TLS 1.2: AES_128_GCM or AES_256_CBC for better security?

Discussion in 'Questions and Answers' started by tdc-adm, Feb 25, 2014.

1. tdc-adm (New Member)

Hi, I want to set up an SSL server with the best security. I can force my friends to use browsers with TLS support. For now, Chrome supports AES_128_GCM and AES_256_CBC with TLS 1.2. Which cipher should I choose? Is there any difference between 128 bits and 256 bits in this case?

2. wlanboy (Content Contributor)

    GCM is recommended; it is even approved by NIST.

    Since TLS 1.2 (and for this topic TLS 1.1 too) CBC is ok because it is immune to BEAST attacks.

Difference between 128-bit and 256-bit: 256-bit is more "secure" - harder to calculate.

3. Shados (Professional Snake Miner)

In practice, both 128-bit and 256-bit AES are impossible to crack, so choosing on the basis of GCM > CBC is probably a good move.

4. GIANT_CRAB (New Member)

    AHSFDGSFDGAG

Luckily, I have been looking through all these cipher suites these past few days.

    ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:!NULL:!eNULL:!aNULL:!DSS:!RC4:!DES:!3DES:-MEDIUM:-LOW

USE THAT, YOU GET BEST THING EVER. These are basically the only cipher suites with forward secrecy.

5. Wintereise (New Member)

Going to FS-only ciphers will mean that legacy API clients (think curl / old wget with outdated certs) will all be unable to connect to you -- as @GIANT_CRAB found out today.

Use a mixture of older and newer -- with preference on newer. And yes, GCM is preferred.

6. tdc-adm (New Member)

As I mentioned above, I don't worry about old clients. Because they are all my friends, they should change their browsers for their own better privacy. Actually, I will set up the Seafile web interface for my friends, so I will select the most secure cipher. For now, I don't see any browser supporting AES_256_GCM.

7. kaniini (Beware the bunny-rabbit!, Verified Provider)

The reason why you don't see support for AES_256_GCM is because GCM operates on 128-bit blocks, with a 128-bit trailing MAC, yielding a 256-bit frame. In effect, there is no 256-bit GCM mode (this would yield a 512-bit frame), so there can't be an AES_256_GCM.

edit: thinko

Last edited by a moderator: Feb 26, 2014

8. kaniini (Beware the bunny-rabbit!, Verified Provider)

The difficulty of encrypting and decrypting a 256-bit block is the same as for a 128-bit block. Considering that properly implemented TLS uses a ratchet to change the session key after every N records sent, a 128-bit block cipher is actually more secure for two reasons:

1. Ratcheting will occur more frequently (it is done every N records), thusly compromise of a single session key means less data will be recovered.

2. The IV used is different for each block, so smaller block size = more IV variance, thusly more security. Basically, it takes twice the CPU time to decrypt two 128-bit blocks as it would one 256-bit block.

9. GIANT_CRAB (New Member)

    FUCKING PAYPAL.

They should really update their stupid curl shit.

    EDIT:

This cipher suite list should work for Payfail:

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:!NULL:!eNULL:!aNULL:!DSS:!RC4:!DES:!3DES:-MEDIUM:-LOW

Last edited by a moderator: Feb 26, 2014
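A quick way to see what the two cipher lists in this thread (the forward-secrecy-only one and the "Payfail" one above) actually offer, as an added example that is not code from the thread: a small Python classifier over explicit OpenSSL suite names. It does not expand aliases such as ECDH+AESGCM or HIGH (only `openssl ciphers -v '<string>'` does that authoritatively); the sample input is the Payfail list copied from the post, and the script flags the three suites that give no forward secrecy, which is exactly the trade-off Wintereise describes.

```python
import re

# Constructed sample input: the cipher string posted above for PayPal's
# callback, copied verbatim so the result can be checked against the thread.
CIPHER_STRING = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:"
    "DHE-RSA-AES256-SHA:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:"
    "AES128-GCM-SHA256:!NULL:!eNULL:!aNULL:!DSS:!RC4:!DES:!3DES:-MEDIUM:-LOW"
)

EPHEMERAL_KX = {"ECDHE", "DHE"}   # ephemeral (EC)DH: per-session keys, forward secrecy
BULK = re.compile(r"^(AES|CAMELLIA)(128|256)$")

def classify(suite):
    """Describe one explicit OpenSSL suite name. Directives (!X, -X, +X) and
    aliases (ECDH+AESGCM, HIGH) return None: only `openssl ciphers -v` expands them."""
    if not suite or suite[0] in "!-+" or "+" in suite or "-" not in suite:
        return None
    parts = suite.split("-")
    if parts[0] in EPHEMERAL_KX or parts[0] == "ECDH":
        kx, auth, rest = parts[0], parts[1], parts[2:]
    else:  # names like AES128-GCM-SHA256 mean RSA key exchange + RSA auth in OpenSSL
        kx, auth, rest = "RSA", "RSA", parts
    bulk = next((m for m in map(BULK.match, rest) if m), None)
    if bulk is None:
        return None
    return {
        "suite": suite, "kx": kx, "auth": auth,
        "cipher": bulk.group(1), "bits": int(bulk.group(2)),
        "mode": "GCM" if "GCM" in rest else "CBC",  # AES-CCM names are not handled here
        "forward_secrecy": kx in EPHEMERAL_KX,
    }

def audit(cipher_string):
    """Classify every explicit suite in a colon-separated OpenSSL cipher string."""
    return [c for c in map(classify, cipher_string.split(":")) if c]

def without_forward_secrecy(cipher_string):
    """Suites a client may still negotiate that give no forward secrecy."""
    return [c["suite"] for c in audit(cipher_string) if not c["forward_secrecy"]]

if __name__ == "__main__":
    for c in audit(CIPHER_STRING):
        fs = "FS" if c["forward_secrecy"] else "--"
        print(f"{fs} {c['suite']:<30} {c['kx']:<5} {c['cipher']}{c['bits']} {c['mode']}")
```

With nginx the order of this list only decides the negotiated suite when `ssl_prefer_server_ciphers on` is set; otherwise the client's preference wins.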

10. howardsl2 (New Member)

    There is a website to test how well your site's SSL works. See if you can get an A+. To retest, click on "Clear cache" when the test is finished:

    https://www.ssllabs.com/ssltest/

    Here are the SSL ciphers I use (achieves Forward Secrecy):

    ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

    Adding this line in Nginx configuration for HSTS:

    add_header Strict-Transport-Security max-age=15768000;

In addition, set up OCSP Stapling as mentioned here. This should further speed up your site.

Last edited by a moderator: Feb 27, 2014

11. 24/7/365 (New Member, Verified Provider)

I'm curious as to what your website hosts. Is it the next Wikileaks with information on friends and family? Is it the secret recipe to gran's beef brisket?

12. tdc-adm (New Member)

:D Not another Wikileaks site. But if I can set up a better mode, why wouldn't I do it? At least I can learn something from all your advice :lol: Thank you all.