aeris
/
cryptcheck
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
Browse Source

Readme

master
Aeris 4 years ago
parent
92424828e1
commit
51216b0f0f
1 changed files with 111 additions and 0 deletions
Split View Show Diff Stats
  1. 111
    0
      README.md

+ 111
- 0
README.md View File 

@@ -0,0 +1,111 @@
1 
+# Introduction
2 
+CryptCheck is a Ruby toolbox that help anybody to check for cryptography security
3 
+level and best practices compliance.
4 
+
5 
+CryptCheck is released under
6 
+[AGPLv3+](https://www.gnu.org/licenses/agpl-3.0.en.html) license.
7 
+
8 
+# Preliminary warning
9 
+**/!\ This tool use custom weak builds of OpenSSL library and OpenSSL Ruby extension /!\**.
10 
+
11 
+Those builds are cryptographically weaken to be able to test for (very) weak and
12 
+today totally deprecated ciphers.
13 
+
14 
+Don’t deploy it on production machine to avoid any security troubles, or use VM
15 
+to isolate them !
16 
+
17 
+# Setup
18 
+## Ruby
19 
+You need a fully operationnal Ruby stack.
20 
+Because of the warning above, don’t use your system Ruby.
21 
+
22 
+I recommend to use [RBEnv](https://github.com/sstephenson/rbenv) and it
23 
+[Ruby-build](https://github.com/sstephenson/ruby-build) plugin to build a new
24 
+ruby environment instead of your system one.
25 
+
26 
+Currently supported Ruby stack is v2.2.2.
27 
+
28 
+## OpenSSL library and Ruby extension
29 
+To be able to test for (very) weak ciphers and to have access to DH parameters,
30 
+CryptCheck need custom build of OpenSSL library and patched build of OpenSSL Ruby
31 
+extension.
32 
+
33 
+
34 
+Once you have cloned CryptCheck repository, just run `make` inside to
35 
+build the needed libraries.
36 
+
37 
+If `make` fails with the following error :
38 
+```
39 
+make: *** No rule to make target 'lib/libssl.so.1.0.0', needed by 'libs'.  Stop.
40 
+```
41 
+just run again `make` (if you understand this problem, contact me !).
42 
+
43 
+The built libraries (*libcrypto.so*, *libssl.so* and *openssl.so*) are located
44 
+under the *lib* directory.<br/>
45 
+CryptCheck use *LD_LIBRARY_PATH* and Ruby load path hack to inject those weaken
46 
+libraries instead of the system ones.
47 
+
48 
+## Ruby dependencies
49 
+CryptCheck relies on few Ruby libraries, managed with [Bundler](http://bundler.io/).
50 
+
51 
+To fetch and install them, just run `bundle install`.
52 
+
53 
+# Usage
54 
+Simply run the corresponding runner of what you want to test :
55 
+
56 
+ * HTTPS : ```bin/check_https example.org```
57 
+ * XMPP : ```bin/check_xmpp example.org```
58 
+ * SMTP : ```bin/check_smtp example.org```
59 
+
60 
+If you want more information of what is going on under the hood, run the command
61 
+with debug enabled, like ```bin/check_https example.org debug```
62 
+
63 
+## Understanding results
64 
+Rank goes from "A+" (perfect) to "F" (very weak).<br/>
65 
+"M" means your certificate and your hostname mismatch.<br/>
66 
+"T" means your certificate is not issued by a valid root certificate authority.
67 
+
68 
+Only a perfect setup gets a perfect score and a "A" rank :).<br/>
69 
+"A" score is based on [RFC 7525](https://tools.ietf.org/html/rfc7525) recommandations.
70 
+
71 
+ * Protocol
72 
+   * SSL (v2 and v3) are totally [deprecated](https://tools.ietf.org/html/rfc7568)
73 
+     now, because of very serious known vulnerabilities
74 
+     ([Poodle](https://www.openssl.org/~bodo/ssl-poodle.pdf)…).
75 
+     Using one of them cap your rank to "F".
76 
+   * TLSv1 and TLSv1.1 suffer of the
77 
+     [Poodle TLS](https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls)
78 
+     vulnerability.
79 
+   * TLSv1.2 is the only remaining protocol with no known vulnerabilities, so if
80 
+     you don’t support it, your rank is cap to "B".
81 
+ * Key size
82 
+   * If you use certificate key less than 2048 bits, your rank is cap to "B".
83 
+ * Ciphers
84 
+   * Very weak ciphers, including MD5 hash, anonymous DH parameters, NULL ciphers
85 
+     (yes, it exits…), export ciphers ([Freak](https://freakattack.com/)) or weak
86 
+     ciphers (RC4, DES…) cap your rank to "F".
87 
+   * 3DES is considered weak and must be avoided, using it cap your score to "C".
88 
+
89 
+ * Score
90 
+   * Protocol score is based on the **weakest** protocol you support :<br/>
91 
+     SSLv2 = 0, SSLv3 = 20, TLSv1 = 60, TLSv1.1 = 80, TLSv1.2 = 100.
92 
+   * Key score is based on your certificate key size :<br/>
93 
+     <512 = 10, <1024 = 20, <2048 = 50, <4096 = 90, ≥4096 = 100.
94 
+   * Cipher score is based on the **weakest** cipher you support :<br/>
95 
+     0 = 0, <112 = 10, <128 = 50, <256 = 90, ≥256 = 100.
96 
+   * Overall score is based on the other scores :<br/>
97 
+     overall = 0.3 * protocol + 0.3 * key + 0.4 * cipher
98 
+
99 
+ * Best practices
100 
+   * PFS : you gain this flag when you support **only**
101 
+     [perfect forward secrecy](https://en.wikipedia.org/wiki/Forward_secrecy)
102 
+     ciphers (DHE or ECDHE)
103 
+   * HSTS : you gain this flag when you protect yourself with
104 
+     [HTTP Strict Transport Security](https://tools.ietf.org/html/rfc6797).
105 
+   * Long HSTS : you gain this flag when you support HSTS with a duration of at
106 
+     least 6 monthes.
107 
+
108 
+ * Rank
109 
+   * Rank is based on your overall score and above caps :<br/>
110 
+     <20 = F, <35 = E, <50 = D, <65 = C, <80 = B, ≥80 = A.
111 
+   * If you get an "A" and you have all the best practices above, you get "A+".

Write Preview
Loading…
Cancel
Save