Class: TLSmap::App::Cipher

Inherits:
Object
  • Object
show all
Defined in:
lib/tls_map/app/cipher/cipher.rb

Overview

Manipulate cipher suite information

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(type, value, opts = {}) ⇒ Cipher

Initialize TLSmap::App::Cipher instance

Examples:

# Offline TLS data + online extended data
ci = TLSmap::App::Cipher.new(:iana, 'TLS_DH_anon_WITH_RC4_128_MD5')
# Online TLS data + online extended data
tm = TLSmap::App.new
ci = TLSmap::App::Cipher.new(:iana, 'TLS_DH_anon_WITH_RC4_128_MD5', tls_map: tm.tls_map)
# Offline TLS data + online extended data but more efficient for batch requesting
tmext = TLSmap::App::Extended.new
tmext.enhance_all
ci = TLSmap::App::Cipher.new(:iana, 'TLS_DH_anon_WITH_RC4_128_MD5', enhanced_data: tmext.enhanced_data)
# Offline TLS data + offline extended data (better performance but may be outdated)
cliext = TLSmap::CLI::Extended.new
ci = TLSmap::App::Cipher.new(:iana, 'TLS_DH_anon_WITH_RC4_128_MD5', enhanced_data: cliext.enhanced_data)

Parameters:

Options Hash (opts):

  • :tls_map (Hash)

    mapping of all TLS cipher suites returned by TLSmap::App#tls_map. (better performance for batch usage)

  • :enhanced_data (Hash)

    enhanced information of all cipher suites returned by Extended#enhanced_data. (better performance for batch usage)



84
85
86
87
88
89
90
91
92
93
94
95
96
 
# File 'lib/tls_map/app/cipher/cipher.rb', line 84

def initialize(type, value, opts = {}) # rubocop:disable Metrics/MethodLength
  res = if opts[:tls_map].nil?
          TLSmap::CLI.new.search(type, value)
        else
          TLSmap::App.search(opts[:tls_map], type, value)
        end
  @codepoint = res[:codepoint]
  @iana = res[:iana]
  @openssl = res[:openssl]
  @gnutls = res[:gnutls]
  @nss = res[:nss]
  @extended = opts.dig(:enhanced_data, @iana)
end

Instance Attribute Details

#codepointString (readonly)

Get the hexadecimal codepoint of the cipher suite

Returns:

  • (String)

    Hexadecimal codepoint



13
14
15
 
# File 'lib/tls_map/app/cipher/cipher.rb', line 13

def codepoint
  @codepoint
end

#extendedHash (readonly)

Get extended information

Examples:

ci = TLSmap::App::Cipher.new(:iana, 'TLS_RSA_WITH_SEED_CBC_SHA')
ci.extended
# =>
# {"protocol_version"=>"TLS",
#  "kex_algorithm"=>"RSA",
#  "auth_algorithm"=>"RSA",
#  "enc_algorithm"=>"SEED CBC",
#  "hash_algorithm"=>"SHA",
#  "security"=>"weak",
#  "tls_version"=>["TLS1.0", "TLS1.1", "TLS1.2"],
#  "vulns"=>
#   [{:severity=>1, :description=>"This key exchange algorithm does not support Perfect Forward Secrecy (PFS)
#   which is recommended, so attackers cannot decrypt the complete communication stream."},
#    {:severity=>1,
#     :description=>
#      "In 2013, researchers demonstrated a timing attack against several TLS implementations using the CBC
#      encryption algorithm (see [isg.rhul.ac.uk](http://www.isg.rhul.ac.uk/tls/Lucky13.html)). Additionally,
#      the CBC mode is vulnerable to plain-text attacks in TLS 1.0, SSL 3.0 and lower. A fix has been
#      introduced with TLS 1.2 in form of the GCM mode which is not vulnerable to the BEAST attack. GCM should
#      be preferred over CBC."},
#    {:severity=>1, :description=>"The Secure Hash Algorithm 1 has been proven to be insecure as of 2017 (see
#      [shattered.io](https://shattered.io))."}],
#  "url"=>"https://ciphersuite.info/cs/TLS_RSA_WITH_SEED_CBC_SHA/"}

Returns:

  • (Hash) 


58
59
60
61
 
# File 'lib/tls_map/app/cipher/cipher.rb', line 58

def extended
  fetch_extended
  @extended
end

#gnutlsString (readonly)

Get the GnuTLS name of the cipher suite

Returns:

  • (String)

    GnuTLS name



25
26
27
 
# File 'lib/tls_map/app/cipher/cipher.rb', line 25

def gnutls
  @gnutls
end

#ianaString (readonly)

Get the IANA name of the cipher suite

Returns:

  • (String)

    IANA name



17
18
19
 
# File 'lib/tls_map/app/cipher/cipher.rb', line 17

def iana
  @iana
end

#nssString (readonly)

Get the NSS name of the cipher suite

Returns:

  • (String)

    NSS name



29
30
31
 
# File 'lib/tls_map/app/cipher/cipher.rb', line 29

def nss
  @nss
end

#opensslString (readonly)

Get the OpenSSL name of the cipher suite

Returns:

  • (String)

    OpenSSL name



21
22
23
 
# File 'lib/tls_map/app/cipher/cipher.rb', line 21

def openssl
  @openssl
end

Instance Method Details

#insecure?Boolean

Is the security level defined to insecure?

Returns:

  • (Boolean) 


115
116
117
118
 
# File 'lib/tls_map/app/cipher/cipher.rb', line 115

def insecure?
  fetch_extended
  @extended['security'] == 'insecure'
end

#recommended?Boolean

Is the security level defined to recommended?

Returns:

  • (Boolean) 


129
130
131
132
 
# File 'lib/tls_map/app/cipher/cipher.rb', line 129

def recommended?
  fetch_extended
  @extended['security'] == 'recommended'
end

#secure?Boolean

Is the security level defined to secure?

Returns:

  • (Boolean) 


122
123
124
125
 
# File 'lib/tls_map/app/cipher/cipher.rb', line 122

def secure?
  fetch_extended
  @extended['security'] == 'secure'
end

#should_i_use?Boolean

Is the security level defined to secure or recommended? It will return false for weak and insecure cipher suites.

Returns:

  • (Boolean) 


137
138
139
 
# File 'lib/tls_map/app/cipher/cipher.rb', line 137

def should_i_use?
  recommended? || secure?
end

#vulnerable?Boolean

Is the cipher suite vulnerable?

Returns:

  • (Boolean)

    true if one (or more) vulnerability is declared



143
144
145
146
 
# File 'lib/tls_map/app/cipher/cipher.rb', line 143

def vulnerable?
  fetch_extended
  !@extended['vulns'].empty?
end

#weak?Boolean

Is the security level defined to weak?

Returns:

  • (Boolean) 


108
109
110
111
 
# File 'lib/tls_map/app/cipher/cipher.rb', line 108

def weak?
  fetch_extended
  @extended['security'] == 'weak'
end