Finding the right ciphers with 256 bit alias crypto wars part nine

Finding a good cipher for your web server is not an easy task. openssl ciphers -v ALL:COMPLEMENTOFALL lists all the available ciphers on your system.
What we don’t want

  • SSLv3 that is no longer secure.
  • 128 bit encryption is too weak
  • no encrytion cipther ;)
  • DSS cipher for key auth
  • DHE-RSA-AES256-SHA is no longer secure
  • TLSv1 no longer secure
  • PSK ( pre shared key) cipher
  • CAMELLIA
  • CBC cipher because of the BEAST attack
  • RSA because of FREAK and SMACK and ROBOT
  • Au=None
  • AESCCM it is also a Cipher Block Chaining (CBC)

That gives us:

openssl ciphers -v ALL:COMPLEMENTOFALL | grep -v "SSLv3" | grep -v "(128)" | grep -v "Enc=None" | \
 grep -v "Au=DSS" | grep -v "DHE-RSA-AES256-SHA" | grep -v "TLSv1 " | grep -v "Au=PSK" | grep -v "Kx=RSAPSK" | \
 grep -v "CAMELLIA" | grep -v "CBC" | grep -v "Au=RSA" | grep -v "Au=None" | grep -v "Enc=AESCCM"

now choose your poison.

2 thoughts on “Finding the right ciphers with 256 bit alias crypto wars part nine

  1. Why is CCM bad? Does using CBC as a primitive cause it to inherit some of CBC’s problems somehow, despite being AEAD?

  2. AESCCM / Authenticated Encryption with Associated Data (AEAD) (+ Counter with CBC-MAC) is an operation mode of CBC and it has the same problems.

Leave a Reply

Your email address will not be published. Required fields are marked *