# TLS 1.2: AES_128_GCM or AES_256_CBC for better security?



## tdc-adm (Feb 25, 2014)

Hi, I want to set up an SSL server with the best security. I can force my friends to use browsers with TLS support. For now, Chrome supports AES_128_GCM and AES_256_CBC with TLS 1.2. Which cipher should I choose? Is there any difference between 128 bits and 256 bits in this case?


----------



## wlanboy (Feb 25, 2014)

GCM is recommended; it is even approved by NIST.

Since TLS 1.2 (and for this topic TLS 1.1 too) CBC is ok because it is immune to BEAST attacks.

Difference on 128 bit vs 256 bit: 256 bit is more "secure" - harder to calculate.


----------



## Shados (Feb 26, 2014)

In practice, both 128-bit and 256-bit AES are impossible to crack, so choosing on the basis of GCM > CBC is probably a good move.


----------



## GIANT_CRAB (Feb 26, 2014)

AHSFDGSFDGAG

Luckily, I have been looking through all these cipher suites these few days

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:!NULL:!eNULL:!aNULL:!DSS:!RC4:!DES:!3DES:-MEDIUM:-LOW

USE THAT, YOU GET BEST THING EVER. These are basically the only cipher suites with forward secrecy.


----------



## Wintereise (Feb 26, 2014)

Going to FS-only ciphers will mean that legacy API clients (think curl / old wget with outdated certs) will all be unable to connect to you -- as @GIANT_CRAB found out today.

Use a mixture of older, and newer -- with preference on newer. And yes, GCM is preferred.


----------



## tdc-adm (Feb 26, 2014)

tdc-adm said:


> I can force my friends to use browsers with TLS support.


As I mentioned above, I don't worry about old clients. Because they are all my friends, they should change their browsers for their better privacy. Actually, I will set up the seafile web interface for my friends, so I will select the most secure cipher. For now, I don't see any browser supporting AES_256_GCM.


----------



## kaniini (Feb 26, 2014)

The reason why you don't see support for AES_256_GCM is because GCM operates on 128 bit blocks, with a 128 bit trailing MAC, yielding a 256 bit frame. In effect, there is no 256-bit GCM mode (this would yield a 512 bit frame) so there can't be an AES_256_GCM.

edit: thinko


----------



## kaniini (Feb 26, 2014)

wlanboy said:


> Difference on 128 bit vs 256 bit: 256 bit is more "secure" - harder to calculate.


The difficulty for encrypting and decrypting a 256-bit block is the same as a 128-bit block.  Considering properly-implemented TLS uses a ratchet to change the session key after each N records sent, a 128-bit block cipher is actually more secure for two reasons:

1. Ratcheting will occur more frequently (it is done every N records), thusly compromise of a single session key means less data will be recovered.

2. The IV used is different for each block, so smaller block size = more IV variance, thusly more security.  Basically it takes twice the CPU time to decrypt two 128-bit blocks as it would one 256-bit block.


----------



## GIANT_CRAB (Feb 26, 2014)

Wintereise said:


> Going to FS only ciphers only will mean that legacy API clients (think curl / old wget with outdated certs) will all be unable to connect to you -- as @GIANT_CRAB found out today.
> 
> Use a mixture of older, and newer -- with preference on newer. And yes, GCM is preferred.


FUCKING PAYPAL.

They should really update their stupid curl shit.

EDIT:

This cipher suite should work for Payfail

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:!NULL:!eNULL:!aNULL:!DSS:!RC4:!DES:!3DES:-MEDIUM:-LOW


----------



## howardsl2 (Feb 27, 2014)

There is a website to test how well your site's SSL works. See if you can get an A+. To retest, click on "Clear cache" when the test is finished:

https://www.ssllabs.com/ssltest/

Here are the SSL ciphers I use (achieves Forward Secrecy):

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

Adding this line in Nginx configuration for HSTS:

add_header Strict-Transport-Security max-age=15768000;

In addition, set up OCSP Stapling as mentioned here. This should further speed up your site.
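As an added example (not code from this thread or from any of the posters), here is a small Python audit that asks the local OpenSSL which TLS 1.2 suites a cipher string actually enables and then checks the property Wintereise and howardsl2 are describing: forward-secret (ECDHE/DHE) suites ranked first, with older RSA-key-exchange suites kept only as a fallback for legacy clients. The cipher string `CIPHER_STRING`, the helper names `classify`, `expand` and `audit`, and the sample suite list are all constructed for this example and are not from the original posts.

```python
import ssl

# Constructed cipher string in the style the thread recommends: ephemeral
# (EECDH/EDH) AEAD suites first, ephemeral CBC suites next, plain RSA key
# exchange last as a legacy fallback, and anonymous/weak suites excluded.
# EECDH/EDH are used instead of ECDH/DH so that static (non-FS) suites on
# older OpenSSL builds are never matched.
CIPHER_STRING = (
    "EECDH+AESGCM:EDH+AESGCM:EECDH+AES256:EDH+AES256:EECDH+AES128:EDH+AES:"
    "RSA+AESGCM:RSA+AES:!aNULL:!eNULL:!MD5:!DSS:!RC4"
)


def classify(name):
    """Classify one OpenSSL cipher-suite name purely from its name tokens.

    forward_secrecy: key exchange is ephemeral (ECDHE/DHE), so a later
    compromise of the server's long-term key does not expose past sessions.
    aead: authenticated mode (GCM/CCM/CHACHA20) rather than CBC + HMAC.
    key_bits: symmetric key size advertised by the name, if any.
    Note that 'ECDH-RSA-...' (static ECDH) and 'AES128-...' (RSA key
    exchange) are correctly reported as NOT forward secret.
    """
    tokens = name.split("-")
    forward_secrecy = tokens[0] in ("ECDHE", "DHE", "EECDH", "EDH")
    aead = any(t in ("GCM", "CCM", "CHACHA20") for t in tokens)
    key_bits = None
    for tok in tokens:
        if tok.startswith("AES") and tok[3:].isdigit():
            key_bits = int(tok[3:])
        elif tok.startswith("CAMELLIA") and tok[8:].isdigit():
            key_bits = int(tok[8:])
        elif tok == "CHACHA20":
            key_bits = 256
    return {"name": name, "forward_secrecy": forward_secrecy,
            "aead": aead, "key_bits": key_bits}


def expand(cipher_string):
    """Return the TLS 1.2 suites the local OpenSSL enables for cipher_string,
    in server preference order. OpenSSL lists TLS 1.3 suites regardless of
    the string, so those are filtered out here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def audit(names):
    """Summarise an ordered suite list: how many are forward secret, how many
    are AEAD, which ones are the non-FS legacy fallback, and whether every
    forward-secret suite is ranked above every non-FS one."""
    rows = [classify(n) for n in names]
    first_non_fs = next(
        (i for i, r in enumerate(rows) if not r["forward_secrecy"]), len(rows))
    fs_after_non_fs = [r["name"] for r in rows[first_non_fs:] if r["forward_secrecy"]]
    return {
        "total": len(rows),
        "forward_secret": sum(r["forward_secrecy"] for r in rows),
        "aead": sum(r["aead"] for r in rows),
        "legacy_fallback": [r["name"] for r in rows if not r["forward_secrecy"]],
        "fs_preferred": not fs_after_non_fs,
    }


if __name__ == "__main__":
    enabled = expand(CIPHER_STRING)
    for row in (classify(n) for n in enabled):
        print(f"{row['name']:40s} FS={row['forward_secrecy']!s:5s} "
              f"AEAD={row['aead']!s:5s} bits={row['key_bits']}")
    print(audit(enabled))
```

Run it on the server's own OpenSSL; the `legacy_fallback` list is exactly the set of suites an old curl/wget client would be limited to, and `fs_preferred` being false means a reordering of the cipher string is needed before the forward-secret suites actually win negotiation.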


----------



## 24/7/365 (Feb 27, 2014)

I'm curious as to what your website hosts. Is it the next Wikileaks with information on friends and family? Is it the secret recipe to gran's beef brisket?


----------



## tdc-adm (Feb 27, 2014)

24/7/365 said:


> I'm curious as to what your website hosts. Is it the next Wikileaks with information on friends and family? Is it the secret recipe to gran's beef brisket?


Not another Wikileaks site. But if I can set up a better mode, why don't I do it? At least I can learn something from all your advice :lol: Thank you all.


----------

