richardhicks / aovpn

PowerShell scripts and sample ProfileXML files for configuring Windows 10 Always On VPN
MIT License
158 stars 83 forks

CBC Ciphers have been hacked in 2013 and are considered weak #13

Closed globeone closed 2 years ago

globeone commented 2 years ago

Cipher Block Chaining (CBC) was hacked back in 2013 and is now considered weak encryption.

For Windows this only leaves a few cipher suites using GCM. On Windows Server 2012, none of the ECDSA ciphers are usable with standard Microsoft applications, so you have to enable two RSA ciphers without perfect forward secrecy to still be able to remotely access the server with RDP.

    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P521',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256',
    'TLS_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_RSA_WITH_AES_128_GCM_SHA256'

For Windows 2016 and higher, there are only 4 secure ciphers left.

    'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
    'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
    'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'

Windows Server 2022 should start to support TLS1.3, but it's not enabled by default.

from https://ciphersuite.info

Cipher Block Chaining: In 2013, researchers demonstrated a timing attack against several TLS implementations using the CBC encryption algorithm (see isg.rhul.ac.uk). Additionally, the CBC mode is vulnerable to plain-text attacks in TLS 1.0, SSL 3.0 and lower. A fix has been introduced with TLS 1.2 in the form of the GCM mode, which is not vulnerable to the BEAST attack. GCM should be preferred over CBC.
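The following is an added example, not part of the aovpn project or of this issue. It audits the Schannel cipher suite order that is actually in effect on a server, flags the suite classes discussed above (CBC mode, legacy ciphers, static RSA key exchange without forward secrecy, SHA-1/MD5 MACs), and writes a vetted list to the "SSL Cipher Suite Order" policy location. It assumes an elevated Windows PowerShell session and the standard policy registry path `HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002` (value `Functions`); the function names are my own. Reading the policy value rather than calling `Get-TlsCipherSuite` keeps it usable on Windows Server 2012 R2, where that cmdlet does not exist.

```powershell
# Added example (not the aovpn project's code). Assumes an elevated session.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

function Get-EffectiveTlsCipherSuiteOrder {
    # The Group Policy value is authoritative when present and works on
    # Windows Server 2012 R2, which has no Get-TlsCipherSuite cmdlet.
    $policy = Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy -and $policy.Functions) {
        return ($policy.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    if (Get-Command Get-TlsCipherSuite -ErrorAction SilentlyContinue) {
        return (Get-TlsCipherSuite | Select-Object -ExpandProperty Name)
    }
    throw 'No cipher suite policy is set and Get-TlsCipherSuite is unavailable on this host.'
}

function Test-TlsCipherSuiteName {
    # Classifies a suite by name only; the suffix (_P256 etc.) used on
    # Windows Server 2012 R2 names is tolerated by the regexes.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Name)
    process {
        $issues = @()
        if ($Name -match '_CBC_')                   { $issues += 'CBC mode' }
        if ($Name -match '_(RC4|3DES|DES|NULL)_')   { $issues += 'legacy cipher' }
        if ($Name -match '^TLS_RSA_')               { $issues += 'no forward secrecy (static RSA key exchange)' }
        if ($Name -match '_(MD5|SHA)(_P\d+)?$')     { $issues += 'MD5/SHA-1 MAC' }
        [pscustomobject]@{
            Name   = $Name
            Mode   = if ($Name -match '_GCM_') { 'AEAD (GCM)' } elseif ($Name -match '_CBC_') { 'CBC' } else { 'other' }
            PFS    = [bool]($Name -match '^TLS_(ECDHE|DHE)_')
            Issues = ($issues -join '; ')
        }
    }
}

function Set-TlsCipherSuiteOrder {
    # Writes the policy value; Schannel reads it at boot, so a reboot is needed.
    # -AllowFlagged lets you keep e.g. TLS_RSA_*_GCM suites on Windows Server
    # 2012 where ECDSA suites are not usable, as described in the issue.
    param(
        [Parameter(Mandatory)][string[]]$CipherSuite,
        [switch]$AllowFlagged
    )
    $flagged = $CipherSuite | Test-TlsCipherSuiteName | Where-Object { $_.Issues }
    if ($flagged -and -not $AllowFlagged) {
        throw "Refusing to apply flagged suites: $($flagged.Name -join ', ')"
    }
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # REG_SZ, comma-separated, no spaces. Older Windows versions cap the
    # length of this value, so keep the list short.
    Set-ItemProperty -Path $PolicyKey -Name Functions -Value ($CipherSuite -join ',') -Type String
}

# Audit what is currently in effect on this host.
Get-EffectiveTlsCipherSuiteOrder | Test-TlsCipherSuiteName | Format-Table -AutoSize

# Apply the four AEAD suites listed in the issue for Windows Server 2016 and later
# (uncomment to write the policy; reboot afterwards).
# Set-TlsCipherSuiteOrder -CipherSuite @(
#     'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384',
#     'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256',
#     'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384',
#     'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256'
# )
```

Run the audit first and keep its output: when a later change breaks something (the RDP and Windows Update cases mentioned in this thread are the typical ones), the report tells you which suite class the peer actually depended on, and `Set-TlsCipherSuiteOrder` can be re-run with the previous list to roll back.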

richardhicks commented 2 years ago

I originally left the CBC ciphers for backward compatibility. I seem to recall having an issue with a customer once where RDP wouldn't work. However, that was quite some time ago (and might have been Windows Server 2012 R2) so it's probably time to remove them from this script.

I will do some additional testing and remove them soon. :)

richardhicks commented 2 years ago

Removing CBC ciphers breaks Windows Update on Windows Server 2012 R2 servers. With that, I'm going to close this issue and leave the script as-is. However, if someone wants to investigate this further and suggest a fix for Windows Update with CBC ciphers disabled, I will gladly reopen this request and make the necessary changes.

My suggestion for administrators performing security hardening on Windows Server 2012 R2 is to migrate to a later version of Windows Server. If you must use Windows Server 2012 R2, consider installing an ECDSA TLS certificate instead of an RSA certificate.

Thanks!