain}
+%%% Custom sectioning (sectsty package)
+\usepackage{sectsty} % Custom sectioning (see below)
+\allsectionsfont{% % Change font of al section commands
+ \usefont{OT1}{phv}{b}{n}% % bch-b-n: CharterBT-Bold font
+ }
-\newcommand{\todo}[1]{\marginpar{\textbf{TODO!}}\parbox{\columnwidth}{\textbf{\textsc{\textcolor{red}{(TODO: #1)}}}}}
-% Auskommentieren:
-\newcommand{\ignorethis}[1]{}
-\newcommand{\needcite}{\todo{Need citation!}}
+\sectionfont{% % Change font of \section command
+ \usefont{OT1}{phv}{b}{n}% % bch-b-n: CharterBT-Bold font
+ }
-\begin{document}
+%%% Headers and footers
+\usepackage{fancyhdr} % Needed to define custom headers/footers
+ \pagestyle{fancy} % Enabling the custom headers/footers
+\usepackage{lastpage}
+
+% Header (empty)
+\lhead{}
+\chead{}
+\rhead{}
+% Footer (you may change this to your own needs)
+\lfoot{\footnotesize Applied Crypto Hardening \textbullet ~Draft}
+\cfoot{}
+\rfoot{\footnotesize page \thepage\ of \pageref{LastPage}} % "Page 1 of 2"
+\renewcommand{\headrulewidth}{0.0pt}
+\renewcommand{\footrulewidth}{0.4pt}
+
+
+
+%%% Creating an initial of the very first character of the content
+\usepackage{lettrine}
+\newcommand{\initial}[1]{%
+ \lettrine[lines=3,lhang=0.3,nindent=0em]{
+ \color{DarkGoldenrod}
+ {\textsf{#1}}}{}}
+
+
+
+%%% Title, author and date metadata
+\usepackage{titling} % For custom titles
+
+\newcommand{\HorRule}{\color{DarkGoldenrod}% % Creating a horizontal rule
+ \rule{\linewidth}{1pt}%
+ }
+
+\pretitle{\vspace{-30pt} \begin{flushleft} \HorRule
+ \fontsize{50}{50} \usefont{OT1}{phv}{b}{n} \color{DarkRed} \selectfont
+ }
\title{Applied Crypto Hardening}
+\posttitle{\par\end{flushleft}\vskip 0.5em}
+
+\preauthor{\begin{flushleft}
+ \large \lineskip 0.5em \usefont{OT1}{phv}{b}{sl} \color{DarkRed}}
-\author{ Manuel Koschuch\inst{1}, Adi Kriegisch\inst{2}, L. Aaron Kaplan\inst{3}, Tobias Dussa\inst{4}, Heiko Reese\inst{4}}
-\institute{
-FH Campus Wien
-\and
-VRVis
-\and
-CERT.at
-\and
-Karlsruhe Institute of Technology
-}
+\author{ Manuel Koschuch, Adi Kriegisch, L. Aaron Kaplan, Tobias Dussa, Heiko Reese}
+%\institute{
+%FH Campus Wien
+%\and
+%VRVis
+%\and
+%CERT.at
+%\and
+%Karlsruhe Institute of Technology
+%}
+\postauthor{\footnotesize \usefont{OT1}{phv}{m}{sl} \color{Black}
+ (FH Campus Wien, VRVis, CERT.at, Karlsruhe Institute of Technology)
+ \par\end{flushleft}\HorRule}
+\date{2013-11-03}
+
+
+
+%%% Begin document
+\begin{document}
\maketitle
+\thispagestyle{fancy} % Enabling the custom headers/footers for the first page
+% The first character should be within \initial{}
+%\initial{H}\textbf{ere is some sample text to show the initial in the introductory paragraph of this template article. The color and lineheight of the initial can be modified in the preamble of this document.}
+
\input{abstract}
\input{disclaimer}
--- /dev/null
+\documentclass{llncs}
+
+\usepackage{amsmath}
+\usepackage{amssymb}
+%\usepackage{psfrag}
+%\usepackage{graphicx}
+%\usepackage{color}
+%\usepackage{subfigure}
+%\usepackage[latin1]{inputenc} % Sonderzeichen, Umlaute
+\usepackage[utf8x]{inputenc} % Sonderzeichen, Umlaute
+\usepackage{hyperref}
+\usepackage{placeins}
+
+\usepackage[usenames,dvipsnames,svgnames,table]{xcolor}
+
+\definecolor{green}{RGB}{32,113,10}
+\definecolor{orange}{RGB}{251,111,16}
+\definecolor{red}{RGB}{247,56,0}
+\definecolor{blue}{RGB}{0,28,128}
+
+
+\pagenumbering{arabic}
+\pagestyle{plain}
+
+
+\newcommand{\todo}[1]{\marginpar{\textbf{TODO!}}\parbox{\columnwidth}{\textbf{\textsc{\textcolor{red}{(TODO: #1)}}}}}
+% Auskommentieren:
+\newcommand{\ignorethis}[1]{}
+\newcommand{\needcite}{\todo{Need citation!}}
+
+
+\begin{document}
+
+\title{Applied Crypto Hardening}
+
+\author{ Manuel Koschuch\inst{1}, Adi Kriegisch\inst{2}, L. Aaron Kaplan\inst{3}, Tobias Dussa\inst{4}, Heiko Reese\inst{4}}
+\institute{
+FH Campus Wien
+\and
+VRVis
+\and
+CERT.at
+\and
+Karlsruhe Institute of Technology
+}
+
+
+\maketitle
+
+\input{abstract}
+\input{disclaimer}
+\input{motivation}
+\input{methods}
+\input{overview_common_crypto_systems}
+\input{keylengths}
+\input{RNGs}
+\input{practical_settings}
+\input{PKIs}
+\input{tools}
+\input{further_research}
+\input{reviewers}
+
+\bibliography{applied-crypto-hardening}
+
+\end{document}
Nevertheless, ignoring the problem and keeping outdated settings for SSL, SSH, PGP is not an option. We the authors, need this document as much as the gentle reader needs it.
-Date: Sun Nov 3 21:47:55 CET 2013
-\section{How this document was produced}
+\section{Methods}
For many years, NIST was considered a reasonable choice for recommendations in
the field of cryptography. However, the NSA leaks of 2013 showed that even
We chose to collect the most well known facts about crypto-settings and let as
many trusted specialists as possible review these settings. The review process
-is done on a public mailing list. The document is offered (read-only) to a
-publicly available git server. However, write permissions to the document are
-only granted to trusted people, preferably outside of the U.S. Every write
+is done on a public mailing list. The document is available (read-only) to the
+public on a git server. However, write permissions to the document are only
+granted to trusted people, preferably outside of the U.S. Every write
operation to the document is logged via the "git" version control system. We
do not trust an unknown git server. The git server is hardened itself.
+
\subsection{SSL}
-At the time of this writing, SSL is defined in RFCs:
-
-\begin{itemize}
-\item RFC2246 - TLS1.0
-\item RFC3268 - AES
-\item RFC4132 - Camelia
-\item RFC4162 - SEED
-\item RFC4279 - PSK
-\item RFC4346 - TLS 1.1
-\item RFC4492 - ECC
-\item RFC4785 - PSK\_NULL
-\item RFC5246 - TLS 1.2
-\item RFC5288 - AES\_GCM
-\item RFC5289 - AES\_GCM\_SHA2\_ECC
-\item RFC5430 - Suite B
-\item RFC5487 - GCM\_PSK
-\item RFC5489 - ECDHE\_PSK
-\item RFC5932 - Camelia
-\item RFC6101 - SSL 3.0
-\item RFC6209 - ARIA
-\item RFC6367 - Camelia
-\item RFC6655 - AES\_CCM
-\item RFC7027 - Brainpool Curves
-\end{itemize}
+%%% NOTE: we do not need to list this all here, can move to an appendix
+%At the time of this writing, SSL is defined in RFCs:
+%
+%\begin{itemize}
+%\item RFC2246 - TLS1.0
+%\item RFC3268 - AES
+%\item RFC4132 - Camelia
+%\item RFC4162 - SEED
+%\item RFC4279 - PSK
+%\item RFC4346 - TLS 1.1
+%\item RFC4492 - ECC
+%\item RFC4785 - PSK\_NULL
+%\item RFC5246 - TLS 1.2
+%\item RFC5288 - AES\_GCM
+%\item RFC5289 - AES\_GCM\_SHA2\_ECC
+%\item RFC5430 - Suite B
+%\item RFC5487 - GCM\_PSK
+%\item RFC5489 - ECDHE\_PSK
+%\item RFC5932 - Camelia
+%\item RFC6101 - SSL 3.0
+%\item RFC6209 - ARIA
+%\item RFC6367 - Camelia
+%\item RFC6655 - AES\_CCM
+%\item RFC7027 - Brainpool Curves
+%\end{itemize}
\subsubsection{Overview of SSL Server settings}
The result of testing the cipher suites with these clients gives us the following result and a preference order.
Should a client not be able to use a specific cipher suite, it will fall back to the next possible entry as given by the ordering.
-\begin{table}
+\begin{table}[h]
+\small
\begin{tabular}{|l|l|l|l|l|}
\hline
Pref & Cipher Suite & ID & Browser \\ \hline
The same data again, specifying the OpenSSL name:
\begin{table}[h]
+\small
+\FloatBarrier
\begin{tabular}{|l|l|l|}
\hline
Cipher Suite & ID & OpenSSL Name \\ \hline
\end{table}
+
Based on this ordering, we can now define the corresponding settings for servers. We will start with the most common web servers
\subsubsection{Apache}
git.bettercrypto.org / ach-master.git / commitdiff