44r0n7/privacy.sexy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

win: add script to increase RSA key exchange #165

Browse Source 
Add script to increase RSA key exchange to 2048-bit for ISS

Co-authored-by: undergroundwires <git@undergroundwires.dev>
This commit is contained in:
Brice Dobson
2022-10-04 14:22:22 -04:00
committed by undergroundwires
parent c1c2f2925f
commit a2e092190d
1 changed files with 21 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/application/collections/windows.yaml
View File

@@ -2668,6 +2668,27 @@ actions:
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "ServerMinKeyBitLength" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "ServerMinKeyBitLength" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "ClientMinKeyBitLength" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "ClientMinKeyBitLength" /f
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "Enabled" /f reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman" /v "Enabled" /f
-
name: Increase RSA key exchange to 2048-bit
docs: |-
In 2012, Microsoft began transitioning minimum RSA key length across various applications from 1024 to 2048 bits.
1024-Bit key exchange algorithms are still supported in Windows despite being considered deprecated for some time.
NIST 800-131A Rev. 2 cites RSA Key Agreement and Key Transport schemes with len(n) < 2048 are disallowed. Generally,
RSA 2048-bit+ key exchange algorithms are widely supported. While supported cipher suites remain a roundabout way to
address supported key exchange algorithms, these can also be specified independently (although there are still constraints
based on negotiated cipher suite) and provide a supplemental baseline to enforce using strong cryptography.
This script works by creating the non-default key and value called PKCS at
`HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\` with a name of `ClientMinKeyBitLength`
and value of `0x00000800` (2048). The revert deletes the `ClientMinKeyBitLength` value.
See also:
- [Transport Layer Security (TLS) registry settings | learn.microsoft.com](https://learn.microsoft.com/en-us/windows-server/security/tls/tls-registry-settings#keyexchangealgorithm---client-rsa-key-sizes)
- [Pull request by bricedobson | undergroundwires/privacy.sexy | GitHub.com](https://github.com/undergroundwires/privacy.sexy/pull/165)
code: |-
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS" /f /v ClientMinKeyBitLength /t REG_DWORD /d 0x00000800
revertCode: |-
reg delete "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS" /v "ClientMinKeyBitLength" /f
- -
name: Disable RC2 cipher name: Disable RC2 cipher
code: |- code: |-