Microsoft yesterday added four cryptographic cipher suites to its default priority ordering list in Windows, a move that brings Perfect Forward Secrecy to the operating system.
Update 3042058 is available for now only on the Microsoft Download Center, affording users the opportunity to test the ciphers before bringing them into their respective IT environments. The updates are available for Windows 7, 8 and 8.1 32- and 64-bit systems, as well as Windows Server 2008 R2 and Windows Server 2012 and 2012 R2 system.
“The update adds the following cryptographic cipher suites to the default list in all affected operating systems and includes improvements to the cipher suite priority ordering,” Microsoft said. The suites are:
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_WITH_AES_128_GCM_SHA256
Bringing Perfect Forward Secrecy to Windows is an important step forward, especially in context of the expressed desire of many large technology providers to encrypt everything in the wake of Snowden and NSA/GCHQ surveillance. PFS ensures that new private keys are negotiated for every session, meaning that if a key is ever compromised in the future, only that particular session will be at risk. In order to attack each session, each key would have to be attacked separately.
“PFS is definitely important when considering attackers with virtually unlimited resources to eavesdrop and crack encryption keys,” said Craig Young, a researcher at Tripwire.
While experts are generally applauding Microsoft’s foray into PFS, Microsoft is late to the party. Google, for example, has had the capability in its products for close to three years. Others, including Dropbox, Facebook, Twitter, and Tumbler, all support PFS and have done so for at least a year. Microsoft, however, last year did bring PFS to its web-based email service Outlook.com.
PFS, while a step forward, is not perfect. There is a performance hit, which Microsoft acknowledges in its advisory, because of its higher computing requirements. It urges Windows server administrators to test for jumps in resource consumption as connections encrypted with TLS/SSL scale up on the client and server side. Kenneth White, director of the Open Crypto Audit Project (OCAP) said Microsoft’s use of crypto suites such as DHE rather than ECDHE, for example, could exacerbate the performance issue.
“It’s an important milestone, but their choices are a little puzzling,” White said. “First, the Forward Secrecy suites (DHE) are ephemeral but they don’t use elliptic curves, and are actually one of the least efficient PFS suites. It’s also good to see the rollout of authenticated modes (AEAD, here GCM). So, this is certainly forward progress, but it would be nice to see efficient authenticated ephemeral Diffie-Hellman ECC suites on the near-term road map.”
White said the use of DHE rather than ECDHE, in some cases, causes between twofold and eightfold decrease in performance.
Kenneth White
“If the server has to work harder, the maximum number of simultaneous connections is significantly reduced,” White said. “Similarly, clients such as web browsers or API peers will have higher load using DHE.”
Experts have been harping on the fact that Perfect Forward Secrecy should be considered minimum crypto standard, especially with new applications. The same goes for HSTS, or HTTP Strict Transport Security, which is a security policy header that tells browsers to communicate only over HTTPS.
“Managing your crypto by removing old ciphers and in this case adding new ones is a good housekeeping move for Microsoft,” said Jon Rudolph, principal software engineer at Core Security. “Knowing your cipher suites is like knowing what you’re eating: it’s a fundamental building block of trust, and it pays to read the label.”
