Weak SSL/TLS Key Exchange in Windows

This article discusses the Weak SSL/TLS Key Exchange vulnerability in the Windows Server operating system.

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are implemented by Schannel, an Internet Security Support Provider (SSP).

 

The Diffie-Hellman (DH) algorithm is a key-exchange protocol for two parties communicating over a public channel, enabling them to establish a secret without having it transmitted over the Internet. Using symmetric cryptography, the two parties are able to encrypt and decrypt their communication or data using a public key.

During the SSL/TLS handshake, the Cipher Suite is used to negotiate security settings.

 

Cipher suites are named combinations of:

  • Key Exchange Algorithms: RSA, Diffie-Hellman, Diffie-Hellman Ephemeral, Elliptic Curve Diffie-Hellman Ephemeral, pre-shared key
  • Authentication/Digital Signature Algorithms: RSA algorithm (Rivest-Shamir-Adleman), Elliptic Curve Digital Signature Algorithm, Digital Signature Algorithm
  • Bulk Encryption Algorithms: Advanced Encryption Standard, Camellia, ARIA
  • Message Authentication Code Algorithms: SHA-256, POLY1305

 

Weak SSL/TLS Ciphers

Diffie-Hellman is one of the key exchange algorithms that TLS cipher suites can use.

The protocols Secure Socket Layer and Transport Layer Security are used to provide security between web browsers and web servers. The primary distinction between Secure Socket Layer and Transport Layer Security is that in SSL (Secure Socket Layer), the message digest is used to generate a master secret, and it provides the basic security services of authentication and confidentiality. TLS (Transport Layer Security) uses a pseudo-random function to generate a master secret.

On the Windows Server 2012 R2 operating system, a severity 4 vulnerability called Weak SSL/TLS Key Exchange was found because the server is using a weak 1024-bit Diffie-Hellman key exchange algorithm. The details are below.

THREAT:

Key exchanges that are cryptographically weaker than recommended are supported by the SSL (Secure Socket Layer)/ TLS (Transport Layer Security) server. For Diffie Hellman and RSA key exchanges, key exchanges should provide at least 224 bits of security, which translates to a minimum key size of 2048 bits.

IMPACT:
As a result, an attacker with enough computational power could recover the session key and decrypt the session content.

SOLUTION:
For Diffie Hellman and RSA key exchanges, the SSL (Secure Socket Layer)/TLS (Transport Layer Security) server configuration should only allow strong key exchanges, and key exchanges should provide at least 224 bits of security.

 

Every Windows operating system includes Schannel as a built-in feature by default to protect the machine from cyber-attacks.

 

SSL/TLS key exchange

When a TLS client connects to a TLS server, the client negotiates a mutually available encryption suite to use. The client lists its available cipher suites, the server responds, and the client chooses the most secure, mutually available one.

Log in to the Windows machine, search for Windows Registry, and run it as administrator.

 

Below is the path at which to add the Diffie-Hellman key in the Windows Registry.

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman

 

Create a new DWORD (32-bit) Value and set the parameters below:

Value name: ServerMinKeyBitLength

Value data: 00000800

Base: Hexadecimal

It is recommended that you reboot your machine after performing the above changes.
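
The same registry change can be audited and applied from PowerShell. This is an added example, not part of the original article; the script file name and the -Apply switch are hypothetical, while the registry path, value name and value data are the ones given above.

```powershell
# Added example, not from the original article. Hypothetical file name: Set-DhMinKeyLength.ps1
# Audits the value by default; pass -Apply (hypothetical switch) from an elevated session to write it.
param([switch]$Apply)

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'
$ValueName = 'ServerMinKeyBitLength'
$Required  = 0x800   # 2048 bits, the value data given in the article

function Get-DhServerMinBits {
    # Returns the configured DWORD, or $null when the key or the value is absent.
    if (-not (Test-Path -Path $KeyPath)) { return $null }
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

$current = Get-DhServerMinBits
if ($null -eq $current) {
    Write-Output "$ValueName is not set; the operating system default applies."
} else {
    Write-Output "$ValueName is currently $current bits."
}

if ($null -ne $current -and $current -ge $Required) {
    Write-Output "Compliant: minimum is already at least $Required bits. Nothing to change."
    return
}
if (-not $Apply) {
    Write-Output "Not compliant. Re-run with -Apply to set $ValueName to $Required."
    return
}
if (-not (Test-IsAdministrator)) {
    throw 'Writing under HKLM requires an elevated (Run as administrator) session.'
}

# Create the Diffie-Hellman key only if it is missing, then write the DWORD value.
if (-not (Test-Path -Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $Required -Force | Out-Null

# Read the value back to confirm the write before rebooting.
$after = Get-DhServerMinBits
if ($after -ne $Required) { throw "Verification failed: $ValueName reads back as $after." }
Write-Output "$ValueName set to $after bits. Reboot the machine as recommended in the article."
```

Running the script without -Apply changes nothing, so it can be used on its own to check a server before and after the reboot.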

In addition, you could disable TLS 1.0 and TLS 1.1 in Windows.

Conclusion:

Diffie Hellman and RSA key exchanges have been set to a key size of 2048 bits at the operating system level. The Weak SSL/TLS Key Exchange issue has been fixed successfully. Please let me know if you have any questions about the Weak SSL/TLS Key Exchange topic.
