Knowledge Base

Rivest–Shamir–Adleman (RSA)

RSA^[320][321] key exchange is a key exchange^[467] that has no forward secrecy^{[135][136][137][138]}, and does not protect past sessions against future compromises. If long-term secret keys or passwords are compromised, encrypted communications and sessions recorded in the past can be retrieved and decrypted. Throughout its history RSA encryption has had many security flaws^{[310][311][312][313][314][315]} and was affected by variety of attack types: chosen-ciphertext attack^[557] (eg: Bleichenbacher's attack^[76][77], ROBOT attack^{[540][541][542][543]}), side-channel attack^{[106][107][108]} (eg: padding oracle attack^{[45][46][47][48]}, like Bleichenbacher's cat^{[337][338][339][340]}).

Always prefer cipher suites with PFS property over the non-PFS ones. Note that performance considerations implies preferring Ephemeral Elliptic-curve Diffie–Hellman^[91][92] over Ephemeral Diffie-Hellman^{[142][143][144][145]}.

Rivest–Shamir–Adleman (RSA)

Rivest–Shamir–Adleman^[80][81][82] is a digital signature^{[231][232][233][234]} algorithm, which is considered secure, however there are known weaknesses^{[322][323][324][325][326]}.

RC4-128

Encryption algorithm Rivest Cipher 4^{[459][460][461][462]} is a stream cipher^[78][79] that is more malleable^[158] than a block cipher^{[524][525][526][527]}. It has multiple vulnerabilities^{[27][28][29][30][31]} (eg: related-key attack^[53], distinguishing attack^[349], ...), so attacker can apply statistical analysis against it to recover the encrypted text.

Remove the cipher suite from the list of cipher suites supported by your server.

128

The symmetric key^{[193][194][195]} withkey size^[438] more than 128 bits as it is should be according to National Institute of Standards and Technology^[428][429] so it is not vulnerable to preimage attack^[215] and it cannreliably prove that message came from the stated sender (its authenticity) and has not been changed, so connection is not open for a man-in-the-middle attack^[414].

Remove the cipher suite from the list of cipher suites supported by your server.

MD5

message authentication code^{[128][129][130][131]} is a hashed message authentication code^{[418][419][420][421][422][423][424]} which is considered secure^[435][436], despite the fact that the underlaying cryptographic hash function^{[510][511][512][513]} (MD5^{[227][228][229]}) is considered insecure^[139][140] as it vulnerable to collision attack^[566] in practice and to preimage attack^[215] in theory.

Leading client applications do not use this type of message authentication code^{[128][129][130][131]}. Unless your application or requirements specifically call for their use, it is generally safer to avoid cipher suites that are not adopted and supported by a critical mass of the industry. If your application or requirements specifically call for the use of a message authentication code^{[128][129][130][131]} that does not provide authenticated encryption^[563] prefer block cipher mode of operation^{[293][294][295][296][297]} (eg: counter with CBC-MAC^{[266][267][268]}, Galois/Counter Mode^{[65][66][67][68]} or message authentication code^{[128][129][130][131]} (eg: Poly1305^[289][290]) that proved authenticated encryption over the ones which does not provide it. In case of a hashed message authentication code^{[418][419][420][421][422][423][424]} prefer message authentication code^{[128][129][130][131]} based on Secure Hash Algorithm 2^[71][72][73] over the ones based on MD5^{[227][228][229]}.