How to enforce strong SSL/TLS ciphers in IIS

By Paladion

December 11, 2007

How can we ensure IIS uses only strong ciphers for SSL/TLS? Does the setting "Require 128-bit encryption" achieve that? What are strong ciphers, anyway? We'll try to answer these questions today.

First of all, does the IIS setting "Require 128-bit encryption" ensure strong ciphers?

[Image: the "Require 128-bit encryption" option in the IIS site's Secure Communications dialog]

Unfortunately, no. This setting only rejects connections that negotiate a symmetric key shorter than 128 bits. A 128-bit key is not the same as a strong cipher suite: 128-bit RC4 and 128-bit RC2 both pass that test.

Let's step back for a minute. Remember that SSL/TLS supports a range of algorithms? For symmetric encryption it can use AES, 3DES, RC2, or RC4. For message integrity (the MAC) it can use MD5 or SHA-1. For key exchange and server authentication, the suites discussed here use RSA.

A cipher suite is a combination of these algorithms; TLS_RSA_WITH_AES_128_CBC_SHA (RSA key exchange, 128-bit AES, SHA-1 MAC) is an example. FIPS 140 approves individual algorithms rather than whole suites, but the effect is the same: a suite is FIPS-compliant only if it uses AES or 3DES for encryption and SHA-1 for integrity. Suites built on RC2, RC4, or MD5 are not FIPS-approved.

The setting "Require 128-bit encryption" still allows every suite with a 128-bit or longer key, including 128-bit RC2 and RC4, and it says nothing about the MAC, so suites using MD5 remain available. None of these are FIPS-approved, and RC2, RC4, and MD5 all have published cryptanalytic weaknesses, so they have to be disabled separately in Schannel.

The Microsoft Knowledge Base article KB245030, "How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll", describes how to allow only the FIPS 140 algorithms by editing the registry. (Windows also offers the security policy "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing", which restricts Schannel to the same suites in one step, but it affects other components of the system as well.) Here's a summary of the registry approach:

1. Disable weak ciphers

  • Open the registry editor (regedit.exe) as an administrator
  • Locate HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
  • Set the "Enabled" DWORD to 0x0 under each of the following subkeys (the "/" is part of the key name, not a path separator):

SCHANNEL\Ciphers\RC4 128/128

SCHANNEL\Ciphers\RC2 128/128

SCHANNEL\Ciphers\RC4 64/128

SCHANNEL\Ciphers\RC4 56/128

SCHANNEL\Ciphers\RC2 56/128

SCHANNEL\Ciphers\RC4 40/128

SCHANNEL\Ciphers\RC2 40/128

SCHANNEL\Ciphers\NULL

SCHANNEL\Hashes\MD5

2. Enable strong ciphers

  • Open the registry editor
  • Locate HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
  • Set the "Enabled" DWORD to 0xffffffff under each of the following subkeys:

SCHANNEL\Ciphers\Triple DES 168/168

SCHANNEL\Hashes\SHA

SCHANNEL\KeyExchangeAlgorithms\PKCS

If the Enabled DWORD doesn't exist yet, create it and set it to 0x0 or 0xffffffff as required. Two caveats: Microsoft's current text of KB245030 names the 3DES key "Triple DES 168", while older versions of the article list "Triple DES 168/168", so check which name your Windows version uses; and the list above leaves SCHANNEL\Ciphers\DES 56/56 (single DES) untouched, so disable it the same way if your policy forbids it. Schannel reads these values when the system starts, so reboot the server afterwards and then confirm from a client that an RC4 or MD5 suite is refused.
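As an added example (not code from the original article or from Microsoft's KB), the following PowerShell script applies both steps in one pass and reads the values back. It assumes an elevated PowerShell session on the IIS host, Windows Server 2003 SP1 or later (so that the AES 128/128 and AES 256/256 keys, which the article mentions as FIPS-approved but does not list, are meaningful), and the KB245030 name "Triple DES 168" for the 3DES key. It uses the .NET registry classes rather than the HKLM: drive because the PowerShell registry provider treats the "/" in names such as "RC4 128/128" as a path separator and would create a key "RC4 128" with a child "128" instead.

```powershell
# Added example, not from the original article or from KB245030.
# Applies the Schannel "Enabled" values from steps 1 and 2 via Microsoft.Win32.RegistryKey,
# which keeps "/" inside key names intact (HKLM:\ with New-Item/Set-ItemProperty would not).
# Run in an elevated PowerShell on the IIS host; reboot afterwards so Schannel picks it up.

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Step 1: subkeys whose Enabled value becomes 0x0
$disable = @(
    'Ciphers\RC4 128/128', 'Ciphers\RC2 128/128', 'Ciphers\RC4 64/128',
    'Ciphers\RC4 56/128',  'Ciphers\RC2 56/128',  'Ciphers\RC4 40/128',
    'Ciphers\RC2 40/128',  'Ciphers\NULL',        'Hashes\MD5'
)

# Step 2: subkeys whose Enabled value becomes 0xffffffff.
# "Triple DES 168" is the KB245030 name (the article writes "Triple DES 168/168").
# Assumption: Windows Server 2003 SP1 or later, where the AES keys are honoured.
$enable = @(
    'Ciphers\Triple DES 168', 'Ciphers\AES 128/128', 'Ciphers\AES 256/256',
    'Hashes\SHA', 'KeyExchangeAlgorithms\PKCS'
)

function Set-SchannelEnabled {
    # 0 disables the algorithm; -1 is DWORD 0xffffffff expressed as a signed Int32,
    # which is what RegistryKey.SetValue expects for RegistryValueKind.DWord.
    param([string]$SubKey, [int]$Enabled)
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $key  = $hklm.CreateSubKey("$base\$SubKey")   # creates the key (and parents) if missing, opens it writable
    try {
        $key.SetValue('Enabled', $Enabled, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

function Get-SchannelEnabled {
    # Reads the Enabled value back as hex; a missing key or value means Schannel's default applies.
    param([string]$SubKey)
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    $key  = $hklm.OpenSubKey("$base\$SubKey")
    if ($null -eq $key) { return 'key missing (Schannel default applies)' }
    try {
        $v = $key.GetValue('Enabled')
        if ($null -eq $v) { return 'Enabled not set (Schannel default applies)' }
        return ('0x{0:x8}' -f $v)            # Int32 -1 prints as 0xffffffff
    } finally {
        $key.Close()
    }
}

foreach ($k in $disable) { Set-SchannelEnabled -SubKey $k -Enabled 0 }
foreach ($k in $enable)  { Set-SchannelEnabled -SubKey $k -Enabled (-1) }

# Report the resulting state for every key touched
foreach ($k in $disable + $enable) {
    '{0,-35} Enabled = {1}' -f $k, (Get-SchannelEnabled -SubKey $k)
}
```

After the reboot, verify from another machine rather than trusting the registry alone: with OpenSSL, `openssl s_client -connect server:443 -cipher RC4-SHA` should now fail with a handshake failure, while `-cipher AES128-SHA` or `-cipher DES-CBC3-SHA` should still complete the handshake.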

