7.12 Ensure Only Cipher Suites That Provide Forward Secrecy Are Enabled

Information

In cryptography, _forward secrecy_ (FS), which is also known as _perfect forward secrecy_ (PFS), is a feature of specific key exchange protocols that give assurance that your session keys will not be compromised even if the private key of the server is compromised. Protocols such as RSA do not provide the forward secrecy, while the protocols 'ECDHE' (Elliptic-Curve Diffie-Hellman Ephemeral) and the 'DHE' (Diffie-Hellman Ephemeral) will provide forward secrecy. The 'ECDHE' is the stronger protocol and should be preferred, while the 'DHE' may be allowed for greater compatibility with older clients. The TLS ciphers should be configured to require either the 'ECDHE' or the 'DHE' ephemeral key exchange, while not allowing other cipher suites.

Rationale:

During the TLS handshake, after the initial client & server Hello, there is a pre-master secret generated, which is used to generate the master secret, and in turn generates the session key. When using protocols that do not provide forward secrecy, such as RSA, the pre-master secret is encrypted by the client with the server's public key and sent over the network. However, with protocols such as 'ECDHE' (Elliptic-Curve Diffie-Hellman Ephemeral) the pre-master secret is not sent over the wire, even in encrypted format. The key exchange arrives at the shared secret in the clear using ephemeral keys that are not stored or used again. With FS, each session has a unique key exchange, so that future sessions are protected.

Solution

Perform one of the following to implement the recommended state:
- Add or modify the following line in the Apache server level configuration and every virtual host that is SSL/TLS enabled:

SSLCipherSuite EECDH:EDH:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA

- The more recent versions of openssl (such as 1.0.2 and newer) will support the usage of 'ECDHE' as a synonym for EECDH and 'DHE' as a synonym for EDH in the cipher specification. The usage of 'ECDHE' and 'DHE' are preferred so that the specification matches the expected output. So the cipher specification could be:

SSLCipherSuite ECDHE:DHE:!NULL:!SSLv2:!RC4:!aNULL:!3DES:!IDEA

See Also

https://workbench.cisecurity.org/files/2378

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-8, CSCv6|14.2, CSCv7|14.4

Plugin: Unix

Control ID: dc07e0dad6445794d16362cfab6bf2aeb38f2492d09e9aa42972f5c34ff6a069