Changes

Jump to navigation Jump to search
Line 17: Line 17:  
Departments should choose TLS cipher suites using ephemeral Diffie-Hellman (DH) and ephemeral Elliptic Curve Diffie-Hellman (ECDH) (those with DHE or ECDHE specified in the cipher suite name) since they provide perfect forward secrecy. When using a cipher suite that provides perfect forward secrecy, the compromise of a long-term private key used in deriving a subsequent session key does not cause the compromise of prior session keys.
 
Departments should choose TLS cipher suites using ephemeral Diffie-Hellman (DH) and ephemeral Elliptic Curve Diffie-Hellman (ECDH) (those with DHE or ECDHE specified in the cipher suite name) since they provide perfect forward secrecy. When using a cipher suite that provides perfect forward secrecy, the compromise of a long-term private key used in deriving a subsequent session key does not cause the compromise of prior session keys.
 
<br>
 
<br>
 +
===About Cipher Suites===
 +
A cipher suite is a defined set of algorithms used to secure network connections between two end points (e.g.: user client and server). In the TLS handshake, cipher suites are presented by both the client and server as a means to agree on a communications scheme, and determine a common code to use. TLS 1.2 cipher suites include an initial key exchange algorithm, a bulk/message encryption algorithm, and a message authentication code, as in the example below:
 +
 +
'''TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384'''
 +
<br><br>
 +
The meaning of this name is:
 +
* ''TLS'' defines the protocol that this cipher suite is for; it will usually be TLS.
 +
* ''ECDHE_ECDSA'' indicates the key exchange algorithm being used. The key exchange algorithm is used to determine if and how the client and server will authenticate during the handshake.
 +
* ''AES_256_GCM'' indicates the block cipher being used to encrypt the message stream, together with the block cipher mode of operation.
 +
* ''SHA384'' indicates the message authentication algorithm which is used to authenticate a message.
 +
 
===Secure configuration advice recommendations===
 
===Secure configuration advice recommendations===
 
In general, when configuring servers:
 
In general, when configuring servers:
263

edits

Navigation menu

GCwiki