Knowledge Base

C

Authentication Method: pre-shared key authentication (PSK authentication)

Summary

Security

The pre-shared key[160] can ensure authenticity[75][76][77] of the communicating parties mutually based on symmetric key[185][186][187]s that are shared in advance among the parties. Combined with a key exchange[133] that has forward secrecy[127][128][129][130] property algorithm can protect against dictionary attack[58][59]s by passive eavesdroppers (but not active attackers). Pre-shared keys with low entropy[126], may caused by a weakness[171][172][173] of random number generator[168][169][170], can be easily broken in brute-force attack[54]. Leading client applications do not use this algorithm. Unless your application or requirements specifically call for their use, it is generally safer to avoid cipher suites that are not adopted and supported by a critical mass of the industry.

Suggestion

If your application or requirements specifically call for the use of algorithms which are not used by the leading client applications set the cipher suite order explicitly and cipher suites used by the leading client applications be preferred over the ones which do not used by them.

Evaluate your host!

Type a URL to analyze a service

Get a prompt and clear overview of your security configuration. Right now!

Config Snippets

You can fix your security setting with the following config snippets in various services. You simply copy-paste (or delete) them to get a better secirity and grade. Do not forget to re-check your modified settings above.

If you want to reveal your security weaknesses and monitor your services or supply chain sign up for our beta test.

i
NGINX
OpenSSL version: 0.9.8+ 
ssl_ciphers …:!PSK
i
Apache
OpenSSL version: 0.9.8+ 
SSLCipherSuite …:!PSK

Affected Cipher Suites

i

TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA TLS_DHE_PSK_WITH_AES_128_CBC_SHA TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 TLS_DHE_PSK_WITH_AES_128_CCM TLS_DHE_PSK_WITH_AES_128_CCM_8 TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 TLS_DHE_PSK_WITH_AES_256_CBC_SHA TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 TLS_DHE_PSK_WITH_AES_256_CCM TLS_DHE_PSK_WITH_AES_256_CCM_8 TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256 TLS_DHE_PSK_WITH_ESTREAM_SALSA20_SHA1 TLS_DHE_PSK_WITH_NULL_SHA TLS_DHE_PSK_WITH_NULL_SHA256 TLS_DHE_PSK_WITH_NULL_SHA384 TLS_DHE_PSK_WITH_RC4_128_SHA TLS_DHE_PSK_WITH_SALSA20_SHA1 TLS_ECDHE_PSK_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA256 TLS_ECDHE_PSK_WITH_AES_128_CCM_8_SHA256 TLS_ECDHE_PSK_WITH_AES_128_CCM_SHA256 TLS_ECDHE_PSK_WITH_AES_128_GCM_SHA256 TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA384 TLS_ECDHE_PSK_WITH_AES_256_GCM_SHA384 TLS_ECDHE_PSK_WITH_ARIA_128_CBC_SHA256 TLS_ECDHE_PSK_WITH_ARIA_256_CBC_SHA384 TLS_ECDHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 TLS_ECDHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256 TLS_ECDHE_PSK_WITH_ESTREAM_SALSA20_SHA1 TLS_ECDHE_PSK_WITH_NULL_SHA TLS_ECDHE_PSK_WITH_NULL_SHA256 TLS_ECDHE_PSK_WITH_NULL_SHA384 TLS_ECDHE_PSK_WITH_RC4_128_SHA TLS_ECDHE_PSK_WITH_SALSA20_SHA1 TLS_PSK_WITH_3DES_EDE_CBC_SHA TLS_PSK_WITH_AES_128_CBC_SHA TLS_PSK_WITH_AES_128_CBC_SHA256 TLS_PSK_WITH_AES_128_CCM TLS_PSK_WITH_AES_128_CCM_8 TLS_PSK_WITH_AES_128_GCM_SHA256 TLS_PSK_WITH_AES_256_CBC_SHA TLS_PSK_WITH_AES_256_CBC_SHA384 TLS_PSK_WITH_AES_256_CCM TLS_PSK_WITH_AES_256_CCM_8 TLS_PSK_WITH_AES_256_GCM_SHA384 TLS_PSK_WITH_ARIA_128_CBC_SHA256 TLS_PSK_WITH_ARIA_128_GCM_SHA256 TLS_PSK_WITH_ARIA_256_CBC_SHA384 TLS_PSK_WITH_ARIA_256_GCM_SHA384 TLS_PSK_WITH_CAMELLIA_128_CBC_SHA256 TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 TLS_PSK_WITH_CAMELLIA_256_CBC_SHA384 TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 TLS_PSK_WITH_CHACHA20_POLY1305_SHA256 TLS_PSK_WITH_ESTREAM_SALSA20_SHA1 TLS_PSK_WITH_NULL_SHA TLS_PSK_WITH_NULL_SHA256 TLS_PSK_WITH_NULL_SHA384 TLS_PSK_WITH_RC4_128_SHA TLS_PSK_WITH_SALSA20_SHA1 TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA TLS_RSA_PSK_WITH_AES_128_CBC_SHA TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 TLS_RSA_PSK_WITH_AES_256_CBC_SHA TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256 TLS_RSA_PSK_WITH_ESTREAM_SALSA20_SHA1 TLS_RSA_PSK_WITH_NULL_SHA TLS_RSA_PSK_WITH_NULL_SHA256 TLS_RSA_PSK_WITH_NULL_SHA384 TLS_RSA_PSK_WITH_RC4_128_SHA TLS_RSA_PSK_WITH_SALSA20_SHA1