#### Choosing the right set of cipher algorithms for your users

# Cipher Suites

## Preliminaries

This note describes the cipher algorithms that are available for use with the server, and how to configure custom cipher suites.

*This note reflects best practices for 2019*.

The server uses Transport Layer Security (TLS) to encrypt communications to and from the user-agent. TLS is a protocol that uses a variety of algorithms at different stages of its life-cycle.

A *cipher suite* comprises a set of four algorithms that work together to handle these tasks:

- How secret keys are exchanged between the user-agent and the server;
- How certificates are authenticated;
- Which symmetric encryption algorithm is used and what its secret key length is;
- How the integrity of the encrypted stream is assured.

There are choices to be made regarding each of these algorithms, and the choice isn't entirely up to you: browsers have a say in it. When an older browser requests a resource from the server, it may not know about the strongest, safest, or fastest methods available on the server. Or about *your* needs for these.

Conversely, the server may have been commissioned a while ago, when today's more advanced ciphers used in newer browsers were not available. The matchup between what the browser can handle and what the server desires to use is negotiated in the handshake portion of the TLS protocol.

In order to allow browsers and servers to communicate in this fluctuating system, both must employ multiple *cipher suites*.

### Nomenclature

A cipher suite is named using abbreviations for the constituent algorithms it employs. The abbreviations of the currently allowable algorithms (for TLS 1.2) are:

- Key exchange algorithm
  - **ECDHE** - Elliptic Curve Diffie-Hellman Ephemeral key exchange
  - **DHE** - Diffie-Hellman Ephemeral key exchange
  - **RSA** - Rivest–Shamir–Adleman key exchange †
- Certificate authentication algorithm
  - **ECDSA** - Elliptic Curve Digital Signature Algorithm
  - **RSA** - Rivest–Shamir–Adleman certificate authentication †
- Symmetric encryption algorithm
  - **AES256** - Advanced Encryption Standard with 256-bit keys
  - **AES192** - Advanced Encryption Standard with 192-bit keys
  - **AES128** - Advanced Encryption Standard with 128-bit keys
  - **AES-GCM** - AES Galois/Counter Mode
  - **AES-CCM** - AES Counter with CBC-MAC
  - **ChaCha20** - a stream cipher derived from Salsa20
- HMAC integrity
  - **SHA384** - Secure Hashing Algorithm with 384-bit hash
  - **SHA256** - Secure Hashing Algorithm with 256-bit hash
  - **SHA** - Secure Hashing Algorithm with 160-bit hash

Cipher suites that use the Diffie-Hellman Ephemeral key exchange protocol rely on a set of parameters that you must generate. You can do that using the `openssl` utility. For example, to create a 2048-bit parameter file use this command:

```shell
openssl dhparam -dsaparam -out /etc/rwserve/tls/diffie-hellman-2048.pem 2048
```

The `-dsaparam` flag generates DSA-style parameters rather than searching for a safe prime, which is considerably faster. OpenSSL's documentation notes that such parameters are only safe when each DH key is used once, which is exactly how the ephemeral (DHE) exchange uses them.

### Certificate Authentication Algorithm

There are two types of certificates that you can use: the older RSA type and the newer ECDSA type. The choice is made when you obtain the cert from the certificate authority.

The cipher suites labeled with `ECDHE-ECDSA-` can only be used with the newer type.

### Assembling abbreviations into a cipher suite

The abbreviations enumerated above are the only ones suitable for use over HTTP/2 using TLS version 1.2.

Combining all of the different algorithms into every possible combination yields 108 possible cipher names (3 × 2 × 6 × 3). Fortunately, only some of these combinations make sense. They are:

- ECDHE-ECDSA-AES256-GCM-SHA384
- ECDHE-ECDSA-CHACHA20-POLY1305
- ECDHE-ECDSA-AES256-CCM
- ECDHE-ECDSA-AES128-GCM-SHA256
- ECDHE-ECDSA-AES128-CCM
- ECDHE-ECDSA-AES128-SHA256
- ECDHE-ECDSA-AES256-SHA †
- ECDHE-ECDSA-AES128-SHA †
- ECDHE-RSA-AES256-GCM-SHA384
- ECDHE-RSA-CHACHA20-POLY1305
- ECDHE-RSA-AES128-GCM-SHA256
- ECDHE-RSA-AES128-SHA256
- ECDHE-RSA-AES256-SHA †
- ECDHE-RSA-AES128-SHA †
- AES256-GCM-SHA384
- AES256-CCM
- AES128-GCM-SHA256
- AES128-CCM
- AES256-SHA256
- AES128-SHA256
- AES256-SHA †
- AES128-SHA †
- DHE-RSA-AES256-GCM-SHA384
- DHE-RSA-CHACHA20-POLY1305
- DHE-RSA-AES256-CCM
- DHE-RSA-AES128-GCM-SHA256
- DHE-RSA-AES128-CCM
- DHE-RSA-AES256-SHA256
- DHE-RSA-AES128-SHA256
- DHE-RSA-AES256-SHA †
- DHE-RSA-AES128-SHA †


## Configuration

The server can support many different ciphers, allowing it to be deployed in permissive and stringent security contexts. Configuring the server to use a custom set of cipher suites is optional.

The `ciphers` section is used to configure the server. It comprises a list of openssl cipher suite names, with one name per line, in top-to-bottom order of the *server's* preference. (Note that the browser has its own order of preference, which may override this.)

This section must be placed in the `server` section, not a `host` section.

If any of the cipher suites use the Diffie-Hellman Ephemeral key exchange algorithm (the cipher suites beginning with `DHE-RSA-`), you must also specify the location of a self-generated parameter file using a `diffie-hellman` entry. Be sure to surround the parameter file name with GRAVE-ACCENTS.

## EBNF

```
SP                   ::= U+20
CR                   ::= U+0D
SOLIDUS              ::= U+2F
ASTERISK             ::= U+2A
FULL-STOP            ::= U+2E
GRAVE-ACCENT         ::= U+60
LEFT-CURLY-BRACKET   ::= U+7B
RIGHT-CURLY-BRACKET  ::= U+7D

absolute-path        ::= GRAVE-ACCENT file-system-chars* GRAVE-ACCENT
diffie-hellman       ::= 'diffie-hellman' SP absolute-path CR
ciphers-section      ::= 'ciphers' SP LEFT-CURLY-BRACKET CR (openssl-cipher-name CR)* RIGHT-CURLY-BRACKET CR
server-section       ::= 'server' SP LEFT-CURLY-BRACKET CR diffie-hellman ciphers-section RIGHT-CURLY-BRACKET CR
```

† Legal file system characters (`file-system-chars`) vary by platform.
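The rules in the Configuration section and the grammar above can be checked mechanically before a restart. The following is an added example and not rwserve's own configuration parser, which the page does not show: it reads the line-oriented form the cookbook examples use (one `key value` or `name {` per line, `}` alone on a line, bare cipher names inside `ciphers { ... }`) and then verifies that `ciphers` sits directly in `server` rather than in a `host` section, that any `DHE-RSA-` suite is accompanied by a `diffie-hellman` entry, and that the entry's path is wrapped in grave accents. The `parse_config`, `check_ciphers` and `dh_param_path` names are this example's own.

```python
"""Check a rwserve-style configuration against the ciphers rules above.

Added example, not rwserve's own parser. The accepted syntax is the
line-oriented form used by the cookbook examples on this page.
"""
from typing import Any, Dict, List, Optional, Tuple


def parse_config(text: str) -> Dict[str, Any]:
    """Parse nested `name { ... }` blocks into dicts; a `ciphers` block
    becomes a list of names in the order written (server preference)."""
    root: Dict[str, Any] = {}
    stack: List[Tuple[str, Any]] = [("", root)]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        _, container = stack[-1]
        if line == "}":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: unexpected '}}'")
            stack.pop()
        elif line.endswith("{"):
            child_name = line[:-1].strip()
            if isinstance(container, list):
                raise ValueError(f"line {lineno}: no sections allowed inside ciphers")
            child: Any = [] if child_name == "ciphers" else {}
            container[child_name] = child
            stack.append((child_name, child))
        elif isinstance(container, list):
            if " " in line:
                raise ValueError(f"line {lineno}: one cipher name per line")
            container.append(line)
        else:
            key, _, value = line.partition(" ")
            container[key] = value.strip()
    if len(stack) != 1:
        raise ValueError(f"unterminated '{stack[-1][0]}' section")
    return root


def check_ciphers(config: Dict[str, Any]) -> List[str]:
    """Return the rule violations found; an empty list means acceptable."""
    problems: List[str] = []
    server = config.get("server")
    if not isinstance(server, dict):
        return ["no server section"]
    # Rule 1: ciphers belongs in server, never in a nested (host) section.
    for key, value in server.items():
        if isinstance(value, dict) and "ciphers" in value:
            problems.append(f"ciphers section inside '{key}': it belongs in server")
    ciphers = server.get("ciphers")
    dh = server.get("diffie-hellman")
    # Rule 2: DHE- suites need a self-generated parameter file.
    if ciphers is not None and any(n.startswith("DHE-") for n in ciphers) and dh is None:
        problems.append("DHE- suites listed but no diffie-hellman parameter file given")
    # Rule 3: the parameter path is written between grave accents.
    if dh is not None and not (len(dh) >= 2 and dh[0] == "`" and dh[-1] == "`"):
        problems.append("diffie-hellman path must be surrounded by grave accents")
    return problems


def dh_param_path(config: Dict[str, Any]) -> Optional[str]:
    """The parameter file path with its grave accents removed, or None."""
    dh = config.get("server", {}).get("diffie-hellman")
    return None if dh is None else dh.strip("`")


# Cookbook Example 4 from this page (dagger marks omitted).
EXAMPLE_4 = """
server {
  ip-address 8.16.32.64
  port 443
  cluster-size 2
  diffie-hellman `/etc/rwserve/tls/diffie-hellman-2048.pem`
  ciphers {
    DHE-RSA-AES256-GCM-SHA384
    DHE-RSA-CHACHA20-POLY1305
    DHE-RSA-AES256-CCM
    DHE-RSA-AES128-GCM-SHA256
    DHE-RSA-AES128-CCM
    DHE-RSA-AES256-SHA256
    DHE-RSA-AES128-SHA256
    DHE-RSA-AES256-SHA
    DHE-RSA-AES128-SHA
  }
}
"""

# Constructed counter-example: ciphers placed in a host section, and the
# parameter path written without grave accents.
BROKEN = """
server {
  ip-address 8.16.32.64
  port 443
  diffie-hellman /etc/rwserve/tls/diffie-hellman-2048.pem
  host {
    ciphers {
      ECDHE-RSA-AES128-GCM-SHA256
    }
  }
  ciphers {
    DHE-RSA-AES256-GCM-SHA384
  }
}
"""

if __name__ == "__main__":
    for label, text in (("example 4", EXAMPLE_4), ("broken", BROKEN)):
        print(label, check_ciphers(parse_config(text)) or "ok")
```

`check_ciphers(parse_config(EXAMPLE_4))` returns an empty list, while the constructed `BROKEN` text produces two findings, one for the misplaced `ciphers` section and one for the unquoted parameter path.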

## Cookbook

### Example 1: Elliptic Curve DHE using ECDSA

```
server {
  ip-address 8.16.32.64
  port 443
  cluster-size 2
  ciphers {
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-ECDSA-CHACHA20-POLY1305
    ECDHE-ECDSA-AES256-CCM
    ECDHE-ECDSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES128-CCM
    ECDHE-ECDSA-AES128-SHA256
    ECDHE-ECDSA-AES256-SHA
    ECDHE-ECDSA-AES128-SHA
  }
}
```

### Example 2: Elliptic Curve DHE using RSA

```
server {
  ip-address 8.16.32.64
  port 443
  cluster-size 2
  ciphers {
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-RSA-CHACHA20-POLY1305
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-SHA256
    ECDHE-RSA-AES256-SHA
    ECDHE-RSA-AES128-SHA
  }
}
```

### Example 3: Advanced Encryption Standard

```
server {
  ip-address 8.16.32.64
  port 443
  cluster-size 2
  ciphers {
    AES256-GCM-SHA384
    AES256-CCM
    AES128-GCM-SHA256
    AES128-CCM
    AES256-SHA256
    AES128-SHA256
    AES256-SHA
    AES128-SHA
  }
}
```

### Example 4: Diffie-Hellman Ephemeral

```
server {
  ip-address 8.16.32.64
  port 443
  cluster-size 2
  diffie-hellman `/etc/rwserve/tls/diffie-hellman-2048.pem`
  ciphers {
    DHE-RSA-AES256-GCM-SHA384
    DHE-RSA-CHACHA20-POLY1305
    DHE-RSA-AES256-CCM
    DHE-RSA-AES128-GCM-SHA256
    DHE-RSA-AES128-CCM
    DHE-RSA-AES256-SHA256
    DHE-RSA-AES128-SHA256
    DHE-RSA-AES256-SHA
    DHE-RSA-AES128-SHA
  }
}
```

## Review

Key points to remember:

- Cipher suites differ in strength, speed and safety.
- The server's default set of cipher suites can be overridden in the configuration file.
- Use this feature when today's "best" cipher suites are discovered to have vulnerabilities.