Crypto Cipher Suite Comparison

Comparison of the different components of the Cryptographic Cipher Suites

Components

As detailed in my post on Cryptographic Cipher Suites each of the suites has a Protocol, a Key Exchange algorithm, a Signature Authentication algorithm, an Encryption algorithm, and a Message Authentication algorithm.
Here we are going to compare these different components and highlight the cipher suites currently considered strong*.

* currently only means at the time of this writting - a flaw could be found in the algorithm or in the implementation of the algorithm at any time, so do additional research to confirm the current strength of the cipher suite. You’ve been warned…

One last point - I am going to restrict the list of suites to those supported by Windows 10/Windows Server v1903 - because it is the most recent one that they have published a list for (I believe the same list applies to v1909, but I haven’t confirmed this), and because it is the area of computers where I spend the most time working with ciphers.

The List

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_NULL_SHA256
TLS_RSA_WITH_NULL_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_DES_CBC_SHA
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA No TLS 1.2, TLS 1.1, TLS 1.0, SSL 3.0
TLS_RSA_WITH_NULL_MD5
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA
TLS_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA
TLS_PSK_WITH_AES_256_GCM_SHA384
TLS_PSK_WITH_AES_128_GCM_SHA256
TLS_PSK_WITH_AES_256_CBC_SHA384
TLS_PSK_WITH_AES_128_CBC_SHA256
TLS_PSK_WITH_NULL_SHA384
TLS_PSK_WITH_NULL_SHA256

Source

Protocol

This one is simple, they all start with TLS, there is no alternate listed. So, nothing to see here, move along, move along.

Key Exchange

There are 4 Key Exchange options:

ECHDE
DHE
RSA
PSK

These are short for:
ECHDE - Elliptic Curve Diffie-Hellman Ephemeral - Diffie-Hellman algorithm with Elliptical Curves and an Ephemeral key
DHE - Diffie-Hellman Ephemeral - Diffie-Hellman algorithm with Ephermeral key
RSA - Rivest Shamir Adleman - RSA algorithm
PSK - Pre-Shared Key - a pre-shared key

Elliptic curve cryptogrophy is a relatively newer form, so may not be supported by all devices - however, it benefits from using a smaller key size because the mathmatics are such that reversing the algorith is exceedingly costly - computationally.

Ephemeral keys allow for Perfect Forward Secrecy - this is good, but I’m not going to go into it here.

Diffie-Hellman and RSA were both invented in the 1970s, I believe Diffie-Hellman is considered to be a stronger algorithm (I may be wrong about this, I don’t have any specific sources), but RSA is more widely used.

PSK is only available for applications on Windows to use - so this won’t be used by IIS or a web browser on the computer (generally); I’ve included it here for completeness.

Signature Authentication

There are 3 Signature Authentication algoriths:

ECDSA
RSA
DSS

ECDSA - Elliptic Curve Digital Signature Algorith - The Digital Signature Algorithm, part of the NIST FIPS, using an Elliptic Curve
RSA - Rivest Shamir Adleman - RSA algorimth, as above
DSS - Digital Signature Standard - Defined by NIST as part of FIPS

DSA and DSS are part of the NIST FIPS suite of algorithms.
RSA is the other option. There are technically two “export” options on this list, but they intentially weak, so let’s just pretend they aren’t there, and never use them…

Encryption

There are 4 different Encryption algorithms available - in order of strength they are:

AES  
3DES  
RC4  
DES

There is also NULL - but that would be no encryption - so it should not be used.
DES, 3DES and RC4 are legacy and should be avoided.
Leaving only AES.

There are 4 different options for AES.
AES 256 GCM
AES 128 GCM
AES 256 CBC
AES 128 CBC

CBC - Cipher Block Chaining - this suffers from weaknesses that can be exploited and should be avoided.
GCM - Galois/Counter mode - addresses the weaknesses in CBC and is also faster to generate.
The options of 128 or 256 are the key size used in the encryption, larger keys are better, but some devices might not be able to calculate the larger keys quickly. GCM 128 is quite strong, 256 is stronger, but might slow down applications on some older devices.

Message Authentication

There are two options for Message authentication - SHA and MD5.

MD5 is considered insecure and should be avoided.
SHA means SHA-1 (Secure Hashing Algorithm version 1), while SHA256 and SHA384 are both SHA-2 (version 2), with either a 256 or 384 bit hash. Longer hashes are better, but take more CPU resources to compute. SHA-1 is considered insecure, and is no longer used for SSL Certificates - but because it only generates a 160 bit hash, it might be fine for your use case.

What is Strong*

Well - for starters, it really depends on what you are securing and what you need. If you have just had a security audit run against your internal systems and the report says you need to clean up the suites on your internal webserver, then you need to determine what algorithms are supported by your clients - older OSes may not support newer options - and if their hardware will be able to compute the longer hashes/encrypted messages.

That said - the strongest options is probably:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

But, you don’t want to restrict your systems to just one cipher suite, you will need to configure a few suites, in order of preference (usually). So these are the ones that are I would suggest you have enabled:
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

If you need to take a look at additonal cipher suites - look them up on CipherSuite.info and see what rating they provide (Recommended, Secure, Weak or Insecure).

comments powered by Disqus