Tag Archives: SSL VPN

Juniper Secure Access: Understanding ECC Certificates

Understanding ECC Certificates

Public-key cryptography is a cryptographic system that requires a secret key and a public key that are mathematically linked with each other. One key encrypts the plain text while the other decrypts the cipher text. RSA is the most widely used public-key algorithm.

Elliptic Curve Cryptography (ECC) were introduced as an alternative to RSA in public key cryptography. One advantage of ECC over RSA is key size versus strength. For example, a security strength of 80 bits can be achieved through an ECC key size of 160 bits, whereas RSA requires a key size of 1024. With a 112-bit strength, the ECC key size is 224 bits and the RSA key size is 2048 bits.

The most popular signature scheme that uses elliptic curves is called the Elliptic Curve Digital Signature Algorithm (ECDSA). The most popular key agreement scheme is called Elliptic Curve Diffie-Hellman (ECDH). An ECDH exchange is a variant of the Diffie-Hellman (DH) protocol and is an integral part of the Suite B cryptography standards proposed by the National Security Agency (NSA) for protecting both classified and unclassified information.

About Suite B

The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. Because a single encryption algorithm cannot satisfy all of the needs of the national security community, NSA created a larger set of cryptographic algorithms, called Suite B, which can be used along with AES in systems used by national security users. In addition to AES, Suite B includes cryptographic algorithms for hashing, digital signatures, and key exchanges.

Per RFC 6460, to be Suite B TLS 1.2 compliant the server and client should negotiate with the following ciphers:

  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

RFC 6460 also lists a transitional Suite B profile for TLS 1.0 and TLS 1.1. Clients and servers that do not yet support Suite B TLS 1.2 should negotiate with the following ciphers:

  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

There is no special configuration to ensure that Secure Access Service and Access Control Service negotiates Suite B ciphers. However, the following general steps should be performed to enable Suite B compliance:

  • An ECC certificate signed by an ECC Root CA is associated with a network port.
    • A P-256 CSR is signed by either a P-256 or P-384 Root CA.
    • A P-384 CSR is be signed by a P-384 Root CA.
  • Manually enable only AES128 and/or AES256 custom ciphers.
Note: Secure Access Service and Access Control Service cannot be configured to allow only Suite B ciphers.

Using ECC Certificates with Secure Access Service and Access Control Service

ECC certificates are currently supported only on the MAG and virtual appliance platforms. As with RSA certificates, ECC certificates are associated with a network port. You can create multiple virtual ports on the server with each port supporting a specific certificate. For example, external virtual port 1 can use a 1024-bit RSA while external virtual port 2 uses ECC P-256 and external virtual port 3 uses ECC P-384. Only clients that support ECC cipher suites can connect to the web server on that network port.

When an Elliptic Curve Cryptography (ECC) certificate is associated with a network port, only clients that support ECC cipher suites can connect to the Web server on that network port.

Except for the key and certificate generation process, the use of ECC certificates is basically the same as using RSA certificates.

Published: 2013-11-15
Client Verification

Click the lock icon located at the end of the address bar and then click the View Certificate link

SSL

Click the Details tab and scroll down until you see the Public key field. In this example, the public key value is ECC (256 Bits) which matches the server port p3 certificate.

ECC cert

 

Juniper Secure Access: Using TCP Dump to View Cipher Information

juniper

Using TCP Dump to View Cipher Information

You can use the TCP Dump tool to view which cipher each client uses to connect to the server. TCP Dump is a packet analyzer that intercepts (sniffs) and displays TCP/IP and other packets transmitted or received between the server and clients.

Note: To permit debugging, it is recommended that the ECC certificate be replaced by an RSA certificate so that an RSA cipher suite gets selected and then the application data can be decoded.

To capture packet headers:

  1. Select Maintenance > Troubleshooting > Tools > TCP Dump.
  2. Select the interface, internal or external or both, you wish to sniff and then the VLAN port.
  3. Click Start Sniffing.The next time a user points a browser window to the server or logs in to the server, handshake information is obtained.
  4. Click Stop Sniffing when done.

To view the packet headers:

  1. Select Maintenance > Troubleshooting > Tools > TCP Dump.
  2. Under Dump file, select SSLDump from the file menu and the certificate to use. See Figure 1.

    Figure 1: Viewing the TCP Dump Output

    Viewing the TCP Dump Output

    The certificate names in the TCP Dump window are the same as the “Certificate issued to” names in the Device Certificates window. Select the certificate corresponding to the port you wish to view packet information. See Figure 2.

    Figure 2: Issued to Certificate on the Device Certificates Pages

    Issued to Certificate on the Device<br /><br />
Certificates Pages
  3. Click Get.

Portions of a TCP dump output follow.

The client starts a handshake with the server:

1 1  0.0007 (0.0007)  C>S  Handshake

The client then lists its supported cipher suites:

cipher suites
        TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
        TLS_ECDH_ECDSA_WITH_AES_256_SHA384
        TLS_ECDH_ECDSA_WITH_AES_256_SHA
        TLS_ECDH_ECDSA_WITH_DES_CBC3_SHA
			 ...

The server acknowledges the handshake:

1 2  0.0010 (0.0003)  S>C  Handshake

The server compares the cipher suites on the client with the ones on the server and picks the cipher suite that is preferred by the server based on SSL options:

cipherSuite         TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384

Example TCP Dump Output

New TCP connection #1: 10.64.8.3(46200) <-> 10.64.90.21(443)
1 1  0.0007 (0.0007)  C>S  Handshake
      ClientHello
        Version 3.3 
        cipher suites
        TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
        TLS_ECDH_ECDSA_WITH_AES_256_SHA384
        TLS_ECDH_ECDSA_WITH_AES_256_SHA
        TLS_ECDH_ECDSA_WITH_DES_CBC3_SHA
        TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA384
        TLS_ECDH_ECDSA_WITH_AES_128_SHA256
        TLS_ECDH_ECDSA_WITH_AES_128_SHA
        TLS_ECDH_ECDSA_WITH_RC4_SHA
        Unknown value 0xc001
        TLS_EMPTY_RENEGOTIATION_INFO_SCSV
        compression methods
                  NULL
        ClientHello Extensions [113]=
          00 6f 00 0b 00 04 03 00 01 02 00 0a 00 34 00 32 
          00 0e 00 0d 00 19 00 0b 00 0c 00 18 00 09 00 0a 
          00 16 00 17 00 08 00 06 00 07 00 14 00 15 00 04 
          00 05 00 12 00 13 00 01 00 02 00 03 00 0f 00 10 
          00 11 00 23 00 00 00 0d 00 22 00 20 06 01 06 02 
          06 03 05 01 05 02 05 03 04 01 04 02 04 03 03 01 
          03 02 03 03 02 01 02 02 02 03 01 01 00 0f 00 01 
          01 
1 2  0.0010 (0.0003)  S>C  Handshake
      ServerHello
        Version 3.3 
        session_id[32]=
          a3 07 40 6e 73 12 c2 4d f3 7d b9 77 f8 97 e1 94 
          fc 1b 51 6a 66 3c 99 d6 c7 7d 0e fa 29 2e d0 c4 
        cipherSuite         TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
        compressionMethod                   NULL
        ServerHello Extensions [20]=
          00 12 ff 01 00 01 00 00 0b 00 04 03 00 01 02 00 
          0f 00 01 01 
1 3  0.0010 (0.0000)  S>C  Handshake
      Certificate
1 4  0.0010 (0.0000)  S>C  Handshake
      ServerHelloDone
1 5  0.1413 (0.1403)  C>S  Handshake
      ClientKeyExchange
1 6  0.1413 (0.0000)  C>S  ChangeCipherSpec
1 7  0.1413 (0.0000)  C>S  Handshake
1 8  0.1464 (0.0051)  S>C  ChangeCipherSpec
1 9  0.1464 (0.0000)  S>C  Handshake
1 10 9.2389 (9.0924)  C>S  application_data
1 11 9.5828 (0.3438)  C>S  application_data
1 12 9.5833 (0.0004)  S>C  application_data
1    9.5833 (0.0000)  S>C  TCP FIN
1 13 9.5999 (0.0166)  C>S  Alert
1    9.5999 (0.0000)  C>S  TCP FIN

Published: 2014-01-17