Crypto Terms
Cipher suites Architectural overview
A cipher suite is a standardized collection of a key exchange algorithm, an encryption algorithm (cipher) and a message authentication code (MAC) algorithm that together provide an authenticated encryption scheme. It consists of the following components:
Key exchange protocol
“An (interactive) key exchange protocol is a method whereby parties who do not share any secret information can generate a shared, secret key by communicating over a public channel. The main property guaranteed here is that an eavesdropping adversary who sees all the messages sent over the communication line does not learn anything about the resulting secret key.” [KL08]
- Example: DHE
Authentication
The client authenticates the server by its certificate. Optionally the server may authenticate the client certificate.
- Example: RSA
Cipher
The cipher is used to encrypt the message stream. Its name in the suite also states the key size and, for block ciphers, the mode of operation used by the suite.
- Example: AES256
Message authentication code (MAC)
A MAC ensures that the message has not been tampered with (integrity).
- Example: SHA256
Authenticated Encryption with Associated Data (AEAD)
AEAD is a class of authenticated encryption block-cipher modes which provide encryption and authentication (integrity) in a single operation, so no separate MAC algorithm is needed (e.g. GCM and CCM mode).
- Example: AES256-GCM
Composition of a typical cipher string
- DHE – RSA – AES256 – SHA256 (key exchange – authentication – cipher – MAC; written DHE-RSA-AES256-SHA256 in OpenSSL notation)
Forward Secrecy
Forward Secrecy or Perfect Forward Secrecy is a property of a cipher suite that ensures the confidentiality of past sessions even if the server's long-term private key is later compromised. Thus, if traffic has been recorded, it cannot be decrypted even if an adversary has obtained the server key.
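To make the composition of a suite name and the forward secrecy property concrete, here is an added example (my own code, not from the Applied Crypto Hardening guide) that splits an OpenSSL-style suite name into the four components described above, marks suites with ephemeral (EC)DH key exchange as forward-secret, and checks each name against the Configuration A criteria used further down this page (ephemeral key exchange, RSA authentication, AES-256, and either an AEAD mode or a SHA-2 MAC). The names in SAMPLE_SUITES are constructed inputs, and the parser, the Suite class and meets_config_a are assumptions of this example rather than anything the guide defines.

```python
from dataclasses import dataclass

# Constructed sample suite names in OpenSSL notation (not output of any live system).
SAMPLE_SUITES = [
    "DHE-RSA-AES256-SHA256",        # CBC cipher with a SHA-2 MAC, ephemeral DH
    "ECDHE-RSA-AES256-GCM-SHA384",  # AEAD mode (GCM), ephemeral ECDH
    "ECDHE-RSA-AES256-SHA",         # ephemeral, but SHA-1 MAC (SSLv3-era suite)
    "AES256-SHA",                   # static RSA key transport: no forward secrecy
]

EPHEMERAL_KEX = {"DHE", "EDH", "ECDHE", "EECDH"}   # (EC)DH with ephemeral keys
ANON_KEX = {"ADH", "AECDH"}                        # anonymous (unauthenticated) DH
AUTH_ALGS = {"RSA", "ECDSA", "DSS", "PSK"}
AEAD_TAGS = {"GCM", "CCM", "CCM8", "POLY1305"}     # modes that authenticate by themselves
SHA2_MACS = {"SHA256", "SHA384"}


@dataclass
class Suite:
    name: str
    key_exchange: str
    auth: str
    cipher: str
    mac: str          # "AEAD" for GCM/CCM/Poly1305 suites, as in the page's table
    aead: bool
    forward_secrecy: bool


def parse_suite(name):
    """Split an OpenSSL suite name into KeyEx / Auth / Cipher / MAC.

    The layout is [KEX-][AUTH-]CIPHER[-MODE]-MAC.  When the KEX/AUTH prefix is
    absent (e.g. AES256-SHA) the suite uses static RSA key transport with RSA
    authentication, so a compromised server key exposes recorded sessions.
    """
    parts = name.split("-")
    key_exchange, auth = "RSA", "RSA"
    if parts[0] in EPHEMERAL_KEX:
        key_exchange = parts.pop(0)
        if parts[0] in AUTH_ALGS:
            auth = parts.pop(0)
    elif parts[0] in ANON_KEX:
        key_exchange = parts.pop(0)
        auth = "NONE"
    mac = parts.pop()                       # SHA, SHA256, SHA384, MD5, POLY1305, CCM, ...
    aead = mac in AEAD_TAGS or any(p in AEAD_TAGS for p in parts)
    cipher = "-".join(p for p in parts if p not in AEAD_TAGS)
    return Suite(
        name=name,
        key_exchange=key_exchange,
        auth=auth,
        cipher=cipher,
        mac="AEAD" if aead else mac,
        aead=aead,
        forward_secrecy=key_exchange in EPHEMERAL_KEX,
    )


def meets_config_a(name):
    """Configuration A criteria from this page: ephemeral (EC)DH, RSA-authenticated,
    AES-256, and either an AEAD mode or a SHA-2 MAC (both of which imply TLS 1.2)."""
    s = parse_suite(name)
    return (
        s.forward_secrecy
        and s.auth == "RSA"
        and s.cipher == "AES256"
        and (s.aead or s.mac in SHA2_MACS)
    )


def select_config_a(names):
    """Keep only the suites that satisfy the policy, preserving order."""
    return [n for n in names if meets_config_a(n)]


if __name__ == "__main__":
    for n in SAMPLE_SUITES:
        s = parse_suite(n)
        print(f"{n:30} kex={s.key_exchange:6} auth={s.auth:5} cipher={s.cipher:8} "
              f"mac={s.mac:7} PFS={s.forward_secrecy!s:5} configA={meets_config_a(n)}")
```

Of the four constructed samples only the first two pass: AES256-SHA fails because static RSA key transport gives no forward secrecy, and ECDHE-RSA-AES256-SHA fails because its SHA-1 MAC is neither SHA-2 nor AEAD, which is the same class of suite the `!SSLv3` term removes from the OpenSSL string used below.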
Recommended cipher suites
In principle, system administrators who want to improve their communication security have to make a difficult trade-off between effectively locking out some users and keeping cipher suite security high while supporting as many users as possible. The website https://www.ssllabs.com/ gives administrators and security engineers a tool to test their setup and check its compatibility with clients. The authors made use of ssllabs.com to arrive at the set of cipher suites recommended throughout this document.
Configuration A: Strong ciphers, fewer clients
At the time of writing, our recommendation is to use the following set of strong cipher suites, which may be useful in an environment where one does not depend on many different clients and where compatibility is not a big issue. An example of such an environment might be machine-to-machine communication or corporate deployments where the software to be used can be defined without restrictions.
We arrived at this set of cipher suites by selecting
- TLS 1.2
- Perfect forward secrecy / ephemeral Diffie Hellman
- strong MACs (SHA-2) or
- GCM as Authenticated Encryption scheme
This results in the OpenSSL cipher string:
- EDH+aRSA+AES256:EECDH+aRSA+AES256:!SSLv3
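To see which suites that string actually selects on a given system, here is an added example (not from the guide) that feeds the string to the OpenSSL library linked into Python through the ssl module, which expands it the same way `openssl ciphers -v` would, and compares the result with the four suites listed in the Configuration A table below. The result depends on the OpenSSL version and build options, which is exactly the compatibility point made next; TLS 1.3 suites, which newer OpenSSL lists regardless of this string, are filtered out. The function names and the TABLE_A set are assumptions of this example.

```python
import ssl

# Cipher string from the page (Configuration A).
CONFIG_A = "EDH+aRSA+AES256:EECDH+aRSA+AES256:!SSLv3"

# The four suites the page's Configuration A table lists.
TABLE_A = {
    "DHE-RSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES256-SHA384",
}


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string with the OpenSSL build linked into Python.

    Returns the TLS <= 1.2 suites, in preference order, as the dicts that
    ssl.SSLContext.get_ciphers() produces (keys include 'id', 'name', 'protocol').
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)      # raises ssl.SSLError if nothing matches
    # OpenSSL >= 1.1.1 also reports TLS 1.3 suites, which this string does not govern.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def expanded_names(cipher_string):
    return [c["name"] for c in expand_cipher_string(cipher_string)]


def matches_config_a_intent(name):
    """Every suite the string selects must use ephemeral (EC)DH, RSA authentication
    and AES-256; anything else means the string does not do what the page intends."""
    return name.startswith(("DHE-", "ECDHE-")) and "-RSA-" in name and "AES256" in name


def compare_with_table(names):
    """Which table suites this OpenSSL does not offer, and what it offers beyond the
    table (newer builds may add suites such as AES-256-CCM that the AES256 alias
    also matches; these still satisfy matches_config_a_intent)."""
    offered = set(names)
    return {"missing": sorted(TABLE_A - offered), "extra": sorted(offered - TABLE_A)}


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for c in expand_cipher_string(CONFIG_A):
        # Mask to the two-byte IANA id so it lines up with the ID column of the table.
        print(f"0x{c['id'] & 0xFFFF:04X}  {c['name']:32} {c['protocol']}")
    print(compare_with_table(expanded_names(CONFIG_A)))
```

Running this on a different OpenSSL build, or behind a distribution-wide crypto policy, is the quickest way to find out whether a suite from the table is silently unavailable before a client is locked out.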
Compatibility
At the time of this writing, only the Win 7 and Win 8.1 crypto stacks, OpenSSL ≥ 1.0.1e, Safari 6 / iOS 6.0.1 and Safari 7 / OS X 10.9 are covered by that cipher string.
Configuration A ciphers
| ID | OpenSSL Name | Version | KeyEx | Auth | Cipher | MAC |
|---|---|---|---|---|---|---|
| 0x009F | DHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | DH | RSA | AESGCM(256) | AEAD |
| 0x006B | DHE-RSA-AES256-SHA256 | TLSv1.2 | DH | RSA | AES(256) (CBC) | SHA256 |
| 0xC030 | ECDHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH | RSA | AESGCM(256) | AEAD |
| 0xC028 | ECDHE-RSA-AES256-SHA384 | TLSv1.2 | ECDH | RSA | AES(256) (CBC) | SHA384 |
Configuration B: Weaker ciphers but better compatibility
source: https://bettercrypto.org/static/applied-crypto-hardening.pdf