Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Transport Layer Security
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
===Cipher=== {{see also|Cipher suite|Block cipher|Cipher security summary}} {{Anchor|cipher-table}} {{sticky header}} {{sort under}} {|class="wikitable sortable sticky-header-multi sort-under" style=text-align:center |+[[Cipher]] security against publicly known feasible attacks |- !colspan=3|Cipher!!colspan=6|Protocol version!!rowspan=2|Status |- !Type !Algorithm !Nominal strength (bits) !SSL 2.0 !SSL 3.0<br/><ref group="n"name="rfc5746">{{IETF RFC|5746}} must be implemented to fix a renegotiation flaw that would otherwise break this protocol.</ref><ref group="n"name="renegotiation">If libraries implement fixes listed in {{IETF RFC|5746}}, this violates the SSL 3.0 specification, which the IETF cannot change unlike TLS. Most current libraries implement the fix and disregard the violation that this causes.</ref><ref group="n"name="BEAST">The [[#BEAST attack|BEAST]] attack breaks all block ciphers (CBC ciphers) used in SSL 3.0 and TLS 1.0 unless mitigated by the client or the server. See {{section link||Web browsers}}.</ref><ref group="n"name="POODLEciphertable">The [[POODLE]] attack breaks all block ciphers (CBC ciphers) used in SSL 3.0 unless mitigated by the client or the server. See {{section link||Web browsers}}.</ref> !TLS 1.0<br/><ref group="n"name="rfc5746"/><ref group="n"name="BEAST"/> !TLS 1.1<br/><ref group="n"name="rfc5746"/> !TLS 1.2<br/><ref group="n"name="rfc5746"/> !TLS 1.3 |- ! rowspan="17" {{verth|va=middle|[[Block cipher]] with [[Block cipher mode of operation|mode of operation]]}} ![[Advanced Encryption Standard|AES]] [[Galois/Counter Mode|GCM]]<ref name="aes-gcm">{{IETF RFC|5288|5289}}</ref><ref group="n"name="aead">[[AEAD block cipher modes of operation|AEAD]] ciphers (such as [[Galois/Counter Mode|GCM]] and [[CCM mode|CCM]]) can only be used in TLS 1.2 or later.</ref> |rowspan=3|256, 128 |{{N/A}}||{{N/A}}||{{N/A}}||{{N/A}}||{{Good|Secure}}||{{Good|Secure}}||rowspan="9"|Defined for TLS 1.2 in RFCs |- ![[Advanced Encryption Standard|AES]] [[CCM mode|CCM]]<ref name="aes-ccm">{{IETF RFC|6655|7251}}</ref><ref group="n"name="aead"/> |{{N/A}}||{{N/A}}||{{N/A}}||{{N/A}}||{{Good|Secure}}||{{Good|Secure}} |- ![[Advanced Encryption Standard|AES]] [[Cipher block chaining|CBC]]<ref group="n"name=Lucky13/> |{{N/A}}||{{Bad|Insecure}}||{{Depends|Depends on mitigations}}||{{Depends|Depends on mitigations}}||{{Depends|Depends on mitigations}}||{{N/A}} |- ![[Camellia (cipher)|Camellia]] [[Galois/Counter Mode|GCM]]<ref name="camellia-gcm">{{IETF RFC|6367}}</ref><ref group="n"name="aead"/> |rowspan=2|256, 128 |{{N/A}}||{{N/A}}||{{N/A}}||{{N/A}}||{{Good|Secure}}||{{N/A}} |- ![[Camellia (cipher)|Camellia]] [[Cipher block chaining|CBC]]<ref name="camellia-cbc">{{IETF RFC|5932|6367}}</ref><ref group="n"name=Lucky13/> |{{N/A}}||{{Bad|Insecure}}||{{Depends|Depends on mitigations}}||{{Depends|Depends on mitigations}}||{{Depends|Depends on mitigations}}||{{N/A}} |- ![[ARIA (cipher)|ARIA]] [[Galois/Counter Mode|GCM]]<ref name=aria/><ref group="n"name="aead"/> |rowspan=2|256, 128 |{{N/A}}||{{N/A}}||{{N/A}}||{{N/A}}||{{Good|Secure}}||{{N/A}} |- ![[ARIA (cipher)|ARIA]] [[Cipher block chaining|CBC]]<ref name="aria">{{IETF RFC|6209}}</ref><ref group="n"name=Lucky13/> |{{N/A}}||{{N/A}}||{{Depends|Depends on mitigations}}||{{Depends|Depends on mitigations}}||{{Depends|Depends on mitigations}}||{{N/A}} |- ![[SEED (cipher)|SEED]] [[Cipher block chaining|CBC]]<ref name="seed-cbc">{{IETF RFC|4162}}</ref><ref group="n"name=Lucky13/> |128 |{{N/A}}||{{Bad|Insecure}}||{{Depends|Depends on mitigations}}||{{Depends|Depends on mitigations}}||{{Depends|Depends on mitigations}}||{{N/A}} |- ![[Triple DES|3DES EDE]] [[Cipher block chaining|CBC]]<ref group="n"name=Lucky13>CBC ciphers can be attacked with the [[Lucky Thirteen attack]] if the library is not written carefully to eliminate timing side channels.</ref>{{refn|group="n"|name=Sweet32|The [[Sweet32]] attack breaks block ciphers with a block size of 64 bits.<ref name=Sweet32>{{cite web|url=https://sweet32.info/SWEET32_CCS16.pdf|title=On the Practical (In-)Security of 64-bit Block Ciphers β Collision Attacks on HTTP over TLS and OpenVPN|date=2016-10-28|access-date=2017-06-08|url-status=live|archive-url=https://web.archive.org/web/20170424021101/https://sweet32.info/SWEET32_CCS16.pdf|archive-date=2017-04-24}}</ref>}} |112{{refn|group="n"|name="3des"|Although the key length of 3DES is 168 bits, effective security strength of 3DES is only 112 bits,<ref name=NIST_SP_800-57>{{cite web|url=http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf|title=NIST Special Publication 800-57 ''Recommendation for Key Management β Part 1: General (Revised)''|date=2007-03-08|access-date=2014-07-03|url-status=dead|archive-url=https://web.archive.org/web/20140606050814/http://csrc.nist.gov/publications/nistpubs/800-57/sp800-57-Part1-revised2_Mar08-2007.pdf|archive-date=June 6, 2014}}</ref> which is below the recommended minimum of 128 bits.<ref name="best-practices">{{cite web|url=https://www.ssllabs.com/projects/best-practices/index.html|title=SSL/TLS Deployment Best Practices|author=Qualys SSL Labs|access-date=2 June 2015|url-status=live|archive-url=https://web.archive.org/web/20150704101956/https://www.ssllabs.com/projects/best-practices/index.html|archive-date=4 July 2015}}</ref>}} |{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}} |- ![[GOST (block cipher)|GOST R 34.12-2015 Magma]] [[Block cipher mode of operation#Counter (CTR)|CTR]]<ref name=gostlink/><ref group="n"name=Sweet32/> |256 |{{N/A}}||{{N/A}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}}||Defined in {{IETF RFC|4357|9189}} |- ![[Kuznyechik|GOST R 34.12-2015 Kuznyechik]] [[Block cipher mode of operation#Counter (CTR)|CTR]]<ref name=gostlink/> |256 |{{N/A}} |{{N/A}} |{{N/A}} |{{N/A}} |{{Good|Secure}} |{{N/A}} |Defined in {{IETF RFC|9189}} |- ![[GOST (block cipher)|GOST R 34.12-2015 Magma]] [[Authenticated encryption|MGM]]<ref name=gostlink/><ref group="n"name="aead"/><ref group="n"name=Sweet32/> |256 |{{N/A}} |{{N/A}} |{{N/A}} |{{N/A}} |{{N/A}} |{{Bad|Insecure}} |Defined in {{IETF RFC|9367}} |- ![[Kuznyechik|GOST R 34.12-2015 Kuznyechik]] [[Authenticated encryption|MGM]]<ref name=gostlink/><ref group="n"name="aead"/> |256 |{{N/A}} |{{N/A}} |{{N/A}} |{{N/A}} |{{N/A}} |{{Good|Secure}} |Defined in {{IETF RFC|9367}} |- ![[International Data Encryption Algorithm|IDEA]] [[Cipher block chaining|CBC]]<ref group="n"name=Lucky13/><ref group="n"name=Sweet32/>{{refn|group="n"|name="removal_from_tls1.2"|IDEA and DES have been removed from TLS 1.2.<ref>{{IETF RFC|5469}}</ref>}} |128 |{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}}||{{N/A}}||rowspan="2"|Removed from TLS 1.2 |- !rowspan=2|[[Data Encryption Standard|DES]] [[Cipher block chaining|CBC]]<ref group="n"name=Lucky13/><ref group="n"name=Sweet32/><ref group="n"name="removal_from_tls1.2"/> |{{0}}56 |{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}}||{{N/A}} |- |{{0}}40<ref group="n"name="EXPORT">40-bit strength cipher suites were intentionally designed with reduced key lengths to comply with since-rescinded US regulations forbidding the export of cryptographic software containing certain strong encryption algorithms (see [[Export of cryptography from the United States]]). These weak suites are forbidden in TLS 1.1 and later.</ref> |{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}}||{{N/A}}||{{N/A}}||rowspan=2|Forbidden in TLS 1.1 and later |- ![[RC2]] [[Cipher block chaining|CBC]]<ref group="n"name=Lucky13/><ref group="n"name=Sweet32/> |{{0}}40<ref group="n"name="EXPORT"/> |{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}}||{{N/A}}||{{N/A}} |- !rowspan=3 {{verth|[[Stream cipher]]}} ![[ChaCha20]]-[[Poly1305]]<ref name="chacha20poly1305">{{IETF RFC|7905}}</ref><ref group="n"name="aead"/> |256 |{{N/A}}||{{N/A}}||{{N/A}}||{{N/A}}||{{Good|Secure}}||{{Good|Secure}}||Defined for TLS 1.2 in RFCs |- !rowspan="2"|[[RC4]]<ref group="n"name="RC4">Use of RC4 in all versions of TLS is prohibited by {{IETF RFC|7465}} (because [[#RC4 attacks|RC4 attacks]] weaken or break RC4 used in SSL/TLS).</ref> |128 |{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}}||rowspan="2"|Prohibited in all versions of TLS by {{IETF RFC|7465}} |- |{{0}}40<ref group="n"name="EXPORT"/> |{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}}||{{N/A}}||{{N/A}} |- !{{CNone|None}} !{{CNone|Null}}<ref group="n">Authentication only, no encryption.</ref> |β |{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{Bad|Insecure}}||{{N/A}}||Defined for TLS 1.2 in RFCs |} '''Notes''' {{reflist|group="n"}}
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)