
Decrease in Key Exchange subscore after enabling ECDHE

Question asked by Tom Sellers on Aug 1, 2014
Latest reply on Aug 2, 2014 by Tom Sellers

I am developing enterprise-wide TLS configuration standards. My previous baseline site had an A- due to no Forward Secrecy. Other than that, it had a score of 90 on all subscores, except for 'Certificate' where it had 100.

The cipher suite list from the server was:

TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5

Most simulated clients were negotiating TLS_RSA_WITH_AES_128_CBC_SHA, which doesn't have FS.

So I added ECDHE RSA ciphers, among others, and now most of the simulated clients negotiate TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, which DOES have FS.

In no case was any of the simulated clients negotiating a cipher that was weaker than with the original suite listed above. However, when I check my scores the 'Key Exchange' subscore has dropped from 90 to 80.

Does changing the key exchange from RSA to ECDHE actually decrease the security/strength of the key exchange process?

Any input is appreciated.

Thanks,
Tom
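The post above asks whether switching to ECDHE weakens the key exchange. What follows is an added example, not part of the post and not SSL Labs or Qualys code: a small audit that a configuration reviewer can run over a cipher-suite list, assuming the server's key-exchange parameters (certificate RSA size, DHE group size, ECDHE curve) are known from its configuration. It flags suites without forward secrecy and reports the weakest key exchange the server still offers, rating curves in RSA-equivalent bits per NIST SP 800-57; the DHE suite and 1024-bit group in the demo are constructed inputs.

```python
"""Audit a TLS cipher-suite list for forward secrecy and key-exchange strength.
Added example, not from the original post. Assumes the server's key-exchange
parameters are known from its configuration (certificate RSA size, DHE group
size, ECDHE curve); curves are rated in RSA-equivalent bits (NIST SP 800-57)."""
from typing import List, NamedTuple, Optional, Tuple

# NIST SP 800-57 comparable strengths: a 256-bit curve ~ 3072-bit RSA, etc.
CURVE_EQUIV_BITS = {"secp256r1": 3072, "secp384r1": 7680, "secp521r1": 15360}

class KexParams(NamedTuple):
    rsa_bits: int            # certificate key size, used by static TLS_RSA_* suites
    dh_bits: Optional[int]   # DHE group size, None if no DHE suites are offered
    curve: Optional[str]     # ECDHE curve name, None if no ECDHE suites are offered

def kex_family(suite: str) -> str:
    """Classify a suite by key-exchange mechanism from its IANA name."""
    for prefix, family in (("TLS_ECDHE_", "ECDHE"), ("TLS_DHE_", "DHE"), ("TLS_RSA_", "RSA")):
        if suite.startswith(prefix):
            return family
    return "OTHER"

def has_forward_secrecy(suite: str) -> bool:
    """Ephemeral (EC)DH gives forward secrecy; static RSA key transport does not."""
    return kex_family(suite) in ("ECDHE", "DHE")

def kex_strength_bits(suite: str, params: KexParams) -> int:
    """RSA-equivalent strength of the key exchange this suite would perform."""
    family = kex_family(suite)
    if family == "RSA":
        return params.rsa_bits
    if family == "DHE":
        return params.dh_bits or 0
    if family == "ECDHE":
        return CURVE_EQUIV_BITS.get(params.curve or "", 0)
    return 0  # unknown or anonymous exchange: count as no strength

def audit(suites: List[str], params: KexParams) -> Tuple[List[str], str, int]:
    """Return (suites lacking FS, suite with the weakest key exchange, its bits)."""
    no_fs = [s for s in suites if not has_forward_secrecy(s)]
    weakest = min(suites, key=lambda s: kex_strength_bits(s, params))
    return no_fs, weakest, kex_strength_bits(weakest, params)

if __name__ == "__main__":
    # Constructed input: two suites from the post plus an assumed DHE suite served
    # with a 1024-bit group, the kind of option worth checking after a score drop.
    demo = ["TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"]
    print(audit(demo, KexParams(rsa_bits=2048, dh_bits=1024, curve="secp256r1")))
```

The point of the check is that the list as a whole is judged by every key exchange a server will accept, not by the suite most clients happen to pick, so the enabled options need reviewing one by one.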