During a routine audit a web server is flagged for allowing the use of weak ciphers. Which of the following should be disabled to mitigate this risk? (Select TWO).
A. SSL 1.0
B. RC4
C. SSL 3.0
D. AES
E. DES
F. TLS 1.0
Explanation:
TLS 1.0 and SSL 1.0 both have known vulnerabilities and have been replaced by later versions. Any system still running these protocol versions should have them disabled.
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communications security over a computer network. They use X.509 certificates, and hence asymmetric cryptography, to authenticate the counterparty with whom they are communicating and to exchange a symmetric key. This session key is then used to encrypt the data flowing between the parties. This provides data/message confidentiality, message authentication codes for message integrity and, as a by-product, message authentication.
Netscape developed the original SSL protocol. Version 1.0 was never publicly released because of serious security flaws in the protocol; version 2.0, released in February 1995, “contained a number of security flaws which ultimately led to the design of SSL version 3.0”. TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL version 3.0. As stated in the RFC, “the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to preclude interoperability between TLS 1.0 and SSL 3.0”. TLS 1.0 does include a means by which a TLS implementation can downgrade the connection to SSL 3.0, thus weakening security.
TLS 1.1 and then TLS 1.2 were created to replace TLS 1.0.
Incorrect Answers:
B: In cryptography, RC4 is the most widely used software stream cipher and is used in popular Internet protocols such as Transport Layer Security (TLS). Whilst some argue that RC4 does have a weakness, it is still commonly used today. SSL 1.0 and TLS 1.0 are considered the weaker options here. Therefore, this answer is incorrect.
C: Although TLS 1.2 was created to replace SSL 3.0, SSL 3.0 is still commonly used today. SSL 1.0 and TLS 1.0 are considered the weaker options here. Therefore, this answer is incorrect.
D: AES (Advanced Encryption Standard) has been adopted by the U.S. government and is now used worldwide. It supersedes the Data Encryption Standard (DES), which was published in 1977. The algorithm described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and decrypting the data. AES is not considered to be a weak cipher. Therefore, this answer is incorrect.
E: In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block. Although DES has been superseded by 3DES and AES, DES is still used today. SSL 1.0 and TLS 1.0 are considered the weaker options here. Therefore, this answer is incorrect.
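As an added illustration (not part of the original explanation), the Python script below shows the two halves of the remediation an auditor would look for: a check that flags the weak entries in a web server's configured protocol and cipher lists, and an `ssl.SSLContext` built so that those entries can no longer be negotiated. Its checklist is deliberately broader than the exam's two answers: it also flags SSL 2.0/3.0, RC4 and DES, which the explanation above describes as flawed or superseded, and it sets TLS 1.2 as the floor, an assumption of current practice rather than something the question states.

```python
import ssl

# Protocol versions and cipher-name markers treated as weak in this example.
# Constructed for the illustration: SSL 1.0/TLS 1.0 are the exam's answers,
# the rest are items the explanation above describes as flawed or superseded.
WEAK_PROTOCOLS = {"SSLv1", "SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5")


def audit_config(protocols, ciphers):
    """Return (protocols, ciphers) from the server config that should be disabled.

    Inputs are plain name lists, as pulled from e.g. nginx's ssl_protocols and
    ssl_ciphers directives or from a scanner's report of offered suites.
    """
    bad_protocols = {p for p in protocols if p in WEAK_PROTOCOLS}
    bad_ciphers = {c for c in ciphers
                   if any(m in c.upper() for m in WEAK_CIPHER_MARKERS)}
    return bad_protocols, bad_ciphers


def hardened_context():
    """Server-side SSLContext on which the flagged items cannot be negotiated.

    TLS 1.2 is the floor (every SSL version and TLS 1.0/1.1 are refused at the
    handshake, so the TLS 1.0 -> SSL 3.0 downgrade path is closed) and the
    OpenSSL cipher string removes RC4, single DES, 3DES, MD5 and
    unauthenticated suites.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!RC4:!DES:!3DES:!MD5")
    return ctx


def leftover_weak_ciphers(ctx):
    """Cross-check a context: names of weak suites it would still offer."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"].upper() for m in WEAK_CIPHER_MARKERS)]


if __name__ == "__main__":
    # Constructed sample of what an audit might pull from a server config.
    prots, ciphs = audit_config(["SSLv3", "TLSv1", "TLSv1.2"],
                                ["RC4-SHA", "DES-CBC-SHA", "AES128-GCM-SHA256"])
    print("disable protocols:", sorted(prots))  # ['SSLv3', 'TLSv1']
    print("disable ciphers:", sorted(ciphs))    # ['DES-CBC-SHA', 'RC4-SHA']
    print("weak suites left:", leftover_weak_ciphers(hardened_context()))  # []
```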
http://en.wikipedia.org/wiki/Transport_Layer_Security
http://en.wikipedia.org/wiki/Triple_DES