Questions tagged [cipher-selection]

For questions about the step of the SSL/TLS handshake where the cipher is negotiated between the client and the server. This tag could also be used for questions about which ciphers to support in your application / configuration.

198 questions
12
votes
2 answers

Forward secrecy for kids

In the Scouts, it is popular to use secret codes to write messages (which are simple ciphers). I want to introduce Forward secrecy to the kids so they can use it with these ciphers. So, if the competing team found a ciphered message and decoded it…
11
votes
2 answers

TLS_RSA_WITH_3DES_EDE_CBC_SHA reported as 112 bits

I am no expert in this area but after some searching I am not too sure about the solution. An external vendor doing a penetration test on our server reported that we have TLS_RSA_WITH_3DES_EDE_CBC_SHA with 112 bits enabled and reported that as a…
aqwert
10
votes
1 answer

DHE_DSS vs. DHE_RSA

I have been studying to learn about various cipher suites and their performance; I'm wondering about the difference between DHE_DSS_AES256_CBC ciphersuites and DHE_RSA_AES256_CBC ciphersuites. I gathered that DSS is efficient when compared with RSA.…
chris
8
votes
3 answers

How do browsers negotiate SSL/TLS connection parameters?

For the purpose of this question, let's assume that an SSL/TLS connection has 4 parameters: protocol, symmetric encryption method, asymmetric encryption method, MAC. During the negotiation of SSL parameters, a browser tries to achieve the best…
boleslaw.smialy
8
votes
1 answer

How to disable cipher RC4 in ubuntu 12.04

I have been doing Network Scan for our box and Ncircle reported SSL Server support RC4 ciphers for SSLv3. Based on that I did a search and I plan to add to /etc/apache/conf.d/security the following: SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite…
black sensei
8
votes
1 answer

What block ciphers and algorithms are now safe?

I work for a large non-US based international organisation. Regarding the recent leaks about the NSA breaking most encryption on the internet, we now know the US and UK governments are actively involved in weakening encryption standards and…
jcnrm
8
votes
3 answers

What are the 'P' values in some cipher string?

Most of the cipher strings I see are in the format: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 However, I've come across workstations with…
user58446
8
votes
1 answer

SSH ciphers, MAC and key-exchange (and pen-tests thereof)

At work we've been trying to move our external-facing services away from a policy of inclusivity (where we tried to accept as many people as possible) to a more security-focused setup. The first step was pen-testing some of our core web…
jimbobmcgee
7
votes
1 answer

JSSE recommended cipher suites

In the wake of POODLE I am reviewing the configuration of a number of Tomcat servers running on the JSSE connector. In order to work out what ciphers JSSE supported I wrote a little snippet that emitted all the available ciphers, the result…
7
votes
1 answer

Is it possible that a TLS server sends more than one certificate to the client for the same site?

What I'm trying to achieve is to enable ECDSA and DSS ciphers on my site, but at the same time not depend just on self-signed certificates, so I could send my client more than one certificate and they could select ECDSA and DSS over RSA if they can…
user30395
7
votes
2 answers

Picking cipher suites for HTTPS

I'm trying to work out the best approach to choosing which cipher suites to provide, and what the issues might be. It's my understanding that during the SSL handshake, the client will (normally) choose the most secure algorithms which are supported…
symcbean
7
votes
1 answer

Is the order of cipher suites related to the client's preferences?

I am wondering if the order in which the cipher suites appear (from top to bottom) in the ClientHello message, and the client preference are relevant. So for example in the picture I have attached, is TLS_RSA_WITH_RC4_128_MD5 the most preferred…
Irene Ant
7
votes
1 answer

Openssl ciphers list sorting and removing

I was playing with the ciphers app to create an example list of suites. Looking at the website (https://openssl.org/docs/manmaster/apps/ciphers.html) if I run one of the examples there: openssl ciphers -v '3DES:+RSA' I am supposed to get a list of 3DES…
6
votes
3 answers

Cipher used for request data encryption used by browser

Please note that this is not about how SSL communication happens between browser (I researched and understood it) and client but other aspects. Using Digicert's SSL mechanism explanation I have understood how the data is encrypted between browsers…
hagrawal
6
votes
1 answer

How to change personal cipher/digest preferences of existing OpenPGP key in GnuPG?

The OpenPGP key contains a list of personal algorithm preferences (the meaning of the numbers can be decoded in RFC 4880): # gpg -a --export "foo@example.com" | gpg --list-packets | fgrep 'pref-' hashed subpkt 11 len 5 (pref-sym-algos: 9 8 7 3…
Martin Vegter