Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32)

Bang, Mirae (807-Extern-Mirae) 1 Reputation point
2022-06-24T01:45:00.1+00:00

Dear All.

I have a question about the Birthday attacks vulnerability.

We already disabled 3DES in the past.
However, it is still detected.
We have no solution.

Can anyone share a solution for how we can remediate this topic?

(screenshot attached: 214563-image.png)

Thank you.
Best regards.

Windows for business | Windows Server | User experience | Other

4 answers

Sort by: Most helpful
  1. risolis 8,741 Reputation points
    2022-06-24T04:03:09.653+00:00

    Hello @Bang, Mirae (807-Extern-Mirae)

    Thank you for your heads up on this.

    In my humble opinion, you might try to get this done by modifying the Windows registry value and then double-checking the change you made.

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/restrict-cryptographic-algorithms-protocols-schannel

    Looking forward to your feedback,

    Best Regards,

    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.


  2. Anonymous
    2022-06-27T06:55:54.053+00:00

    Hello BangMirae807ExternMirae-9981,

    Thank you for posting here.

    Hope the information provided by BangMirae807ExternMirae-9981 is helpful.

    Here I add some information.

    From the screenshot you provided, I did not see that you have the DES cipher. Based on "however, still detected.", how did you detect it/them?

    Here I can see the DES cipher in my lab.
    (screenshot attached: 215272-screenshot-2022-06-27-145301.png)

    You can remove the DES ciphers if needed through the registry as below.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

    (screenshot attached: 215273-screenshot-2022-06-27-144557.png)

    Reference
    Managing SSL/TLS Protocols and Cipher Suites for AD FS
    https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

    Note: For system security, please back up the registry before modifying the registry.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.


  3. Limitless Technology 39,931 Reputation points
    2022-06-27T07:35:32.22+00:00

    Hello,
    Based upon the information provided, add two registry keys to the SCHANNEL section of the registry.

    As a registry file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
    "Enabled"=dword:00000000

    Or from the command line:
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168" /v Enabled /d 0 /t REG_DWORD /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168" /f
    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 16

    Check This also:
    https://social.technet.microsoft.com/Forums/ie/en-US/7a143f27-da47-4d3c-9eb2-6736f8896129/disabling-3des-breaks-rdp-to-server-2008-r2

    ----------------------------------------------------------------------------------------------------------------------------------------------------

    --If the reply is helpful, please Upvote and Accept as answer--

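The same change as the .reg file and `reg add` commands in the answer above, written in PowerShell so it can be scripted and verified in one pass. This is an added example, not code from the original answer or from Microsoft. It assumes an elevated session on the target machine and uses the key names exactly as the answer lists them; Schannel reads these keys at boot, so a restart is needed before the change takes effect.

```powershell
# Added example: create the SCHANNEL cipher keys from the answer above and set
# Enabled = 0, then read the values back so the change can be verified.
# Requires an elevated PowerShell session.

$cipherRoot    = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
$keysToDisable = @('Triple DES 168', 'Triple DES 168/168')   # names as listed in the answer

# Open (or create) the Ciphers key with write access.
$base = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($cipherRoot, $true)
if (-not $base) {
    $base = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($cipherRoot)
}

foreach ($name in $keysToDisable) {
    # The .NET registry API is used instead of New-Item because the PowerShell
    # registry provider treats '/' as a path separator, which would turn
    # 'Triple DES 168/168' into two nested keys instead of one key with that name.
    $key = $base.CreateSubKey($name)
    $key.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Verification: report each key and its Enabled value (expected 0).
foreach ($name in $keysToDisable) {
    $key   = $base.OpenSubKey($name)
    $value = $key.GetValue('Enabled')
    $key.Close()
    [pscustomobject]@{ Cipher = $name; Enabled = $value }
}
$base.Close()
```

The verification loop is the part worth keeping in any change ticket: a scanner will keep flagging Sweet32 until the key is present with `Enabled` set to `0` and the host has been rebooted, so recording the value read back (rather than only that the command ran) tells you which of those two conditions is still missing.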

  4. Paczynski, Jakub 1 Reputation point
    2022-09-15T10:55:48.943+00:00

    Hi.

    Do we need to edit HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002 and delete the below to deal with Sweet32?

    TLS_RSA_WITH_NULL_SHA
    TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA

    Are those without a number the ones below 128-bit block size, which are recommended to be removed?

    Also, does anyone know how we can alter that registry key via PowerShell so we do not need to physically log in to a device and edit it?

    Thanks.

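Editing the cipher-suite list under `...\Cryptography\Configuration\Local\SSL\00010002` (the key shown in the second answer) without logging on to each box, as asked above, can be done over PowerShell remoting with the built-in TLS cmdlets rather than by hand-editing the `Functions` value. This is an added example, not code from the thread or from Microsoft. It assumes Windows Server 2016 / Windows 10 or later on the targets (where `Get-TlsCipherSuite` and `Disable-TlsCipherSuite` exist), WinRM access from an elevated session, and placeholder host names. It removes only suites whose name contains `3DES`, because Sweet32 concerns 64-bit block ciphers; it does not touch the NULL suite, which is a separate weakness. It also checks the Group Policy cipher-suite order key, since a policy-defined order overrides the local list and the scanner finding would persist until the GPO itself is changed.

```powershell
# Added example: remove 3DES (64-bit block) cipher suites on remote hosts and
# report what was removed. Host names are placeholders.

$targets = @('SERVER01', 'SERVER02')

$remediate = {
    # If a Group Policy "SSL Cipher Suite Order" is applied, it lives here and
    # takes precedence over the local list that Disable-TlsCipherSuite edits.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy) {
        Write-Warning "$env:COMPUTERNAME: cipher-suite order is set by policy; edit the GPO instead."
    }

    # Suites currently offered that use 3DES.
    $before = Get-TlsCipherSuite |
        Where-Object Name -match '3DES' |
        Select-Object -ExpandProperty Name

    foreach ($suite in $before) {
        Disable-TlsCipherSuite -Name $suite
    }

    # Read the list again so the result is verified, not assumed.
    $after = Get-TlsCipherSuite |
        Where-Object Name -match '3DES' |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        PolicyManaged = [bool]$policy
        RemovedSuites = $before
        Remaining3DES = $after   # expected to be empty unless policy-managed
    }
}

Invoke-Command -ComputerName $targets -ScriptBlock $remediate | Format-List
```

Run it once in audit mode first by commenting out the `Disable-TlsCipherSuite` line: the `RemovedSuites` column then shows which hosts still offer 3DES and which are policy-managed, which usually explains the "we disabled it but it is still detected" situation from the original question.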
