[OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet: Strong Protocols and Ciphers for TLS/SSL

Jim Manico jim.manico at owasp.org
Tue Jun 10 04:09:14 UTC 2014

Did this get answered, David?

Jim Manico
(808) 652-3805

On Jun 7, 2014, at 6:49 AM, David Holmes <d.holmes at f5.com> wrote:


Overall, very nice work!

I was a little surprised about the promotion of DHE over ECDHE ciphers. Has
the crypto community as a whole already demoted EC ciphers? While some
curves have been found to be suboptimal, is that enough to eschew the CPU
savings ECDHE is supposed to offer?

*From:* owasp-cheat-sheets-bounces at lists.owasp.org [
mailto:owasp-cheat-sheets-bounces at lists.owasp.org
<owasp-cheat-sheets-bounces at lists.owasp.org>] *On Behalf Of *Jim Manico
*Sent:* Friday, June 06, 2014 9:46 PM
*To:* Torsten Gigler; owasp-cheat-sheets at lists.owasp.org
*Subject:* Re: [OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet:
Strong Protocols and Ciphers for TLS/SSL

Please go ahead and just edit that directly, I trust you – anything else
you can do to update the TLS Cheatsheet, please go for it!

I’ll review when you are done.




*From:* owasp-cheat-sheets-bounces at lists.owasp.org [mailto:
owasp-cheat-sheets-bounces at lists.owasp.org] *On Behalf Of *Torsten Gigler
*Sent:* Tuesday, June 03, 2014 4:50 AM
*To:* owasp-cheat-sheets at lists.owasp.org
*Subject:* [OWASP-cheat-sheets] Transport Layer Protection Cheat Sheet:
Strong Protocols and Ciphers for TLS/SSL


During the last months, I have done some research about how to find a
good Protocol and Cipher Policy for TLS/SSL.

The results are documented in Top 10 Developer Edition, in German

I'd like to discuss them here and add them in the Transport Layer
Protection Cheat Sheet.

Do you have any comments? Should I add my input in a new 'DRAFT:'-Copy of
the document before transferring it to the Cheat Sheet?

Perhaps you find more points that should be updated.

Kind Regards


* Only Support Strong Cryptographic Ciphers:*

* use the very latest recommendations, they may be volatile these days
* Secure length for cryptographic keys and parameters (like DH-parameter)
>=2048 bits or equivalent Elliptic Curves

Example for a Policy to get a Whitelist for recommended Ciphers:
* Activate to set the Cipher Order by the Server
* Highest Priority for Ciphers that support 'Forward Secrecy'
* Favor DHE over ECDHE, ECDHE now lacks really reliable Elliptic Curves,
cf. http://safecurves.cr.yp.to;
* Use RSA-Keys (no DSA/DSS, cf. https://projectbullrun.org/dual-ec/tls.html)
* Favor GCM over CBC regardless of the cipher size
* Prioritize the ciphers by the sizes of the Cipher and the MAC
* Disable weak ciphers without disabling latency browsers and bots that have
to be supported (find the best compromise), actually the cipher
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) does this job.
* Ciphers should be usable for DH-Parameters >= 2048 bits, without blocking
latency browsers (The cipher ‘DHE-RSA-AES128-SHA’ is suppressed as some
browsers like to use it but are not capable of coping with DH-Params > 1024)

* Define a Cipher String that works with different Versions of your
encryption tool, like openssl,
* Verify your cipher string
  ° with an audit tool, like OWASP 'O-Saft'
  ° listing it manually with your encryption software, e.g. openssl ciphers
-v <cipher-string> (the result may differ by version), e.g.: openssl
ciphers -v
#add optionally
protect older Versions of OpenSSL

* This results in these recommended Ciphers and their Order:

0x00,0x9F - DHE-RSA-AES256-GCM-SHA384   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9E - DHE-RSA-AES128-GCM-SHA256   TLSv1.2 Kx=DH   Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x6B - DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA256
0x00,0x39 - DHE-RSA-AES256-SHA          SSLv3   Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA1
0x00,0x67 - DHE-RSA-AES128-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(128)    Mac=SHA256
0xC0,0x30 - ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x28 - ECDHE-RSA-AES256-SHA384     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA384
0xC0,0x14 - ECDHE-RSA-AES256-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(256)    Mac=SHA1
0xC0,0x27 - ECDHE-RSA-AES128-SHA256     TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA256
0xC0,0x13 - ECDHE-RSA-AES128-SHA        SSLv3   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
0x00,0x9D - AES256-GCM-SHA384           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x9C - AES128-GCM-SHA256           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x35 - AES256-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
0x00,0x2F - AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
0x00,0x0A - DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1

- According to my research the most common browsers should be
supported with this setting, too.
- Monitor the performance of your server, e.g. the TLS handshake with
DHE hinders the CPU about 2.4 times more than ECDHE (cf. [Vincent Bernat,
2011] <http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks>)

*One additional Point:*
I'd like to launch also a discussion if we should find references to good
practices that are not dependent on Documents from NIST.
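
An added example, not part of the original message or of the OWASP cheat sheet: one way to check a cipher list in `openssl ciphers -v` / `-V` layout against the ordering policy proposed in the message above. The ranking tables and the placement of 3DES as the last fallback are assumptions read off the policy bullets; the sample lines are copied from the posted list.

```python
import re

# Constructed sample: eight entries copied from the list posted in the message.
POSTED = """\
0x00,0x9F - DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
0x00,0x6B - DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
0x00,0x39 - DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
0xC0,0x2F - ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
0xC0,0x13 - ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
0x00,0x9C - AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
0x00,0x2F - AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
0x00,0x0A - DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
"""

LINE = re.compile(
    r"(?:0x\w\w,0x\w\w - )?(\S+)\s+(\S+)\s+Kx=(\S+)\s+Au=(\S+)\s+Enc=([^(\s]+)\((\d+)\)\s+Mac=(\S+)")
# Assumed ranking derived from the policy bullets: forward secrecy first,
# DHE before ECDHE, static RSA key exchange last; larger MAC first.
KX_RANK = {"DH": 0, "ECDH": 1, "RSA": 2}
MAC_RANK = {"AEAD": 0, "SHA384": 1, "SHA256": 2, "SHA1": 3}

def parse(line):
    m = LINE.search(line)
    if not m:
        raise ValueError(f"not an `openssl ciphers -v` line: {line!r}")
    name, _proto, kx, au, enc, bits, mac = m.groups()
    return {"name": name, "kx": kx, "au": au, "enc": enc, "bits": int(bits), "mac": mac}

def policy_key(c):
    # 3DES is kept only as the compatibility fallback, so it sorts after everything.
    return (c["enc"] == "3DES", KX_RANK.get(c["kx"], 3), c["enc"] != "AESGCM",
            -c["bits"], MAC_RANK.get(c["mac"], 4))

def audit(text):
    """Return a list of policy findings; an empty list means the order conforms."""
    ciphers = [parse(l) for l in text.splitlines() if l.strip()]
    findings = []
    for c in ciphers:
        if c["au"] != "RSA":
            findings.append(f"{c['name']}: Au={c['au']}, policy wants RSA keys")
        if c["name"] == "DHE-RSA-AES128-SHA":
            findings.append(f"{c['name']}: suppressed by the policy (DH params > 1024)")
    for a, b in zip(ciphers, ciphers[1:]):
        if policy_key(a) > policy_key(b):
            findings.append(f"order: {b['name']} should precede {a['name']}")
    return findings

if __name__ == "__main__":
    print(audit(POSTED) or "order matches the policy")
```

Feeding it the output of `openssl ciphers -V <cipher-string>` from each OpenSSL version in use shows where a version reorders or drops entries.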