Skip to content

[2016-09-01 08:00:00 UTC] YubiCloud cipher changes and statistics

2016-08-30

In the past, the TLS configuration for YubiCloud has differed slightly between each api*.yubico.com machine, due to different web server, SSL/TLS libraries and operating system versions.

When deciding which TLS cipher suites to support, and their preferred order, we typically follow Mozilla TLS guidelines. However, these are only a rough guide, and sometimes we have to make slight changes to support different client configurations.

YubiCloud has a certain requirement where a wide array of clients has to be supported, some of which are using very old software.

A little bit over a year ago, while upgrading from Ubuntu 12.04 to newer LTS releases, we ran into a problem with some of our Java-based clients. The issue was that we had DH key-exchange enabled with a minimum prime bit length of 1024, but the newer Apache HTTP Server bundled with Ubuntu, only support >= 2048-bit primes.

These clients abort the TLS negotiation and hence fail to establish a connection with YubiCloud.

In the rush to solve this issue, we disabled DH ciphers on api.yubico.com and api3.yubico.com, so that these clients could communicate with some of the YubiCloud machines using RSA+AES. This allowed such clients to stop trying to negotiate DH (where they would fail due to large primes) and fallback to the next preferred cipher suite of RSA+AES (which, unlike DH, does not support Perfect Forward Secrecy).

This Summer, we have been working on standardizing the TLS configuration across the YubiCloud. To start with, we looked at what cipher suites were actually being used by clients.

We realized that roughly 95% of our clients negotiate TLS sessions using ECDH. The rest use a mixture of DH and RSA. The ones using RSA for key exchange typically fall into using AES or 3DES as the encryption algorithm.

To have the same TLS cipher suite (and preference order) across all api*.yubico.com machines, we needed to make a decision on whether to support DH key-exchange with a minimum of 2048-bit primes, or disable it completely, hence leaving new clients to use ECDH exclusively and old clients to use RSA+AES.

Considering that less than 1% of our clients use DH, we decided to drop it. Such clients that want PFS should consider upgrading their TLS stack to support ECDH.

Up until now, DH has been disabled on all api* machines except for api4.yubico.com. On September 1st, 2016, we will disable DH completely across YubiCloud. The TLS configuration will hence be as follows:

~$ openssl ciphers "EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES" | tr ':' '\n'
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
ECDHE-ECDSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
ECDHE-ECDSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
ECDHE-RSA-DES-CBC3-SHA
ECDHE-ECDSA-DES-CBC3-SHA
DES-CBC3-SHA

Clients using DH should automatically have their TLS negotiation to fallback to RSA+AES (one of the AES128* or AES256* suites). We have observed this behavior while switching off DH on api 1, 2, 3 and 5.

We highly recommend to upgrade your software to support ECDH.

Some statistics showing cipher suite usage across the YubiCloud are displayed below. This data represents OTP verification requests using TLS between 2016-08-15 and 2016-08-28 (inclusive).

Cipher suite usage for each YubiCloud api*.yubico.com machine:

API 1:

87.01% ECDHE-RSA-AES128-GCM-SHA256
 7.09% ECDHE-RSA-AES128-SHA
 3.30% ECDHE-RSA-AES128-SHA256
 1.72% AES128-SHA
 0.47% DES-CBC3-SHA
 0.38% AES128-SHA256
 0.04% AES128-GCM-SHA256
 0.00% ECDHE-RSA-AES256-SHA

API 2:

65.79% ECDHE-RSA-AES128-GCM-SHA256
26.44% ECDHE-RSA-AES128-SHA
 4.72% AES128-SHA
 1.98% DES-CBC3-SHA
 0.57% ECDHE-RSA-AES128-SHA256
 0.45% AES128-SHA256
 0.04% AES128-GCM-SHA256

API 3:

78.73% ECDHE-RSA-AES128-GCM-SHA256
16.22% ECDHE-RSA-AES128-SHA
 3.20% AES128-SHA
 1.18% DES-CBC3-SHA
 0.39% AES128-SHA256
 0.24% ECDHE-RSA-AES128-SHA256
 0.04% AES128-GCM-SHA256

API 4:

62.29% ECDHE-RSA-AES128-GCM-SHA256
31.33% ECDHE-RSA-AES128-SHA
 3.02% DHE-RSA-AES128-SHA
 2.06% DES-CBC3-SHA
 0.79% DHE-RSA-AES128-SHA256
 0.49% DHE-RSA-AES128-GCM-SHA256
 0.02% ECDHE-RSA-AES128-SHA256
 0.00% AES128-SHA

API 5:

63.00% ECDHE-RSA-AES128-GCM-SHA256
27.04% ECDHE-RSA-AES128-SHA
 5.94% AES128-SHA
 2.22% ECDHE-RSA-AES128-SHA256
 1.09% DES-CBC3-SHA
 0.68% AES128-SHA256
 0.04% AES128-GCM-SHA256

Global cipher suite usage across the YubiCloud:

78.35% ECDHE-RSA-AES128-GCM-SHA256
15.21% ECDHE-RSA-AES128-SHA
 2.64% AES128-SHA
 2.03% ECDHE-RSA-AES128-SHA256
 0.98% DES-CBC3-SHA
 0.39% AES128-SHA256
 0.26% DHE-RSA-AES128-SHA
 0.07% DHE-RSA-AES128-SHA256
 0.04% DHE-RSA-AES128-GCM-SHA256
 0.03% AES128-GCM-SHA256
 0.00% ECDHE-RSA-AES256-SHA

Cipher suite usage grouped by key exchange algorithm (and encryption where applicable), for each YubiCloud api*.yubico.com machine:

API 1:

97.40% ECDH
 2.13% RSA-AES
 0.47% RSA-3DES

API 2:

92.79% ECDH
 5.22% RSA-AES
 1.98% RSA-3DES

API 3:

95.18% ECDH
 3.63% RSA-AES
 1.18% RSA-3DES

API 4:

93.64% ECDH
 4.30% DH
 0.00% RSA-AES
 2.06% RSA-3DES

API 5:

92.26% ECDH
 6.65% RSA-AES
 1.09% RSA-3DES

Cipher suite usage grouped by key exchange algorithm (and encryption where applicable), globally across the YubiCloud:

95.59% ECDH
 3.06% RSA-AES
 0.98% RSA-3DES
 0.37% DH

It is worth noting that some connections use 3DES. These are most likely Windows XP machines which did not have any Service Pack installed, otherwise AES support would have been added.

Interestingly enough, Windows XP machines are not something that you want anywhere near close to the Internet, considering that Microsoft is no longer providing security patches and it was originally released 15+ years ago.

For astute readers wondering if 3DES should be disabled, our server preference declares that 3DES cipher suites are the least preferred ones, meaning that newer clients will always use a more modern cipher suite.

Comments are closed.