Birthday Attacks against TLS Ciphers in Windows

Birthday attacks against Transport Layer Security (TLS) ciphers with 64bit block size Vulnerability (Sweet32)

IISCRYPTO

Our first "GoTo" for Cipher issues on Microsoft Windows is IISCrypto from Nartac Software, available here.

Using IISCrypto, you can switch on/off Ciphers, versions of TLS and many other settings within Windows, with the click of a button, also allowing, in the event of an issue, reversing your change.

You can click on the "Best Practice" button to apply the recommended changes, but you also need to ensure that 3DES is switched off.

NOTE: The grey box isn't set!

You will then need to reboot for the change to take effect

REGISTRY EDITING

If you are making registry changes we recommend exporting the key before any change, so you can import the key back if you make any errors.

Run REGEDIT as an administrator of the device.

Move to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL

Export the current key, Right Click on 00010002 and save it as a file

If anything goes wrong, from an admin command prompt you can then run

reg import {myexportedfile.reg}

Double Click "Functions"

You can now remove specific ciphers from here and save once completed.

In addition, we need to check the other keys for the Birthday Attack

Move to: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers

You now need to create a new subkey called "Triple DES 168"

You then create a new DWORD value called "Enabled" within the above subkey and see its data to "0" {that is Zero, creating a Zero 1x Zero, data value}

You will then need to reboot your device!

CHECK CIPHERS

You can use the following commands to check ciphers on your system:

List all Ciphers

Get-TlsCipherSuite

List only DES Ciphers

Get-TlsCipherSuite -Name "DES"

List 3DES Ciphers

Get-TlsCipherSuite -Name "3DES"

List IDEA Ciphers

Get-TlsCipherSuite -Name "IDEA"

List RC2 Cipher Suites

Get-TlsCipherSuite -Name "RC2"