[Ach] A few more comments on the draft

Rainer Hoerbe rainer at hoerbe.at
Mon Dec 16 10:44:47 CET 2013

OpenSSL: While OpenSSL is widely deployed, it has a few ugly aspects, like poor error messages. In a side note, sysadmins could be encouraged not to ignore other options, e.g. NSS and cryptlib. More competition and flexibility in the cryptolib market should improve the quality over time.

Message-oriented crypto (SOAP etc.) would fit into the scope, wouldn't it?  Recommendations should include:
* Protection against XML Signature Wrapping Attacks (what you sign is what you see – often a developer concern, sometimes related to network components such as XML firewalls)
* Use counter mode to fix broken XML encryption, e.g. in SAML configurations.

In 10.1 there is a minor formal inconsistency in the definition of the MAC. The MAC field contains the MAC algorithm, not the MAC. The definition needs an explanation, like adding the following sentence:
"The field in the cipher string states the algorithm to compute the MAC."

AES 128 is not considered a strong cipher? IMHO not including AES128 is not in a good balance with the typical RSA-2048 certificate, which is kind of a 112-bit symmetric equivalent. I would recommend not only including AES128 to better support embedded/low-power devices, but even giving it priority over AES256.

10.3.2 /SSLv3. There is a slight inconsistency: The first bullet lists TLS 1.2, 1.1, 1.0, but not SSL3. The cipher string contains +SSLv3.
BTW, which clients still do not support TLS1.0?

10.3.2 "allow SHA-1". The threat is primarily in using certificates signed using SHA-1. Many root CAs still use SHA-1, e.g. the popular Startssl. It should be made clear that the risks are vastly different depending on whether an adversary would have to attack SHA-1 in a TLS session or on the certificate.

12.2 SSH key distribution.
This would be a good place to warn people against using anonymous key exchange on the first access to a server. Sysadmins should act as if GCHQ would intercept any initial ssh connection to quickly root the target system.

Best regards
Rainer Hörbe
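[Editor's note] As an added example for the 10.1 and 10.3.2 remarks above (editor's code, not from the hardening guide or from OpenSSL): a small Python parser for the output of `openssl ciphers -v` that labels what the MAC column and the trailing hash token of a suite name stand for, lists the suites whose version column says SSLv3 and those using HMAC-SHA1 in the record layer, and reorders a list so that AES-128 suites come first. The sample lines are a constructed excerpt in that command's column layout, and the RSA-to-symmetric table holds the NIST SP 800-57 security levels; both are the only assumptions beyond the post.

```python
"""Inspect an OpenSSL cipher list as the 10.1 / 10.3.2 remarks discuss it.

Editor's example, not code from the guide or from OpenSSL. SAMPLE is a
constructed excerpt in the column layout of `openssl ciphers -v '<string>'`;
feed the real command's output to parse_ciphers() to work on live data.
"""
import re
from typing import Dict, List

Suite = Dict[str, str]

# Constructed sample, same columns as `openssl ciphers -v`:
# suite name, protocol the suite was defined for, Kx=, Au=, Enc=, Mac=
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)    Mac=SHA256
DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)    Mac=SHA256
DHE-RSA-AES256-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(256)    Mac=SHA1
DHE-RSA-AES128-SHA          SSLv3   Kx=DH       Au=RSA  Enc=AES(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168)   Mac=SHA1
"""

FIELD = re.compile(r"\b(Kx|Au|Enc|Mac)=(\S+)")


def parse_ciphers(text: str) -> List[Suite]:
    """Turn `openssl ciphers -v` lines into dicts: name, version, kx, au, enc, mac."""
    suites = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        suite = {"name": parts[0], "version": parts[1]}
        for key, value in FIELD.findall(line):
            suite[key.lower()] = value
        suites.append(suite)
    return suites


def describe_mac(suite: Suite) -> str:
    """Explain the trailing hash token of the suite name.

    For HMAC suites (Mac=SHA1, Mac=SHA256, ...) it names the hash of the
    record-layer HMAC. For AEAD suites OpenSSL prints Mac=AEAD: there is no
    separate MAC, and the token names the TLS 1.2 PRF hash instead.
    """
    suffix = suite["name"].rsplit("-", 1)[-1]
    if suite["mac"] == "AEAD":
        return f"AEAD, no separate MAC; {suffix} is the TLS 1.2 PRF hash"
    return f"HMAC-{suite['mac']}"


def key_bits(suite: Suite) -> int:
    """Symmetric key size from the Enc column, e.g. AESGCM(256) -> 256."""
    match = re.search(r"\((\d+)\)", suite["enc"])
    return int(match.group(1)) if match else 0


def is_aes128(suite: Suite) -> bool:
    return suite["enc"].startswith("AES") and key_bits(suite) == 128


def prefer_aes128(suites: List[Suite]) -> List[Suite]:
    """Stable reorder: all AES-128 suites first, the rest in their original order."""
    return sorted(suites, key=lambda s: 0 if is_aes128(s) else 1)


def to_cipher_string(suites: List[Suite]) -> str:
    """Join suite names into an explicit, ordered OpenSSL cipher string."""
    return ":".join(s["name"] for s in suites)


def sslv3_era_suites(suites: List[Suite]) -> List[str]:
    """Suites whose version column says SSLv3.

    That column is the protocol the suite was first defined for; it does not
    mean SSLv3 gets negotiated. Offering the SSLv3 protocol is a separate
    setting (SSL_OP_NO_SSLv3, SSLProtocol, ssl_protocols), and `+SSLv3` in a
    cipher string only moves these suites to the end of the list.
    """
    return [s["name"] for s in suites if s["version"] == "SSLv3"]


def hmac_sha1_suites(suites: List[Suite]) -> List[str]:
    """Suites with HMAC-SHA1 in the record layer (Mac=SHA1).

    Certificate signature algorithms are not visible here; a SHA-1-signed
    certificate is a property of the chain, not of the cipher suite.
    """
    return [s["name"] for s in suites if s["mac"] == "SHA1"]


def rsa_symmetric_equivalent(modulus_bits: int) -> int:
    """Approximate symmetric security level of an RSA modulus (NIST SP 800-57)."""
    table = {1024: 80, 2048: 112, 3072: 128, 7680: 192, 15360: 256}
    level = 0
    for modulus, bits in sorted(table.items()):
        if modulus_bits >= modulus:
            level = bits
    return level


if __name__ == "__main__":
    suites = parse_ciphers(SAMPLE)
    for s in suites:
        print(f"{s['name']:28} {describe_mac(s)}")
    print("SSLv3-era suites:", sslv3_era_suites(suites))
    print("AES-128 first:", to_cipher_string(prefer_aes128(suites)))
    print("RSA-2048 ~", rsa_symmetric_equivalent(2048), "bit symmetric")
```

Usage: `openssl ciphers -v 'HIGH:!aNULL' | python3 ciphers.py` style piping is left out on purpose; paste the real output into SAMPLE or read it from stdin. The point of describe_mac() is the one raised for 10.1: the last token of a suite name is an algorithm, and for GCM suites it is not even a MAC algorithm but the PRF hash, which is why OpenSSL reports Mac=AEAD there.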
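[Editor's note] As an added example for the 12.2 remark above (editor's code, not from the guide or from OpenSSH): checking a host key line as `ssh-keyscan host` prints it against a fingerprint received over a trusted channel, before anything is appended to known_hosts. It reproduces the two fingerprint formats `ssh-keygen -lf` prints (SHA256:<base64 without padding> and the legacy MD5 colon-hex form) and rejects a line whose declared key type does not match the type string inside the key blob. The host name and the 32 Ed25519 key bytes are constructed for the example, not a real host's key.

```python
"""Verify an SSH host key against a fingerprint obtained out of band.

Editor's example for the 12.2 remark; not code from the guide or OpenSSH.
It computes the same fingerprints `ssh-keygen -lf` prints, so a line from
`ssh-keyscan host` can be checked against a fingerprint the admin received
over a trusted channel before it is appended to known_hosts.
"""
import base64
import hashlib
import struct
from typing import Tuple


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: uint32 big-endian length prefix + bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw_public_key: bytes) -> bytes:
    """OpenSSH public key blob for ssh-ed25519: string type, string key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)


def known_hosts_line(host: str, keytype: str, blob: bytes) -> str:
    """Format a blob as ssh-keyscan / known_hosts would print it."""
    return f"{host} {keytype} {base64.b64encode(blob).decode()}"


# Constructed sample: the 32 key bytes are arbitrary, not a real host's key.
SAMPLE_BLOB = ed25519_blob(bytes(range(32)))
SAMPLE_LINE = known_hosts_line("bastion.example.internal", "ssh-ed25519", SAMPLE_BLOB)


def parse_known_hosts_line(line: str) -> Tuple[str, str, bytes]:
    """Split a known_hosts / ssh-keyscan line into (host, keytype, decoded blob).

    The fingerprint is computed over the blob, and the blob starts with its
    own type string; a line whose declared type disagrees with it is rejected.
    """
    parts = line.split()
    if len(parts) < 3:
        raise ValueError("expected '<host> <keytype> <base64 key>'")
    host, keytype, b64 = parts[0], parts[1], parts[2]
    blob = base64.b64decode(b64, validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n].decode("ascii", "replace") != keytype:
        raise ValueError("declared key type does not match the key blob")
    return host, keytype, blob


def fingerprint(blob: bytes, algo: str = "sha256") -> str:
    """Fingerprint in the format of `ssh-keygen -lf -E <algo>`."""
    if algo == "sha256":
        digest = hashlib.sha256(blob).digest()
        return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    if algo == "md5":
        hexdigest = hashlib.md5(blob).hexdigest()
        return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, 32, 2))
    raise ValueError("unsupported fingerprint hash: " + algo)


def verify_host_key(line: str, expected: str) -> Tuple[bool, str]:
    """Compare the scanned key with the fingerprint obtained out of band.

    Returns (match, actual_fingerprint). Only a match should be appended to
    known_hosts; a mismatch on first contact is exactly the case the remark
    warns about and must abort the connection attempt.
    """
    _, _, blob = parse_known_hosts_line(line)
    algo = "md5" if expected.upper().startswith("MD5:") else "sha256"
    actual = fingerprint(blob, algo)
    return actual == expected, actual


if __name__ == "__main__":
    # In practice `expected` comes from the trusted channel, not from the scan.
    expected = fingerprint(SAMPLE_BLOB)
    ok, actual = verify_host_key(SAMPLE_LINE, expected)
    print("match" if ok else "MISMATCH", actual)
```

Usage note: run `ssh-keyscan -t ed25519 host > scanned` on the client, paste the fingerprint from the trusted channel as `expected`, and append the line to ~/.ssh/known_hosts only when verify_host_key() reports a match. Hashed known_hosts entries (`|1|...`) keep the key in the third column, so the parser handles them as well; `@cert-authority` and `@revoked` marker lines are not handled here.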

