question

GangiReddy-3804 avatar image
0 Votes"
GangiReddy-3804 asked OngHongTeck-8841 answered

Birthday attacks against TLS ciphers with 64bit (Sweet32)

How to disable below vulnerability for TLS1.2 in Windows 10?

QID: 38657
THREAT:
Legacy block ciphers having block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode.
All versions of SSL/TLS
protocol support cipher suites which use DES, 3DES, IDEA or RC2 as the symmetric encryption cipher are affected.

IMPACT:
Remote attackers can obtain cleartext data via a birthday attack against a long-duration encrypted session.
SOLUTION:
Disable and stop using DES, 3DES, IDEA or RC2 ciphers.
More information can be found at Microsoft Windows TLS changes docs
(https://docs.microsoft.com/en-us/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) and Microsoft Transport
Layer Security (TLS) registry settings (https://docs.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings)


RESULTS:
CIPHER KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH) GRADE
TLSv1.2 WITH 64-BIT CBC CIPHERS IS
SUPPORTED
DES-CBC3-SHA RSA RSA SHA1 3DES(168) MEDIUM

windows-10-security
· 2
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hello @GangiReddy-3804,
How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

0 Votes 0 ·

Hello @GangiReddy-3804,
I just want to confirm the current situations.
Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou


============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.

0 Votes 0 ·
DaisyZhou-MSFT avatar image
0 Votes"
DaisyZhou-MSFT answered DaisyZhou-MSFT edited

Hello @GangiReddy-3804,

Thank you for posting here.

We can check all TLS Cipher Suites by running command below.

Get-TlsCipherSuite

OR

Get-TlsCipherSuite >C:\machinename.txt

For example:
117324-ci2.png

Or you can check DES, 3DES, IDEA or RC2 cipher Suites as below.
Get-TlsCipherSuite -Name "DES"
Get-TlsCipherSuite -Name "3DES"
Get-TlsCipherSuite -Name "IDEA"
Get-TlsCipherSuite -Name "RC2"

For example:
117298-ci1.png


You can disable certain specific ciphers by removing them from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

117334-ci3.png

Then restart the machine to see if it helps.


For more information, please refer to the part "Enabling or Disabling additional cipher suites" in the following link.

Managing SSL/TLS Protocols and Cipher Suites for AD FS
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs


Hope the information above is helpful to you.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou

============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.







ci2.png (11.5 KiB)
ci1.png (16.4 KiB)
ci3.png (52.5 KiB)
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

OngHongTeck-8841 avatar image
0 Votes"
OngHongTeck-8841 answered

Hi,

Which cipher require to disable in order to remove the birthday attacks vulnerability issue ?

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.