Knowledge Base

RSA (Rivest-Shamir-Adleman)

RSA^[443][444] key exchange is a key exchange^[133] that has no forward secrecy^{[127][128][129][130]}, and does not protect past sessions against future compromises. If long-term secret keys or passwords are compromised, encrypted communications and sessions recorded in the past can be retrieved and decrypted. Throughout its history RSA encryption has had many security flaws^{[445][446][447][448][449][450]} and was affected by variety of attack types: chosen-ciphertext attack^[55] (eg: Bleichenbacher's attack^[1][2], ROBOT attack^{[18][19][20][21]}), side-channel attack^[69][70][71] (eg: padding oracle attack^{[63][64][65][66]}, like Bleichenbacher's cat^[3][4][5][6]).

Always prefer cipher suites with PFS property over the non-PFS ones. Note that performance considerations implies preferring Ephemeral Elliptic-curve Diffie–Hellman^[432][433] over Ephemeral Diffie-Hellman^{[405][406][407][408]}.

RSA

Rivest–Shamir–Adleman^{[275][276][277]} is a digital signature^{[107][108][109][110]} algorithm, which is considered secure, however there are known weaknesses^{[278][279][280][281][282]}.

eSTREAM Salsa20

The stream cipher^[182][183] Salsa20^{[380][381][382]} is considered secure ^[383] and gives better performance for mobile devices.

Prefer stream cipher^[182][183] Salsa20^{[380][381][382]} and it's variants (eg: ChaCha20^{[324][325][326][327]}) in case of mobile devices.

256

The symmetric key^{[185][186][187]} withkey size^[184] more than 128 bits as it is should be according to National Institute of Standards and Technology^[470][471] so it is not vulnerable to preimage attack^[67] and it cannreliably prove that message came from the stated sender (its authenticity) and has not been changed, so connection is not open for a man-in-the-middle attack^[61].

Remove the cipher suite from the list of cipher suites supported by your server.

SHA-1

message authentication code^{[135][136][137][138]} is a hashed message authentication code^{[139][140][141][142][143][144][145]} which is considered secure^[462], despite the fact that the underlayingcryptographic hash function^{[94][95][96][97]} (Secure Hash Algorithm 1^{[202][203][204]}) is considered insecure^{[205][206][207][208][209][210][211]}.

If your application or requirements specifically call for the use of a message authentication code^{[135][136][137][138]} that does not provide authenticated encryption^[74] prefer block cipher mode of operation^{[82][83][84][85][86]} (eg: counter with CBC-MAC^[32][33][34], Galois/Counter Mode^{[46][47][48][49]} or message authentication code^{[135][136][137][138]} (eg: Poly1305^[458][459]) that proved authenticated encryption over the ones which does not provide it. In case of a hashed message authentication code^{[139][140][141][142][143][144][145]} prefer message authentication code^{[135][136][137][138]} based on Secure Hash Algorithm 2^{[212][213][214]} over the ones based on Secure Hash Algorithm 1^{[202][203][204]}.