Tim Glen
Cisco Employee

Purpose

This document will help users understand how to configure a firewall that runs ASA code to use Elliptic Curve certificates and Elliptic Curve cipher suites. Elliptic curve ciphers use much shorter key lengths than the RSA keys we have traditionally used: an elliptic curve key with a short key length provides similar strength to an RSA key of a much longer length, as the table below shows.

Symmetric key length (bits)   RSA key length (bits)   ECC key length (bits)
80                            1024                    160
112                           2048                    224
128                           3072                    256
192                           7680                    284
256                           15360                   521


Because the ECC keys are shorter, the CPU time needed to work with them is lower than for the larger RSA keys, which reduces CPU usage and in turn power consumption.

RSA public key algorithms are not considered legacy as of yet, but it is likely that they will be within the next several years. In practice, RSA key pairs become less efficient each year as computing power increases. Elliptic curve cryptography is a newer approach to public-key cryptography. Elliptic curves are very efficient and offer the same level of security over much shorter prime fields, so the performance of ECC is significantly better than that of RSA public-key cryptography. ECC is considered Next Generation Encryption by the US National Security Agency.

 

Support

  1. In ASA OS 9.17(1), the ASA removed support for Clientless SSL VPN.
  2. In ASA OS 9.13(1), the ASA deprecated support for Diffie Hellman Groups 2, 5 and 24 as these are considered insecure. This version also made Diffie Hellman Group 14 the default for SSL.
  3. In ASA OS 9.12(1), the ASA stopped supporting Diffie Hellman Group 1 for SSL, IKEv1, IKEv2 & IPSec. This version also removed the TLSv1 cipher NULL-SHA.
  4. In ASA OS 9.10(1), released around Oct 2019, the ASA started supporting DTLS v1.2 and new cipher suites. This version also removed some DTLS cipher suites when the ASA is configured in FIPS mode and the appliance is an FPR2100.
  5. In ASA OS 9.4(1), released March 22, 2015, the ASA started supporting several new cipher suites.
  6. In ASA OS 9.3(2), released December 18, 2014, the ASA started supporting Transport Layer Security version 1.2.
  7. In ASA OS 9.0(1), released on October 29, 2012, the ASA started supporting using ECDSA key pairs for generating certificates.
  8. AnyConnect v4.x with an Apex or Plus license is required.

Both 9.4(1) and 9.3(2) require a Next Generation ASA. They will not run on older ASA models such as the ASA 5505, 5510, 5520 or 5540.

Ensure you do not have anyconnect-essentials configured under webvpn. The AnyConnect Essentials license does not support these ciphers and is not in use when the Apex or Plus AnyConnect 4 license is installed.

 

Understanding Cipher Suites

 

You can view all the SSL cipher suites that the ASA supports by typing

show ssl ciphers

Each cipher suite has several parts: a key exchange and establishment algorithm, a bulk encryption algorithm, a message authentication code algorithm and a pseudorandom function.

 

Let’s look at this cipher suite as an example.

ECDHE-ECDSA-AES256-GCM-SHA384

In the cipher suite listed above:

The key exchange algorithm is ECDHE-ECDSA.

The bulk encryption algorithm is AES256-GCM.

The message authentication code is SHA384.

 

ECDHE is an asymmetric algorithm used for key establishment.

ECDSA is an asymmetric algorithm used for digital signatures.

AES256-GCM is a symmetric block or bulk cipher used to protect the "data".

SHA384 is a hash function used to assure the data’s integrity by the receiving party.

 

The ASA supports lots of other cipher suites and we will not discuss those here.

 

Configuring

There are several things we need to do here:

  1. Create an ECDSA key pair on the ASA.
  2. Create a CSR and submit it to a 3rd party certificate provider.
  3. Install the certificate we receive from the 3rd party provider.
  4. Configure the ASA to only support elliptic curve ciphers.

Steps 1 & 2.

Creating a SHA-2 CSR using ECDHE

See this other document I wrote for this procedure.

https://supportforums.cisco.com/document/12929911/creating-sha-2-certificate-signing-request-using-ecdhe

 

Step 3.

Install the Identity Certificate and Intermediate Certificate you receive from the 3rd party provider.

Authenticate the CA

crypto ca authenticate my-trustpoint.lab-asa.xxxx.com

Install the Identity Certificate

crypto ca import my-trustpoint.lab-asa.xxxx.com

Step 4.

I chose to only support TLSv1.2. I did this because all modern OSes and browsers support TLSv1.2. I also chose to only support elliptic curve cipher suites, since all modern OSes and browsers support elliptic curve ciphers. If you need to provide support to Windows XP or Mac OS X 10.5 or earlier you cannot exclusively use elliptic curve ciphers.

Force the minimum version of TLS to be 1.2

ssl server-version tlsv1.2

Force TLSv1.2 to only support elliptic curve cipher suites

ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256"

Force strong Diffie Hellman key exchange (note from the Support section above that ASA 9.13(1) deprecated Diffie Hellman Group 24 and made Group 14 the default for SSL, so choose the dh-group accordingly on those releases)

ssl dh-group group24
ssl ecdh-group group20
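To make the cipher-suite decomposition in "Understanding Cipher Suites" and the Step 4 custom list concrete, here is an added Python example (not from this document or from Cisco). It splits OpenSSL-style suite names into the parts the document describes, maps them to the IANA TLS_* names that scanners such as SSL Labs report, and flags any suite in an ASA custom list that is not ECDHE-ECDSA or is not an AEAD (GCM) suite; only the suite names come from the document, while the parser, the IANA mapping and the policy check are this example's own assumptions.

```python
"""Decompose OpenSSL-style cipher-suite names and audit an ASA custom cipher list.
Added example, not from the original document or from Cisco: only the suite
names quoted there are the document's; the parser, the IANA mapping and the
EC-only policy check are this example's own assumptions."""
KX = {"ECDHE", "DHE", "ECDH", "DH", "PSK"}
AUTH = {"ECDSA", "RSA", "DSS"}
AEAD_MODES = {"GCM", "CCM", "CCM8", "POLY1305"}
HASHES = {"SHA384", "SHA256", "SHA", "MD5"}

# The custom list from Step 4 of the document.
ASA_CUSTOM_LIST = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
                   "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256")


def parse_suite(name):
    """Split a suite name into key exchange, authentication, bulk cipher, mode, hash.
    OpenSSL conventions assumed: no key-exchange/auth token means plain RSA, no
    mode token means CBC, and an AEAD suite with no hash token uses SHA256."""
    parts = name.split("-")
    hash_ = parts.pop() if parts[-1] in HASHES else "SHA256"
    mode = parts.pop() if parts[-1] in AEAD_MODES else "CBC"
    kx = parts.pop(0) if parts[0] in KX else "RSA"
    auth = parts.pop(0) if parts and parts[0] in AUTH else "RSA"
    return {"kx": kx, "auth": auth, "bulk": "-".join(parts), "mode": mode,
            "hash": hash_, "aead": mode in AEAD_MODES}


def iana_name(name):
    """Map an OpenSSL name to the IANA TLS_* name that scanners like SSL Labs report
    (AES and CHACHA20 suites only)."""
    p = parse_suite(name)
    prefix = "RSA" if p["kx"] == p["auth"] == "RSA" else f"{p['kx']}_{p['auth']}"
    bulk = p["bulk"].replace("AES", "AES_")           # AES256 -> AES_256
    if p["bulk"].startswith("AES") or p["aead"]:      # CBC is spelled out for AES
        bulk += "_" + p["mode"]
    return f"TLS_{prefix}_WITH_{bulk}_{p['hash']}"


def audit_asa_cipher_list(custom):
    """Return (suite, finding) pairs for suites outside the EC-only policy or without AEAD."""
    findings = []
    for suite in custom.split(":"):
        p = parse_suite(suite)
        if p["kx"] != "ECDHE" or p["auth"] != "ECDSA":
            findings.append((suite, "not ECDHE/ECDSA: outside the EC-only policy"))
        elif not p["aead"]:
            findings.append((suite, "CBC mode: no AEAD, weaker than the GCM suites"))
    return findings
```

Running audit_asa_cipher_list(ASA_CUSTOM_LIST) reports the two CBC suites in the Step 4 list, which is worth knowing when you read an SSL Labs result for the ASA.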

Conclusion

At this point, it is my feeling that the ASA is configured to use the strongest key exchange and encryption that is possible.

You can test this by going to an SSL testing website like Qualys SSL Labs and testing your site. At the time of this writing (March 2016) my ASA is receiving an A- grade score with the above settings.


 


Please help me make this document better. Please comment! Please rate. Thank you.

Comments
mokalam
Cisco Employee

Does AnyConnect (SSL) support "ssl ecdh-group group21"?

Anyconnect running 4.7 and ASA 9.9(1).

 

Thanks!
