Ladies and Gentlemen! Gamers and Cryptoheads! Have you ever wondered which major gaming console has the best message encryption? Well, I’m going to reveal the clear winner in my own recent personal test.
This is a follow-up to one of my more popular SecurityWeek articles, “Paris Attacks: What Kind of Encryption Does the PlayStation 4 Use, Anyway?” If you recall, in the hours after the 2015 Paris attacks, there was a rumor that the terrorists were using PlayStations to communicate with each other. That turned out to be fake news (they were just using burner phones) but the rumor intrigued me. I sniffed my PS4 message traffic, analyzed it, and ultimately concluded the PS4 had not terrible consumer grade encryption. Sony has improved their message security since then, but by how much?
For the encryption smackdown, my colleague, Benjamin Guité, has all the modern consoles. He hooked both his PS4 and his Xbox One into a managed switch and tapped the message traffic between each console and its messaging server. The PS4 appears to use an AWS-hosted messaging server, usntl.np.community.playstation.net, and the Xbox appears to use messenger.live.com as its server (which one would assume is hosted in Azure).
TLS Protocol Preference: Same
In 2015, the PS4 message servers preferred TLS 1.0 instead of the newer TLS 1.2 protocol. Today, both PlayStation and Xbox One consoles connect to their cloud-based messaging servers using TLS 1.2, as you’d expect.
Forward Secrecy Winner: Xbox One
Forward secrecy is the property that compromising a server's long-term private key does not expose past sessions. The session keys come from an ephemeral key exchange rather than from anything encrypted to the server's certificate, so a third party who recorded the traffic and later obtains the server's private key still cannot decrypt the ciphertext.
Forward secrecy has enjoyed massive popularity in the crypto community over the last three years, and it is required in the forthcoming TLS 1.3 protocol, which drops static RSA key exchange entirely. In TLS 1.2 it is signaled by an ephemeral Diffie-Hellman key exchange: in a Wireshark capture, the negotiated cipher suite will carry DHE or ECDHE in its name, whereas a suite that starts with TLS_RSA_WITH uses static RSA key exchange and offers no forward secrecy at all.
Symmetric Key Winner: Xbox One
The PlayStation 4 system elects the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256: static RSA key exchange, 128-bit AES in CBC mode, and SHA-256 as the record HMAC and the handshake PRF. There's nothing really wrong with 128-bit AES or SHA-256, but the Xbox goes an extra step, using 256-bit AES and SHA-384. Most of the Internet has moved on from CBC suites to the faster authenticated-encryption suites based on Galois/Counter Mode (GCM), which also do away with the MAC-then-encrypt padding that CBC suites depend on, and one would expect the consoles to do the same in the future.
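To make the forward-secrecy and symmetric-key comparisons above mechanical, here is a small classifier for IANA-style TLS 1.2 cipher suite names. It is an added example written for this column, not code from the original article or from either console vendor. The PS4 suite is the one reported above; the Xbox suite name used in the demo is an assumption chosen to match the description (ECDHE, AES-256, SHA-384), since the column does not print the exact suite name.

```python
"""Classify TLS 1.2 cipher suites by the properties the article scores.

Added example (not code from the original column): parse IANA-style suite
names such as TLS_RSA_WITH_AES_128_CBC_SHA256 and report key exchange,
forward secrecy, symmetric key length, mode of operation and MAC/PRF hash.
"""
import re
from dataclasses import dataclass

# kx = key exchange/authentication, cipher = bulk cipher + mode, hash = MAC/PRF.
# Handles the common names that end in a hash suffix (SHA, SHA256, SHA384, MD5).
_SUITE = re.compile(
    r"^TLS_(?P<kx>[A-Z0-9_]+?)_WITH_(?P<cipher>[A-Z0-9_]+?)_(?P<hash>SHA\d*|MD5)$"
)
_HASH_BITS = {"MD5": 128, "SHA": 160, "SHA256": 256, "SHA384": 384, "SHA512": 512}


@dataclass(frozen=True)
class SuiteInfo:
    name: str
    key_exchange: str   # "RSA" (static), "ECDHE_RSA", "DHE_RSA", ...
    forward_secrecy: bool
    cipher: str         # "AES_128_CBC", "AES_256_GCM", ...
    key_bits: int       # symmetric key strength; -1 if unknown
    mode: str           # "CBC", "AEAD", "NULL" or "other"
    hash_name: str      # "SHA" means SHA-1


def parse_suite(name: str) -> SuiteInfo:
    m = _SUITE.match(name)
    if not m:
        raise ValueError(f"not a TLS 1.2-style suite name: {name}")
    kx, cipher, hash_name = m.group("kx", "cipher", "hash")
    # Only ephemeral (EC)DH gives forward secrecy; plain RSA or static DH does not.
    forward_secrecy = kx.startswith(("DHE_", "ECDHE_"))
    aes = re.match(r"AES_(\d+)_", cipher)
    if aes:
        key_bits = int(aes.group(1))
    elif cipher.startswith("CHACHA20"):
        key_bits = 256
    elif cipher.startswith("3DES"):
        key_bits = 112          # effective strength of three-key 3DES
    elif cipher == "NULL":
        key_bits = 0
    else:
        key_bits = -1
    if any(tag in cipher for tag in ("GCM", "CCM", "POLY1305")):
        mode = "AEAD"
    elif cipher.endswith("_CBC"):
        mode = "CBC"
    elif cipher == "NULL":
        mode = "NULL"
    else:
        mode = "other"
    return SuiteInfo(name, kx, forward_secrecy, cipher, key_bits, mode, hash_name)


def weaknesses(info: SuiteInfo) -> list:
    """Things a reviewer would flag about a negotiated suite."""
    issues = []
    if not info.forward_secrecy:
        issues.append("no forward secrecy: recorded sessions fall with the server's private key")
    if info.mode == "CBC":
        issues.append("CBC (MAC-then-encrypt): padding-oracle exposure, prefer an AEAD/GCM suite")
    elif info.mode == "NULL":
        issues.append("NULL cipher: no confidentiality at all")
    if 0 < info.key_bits < 128:
        issues.append(f"only {info.key_bits}-bit symmetric strength")
    if info.hash_name in ("SHA", "MD5"):
        issues.append(f"legacy {'SHA-1' if info.hash_name == 'SHA' else 'MD5'} MAC/PRF")
    return issues


def scorecard(a: SuiteInfo, b: SuiteInfo) -> dict:
    """Per-criterion winner (suite name or 'tie'), mirroring the article's headings."""
    def pick(score_a, score_b):
        if score_a == score_b:
            return "tie"
        return a.name if score_a > score_b else b.name
    mode_rank = {"NULL": 0, "other": 1, "CBC": 2, "AEAD": 3}
    return {
        "forward secrecy": pick(a.forward_secrecy, b.forward_secrecy),
        "symmetric key": pick(a.key_bits, b.key_bits),
        "cipher mode": pick(mode_rank[a.mode], mode_rank[b.mode]),
        "mac/prf hash": pick(_HASH_BITS.get(a.hash_name, 0), _HASH_BITS.get(b.hash_name, 0)),
    }


if __name__ == "__main__":
    # Constructed inputs: the PS4 suite is the one the column reports; the
    # Xbox suite name is an assumption consistent with "ECDHE, AES-256, SHA-384".
    ps4 = parse_suite("TLS_RSA_WITH_AES_128_CBC_SHA256")
    xbox = parse_suite("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384")
    for suite in (ps4, xbox):
        print(suite.name, weaknesses(suite))
    print(scorecard(ps4, xbox))
```

Run against the two suites, the scorecard hands forward secrecy and symmetric key to the Xbox suite and calls the cipher mode a tie, because both are still CBC; only a GCM or ChaCha20-Poly1305 suite clears the weaknesses list entirely.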
Certificate Winner: Xbox One
In 2015, PlayStation messaging servers were still using certificates with a SHA-1 signature. That's a no-no today, and it's good to see that Sony has upgraded since then. Their latest certificate has a SHA-2 family signature, just like Microsoft's messaging server.
However, the Xbox messaging server supports OCSP stapling, in which the server includes a recent, CA-signed OCSP response for its own certificate in the TLS handshake, so the client gets revocation status without opening a separate connection to the CA's OCSP responder. Whether or not the console actually uses that information is beyond me, but the fact that the server supports it is a huge plus. So, the winner for certificate support is Microsoft.
SSL Server Score Winner: Xbox One
The Qualys SSL Labs server test gives out letter grades indicating the relative security posture for SSL/TLS servers. The Sony servers, unfortunately, get a failing grade due to their vulnerability to a CBC padding oracle attack, CVE-2016-2107, the OpenSSL bug in the AES-NI CBC MAC check (fixed in OpenSSL 1.0.2h and 1.0.1t) that lets an attacker distinguish a padding failure from a MAC failure and decrypt traffic byte by byte.
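The following added example shows why a padding oracle turns a CBC suite into a decryption service. It is constructed for this column and is not code from the original article, nor a reproduction of the OpenSSL CVE-2016-2107 bug; it demonstrates the generic attack class (Vaudenay's padding-oracle attack) against a local oracle. The block cipher is an assumed toy Feistel construction keyed with HMAC-SHA256 so the script runs offline; the attack never touches the key and works the same way against AES-CBC.

```python
"""CBC padding-oracle attack against a local toy oracle.

Added example, not part of the original column. The block cipher is a
constructed 128-bit Feistel toy (HMAC-SHA256 round function) used only so
this runs offline; the attack itself is cipher-agnostic and recovers the
plaintext from nothing but 'padding valid / invalid' answers.
"""
import hashlib
import hmac

BLOCK = 16
ROUNDS = 4


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed PRF of (round number, half block), truncated to one 8-byte half.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy Feistel block cipher (constructed for this example)."""
    left, right = block[:8], block[8:]
    for i in range(ROUNDS):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for i in reversed(range(ROUNDS)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    padded = pkcs7_pad(plaintext)
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return iv + b"".join(out)          # IV is transmitted as the first block


def cbc_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    plain = b"".join(_xor(block_decrypt(key, c), p) for p, c in zip(blocks, blocks[1:]))
    return pkcs7_unpad(plain)


class PaddingOracle:
    """Models a server that leaks only whether the padding was valid.
    That one bit is the whole vulnerability; the attacker never sees the key."""

    def __init__(self, key: bytes):
        self._key = key
        self.queries = 0

    def __call__(self, ciphertext: bytes) -> bool:
        self.queries += 1
        try:
            cbc_decrypt(self._key, ciphertext)
            return True
        except ValueError:
            return False


def recover_plaintext(oracle, ciphertext: bytes) -> bytes:
    """Recover the plaintext block by block, about 128 oracle queries per byte."""
    blocks = [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    recovered = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)           # D_k(cur), learned from the last byte backwards
        for pos in range(BLOCK - 1, -1, -1):
            pad = BLOCK - pos               # padding value we are forcing this round
            forged = bytearray(BLOCK)
            for k in range(pos + 1, BLOCK):
                forged[k] = inter[k] ^ pad  # already-known bytes set to decrypt as `pad`
            for guess in range(256):
                forged[pos] = guess
                if not oracle(bytes(forged) + cur):
                    continue
                if pos == BLOCK - 1:
                    # Rule out a false hit where the tail happens to read as a
                    # longer valid padding (e.g. 0x02 0x02): perturb the byte
                    # before it and make sure the padding is still accepted.
                    forged[pos - 1] ^= 0xFF
                    still_valid = oracle(bytes(forged) + cur)
                    forged[pos - 1] ^= 0xFF
                    if not still_valid:
                        continue
                inter[pos] = guess ^ pad
                break
            else:
                raise RuntimeError("oracle accepted no guess; not a padding oracle?")
        recovered += _xor(bytes(inter), prev)
    return pkcs7_unpad(recovered)


def demo():
    """Constructed message, key and IV; returns (original, recovered, oracle queries)."""
    key = hashlib.sha256(b"constructed demo key").digest()[:16]
    iv = bytes(range(BLOCK))
    message = b"console chat: meet at 9, bring the patch"
    ciphertext = cbc_encrypt(key, iv, message)
    oracle = PaddingOracle(key)
    return message, recover_plaintext(oracle, ciphertext), oracle.queries


if __name__ == "__main__":
    original, recovered, queries = demo()
    print(recovered, "recovered with", queries, "oracle queries, no key")
```

The oracle answers only true or false, yet a few thousand queries recover every byte, which is why SSL Labs treats a padding oracle as a failing grade and why AEAD suites such as AES-GCM, which have no padding to leak, are the fix rather than a bigger key.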
Microsoft’s messaging servers, on the other hand, get a near-perfect letter grade, so the Xbox One is definitely the clear winner here. Microsoft has a long history with security, and their experience shows in their superior messaging encryption.
So, Kudos to Microsoft’s Xbox One console, which is the clear winner in this Encryption Smackdown!
Related Report: SSL/TLS Telemetry Report 2016