sha2

The cryptopocalypse is near(er)!

That’s at least what NIST, CNSS and NSA think.

The primary reason for deploying cryptographic systems is to protect secrets. When the system carries information with a very long life (like locations of nuclear silos or evidence for marital infidelity) you need to stop using it well before it is broken. That means the usable life of a crypto-system is shorter than the time it remains unbroken.

Suite B is a set of cryptographic algorithms in very specific configurations that was originally published in 2005. Implementations certified by NIST in the FIPS program were allowed for protection of SECRET and TOP SECRET information, depending on the specific key sizes used. In practice, SECRET was equivalent to a 128 bit level of security, so SHA-256 signatures, AES-128 and the P-256 curve; TOP SECRET required a 192 bit level of security, with SHA-384 signatures, the P-384 curve and AES-256 for encryption.

They now claim that quantum computers are much closer than we think (a time frame of less than 10 years) and as such the key sizes used for protection of secure information need to be increased in the short term (significantly in the case of ECC), and research into quantum resistant algorithms is now a priority.

New recommendations

That means we get a new set of recommendations.

To summarise:

If you’re using TLS or IPsec with Pre-Shared Keys (PSK) with AES-256 encryption, you’ll most likely be fine.

If you were planning a deployment of ECC in the near future, you should instead just increase the key sizes of existing RSA and DH systems and prepare for deployment of quantum resistant crypto in the near future.

For RSA and finite-field DH (a new addition to Suite B, but very old crypto systems in their own right) the recommended minimum is 3072 bit parameters. That is not particularly surprising, as that is the ENISA as well as the NIST recommendation for a 128 bit level of security.

What is a bit surprising is that they have changed the minimum hash size from 256 to 384 bit.

For ECC systems, the P-256 curve was downgraded to be secure enough only to protect unclassified information, so it was put together with 2048 bit RSA or DH. The minimum now is the P-384 curve.

So now the table with equivalent systems looks like this:

LoS       RSA key size   DH key size   ECC key size   Hash      AES key size
---------+--------------+-------------+--------------+---------+------------
112 bit   2048 bit       2048 bit      256 bit        SHA-256   128 bit
128 bit   3072 bit       3072 bit      384 bit        SHA-384   256 bit

What does that mean?

Most commercial systems don’t need to perform key rotation and reconfiguration just yet, as the vast majority of them (nearly 90%) still use just 2048 bit RSA for authentication. What that does mean is that the recent migration to ECC (like ECDHE key exchange and ECDSA certificates) didn’t bring an increase in security, just in the speed of key exchange. So if you’re an admin, that means you don’t need to do much, at least not until other groups of people do their part.

Software vendors need to make their software actually negotiate the curve used for ECDHE key exchange. A situation in which 86% of servers that can do ECDHE can do it only with P-256 is… unhealthy. The strongest mutually supported algorithms should be negotiated automatically and by default. That means stronger signatures on ECDHE and DHE key exchanges, bigger curves selected for ECDHE and bigger parameters selected for DHE (at least as soon as draft-ietf-tls-negotiated-ff-dhe-10 becomes a standard).

Finally, we need quantum computing resistant cryptography. It would also be quite nice if we didn’t have to wait 15 or even 10 years before it reaches 74% of the web server market because of patent litigation fears.
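The weakest-link reading of the table above, as an added example that is not part of the original post: it parses labels written in the style of the scan tables on this page and reports the level of security of a server's weakest component. The `AES128` label form, the function names and the sample servers are assumptions made for this example.

```python
import re

# Minimum sizes in bits per level of security (LoS), copied from the table above.
MINIMUMS = {
    112: {"rsa": 2048, "dh": 2048, "ecc": 256, "hash": 256, "aes": 128},
    128: {"rsa": 3072, "dh": 3072, "ecc": 384, "hash": 384, "aes": 256},
}
SHA_BITS = {"1": 160, "256": 256, "384": 384, "512": 512}  # hash output sizes

def parse_label(label):
    """Turn a scan-table style label into (component, bits)."""
    if m := re.fullmatch(r"(EC)?DH,(?:[\w-]+,)?(\d+)bits", label):
        return ("ecc" if m.group(1) else "dh", int(m.group(2)))
    if m := re.fullmatch(r"(RSA|ECDSA) (\d+)", label):
        return ("rsa" if m.group(1) == "RSA" else "ecc", int(m.group(2)))
    if m := re.fullmatch(r"AES-?(\d+)", label):  # assumed label form
        return ("aes", int(m.group(1)))
    if m := re.search(r"sha(\d+)", label, re.IGNORECASE):
        return ("hash", SHA_BITS[m.group(1)])
    raise ValueError(f"unrecognised label: {label!r}")

def level(kind, bits):
    """Highest LoS whose minimum `bits` meets; 0 means below the 112 bit row."""
    return max((los for los, mins in MINIMUMS.items() if bits >= mins[kind]), default=0)

def grade(labels, target=128):
    """Weakest-link LoS of one server, plus the minimum each short label must reach."""
    parts = [parse_label(label) for label in labels]
    overall = min(level(kind, bits) for kind, bits in parts)
    short = {label: MINIMUMS[target][kind]
             for label, (kind, bits) in zip(labels, parts) if bits < MINIMUMS[target][kind]}
    return overall, short

# Constructed sample servers, written with the label style of the scan tables.
SERVERS = {
    "common 2014 setup": ["RSA 2048", "sha1WithRSAEncryption", "DH,1024bits", "AES128"],
    "ECC migration": ["ECDSA 256", "ecdsa-with-SHA256", "ECDH,P-256,256bits", "AES128"],
    "big key, P-256 only": ["RSA 4096", "sha256WithRSAEncryption", "ECDH,P-256,256bits", "AES256"],
    "new minimum": ["RSA 3072", "sha384WithRSAEncryption", "ECDH,P-384,384bits", "AES256"],
}

if __name__ == "__main__":
    for name, labels in SERVERS.items():
        overall, short = grade(labels)
        print(f"{name}: {overall or '<112'} bit; below the 128 bit minimum: {short}")
```

The third sample shows why P-256-only ECDHE matters: a 4096 bit RSA key and AES-256 still grade at 112 bit because the curve and the certificate hash are the limiting components.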

RC4 Only servers fall below 1% – June 2014 scan results

Another month, another set of results. This month’s big news is that the percentage of servers that support only RC4 ciphers has fallen below the 1% mark!

Note that this set is compared to the just-published results of the SNI-enabled scan from last month, not the results published a month ago!

The general choice of block ciphers hasn’t changed much: AES-GCM has grown a bit (by 1.2%), and the cipher of choice for the Internet is still AES (at over 93%).

The percentage of servers with misconfigured cipher suites hasn’t changed much; AECDH has grown a little bit (by 0.19%).

The number of servers that support PFS is steadily growing, with DHE gaining nearly 0.5% and ECDHE gaining 1.2%. The number of servers that prefer the weak 1024 bit DH parameters has also fallen by over 0.5%. So not only are we getting new, properly configured servers, but older ones are also being updated to support the more secure and faster ECDHE with 256 bit curves!

Unfortunately, it looks like the sudden increase of SHA-256 signed certificates is over and we’re back to the steady, slow increase. This month it has grown by 0.9%.

The kind of keys that are being signed hasn’t changed significantly. 2048 bit RSA is still the key size of choice for over 95% of server admins.

Also, the number of servers that support only SSLv3 has fallen below the 1% mark; it’s at 0.993% now. Unfortunately, the number of servers that support TLSv1.2 has increased only by 1.65%.

SSL/TLS survey of 350949 websites from Alexa's top 1 million
Stats only from connections that did provide valid certificates
(or anonymous DH from servers that do also have valid certificate installed)


Supported Ciphers         Count     Percent
-------------------------+---------+-------
3DES                      305304    86.9938
3DES Only                 137       0.039
AES                       329405    93.8612
AES Only                  923       0.263
AES-CBC Only              616       0.1755
AES-GCM                   137654    39.2234
AES-GCM Only              3         0.0009
CAMELLIA                  141331    40.2711
CHACHA20                  16443     4.6853
RC4                       311666    88.8066
RC4 Only                  3458      0.9853
RC4 Preferred             65353     18.6218
RC4 forced in TLS1.1+     43096     12.2798
z:ADH-AES128-GCM-SHA256   320       0.0912
z:ADH-AES128-SHA          1336      0.3807
z:ADH-AES128-SHA256       299       0.0852
z:ADH-AES256-GCM-SHA384   305       0.0869
z:ADH-AES256-SHA          1338      0.3813
z:ADH-AES256-SHA256       302       0.0861
z:ADH-CAMELLIA128-SHA     706       0.2012 
z:ADH-CAMELLIA256-SHA     713       0.2032
z:ADH-DES-CBC-SHA         740       0.2109 
z:ADH-DES-CBC3-SHA        1405      0.4003
z:ADH-RC4-MD5             1268      0.3613
z:ADH-SEED-SHA            392       0.1117
z:AECDH-AES128-SHA        10114     2.8819
z:AECDH-AES256-SHA        10117     2.8828
z:AECDH-DES-CBC3-SHA      10087     2.8742
z:AECDH-NULL-SHA          16        0.0046
z:AECDH-RC4-SHA           9668      2.7548
z:DES-CBC-SHA             67043     19.1033
z:DHE-RSA-SEED-SHA        58392     16.6383
z:ECDHE-RSA-NULL-SHA      19        0.0054
z:EDH-RSA-DES-CBC-SHA     52382     14.9258
z:EXP-ADH-DES-CBC-SHA     453       0.1291
z:EXP-ADH-RC4-MD5         456       0.1299
z:EXP-DES-CBC-SHA         55024     15.6786
z:EXP-EDH-RSA-DES-CBC-SHA 37222     10.6061
z:EXP-RC2-CBC-MD5         52973     15.0942
z:IDEA-CBC-SHA            62257     17.7396
z:NULL-MD5                333       0.0949
z:NULL-SHA                330       0.094
z:NULL-SHA256             18        0.0051
z:SEED-SHA                72273     20.5936

Supported Handshakes      Count     Percent
-------------------------+---------+-------
ADH                       1461      0.4163
AECDH                     10145     2.8907
DHE                       170916    48.7011
ECDH                      1         0.0003
ECDHE                     158213    45.0815
ECDHE and DHE             54584     15.5533
RSA                       350676    99.9222

Supported PFS             Count     Percent  PFS Percent
-------------------------+---------+--------+-----------
DH,1024bits               158684    45.2157  92.8433
DH,2048bits               10821     3.0834   6.3312
DH,2226bits               2         0.0006   0.0012
DH,3072bits               5         0.0014   0.0029
DH,3246bits               2         0.0006   0.0012
DH,3248bits               2         0.0006   0.0012
DH,4096bits               538       0.1533   0.3148
DH,512bits                37361     10.6457  21.8593
DH,768bits                720       0.2052   0.4213
ECDH,B-163,163bits        18        0.0051   0.0114
ECDH,B-571,570bits        347       0.0989   0.2193
ECDH,P-224,224bits        5         0.0014   0.0032
ECDH,P-256,256bits        157058    44.7524  99.27
ECDH,P-384,384bits        184       0.0524   0.1163
ECDH,P-521,521bits        683       0.1946   0.4317
Prefer DH,1024bits        103305    29.4359  60.442
Prefer DH,2048bits        2429      0.6921   1.4212
Prefer DH,4096bits        36        0.0103   0.0211
Prefer DH,512bits         2         0.0006   0.0012
Prefer DH,768bits         83        0.0237   0.0486
Prefer ECDH,B-163,163bits 18        0.0051   0.0114
Prefer ECDH,B-571,570bits 270       0.0769   0.1707
Prefer ECDH,P-224,224bits 3         0.0009   0.0019
Prefer ECDH,P-256,256bits 114187    32.5366  72.173
Prefer ECDH,P-384,384bits 120       0.0342   0.0758
Prefer ECDH,P-521,521bits 636       0.1812   0.402
Prefer PFS                221089    62.9975  0
Support PFS               274545    78.2293  0

TLS session ticket hint   Count     Percent 
-------------------------+---------+--------
5                         1         0.0003   
5 only                    1         0.0003   
10                        2         0.0006   
10 only                   2         0.0006   
30                        1         0.0003   
30 only                   1         0.0003   
42                        1         0.0003   
42 only                   1         0.0003   
60                        12        0.0034   
60 only                   7         0.002    
120                       2         0.0006   
120 only                  2         0.0006   
128                       1         0.0003   
128 only                  1         0.0003   
180                       21        0.006    
180 only                  21        0.006    
300                       125932    35.8833  
300 only                  110959    31.6168  
420                       8         0.0023   
420 only                  7         0.002    
480                       5         0.0014   
480 only                  5         0.0014   
600                       4723      1.3458   
600 only                  4590      1.3079   
900                       151       0.043    
900 only                  125       0.0356   
960                       1         0.0003   
960 only                  1         0.0003   
1200                      52        0.0148   
1200 only                 51        0.0145   
1500                      7         0.002    
1500 only                 7         0.002    
1800                      97        0.0276   
1800 only                 93        0.0265   
2400                      1         0.0003   
2400 only                 1         0.0003   
3000                      3         0.0009   
3000 only                 2         0.0006   
3600                      162       0.0462   
3600 only                 158       0.045    
5400                      1         0.0003   
6000                      1         0.0003   
6000 only                 1         0.0003   
7200                      10307     2.9369   
7200 only                 1565      0.4459   
10800                     5         0.0014   
10800 only                2         0.0006   
14400                     675       0.1923   
14400 only                675       0.1923   
18000                     3         0.0009   
18000 only                1         0.0003   
21600                     23        0.0066   
21600 only                23        0.0066   
28800                     5         0.0014   
28800 only                5         0.0014   
30720                     1         0.0003   
30720 only                1         0.0003   
36000                     521       0.1485   
36000 only                519       0.1479   
43200                     6485      1.8478   
43200 only                6481      1.8467   
64800                     8656      2.4665   
64800 only                8651      2.465    
86000                     30        0.0085   
86000 only                30        0.0085   
86400                     4061      1.1571   
86400 only                4060      1.1569   
100800                    16457     4.6893   
100800 only               13        0.0037   
115200                    1         0.0003   
115200 only               1         0.0003   
129600                    6         0.0017   
129600 only               6         0.0017   
864000                    6         0.0017   
864000 only               6         0.0017   
None                      212871    60.6558  
None only                 172526    49.1598  

Certificate sig alg       Count     Percent 
-------------------------+---------+--------
None                      11549     3.2908   
ecdsa-with-SHA256         1         0.0003   
sha1WithRSAEncryption     308984    88.0424  
sha256WithRSAEncryption   41971     11.9593  

Certificate key size      Count     Percent 
-------------------------+---------+--------
ECDSA 256                 9203      2.6223   
ECDSA 384                 2         0.0006   
RSA 1024                  1881      0.536    
RSA 2028                  1         0.0003   
RSA 2047                  2         0.0006   
RSA 2048                  336774    95.961   
RSA 2056                  3         0.0009   
RSA 2058                  1         0.0003   
RSA 2060                  1         0.0003   
RSA 2064                  1         0.0003   
RSA 2080                  2         0.0006   
RSA 2084                  4         0.0011   
RSA 2408                  1         0.0003   
RSA 2432                  58        0.0165   
RSA 2536                  1         0.0003   
RSA 2612                  1         0.0003   
RSA 3050                  1         0.0003   
RSA 3072                  31        0.0088   
RSA 3073                  1         0.0003   
RSA 3248                  4         0.0011   
RSA 3600                  1         0.0003   
RSA 4042                  1         0.0003   
RSA 4046                  2         0.0006   
RSA 4048                  2         0.0006   
RSA 4086                  1         0.0003   
RSA 4092                  2         0.0006   
RSA 4096                  12167     3.4669   
RSA 4098                  2         0.0006   
RSA 4192                  1         0.0003   
RSA 8192                  1         0.0003   
RSA/ECDSA Dual Stack      9197      2.6206

OCSP stapling             Count     Percent 
-------------------------+---------+--------
Supported                 52153     14.8606  
Unsupported               298796    85.1394  

Supported Protocols       Count     Percent
-------------------------+---------+-------
SSL2                      1         0.0003
SSL3                      346615    98.7651
SSL3 Only                 3485      0.993
SSL3 or TLS1 Only         145785    41.5402
TLS1                      346981    98.8694
TLS1 Only                 1030      0.2935
TLS1.1                    190351    54.2389
TLS1.1 Only               5         0.0014
TLS1.1 or up Only         29        0.0083
TLS1.2                    201166    57.3206
TLS1.2 Only               14        0.004
TLS1.2, 1.0 but not 1.1   14702     4.1892

Scan performed between 10th and 24th June 2014.