Choosing the right set of cipher algorithms for your users

Cipher Suites

Preliminaries

This note describes the cipher algorithms that are available for use with the server, and how to configure custom cipher suites.

This note reflects best practices for 2019.

The server uses Transport Layer Security (TLS) to encrypt communications to and from the user-agent. TLS is a protocol that uses a variety of algorithms at different stages of its life-cycle.

A cipher suite names a set of four algorithms that together handle these tasks:

  1. How the session's secret keys are agreed between the user-agent and the server (key exchange);
  2. How the server's certificate, and hence the server, is authenticated (the signature algorithm matching the certificate's key type);
  3. Which symmetric encryption algorithm protects the records, with what key length and in which mode;
  4. How the integrity of the encrypted stream is assured.

There are choices to be made for each of these algorithms, and the choice isn't entirely yours: browsers have a say in it. An older browser requesting a resource from the server may not support the strongest, safest or fastest methods the server offers, and it knows nothing of your requirements.

Conversely, the server may have been commissioned a while ago, before the more advanced ciphers used by newer browsers were available. Which suite is actually used is negotiated in the handshake portion of the TLS protocol: the browser sends the list it supports and the server picks one that it also supports.

To keep communicating across this changing landscape, both browsers and servers must support several cipher suites, not just one.

Nomenclature

A cipher suite is named using abbreviations for the constituent algorithms it employs. The abbreviations of the currently allowable algorithms (for TLS 1.2) are:

  1. Key exchange algorithm

    ECDHE - Elliptic Curve Diffie-Hellman Ephemeral key exchange

    DHE - Diffie-Hellman Ephemeral key exchange

    RSA - Rivest–Shamir–Adleman key exchange †

  2. Certificate authentication algorithm

    ECDSA - Elliptic Curve Digital Signature Algorithm

    RSA - Rivest–Shamir–Adleman certificate authentication †

  3. Symmetric encryption algorithm, its key length and its mode of operation

    AES256 - Advanced Encryption Standard with 256-bit keys

    AES128 - Advanced Encryption Standard with 128-bit keys

    GCM - AES in Galois/Counter Mode, an AEAD mode that encrypts and authenticates each record in one pass

    CCM - AES in Counter with CBC-MAC mode, also an AEAD mode

    (no mode named) - AES in CBC mode, which relies on the separate HMAC below for integrity

    CHACHA20-POLY1305 - the ChaCha20 stream cipher (a successor of Salsa20, not the same cipher) combined with the Poly1305 authenticator; always 256-bit keys, always AEAD

  No TLS cipher suite uses AES with 192-bit keys.

  4. Integrity

    SHA384 - Secure Hash Algorithm with a 384-bit digest

    SHA256 - Secure Hash Algorithm with a 256-bit digest

    SHA - Secure Hash Algorithm with a 160-bit digest (SHA-1)

  In the CBC suites this hash is used with HMAC to authenticate each record. In the AEAD suites (GCM, CCM, CHACHA20-POLY1305) the cipher mode itself authenticates the record, and the hash named in the suite is the one the TLS 1.2 pseudo-random function uses for the handshake. The CCM suites omit it from their names and use SHA-256.

† Cipher suites whose names carry no key exchange prefix (AES256-GCM-SHA384, for example) use RSA in both roles: the client encrypts the premaster secret to the public key in the server's RSA certificate. Because every session key is derived from that secret, anyone who later obtains the server's private key can decrypt recorded traffic; these suites provide no forward secrecy. The ECDHE and DHE suites derive the session keys from a fresh ephemeral exchange, and the certificate key only signs that exchange.

Cipher suites that use the Diffie-Hellman Ephemeral key exchange protocol rely on a set of parameters (a prime modulus and a generator) that you must generate. You can do that using the openssl utility. For example, to create a 2048-bit parameter file use this command:

openssl dhparam -dsaparam -out /etc/rwserve/tls/diffie-hellman-2048.pem 2048

The -dsaparam option makes generation fast, but the resulting parameters are not safe primes, and the openssl manual warns that they must only be used with a fresh DH private key for every handshake (OpenSSL 1.1.0 and later always do this). Without the option, openssl generates safe-prime parameters, which takes minutes rather than seconds. Use at least 2048 bits; 1024-bit parameters are no longer considered safe. Note also that Chrome removed support for DHE suites in 2016, so the DHE-RSA- suites mainly serve older browsers and non-browser clients.

Certificate Authentication Algorithm

There are two types of certificates that you can use: the older RSA type and the newer ECDSA type. The choice is made when you generate the key pair and the certificate signing request that you submit to the certificate authority, because the certificate carries that key.

The cipher suites labeled ECDHE-ECDSA- can only be used with an ECDSA certificate; the ECDHE-RSA-, DHE-RSA- and plain AES suites can only be used with an RSA certificate. Pick the cookbook example that matches the certificate you have.

Assembling abbreviations into a cipher suite

The abbreviations enumerated above are the only ones suitable for use with TLS 1.2, and therefore with HTTP/2, which requires TLS 1.2 or later. HTTP/2 is stricter still: RFC 7540 requires every implementation to support ECDHE-RSA-AES128-GCM-SHA256 and black-lists all TLS 1.2 suites that lack ephemeral key exchange (the ones without an ECDHE- or DHE- prefix) or an AEAD cipher (the CBC suites ending in -SHA256, -SHA384 or -SHA). A browser that ends up negotiating a black-listed suite may abort the connection with an INADEQUATE_SECURITY error, so an HTTP/2 server should place those suites after the GCM, CCM and CHACHA20-POLY1305 suites, or omit them.

Combining every abbreviation with every other would yield far more names than OpenSSL actually defines. Only the following combinations exist and make sense:

  Elliptic Curve DHE using ECDSA

  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES256-CCM
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES128-CCM
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-SHA †
  • ECDHE-ECDSA-AES128-SHA †

  Elliptic Curve DHE using RSA

  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA †
  • ECDHE-RSA-AES128-SHA †

  Advanced Encryption Standard (RSA key exchange, no forward secrecy)

  • AES256-GCM-SHA384
  • AES256-CCM
  • AES128-GCM-SHA256
  • AES128-CCM
  • AES256-SHA256
  • AES128-SHA256
  • AES256-SHA †
  • AES128-SHA †

  Diffie-Hellman Ephemeral

  • DHE-RSA-AES256-GCM-SHA384
  • DHE-RSA-CHACHA20-POLY1305
  • DHE-RSA-AES256-CCM
  • DHE-RSA-AES128-GCM-SHA256
  • DHE-RSA-AES128-CCM
  • DHE-RSA-AES256-SHA256
  • DHE-RSA-AES128-SHA256
  • DHE-RSA-AES256-SHA †
  • DHE-RSA-AES128-SHA †

† The cipher suites using 160-bit SHA (SHA-1) are included only for backward compatibility with older clients that support nothing newer than TLS 1.0 or 1.1. They use CBC mode with HMAC-SHA-1 and are on the HTTP/2 black list; put them last or leave them out.
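As an added example (not rwserve code), the following Python splits OpenSSL suite names into the four parts described under Nomenclature and applies the HTTP/2 rule of RFC 7540 Appendix A to the groups listed above. The Suite class, parse_suite, http2_safe and the SAMPLE_SUITES list are this example's own names; the sample list is constructed from the tables above.

```python
"""Decompose OpenSSL-style TLS 1.2 cipher suite names into the four parts from
the nomenclature section, then flag forward secrecy and HTTP/2 suitability.
Added example, not rwserve code. Suite.http2_ok implements RFC 7540 Appendix A,
which black-lists suites without ephemeral key exchange or an AEAD cipher."""
import re
from dataclasses import dataclass
from typing import List

KEY_EXCHANGE = ("ECDHE", "DHE")
AUTHENTICATION = ("ECDSA", "RSA")
DIGESTS = ("SHA384", "SHA256", "SHA")        # SHA is SHA-1 (160-bit)
AEAD_MODES = ("GCM", "CCM", "POLY1305")


@dataclass(frozen=True)
class Suite:
    name: str
    key_exchange: str    # ECDHE, DHE, or RSA (static RSA key transport)
    authentication: str  # ECDSA or RSA: the certificate's key type
    cipher: str          # AES or CHACHA20
    key_bits: int
    mode: str            # GCM, CCM, POLY1305, or CBC
    digest: str          # HMAC hash for CBC suites; handshake PRF hash for AEAD suites

    @property
    def aead(self) -> bool:
        return self.mode in AEAD_MODES

    @property
    def forward_secret(self) -> bool:
        # RSA key transport encrypts the premaster secret to the certificate key,
        # so a later key compromise decrypts recorded sessions.
        return self.key_exchange in KEY_EXCHANGE

    @property
    def http2_ok(self) -> bool:
        return self.forward_secret and self.aead


def parse_suite(name: str) -> Suite:
    """Split e.g. ECDHE-ECDSA-AES256-GCM-SHA384; raise ValueError for names
    that OpenSSL does not define."""
    tokens = name.upper().split("-")
    kx = au = "RSA"                              # no prefix: RSA in both roles
    if tokens[0] in KEY_EXCHANGE:
        kx = tokens.pop(0)
        if not tokens or tokens[0] not in AUTHENTICATION:
            raise ValueError(f"{name}: {kx} must be followed by ECDSA or RSA")
        au = tokens.pop(0)
        if kx == "DHE" and au == "ECDSA":
            raise ValueError(f"{name}: DHE suites are defined only with RSA certificates")
    if not tokens:
        raise ValueError(f"{name}: no symmetric cipher")
    enc = tokens.pop(0)
    aes = re.fullmatch(r"AES(128|256)", enc)     # TLS defines no AES-192 suites
    if aes:
        cipher, bits = "AES", int(aes.group(1))
        mode = tokens.pop(0) if tokens and tokens[0] in ("GCM", "CCM") else "CBC"
        if tokens:
            digest = tokens.pop(0)
            if digest not in DIGESTS or (mode == "GCM" and digest == "SHA"):
                raise ValueError(f"{name}: {digest} is not valid for {mode}")
        elif mode == "CCM":
            digest = "SHA256"                    # CCM names omit the hash; the PRF is SHA-256
        else:
            raise ValueError(f"{name}: missing hash")
    elif enc == "CHACHA20":
        if tokens[:1] != ["POLY1305"] or kx == "RSA":
            raise ValueError(f"{name}: CHACHA20 exists only as CHACHA20-POLY1305 with ECDHE or DHE")
        tokens.pop(0)
        cipher, bits, mode, digest = "CHACHA20", 256, "POLY1305", "SHA256"
    else:
        raise ValueError(f"{name}: unknown cipher {enc}")
    if tokens:
        raise ValueError(f"{name}: unexpected trailing {'-'.join(tokens)}")
    return Suite(name.upper(), kx, au, cipher, bits, mode, digest)


def http2_safe(names: List[str]) -> List[str]:
    """Keep, in the order given, only the suites an HTTP/2 client will accept."""
    return [n for n in names if parse_suite(n).http2_ok]


# Constructed sample mixing the four groups listed above.
SAMPLE_SUITES = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DHE-RSA-AES128-CCM",
    "ECDHE-RSA-AES128-SHA256",   # CBC with HMAC: not AEAD
    "AES128-GCM-SHA256",         # RSA key transport: no forward secrecy
    "AES256-SHA",                # both problems, and HMAC-SHA-1
]

if __name__ == "__main__":
    for n in SAMPLE_SUITES:
        s = parse_suite(n)
        print(f"{n:30} kx={s.key_exchange:5} au={s.authentication:5} "
              f"{s.cipher}{s.key_bits}/{s.mode:8} prf/mac={s.digest:6} "
              f"fs={s.forward_secret!s:5} aead={s.aead!s:5} http2={s.http2_ok}")
```

Running the script prints one line per sample suite; only the first three survive http2_safe, because the CBC suite fails the AEAD test and the two unprefixed suites fail the ephemeral key exchange test.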

Configuration

The server can support many different cipher suites, allowing it to be deployed in permissive and stringent security contexts. Configuring the server to use a custom set of cipher suites is optional.

The ciphers section is used to configure this. It comprises a list of openssl cipher suite names, one name per line, in top-to-bottom order of the server's preference. (Note that the browser has its own order of preference, which may override this.)

This section must be placed in the server section, not a host section.

If any of the cipher suites use the Diffie-Hellman Ephemeral key exchange algorithm (the cipher suites beginning with DHE-RSA-), you must also specify the location of the parameter file you generated, using a diffie-hellman entry. Be sure to surround the parameter file name with GRAVE-ACCENTS.

EBNF

SP                  ::= U+20
CR                  ::= U+0D
SOLIDUS             ::= U+2F
ASTERISK            ::= U+2A
FULL-STOP           ::= U+2E
GRAVE-ACCENT        ::= U+60
LEFT-CURLY-BRACKET  ::= U+7B
RIGHT-CURLY-BRACKET ::= U+7D
absolute-path       ::= GRAVE-ACCENT file-system-chars* GRAVE-ACCENT †
diffie-hellman      ::= 'diffie-hellman' SP absolute-path CR
ciphers-section     ::= 'ciphers' SP LEFT-CURLY-BRACKET CR
                        (openssl-cipher-name CR)*
                        RIGHT-CURLY-BRACKET CR
server-section      ::= 'server' SP LEFT-CURLY-BRACKET CR
                        diffie-hellman?
                        ciphers-section
                        RIGHT-CURLY-BRACKET CR

† Legal file system characters vary by platform. The diffie-hellman entry is required only when the ciphers section lists DHE-RSA- suites.
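The grammar above, turned into a small parser with the two checks the text calls for (one openssl name per line inside ciphers, and a grave-accent-quoted diffie-hellman path whenever a DHE- suite is listed). This is an added example, not rwserve's own configuration loader; ServerConfig, parse_server, validate and the SAMPLE_* configurations are names and inputs constructed for it.

```python
"""Parse the rwserve 'server { ... }' section described by the EBNF above and
enforce two rules from the text: one openssl cipher name per line inside
'ciphers { }', and a grave-accent-quoted diffie-hellman path whenever a DHE-
suite is listed. Added example, not rwserve's own loader; the sample
configurations at the bottom are constructed for it."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A suite name is upper-case alphanumerics joined by hyphens, so a footnote mark
# or comment copied in with the name is rejected rather than silently ignored.
CIPHER_NAME = re.compile(r"[A-Z0-9]+(?:-[A-Z0-9]+)*")
DH_PATH = re.compile(r"`(/[^`]*)`")        # absolute-path: GRAVE-ACCENT ... GRAVE-ACCENT


class ConfigError(ValueError):
    pass


@dataclass
class ServerConfig:
    settings: Dict[str, str] = field(default_factory=dict)   # ip-address, port, ...
    diffie_hellman: Optional[str] = None
    ciphers: List[str] = field(default_factory=list)


def _read_block(lines: List[Tuple[int, str]], i: int):
    """Collect entries up to the '}' that closes the block opened on lines[i-1].
    Simple entries are (lineno, text); nested blocks are (lineno, name, entries)."""
    items = []
    while i < len(lines):
        no, text = lines[i]
        if text == "}":
            return items, i + 1
        if text.endswith(" {"):
            sub, i = _read_block(lines, i + 1)
            items.append((no, text[:-2], sub))
        else:
            items.append((no, text))
            i += 1
    raise ConfigError("a block was opened but never closed with '}'")


def parse_server(text: str) -> ServerConfig:
    lines = [(n, t.strip()) for n, t in enumerate(text.splitlines(), 1) if t.strip()]
    if not lines or lines[0][1] != "server {":
        raise ConfigError("configuration must begin with 'server {'")
    items, end = _read_block(lines, 1)
    if end != len(lines):
        raise ConfigError(f"line {lines[end][0]}: text after the server section")
    cfg, seen_ciphers = ServerConfig(), False
    for item in items:
        if len(item) == 3:                          # a nested block
            no, name, sub = item
            if name != "ciphers":                   # e.g. host: ciphers may not live here
                if any(len(s) == 3 and s[1] == "ciphers" for s in sub):
                    raise ConfigError(f"line {no}: ciphers belongs in server, not in {name}")
                continue
            if seen_ciphers:
                raise ConfigError(f"line {no}: more than one ciphers section")
            seen_ciphers = True
            for entry in sub:
                if len(entry) == 3 or not CIPHER_NAME.fullmatch(entry[1]):
                    raise ConfigError(f"line {entry[0]}: expected one openssl cipher name, got {entry[1]!r}")
                cfg.ciphers.append(entry[1])
            continue
        no, entry = item
        key, sep, value = entry.partition(" ")
        if not sep:
            raise ConfigError(f"line {no}: expected 'key value', got {entry!r}")
        if key == "diffie-hellman":
            m = DH_PATH.fullmatch(value)
            if not m:
                raise ConfigError(f"line {no}: diffie-hellman needs an absolute path in grave accents")
            cfg.diffie_hellman = m.group(1)
        else:
            cfg.settings[key] = value
    return cfg


def validate(cfg: ServerConfig) -> List[str]:
    """Return the configuration problems the text above warns about."""
    problems = []
    if any(c.startswith("DHE-") for c in cfg.ciphers) and cfg.diffie_hellman is None:
        problems.append("DHE- suites are listed but no diffie-hellman parameter file is given")
    return problems


# Constructed samples (not from the rwserve documentation).
SAMPLE_OK = """\
server {
    ip-address 8.16.32.64
    port 443
    diffie-hellman `/etc/rwserve/tls/diffie-hellman-2048.pem`
    ciphers {
        DHE-RSA-AES256-GCM-SHA384
        ECDHE-RSA-AES128-GCM-SHA256
    }
}
"""
SAMPLE_NO_DH = SAMPLE_OK.replace("    diffie-hellman `/etc/rwserve/tls/diffie-hellman-2048.pem`\n", "")
SAMPLE_ANNOTATED = SAMPLE_OK.replace("ECDHE-RSA-AES128-GCM-SHA256", "DHE-RSA-AES256-SHA \u2020")
```

parse_server(SAMPLE_OK) yields the two cipher names and the parameter path, validate returns an empty list; SAMPLE_NO_DH parses but validate reports the missing parameter file; SAMPLE_ANNOTATED, which carries a footnote marker after a cipher name, is rejected at parse time, as is a ciphers section placed inside a host block.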

Cookbook

Example 1: Elliptic Curve DHE using ECDSA

    server {
        ip-address 8.16.32.64
        port 443
        cluster-size 2

        ciphers {
            ECDHE-ECDSA-AES256-GCM-SHA384
            ECDHE-ECDSA-CHACHA20-POLY1305
            ECDHE-ECDSA-AES256-CCM
            ECDHE-ECDSA-AES128-GCM-SHA256
            ECDHE-ECDSA-AES128-CCM
            ECDHE-ECDSA-AES128-SHA256
            ECDHE-ECDSA-AES256-SHA
            ECDHE-ECDSA-AES128-SHA
        }
    }

Example 2: Elliptic Curve DHE using RSA

    server {
        ip-address 8.16.32.64
        port 443
        cluster-size 2

        ciphers {
            ECDHE-RSA-AES256-GCM-SHA384
            ECDHE-RSA-CHACHA20-POLY1305
            ECDHE-RSA-AES128-GCM-SHA256
            ECDHE-RSA-AES128-SHA256
            ECDHE-RSA-AES256-SHA
            ECDHE-RSA-AES128-SHA
        }
    }

Example 3: Advanced Encryption Standard (RSA key exchange, no forward secrecy)

    server {
        ip-address 8.16.32.64
        port 443
        cluster-size 2

        ciphers {
            AES256-GCM-SHA384
            AES256-CCM
            AES128-GCM-SHA256
            AES128-CCM
            AES256-SHA256
            AES128-SHA256
            AES256-SHA
            AES128-SHA
        }
    }

Example 4: Diffie-Hellman Ephemeral (note the required diffie-hellman entry)

    server {
        ip-address 8.16.32.64
        port 443
        cluster-size 2

        diffie-hellman `/etc/rwserve/tls/diffie-hellman-2048.pem`
        ciphers {
            DHE-RSA-AES256-GCM-SHA384
            DHE-RSA-CHACHA20-POLY1305
            DHE-RSA-AES256-CCM
            DHE-RSA-AES128-GCM-SHA256
            DHE-RSA-AES128-CCM
            DHE-RSA-AES256-SHA256
            DHE-RSA-AES128-SHA256
            DHE-RSA-AES256-SHA
            DHE-RSA-AES128-SHA
        }
    }

The ciphers section accepts only the bare openssl names; the † markers used in the tables above are footnotes and must not be copied into the configuration file.

Review

Key points to remember:

  • Cipher suites differ in strength, speed and in which clients support them.
  • The server's default set of cipher suites can be overridden in the configuration file.
  • Use this feature when one of today's "best" cipher suites is found to have a weakness, or when you need to restrict the server to forward-secret, AEAD suites.
