3

I have a requirement to disable in the windows 7 computers of the company the support for static key cipher suites.

I have searched and found that this registry key, holds the allowed cipher suites, in a value called Functions.

HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

I have searched about how to identify the static suites in order to remove them from the list. but I haven't found anything.

My question is what I need to search in the ciphers string, to remove the support for static keys.

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA25,.....

Z.T.
  • 7,768
  • 1
  • 20
  • 35
kimo pryvt
  • 469
  • 4
  • 6
  • 12
  • Static cipher suites are suites that do not provide [forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy). Maybe it is easier to enable [cipher suites that are recommended](http://security.stackexchange.com/questions/76993/now-that-it-is-2015-what-ssl-tls-cipher-suites-should-be-used-in-a-high-securit) instead of disabling bad ones. – Sjoerd Sep 13 '16 at 12:36

2 Answers2

1

As stated earlier by Sjoerd 'Static cipher suites are suites that do NOT provide forward secrecy'. So our objective is to limit ciphers suites to those which do have forward secrecy feature.

Forward Secrecy is provided by the ephemeral aspect of DHE (Diffie-Hellman Ephemeral) and ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) ciphers. Ephemeral DH uses a distinct key for each exchange vs. one key for entire session used with fixed DH.

The perfect forward secrecy offered by DHE comes at a price: more computation. The ECDHE variants uses elliptic curve cryptography to reduce this computational cost.

The list provided by Roger Martínez Hernández above includes only those cipher suites that have DHE or ECDHE in them. So the list is good. An easy way to implement this is to use IIS Crypto 3.0 and select or check only these ciphers from the "Cipher Suites" section.

Jay Kulsh
  • 11
  • 2
  • Your answer is useful content, @JayKulsh. But I am not sure, if it is an answer to the question (on the top). Are you sure that you wanted to react that question? It is a requirement here. – peterh Aug 13 '19 at 20:32
  • It is answer to the original question. It was already stated by Sjoerd that "Static cipher suites are suites that do not provide forward secrecy. " Let me add this line to my answer to make this obvious. – Jay Kulsh Aug 13 '19 at 21:33
0

I hope this can help you so far:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384 TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

If you are going to introduce them in a line separe it by commas (,) there should not be spaces

Roger Martínez Hernández
  • 1
  • 4
    Welcome on the site! How did you get the list? How could the OP disable exactly these? I would suggest to give these details, it would hugely improve your answer. – peterh May 11 '19 at 18:13