Imperfect Forward Secrecy

Me, myself & IT

Imperfect Forward Secrecy

Purpose
Reason
Dependencies
Validation
Implementation
Additional Updates
Background Information
Download
Installation: Automatic online installation; Manual offline installation
Update
Deinstallation

Purpose

The setup scripts NT6_PFS.INF (for Microsoft^® Windows^™ 7, Windows Server 2008 R2, Windows 8 and Windows Server 2012) and NT60_PFS.INF (for Windows Vista^® and Windows Server 2008) configure Windows’ SSL/TLS package SChannel to use Cipher Suites which provide ~~Perfect~~ Forward Secrecy per default.

The setup scripts also disable deprecated, insecure or weak cryptographic algorithms, ciphers, hashes and protocols, as recommended in the Security Advisories 2868725 and 3009008 or the MSKB articles 2868725 and 3009008 respectively.
Additionally the setup scripts disable the deprecated, insecure or weak protocols SSL v2.0, SSL v3.0 and TLS v1.0, and enable the protocols TLS v1.1 and TLS v1.2 in Internet Explorer.

The vulnerabilities are known as BEAST and POODLE; the CVE^® lists them as CVE-2011-3389, CVE-2014-3566 and CVE-2014-8730.

Reason

See the recommendations and notes in the MSKB articles 2643584, 2973337, 3009008, 3012774, 3117336, 4019276, the MSDN article HTTPS Security Improvements in Internet Explorer 7, and the TechNet article Introducing TLS v1.2.

Also see the IETF’s RFCs 5469, 6151, 6176, 7457, 7465, 7507, 7525, 7568, 8996 and 9325, plus the post Is SSL broken? – More about Security Bulletin MS12-006 (previously known as Security Advisory 2588513) on Microsoft’s Security Research and Defense Blog.

Dependencies

To enable the TLS cipher suites TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384 and TLS_RSA_WITH_AES_128_GCM_SHA256, the security update 2992611 alias MS14-066, its successor 3046049 alias MS15-031, or 3042058 has to be installed.

To enable the TLS cipher suites TLS_DHE_RSA_WITH_AES_128_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA, the update 3161639, which is part of the optional update 3172605, has to be installed.

To enable RSA/SHA512 and EDCSA/SHA512 signatures with TLS v1.2, the update 2973337 has to be installed.
For Windows 8 and Windows Server 2012 this update is included in the update 2975331; for Windows 8.1 and Windows Server 2012 R2 it is included in the update 2975719.
Note: Windows Vista and Windows Server 2008 don’t support TLS v1.2!

To enable TLS v1.2 on Windows Vista and Windows Server 2008, the update 4019276 has to be installed.

Validation

Visit How’s my SSL?, SSL Client Test or SSL Cipher Suite Details of Your Browser with Internet Explorer after the reboot following the installation of the setup script.

Implementation

The setup scripts modify the Registry entries of the SChannel package documented in the MSKB article 245030, change the order of the TLS Cipher Suites in the following Registry entry and request a reboot to make the new cipher order effective:

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002]
"Functions"=multi:…

Caveat: Windows’ CBS may overwrite this Registry entry every time an update for the SChannel package is installed!
When this happens just rerun the setup script to undo the damage!

Additional Updates

For further improvements of hashing algorithms and protocols see the Security Advisories 2949927 and 2977292 or the MSKB articles 2949927 and 2977292 respectively.

Background Information

On April 8, 2014 Microsoft published the update 2929781 for Windows 8.1 and Windows Server 2012 R2 which enables ~~Perfect~~ Forward Secrecy per default by reordering the supported TLS Cipher Suites.

Despite numerous requests from its customers, for example Better support for Perfect forward secrecy, Microsoft has but not published corresponding updates for Windows 8, Windows Server 2012, Windows 7, Windows Server 2008 R2, Windows Vista and Windows Server 2008, although these versions of Windows NT support ~~Perfect~~ Forward Secrecy too.

Note: Windows’ IPsec implementation supports ~~Perfect~~ Forward Secrecy since many years; see the MSKB articles 252735, 301284 and 816514 as well as the TechNet article Key exchange methods.

Download

The setup scripts NT6_PFS.INF and NT60_PFS.INF are packaged in the (compressed and digitally signed) cabinet file SCHANNEL.CAB.

Installation

Installation requires administrative privileges and access rights, plus a reboot to apply the modified configuration.

Automatic online installation

When visited with Internet Explorer, this web page will prompt to install (the contents of) the package using Internet Component Download.

Manual offline installation

Download the package SCHANNEL.CAB and verify its digital signature, then open it in Windows Explorer, extract its contents, right-click the extracted setup script NT6_PFS.INF or NT60_PFS.INF respectively to display its context menu and click Install to run the installation.

Note: InfDefaultInstall.exe, the application registered for the Install verb of *.inf files, requests administrative privileges.

Update

The setup scripts support the update from any previous version: just install the current version!

Deinstallation

Deinstallation requires administrative privileges and access rights, plus a reboot to apply the modified configuration.

Open the Control Panel and click the entry View installed updates underneath the Programs and Features or Programs category.
In Installed Updates select the entry 'Perfect Forward Secrecy' für 'Windows Vista/2008' or 'Perfect Forward Secrecy' für 'Windows 7/2008 R2/8.x/2012 [R2]' respectively underneath Systemkonfiguration and click the Uninstall menu entry.

Contact and Feedback

If you miss anything here, have additions, comments, corrections, criticism or questions, want to give feedback, hints or tipps, report broken links, bugs, deficiencies, errors, inaccuracies, misrepresentations, omissions, shortcomings, vulnerabilities or weaknesses, …: don’t hesitate to contact me and feel free to ask, comment, criticise, flame, notify or report!

Use the X.509 certificate to send S/MIME encrypted mail.

Note: email in weird format and without a proper sender name is likely to be discarded!

I dislike HTML (and even weirder formats too) in email, I prefer to receive plain text.
I also expect to see your full (real) name as sender, not your nickname.
I abhor top posts and expect inline quotes in replies.

Terms and Conditions

By using this site, you signify your agreement to these terms and conditions. If you do not agree to these terms and conditions, do not use this site!

The software and the documentation on this site are provided as is without any warranty, neither express nor implied.
In no event will the author be held liable for any damage(s) arising from the use of the software or the documentation.
Permission is granted to use the current version of the software and the current version of the documentation solely for personal private and non-commercial purposes.
An individuals use of the software or the documentation in his or her capacity or function as an agent, (independent) contractor, employee, member or officer of a business, corporation or organisation (commercial or non-commercial) does not qualify as personal private and non-commercial purpose.
Without written approval from the author the software or the documentation must not be used for a business, for commercial, corporate, governmental, military or organisational purposes of any kind, or in a commercial, corporate, governmental, military or organisational environment of any kind.
Redistribution of the software and the documentation is allowed only in unmodified form of its current version and free of charge.

Data Protection Declaration

This web page records no (personal) data and stores no cookies in the web browser.

The web service is operated and provided by

Telekom Deutschland GmbH
Business Center
D-64306 Darmstadt
Germany
<‍hosting‍@‍telekom‍.‍de‍>
+49 800 5252033

The web service provider stores a session cookie in the web browser and records every visit of this web site with the following data in an access log on their server(s):

the (pseudonymised) IP address;
the date and time of the request;
the URL of the requested web page or file;
the Referer and User-Agent HTTP headers sent by the web browser;
the result (success or failure) of the request;
the amount of data received and sent.