Knowledge Base

DHE (Diffie-Hellman Ephemeral)

Ephemeral Diffie-Hellman^{[405][406][407][408]} is a variant of Diffie-Hellman^{[99][100][101][102][103]} key exchange^[133] protocol that has forward secrecy^{[127][128][129][130]}, and does protect past sessions against future compromises. If long-term secret keys or passwords are compromised, encrypted communications and sessions recorded in the past cannot be retrieved and decrypted. However, there is a protocol flaw called D(HE)at attack^{[581][582][583][584][585]}, a denial-of-service attack^{[586][587][588][589][590]}, which can be exploited effectively when large key sizes are enabled.

Always prefer cipher suites with PFS property over the non-PFS ones. Note that performance considerations implies preferring Ephemeral Elliptic-curve Diffie–Hellman^[432][433] over Ephemeral Diffie-Hellman^{[405][406][407][408]} and D(HE)at attack^{[581][582][583][584][585]} implies using Diffie-Hellman ephemeral public key parameter^{[409][410][411]}s with a size greater or equal than 2048 bits but less or equal than 4096 bits.

RSA

Rivest–Shamir–Adleman^{[275][276][277]} is a digital signature^{[107][108][109][110]} algorithm, which is considered secure, however there are known weaknesses^{[278][279][280][281][282]}.

Salsa20

The stream cipher^[182][183] Salsa20^{[380][381][382]} is considered secure ^[383] and gives better performance for mobile devices.

Prefer stream cipher^[182][183] Salsa20^{[380][381][382]} and it's variants (eg: ChaCha20^{[324][325][326][327]}) in case of mobile devices.

256

The symmetric key^{[185][186][187]} withkey size^[184] more than 128 bits as it is should be according to National Institute of Standards and Technology^[470][471] so it is not vulnerable to preimage attack^[67] and it cannreliably prove that message came from the stated sender (its authenticity) and has not been changed, so connection is not open for a man-in-the-middle attack^[61].

Remove the cipher suite from the list of cipher suites supported by your server.

SHA-1

message authentication code^{[135][136][137][138]} is a hashed message authentication code^{[139][140][141][142][143][144][145]} which is considered secure^[462], despite the fact that the underlayingcryptographic hash function^{[94][95][96][97]} (Secure Hash Algorithm 1^{[202][203][204]}) is considered insecure^{[205][206][207][208][209][210][211]}.

If your application or requirements specifically call for the use of a message authentication code^{[135][136][137][138]} that does not provide authenticated encryption^[74] prefer block cipher mode of operation^{[82][83][84][85][86]} (eg: counter with CBC-MAC^[32][33][34], Galois/Counter Mode^{[46][47][48][49]} or message authentication code^{[135][136][137][138]} (eg: Poly1305^[458][459]) that proved authenticated encryption over the ones which does not provide it. In case of a hashed message authentication code^{[139][140][141][142][143][144][145]} prefer message authentication code^{[135][136][137][138]} based on Secure Hash Algorithm 2^{[212][213][214]} over the ones based on Secure Hash Algorithm 1^{[202][203][204]}.