[OWASP-cheat-sheets] ECDHE is better

Torsten Gigler torsten.gigler at owasp.org
Thu Jun 19 16:01:35 UTC 2014


Hi Jim,

Thank you for forwarding the feedback.

Yes, DHE versus ECDHE is a very interesting part of the latest discussion, 
how to set up Perfect Secrecy.
I have not found *any open Whitelist* saying this or that Elliptic Curve 
defined for TLS and used by server and client implementations is secure 
(as far as this can be proved today). I found only 4 Curves in 
http://safecurves.cr.yp.to, that were all 4 marked *not* to be safe! 
From those marked to be safe, I did not find any that match the 
definitions of TLS (RFC4492, Appendix A).

Do you see any possibility as OWASP to support research on this, or to 
add Curves like Curve 25519 to the TLS standard?

As a conclusion for the cheat sheet, I do think we should favor a slower 
and more secure TLS Cipher over a faster and less secure one (ECDHE) as 
long as there do not appear any new independently approved Elliptic Curves. 
Additionally, the disadvantage of the speed concerns only the 
TLS handshake. This happens only at the beginning of an SSL/TLS connection 
and, if necessary, in following renegotiation phases, *not* the Data 
Encryption itself.

I added a hint on this discussion, and a link to the Note about the CPU 
usage to the wiki:

"* Favor DHE over ECDHE (and monitor the CPU usage, see Notes below), 
ECDHE lacks now of really reliable Elliptic Curves, see discussion about 
secp{224,256,384,521}r1 and secp256k1, cf. [2] 
<http://safecurves.cr.yp.to>, [3] 
<https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html#c1675929>; 
One solution might be to use Edwards Curves 
<http://eprint.iacr.org/2007/286>. The most promising candidate is 
'Curve25519' 
<https://tools.ietf.org/html/draft-josefsson-tls-curve25519-05>, that is 
not yet defined for TLS, cf. IANA 
<http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8>
...
*Notes:*
...Monitor the performance of your server, e.g. the TLS handshake with 
DHE hinders the CPU abt 2.4 times more than ECDHE, cf. Vincent Bernat, 
2011 
<http://vincent.bernat.im/en/blog/2011-ssl-perfect-forward-secrecy.html#some-benchmarks>."

Kind Regards
Torsten

PS: By the way: 'owasp.org' does not support any ECDHE ciphers at the 
moment, the first 6 Ciphers for TLSv12 are DHE ones ;-)
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300009E, DHE-RSA-AES128-GCM-SHA256       , DHE_RSA_WITH_AES_128_GCM_SHA256
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300009F, DHE-RSA-AES256-GCM-SHA384       , DHE_RSA_WITH_AES_256_GCM_SHA384
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000067, DHE-RSA-AES128-SHA256           , DHE_RSA_WITH_AES_128_SHA256
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000033, DHE-RSA-AES128-SHA              , DHE_RSA_WITH_AES_128_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300006B, DHE-RSA-AES256-SHA256           , DHE_RSA_WITH_AES_256_SHA256
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000039, DHE-RSA-AES256-SHA              , DHE_RSA_WITH_AES_256_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300009C, AES128-GCM-SHA256               , RSA_WITH_AES_128_GCM_SHA256
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300009D, AES256-GCM-SHA384               , RSA_WITH_AES_256_GCM_SHA384
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300003C, AES128-SHA256                   , RSA_WITH_AES_128_SHA256
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300002F, AES128-SHA                      , RSA_WITH_AES_128_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300003D, AES256-SHA256                   , RSA_WITH_AES_256_SHA256
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000035, AES256-SHA                      , RSA_WITH_AES_256_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000005, RC4-SHA                         , RSA_RC4_128_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000088, DHE-RSA-CAMELLIA256-SHA         , DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000084, CAMELLIA256-SHA                 , RSA_WITH_CAMELLIA_256_CBC_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000045, DHE-RSA-CAMELLIA128-SHA         , DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000041, CAMELLIA128-SHA                 , RSA_WITH_CAMELLIA_128_CBC_SHA

If a commonly accepted cipher string is found, I'd suggest setting up 
owasp.org as a reference installation ....

On 18.06.2014 10:33, Jim Manico wrote:
> PS: ECDHE is _much_ faster and generally should be more secure.
>
> (From Ivan)
>
> --
> Jim Manico
> @Manicode
> (808) 652-3805
> _______________________________________________
> OWASP-cheat-sheets mailing list
> OWASP-cheat-sheets at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-cheat-sheets
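Added example, not part of the original message or of any OWASP tool: a short Python audit of a server-ordered cipher list in the row format shown in the PS, reporting how many forward-secret suites lead the list, whether any follow a static-RSA suite, whether ECDHE is offered, and which RC4 suites remain. The names `ROW`, `key_exchange` and `audit` are hypothetical, and the sample is a subset of the rows quoted above.

```python
import re

# Subset of the scan rows quoted in the message (order preserved, lines unwrapped).
SAMPLE = """\
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300009E, DHE-RSA-AES128-GCM-SHA256       , DHE_RSA_WITH_AES_128_GCM_SHA256
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300009F, DHE-RSA-AES256-GCM-SHA384       , DHE_RSA_WITH_AES_256_GCM_SHA384
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000067, DHE-RSA-AES128-SHA256           , DHE_RSA_WITH_AES_128_SHA256
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000033, DHE-RSA-AES128-SHA              , DHE_RSA_WITH_AES_128_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300006B, DHE-RSA-AES256-SHA256           , DHE_RSA_WITH_AES_256_SHA256
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000039, DHE-RSA-AES256-SHA              , DHE_RSA_WITH_AES_256_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x0300009C, AES128-GCM-SHA256               , RSA_WITH_AES_128_GCM_SHA256
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000005, RC4-SHA                         , RSA_RC4_128_SHA
owasp.org,   443, TLSv12 (0x0303), no SNI, Server Order, 0x03000088, DHE-RSA-CAMELLIA256-SHA         , DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
"""

# Suite id, OpenSSL name, IANA name; \s* also spans mail-wrapped rows.
ROW = re.compile(r"(0x0300[0-9A-Fa-f]{4}),\s*([^\s,]+)\s*,\s*([^\s,]+)")

def key_exchange(openssl_name):
    """Map an OpenSSL suite name to its key exchange family."""
    for prefix, kx in (("ECDHE-", "ECDHE"), ("DHE-", "DHE"), ("EDH-", "DHE"),
                       ("ECDH-", "static ECDH"), ("ADH-", "anonymous"), ("AECDH-", "anonymous")):
        if openssl_name.startswith(prefix):
            return kx
    return "static RSA"  # assumption: remaining names in this output are RSA key transport

def audit(scan_text):
    """Summarise forward secrecy in a server-preference-ordered suite list."""
    suites = [(name, key_exchange(name)) for _id, name, _iana in ROW.findall(scan_text)]
    kx_order = [kx for _name, kx in suites]
    fs = [kx in ("DHE", "ECDHE") for kx in kx_order]
    first_non_fs = fs.index(False) if False in fs else len(fs)
    return {
        "kx_order": kx_order,
        "leading_fs": first_non_fs,  # forward-secret suites before the first non-FS one
        "fs_after_non_fs": [n for (n, _k), ok in list(zip(suites, fs))[first_non_fs:] if ok],
        "ecdhe_offered": "ECDHE" in kx_order,
        "rc4": [n for n, _k in suites if "RC4" in n],
    }

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

A non-empty `fs_after_non_fs` means a client that supports both will be steered to a static-RSA suite before the listed DHE one, so that suite only provides forward secrecy to clients lacking everything above it.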
