Certain configurations have proven insecure. The following guidance provides configurations for acceptable protocols for all services that are protected by Transport Layer Security (TLS) as well as sensitive information protected by these services.
Any system which supports payment card processing must comply with higher requirements, per PCI guidance.
- 2048 bit or 4096 bit (in accordance with FIPS 140-2 §4.7.3)
- UAB has contracted with InCommon for TLS certificates for all of uab.edu. UAB systems using PKI should use these InCommon certificates. InCommon certificates can be ordered here.
- Self-signed certificates are not recommended, nor is the use of other Certificate Authorities (CA). If you need to use any of these, contact Enterprise Information Security with a request through AskIT.
- Wild card certificates should not be used. If you need to use a wild card certificate, contact Enterprise Information Security through AskIT.
- TLSv1.2 is modern and provides the safest encryption. The use of this protocol is strongly recommended.
- TLSv1.0 and TLSv1.1 are acceptable. TLSv1.0 should be phased out as soon as possible.
- SSLv2 and SSLv3 are not allowed for TLS encryption at UAB.
- You must use FIPS 140-2 where required by compliance.
- Use AES-256 or AES-128 for symmetric ciphers.
- Use RSA-2048 or RSA-4096 for non-elliptic curve public key cryptography.
- Use Diffie Hellman Ephemeral (DHE) or Elliptic Curve Diffie Hellman Ephemeral (ECDHE) for key exchange with forward secrecy.
- Use SHA-2 rather than MD5 or SHA-1 for signatures, etc.
- You should use ciphers that provide greater than or equal to 128 bits of real security, or 3DES.
- You should order ciphers by highest strength first.
- Export (low-strength) ciphers are not allowed.
- You should include ciphers that provide Perfect Forward Encryption.
- Cipher strength selection should prioritize confidentiality first and then performance.
- You should only use Transport Layer Security where it is required to protect information.
- You should not mix secure and non-secure content in Web applications. Use the single mediation model.
- Qualys SSL Labs: SSL/TLS Deployment Best Practices
- Open Web Application Security Project (OWASP): Transport Layer Protection Cheat Sheet
- FIPS 140-2 for Mere Mortals
- Elliptical Curve Cryptography
- Applied Crypto Hardening
- Recommendations for Secure Use of TLS and DTLS
- Tool for Configuring Microsoft IIS TLS Cryptography, NarTac Software
Recommended configuration for Apache 2
Make sure you add these directives to the main 443 server and that there are no overriding statements in virtual hosts.
#SSLHonorCipherOrder not a valid command in Apache 2.0, only use in 2.2 and 2.4 – anything older than Apache 2.0 should be disconnected from the network.
SSLProtocol all -SSLv2 -SSLv3
#gives perfect forward secrecy but saw odd things on www with this, may revisit after older browsers diminish in use.
#SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW
Special thanks to Ed Harris for the recommendations for Apache 2.
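The checks this section asks for (SSLv2 and SSLv3 off, no export ciphers, no overriding statements in virtual hosts) can be run over a configuration file with a short script. The Python below is an added example, not part of the original guidance or any UAB tooling; the sample configuration and host name are constructed, and treating "all" as every protocol including SSLv2 is a deliberately conservative assumption.

```python
import re

FORBIDDEN = {"sslv2", "sslv3"}        # protocols the standard does not allow
# Assumption: "all" is treated as every protocol below, so SSLv2/SSLv3 must be
# removed explicitly, as in the recommended "all -SSLv2 -SSLv3".
KNOWN = {"sslv2", "sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
EXPORT_WORDS = {"EXPORT", "EXP", "EXPORT40", "EXPORT56", "LOW"}
WATCHED = {"sslprotocol", "sslciphersuite", "sslhonorcipherorder"}

# Constructed sample, not a real UAB configuration.
SAMPLE = """\
# main 443 server
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+aRSA+AESGCM EDH+aRSA !aNULL !eNULL !LOW !EXPORT"
<VirtualHost *:443>
    ServerName legacy.example.edu
    SSLProtocol all -SSLv2
    SSLCipherSuite HIGH:MEDIUM:EXP
</VirtualHost>
"""


def enabled_protocols(args):
    """Evaluate SSLProtocol arguments left to right, the way mod_ssl does."""
    enabled = set()
    for token in args.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        group = set(KNOWN) if name.lower() == "all" else {name.lower()}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:                          # a bare name replaces what came before
            enabled = group
    return enabled


def export_tokens(args):
    """Return cipher-string tokens that switch export/low-strength suites on."""
    hits = []
    for token in re.split(r"[\s:,]+", args.strip().strip('"')):
        if not token or token[0] in "!-":
            continue                   # exclusions and removals are fine
        parts = token.lstrip("+").split("+")
        if any(p.upper() in EXPORT_WORDS for p in parts):
            hits.append(token)
    return hits


def audit(config_text):
    """Return (line_no, scope, kind, message) tuples for each finding."""
    findings, scope = [], "server"
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if opened:
            scope = "vhost " + opened.group(1).strip()
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            scope = "server"
            continue
        parts = line.split(None, 1)
        name, args = parts[0], parts[1] if len(parts) > 1 else ""
        if name.lower() not in WATCHED:
            continue
        if scope != "server":          # statement overrides the main server
            findings.append((no, scope, "override", name))
        if name.lower() == "sslprotocol":
            bad = sorted(enabled_protocols(args) & FORBIDDEN)
            if bad:
                findings.append((no, scope, "violation", "enables " + ", ".join(bad)))
        elif name.lower() == "sslciphersuite":
            bad = export_tokens(args)
            if bad:
                findings.append((no, scope, "violation", "export ciphers: " + " ".join(bad)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d [%s] %s: %s" % finding)
```

On the constructed sample, the main server lines pass and the virtual host is reported four times: two overrides, SSLv3 left enabled, and an export cipher keyword.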
The registry data files for Microsoft Windows Server versions 2003, 2008r2 and 2012r2 have been posted to the UAB IT software download site. These files contain registry settings configurations that have been tested and verified to conform to the UAB encryption standard. These files will assist system administrators in configuring their servers to meet that standard.
File MD5 Hashes
- 2003std.reg - E1A7F5FC9AA6B3AEC4B1D9F2ED1EECD8
- 2008r2.reg - 94CCC4AFD6D1E05A687B65EF382E5CFC
- 2012r2.reg - 94CCC4AFD6D1E05A687B65EF382E5CFC
Special thanks to Jim Clark and Patrick Gustin for the significant efforts to build and test these configurations.
- HIGH: Encryption suites with key lengths equal to or larger than 128 bits. Included in this definition is the 3DES (Triple DES (Data Encryption Standard)) encryption suite.
- MEDIUM: Encryption suites with key lengths that are less than 128 bit but not included in those categorized as “export”. Does not include 3DES.
- EXPORT (LOW): Encryption suites with key lengths that are 64 bit or less.
- Rivest, Shamir, and Adleman (RSA): RSA is one of the first practicable public-key cryptosystems and is widely used for secure data transmission.
- Diffie-Hellman (DH): DH is a specific method of securely exchanging cryptographic keys and was the first specific example of public-key cryptography as originally conceptualized by Ralph Merkle.
- Elliptic curve Diffie–Hellman (ECDH): An anonymous key agreement protocol that allows two parties, each having an elliptic curve public–private key pair, to establish a shared secret over an insecure channel.
- Transport Layer Security (TLS): Cryptographic protocols designed to provide communications security over a computer network. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key.
- AES128, AES256, AES: A specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology in 2001. AES is based on the Rijndael cipher developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen, who submitted a proposal to NIST during the AES selection process. Implementations are available using 128 bit AES or 256 bit AES.
- AESGCM: AES in Galois Counter Mode (GCM): These ciphersuites are only supported in TLS v1.2.
- 3DES: Triple DES is the common name for the Triple Data Encryption Algorithm symmetric-key block cipher, which applies the Data Encryption Standard cipher algorithm three times to each data block.
- DES: Once a predominant symmetric-key algorithm for the encryption of electronic data. It was highly influential in the advancement of modern cryptography in the academic world. Developed in the early 1970s at IBM and based on an earlier design by Horst Feistel. DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small.
- RC4: In cryptography, RC4 is the most widely used software stream cipher and is used in popular Internet protocols such as Transport Layer Security. While remarkable for its simplicity and speed in software, RC4 has weaknesses that argue against its use in new systems. It is especially vulnerable when the beginning of the output keystream is not discarded, or when nonrandom or related keys are used; some ways of using RC4 can lead to very insecure protocols such as WEP.
- Pre-shared keys (PSK): Pre-shared key or PSK is a shared secret which was previously shared between the two parties using some secure channel before it needs to be used. To build a key from shared secret, the key derivation function should be used. Such systems almost always use symmetric key cryptographic algorithms.
- Certificate Authority (CA): A certificate authority or certification authority is an entity that issues digital certificates.
- Secure Sockets Layer (SSL): A protocol developed by Netscape for transmitting private documents via the Internet. SSL version 3.0 was released in 1996. As of 2014 the 3.0 version of SSL is considered insecure as it is vulnerable to the POODLE attack that affects all block ciphers in SSL; and RC4, the only non-block cipher supported by SSL 3.0, is also feasibly broken as used in SSL 3.0.
Windows 8 is not recommended for campus use at this time. However, if you have to support a Windows 8 portable device, it must be encrypted. At this time, BitLocker is available to accomplish this task on all Windows 8 portable devices that have a TPM chip and do not run on an ARM platform (such as a Windows 8 RT tablet). Windows 8 devices that run on an ARM platform or those that do not have TPM chips should not be used.
UAB Policy requires all laptop/portable devices owned by UAB or UAB businesses and all personal laptop/portable devices used for UAB business be encrypted. PGP, UAB’s current encryption tool, does not work on Windows 8 and Symantec has not yet set a support date for Windows 8.
BitLocker is an acceptable alternative to encrypt Windows 8 system drives in some circumstances. In the past, BitLocker has been recommended when PGP was incompatible with Windows 7 or specific BIOS versions. Systems that are currently encrypted with PGP should remain encrypted via PGP. UAB IT is currently researching BitLocker key management solutions and will issue further guidance as available, but in the meantime, BitLocker should be installed using the non-enterprise setup method below.
Non-Enterprise BitLocker Setup
Recommendations for using BitLocker
- Set a password on the system BIOS
- TPM chip in the device
- You must take ownership of the TPM chip
- Before updating the BIOS, BitLocker must be suspended
- Escrow the key in some manner
- Professional/enterprise version of Windows
- Use a TPM + PIN authentication method
- System must be formatted NTFS with two volumes
Escrowing the key
With Windows 8, you may escrow the key in one of the following ways:
- Save the recovery key to a USB flash drive: This method saves the recovery key to a USB flash drive. This option cannot be used with removable drives.
- Save the recovery key to a file: This method saves the recovery key to a network drive or other location.
- Print the recovery key: This method prints the recovery key, but it is not recommended.
It will be up to the department to maintain the escrow recovery keys.
If you experience any issues with PGP, please report them to the help desk, AskIT, by email at AskIT@uab.edu, or by phone at 205-996-5555. Please be sure to provide the following information:
- Error messages
- Computer make and model
- Internet connection type
- PGP installer version
- Estimated time of occurrence (if possible)
Common Solutions to Installation Issues
- Verify that you are an administrator of the system on which you are attempting to install PGP.
- Open your web browser and ensure that you have Internet connectivity by opening a website.
- Be sure that you have a current installation package for PGP Desktop. Visit www.uab.edu/it/software for the latest installation files.
- Ensure that you are using your BlazerID and strong password for the PGP Enrollment credentials.
Common Solutions to Password Related Issues
- Verify that Caps Lock is not on while authenticating.
- If you recently changed your account password, you may have to provide the old password until you log in to the system with your new password.
- If the previously mentioned steps do not resolve your issue, you should call the AskIT Help Desk to request a PGP recovery token for the system or portable device. A recovery token is a one-time password that will allow you to bypass PGP, but it will not bypass the operating system password; you are still required to log in.
Common Solutions to Boot/Startup Related Issues
- Ensure that a keyboard is connected to the system. Systems such as tablets without physical keyboards will not be able to authenticate on the PGP boot screen.
- Remove any CDs, DVDs or USB drives from the system. Many of these devices have features that allow them to start before the system hard drive.
- Does the system have multiple operating systems or Dell Media Direct? If so, then you will need to contact your support personnel to assist you with the recovery of your hard drive. Please note that PGP should never be installed on systems with multiple operating systems, as it will render the system inoperable.
- See the PGP Recovery documentation for further support.
Please Note: There is a known incompatibility with Sophos and FileVault on Mac OS X 10.5.x. If you are using FileVault please do not install Sophos Antivirus at this time.
Prior to enabling FileVault the following considerations should be observed:
Although FileVault has a very low failure rate, it is recommended that users create a backup of documents and files prior to enabling FileVault. This backup will provide a means of recovery in the event that anything should happen.
- Time Machine:
Under normal operation, Time Machine will back up information in the user's Home folder while the user is logged in. Once FileVault is enabled, however, Time Machine will back up a user's Home folder only after the user logs out, and recovery of individual files becomes difficult. It is for this reason that Time Machine's backup potential is reduced and is not recommended for use with FileVault. If an alternate backup solution is required, iBackup provides a freeware solution that allows on-demand and scheduled backup and recovery of individual files while you are logged in. http://www.apple.com/downloads/macosx/system_disk_utilities/ibackup.html
- Free Space:
When FileVault is enabled the user's Home folder is copied (not moved) to a protected space and the original is not deleted until the end of the process. This means that prior to enabling FileVault, the free space on the hard drive should be equal to or greater than the size of the Home folder. This free space requirement is also necessary in the event that FileVault is disabled. If you do not have this amount of free space available, then it may be necessary to offload some of the files in your home directory to an external device before beginning the process and then migrate the files over to the protected Home file once the process is complete.
- Open your System Preferences panel and click Security.
- On the General tab, select the items below to ensure maximum security.
- On the Firewall tab, select "Allow only essential services" to prevent unauthorized users from accessing your computer remotely.
- On the FileVault tab, click the button labeled "Set Master Password".
- On this screen you will set a Master Password that can unlock FileVault protected accounts. This is a feature that is designed to provide recovery for accounts. Set this password as something you won't forget, but ensure that it is different from your user account password. Do not lose or forget this password; this password cannot be recovered or reset once it is set.
- You will now be prompted for the password affiliated with your current user account.
- After your password is accepted you will be prompted to confirm that you want to turn on FileVault. On this screen, be sure to check the option to "Use secure erase". Once you click "Turn On FileVault" the computer will not be accessible for 1-2 hours depending on hardware.
PGP Deployment Strategy
- Create a resource account on the UAB domain under your OU (AskIT can assist you with this). You typically want this to represent your department and PGP (e.g. SOPH-PGP or SOM-PGP).
- Login to the laptop and add a PGP account.
- If the laptop is on the UAB domain, add the resource account to the administrators group and proceed through the installation documentation while using that account.
- If the laptop is on a different domain or no domain at all, you can create a new admin and install PGP with that account.
- When you are prompted to enroll with the PGP server, provide the resource or admin account credentials. This creates a recovery token that you can request to gain access to the machine (should you ever find yourself locked out of the system).
- When the installation is complete, you will need to add the user(s) to PGP with their normal login credentials, and when they log in, they will enter their BlazerID credentials in the enrollment screen (this generates a recovery token in case they ever have password issues).
- Remove the resource account from the administrators group at the end of the process. Removing admin rights from the PGP resource account ensures that if the password for either your domain admin account or PGP resource account is ever compromised, the account only runs at a user level (additionally, compromised domain admin credentials don’t grant access to every encrypted laptop). To work on the system, you would have to input the PGP password, choose “Logout”, and then enter the admin account credentials.
How Different PGP Components Address Different Needs
PGP Whole Disk Encryption
Encrypts the whole hard drive or USB drive. Removable devices are not readable on a system unless PGP is installed. This option is most useful in cases where blanket encryption is needed.
PGP Virtual Disks
Creates a virtual drive (.pgd) that is only mountable on a system with PGP. A virtual disk can be added to a portable drive to provide secure storage for sensitive information without forcing the entire drive to be encrypted. This gives the user the power to use the drive on systems without PGP, thus leaving flexibility intact and providing security for sensitive information because it cannot be accessed without PGP.
PGP Zip Archives
Creates a compressed and encrypted archive of files that in most cases can only be accessed on a system with PGP. If the user has PGP installed on a PC, then they are able to create “Self Decrypting Archives”. This particular archive type allows anyone with the passphrase to extract the secure contents of the file without having PGP installed. Self-decrypting archives are particularly useful when users need to move sensitive data and PGP may not be available at the destination.
During setup, the system must have access to the Internet or the UAB campus network in order to authenticate on the key-server (the address is embedded in the installer and is later added to the Windows Registry or Mac User Preferences). When you come to the point in the installation where you enter a BlazerID or resource account as enrollment credentials, they are sent to the key-server, which checks them against LDAP. Once you have successfully authenticated, the server will send some configuration information to the client and also create an entry under your BlazerID that will include information about the computer you are encrypting.
Unless the BlazerID credentials are used to login to the system, they are only used to create a Whole Disk Recovery Token (WDRT) with the server; the user name and password for the local user are separate and aren’t sent to the server. Instead, an encrypted hash of the local password is cached in the PGP client once it’s used to login to Windows. So if you change a password, it will be updated only after it is used; not when the password is changed. This means that if the user chooses to restart immediately after changing their password, the old password must be used on the PGP Bootguard screen and the single sign-on feature (Windows) won’t log them in because Windows is expecting the new password. To prevent this situation from occurring, the user should probably choose to logout then login after a password change. The cached password should update immediately and the new password will work with the PGP Bootguard screen.
If multiple users plan to use a Windows system with PGP, ensure that all of the users set unique passwords. If multiple users have the same password, then PGP will assume that the last user to login is the one authenticating.
On a PC installation of PGP, single sign-on is used and accounts are verified. When you add a passphrase user to PGP, it will require that a strong password is used and that it matches the account password on the machine. If the user doesn’t exist or it has a blank password, you will receive an error message and the user will not be added. The relationship between PGP and Windows accounts is limited to those that exist and adding or removing a user in one location does not change the state of the other location. So if you remove a Windows user account, the entry will still exist and work in PGP but single sign-on will not be possible.
On a Mac installation of PGP, single sign-on is not used and the passphrase users in PGP are not tied to any operating system accounts. This is due to the fact that PGP writes to a preference file under the profile that installs PGP and does not add any important configuration info to the main preferences folder or user folders. Because the preferences are different for every user, when a user other than the one that installed PGP attempts to load the software, they are treated as if they are not licensed and as if there is no known key-server. This is now corrected by an application and documentation that is added to the installer file under “PGP-User Enrollment.app”.
So when you consider the behavior of PGP for Macs version 9.9 you could view each passphrase user as nothing more than a password that will get you past the PGP Bootguard screen.
If the policy (configuration) of your PGP client requires that the primary hard drive is encrypted, the process will begin once you have added a passphrase user and complete the configuration steps. Regardless of whether you start the encryption automatically or manually, the software first creates a Whole Disk Recovery Token on the server under your BlazerID, and then it installs the PGP Bootguard.
On a Windows system installing the Bootguard means that the software creates a backup of the MBR and then installs a PGPMBR in its place. This is the point where dual-boot systems normally break (the other components of PGP don’t cause this).
On an Intel-Mac, the Extensible Firmware Interface (EFI) normally hands off to the GUID Partition Table (GPT). But when a Mac is encrypted with PGP, the EFI is backed up and replaced by one that loads the encryption software. This is also the point where Bootcamp is broken.
From this point on, the PGP Bootguard screen is installed and a valid passphrase must be provided before the drive can be accessed. If the drive is removed or booted in an alternate method, the data can’t be accessed or read unless it is on a machine with PGP and a valid passphrase is used to unlock the device.
If you or a user is ever locked out of a machine for whatever reason, you can call AskIT and they can give you the recovery token for your username on that system. The recovery token is a string of 28 characters (dashes are optional) that will provide access beyond the PGP Bootguard screen but will not let you in the operating system. If you don’t have any passwords to the system that can grant you access as an administrator, then you should consider decrypting the drive with the proper PGP boot disk or from an encrypted workstation and then go through your normal recovery procedures. Once a recovery token is created, an entry is logged on the server and the system is flagged as needing a new WDRT. If you successfully login to the account that the WDRT was for, the client will then attempt to negotiate the creation of a new WDRT with the server (which requires a network connection to the server).
Update the System Time
If the system time is out of date, PGP may not be installed correctly. If you have already installed PGP before updating the system time so that it is automatically synchronized, you may receive error messages such as "This configured PGP install requires an enterprise license," or notice that PGP is not functioning properly. In order to resolve this issue you will need to update the system time and completely reinstall PGP. Follow the steps below to update system time on a Windows machine:
- Open the "Date and Time Properties" by double-clicking on it in the task bar, or by clicking on "Start," selecting "Control Panel" and choosing "Date and Time" (it may be under "Date, Time, Language and Regional options").
- Correct the date and time information, then click "OK" to save changes.
Correcting Networking Issues Caused by PGP
- Install PGP
- Go to C:\Windows\system32\PGPIspRollback.reg
- Right-click the file and choose Merge
- Restart the PC
Completely Resetting PGP (Windows)
CAUTION: DO NOT RESTART THE PC BETWEEN ANY STEPS
- Be sure that the computer is online and can connect to the Internet.
- Exit any running instance of PGP or PGP Services.
- Open regedit and go to HKLM\SOFTWARE\PGP Corporation\PGP. Change PGPSTAMP to be ovid=keys.it.uab.edu&admin=1
- Delete the following folders:
C:\Documents and Settings\All Users\Application Data\PGP Corporation
C:\Documents and Settings\%userprofile%\Application Data\PGP Corporation
C:\Documents and Settings\%userprofile%\Local Settings\Application Data\PGP Corporation
C:\Documents and Settings\%userprofile%\My Documents\PGP
- Restart PGP by clicking on Start->PGP->PGP Desktop. Be sure you enter your BlazerID credentials on the enrollment screen and select "New User".
Hard Drive Recovery
If you have the drive slaved to a working machine with the same version of PGP Desktop try the following:
- Open a CMD prompt.
- Go to: c:\Program Files\PGP Corporation\PGP Desktop\
- Run pgpwde --enum (this will list all the drives available on your machine; find the drive number for the encrypted drive: the first will be disk 0 (your boot drive), then disk 1, then disk 2 and so on)
- Once you have your disk number, try: pgpwde --disk # --recover, where # is the number you found (so if it's disk 1 it would be: pgpwde --disk 1 --recover). pgpwde will search your disk for a backup sector; if it finds one, it will restore it.
- If it restores the sector, then do: pgpwde --disk # --decrypt --passphrase "enter within double-quotes"
- To determine whether the drive is still instrumented (MBR Swapped) run: pgpwde --status --disk #
- If the disk is instrumented, run: pgpwde --uninstrument --disk #
Verbose Logging on PGP
- Open the registry with regedit
- Browse to HKEY_CURRENT_USER->SOFTWARE->PGP CORPORATION->UNIVERSAL
- Create a new "KEY" in here called "Debug"
- Inside HKEY_CURRENT_USER->SOFTWARE->PGP CORPORATION->UNIVERSAL->Debug, create a DWORD value called "LoggingLevel"
- Give the "LoggingLevel" entry a HEX value of "3FFFF"
- Right click your pgptray icon and choose Exit PGP Services.
- Click Start->Programs->StartUp->pgptray.exe
- Open PGP Desktop and select Tools>View Log. Set “View Level” to Verbose.
- If the application is crashing prior to launch, click Start->Run and type "%appdata%"
- Once you have your Application Data folder up, open "PGP Corporation", then open "PGP".
- You should see "PGPlog.txt" with debug logging data in it.
PGPWDE Command Line
Many helpful commands can be issued to PGP from a command line, which provides many opportunities for scripting and remote modification.
The PGP WDE command line utility is installed at C:\Program Files\PGP Corporation\PGP Desktop\pgpwde.exe on Windows machines and "pgpwde --help" will produce a basic listing of commands. For a more complete listing of commands and explanation see the PGP Windows Command Line Guide at: https://supportimg.pgp.com/guides/PGPwdeWinCmdline_991_usersguide_en.pdf
The PGP WDE command line utility on a Mac can be accessed by opening a terminal window and typing "pgpwde