Birthday attacks against TLS ciphers with 64bit (Sweet32)

Gangi Reddy 76 Reputation points
2021-07-22T15:54:22.563+00:00

How to disable the below vulnerability for TLS 1.2 in Windows 10?

QID: 38657
THREAT:
Legacy block ciphers having block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode.
All versions of SSL/TLS protocol support cipher suites which use DES, 3DES, IDEA or RC2 as the symmetric encryption cipher are affected.

IMPACT:
Remote attackers can obtain cleartext data via a birthday attack against a long-duration encrypted session.
SOLUTION:
Disable and stop using DES, 3DES, IDEA or RC2 ciphers.
More information can be found at Microsoft Windows TLS changes docs (https://learn.microsoft.com/en-us/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) and Microsoft Transport Layer Security (TLS) registry settings (https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings)

RESULTS:
CIPHER         KEY-EXCHANGE   AUTHENTICATION   MAC    ENCRYPTION(KEY-STRENGTH)   GRADE
TLSv1.2 WITH 64-BIT CBC CIPHERS IS SUPPORTED
DES-CBC3-SHA   RSA            RSA              SHA1   3DES(168)                  MEDIUM


5 answers

  1. Sankaran, Karthik 30 Reputation points
    2023-03-15T20:46:48.24+00:00

    We managed to fix this issue by following the recommendations from our Security team.
    No problem, the steps to fix it are as follows:

    1. Go to “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers”.
    2. Create Subkey “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168”.
    3. Create DWORD value “Enabled” in the subkey and set its data to 0x0.

     

    End result should look like the following.

    image003

    I have tested it in our lab environment for Windows 10 Pro (domain-joined workstation) and Windows Server 2019 (DC for child domain) and I can confirm it did not break Schannel-based RDP successive logins to the best of my knowledge.

    The vulnerability was also mitigated as per the following nmap scans that leveraged “ssl-enum-ciphers” script to test for Sweet32. Left being before the patch and right being after the patch.

    image004

    6 people found this answer helpful.
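
The three registry steps from the answer above as an idempotent PowerShell function. This is an added example, not part of the original answer; the function name `Disable-SchannelTripleDes168` and the report fields are assumptions, and it has to run from an elevated session.

```powershell
# Added example; Disable-SchannelTripleDes168 is a hypothetical name, not a built-in cmdlet.
function Disable-SchannelTripleDes168 {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $ciphers = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
    $tdes    = Join-Path $ciphers 'Triple DES 168'

    # Reads the current "Enabled" DWORD, or $null when the key or value is absent.
    $readEnabled = {
        if (-not (Test-Path $tdes)) { return $null }
        $item = Get-ItemProperty -Path $tdes -Name Enabled -ErrorAction SilentlyContinue
        if ($item) { $item.Enabled } else { $null }
    }
    # Formats a value for the report so "absent" and 0x0 are distinguishable.
    $show = { param($v) if ($null -eq $v) { '(not set)' } else { '0x{0:X}' -f $v } }

    # Keep the previous state: it is what to restore if RDP or another
    # Schannel-based client stops connecting after the change.
    $before = & $readEnabled

    if ($PSCmdlet.ShouldProcess($tdes, 'Set DWORD Enabled = 0x0')) {
        # Step 2: create the subkey only when missing, so existing values are kept.
        if (-not (Test-Path $tdes)) { New-Item -Path $tdes -Force | Out-Null }
        # Step 3: create or overwrite the DWORD "Enabled" with 0x0.
        New-ItemProperty -Path $tdes -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
    }

    [pscustomobject]@{
        Key           = $tdes
        EnabledBefore = & $show $before
        EnabledAfter  = & $show (& $readEnabled)
        # 3DES suites still present in the cipher suite list, which is configured
        # separately from the SCHANNEL\Ciphers key.
        Suites3DES    = @(Get-TlsCipherSuite -Name '3DES' | ForEach-Object Name)
    }
}

# Preview first, then apply:
Disable-SchannelTripleDes168 -WhatIf
# Disable-SchannelTripleDes168
```

With `-WhatIf` nothing is written, so `EnabledAfter` equals `EnabledBefore`; after a real run it should read `0x0`.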

  2. Anonymous
    2021-07-23T07:15:13.663+00:00

    Hello @Gangi Reddy,

    Thank you for posting here.

    We can check all TLS Cipher Suites by running the command below.

    Get-TlsCipherSuite

    OR

    Get-TlsCipherSuite >C:\machinename.txt

    For example:
    117324-ci2.png

    Or you can check DES, 3DES, IDEA or RC2 cipher Suites as below.
    Get-TlsCipherSuite -Name "DES"
    Get-TlsCipherSuite -Name "3DES"
    Get-TlsCipherSuite -Name "IDEA"
    Get-TlsCipherSuite -Name "RC2"

    For example:
    117298-ci1.png

    You can disable certain specific ciphers by removing them from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

    117334-ci3.png

    Then restart the machine to see if it helps.

    For more information, please refer to the part "Enabling or Disabling additional cipher suites" in the following link.

    Managing SSL/TLS Protocols and Cipher Suites for AD FS
    https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

    Hope the information above is helpful to you.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    4 people found this answer helpful.

  3. Karol Kula 20 Reputation points
    2024-01-08T10:58:42.1333333+00:00

    To protect against this vulnerability you can use this mitigation script:

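    # Name fragments to match: "DES" also matches the 3DES suites, and "RC"
    # matches any suite with RC in its name, such as the RC2 and RC4 suites.
    $WeakCipherSuites = @(
        "DES",
        "IDEA",
        "RC"
    )

    Foreach($WeakCipherSuite in $WeakCipherSuites){
        # -Name accepts a partial name and returns every suite that matches it
        $CipherSuites = Get-TlsCipherSuite -Name $WeakCipherSuite

        if($CipherSuites){
            Foreach($CipherSuite in $CipherSuites){
                # Remove the suite from this computer's TLS cipher suite list
                Disable-TlsCipherSuite -Name $($CipherSuite.Name)
            }
        }
    }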
    
    3 people found this answer helpful.

  4. KTC_Church 21 Reputation points
    2023-03-15T20:40:17.0033333+00:00

    Or use IIS Crypto to manage cipher suites: https://www.nartac.com/Products/IISCrypto/Download


  5. Sankaran, Karthik 30 Reputation points
    2023-02-25T11:30:11.26+00:00

    I had similar findings flagged against an Azure VM running Windows Server 2019 DC. I tried to remove this registry key manually, restart the server and ended up having issues with RDP to the server. Not able to proceed, get the ERRCONNECT-FAILED (0x000000) or similar.

    So is there something I need to ensure before removing this registry entry?

