Birthday attacks against Transport Layer Security (TLS) ciphers with 64bit block size Vulnerability (Sweet32)
IISCRYPTO
Our first "GoTo" for Cipher issues on Microsoft Windows is IISCrypto from Nartac Software, available here.
Using IISCrypto, you can switch on/off Ciphers, versions of TLS and many other settings within Windows, with the click of a button, also allowing, in the event of an issue, reversing your change.
You can click on the "Best Practice" button to apply the recommended changes, but you also need to ensure that 3DES is switched off.
NOTE: The grey box isn't set!
You will then need to reboot for the change to take effect
REGISTRY EDITING
If you are making registry changes we recommend exporting the key before any change, so you can import the key back if you make any errors.
Run REGEDIT as an administrator of the device.
Move to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL
Export the current key, Right Click on 00010002 and save it as a file
If anything goes wrong, from an admin command prompt you can then run
reg import {myexportedfile.reg}
Double Click "Functions"
You can now remove specific ciphers from here and save once completed.
In addition, we need to check the other keys for the Birthday Attack
Move to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers
You now need to create a new subkey called "Triple DES 168"
You then create a new DWORD value called "Enabled" within the above subkey and see its data to "0" {that is Zero, creating a Zero 1x Zero, data value}
You will then need to reboot your device!
CHECK CIPHERS
You can use the following commands to check ciphers on your system:
List all Ciphers
Get-TlsCipherSuite
List only DES Ciphers
Get-TlsCipherSuite -Name "DES"
List 3DES Ciphers
Get-TlsCipherSuite -Name "3DES"
List IDEA Ciphers
Get-TlsCipherSuite -Name "IDEA"
List RC2 Cipher Suites
Get-TlsCipherSuite -Name "RC2"