List Info

Thread: ssl_supported_ciphers.nasl issues?
ssl_supported_ciphers.nasl issues?
country flaguser name
United States		 2007-04-04 13:44:10 
I was looking at the output of ssl_supported_ciphers.nasl
and noticed  
a couple of things... unless I'm not understanding something
in the  
plugin, which is possible.

First, the "Export Ciphers" category is pretty
useless now (I think),  
and only adds confusion to the output (I understand it's
still  
documented and technically exists, but it really has no
meaning). I'd  
recommend dropping it from the output.

Second, I think the cipher bit length checking in the code
did not  
match what was displayed in the output. For example, the
output said  
the category is:
      Medium Strength Ciphers (128-bit key)
but the code said:
      else if (nbits < 112) cat = MEDIUM_STRENGTH;

Patch below, if the changes are sane.

-Sullo

-- 

http://www.cirt.net/     
|     http://www.osvdb.org/


$ diff ssl_supported_ciphers.nasl
new_ssl_supported_ciphers.nasl
41c41
< Reconfigure the affected application if possible to
avoid use of
---
> If possible, reconfigure the affected application to
avoid using
76d75
<
92,93d90
< EXPORT_STRENGTH = ++cat;
< labels[cat] = "Export Ciphers";
95c92
< labels[cat] = "Low Strength Ciphers (excluding
export, < 128-bit key)";
---
> labels[cat] = "Low Strength Ciphers (< 128-bit
key)";
407,408c404
<     if (label =~ "|export") cat =
EXPORT_STRENGTH;
<     else if (label =~ "Enc=None") cat =
NULL_STRENGTH;
---
>     if (label =~ "Enc=None") cat =
NULL_STRENGTH;
418,419c414,415
<         else if (nbits < 56) cat = LOW_STRENGTH;
<         else if (nbits < 112) cat =
MEDIUM_STRENGTH;
---
>         else if (nbits < 128) cat = LOW_STRENGTH;
>         else if (nbits == 128) cat = MEDIUM_STRENGTH;

_______________________________________________
Plugins-writers mailing list
Plugins-writerslist.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
Re: ssl_supported_ciphers.nasl issues?
country flaguser name
United States		 2007-04-05 07:54:31 
On 04/04/07 14:44, Sullo wrote:

> I was looking at the output of
ssl_supported_ciphers.nasl and noticed a 
> couple of things... unless I'm not understanding
something in the 
> plugin, which is possible.
> 
> First, the "Export Ciphers" category is
pretty useless now (I think), 
> and only adds confusion to the output (I understand
it's still 
> documented and technically exists, but it really has no
meaning). I'd 
> recommend dropping it from the output.

Good point. Done.

> Second, I think the cipher bit length checking in the
code did not match 
> what was displayed in the output. For example, the
output said the 
> category is:
>      Medium Strength Ciphers (128-bit key)
> but the code said:
>      else if (nbits < 112) cat = MEDIUM_STRENGTH;

Yes, you're right. I fixed the label to agree with the
actual cutoffs in 
the code.

George
-- 
thealltenablesecurity.com
_______________________________________________
Plugins-writers mailing list
Plugins-writerslist.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
Re: ssl_supported_ciphers.nasl issues?
country flaguser name
United States		 2007-04-05 08:56:54 
Thanks George.

Quoting "George A. Theall" <thealltenablesecurity.com>:
>>     Medium Strength Ciphers (128-bit key)
>> but the code said:
>>     else if (nbits < 112) cat =
MEDIUM_STRENGTH;
>
> Yes, you're right. I fixed the label to agree with the
actual cutoffs
> in the code.

I'd still think the levels should change to:
labels[cat] = "Low Strength Ciphers (< 128-bit
key)";
labels[cat] = "Medium Strength Ciphers (128-bit
key)";
labels[cat] = "High Strength Ciphers (> 128-bit
key)";

rather than:
labels[cat] = "Low Strength Ciphers (< 56-bit
key)";
labels[cat] = "Medium Strength Ciphers (>= 56-bit
and < 112-bit key)";
labels[cat] = "High Strength Ciphers (>= 112-bit
key)";

 From the OpenSSL help page:
http://
www.openssl.org/docs/apps/ciphers.html
HIGH
``high'' encryption cipher suites. This currently means
those with key  
lengths larger than 128 bits, and some cipher suites with
128-bit keys.
MEDIUM
`medium'' encryption cipher suites, currently some of those
using 128  
bit encryption.
LOW
``low'' encryption cipher suites, currently those using 64
or 56 bit  
encryption algorithms but excluding export cipher suites.

Regards
Sullo

-- 

http://www.cirt.net/     
|     http://www.osvdb.org/
_______________________________________________
Plugins-writers mailing list
Plugins-writerslist.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
Re: ssl_supported_ciphers.nasl issues?
country flaguser name
France		 2007-04-05 10:23:37 
On Thu Apr 05 2007 at 15:56, Sullo wrote:

> I'd still think the levels should change to:
> labels[cat] = "Low Strength Ciphers (< 128-bit
key)";

I disagree. Rough estimations tell that breaking by brute
force a
80-bit long key is nearly impossible. 
Breaking DES in 48 hours is possible... If you have a
specialized
hardware which is much more expensive than a PC.

Breaking a 112 bit 3DES key by brute force is not much
easier than
breaking a 128 bit Blowfish key -- both are impossible
considering the
current technology.

> From the OpenSSL help page:
> http://
www.openssl.org/docs/apps/ciphers.html
> HIGH

I wonder how OpenSSL chose this scale.
The ISO15408 norm (Common Criteria) uses such a scale for
the
"strength of functions" and the
"vulnerability analysis". CEM (Common
Evaluation Methodology) gives a set of table to compute the
strength
of an attack. Using that, you'll find that DES is
"medium".

-- 
http://www.bigfoot.com/
~arboi		http://ma75.blogspot.com/
PGP key ID : 0x0BBABA91 - 0x1320924F0BBABA91
Fingerprint: 1048 B09B EEAF 20AA F645  2E1A 1320 924F 0BBA
BA91

_______________________________________________
Plugins-writers mailing list
Plugins-writerslist.nessus.org
http://mail.nessus.org/mailman/listinfo/plugins-writers
[1-4]

about | contact  Other archives ( Real Estate discussion Medical topics )