Birthday attacks against TLS ciphers with 64bit (Sweet32)

Gangi Reddy 71 Reputation points
2021-07-22T15:54:22.563+00:00

How to disable below vulnerability for TLS1.2 in Windows 10?

QID: 38657
THREAT:
Legacy block ciphers having block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode.
All versions of SSL/TLS
protocol support cipher suites which use DES, 3DES, IDEA or RC2 as the symmetric encryption cipher are affected.

IMPACT:
Remote attackers can obtain cleartext data via a birthday attack against a long-duration encrypted session.
SOLUTION:
Disable and stop using DES, 3DES, IDEA or RC2 ciphers.
More information can be found at Microsoft Windows TLS changes docs
(https://learn.microsoft.com/en-us/windows-server/security/tls/tls-schannel-ssp-changes-in-windows-10-and-windows-server) and Microsoft Transport
Layer Security (TLS) registry settings (https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings)

RESULTS:
CIPHER KEY-EXCHANGE AUTHENTICATION MAC ENCRYPTION(KEY-STRENGTH) GRADE
TLSv1.2 WITH 64-BIT CBC CIPHERS IS
SUPPORTED
DES-CBC3-SHA RSA RSA SHA1 3DES(168) MEDIUM

Windows 10 Security
Windows 10 Security
Windows 10: A Microsoft operating system that runs on personal computers and tablets.Security: The precautions taken to guard against crime, attack, sabotage, espionage, or another threat.
2,924 questions
{count} vote

7 answers

Sort by: Most helpful
  1. Daisy Zhou 24,666 Reputation points Microsoft Vendor
    2021-07-23T07:15:13.663+00:00

    Hello @Gangi Reddy ,

    Thank you for posting here.

    We can check all TLS Cipher Suites by running command below.

    Get-TlsCipherSuite

    OR

    Get-TlsCipherSuite >C:\machinename.txt

    For example:
    117324-ci2.png

    Or you can check DES, 3DES, IDEA or RC2 cipher Suites as below.
    Get-TlsCipherSuite -Name "DES"
    Get-TlsCipherSuite -Name "3DES"
    Get-TlsCipherSuite -Name "IDEA"
    Get-TlsCipherSuite -Name "RC2"

    For example:
    117298-ci1.png

    You can disable certain specific ciphers by removing them from HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

    117334-ci3.png

    Then restart the machine to see if it helps.

    For more information, please refer to the part "Enabling or Disabling additional cipher suites" in the following link.

    Managing SSL/TLS Protocols and Cipher Suites for AD FS
    https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

    Hope the information above is helpful to you.

    Should you have any question or concern, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    4 people found this answer helpful.

  2. Sankaran, Karthik 20 Reputation points
    2023-03-15T20:46:48.24+00:00

    We managed to fix this issue by following the recommendations from our Security team.
    No problem, the steps to fix it are as follows:

    1. Go to “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers”.
    2. Create Subkey “HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168”.
    3. Create DWORD value “Enabled” in the subkey and set its data to 0x0.

     

    End result should look like the following.

    image003

    I have tested it our lab environment for Windows 10 Pro (domain-joined workstation) and Windows Server 2019 (DC for child domain) and I can confirm it did not break Schannel-based RDP successive logins to the best of my knowledge.

     

    The vulnerability was also mitigated as per the following nmap scans that leveraged “ssl-enum-ciphers” script to test for Sweet32. Left being before the patch and right being after the patch.

    image004

    4 people found this answer helpful.

  3. Karol Kula 20 Reputation points
    2024-01-08T10:58:42.1333333+00:00

    To protect against this vulnerability you can use this mitigation script:

    $WeakCipherSuites = @(
        "DES",
        "IDEA",
        "RC"
    )
    
    Foreach($WeakCipherSuite in $WeakCipherSuites){
        $CipherSuites = Get-TlsCipherSuite -Name $WeakCipherSuite
    
        if($CipherSuites){
            Foreach($CipherSuite in $CipherSuites){
                Disable-TlsCipherSuite -Name $($CipherSuite.Name)
            }
        }
    }
    
    3 people found this answer helpful.
    0 comments No comments

  4. OngHongTeck 1 Reputation point
    2022-02-10T15:16:23.517+00:00

    Hi,

    Which cipher require to disable in order to remove the birthday attacks vulnerability issue ?

    0 comments No comments

  5. Sankaran, Karthik 20 Reputation points
    2023-02-25T11:30:11.26+00:00

    i had similar findings flagged against an Azure VM running Windows Server 2019 DC. I tried to remove this registry key manually, restart the server and ended up having issues with RDP to the server. not able to proceed, get the ERRCONNECT-FAILED (0x000000) or similar

    so is there something i need to ensure before removing this registry entry?

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.