Windows Security. TLS – Part 2 (Remove CBC Ciphers)

Overview of Cipher-Block Chaining (CBC) ciphers

Cipher-Block Chaining (CBC) mode is a commonly used mode of operation for symmetric encryption algorithms. While it offers some advantages, it also harbours known vulnerabilities that can be exploited by attackers to compromise the security of your data.

CBC ciphers are not specific to a version of SSL or TLS and are enabled by default on Windows Server TLS v1.2. 

It is recommended that you disable CBC ciphers and use GCM ciphers instead. Potential issues with disabling CBC ciphers generally relate to older hardware and legacy applications.

Types of Vulnerabilities

Padding Oracle Attacks (POODLE and BEAST). These attacks exploit the way CBC uses padding to ensure predictable sizes. Manipulating the ciphertext can allow attackers to progressively decrypt parts of the message.

Initialisation Vector (IV) Reuse. CBC relies on a unique IV for each block of data. Reusing the same IV can leak information about the plaintext, potentially revealing data.

Side-Channel Attacks. These attacks exploit physical leaks during encryption/decryption processes to gain information about the plaintext. They are not specific to CBC, but they can be more effective due to its dependence on previous blocks.

Concerns about CBC

Complexity of Implementation. Securely implementing CBC can be challenging, as even small bugs can introduce vulnerabilities.

Newer and Safer Alternatives. Other cipher suites such as GCM offer stronger security guarantees and are generally recommended for new applications.


Current Status

Many organisations, such as Qualys SSL Labs, Microsoft, etc., consider CBC ciphers to be weak and discourage their use.

Major browsers have deprecated or disabled support for vulnerable CBC ciphers.

CBC ciphers should be avoided; use GCM instead where possible.

How to Check if CBC Ciphers are in use.

1. PowerShell

    Get-TlsCipherSuite -Name CBC

2. NMAP

    nmap --script ssl-enum-ciphers 192.168.200.4

NMAP CBC Ciphers

 

3. IISCRYPTO

CBC Ciphers IISCRYPTO

How to Remove CBC Ciphers

1. Group Policy

  • Create new or edit existing GPO
  • Expand Computer Configuration > Policies > Administrative Templates > Network > SSL Configuration Settings
  • Enable the policy SSL Cipher Suite Order
  • Provide a list of cipher suites to use which excludes CBC ciphers.
 
 
 

2. PowerShell

The command Disable-TlsCipherSuite can be used to remove specific CBC ciphers.

    Disable-TlsCipherSuite -Name "TLS_RSA_WITH_AES_128_CBC_SHA"
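
The single command above, extended to every enabled suite whose name contains CBC. This is an added example, not code from the original post. The function name Remove-CbcCipherSuite is hypothetical, and the policy registry path is assumed to be the location where the SSL Cipher Suite Order GPO stores its list. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the original post).
# Disables every enabled CBC cipher suite, but only if a GCM suite remains.
function Remove-CbcCipherSuite {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # -Name matches on a partial name, so 'CBC' returns all enabled CBC suites.
    $cbc = @(Get-TlsCipherSuite -Name 'CBC')
    $gcm = @(Get-TlsCipherSuite -Name 'GCM')

    # Safety check: never leave the host without a GCM suite to negotiate.
    if ($gcm.Count -eq 0) {
        throw 'No GCM cipher suites are enabled; refusing to disable CBC suites.'
    }

    # Assumption: the "SSL Cipher Suite Order" GPO writes its list to the
    # Functions value under this key. If it is set, the GPO list also needs
    # the CBC suites removed, otherwise local changes may not take effect.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
    $policy = Get-ItemProperty -Path $policyKey -Name Functions -ErrorAction SilentlyContinue
    if ($policy) {
        Write-Warning 'SSL Cipher Suite Order is set by Group Policy; update the GPO list too.'
    }

    foreach ($suite in $cbc) {
        # ShouldProcess makes -WhatIf and -Confirm work for each suite.
        if ($PSCmdlet.ShouldProcess($suite.Name, 'Disable TLS cipher suite')) {
            Disable-TlsCipherSuite -Name $suite.Name
        }
    }

    # Summary object: what was targeted and what is enabled afterwards.
    [pscustomobject]@{
        TargetedCbc  = @($cbc | ForEach-Object Name)
        RemainingCbc = @(Get-TlsCipherSuite -Name 'CBC' | ForEach-Object Name)
        EnabledGcm   = @(Get-TlsCipherSuite -Name 'GCM' | ForEach-Object Name)
    }
}

# Dry run first: lists the suites that would be disabled without changing anything.
Remove-CbcCipherSuite -WhatIf
```

After reviewing the dry-run output, call Remove-CbcCipherSuite without -WhatIf; RemainingCbc should then be empty.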
				
			

 

3. IISCRYPTO

Manually uncheck the CBC ciphers which you want to remove and click Apply.

 

4. Modify registry keys (not advised)

Start registry editor and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers.

Locate the keys for the CBC ciphers and set the Enabled DWORD value to 0.

 

 
