11

There are a lot of cipher suites defined in the specifications themselves of TLS 1.0, 1.1 and 1.2. Furthermore, there exist RFCs which add even more cipher suites to a specific version (e.g. RFC 4492 for ECC or RFC 4132 for Camellia).

Is there an official organization like, for example, NIST or BSI Germany that has a list of which cipher suites are considered to be safe? Or are all cipher suites offered by a specific TLS version safe to use?

Hendrik Brummermann
Peter

2 Answers

9

NIST maintains "Special Publication SP 800-52" for guidance with regard to TLS usage. In April 2014, SP 800-52 Revision 1 was published.

There are a lot of combinations of options, which cannot be readily shortened into an answer; you have to read the document to see what NIST really wants. See sections 3.9 (for servers) and 4.9 (for clients) for summaries of the NIST recommendations. Some highlights:

  • NIST requires TLS 1.1 support, with TLS 1.2 being warmly recommended. SSL 2.0 and 3.0 are explicitly forbidden. TLS servers for "government-only applications" are required NOT to support TLS 1.0 either (so they really want to force usage of recent versions). Sysadmins are expected to "develop migration plans" for a general support of TLS 1.2 no later than January 1st, 2015 (so NIST is even in kind of a hurry; I don't believe it will really happen so soon, though).
  • They drop static Diffie-Hellman (nobody supports that anyway) and they finally embrace RSA. 2048-bit or longer keys, of course. ECDSA is also acceptable, using the P-256 or P-384 standard NIST curves.
  • They recommend ECDHE cipher suites (and they much prefer ECDHE over DHE).
  • Encryption shall be 3DES or AES. 3DES support MUST still be maintained (they insist on it, "for interoperability reasons"; one must assume that there still are a lot of deployed systems which do not support AES cipher suites).
  • When using TLS 1.2, use of AES-GCM is, of course, recommended.
  • They include an appendix which talks about Certificate Transparency, DANE (DNSSEC), Convergence... but they don't emit specific recommendations.
  • There is not a single word, good or bad, about SRP. They do talk a bit about PSK cipher suites (and they recommend not using them).
Tom Leek
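As an added example (not part of the original answer and not an official NIST tool), the following Python script applies the bullet list above to cipher suites given by their IANA names, the form in which a scanner such as nmap's ssl-enum-ciphers or a server configuration lists them. It encodes only the highlights stated in the answer (ECDHE preferred over DHE, RSA or ECDSA authentication, AES or 3DES only, AES-GCM recommended under TLS 1.2, static DH and PSK not to be used), not the full text of SP 800-52 Revision 1, so anything a suite name cannot carry (RSA key length, curve choice, certificate profile) still has to be checked separately. The suite list SCAN_RESULT is a constructed sample, and the class and function names are this example's own.

```python
"""Audit TLS cipher suites (IANA names) against the SP 800-52 Rev. 1
highlights quoted in the answer above.

Added example, not from the original post and not a NIST tool: the rules
are a literal reading of the answer's bullet list, not of SP 800-52r1
itself, which has further conditions a suite name cannot express.
"""
import re
from dataclasses import dataclass, field

# IANA names have the shape TLS_<key exchange>_WITH_<bulk cipher>[_<mac>].
# AEAD suites such as TLS_DHE_RSA_WITH_AES_128_CCM carry no MAC suffix.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>[A-Za-z0-9_]+?)_WITH_(?P<enc>[A-Z0-9_]+?)"
    r"(?:_(?P<mac>SHA256|SHA384|SHA|MD5))?$"
)


@dataclass
class Verdict:
    suite: str
    rank: int = 0                 # lower is better; orders the accepted suites
    requires_tls12: bool = False  # AEAD and SHA-256/384 suites exist only in TLS 1.2
    problems: list = field(default_factory=list)  # any entry means "do not offer"
    remarks: list = field(default_factory=list)   # advisory only

    @property
    def accepted(self) -> bool:
        return not self.problems


def evaluate(suite: str) -> Verdict:
    """Apply the answer's rules to one IANA cipher suite name."""
    v = Verdict(suite)
    m = SUITE_RE.match(suite)
    if not m:
        v.problems.append("not a recognisable IANA cipher suite name")
        return v
    kx, enc, mac = m.group("kx"), m.group("enc"), m.group("mac")
    parts = kx.split("_")

    # Key exchange and authentication.
    if "PSK" in parts:
        v.problems.append("PSK suite: the answer reports NIST recommends against them")
    elif parts[0] == "SRP":
        v.problems.append("SRP suite: not addressed by SP 800-52r1 at all")
    elif parts[-1] == "anon":
        v.problems.append("anonymous key exchange: no RSA or ECDSA server authentication")
    elif "EXPORT" in parts:
        v.problems.append("export-grade suite: key sizes far below the 2048-bit RSA minimum")
    elif parts[0] in ("DH", "ECDH"):
        v.problems.append("static (EC)DH key exchange: dropped by SP 800-52r1")
    elif parts[0] in ("ECDHE", "DHE"):
        v.rank += 0 if parts[0] == "ECDHE" else 1  # ECDHE is preferred over DHE
        auth = parts[1] if len(parts) > 1 else "?"
        if auth not in ("RSA", "ECDSA"):
            v.problems.append(f"authentication {auth}: only RSA and ECDSA are listed")
    elif parts == ["RSA"]:
        v.rank += 2  # RSA key transport is acceptable with 2048-bit or longer keys
        v.remarks.append("RSA key transport: check the certificate key is >= 2048 bits")
    else:
        v.problems.append(f"key exchange {kx}: not ECDHE, DHE or RSA")

    # Bulk cipher: AES or 3DES only, AES-GCM recommended under TLS 1.2.
    if enc.startswith("AES_"):
        if enc.endswith("_GCM"):
            v.rank += 0
        elif "_CCM" in enc:
            v.rank += 1
            v.remarks.append("AES-CCM: AES, but not the GCM mode the guidance recommends")
        else:
            v.rank += 2
            v.remarks.append("AES-CBC: acceptable; prefer GCM where TLS 1.2 is available")
    elif enc == "3DES_EDE_CBC":
        v.rank += 3
        v.remarks.append("3DES: to be kept for interoperability only")
    else:
        v.problems.append(f"bulk cipher {enc}: neither AES nor 3DES")

    # GCM/CCM (AEAD) and SHA-256/SHA-384 suites are defined for TLS 1.2 only.
    v.requires_tls12 = enc.endswith("_GCM") or "_CCM" in enc or mac in ("SHA256", "SHA384")
    return v


def filter_suites(suites):
    """Split suites into accepted verdicts (best first) and rejected verdicts."""
    verdicts = [evaluate(s) for s in suites]
    accepted = sorted((v for v in verdicts if v.accepted), key=lambda v: (v.rank, v.suite))
    rejected = [v for v in verdicts if not v.accepted]
    return accepted, rejected


# Constructed sample: what a cipher scanner might report a server as offering.
SCAN_RESULT = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256",
    "TLS_PSK_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_anon_WITH_AES_128_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_RSA_WITH_NULL_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CCM",
]

if __name__ == "__main__":
    accepted, rejected = filter_suites(SCAN_RESULT)
    print("offer, in this order:")
    for v in accepted:
        tag = " (TLS 1.2 only)" if v.requires_tls12 else ""
        print(f"  {v.suite}{tag}  {'; '.join(v.remarks)}")
    print("remove:")
    for v in rejected:
        print(f"  {v.suite}: {'; '.join(v.problems)}")
```

Run against the sample, the script keeps six suites, ordered ECDHE/GCM first and 3DES last, and rejects the other seven with the rule that caught each one (RC4, static DH, Camellia, PSK, anonymous ECDH, export-grade and NULL encryption). The requires_tls12 flag is there because a server that is forced to keep TLS 1.1 for interoperability cannot negotiate the GCM or SHA-256 suites with such clients, so the CBC/SHA-1 entries are what those clients will actually get.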
7

You might want to have a look at RFC 6460 - Suite B Profile for Transport Layer Security (TLS). (Thanks to Jumbogram for highlighting the new RFC).

There are also some lists of known weak ciphersuites to avoid. You can find some guidelines on testing those from OWASP.

And recently there's a little bit of a humdrum going on about BEAST, including several posts on Stack Exchange... here's one of my favourites :)

Yoav Aner