Recommended cipher suite for TLS v1.1+ clients?

Question asked by Michał Staruch on Jan 30, 2015
Latest reply on Jun 12, 2015 by Lily Wilson

Hi there.

The first thing is AESGCM. I've noticed in quite a few places that AESGCM comes first on the recommended cipher priority list for HTTPS servers. I am not a cipher expert, but I've observed two things:

1. Lack of support for AES256-GCM in browsers as of today, resulting in capping at AES128-GCM.

2. Weakness of AES128-GCM described in the "Cycling Attacks on GCM, GHASH and Other Polynomial MACs and Hashes" publication by Markku-Juhani O. Saarinen (available here: http://eprint.iacr.org/2011/202). The key part is "We performed an exhaustive experiment that found many AES-128 keys that produce H with order below n 2≈96.".

Currently, Qualys' recommended settings (https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy) result in most browsers picking AES128 in GCM mode over AES256 in CBC, while reports like ECRYPT II (the part related to algorithms and key sizes is available here: http://www.ecrypt.eu.org/documents/D.SPA.20.pdf) suggest avoiding AES-GCM for protocols like TLS.

Another thing is that TLS 1.3 (draft here: https://tools.ietf.org/html/draft-ietf-tls-tls13-03) proposed to ban non-AEAD ciphers, which would lock most browsers to AES128-GCM if they stayed with the currently supported cipher list.

Then we have ECDSA vs aRSA. Documents like "Applied Crypto Hardening" (draft available here: https://bettercrypto.org/static/applied-crypto-hardening.pdf) always prioritize aRSA and explicitly disable ECDSA whenever possible. From time to time we hear about flawed ECDSA implementations (Sony PS3, Android SecureRandom, OpenSSL prior to 1.0.0e), and I have never heard about any serious RSA issue, so I guess it's the right decision, too.

So, to summarize my concerns:

Q1: Should AESGCM stay on top of cipher priority list for TLS v1.1 and v1.2?

Q2: Should ECDSA have higher priority than aRSA?

Q3: What cipher suite would you recommend to use in 2015 for an HTTPS server, assuming we want to support only TLS v1.1 and TLS v1.2 clients?

Q4: What cipher suite would you recommend for TLS v1.3, when it's available? Is there any 256-bit AEAD cipher we could expect to be supported in browsers, without any known flaws?

I would appreciate the opinions of cipher experts, especially those living in free countries (out of NSA reach).
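An added example, not part of the question or of any reply, that audits a server's cipher priority list for exactly the three ordering concerns raised above: whether AEAD (GCM) suites are ranked ahead of CBC suites, whether any 256-bit AEAD suite is offered at all, and whether ECDSA-authenticated suites outrank RSA ones. It assumes OpenSSL-style suite names (colon-separated, highest priority first) and uses a constructed sample list, not a recommendation.

```python
"""Audit an OpenSSL-style cipher priority list for the ordering questions
raised in the post. Suite names follow OpenSSL's naming convention; only the
ECDHE/DHE + ECDSA/RSA + AES family is parsed, since that is what the post is about."""
import re

# Constructed sample priority list (highest priority first); illustrative only.
SAMPLE_CIPHERS = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA"
)

# Key exchange, authentication, AES key size, optional GCM marker, MAC/PRF hash.
# A name without "-GCM" (e.g. ECDHE-RSA-AES256-SHA384) is an AES-CBC suite.
SUITE_RE = re.compile(
    r"^(?P<kx>ECDHE|DHE)-(?P<auth>ECDSA|RSA)-AES(?P<bits>128|256)"
    r"(?:-(?P<mode>GCM))?-SHA(?P<mac>256|384)?$"
)

def parse_suite(name):
    """Return a dict describing one suite, or None if the name is not recognised."""
    m = SUITE_RE.match(name)
    if not m:
        return None
    return {
        "name": name,
        "kx": m.group("kx"),
        "auth": m.group("auth"),
        "bits": int(m.group("bits")),
        "aead": m.group("mode") == "GCM",  # CBC suites carry no mode token
    }

def audit_cipher_list(cipher_string):
    """Evaluate the post's three ordering concerns over a priority list."""
    suites = [s for s in (parse_suite(n) for n in cipher_string.split(":")) if s]
    n = len(suites)
    first_cbc = next((i for i, s in enumerate(suites) if not s["aead"]), n)
    last_aead = max((i for i, s in enumerate(suites) if s["aead"]), default=-1)
    first_rsa = next((i for i, s in enumerate(suites) if s["auth"] == "RSA"), n)
    first_ecdsa = next((i for i, s in enumerate(suites) if s["auth"] == "ECDSA"), n)
    return {
        "parsed": n,
        "aead_before_cbc": last_aead < first_cbc,       # Q1: AEAD on top?
        "offers_256bit_aead": any(s["aead"] and s["bits"] == 256 for s in suites),  # Q4
        "ecdsa_before_rsa": first_ecdsa < first_rsa,    # Q2
        "top": suites[0]["name"] if suites else None,
    }

if __name__ == "__main__":
    print(audit_cipher_list(SAMPLE_CIPHERS))
```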
