Knowledge Base

RSA (Rivest-Shamir-Adleman)

RSA^[443][444] key exchange is a key exchange^[133] that has no forward secrecy^{[127][128][129][130]}, and does not protect past sessions against future compromises. If long-term secret keys or passwords are compromised, encrypted communications and sessions recorded in the past can be retrieved and decrypted. Throughout its history RSA encryption has had many security flaws^{[445][446][447][448][449][450]} and was affected by variety of attack types: chosen-ciphertext attack^[55] (eg: Bleichenbacher's attack^[1][2], ROBOT attack^{[18][19][20][21]}), side-channel attack^[69][70][71] (eg: padding oracle attack^{[63][64][65][66]}, like Bleichenbacher's cat^[3][4][5][6]).

Always prefer cipher suites with PFS property over the non-PFS ones. Note that performance considerations implies preferring Ephemeral Elliptic-curve Diffie–Hellman^[432][433] over Ephemeral Diffie-Hellman^{[405][406][407][408]}.

RSA

Rivest–Shamir–Adleman^{[275][276][277]} is a digital signature^{[107][108][109][110]} algorithm, which is considered secure, however there are known weaknesses^{[278][279][280][281][282]}.

RC4-56

Encryption algorithm Rivest Cipher 4^{[370][371][372][373]} is a stream cipher^[182][183] that is more malleable^[134] than a block cipher^{[78][79][80][81]}. It has multiple vulnerabilities^{[375][376][377][378][379]} (eg: related-key attack^[68], distinguishing attack^[60], ...), so attacker can apply statistical analysis against it to recover the encrypted text.

Remove the cipher suite from the list of cipher suites supported by your server.

56

Any symmetric key^{[185][186][187]} with key size^[184] less than 128 bits are disallowed by National Institute of Standards and Technology^[470][471] as it is vulnerable to preimage attack^[67] in theory. It cannot reliably prove that message came from the stated sender (its authenticity) and has not been changed, so connection is open for a man-in-the-middle attack^[61].

Remove the cipher suite from the list of cipher suites supported by your server.

SHA-1

message authentication code^{[135][136][137][138]} is a hashed message authentication code^{[139][140][141][142][143][144][145]} which is considered secure^[462], despite the fact that the underlayingcryptographic hash function^{[94][95][96][97]} (Secure Hash Algorithm 1^{[202][203][204]}) is considered insecure^{[205][206][207][208][209][210][211]}.

If your application or requirements specifically call for the use of a message authentication code^{[135][136][137][138]} that does not provide authenticated encryption^[74] prefer block cipher mode of operation^{[82][83][84][85][86]} (eg: counter with CBC-MAC^[32][33][34], Galois/Counter Mode^{[46][47][48][49]} or message authentication code^{[135][136][137][138]} (eg: Poly1305^[458][459]) that proved authenticated encryption over the ones which does not provide it. In case of a hashed message authentication code^{[139][140][141][142][143][144][145]} prefer message authentication code^{[135][136][137][138]} based on Secure Hash Algorithm 2^{[212][213][214]} over the ones based on Secure Hash Algorithm 1^{[202][203][204]}.