SSL certificates and Ciphers
Fundamentals of On-Prem WAF - Part 2
When you configure SSL/TLS for a service, it is important to know which cipher suites the server and the web application support. Which suites are available, and how strong they are, depends on the version of the TLS software the server runs and on the hardware, operating system and CPU architecture underneath it (hardware AES support, for example, makes AES-GCM far cheaper than it would otherwise be).
In this post, we will cover the important points about SSL certificates and ciphers, and give a step-by-step guide to adding SSL keys to Imperva On-Prem WAF. Before we dive in, let's take a closer look at what SSL certificates and ciphers are.
What is an SSL certificate?
SSL (Secure Sockets Layer), and its successor TLS (Transport Layer Security), is the protocol that protects data in transit between your website and its visitors. It encrypts the traffic so that nobody except the intended recipient can read it, and it authenticates the server so the visitor knows who they are talking to. Modern deployments use TLS; the name "SSL" survives mostly in product names and certificate terminology, and this post uses it in that sense.
An SSL certificate is built on a key pair, but the certificate itself holds only one half of it. The certificate contains the public key, the server's identity (its host names) and a signature from a certificate authority, and it is sent to every client that connects over HTTPS. The matching private key never leaves the server and must be kept secret: whoever holds it can impersonate the server and, when the handshake uses RSA key exchange, can also decrypt the session keys and therefore the traffic. With (EC)DHE key exchange the private key only signs the handshake and decrypts nothing, which matters for passive inspection, as the section on ciphers explains.
SSL certificates – Imperva On-Prem WAF
Customers whose traffic is encrypted need to upload the server's certificate (public key) and private SSL key to Imperva On-Prem WAF so that the gateway can decrypt the packets and analyze their content.
Once SSL keys have been uploaded to On-Prem WAF, it decrypts the packets, then inspects them for malicious or otherwise troublesome data.
If the data complies with the configured policies, it is forwarded to its destination.
If not, the packets are handled as the policy defines: the configured followed actions are taken and alerts are generated.
Adding SSL keys
To add SSL Keys:
- In the Main workspace, select Setup > Sites.
- In the Sites Tree, expand the relevant site and server group, then click on the service you want to configure.
- In the Sites window, click the Definitions tab.
- Under Encryption Support, click New.
- Type a meaningful Name for the SSL Key.
- Select the radio button that determines the format of your SSL keys, then configure their details.
Supported formats include PEM and PKCS12.
- Click Upload. The relevant key files are uploaded to the Imperva WAF gateway.
- Click Save.
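The upload steps above take the key material as given. The following script, added here as an example and not part of Imperva's documentation, shows how to prepare the two accepted formats (PEM and PKCS12) with the openssl command line and how to check them before they go anywhere near the gateway: that the private key really belongs to the certificate, that the certificate is not about to expire, and that the PKCS12 bundle contains the right key. The host name waf.example.test, the file names and the password changeit are placeholders, and the self-signed pair it generates is constructed test material; in production you upload the server's real certificate and private key.

```shell
#!/bin/sh
# Added example (not Imperva's code): prepare and sanity-check SSL key material
# before uploading it under Encryption Support. Needs the openssl CLI.
# Private keys are assumed to be unencrypted PEM; for an encrypted key openssl
# would prompt for its passphrase.
set -eu

# Return 0 if the certificate's public key equals the public half of the
# private key, 1 otherwise. Comparing public keys works for RSA and EC keys
# alike, unlike the classic RSA-only modulus comparison.
key_matches_cert() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate stays valid for at least $2 more seconds
# (uploading a certificate that is about to expire is a common mistake).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Bundle certificate $1 and key $2 into PKCS12 file $3 protected by password $4.
make_pkcs12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}

# Return 0 if the private key inside the PKCS12 bundle matches the certificate,
# i.e. the bundle is the one you think it is before it leaves your workstation.
pkcs12_matches_cert() {
    cert="$1"; p12="$2"; pass="$3"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    p12_pub=$(openssl pkcs12 -in "$p12" -nocerts -nodes -passin "pass:$pass" 2>/dev/null \
              | openssl pkey -pubout)
    [ "$cert_pub" = "$p12_pub" ]
}

# Constructed test material only: a self-signed RSA certificate and key
# written to $1.crt / $1.key, valid for $2 days. Real deployments use a
# CA-issued certificate instead.
make_selfsigned_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$2" \
        -subj "/CN=waf.example.test" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# Run a check, report it, and stop at the first failure.
check() {
    msg="$1"; shift
    if "$@"; then echo "ok: $msg"; else echo "FAIL: $msg" >&2; exit 1; fi
}

# Usage: sh prep_ssl_keys.sh demo
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    make_selfsigned_pair "$work/site" 30
    check "PEM key matches certificate" key_matches_cert "$work/site.crt" "$work/site.key"
    check "certificate valid for more than a day" cert_valid_for "$work/site.crt" 86400
    make_pkcs12 "$work/site.crt" "$work/site.key" "$work/site.p12" changeit
    check "PKCS12 bundle carries the matching key" pkcs12_matches_cert "$work/site.crt" "$work/site.p12" changeit
    rm -rf "$work"
fi
```

Run the match checks on the exact files you are about to upload; a key that belongs to a different certificate (a common slip after a renewal) will pass the gateway's upload step but leave it unable to decrypt a single session.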
What are Ciphers?
Ciphers are the encryption algorithms that protect the data flowing between the browser and the server. Strictly, what a TLS connection negotiates is a cipher suite: a key-exchange method, an authentication method, a bulk (symmetric) cipher and a MAC or AEAD mode, for example ECDHE-RSA-AES128-GCM-SHA256. The certificate does not contain or dictate the cipher; the client offers a list, the server picks one from its own configured list, and the negotiated suite decides how strong the encryption is.
The strength of a cipher depends on two things: key length and the algorithm itself.
Key length is measured in bits. Each extra bit doubles the number of possible keys, so a 128-bit key has 2^64 times as many keys as a 64-bit key, not twice as many; exhaustive search of a 128-bit symmetric key is out of reach, while 64-bit keys (and the 56-bit key of DES) are not. Keys are never transmitted over the connection, and symmetric key length has almost no effect on speed; it is the asymmetric key size (RSA 2048 versus 4096, say) that makes the handshake noticeably more expensive. Key length is only comparable within one algorithm: a 256-bit ECC key is not weaker than a 2048-bit RSA key.
The algorithm type refers to the mathematical construction used to encrypt the data. Many algorithms have been used in SSL/TLS over the years, but only some of them are still considered secure enough for today's Internet.
There are several types of ciphers available today:
Symmetric Key Algorithm (SKA) - the same key encrypts and decrypts, and in TLS these carry the bulk of the data. Examples are the Data Encryption Standard (DES), Triple DES (3DES), the Advanced Encryption Standard (AES), the International Data Encryption Algorithm (IDEA), Blowfish and Twofish. AES is by far the most common today because it is fast (hardware-accelerated on most CPUs) and has no practical attacks; DES and 3DES are obsolete and should no longer be offered, and IDEA, Blowfish and Twofish are not used in modern TLS deployments.
Asymmetric Key Algorithm (AKA) - a public/private key pair; in TLS these authenticate the server and agree on the session key rather than encrypt the data itself. The two families are RSA and Elliptic Curve Cryptography (ECC). ECC reaches the same security with much shorter keys (a 256-bit ECC key is roughly equivalent to a 3072-bit RSA key), which means smaller certificates and handshakes and, for key generation and signing, faster operations than RSA rather than slower; RSA's one speed advantage is cheap signature verification.
SSL Cipher – Imperva On-Prem WAF
Imperva On-Prem WAF supports a number of ciphers for decrypting and inspecting encrypted packets. The full list of supported ciphers is tabulated in the product documentation at docs.imperva.com.
For both SSL and TLS, the ephemeral Diffie-Hellman (DHE) ciphers are:
- Supported only in Reverse Proxy modes, not in bridge or sniffing deployment modes (this will be elaborated in the next posts in this series)
- Configured by default with 1024-bit Diffie-Hellman parameters, and can be set to 512-bit parameters. This is the size of the DH group, not of the symmetric encryption: 512-bit DH is breakable and should not be used, mainstream browsers reject DH parameters shorter than 1024 bits, and 2048-bit is the usual recommendation where the platform allows it.
DHE (and ECDHE) ciphers provide forward secrecy: the session key is derived from ephemeral Diffie-Hellman values that each side generates fresh for every connection, and the server's private key is used only to sign the handshake, never to decrypt anything. A device that holds the private key but merely watches the traffic therefore cannot recover the session key. That is why Imperva WAF in bridge or sniffing mode cannot decrypt a DHE stream for inspection: with RSA key exchange the private key unwraps the pre-master secret the client sent, with DHE there is nothing to unwrap. A reverse proxy does not have this problem because it terminates the TLS session itself and is a party to the key exchange.
If you need to configure SSL and TLS ciphers in Imperva On-Prem WAF, be sure you know the supported cipher technologies and configuration options. You can easily test whether a server accepts a given cipher with the OpenSSL command-line tool (openssl s_client with the -cipher option).
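The following script, added as an example and not part of Imperva's documentation, makes the distinction above concrete. It uses the openssl command line to report the key-exchange mechanism of a cipher suite name, to classify whether a device holding only the server's private key could decrypt a stream negotiated with that suite (the question a bridge or sniffing deployment has to answer), and to probe a live server for one specific suite. The cipher names and the host name in the demo are examples; the classification rule is the standard one (RSA key transport versus DHE/ECDHE) and is not Imperva's own code.

```shell
#!/bin/sh
# Added example (not Imperva's code). Needs the openssl CLI; the live probe
# additionally needs network access to the server being tested.
set -eu

# Print the key-exchange mechanism of one OpenSSL cipher name (e.g. RSA, DH,
# ECDH), as reported by 'openssl ciphers -v'. Return 1 for an unknown name.
cipher_kx() {
    line=$(openssl ciphers -v "$1" 2>/dev/null) || return 1
    kx=$(printf '%s\n' "$line" | awk -v n="$1" '
        $1 == n { for (i = 2; i <= NF; i++)
                      if ($i ~ /^Kx=/) { sub(/^Kx=/, "", $i); print $i; exit } }')
    [ -n "$kx" ] || return 1
    printf '%s\n' "$kx"
}

# Classify a cipher suite for passive (bridge/sniffing) decryption:
#   static    - RSA key transport: the server's private key alone unwraps the
#               pre-master secret, so an inspector with the key can decrypt.
#   ephemeral - DHE/ECDHE (or TLS 1.3, shown as Kx=any): the private key only
#               signs the handshake, so the stream cannot be decrypted passively.
#   unknown   - PSK, SRP and other mechanisms outside this discussion.
passive_decryptable() {
    kx=$(cipher_kx "$1") || return 2
    case "$kx" in
        RSA)          echo static ;;
        DH|ECDH|any)  echo ephemeral ;;
        *)            echo unknown ;;
    esac
}

# Probe host:port over TLS 1.2 for exactly one cipher suite. Return 0 if the
# server negotiated it, 1 if the handshake failed or another suite came back.
server_accepts_cipher() {
    host="$1"; port="$2"; cipher="$3"
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -tls1_2 -cipher "$cipher" </dev/null 2>/dev/null) || true
    printf '%s\n' "$out" | grep -q "Cipher is $cipher"
}

# Usage: sh cipher_check.sh demo [host]
if [ "${1:-}" = "demo" ]; then
    # Constructed sample list: one RSA-key-transport suite, one DHE, one ECDHE.
    for c in AES128-SHA DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256; do
        printf '%-32s Kx=%-5s %s\n' "$c" "$(cipher_kx "$c")" "$(passive_decryptable "$c")"
    done
    if [ -n "${2:-}" ]; then
        for c in AES128-SHA ECDHE-RSA-AES128-GCM-SHA256; do
            if server_accepts_cipher "$2" 443 "$c"; then
                echo "$2 accepts $c"
            else
                echo "$2 rejects $c"
            fi
        done
    fi
fi
```

Run the demo against a server that fronts an inspection device in bridge mode: every suite it accepts should classify as "static", otherwise sessions negotiated with the "ephemeral" ones pass the gateway uninspected. The probe deliberately pins TLS 1.2, because every TLS 1.3 suite is ephemeral by construction and the -cipher option does not apply to it.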
Encrypting data in transit keeps it out of the hands of attackers who would otherwise read or tamper with it. TLS encryption is now the norm rather than the exception, so inspecting encrypted traffic is something your company must plan for today. The Imperva On-Prem WAF can help protect against SQL injection, cross-site scripting, buffer overflows and input validation attacks.
Fundamentals of On-Premise WAF - Blog Series Pt1