Cipher Suite Selection

Note

TL;DR: this is our official cipher suite list string, which we will use in all our services: kEECDH+aRSA+AES128:kEDH+aRSA+AES128:+SSLv3

The quest for the perfect Cipher Suite list is an endless one, simply because there is no perfect solution.

Because our private servers are mostly for personal use, with presumably limited public interest or commercial goals, we have the luxury of enforcing a more secure but less compatible set of cipher suites.

Note

Windows XP clients using Internet Explorer will not be able to connect to any of your servers.

Following is the composition of our cipher suite list using the OpenSSL ciphers(1SSL) command. The command displays a list of all cipher suites available with the current selection parameters.

$ openssl ciphers -v '<Selection Parameters>' | column -t

Key Exchange

Perfect Forward Secrecy

All our encrypted communications are to be established using Perfect Forward Secrecy.

In today's OpenSSL, the available cipher suites that are able to provide forward secrecy are the ones that use Diffie-Hellman key exchange.

To list those, you can use …

kEECDH
kEDH
kEECDH:kEDH

as selection parameter with the OpenSSL ciphers command and you will get a list of 65 available cipher suites on my [1] system.

Note that we place the EC variant first, as it uses smaller keys and is faster.

Key Authentication

The private keys to our certificates can either be RSA or ECDSA keys or both.

One can select all cipher suites that use ECDSA or RSA key authentication with the “aECDSA” and “aRSA” selection parameters. Since ECDSA is faster and has smaller keys with equal or better security, it is put first and thus given a higher selection priority.

This will list 43 available cipher suites.

ECDSA Key Authentication

ECDSA keys can only be exchanged over ECDH. So we can skip the non-working combination of DH key exchange with ECDSA keys.

kEECDH+aECDSA
kEDH
kEECDH+aECDSA:kEDH

The list shrinks to 52 cipher suites.

RSA Key Authentication

RSA keys on the other hand can be exchanged over ECDH and DH.

Priorities:

  1. We still prioritize ECDH key exchange over DH key exchange.
  2. After that we prioritize ECDSA keys over RSA keys.

kEECDH+aECDSA
kEECDH+aRSA
kEDH+aRSA
kEECDH+aECDSA:kEECDH+aRSA:kEDH+aRSA

The list shrinks to 40 cipher suites.

Encryption

Looking at the current selection, there are many encryption schemes that we clearly don’t want to use, such as RC4, 3DES, DES, or those with weak export-grade or no encryption at all.

We therefore confine this further by using ChaCha20 and AES exclusively.

ChaCha20 Encryption with Poly1305

kEECDH+aECDSA+CHACHA20
kEECDH+aRSA+CHACHA20
kEDH+aRSA+CHACHA20
kEECDH+aECDSA+CHACHA20:kEECDH+aRSA+CHACHA20:kEDH+aRSA+CHACHA20

Only 3 cipher suites match, but more will be added.

AES Encryption

AES is the most widely trusted encryption standard, supported on all platforms and client software. As a big plus, modern CPUs include hardware acceleration for AES with the Advanced Encryption Standard Instruction Set.

Note

To check if your CPU has built-in hardware acceleration for AES encryption use the following command: grep aes /proc/cpuinfo

Priorities:

  1. ChaCha20 over AES encryption
  2. ECDH key exchange over DH key exchange.
  3. ECDSA keys over RSA keys.

kEECDH+aECDSA+CHACHA20
kEECDH+aRSA+CHACHA20
kEDH+aRSA+CHACHA20
kEECDH+aECDSA+AES
kEECDH+aRSA+AES
kEDH+aRSA+AES
kEECDH+aECDSA+CHACHA20:kEECDH+aRSA+CHACHA20:kEDH+aRSA+CHACHA20:kEECDH+aECDSA+AES:kEECDH+aRSA+AES:kEDH+aRSA+AES

OpenSSL lists 29 cipher suites when the “AES” parameter is combined with our earlier selections.

AES and Message Authentication (MAC)

AES-GCM vs. AES-CBC vs. AES-CCM

Priorities:

  1. ChaCha20 over AES encryption
  2. AES-GCM over AES-CBC encryption
  3. No AES-CCM encryption
  4. ECDH key exchange over DH key exchange.
  5. ECDSA keys over RSA keys.

kEECDH+aECDSA+CHACHA20
kEECDH+aRSA+CHACHA20
kEDH+aRSA+CHACHA20
kEECDH+aECDSA+AESGCM
kEECDH+aRSA+AESGCM
kEDH+aRSA+AESGCM
kEECDH+aECDSA+AES
kEECDH+aRSA+AES
kEDH+aRSA+AES
-AESCCM
kEECDH+aECDSA+CHACHA20:kEECDH+aRSA+CHACHA20:kEDH+aRSA+CHACHA20:kEECDH+aECDSA+AESGCM:kEECDH+aRSA+AESGCM:kEDH+aRSA+AESGCM:kEECDH+aECDSA+AES:kEECDH+aRSA+AES:kEDH+aRSA+AES:-AESCCM

The list now contains the same 29 cipher suites, just their ordering changed.

AES Encryption Strength

Priorities:

  1. ChaCha20 over AES encryption
  2. AES-GCM over AES-CBC encryption
  3. No AES-CCM encryption
  4. 128-bit only AES encryption
  5. ECDH key exchange over DH key exchange.
  6. ECDSA keys over RSA keys.

kEECDH+aECDSA+CHACHA20
kEECDH+aRSA+CHACHA20
kEDH+aRSA+CHACHA20
kEECDH+aECDSA+AESGCM
kEECDH+aRSA+AESGCM
kEDH+aRSA+AESGCM
kEECDH+aECDSA+AES
kEECDH+aRSA+AES
kEDH+aRSA+AES
-AESCCM
-AES256
kEECDH+aECDSA+CHACHA20:kEECDH+aRSA+CHACHA20:kEDH+aRSA+CHACHA20:kEECDH+aECDSA+AESGCM:kEECDH+aRSA+AESGCM:kEDH+aRSA+AESGCM:kEECDH+aECDSA+AES:kEECDH+aRSA+AES:kEDH+aRSA+AES:-AESCCM:-AES256

Number of matching cipher suites: 12. And they are all suitable. With this list we already get top scores on test-sites like SSLlabs.

AES Priorities

However there is still some small room for improvement. Some cipher suites in our selection use SHA-1 for message authentication (HMAC).

While SHA-1 is not considered broken or harmful for this specific use, its use is no longer recommended. However, if we exclude it, we lose compatibility with a lot of client platforms and software. This would include:

  • Android devices less than version 4.4 (before December 2013)
  • Bing search engine
  • Firefox browsers less than version 25 (before December 2013)
  • Google search engine
  • Internet Explorer less than version 11
  • Java less than version 8
  • OpenSSL 0.9.8 (only version 1.0.1)
  • OS X less than version 10.9.
  • Safari Browsers up to version 6
  • Windows less than version 8 and Windows Mobile less than version 10
  • Yahoo search engine

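So unless you are sure that none of the above will be connecting to any of your servers, we need to support it.

But we can push it to the end of our list, so that it will only be used when all other options have already failed. The “+SSLv3” parameter does this: it adds no suites, it only moves the already selected suites that OpenSSL labels SSLv3, which in our selection are the ones using a SHA-1 MAC, to the end of the list.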

Priorities:

  1. ChaCha20 over AES encryption
  2. AES-GCM over AES-CBC encryption
  3. No AES-CCM encryption
  4. 128-bit only AES encryption
  5. AES encryption with SHA1 MAC only as last resort.
  6. ECDH key exchange over DH key exchange.
  7. ECDSA keys over RSA keys.

kEECDH+aECDSA+CHACHA20
kEECDH+aRSA+CHACHA20
kEDH+aRSA+CHACHA20
kEECDH+aECDSA+AESGCM
kEECDH+aRSA+AESGCM
kEDH+aRSA+AESGCM
kEECDH+aECDSA+AES
kEECDH+aRSA+AES
kEDH+aRSA+AES
-AESCCM
-AES256
+SSLv3
kEECDH+aECDSA+CHACHA20:kEECDH+aRSA+CHACHA20:kEDH+aRSA+CHACHA20:kEECDH+aECDSA+AESGCM:kEECDH+aRSA+AESGCM:kEDH+aRSA+AESGCM:kEECDH+aECDSA+AES:kEECDH+aRSA+AES:kEDH+aRSA+AES:-AESCCM:-AES256:+SSLv3

This gives the same list of 12 cipher suites, but with the ones using SHA-1 moved to the bottom.

Encryption Strength

And yet still I have one more point to make.

As already mentioned, the selected AES cipher suites use either 128-bit or 256-bit encryption. That's OK for most; some would even be tempted to use only 256-bit (only to discover that not even the newest Firefox browser would work anymore).

If we trust 128-bit encryption, and recent findings predict 128-bit encryption to be strong enough for another 30 years or so, why use 256-bit?

Symmetric Encryption Key Size

Key Size    Safe until
20 bits     Year 1928
40 bits     Year 1958
56 bits     Year 1982
112 bits    Year 2020
128 bits    Year 2030
256 bits    Year 2030+

Bigger is not always better. The time for a handshake between server and client increases dramatically with 256-bit encryption compared to 128-bit. And let's not forget mobile devices, which may not have a CPU with AES-NI, besides being weaker and smaller on the hardware side.

So to only select the 29 different 128-bit variants out of the 58 suites with AES encryption, one can use “AES128” instead of just “AES” as selection parameter:

kEECDH+aRSA+AES128:kEDH+aRSA+AES128:+SSLv3

That gives a list of 6 remaining cipher suites, as shown below:

$ openssl ciphers -v 'kEECDH+aRSA+AES128:kEDH+aRSA+AES128:+SSLv3' | column -t
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA256
DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(128)    Mac=SHA256
ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
DHE-RSA-AES128-SHA          SSLv3   Kx=DH   Au=RSA Enc=AES(128)    Mac=SHA1

The same ciphers list in RFC Strings Format as shown on the Qualys SSL test website:

1. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH 256 bits (eq. 3072 bits RSA)       FS  128
2. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH 256 bits (eq. 3072 bits RSA)       FS  128
3. TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)       DH 1024 bits (p: 128, g: 1, Ys: 128)    FS  128
4. TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)       DH 1024 bits (p: 128, g: 1, Ys: 128)    FS  128
5. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)      ECDH 256 bits (eq. 3072 bits RSA)       FS  128
6. TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)          DH 1024 bits (p: 128, g: 1, Ys: 128)    FS  128
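
The priorities worked out on this page can be checked mechanically against the output of `openssl ciphers -v`, for example after an OpenSSL upgrade changes which suites a string matches. The following Python script is an added example, not part of the original page; the function names are hypothetical and the embedded sample is the six-line output listed above.

```python
import re
import sys

# Constructed sample: the six `openssl ciphers -v` lines shown on this page.
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA256
DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(128)    Mac=SHA256
ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
DHE-RSA-AES128-SHA          SSLv3   Kx=DH   Au=RSA Enc=AES(128)    Mac=SHA1
"""
ALLOWED_ENC = {"AES", "AESGCM", "CHACHA20/POLY1305"}  # no RC4, 3DES, DES, CCM, None

def parse(text):
    """Return the suites of `openssl ciphers -v` output, in preference order."""
    suites = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[2].startswith("Kx="):
            continue  # prompt line, header or blank
        suite = {"name": fields[0], "proto": fields[1]}
        suite.update(f.split("=", 1) for f in fields[2:] if "=" in f)
        suites.append(suite)
    return suites

def audit(text):
    """Return a list of findings; an empty list means the priorities hold."""
    findings, seen_sha1 = [], False
    for s in parse(text):
        if s["proto"] == "TLSv1.3":
            continue  # TLS 1.3 suites are not selected by this cipher string
        if s["Kx"] not in ("ECDH", "DH"):  # the page allows only ephemeral ECDH and DH
            findings.append(f"{s['name']}: Kx={s['Kx']} is not ephemeral ECDH/DH")
        m = re.fullmatch(r"([\w/]+)\((\d+)\)", s["Enc"])
        alg, bits = (m.group(1), int(m.group(2))) if m else (s["Enc"], 0)
        if alg not in ALLOWED_ENC:
            findings.append(f"{s['name']}: encryption {alg} not allowed")
        elif alg.startswith("AES") and bits != 128:
            findings.append(f"{s['name']}: AES key is {bits} bits, want 128")
        if seen_sha1 and s["Mac"] != "SHA1":  # SHA-1 suites must be the last resort
            findings.append(f"{s['name']}: ranked below a SHA-1 suite")
        seen_sha1 = seen_sha1 or s["Mac"] == "SHA1"
    return findings

if __name__ == "__main__":
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE
    print("\n".join(audit(text)) or "OK: list matches the stated priorities")
```

Saved under a name of your choice (here `audit.py`), it audits live output with `openssl ciphers -v '<Selection Parameters>' | python3 audit.py -`. TLS 1.3 suites, which newer OpenSSL versions list regardless of this string, are skipped.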

Footnotes

[1]The number of suites supporting particular features varies between versions of OpenSSL.