[Ach] Cipher-Order: AES128/AES256 - was: Secure E-Mail Transport based on DNSSec/TLSA/DANE
Gunnar Haslinger
gh.bettercrypto at hitco.at
Tue Nov 3 20:21:22 CET 2015
On 03.11.2015 at 12:39, Aaron Zauner wrote:
> The problem with these cipherstrings is that
> they're interpreted differently depending on the OpenSSL branch and
> version.
Is this true?
I think the String just works syntactically correct as designed.
Let's have a look at the current cipherString-B and split it up at the ":"
https://git.bettercrypto.org/ach-master.git/blob/HEAD:/src/common/cipherStringB.tex
EDH+CAMELLIA
EDH+aRSA
EECDH+aRSA+AESGCM
EECDH+aRSA+SHA256
EECDH
+CAMELLIA128
+AES128
+SSLv3
!aNULL
!eNULL
!LOW
!3DES
!MD5
!EXP
!PSK
!DSS
!RC4
!SEED
!IDEA
!ECDSA
kEDH
CAMELLIA128-SHA
AES128-SHA
As I can see, you push "+AES128" to the end by using the "+" prefix in line 7.
This results in (as already pasted in the mail before):
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-CAMELLIA256-SHA
DHE-RSA-AES256-SHA
ECDHE-RSA-AES256-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-RSA-AES128-SHA
ECDHE-RSA-AES128-SHA
CAMELLIA128-SHA
AES128-SHA
Let's keep in mind the syntax rules, especially the "+" rule which might
not be very intuitive:
https://www.openssl.org/docs/manmaster/apps/ciphers.html
If ! is used then the ciphers are permanently deleted from the list. The
ciphers deleted can never reappear in the list even if they are
explicitly stated.
If - is used then the ciphers are deleted from the list, but some or all
of the ciphers can be added again by later options.
If + is used then the ciphers are moved to the end of the list. This
option doesn't add any new ciphers it just moves matching existing ones.
So I can't see how Azet's information that AES128 should be
preferred could be covered by that cipher string.
Maybe you wanted to use "+AES256" and this was a typo?
Replacing "+AES128" by "+AES256" to push back AES256 and prefer AES128,
you get this list, which looks better:
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-CAMELLIA256-SHA
DHE-RSA-AES128-SHA
ECDHE-RSA-AES128-SHA
DHE-RSA-CAMELLIA128-SHA
DHE-RSA-AES256-SHA
ECDHE-RSA-AES256-SHA
CAMELLIA128-SHA
AES128-SHA
Sorry - I didn't want to roll up your Cipher-String-Discussion, which I
don't know as I joined the list this summer - but in my mind this
cipher-string is long, complex and doesn't even include CipherStrings
like AES256-SHA256, AES256-SHA, AES256-GCM-SHA384, AES128-GCM-SHA256,
... which are not so bad in my mind (except not supporting forward
secrecy, but AES128-SHA, which you include at the end of your string,
doesn't even support PFS; it's one of these last-hope cipherstrings for old
Clients without DHE/ECDHE Support).
So again, I used "my own" cipher-string and my goal was:
1) be as secure as BetterCrypto-Cipherstring-B, but:
2) Performance: prefer ECDHE over DHE
3) Performance: prefer AES128 over AES256
4) throw out Camellia - but if you like Camellia just replace the "!"
before CAMELLIA by a "+" which keeps it in and pushes it to the back.
$ openssl ciphers -v 'EECDH:EDH:AESGCM:AES:+AES256:SHA:aRSA:!aNULL:!eNULL:!LOW:!MEDIUM:!MD5:!PSK:!SRP:!DES:!3DES:!ECDSA:!kECDH:!DSS:!CAMELLIA'
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA256
ECDHE-RSA-AES128-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
DHE-RSA-AES128-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(128) Mac=SHA256
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
AES128-GCM-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA256
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA384
ECDHE-RSA-AES256-SHA SSLv3 Kx=ECDH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AES(256) Mac=SHA256
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
AES256-GCM-SHA384 TLSv1.2 Kx=RSA Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256 TLSv1.2 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA256
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
and optionally with "+CAMELLIA" at the end:
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
regards,
Gunnar
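
Added example (not part of the original mail and not OpenSSL's code): a simplified Python model of the "!", "-" and "+" rules quoted in the message, showing that a trailing "+AES128" demotes AES128 while "+AES256" prefers it. The suite table, its built-in order, the `BASE` string and the function name `expand` are assumptions made for the illustration.

```python
# Simplified model of the "!", "-" and "+" operators; not OpenSSL's own code.
# Constructed table: suite name -> keywords it matches. The table order stands
# in for the library's built-in ordering (assumed: 256-bit before 128-bit).
SUITES = {
    "DHE-RSA-AES256-GCM-SHA384":   {"EDH", "aRSA", "AES", "AES256", "AESGCM"},
    "ECDHE-RSA-AES256-GCM-SHA384": {"EECDH", "aRSA", "AES", "AES256", "AESGCM"},
    "DHE-RSA-AES128-GCM-SHA256":   {"EDH", "aRSA", "AES", "AES128", "AESGCM"},
    "ECDHE-RSA-AES128-GCM-SHA256": {"EECDH", "aRSA", "AES", "AES128", "AESGCM"},
    "DHE-RSA-CAMELLIA256-SHA":     {"EDH", "aRSA", "CAMELLIA", "CAMELLIA256"},
    "AES128-SHA":                  {"kRSA", "aRSA", "AES", "AES128", "SHA"},
}

def expand(cipher_string):
    """Return the ordered suite list a cipher string selects in this model."""
    active, killed = [], set()
    for item in filter(None, cipher_string.split(":")):
        op = item[0] if item[0] in "!-+" else ""
        wanted = set(item[len(op):].split("+"))       # inner "+" means AND
        # A token matches by keyword set or by the exact suite name.
        hits = [s for s, tags in SUITES.items() if wanted <= tags | {s}]
        if op == "!":                                  # deleted permanently
            killed.update(hits)
            active = [s for s in active if s not in hits]
        elif op == "-":                                # deleted, may be re-added
            active = [s for s in active if s not in hits]
        elif op == "+":                                # existing ones move to end
            moved = [s for s in active if s in hits]
            active = [s for s in active if s not in hits] + moved
        else:                                          # add what is not yet listed
            active += [s for s in hits if s not in active and s not in killed]
    return active

# Constructed, shortened cipher string for the demonstration.
BASE = "EDH+aRSA:EECDH+aRSA+AESGCM:!CAMELLIA"

if __name__ == "__main__":
    for tail in ("+AES128", "+AES256"):
        print(tail, "->", expand(BASE + ":" + tail))
    print("!AES128 then AES128 ->", expand("AES:!AES128:AES128"))
    print("-AES128 then AES128 ->", expand("AES:-AES128:AES128"))
    print("+CAMELLIA adds nothing ->", expand("EECDH:+CAMELLIA"))
```

On a real system the authoritative check remains `openssl ciphers -v '<string>'` run against the OpenSSL build that the server actually links.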