Choosing the right cipher / alias crypto wars part twelve

Choosing the right cipher for your server.

The wanted options:

  • Only 256 bit
  • Only Mac AEAD[1]  since in TLS 1.3 that is only allowed.
  • Kx (Key exchange) and Au (Authentication) PSK (pre-shared key) is not an option for a webserver
  • DSS cipher is for key auth
  • Kx=DH without an EC ( Elliptic curves) is not secure enough
  • Kx=RSA is weak
  • AESCCM is also a Cipher Block Chaining (CBC)
  • Aria is for Secure Real-Time Transport Protocol (SRTP)
  • DHE-RSA-AES256-GCM-SHA384 and DHE-RSA-CHACHA20-POLY1305 have no EC (elliptic curves)
/opt/openssl/bin/openssl ciphers -v ALL:COMPLEMENTOFALL | grep -v "(128)" | grep "Mac=AEAD" | grep -v "Kx=PSK" | \
grep -v "Au=PSK" | grep -v "Kx=RSAPSK" | grep -v "Au=DSS" | grep -v "Kx=RSA" | grep -v "Enc=AESCCM" | \
grep -v "Enc=ARIAGCM" | grep -v "Au=None" | grep -v "Kx=DH"

The Output

TLS 1.3
TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256 TLSv1.3 Kx=any Au=any Enc=CHACHA20/POLY1305(256) Mac=AEAD

TLS 1.2
ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD

At last POLY over AES for speed, and ECDSA over RSA also for speed.

SSLCipherSuite SSL ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384
SSLCipherSuite TLSv1.3 TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384

This was done with the current latest OpenSSL version 1.1.1l

Only for the completeness, GCM is Galois/Counter Mode[2]

 

[1] https://de.wikipedia.org/wiki/Authenticated_Encryption
[2] https://en.wikipedia.org/wiki/Galois/Counter_Mode

Leave a Reply

Your email address will not be published. Required fields are marked *