Determining algorithm strength of current SSL cipher

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Determining algorithm strength of current SSL cipher

Victor Duchovni

For Postfix 2.3 I would like to be able to determine whether the actual
cipher negotiated for a session initialized with a lenient allowed cipher
list, is actually a member of a more strict cipher list.

The idea is to allow a-priori low security connections to be
opportunistically determined to be high security connections and then
with SASL allow the transmission of plain-text passwords rather instead
of requiring one-time challenge response protocols.

So the question is, how do I determine whether the current cipher is a
member of say "MEDIUM:HIGH" or "kEDH+MEDIUM+HIGH:!ADH:!DSS"?

Is this an appropriate user interface? Or should we instead just ask the
administrator to define a minimum secure-channel bit strength, which is
a more crude, but perhaps adequate control.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Determining algorithm strength of current SSL cipher

Kyle Hamilton
The cipher negotiated is a property of the SSL connection itself.

SSL_get_current_cipher() is probably what you're looking for:
http://www.openssl.org/docs/ssl/SSL_get_current_cipher.html for
documentation.

-Kyle H

On 2/7/06, Victor Duchovni <[hidden email]> wrote:

>
> For Postfix 2.3 I would like to be able to determine whether the actual
> cipher negotiated for a session initialized with a lenient allowed cipher
> list, is actually a member of a more strict cipher list.
>
> The idea is to allow a-priori low security connections to be
> opportunistically determined to be high security connections and then
> with SASL allow the transmission of plain-text passwords rather instead
> of requiring one-time challenge response protocols.
>
> So the question is, how do I determine whether the current cipher is a
> member of say "MEDIUM:HIGH" or "kEDH+MEDIUM+HIGH:!ADH:!DSS"?
>
> Is this an appropriate user interface? Or should we instead just ask the
> administrator to define a minimum secure-channel bit strength, which is
> a more crude, but perhaps adequate control.
>
> --
>         Viktor.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Determining algorithm strength of current SSL cipher

Victor Duchovni
On Tue, Feb 07, 2006 at 11:32:43PM -0700, Kyle Hamilton wrote:

> On 2/7/06, Victor Duchovni <[hidden email]> wrote:
> >
> > For Postfix 2.3 I would like to be able to determine whether the actual
> > cipher negotiated for a session initialized with a lenient allowed cipher
> > list, is actually a member of a more strict cipher list.
> >
> > The idea is to allow a-priori low security connections to be
> > opportunistically determined to be high security connections and then
> > with SASL allow the transmission of plain-text passwords rather instead
> > of requiring one-time challenge response protocols.
> >
> > So the question is, how do I determine whether the current cipher is a
> > member of say "MEDIUM:HIGH" or "kEDH+MEDIUM+HIGH:!ADH:!DSS"?
> >
> > Is this an appropriate user interface? Or should we instead just ask the
> > administrator to define a minimum secure-channel bit strength, which is
> > a more crude, but perhaps adequate control.
>
> The cipher negotiated is a property of the SSL connection itself.
>
> SSL_get_current_cipher() is probably what you're looking for:
> http://www.openssl.org/docs/ssl/SSL_get_current_cipher.html for
> documentation.
>

This part I know. It is less obvious how to determine whether the cipher
I have is a member of particular "family" after the fact (without
restricting the session to that family).

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Determining algorithm strength of current SSL cipher

Kyle Hamilton
Check the documentation for the various levels to see what each cipher
falls into.  Specifically, "LOW" is any 40 or 56-bit cipher, and 768
bytes or below RSA key.  MEDIUM is any 128 bit cipher (except AES) and
1024 bits or more of RSA key.  HIGH is any 256-bit cipher, any AES
cipher, and 2048+ bits of RSA key.  That's the general breakdown, as
far as I recall (from earlier discussions on this list).

-Kyle H

On 2/8/06, Victor Duchovni <[hidden email]> wrote:

> On Tue, Feb 07, 2006 at 11:32:43PM -0700, Kyle Hamilton wrote:
>
> > On 2/7/06, Victor Duchovni <[hidden email]> wrote:
> > >
> > > For Postfix 2.3 I would like to be able to determine whether the actual
> > > cipher negotiated for a session initialized with a lenient allowed cipher
> > > list, is actually a member of a more strict cipher list.
> > >
> > > The idea is to allow a-priori low security connections to be
> > > opportunistically determined to be high security connections and then
> > > with SASL allow the transmission of plain-text passwords rather instead
> > > of requiring one-time challenge response protocols.
> > >
> > > So the question is, how do I determine whether the current cipher is a
> > > member of say "MEDIUM:HIGH" or "kEDH+MEDIUM+HIGH:!ADH:!DSS"?
> > >
> > > Is this an appropriate user interface? Or should we instead just ask the
> > > administrator to define a minimum secure-channel bit strength, which is
> > > a more crude, but perhaps adequate control.
> >
> > The cipher negotiated is a property of the SSL connection itself.
> >
> > SSL_get_current_cipher() is probably what you're looking for:
> > http://www.openssl.org/docs/ssl/SSL_get_current_cipher.html for
> > documentation.
> >
>
> This part I know. It is less obvious how to determine whether the cipher
> I have is a member of particular "family" after the fact (without
> restricting the session to that family).
>
> --
>         Viktor.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [hidden email]
> Automated List Manager                           [hidden email]
>
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
Reply | Threaded
Open this post in threaded view
|

Re: Determining algorithm strength of current SSL cipher

Victor Duchovni
On Wed, Feb 08, 2006 at 12:53:26PM -0700, Kyle Hamilton wrote:

> Check the documentation for the various levels to see what each cipher
> falls into.  Specifically, "LOW" is any 40 or 56-bit cipher, and 768
> bytes or below RSA key.  MEDIUM is any 128 bit cipher (except AES) and
> 1024 bits or more of RSA key.  HIGH is any 256-bit cipher, any AES
> cipher, and 2048+ bits of RSA key.  That's the general breakdown, as
> far as I recall (from earlier discussions on this list).
>

I am looking for supported API interfaces, not internal structure
details. I am asking how to check whether the current cipher is a member
of the cipher list for a given cipher rule string that the administrator
may specify as indicating a "secure-channel" encryption level.

$ openssl ciphers -v 'HIGH:MEDIUM:!ADH:!SSLv2:@STRENGTH'
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-RC4-SHA         SSLv3 Kx=DH       Au=DSS  Enc=RC4(128)  Mac=SHA1
KRB5-RC4-MD5            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=MD5
KRB5-RC4-SHA            SSLv3 Kx=KRB5     Au=KRB5 Enc=RC4(128)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1

Nothing here about RSA key lengths, just symmetic key sizes. Presumably
the asymmetric ciphers have appropriate minimum key lengths when used
with strong symmetric ciphers, but in any case, the question is how
to query for cipher list membership.

Some of the relevant functions are and

        SSL_set_cipher_list()
        SSL_get_cipher_list()

it looks like I could construct a dummy "SSL", apply the cipher spec
to it (rather than the SSL associated with the actual session, since
it is not clear what the consequences of changing its cipher list may
be), then look for the current cipher on the list.

Is there a better way? Is this a sensible interface, or would I be
better off just asking the administrator for a bit strength. I
would like an answer from someone is prepared to go beyond the
documentation. I have read it, and read much of the relevant code
also.

--
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]