Cipher Suite Selection

Warning

Following are recommendations valid in August 2018, using OpenSSL 1.1.0g under Ubuntu 18.04 LTS ‘Bionic Beaver’.

Note

TL;DR: This is our official cipher suite list string, which we will use in most of our services:

kEECDH+aECDSA+CHACHA20:kEECDH+aRSA+CHACHA20:kEDH+aRSA+CHACHA20:kEECDH+aECDSA+AESGCM:kEECDH+aRSA+AESGCM:kEDH+aRSA+AESGCM:kEECDH+aECDSA+AES:kEECDH+aRSA+AES:kEDH+aRSA+AES:-AESCCM:-AES256:+SHA1

The quest for the perfect Cipher Suite list is an endless one, simply because there is no perfect solution.

For our private servers for mostly personal use and presumably limited public interest or commercial goals, we have the luxury to enforce a more secure, but less compatible set of cipher suites.

Note

Windows XP clients using Internet Explorer will not be able to connect to any of your servers.

Following is the composition of our Cipher suite list using the the OpenSSL ciphers (1SSL) command. The command displays as a list of all cipher suites available with the current selection parameters.

$ openssl ciphers -v '<Selection Parameters>' | column -t

Key Exchange

Perfect Forward Secrecy

All our encrypted communications is to be established using Perfect Forward Secrecy.

In todays OpenSSL the available ciphers suites who are able to provide forward secrecy are the ones who use Diffie-Hellman key exchange.

Also we place the EC variant first, as it uses smaller keys and is faster.

Priorities:

  1. ECDH key-exchange over DH key-exchange

To list those, you can use …

kEECDH
kEDH
kEECDH:kEDH

as selection parameter with the OpenSSL ciphers command and you will get a list of 65 available cipher suites on my [1] system:

$ openssl -v 'kEECDH:kEDH'  | column -t

Key Authentication

The private keys to our certificates can either be RSA or ECDSA keys or both.

One can select all ciphers suites who use ECDSA or RSA key authentication with the “aECDSA” and “aRSA” selection parameter. Since ECDSA is faster, has smaller keys, but with equal or better security it is put first thus given a higher selection priority.

This will list 43 available cipher suites.

ECDSA Key Authentication

ECDSA keys can only by exchanged over ECDH. So we can skip the non-working combination of DH key exchange with ECDSA keys.

kEECDH+aECDSA
kEDH
kEECDH+aECDSA:kEDH

The list shrinks to 52 ciphers suites.

RSA Key Authentication

RSA keys on the other hand can be exchanged over ECDH and DH.

Priorities:

  1. ECDH key-exchange over DH key-exchange
  2. ECDSA keys over RSA keys
kEECDH+aECDSA
kEECDH+aRSA
kEDH+aRSA
kEECDH+aECDSA:kEECDH+aRSA:kEDH+aRSA

The list shrinks to 40 ciphers suites.

Encryption

Looking at the current selection, there are many encryption schemes who we clearly don’t want to use. Like RC4, 3DES, DES or some with weak export-grade or no encryption at all.

We therefore confine this further by using Chacha20 and AES exclusively.

ChaCha20 Encryption with Poly1305

kEECDH+aECDSA+CHACHA20
kEECDH+aRSA+CHACHA20
kEDH+aRSA+CHACHA20
kEECDH+aECDSA+CHACHA20:kEECDH+aRSA+CHACHA20:kEDH+aRSA+CHACHA20

Only 3 ciphers suites match, but more will be added.

AES Encryption

AES is the most widely trusted encryption standard, supported on all platforms and client software, and as big plus, modern CPUs include hardware acceleration for AES with the Advanced Encryption Standard Instruction Set.

Note

To check if your CPU has built-in hardware acceleration for AES encryption use the following command: grep aes /proc/cpuinfo

Priorities:

  1. ChaCha20 over AES encryption
  2. ECDH key exchange over DH key exchange.
  3. ECDSA keys over RSA keys.
kEECDH+aECDSA+CHACHA20
kEECDH+aRSA+CHACHA20
kEDH+aRSA+CHACHA20
kEECDH+aECDSA+AES
kEECDH+aRSA+AES
kEDH+aRSA+AES
kEECDH+aECDSA+CHACHA20:kEECDH+aRSA+CHACHA20:kEDH+aRSA+CHACHA20:kEECDH+aECDSA+AES:kEECDH+aRSA+AES:kEDH+aRSA+AES

OpenSSL lists 29 cipher suites when used with the “AES” parameter. Combined with our earlier selections.

AES and Message Authentication (MAC)

AES-GCM vs. AES-CBC vs. AES-CCM

Priorities:

  1. ChaCha20 over AES encryption
  2. GCM over CBC message authentication
  3. ECDH key exchange over DH key exchange.
  4. ECDSA keys over RSA keys.
  5. No CCM message authentication
kEECDH+aECDSA+CHACHA20
kEECDH+aRSA+CHACHA20
kEDH+aRSA+CHACHA20
kEECDH+aECDSA+AESGCM
kEECDH+aRSA+AESGCM
kEDH+aRSA+AESGCM
kEECDH+aECDSA+AES
kEECDH+aRSA+AES
kEDH+aRSA+AES
-AESCCM
kEECDH+aECDSA+CHACHA20:kEECDH+aRSA+CHACHA20:kEDH+aRSA+CHACHA20:kEECDH+aECDSA+AESGCM:kEECDH+aRSA+AESGCM:kEDH+aRSA+AESGCM:kEECDH+aECDSA+AES:kEECDH+aRSA+AES:kEDH+aRSA+AES:-AESCCM

The list now contains the 21 cipher suites, with CCM MACs removed.

AES Encryption Strength

As already mentioned the selected AES cipher suites use either 128-bit or 256-bit encryption. Thats OK for most, some would even be tempted to use only 256-bit (only to discover that not even the newest Firefox browser would work anymore).

If we trust 128-bit encryption, and recent findings predict 128-bit encryption to be strong enough for another 30 years or so, then why use 256-bit then?

Symmetric Encryption Key Size

RSA Key Size Safe until
20 bits Year 1928
40 bits Year 1958
56 bits Year 1982
112 bits Year 2020
128 bits Year 2030
256 bits Year 2030+

Bigger is not always better. The time for a handshake between server and client increases dramatically with 256-bit encryption compared to 128-bit. And lets not forget the mobile devices, who may not have a CPU with AES-NI besides being weaker and smaller on the hardware-side.

So to only select the 29 different 128-bit variants out of the 58 suites with AES encryption, one can add “-AES256 ” add the end to remove all the 256-bit AES variants:

Priorities:

  1. ChaCha20 over AES encryption
  2. GCM over CBC message authentication
  3. ECDH key exchange over DH key exchange.
  4. ECDSA keys over RSA keys.
  5. No CCM message authentication
  6. No 256-bit AES encryption
kEECDH+aECDSA+CHACHA20
kEECDH+aRSA+CHACHA20
kEDH+aRSA+CHACHA20
kEECDH+aECDSA+AESGCM
kEECDH+aRSA+AESGCM
kEDH+aRSA+AESGCM
kEECDH+aECDSA+AES
kEECDH+aRSA+AES
kEDH+aRSA+AES
-AESCCM
-AES256
kEECDH+aECDSA+CHACHA20:kEECDH+aRSA+CHACHA20:kEDH+aRSA+CHACHA20:kEECDH+aECDSA+AESGCM:kEECDH+aRSA+AESGCM:kEDH+aRSA+AESGCM:kEECDH+aECDSA+AES:kEECDH+aRSA+AES:kEDH+aRSA+AES:-AESCCM:-AES256

Number of matching cipher suites: 12. And they are all suitable. With this list we already get top scores on test-sites like SSLlabs.

AES Priorities

However there is still some small room for improvement. Some cipher suites in our selection use SHA-1 for message authentication (HMAC).

While SHA-1 is not considered broken or harmful for this specific use, its use is no longer recommended. However if we exclude it, we loose compatibility with a lot of client platforms and software. This would include:

  • Android devices less then version 4.4 (before December 2013)
  • Bing search engine
  • Firefox browsers less then version 25 (before December 2013)
  • Google search engine
  • Internet Explorer less then version 11
  • Java less then version 8
  • OpenSSL 0.9.8 (only version 1.0.1)
  • OS X less then version 10.9.
  • Safari Browsers up to version 6
  • Windows less then version 8 and Windows Mobile less then version 10
  • Yahoo search engine

So unless you are sure that any of the above list will not be connecting to any of your servers, we need to support it.

But we can push it to the end of our list, so that it will only be used, when all other options failed already.

Priorities:

  1. ChaCha20 over AES encryption
  2. GCM over CBC message authentication
  3. ECDH key exchange over DH key exchange
  4. ECDSA keys over RSA keys.
  5. No CCM message authentication
  6. No 256-bit AES encryption
  7. SHA1 message authentication only as a last resort
kEECDH+aECDSA+CHACHA20
kEECDH+aRSA+CHACHA20
kEDH+aRSA+CHACHA20
kEECDH+aECDSA+AESGCM
kEECDH+aRSA+AESGCM
kEDH+aRSA+AESGCM
kEECDH+aECDSA+AES
kEECDH+aRSA+AES
kEDH+aRSA+AES
-AESCCM
-AES256
+SHA1
kEECDH+aECDSA+CHACHA20:kEECDH+aRSA+CHACHA20:kEDH+aRSA+CHACHA20:kEECDH+aECDSA+AESGCM:kEECDH+aRSA+AESGCM:kEDH+aRSA+AESGCM:kEECDH+aECDSA+AES:kEECDH+aRSA+AES:kEDH+aRSA+AES:-AESCCM:-AES256:+SHA1

This give the same list of 12 cipher suites, but the ones using SHA-1 moved to the bottom.

$ openssl ciphers -v 'kEECDH+aECDSA+CHACHA20:kEECDH+aRSA+CHACHA20:kEDH+aRSA+CHACHA20:kEECDH+aECDSA+AESGCM:kEECDH+aRSA+AESGCM:kEDH+aRSA+AESGCM:kEECDH+aECDSA+AES:kEECDH+aRSA+AES:kEDH+aRSA+AES:-AESCCM:-AES256:+SHA1' | column -t
ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=CHACHA20/POLY1305(256)  Mac=AEAD
ECDHE-RSA-CHACHA20-POLY1305    TLSv1.2  Kx=ECDH  Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
DHE-RSA-CHACHA20-POLY1305      TLSv1.2  Kx=DH    Au=RSA    Enc=CHACHA20/POLY1305(256)  Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256  TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AESGCM(128)             Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256    TLSv1.2  Kx=ECDH  Au=RSA    Enc=AESGCM(128)             Mac=AEAD
DHE-RSA-AES128-GCM-SHA256      TLSv1.2  Kx=DH    Au=RSA    Enc=AESGCM(128)             Mac=AEAD
ECDHE-ECDSA-AES128-SHA256      TLSv1.2  Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA256
ECDHE-RSA-AES128-SHA256        TLSv1.2  Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA256
DHE-RSA-AES128-SHA256          TLSv1.2  Kx=DH    Au=RSA    Enc=AES(128)                Mac=SHA256
ECDHE-ECDSA-AES128-SHA         TLSv1    Kx=ECDH  Au=ECDSA  Enc=AES(128)                Mac=SHA1
ECDHE-RSA-AES128-SHA           TLSv1    Kx=ECDH  Au=RSA    Enc=AES(128)                Mac=SHA1
DHE-RSA-AES128-SHA             SSLv3    Kx=DH    Au=RSA    Enc=AES(128)                Mac=SHA1

I admit, this is a very long string (189 characters to select 12 cipher suites out of 125). If you are sure that you will only use either one of RSA or ECDSA type keys, we can narrow it down a bit.

RSA Keys Only

Priorities:

  1. RSA keys only
  2. ChaCha20 over AES encryption
  3. GCM over CBC message authentication
  4. ECDH key exchange over DH key exchange
  5. No CCM message authentication
  6. No 256-bit AES encryption
  7. SHA1 message authentication as a last resort
kEECDH+aRSA+CHACHA20
kEDH+aRSA+CHACHA20
kEECDH+aRSA+AESGCM
kEDH+aRSA+AESGCM
kEECDH+aRSA+AES
kEDH+aRSA+AES
-AESCCM
-AES256
+SHA1
kEECDH+aRSA+CHACHA20:kEDH+aRSA+CHACHA20:kEECDH+aRSA+AESGCM:kEDH+aRSA+AESGCM:kEECDH+aRSA+AES:kEDH+aRSA+AES:-AESCCM:-AES256:+SHA1

This 127 character string should list 8 cipher suites.

ECDSA Keys Only

Priorities:

  1. ECDSA keys only
  2. ChaCha20 over AES encryption
  3. GCM over CBC message authentication
  4. ECDH key exchange over DH key exchange
  5. No CCM message authentication
  6. No 256-bit AES encryption
  7. SHA1 message authentication only as a last resort
kEECDH+aECDSA+CHACHA20
kEECDH+aECDSA+AESGCM
kEECDH+aECDSA+AES
-AESCCM
-AES256
+SHA1
kEECDH+aECDSA+CHACHA20:kEECDH+aECDSA+AESGCM:kEECDH+aECDSA+AES:-AESCCM:-AES256:+SHA1

This 83 character string should list 4 cipher suites.

Footnotes

[1]The number of suites supporting particular features varies between versions of OpenSSL.