Restrict cryptographic algorithms and protocols – Windows Server | Microsoft Docs

Sat, 05 Mar 2022 04:51:58 +0000harvestmoonfriends

This text describes the way to prohibit using sure cryptographic algorithms and protocols within the nftgamef.com file. This info additionally applies to unbiased software program vendor (ISV) functions which are written for the Microsoft Cryptographic API (CAPI).

Applies to: Home windows Server 2003 Authentic KB quantity: 245030

Abstract

The next cryptographic service suppliers (CSPs) which are included with Home windows NT 4.0 Service Pack 6 have been awarded the certificates for FIPS-140-1 crypto validation.

• Microsoft Base Cryptographic Supplier (Rsabase.dll)
• Microsoft Enhanced Cryptographic Supplier (Rsaenh.dll) (non-export model)

Microsoft TLS/SSL Safety Supplier, the nftgamef.com file, makes use of the CSPs which are listed right here to conduct safe communications over SSL or TLS in its assist for Web Explorer and Web Data Companies (IIS).

You may change the nftgamef.com file to assist Cipher Suite 1 and a couple of. Nonetheless, this system should additionally assist Cipher Suite 1 and a couple of. Cipher Suites 1 and a couple of will not be supported in IIS 4.0 and 5.0.

This text comprises the required info to configure the TLS/SSL Safety Supplier for Home windows NT 4.0 Service Pack 6 and later variations. You should utilize the Home windows registry to regulate using particular SSL 3.0 or TLS 1.0 cipher suites with respect to the cryptographic algorithms which are supported by the Base Cryptographic Supplier or the Enhanced Cryptographic Supplier.

Cipher suites

Each SSL 3.0 and TLS 1.0 (RFC2246) with INTERNET-DRAFT 56-bit Export Cipher Suites For TLS nftgamef.com present choices to make use of completely different cipher suites. Every cipher suite determines the important thing alternate, authentication, encryption, and MAC algorithms which are utilized in an SSL/TLS session. While you use RSA as each key alternate and authentication algorithms, the time period RSA seems just one time within the corresponding cipher suite definitions.

The Home windows NT 4.0 Service Pack 6 Microsoft TLS/SSL Safety Supplier helps the next SSL 3.0-defined CipherSuite whenever you use the Base Cryptographic Supplier or the Enhanced Cryptographic Supplier:

SSL 3.0 Cipher suite SSL_RSA_EXPORT_WITH_RC4_40_MD5 { 0x00,0x03 } SSL_RSA_WITH_RC4_128_MD5 { 0x00,0x04 } SSL_RSA_WITH_RC4_128_SHA { 0x00,0x05 } SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5 { 0x00,0x06 } SSL_RSA_WITH_DES_CBC_SHA { 0x00,0x09 } SSL_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A } SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA { 0x00,0x62 } SSL_RSA_EXPORT1024_WITH_RC4_56_SHA { 0x00,0x64 }

Home windows NT 4.0 Service Pack 6 Microsoft TLS/SSL Safety Supplier additionally helps the next TLS 1.0-defined CipherSuite whenever you use the Base Cryptographic Supplier or Enhanced Cryptographic Supplier:

TLS 1.0 Cipher suite TLS_RSA_EXPORT_WITH_RC4_40_MD5 { 0x00,0x03 } TLS_RSA_WITH_RC4_128_MD5 { 0x00,0x04 } TLS_RSA_WITH_RC4_128_SHA { 0x00,0x05 } TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 { 0x00,0x06 } TLS_RSA_WITH_DES_CBC_SHA { 0x00,0x09 } TLS_RSA_WITH_3DES_EDE_CBC_SHA { 0x00,0x0A } TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA { 0x00,0x62 } TLS_RSA_EXPORT1024_WITH_RC4_56_SHA { 0x00,0x64 }

Schannel-specific registry keys

SCHANNEL key

Begin Registry Editor (Regedt32.exe), after which find the next registry key: HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSecurityProvidersSCHANNEL

SCHANNELProtocols subkey

To allow the system to make use of the protocols that won’t be negotiated by default (comparable to TLS 1.1 and TLS 1.2), change the DWORD worth knowledge of the DisabledByDefault worth to 0x0 within the following registry keys underneath the Protocols key:

• SCHANNELProtocolsTLS 1.1Client
• SCHANNELProtocolsTLS 1.1Server
• SCHANNELProtocolsTLS 1.2Client
• SCHANNELProtocolsTLS 1.2Server

SCHANNELCiphers subkey

The Ciphers registry key underneath the SCHANNEL key’s used to regulate using symmetric algorithms comparable to DES and RC4. The next are legitimate registry keys underneath the Ciphers key.

Create the SCHANNEL Ciphers subkey within the format: SCHANNEL(VALUE)(VALUE/VALUE)

RC4 128/128

Ciphers subkey: SCHANNELCiphersRC4 128/128

This subkey refers to 128-bit RC4.

To permit this cipher algorithm, change the DWORD worth knowledge of the Enabled worth to 0xffffffff. Or, change the DWORD worth knowledge to 0x0. If you don’t configure the Enabled worth, the default is enabled. This registry key doesn’t apply to an exportable server that doesn’t have an SGC certificates.

Disabling this algorithm successfully disallows the next values:

• SSL_RSA_WITH_RC4_128_MD5
• SSL_RSA_WITH_RC4_128_SHA
• TLS_RSA_WITH_RC4_128_MD5
• TLS_RSA_WITH_RC4_128_SHA

Triple DES 168

Ciphers subkey: SCHANNELCiphersTriple DES 168

This registry key refers to 168-bit Triple DES as laid out in ANSI X9.52 and Draft FIPS 46-3. This registry key doesn’t apply to the export model.

To permit this cipher algorithm, change the DWORD worth knowledge of the Enabled worth to 0xffffffff. Or, change the DWORD knowledge to 0x0. If you don’t configure the Enabled worth, the default is enabled.

Disabling this algorithm successfully disallows the next values:

• SSL_RSA_WITH_3DES_EDE_CBC_SHA

• SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

• TLS_RSA_WITH_3DES_EDE_CBC_SHA

• TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA

RC2 128/128

Ciphers subkey: SCHANNELCiphersRC2 128/128

This registry key refers to 128-bit RC2. It doesn’t apply to the export model.

To permit this cipher algorithm, change the DWORD worth knowledge of the Enabled worth to 0xffffffff. In any other case, change the DWORD worth knowledge to 0x0. If you don’t configure the Enabled worth, the default is enabled.

RC4 64/128

Ciphers subkey: SCHANNELCiphersRC4 64/128

This registry key refers to 64-bit RC4. It doesn’t apply to the export model (however is utilized in Microsoft Cash).

To permit this cipher algorithm, change the DWORD worth knowledge of the Enabled worth to 0xffffffff. In any other case, change the DWORD worth knowledge to 0x0. If you don’t configure the Enabled worth, the default is enabled.

RC4 56/128

Ciphers subkey: SCHANNELCiphersRC4 56/128

This registry key refers to 56-bit RC4.

To permit this cipher algorithm, change the DWORD worth knowledge of the Enabled worth to 0xffffffff. In any other case, change the DWORD worth knowledge to 0x0. If you don’t configure the Enabled worth, the default is enabled.

Disabling this algorithm successfully disallows the next worth:

• TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

RC2 56/128

Ciphers subkey: SCHANNELCiphersRC2 56/128

This registry key refers to 56-bit RC2.

To permit this cipher algorithm, change the DWORD worth knowledge of the Enabled worth to 0xffffffff. In any other case, change the DWORD worth knowledge to 0x0. If you don’t configure the Enabled worth, the default is enabled.

DES 56

Ciphers subkey: SCHANNELCiphersDES 56/56

This registry key refers to 56-bit DES as laid out in FIPS 46-2. Its implementation within the nftgamef.com and nftgamef.com recordsdata is validated underneath the FIPS 140-1 Cryptographic Module Validation Program.

To permit this cipher algorithm, change the DWORD worth knowledge of the Enabled worth to 0xffffffff. In any other case, change the DWORD worth knowledge to 0x0. If you don’t configure the Enabled worth, the default is enabled.

Disabling this algorithm successfully disallows the next values:

• SSL_RSA_WITH_DES_CBC_SHA
• TLS_RSA_WITH_DES_CBC_SHA

RC4 40/128

Ciphers subkey: SCHANNELCiphersRC4 40/128

This registry key refers to 40-bit RC4.

To permit this cipher algorithm, change the DWORD worth knowledge of the Enabled worth to 0xffffffff. In any other case, change the DWORD worth knowledge to 0x0. If you don’t configure the Enabled worth, the default is enabled.

Disabling this algorithm successfully disallows the next values:

• SSL_RSA_EXPORT_WITH_RC4_40_MD5
• TLS_RSA_EXPORT_WITH_RC4_40_MD5

RC2 40/128

Ciphers subkey: SCHANNELCiphersRC2 40/128

This registry key refers to 40-bit RC2.

To permit this cipher algorithm, change the DWORD worth knowledge of the Enabled worth to 0xffffffff. In any other case, change the DWORD worth knowledge to 0x0. If you don’t configure the Enabled worth, the default is enabled.

Disabling this algorithm successfully disallows the next values:

• SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
• TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

NULL

Ciphers subkey: SCHANNELCiphersNULL

This registry key means no encryption. By default, it’s turned off.

To show off encryption (disallow all cipher algorithms), change the DWORD worth knowledge of the Enabled worth to 0xffffffff. In any other case, change the DWORD worth knowledge to 0x0.

Hashes

Ciphers subkey: SCHANNEL/Hashes

The Hashes registry key underneath the SCHANNEL key’s used to regulate using hashing algorithms comparable to SHA-1 and MD5. The next are legitimate registry keys underneath the Hashes key.

MD5

Ciphers subkey: SCHANNELHashesMD5

To permit this hashing algorithm, change the DWORD worth knowledge of the Enabled worth to the default worth 0xffffffff. In any other case, change the DWORD worth knowledge to 0x0.

Disabling this algorithm successfully disallows the next values:

• SSL_RSA_EXPORT_WITH_RC4_40_MD5
• SSL_RSA_WITH_RC4_128_MD5
• SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
• TLS_RSA_EXPORT_WITH_RC4_40_MD5
• TLS_RSA_WITH_RC4_128_MD5
• TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5

SHA

Ciphers subkey: SCHANNELHashesSHA

This registry key refers to Safe Hash Algorithm (SHA-1), as laid out in FIPS 180-1. Its implementation within the nftgamef.com and nftgamef.com recordsdata is validated underneath the FIPS 140-1 Cryptographic Module Validation Program.

To permit this hashing algorithm, change the DWORD worth knowledge of the Enabled worth to the default worth 0xffffffff. In any other case, change the DWORD worth knowledge to 0x0.

Disabling this algorithm successfully disallows the next values:

• SSL_RSA_WITH_RC4_128_SHA
• SSL_RSA_WITH_DES_CBC_SHA
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
• SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
• SSL_RSA_EXPORT1024_WITH_RC4_56_SHA
• TLS_RSA_WITH_RC4_128_SHA
• TLS_RSA_WITH_DES_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
• TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

KeyExchangeAlgorithms

Ciphers subkey: SCHANNEL/KeyExchangeAlgorithms

The KeyExchangeAlgorithms registry key underneath the SCHANNEL key’s used to regulate using key alternate algorithms comparable to RSA. The next are legitimate registry keys underneath the KeyExchangeAlgorithms key.

PKCS

Ciphers subkey: SCHANNELKeyExchangeAlgorithmsPKCS

This registry key refers back to the RSA as the important thing alternate and authentication algorithms.

To permit RSA, change the DWORD worth knowledge of the Enabled worth to the default worth 0xffffffff. In any other case, change the DWORD knowledge to 0x0.

Disabling RSA successfully disallows all RSA-based SSL and TLS cipher suites supported by the Home windows NT4 SP6 Microsoft TLS/SSL Safety Supplier.

FIPS 140-1 cipher suites

You could wish to use solely these SSL 3.0 or TLS 1.0 cipher suites that correspond to FIPS 46-3 or FIPS 46-2 and FIPS 180-1 algorithms offered by the Microsoft Base or Enhanced Cryptographic Supplier.

On this article, we confer with them as FIPS 140-1 cipher suites. Particularly, they’re as follows:

• SSL_RSA_WITH_DES_CBC_SHA
• SSL_RSA_WITH_3DES_EDE_CBC_SHA
• SSL_RSA_EXPORT1024_WITH_DES_CBC_SHA
• TLS_RSA_WITH_DES_CBC_SHA
• TLS_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

To make use of solely FIPS 140-1 cipher suites as outlined right here and supported by Home windows NT 4.0 Service Pack 6 Microsoft TLS/SSL Safety Supplier with the Base Cryptographic Supplier or the Enhanced Cryptographic Supplier, configure the DWORD worth knowledge of the Enabled worth within the following registry keys to 0x0:

• SCHANNELCiphersRC4 128/128
• SCHANNELCiphersRC2 128/128
• SCHANNELCiphersRC4 64/128
• SCHANNELCiphersRC4 56/128
• SCHANNELCiphersRC2 56/128
• SCHANNELCiphersRC4 40/128
• SCHANNELCiphersRC2 40/128
• SCHANNELCiphersNULL
• SCHANNELHashesMD5

And configure the DWORD worth knowledge of the Enabled worth within the following registry keys to 0xffffffff:

• SCHANNELCiphersDES 56/56
• SCHANNELCiphersTriple DES 168/168 (not relevant in export model)
• SCHANNELHashesSHA
• SCHANNELKeyExchangeAlgorithmsPKCS

Grasp secret computation by utilizing FIPS 140-1 cipher suites

The procedures for utilizing the FIPS 140-1 cipher suites in SSL 3.0 differ from the procedures for utilizing the FIPS 140-1 cipher suites in TLS 1.0.

In SSL 3.0, the next is the definition master_secret computation:

In TLS 1.0, the next is the definition master_secret computation:

the place:

Choosing the choice to make use of solely FIPS 140-1 cipher suites in TLS 1.0:

Due to this distinction, clients could wish to prohibit using SSL 3.0 although the allowed set of cipher suites is proscribed to solely the subset of FIPS 140-1 cipher suites. In that case, change the DWORD worth knowledge of the Enabled worth to 0x0 within the following registry keys underneath the Protocols key:

• SCHANNELProtocolsSSL 3.0Client
• SCHANNELProtocolsSSL 3.0Server

Examples of registry recordsdata

Two examples of registry file content material for configuration are offered on this part of the article. They’re nftgamef.com and nftgamef.com.

In a pc that’s working Home windows NT 4.0 Service Pack 6 with the exportable nftgamef.com and nftgamef.com recordsdata, run nftgamef.com to guarantee that solely TLS 1.0 FIPS cipher suites are utilized by the pc.

In a pc that’s working Home windows NT 4.0 Service Pack 6 that features the non-exportable nftgamef.com and nftgamef.com recordsdata, run nftgamef.com to guarantee that solely TLS 1.0 FIPS cipher suites are utilized by the pc.

For the nftgamef.com file to acknowledge any adjustments underneath the SCHANNEL registry key, you could restart the pc.

To return the registry settings to default, delete the SCHANNEL registry key and every part underneath it. If these registry keys will not be current, the nftgamef.com rebuilds the keys whenever you restart the pc.