Knowledge Base

Combined Elliptic-Curve and Post-Quantum 1 (CECPQ1)

The combined elliptic-curve and post-quantum 1^{[286][287][288]} is a post-quantum cryptography^[344][345] key exchange^[467] algorithm developed by Google, LLC^[54][55] to resist against quantum computing^[141] attacks. The Transport Layer Security^[164] combines X25519^[11], based on elliptic curve^[577][578] Curve25519^[219], and NewHope^{[455][456][457][458]} Elliptic-curve Diffie–Hellman^[490][491] algorithms. It provides forward secrecy^{[135][136][137][138]}, and does protect past sessions against future compromises. If long-term secret keys or passwords are compromised, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted.

Always prefer cipher suites with PFS property over the non-PFS ones. Note that performance considerations implies preferring Ephemeral Elliptic-curve Diffie–Hellman^[91][92] over Ephemeral Diffie-Hellman^{[142][143][144][145]}. Consider the fact that combined elliptic-curve and post-quantum 1^{[286][287][288]} was succeeded by combined elliptic-curve and post-quantum 2^[564][565].

Rivest–Shamir–Adleman (RSA)

Rivest–Shamir–Adleman^[80][81][82] is a digital signature^{[231][232][233][234]} algorithm, which is considered secure, however there are known weaknesses^{[322][323][324][325][326]}.

ChaCha20

The stream cipher^[78][79] ChaCha20^{[181][182][183][184]} is a variant of the algorithm Salsa20^{[111][112][113]} is considered secure ^[316][317] and gives better performance for mobile devices.

Prefer stream cipher^[78][79] ChaCha20^{[181][182][183][184]} in case of mobile devices.

128

The symmetric key^{[193][194][195]} withkey size^[438] more than 128 bits as it is should be according to National Institute of Standards and Technology^[428][429] so it is not vulnerable to preimage attack^[215] and it cannreliably prove that message came from the stated sender (its authenticity) and has not been changed, so connection is not open for a man-in-the-middle attack^[414].

Remove the cipher suite from the list of cipher suites supported by your server.

POLY1305

message authentication code^{[128][129][130][131]} is a message authentication code based on universal hashing^{[301][302][303][304]} which is considered secure. It provides authenticated encryption^[563] which simultaneously assure the confidentiality^{[198][199][200]} and authenticity^{[201][202][203]} of data. Together with stream cipher^[78][79] ChaCha20ChaCha20-Poly1305^{[211][212][213]} gives better performance on mobile devices under the same conditions of security.

If your application or requirements specifically call for the use of a message authentication code^{[128][129][130][131]} that does not provide authenticated encryption^[563] prefer block cipher mode of operation^{[293][294][295][296][297]} (eg: counter with CBC-MAC^{[266][267][268]}, Galois/Counter Mode^{[65][66][67][68]} or message authentication code^{[128][129][130][131]} (eg: Poly1305^[289][290]) that proved authenticated encryption over the ones which does not provide it. In case of a hashed message authentication code^{[418][419][420][421][422][423][424]} prefer message authentication code^{[128][129][130][131]} based on Secure Hash Algorithm 2^[71][72][73] over the ones based on Secure Hash Algorithm 1^{[204][205][206]}.