How can one determine the encryption algorithm type (e.g. AES, DES, 3DES, etc.) that is used by a certificate in Windows (10, 2012-2019)? Is it obvious, and I'm just not seeing it in the certificate details?
- Certificates use public key algorithms (RSA, DSA) and servers use them to exchange keys for use with symmetric algorithms (AES, DES, 3DES). So you won't see a symmetric key algorithm associated with a certificate. – gowenfawr Dec 10 '19 at 01:03
- @gowenfawr Thank you very much. Here's what I'm trying to determine: we run a vulnerability scan against our servers. It flagged a few certs we use as using the 3DES symmetric encryption method, which is a weak encryption algorithm. It is unclear how this was determined, so I am hoping to be able to see if there is a way to determine this on my own without having to run a scan every time to find out. Do you know if there is a way within Windows to do this, or can I use OpenSSL to determine this somehow? – Mike Dec 10 '19 at 16:02
- If you scan your server and it reports weak ciphers, that has to do with the server cipher suite configuration, not the certificate. Under Windows there are various ways to manage your TLS cipher suites (see https://docs.microsoft.com/en-us/windows-server/security/tls/manage-tls) – gowenfawr Dec 10 '19 at 16:09
- You can use OpenSSL to test whether an individual cipher is enabled or not as described in [this answer](https://security.stackexchange.com/a/46202/3365). If the server is on the Internet, [SSL Labs](https://www.ssllabs.com/ssltest/) can show you. And tools like [sslscan](https://github.com/rbsec/sslscan) will automate some for you as well. – gowenfawr Dec 10 '19 at 16:10
1 Answer
> we run a vulnerability scan against our servers. It flagged a few certs we use as using the 3DES symmetric encryption method, which is a weak encryption algorithm. It is unclear how this was determined, so I am hoping to be able to see if there is a way to determine this on my own without having to run a scan every time to find out

In TLS, the server has a list of cipher suites that it is willing to use when speaking to the client. This is completely independent of the certificate. The vulnerability scanner connects multiple times, each time asking to use a single cipher, and determines which ciphers are or are not in the allowed cipher suite.
You will want to alter your server configuration so that it removes weak ciphers from its cipher suite. Windows offers a number of ways to manipulate its cipher suites.
The best way to test is to repeat what the vulnerability scanner did. You can do this for a single cipher using OpenSSL. You can test the full suite with a single command using the sslscan tool. And if your server is on the Internet, SSL Labs will test your cipher suite and other aspects of your server configuration as well.
- Nit: below 1.3 not _completely_ independent; see https://security.stackexchange.com/questions/127542/can-we-restrict-cipher-suites-using-server-certificate (and in 1.3 there is no 3DES, or DES or RC4, at all). But the data cipher is definitely not _specified_ in or by the certificate. – dave_thompson_085 Dec 11 '19 at 02:24
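
The one-cipher-per-connection check described in the answer can be reproduced against your own server with Python's `ssl` module. This is an added example, not code from the answer or the comments; the cipher list, the weak-name markers and the function names are assumptions chosen for illustration.

```python
import socket
import ssl
import sys

# Substrings of OpenSSL cipher names treated as weak here (3DES appears as "DES-CBC3").
WEAK_MARKERS = ("DES-CBC", "RC4", "NULL", "EXP-")
# Constructed sample list of OpenSSL cipher names to probe; extend as needed.
CANDIDATES = ("DES-CBC3-SHA", "ECDHE-RSA-DES-CBC3-SHA", "RC4-SHA",
              "AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256")

def is_weak(cipher):
    return any(marker in cipher.upper() for marker in WEAK_MARKERS)

def probe(host, port, cipher, timeout=5.0):
    """Offer exactly one cipher suite. Returns 'accepted', 'rejected' or 'untestable'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # the certificate is irrelevant to this test
    ctx.verify_mode = ssl.CERT_NONE
    # Cap at TLS 1.2: TLS 1.3 suites are configured separately and never include 3DES.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    try:
        ctx.set_ciphers(cipher + ":@SECLEVEL=0")
    except ssl.SSLError:
        # The local OpenSSL build lacks this cipher, so the server cannot be tested for it.
        return "untestable"
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "accepted"
    except (ssl.SSLError, ConnectionResetError):
        return "rejected"            # handshake refused; other OSErrors propagate

def scan(host, port, ciphers=CANDIDATES, probe_fn=probe):
    """Probe each cipher; return (results, weak ciphers enabled, ciphers not testable)."""
    results = {c: probe_fn(host, port, c) for c in ciphers}
    weak = sorted(c for c, r in results.items() if r == "accepted" and is_weak(c))
    unknown = sorted(c for c, r in results.items() if r == "untestable")
    return results, weak, unknown

if __name__ == "__main__" and len(sys.argv) > 1:
    # Usage: python cipher_probe.py <host> [port]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    results, weak, unknown = scan(sys.argv[1], port)
    for name, outcome in results.items():
        print(f"{name:32} {outcome}")
    print("weak ciphers enabled:", weak or "none found")
    print("could not test (missing from local OpenSSL):", unknown or "none")
```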