Fork me on GitHub

BetterCrypto⋅org

Applied Crypto Hardening

News

#31C3

During the 31st CCC congress, the german newspaper Der Spiegel released some documents on attempts to break and/or weaken TLS/SSL. This will be a good reason for us to review the BetterCrypto recommendations fully. Stay tuned.

The Poodle killed it

The POODLE attack pretty much killed SSLv3 which we did not recommend very much anyway anymore. Our bettercrypto guide generally does not recommend SSLv3 for Webservers. You will find in our guide that we generally always excluded SSLv3: 


SSLProtocol All -SSLv2 -SSLv3

SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\
	EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:\
	+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:\
	!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
If you look at the settings above, you will find that the SSLProtocol disables SSLv3, however the Cipherstring on first sight seems to enable it again. This is however not the case! The abbreviation +SSLv3 in the SSLCipherSuite string simply enables certain cipher combinations. It does not enable SSLv3!

Hack.lu 2014

Aaron (K.), azet and David will be holding a bettercrypto talk at hack.lu 2014.

Overview

This whitepaper arose out of the need for system administrators to have an updated, solid, well researched and thought-through guide for configuring SSL, PGP, SSH and other cryptographic tools in the post-Snowden age. Triggered by the NSA leaks in the summer of 2013, many system administrators and IT security specialists saw the need to strengthen their encryption settings. This guide is specifically written for these system administrators.

Initiated by Aaron Kaplan (CERT.at) and Adi Kriegisch (VRVis), a group of specialists, cryptographers and sysadmins from CERTs, academia and the private sector joined forces to write such a concise, short guide.

This project aims at creating a simple, copy & paste-able HOWTO for secure crypto settings of the most common services (webservers, mail, ssh, etc.). It is completely open sourced, every step in the creation of this guide is public, discussed on a public mailing list and any changes to the text are documented in a publicly readable version control system.

Older news

RIPE meeting

Aaron (K.) presented the bettercrypto project at the RIPE meeting 68 in Warsaw on Tue, 13th of May. The slides can be found here.

Linuxwochen

Aaron (azet) presented the bettercrypto project at the Vienna Linuxwochen. In addition, Berg held a bettercrypto workshop there as well! His workshop notes are on github aswell.

Ohai #30C3!

To all people at the CCC: We need your help! Good open source cryptography is essential to security. Correctly implementing this is often a complex riddle. This project aims to provide an open source guide to applied crypto hardening.
So what can you do?

  1. Read our paper
  2. Review it
  3. Test it and implement it
  4. Give us your feedback on the mailing list
  5. Send us patches or pull requests
Thank you for your help and knowledge. Solid reviews by multiple eyes is the key.

Download the 30C3 Lightningtalk PDF.