Shulou(Shulou.com)06/01 Report--

This article mainly explains "the deployment method of SSL and TLS". The content of the article is simple and clear, and it is easy to learn and understand. Please follow the editor's train of thought to study and learn "the deployment method of SSL and TLS".

In TLS, all security starts with the encrypted identity of the server, which requires a strong private key to prevent an attacker from impersonating attacks. It is also important to have a valid and powerful certificate that grants a private key to represent a specific hostname.

For most websites, the security provided by a 2048-bit RSA key is sufficient. Because RSA public key algorithm is widely used, it becomes the default choice of security. For a 2048-bit RSA key, it is possible to provide about 112bit keys. If you want more security, RSA keys don't scale well. For example, to get a 128-bit key, you need a 3072-bit RSA key, which is obviously slow. Elliptic curve digital signature algorithm ECDSA display provides you with better security and better performance. In the case of ECDSA256, the ECDSA key provides a 128-bit key.

How to protect the private key

(1) to generate a private key on a trusted computer with sufficient entropy.

(2) password protection should be set for the key from the beginning to prevent attacks when stored in the backup system. The private key password will not have much security in the actual operation, because the threat can retrieve the key from the process memory at any time. With hardware devices (hardware security modules or HSM), private keys can be protected even if the server is compromised, but these devices are expensive and are only suitable for organizations that have strict security requirements.

(3) after being attacked, revoke the old certificate and generate a new key.

(4) renew the certificate every year, and it is recommended that your equipment can perform this process automatically, so the certificate with a shorter life cycle is more secure in practice.

(5) except in special circumstances, whenever a new certificate is obtained, a corresponding new private key should be generated.

Ensure that the certificate covers the website used

Make sure your certificate covers the website you use and avoid invalid certificate warnings.

Even if you have only one domain name, you should make sure that the certificate is related to the www prefix, such as example.com and www.example.com. Each DNS name of a secure Web server should be configured with a valid certificate. Also, the fewer people who access the private key, the better.

Reliable CA to obtain certificates

When selecting CA, be aware of the following 5 aspects:

(1) the security status of all CA must be reviewed regularly.

(2) choose organizations with CA as the main business and provide various functional support

(3) the CA you choose should provide support for certificate revocation list (CRL) and online Certificate status Protocol (OCSP) revocation.

Use a powerful certificate signature algorithm

Certificate security depends on the strength of the private key used to sign the certificate and the strength of the hash function used in the signature. Most certificates used to rely on SHA1 hash functions, but this has now proved to be insecure. Therefore, the current trend is to transition to SHA256. By the end of 2016, SHA1 certificates will no longer be supported by the website.

Configuration of TLS server

Use the full certificate chain

Invalid certificate chains invalidate server certificates and cause browsers to issue security warnings, and in most SSL and TLS deployments, only server certificates require two or more certificates to establish a complete chain of trust.

Use security protocols

There are five protocols in the SSL/TLS series: SSL 2 Magi SSL 3 Magi TLS 1.0 Magi TLS 1.1 and TLS 1.2.

SSL2 and SSL3 are very obsolete and are not recommended. In theory, TLS 1.0 should not be used either, but it is often used in practice. So far, there are no security issues with TLS 1.1 and 1.2, but only 1.2 provides modern encryption algorithms.

So TLS 1.2 should be the main protocol used because it is the only version that provides modern authenticated encryption (also known as AEAD).

Select cipher suite

A cipher suite is a combination of algorithms used to negotiate security settings during a SSL/TLS handshake. After the ClientHello and ServerHello messages are exchanged, the client sends the cipher support suite for the priority list. The server then responds with the cipher suite selected from the list. The cipher suite consists of the following combinations:

Key Exchange algorithm (RSA,DH,ECDH,PSK)

Authentication algorithm (RSA,DSA)

Batch encryption algorithm (AES,Camellia,ARIA)

Message authentication code algorithm (SHA-256)

However, there are several outdated encryption primitives that must be banned:

(1) the anonymous Diffie-Hellman (ADH) suite does not provide authentication.

(2) the NULL cipher suite does not provide encryption.

(3) the exported cipher suite is not secure during connection negotiation, but it can also be used against servers with more powerful suites (FREAK attacks).

(4) packages with weak passwords (usually 40 and 56 bits) can be easily attacked.

(5) RC4 is not safe.

(6) 3DES runs slowly and is easy to attack.

In SSL 3 and later versions of the protocol, the client first submits a series of supported cipher suites, and the server selects a suite from the list for connection. However, not all servers can perform this operation, and some will always select the first supported suite from the client list, so the server's active selection of available cipher suites is critical to improve security.

Use forward secrecy

Forward security or forward secrecy (English: Forward Secrecy, abbreviation: FS), sometimes called Perfect Forward Secrecy, abbreviation: PFS, is the security attribute of communication protocols in cryptography, which means that the disclosure of a long-used master key will not lead to the disclosure of past session keys. [2] forward security can protect past communications from the threat of password or key exposure in the future. If the system has forward security, it can guarantee the security of historical communication when the master key is leaked, even if the system is attacked actively.

Use a powerful key exchange algorithm

To ensure the security of data transmission and storage, the transmitted data is usually encrypted and stored or transmitted. After receiving the data, the receiver decrypts the ciphertext and restores the plaintext. The commonly used encryption algorithms are symmetric key encryption algorithm and asymmetric key encryption algorithm. In secure data communication, both sides of the communication must have an encrypted key and a decrypted key respectively. Once the key of the communication is leaked or cracked, the information encrypted by it will be disclosed. Therefore, how to exchange or negotiate communication keys securely has become a crucial issue, so how to ensure the security of keys, especially the secure password exchange has become the core issue of secure information exchange in e-commerce.

In 2015, researchers found a SSL encryption security vulnerability LogJam,LogJam vulnerability will affect any server and all browsers that support DHE_EXPORT passwords, including new versions of IE, Chrome, Firefox, Safari, etc. They then estimated that academic hackers could crack 768-bit keys, while state-backed hackers could break 1024-bit keys. So for security reasons, if you deploy DHE, you need to configure at least a 2048-bit key.

Verification before correct deployment

Perhaps when deploying according to the method in this article, many software and hardware configurations have new versions. It is recommended that you first make a comprehensive evaluation of your SSL / TLS to ensure the security of the operation. It is recommended that you use this link for testing.

Considerations in the process of practical deployment

Avoid blindly pursuing excessive security

It is certainly not safe to use a password that is too short, but it is not necessarily safe to use a password that is too long, for example, it can lead to complex operations. For most websites, using RSA keys greater than 2048 bits and ECDSA keys stronger than 256bits waste CPU power consumption and may damage the user experience. Similarly, increasing the strength of temporary key exchange has little benefit for DHE of 2048 bits and ECDHE of 256bits, and there is no obvious benefit for using encryption higher than 128bit.

Using the session reuse mechanism

Because the asymmetric operation of SSL handshake, whether RSA or ECDHE, will consume performance, in order to improve the performance, for SSL connections that have previously shaken hands, the round time trip and operation of handshaking should be reduced as much as possible.

SSL provides different session multiplexing mechanisms in 2.

(1) session id session multiplexing

(2) session ticket session multiplexing, Session id session multiplexing has two disadvantages, one of which is that the server will pile up a large number of sessions, especially in actual use, the session aging time is configured for several hours, which takes up a lot of server memory.

Use WAN optimization

Wide area network optimization (WAN optimization), also known as wide area network acceleration (WAN acceleration), provides high-performance remote data access through optimization techniques to improve the performance of applications on the WAN.

Cache public content

When communicating over TLS, browsers may treat all traffic as sensitive data. In this way, they usually use memory to cache some resources, but once the browser is closed, everything may be lost. In order to achieve performance improvement and achieve long-term caching of certain resources, common resources, such as images, can be marked as public.

Enable OCSP Stapling

OCSP (Online Certificate Status Protocol) is usually provided by CA and is used to verify the validity of the certificate in real time online, so that the client can send a query request to the verification address of CA based on the OCSP information in the certificate to check whether the certificate is valid.

OCSP Stapling, as its name implies, leaves the work of querying the OCSP interface to the server. The server can not only query OCSP information directly, but also make only a few queries and cache the response. When a client initiates a TLS handshake request to the server, the server sends the OCSP information of the certificate to the client along with the certificate chain, thus avoiding the blocking problem caused by the client verification. Because OCSP responses cannot be forged, this process does not cause additional security problems.

Use fast encryption primitives

Use CPU that supports hardware-accelerated AES whenever possible, and if you really want to further improve performance, consider using ECDSA keys.

Encryption of HTTP

Encrypting the entire website, encryption may be one of the major security issues today, such as:

(1) websites without TLS

(2) sites with TLS but not TLS

(3) websites with mixed TLS and non-TLS content, sometimes even within the same page

(4) A website with incorrect programming will destroy TLS

Delete mixed content

Even if you encrypt the entire site, you may still retrieve unencrypted resources from third-party sites. Mixed content pages are pages that are transmitted through TLS but contain resources (for example, JavaScript files, images, CSS files) that are not transferred through TLS. Such pages are very insecure, and these unprotected JavaScript resources can be exploited by man-in-the-middle attacks, such as hijacking an entire user session.

Learn about third-party services

Most sites activate third-party services such as Google Analytics by downloading JavaScript code from another server. Sites that contain third-party code will create an implicit trust connection that effectively gives the other person complete control of your site. Although third-party connections may not be malicious, the vendors behind these services may be attacked.

Security Settings Cookie

In order to achieve security while maintaining performance, the website requires TLS, and all Cookie are explicitly marked as secure at the time of creation. Otherwise, it may be exploited by MITM attackers. It is recommended that you add encryption integrity verification to your Cookie.

Secure HTTP compression

CRIME attacks can decrypt some secure connections by exploiting vulnerabilities in the compression process. Disabling TLS compression prevents this attack. Also note that HTTP compression can be exploited by TIME and BREACH attacks. Unlike TLS compression, HTTP compression is required and cannot be turned off. Therefore, in order to resolve these attacks, changes to the application code are needed.

Configure strict Transport Security (HSTS) using HTTP

To activate HSTS protection, you can add a new response header to your site. After that, browsers that support HSTS will execute it. This is achieved by automatically converting all plaintext links to secure links.

It is recommended that you add support for HSTS, which is the most important guarantee for TLS security. For better security, consider using HSTS preloading to embed the HSTS configuration in your browser. As long as it is within the validity period, the browser will directly and forcefully initiate a HTTPS request.

Deploy content Security Policy (CSP)

Deal with sensitive content

As the use of cloud-based application platforms is increasing, in order for all sensitive content to be received only by the recipient, you must be careful with sensitive content.

Thank you for reading, the above is the content of "deployment methods of SSL and TLS". After the study of this article, I believe you have a deeper understanding of the deployment methods of SSL and TLS, and the specific use needs to be verified in practice. Here is, the editor will push for you more related knowledge points of the article, welcome to follow!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.