0

I can see that with openssl list-cipher-algorithms I can get a long list of ciphers that can be used to encrypt data. However, I know that not all methods are equally secure and some may even be outdated.

E.g. ECB may reveal patterns in data and DES is considered legacy. My question is, where can I find which of these are considered unsafe or not recommended to use? It seems like NIST may be a potential source, but I've not been fortunate enough to find anything.

So far, my searches haven't been able to answer this, so I would love to know if there was a resource somewhere that stated best practices.

The entire list that I am interrested in finding the results for:

AES-128-CBC
AES-128-CBC-HMAC-SHA1
AES-128-CFB
AES-128-CFB1
AES-128-CFB8
AES-128-CTR
AES-128-ECB // UNSAFE
AES-128-OFB
AES-128-XTS
AES-192-CBC
AES-192-CFB
AES-192-CFB1
AES-192-CFB8
AES-192-CTR
AES-192-ECB // UNSAFE
AES-192-OFB
AES-256-CBC
AES-256-CBC-HMAC-SHA1
AES-256-CFB
AES-256-CFB1
AES-256-CFB8
AES-256-CTR
AES-256-ECB // UNSAFE
AES-256-OFB
AES-256-XTS
AES128 => AES-128-CBC
AES192 => AES-192-CBC
AES256 => AES-256-CBC
BF => BF-CBC
BF-CBC
BF-CFB
BF-ECB
BF-OFB
CAMELLIA-128-CBC
CAMELLIA-128-CFB
CAMELLIA-128-CFB1
CAMELLIA-128-CFB8
CAMELLIA-128-ECB
CAMELLIA-128-OFB
CAMELLIA-192-CBC
CAMELLIA-192-CFB
CAMELLIA-192-CFB1
CAMELLIA-192-CFB8
CAMELLIA-192-ECB
CAMELLIA-192-OFB
CAMELLIA-256-CBC
CAMELLIA-256-CFB
CAMELLIA-256-CFB1
CAMELLIA-256-CFB8
CAMELLIA-256-ECB
CAMELLIA-256-OFB
CAMELLIA128 => CAMELLIA-128-CBC
CAMELLIA192 => CAMELLIA-192-CBC
CAMELLIA256 => CAMELLIA-256-CBC
CAST => CAST5-CBC
CAST-cbc => CAST5-CBC
CAST5-CBC
CAST5-CFB
CAST5-ECB
CAST5-OFB
ChaCha
DES => DES-CBC
DES-CBC
DES-CFB
DES-CFB1
DES-CFB8
DES-ECB
DES-EDE
DES-EDE-CBC
DES-EDE-CFB
DES-EDE-OFB
DES-EDE3
DES-EDE3-CBC
DES-EDE3-CFB
DES-EDE3-CFB1
DES-EDE3-CFB8
DES-EDE3-OFB
DES-OFB
DES3 => DES-EDE3-CBC
DESX => DESX-CBC
DESX-CBC
gost89
RC2 => RC2-CBC
RC2-40-CBC
RC2-64-CBC
RC2-CBC
RC2-CFB
RC2-ECB
RC2-OFB
RC4
RC4-40
RC4-HMAC-MD5
AES-128-CBC
AES-128-CBC-HMAC-SHA1
AES-128-CFB
AES-128-CFB1
AES-128-CFB8
AES-128-CTR
AES-128-ECB
id-aes128-GCM
AES-128-OFB
AES-128-XTS
AES-192-CBC
AES-192-CFB
AES-192-CFB1
AES-192-CFB8
AES-192-CTR
AES-192-ECB
id-aes192-GCM
AES-192-OFB
AES-256-CBC
AES-256-CBC-HMAC-SHA1
AES-256-CFB
AES-256-CFB1
AES-256-CFB8
AES-256-CTR
AES-256-ECB
id-aes256-GCM
AES-256-OFB
AES-256-XTS
aes128 => AES-128-CBC
aes192 => AES-192-CBC
aes256 => AES-256-CBC
bf => BF-CBC
BF-CBC
BF-CFB
BF-ECB
BF-OFB
blowfish => BF-CBC
CAMELLIA-128-CBC
CAMELLIA-128-CFB
CAMELLIA-128-CFB1
CAMELLIA-128-CFB8
CAMELLIA-128-ECB
CAMELLIA-128-OFB
CAMELLIA-192-CBC
CAMELLIA-192-CFB
CAMELLIA-192-CFB1
CAMELLIA-192-CFB8
CAMELLIA-192-ECB
CAMELLIA-192-OFB
CAMELLIA-256-CBC
CAMELLIA-256-CFB
CAMELLIA-256-CFB1
CAMELLIA-256-CFB8
CAMELLIA-256-ECB
CAMELLIA-256-OFB
camellia128 => CAMELLIA-128-CBC
camellia192 => CAMELLIA-192-CBC
camellia256 => CAMELLIA-256-CBC
cast => CAST5-CBC
cast-cbc => CAST5-CBC
CAST5-CBC
CAST5-CFB
CAST5-ECB
CAST5-OFB
ChaCha
des => DES-CBC
DES-CBC
DES-CFB
DES-CFB1
DES-CFB8
DES-ECB
DES-EDE
DES-EDE-CBC
DES-EDE-CFB
DES-EDE-OFB
DES-EDE3
DES-EDE3-CBC
DES-EDE3-CFB
DES-EDE3-CFB1
DES-EDE3-CFB8
DES-EDE3-OFB
DES-OFB
des3 => DES-EDE3-CBC
desx => DESX-CBC
DESX-CBC
gost89
gost89-cnt
gost89-ecb
id-aes128-GCM
id-aes192-GCM
id-aes256-GCM
rc2 => RC2-CBC
RC2-40-CBC
RC2-64-CBC
RC2-CBC
RC2-CFB
RC2-ECB
RC2-OFB
RC4
RC4-40
RC4-HMAC-MD5
Tikki
  • 3
  • 2
  • 3
    The easy answer is; use the TLS 1.3 cipher suites and forget the others. – kelalaka Mar 21 '22 at 12:53
  • Are you using openssl to run a server that accepts connections from clients over SSL/TLS? Or, are you using openssl to encrypt data offline? I believe the answer to your question will depend on your use case. – mti2935 Mar 21 '22 at 14:29
  • That's good to know :)! In this specific case, it's for encrypting data offline and not for communication with others. – Tikki Mar 21 '22 at 15:14

1 Answers1

1

From OpenSSL's website, the most secure ciphersuites are:

TLS_AES_256_GCM_SHA384
TLS_CHACHA20_POLY1305_SHA256
TLS_AES_128_GCM_SHA256
TLS_AES_128_CCM_8_SHA256
TLS_AES_128_CCM_SHA256

You should disable all other suites if you can. Those are the suites of the last version of TLS, 1.3. Indeed, more than just disabling the less secure ciphersuites, you should also disable old versions of TLS.

All credit for this answer should go to kelalaka's comment.

PS: Those ciphersuites are useful if you want to protect data in transit, using TLS. If you just want to encrypt data to store it somewhere, then you should avoid using OpenSSL. Libsodium is better suited to this task. Indeed, its documentation is easier to read and this library only offer the state-of-the-art configuration options.

If you are stuck with OpenSSL for encryption at rest, you can deduce good ciphers from the TLS 1.3 list above. They are: AES-256-GCM, AES-128-GCM, AES-128-CCM, and CHACHA20. Their correspondence with the output of openssl enc -ciphers is -aes-256-ctr, -aes-128-ctr and -chacha20. Please note that those ciphers do not provide any integrity protection. They should not be used alone, without an authentication tag (MAC).

A. Hersean
  • 10,046
  • 3
  • 28
  • 42
  • 1
    The question appears to be about *encryption* ciphers, not TLS ciphersuites. That is an entirely different thing. OpenSSL's encryption ciphers can be used standalone - not within the context of TLS. Within the context of TLS you only list TLSv1.3 ciphersuites. There are TLSv1.2 ciphersuites that are also considered secure. At least the "TLS_AES_128_CCM_8_SHA256" TLSv1.3 ciphersuite above is not enabled by default in OpenSSL and probably should not be used unless you know what you are doing. It has a reduced length tag which has security implications. – Matt Caswell Mar 21 '22 at 14:39
  • @MattCaswell Thanks for your pointing my oversight. I have completed my answer. I hope it now addresses your concerns. – A. Hersean Mar 21 '22 at 15:07