How to enforce strong SSL/TLS ciphers in IIS
How can we ensure IIS uses only strong ciphers for SSL/TLS? Does the setting “Require 128-bit encryption” achieve that? What are strong ciphers, anyway? We’ll try to answer these questions today.
First of all, does the IIS setting “Require 128-bit encryption” ensure strong ciphers?
Unfortunately, “No”. This setting only ensures that 128-bit keys are used for encryption. But that’s not the same as promising strong ciphers.
Let’s step back for a minute. Remember SSL/TLS supports a range of algorithms? For symmetric encryption, it can use AES, 3DES, RC2, or RC4. For message integrity, it can use MD5 or SHA. For asymmetric encryption, the algorithm is RSA.
A cipher suite is a combination of algorithms. RSA_AES_SHA is an example of a cipher suite. FIPS has approved specific cipher suites as strong. These use AES or 3DES for encryption, and SHA for integrity. FIPS does not consider other cipher suites strong.
The setting “Require 128-bit encryption” enables all 128-bit encryption algorithms, including RC2 and RC4. It also enables suites that use MD5 for integrity. Since RC2, RC4 and MD5 are all unsafe, we need to disable them separately.
The Microsoft Knowledge Base article “How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll” describes how to enable just the FIPS 140 algorithms. Here’s a summary:
1. Disable weak ciphers
- Open the registry editor
- Locate HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
- Set “Enabled” dword to “0x0” for the following registry keys:
SCHANNEL\Ciphers\RC4 128/128
SCHANNEL\Ciphers\RC2 128/128
SCHANNEL\Ciphers\RC4 64/128
SCHANNEL\Ciphers\RC4 56/128
SCHANNEL\Ciphers\RC2 56/128
SCHANNEL\Ciphers\RC4 40/128
SCHANNEL\Ciphers\RC2 40/128
SCHANNEL\Ciphers\NULL
SCHANNEL\Hashes\MD5
2. Enable strong ciphers
- Open the registry editor
- Locate HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders
- Set “Enabled” dword to “0xffffffff” for the following registry keys:
SCHANNEL\Ciphers\Triple DES 168/168
SCHANNEL\Hashes\SHA
SCHANNEL\KeyExchangeAlgorithms\PKCS
If the Enabled dword doesn’t exist yet, please create the dword and set the value to “0x0” or “0xffffffff” as required.
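The two registry steps above can also be checked and applied from PowerShell. This is an added example, not code from the original post or the Knowledge Base article: without -Apply it only reports the current “Enabled” value of each key, and the -Apply switch and the report column names are the example's own.

```powershell
# Added example: audit, and with -Apply set, the Schannel values listed above.
# Run elevated. -Apply and the report column names are this example's own.
param([switch]$Apply)

$base = 'SYSTEM\CurrentControlSet\Control\SecurityProviders'

# Desired "Enabled" DWORD per key, from the two lists in the post.
# Int32 -1 is written as 0xffffffff; SetValue rejects the unsigned 4294967295.
$desired = [ordered]@{
    'SCHANNEL\Ciphers\RC4 128/128'        = 0
    'SCHANNEL\Ciphers\RC2 128/128'        = 0
    'SCHANNEL\Ciphers\RC4 64/128'         = 0
    'SCHANNEL\Ciphers\RC4 56/128'         = 0
    'SCHANNEL\Ciphers\RC2 56/128'         = 0
    'SCHANNEL\Ciphers\RC4 40/128'         = 0
    'SCHANNEL\Ciphers\RC2 40/128'         = 0
    'SCHANNEL\Ciphers\NULL'               = 0
    'SCHANNEL\Hashes\MD5'                 = 0
    'SCHANNEL\Ciphers\Triple DES 168/168' = -1
    'SCHANNEL\Hashes\SHA'                 = -1
    'SCHANNEL\KeyExchangeAlgorithms\PKCS' = -1
}

$hklm = [Microsoft.Win32.Registry]::LocalMachine
$report = foreach ($name in $desired.Keys) {
    $path = "$base\$name"
    $want = [int]$desired[$name]
    if ($Apply) {
        # CreateSubKey splits only on "\", so "RC4 128/128" stays one key name.
        # New-Item on an HKLM:\ path would treat the "/" as a path separator.
        $key = $hklm.CreateSubKey($path)
        $key.SetValue('Enabled', $want, [Microsoft.Win32.RegistryValueKind]::DWord)
        $key.Close()
    }
    $key  = $hklm.OpenSubKey($path)          # read-only handle for the report
    $have = if ($key) { $key.GetValue('Enabled', $null) } else { $null }
    if ($key) { $key.Close() }
    [pscustomobject]@{
        Key       = $name
        Wanted    = '0x{0:x}' -f $want
        Current   = if ($null -eq $have) { '(not set)' } else { '0x{0:x}' -f $have }
        Compliant = ($null -ne $have -and [int]$have -eq $want)
    }
}
$report | Format-Table -AutoSize
```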