
TLS 1.2: AES_128_GCM or AES_256_CBC for better security?

tdc-adm

New Member
Hi, I want to set up an SSL server with the best security. I can force my friends to use browsers with TLS support. For now, Chrome supports AES_128_GCM and AES_256_CBC with TLS 1.2. Which cipher should I choose? Is there any difference between 128 bits and 256 bits in this case?
 

wlanboy

Content Contributer
GCM is recommended; it is even approved by NIST.

Since TLS 1.2 (and for this topic TLS 1.1 too) CBC is OK because it is immune to BEAST attacks.

Difference on 128 bit vs 256 bit: 256 bit is more "secure" - harder to calculate.
 

Shados

Professional Snake Miner
In practice, both 128-bit and 256-bit AES are impossible to crack, so choosing on the basis of GCM > CBC is probably a good move.
 

GIANT_CRAB

New Member
AHSFDGSFDGAG

Luckily, I have been looking through all these cipher suites these past few days.

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:!NULL:!eNULL:!aNULL:!DSS:!RC4:!DES:!3DES:-MEDIUM:-LOW

USE THAT, YOU GET THE BEST THING EVER. These are basically the only cipher suites with forward secrecy.
 

Wintereise

New Member
Going to FS-only ciphers will mean that legacy API clients (think curl / old wget with outdated certs) will all be unable to connect to you -- as @GIANT_CRAB found out today.

Use a mixture of older, and newer -- with preference on newer. And yes, GCM is preferred.
 

tdc-adm

New Member
I can force my friends to use browsers with TLS support.
As I mentioned above, I don't worry about old clients, because they are all my friends; they should change their browsers for their own privacy. Actually, I will set up a Seafile web interface for my friends, so I will select the most secure cipher. For now, I don't see any browser supporting AES_256_GCM.
 

kaniini

Beware the bunny-rabbit!
Verified Provider
The reason why you don't see support for AES_256_GCM is because GCM operates on 128 bit blocks, with a 128 bit trailing MAC, yielding a 256 bit frame. In effect, there is no 256-bit GCM mode (this would yield a 512 bit frame) so there can't be a AES_256_GCM.

edit: thinko
 

kaniini

Beware the bunny-rabbit!
Verified Provider
Difference on 128 bit vs 256 bit: 256 bit is more "secure" - harder to calculate.
The difficulty for encrypting and decrypting a 256-bit block is the same as a 128-bit block. Considering properly-implemented TLS uses a ratchet to change the session key after each N records sent, a 128-bit block cipher is actually more secure for two reasons:

1. Ratcheting will occur more frequently (it is done every N records), thusly compromise of a single session key means less data will be recovered.

2. The IV used is different for each block, so smaller block size = more IV variance, thusly more security. Basically it takes twice the CPU time to decrypt two 128-bit blocks as it would one 256-bit block.
 

GIANT_CRAB

New Member
Going to FS-only ciphers will mean that legacy API clients (think curl / old wget with outdated certs) will all be unable to connect to you -- as @GIANT_CRAB found out today.

Use a mixture of older, and newer -- with preference on newer. And yes, GCM is preferred.
FUCKING PAYPAL.

They should really update their stupid curl shit.

EDIT:

This cipher suite should work for Payfail

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:!NULL:!eNULL:!aNULL:!DSS:!RC4:!DES:!3DES:-MEDIUM:-LOW
 
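The following is an added example, not code from any poster in this thread: a small Python model of how OpenSSL interprets a cipher string such as the two lists posted above, used to show which of the suites in the "Payfail" list give forward secrecy and which are AEAD (GCM). It understands only the suite names that appear in the string itself plus the `!`, `-` and `+` operators; keyword aliases (HIGH, MEDIUM, aNULL, SHA, ...) are matched against tags derived from each suite name, which approximates OpenSSL's real table rather than reproducing it, so cross-check the result with `openssl ciphers -v '<string>'` on the server itself.

```python
"""Model an OpenSSL cipher string over the suites it names (added example)."""
import re

# OpenSSL suite names look like [KX-AUTH-]ENC[-MODE]-MAC.  A missing KX-AUTH
# prefix means RSA key transport, which never gives forward secrecy.
_SUITE_RE = re.compile(
    r"^(?:(?P<kx>ECDHE|ECDH|DHE)-(?P<au>ECDSA|RSA|DSS)-)?"
    r"(?P<enc>AES128|AES256|CAMELLIA128|CAMELLIA256|DES-CBC3|RC4|NULL)"
    r"(?:-(?P<mode>GCM))?-(?P<mac>SHA384|SHA256|SHA|MD5)$"
)

# Strength aliases roughly as OpenSSL 1.1+ groups them (assumption of this example).
_STRENGTH = {"AES128": "HIGH", "AES256": "HIGH", "CAMELLIA128": "HIGH",
             "CAMELLIA256": "HIGH", "3DES": "MEDIUM", "RC4": "MEDIUM", "NULL": None}

# The two lists GIANT_CRAB posted in this thread.
CRAB_FS_ONLY = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:"
    "DHE-RSA-AES256-SHA:!NULL:!eNULL:!aNULL:!DSS:!RC4:!DES:!3DES:-MEDIUM:-LOW")
CRAB_WITH_PAYPAL = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:"
    "DHE-RSA-AES256-SHA:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:"
    "AES128-GCM-SHA256:!NULL:!eNULL:!aNULL:!DSS:!RC4:!DES:!3DES:-MEDIUM:-LOW")


def classify(name):
    """Describe one suite: key exchange, auth, cipher, mode, MAC, and the alias
    tags (HIGH, aRSA, kECDHE, GCM, SHA, ...) that a cipher-string keyword can hit."""
    m = _SUITE_RE.match(name)
    if not m:
        raise ValueError(f"unsupported suite name: {name}")
    kx = m["kx"] or "RSA"
    au = m["au"] or "RSA"
    enc = "3DES" if m["enc"] == "DES-CBC3" else m["enc"]
    mode = m["mode"] or ("NONE" if enc in ("RC4", "NULL") else "CBC")
    tags = {f"k{kx}", f"a{au}", kx, au, enc, mode, m["mac"]}
    if _STRENGTH[enc]:
        tags.add(_STRENGTH[enc])
    if enc == "NULL":
        tags.add("eNULL")
    return {
        "name": name, "kx": kx, "au": au, "enc": enc, "mode": mode, "mac": m["mac"],
        # Only ephemeral (EC)DH gives forward secrecy.  Static ECDH-* suites (the
        # RSA/ECDSA in their name is the CA signature on the cert) and RSA key
        # transport reuse the long-term certificate key for every session.
        "fs": kx in ("ECDHE", "DHE"),
        "aead": mode == "GCM",
        "tags": tags,
    }


def evaluate(cipher_string):
    """Return the ordered suite list an OpenSSL cipher string selects, limited to
    suites named in the string.  '!' kills a match for good, '-' removes it but a
    later token may add it back, '+' moves matches to the end."""
    tokens = [t for t in cipher_string.strip().rstrip(";").split(":") if t]
    universe = {t: classify(t) for t in tokens if _SUITE_RE.match(t)}
    order, killed = [], set()
    for tok in tokens:
        op, word = (tok[0], tok[1:]) if tok[0] in "!-+" else ("", tok)
        matches = [n for n, p in universe.items() if word == n or word in p["tags"]]
        if op == "!":
            killed.update(matches)
            order = [n for n in order if n not in matches]
        elif op == "-":
            order = [n for n in order if n not in matches]
        elif op == "+":
            order = [n for n in order if n not in matches] + [n for n in order if n in matches]
        else:
            for n in matches:
                if n not in killed and n not in order:
                    order.append(n)
    return order


def without_forward_secrecy(cipher_string):
    """Suites the string offers that would not give forward secrecy if negotiated."""
    return [n for n in evaluate(cipher_string) if not classify(n)["fs"]]


def aead_suites(cipher_string):
    """Suites in the string that use GCM (AEAD) rather than CBC or a stream cipher."""
    return [n for n in evaluate(cipher_string) if classify(n)["aead"]]


if __name__ == "__main__":
    for label, cs in (("FS-only list", CRAB_FS_ONLY),
                      ("list with the PayPal additions", CRAB_WITH_PAYPAL)):
        print(f"== {label} ==")
        for n in evaluate(cs):
            p = classify(n)
            print(f"{n:30} kx={p['kx']:5} {p['enc']:11} {p['mode']:4} "
                  f"FS={'yes' if p['fs'] else 'NO '} AEAD={'yes' if p['aead'] else 'no'}")
```

Running it shows that the three suites appended for PayPal (ECDH-RSA-AES128-SHA256, ECDH-ECDSA-AES128-SHA256, AES128-GCM-SHA256) are exactly the ones without forward secrecy, so the "fixed" list is no longer FS-only; with `ssl_prefer_server_ciphers on` they sit at the end and are only reached by clients that cannot do ECDHE or DHE.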

howardsl2

New Member
There is a website to test how well your site's SSL works. See if you can get an A+. To retest, click on "Clear cache" when the test is finished:

https://www.ssllabs.com/ssltest/

Here are the SSL ciphers I use (they achieve Forward Secrecy):

ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

Adding this line in Nginx configuration for HSTS:

add_header Strict-Transport-Security max-age=15768000;

In addition, set up OCSP Stapling as mentioned here. This should further speed up your site.
 

24/7/365

New Member
Verified Provider
I'm curious as to what your website hosts. Is it the next Wikileaks with information on friends and family? Is it the secret recipe to gran's beef brisket?
 

tdc-adm

New Member
I'm curious as to what your website hosts. Is it the next Wikileaks with information on friends and family? Is it the secret recipe to gran's beef brisket?
:D Not another Wikileaks site. But if I can set up a better mode, why wouldn't I do it? At least I can learn something from all your advice :lol: Thank you all.
 