IBM Security Verify

Is there a list of recommended cipher specs?

    Posted Thu May 12, 2022 02:14 PM
    I was asked by an MQ customer if there is a recommended list of cipher specs that should be used, and which ones not to use, when using TLS.

    I've dug around and found:

    TLS 1.3 is good.

    Elliptic Curve Diffie-Hellman Ephemeral and Elliptic Curve certificates are good... e.g.


    But with the recent announcement from IBM about quantum computing, and how it will make breaking prime-number-based encryption easy, it looks like RSA should not be used.

    I see that Lattice based encryption is available to ICSF on z/16 - but I cannot find this in openssl or in GSKIT.

    So given we want to connect z/OS, Windows and Linux systems together, is there a simple guide to help users decide what to use? Is there an industry direction?

    Is the following valid?

    Authentication(Certificate) type

    You can create certificates with certificate types of RSA or Digital Signature Algorithm (DSA), Elliptic Curve (and DSA).

    I recommend having an Elliptic Curve (+DSA) certificate as the server certificate because it is stronger and better than the others.

    This means using cipher specs like TLS_…_ECDSA_WITH….

    Handshake protocols

    1. Diffie-Hellman is better than RSA.
    2. Use TLS_ECDH… over TLS_DH… (Diffie-Hellman using Elliptic Curve)
    3. Use TLS_ECDHE_ (Elliptic Curve Diffie-Hellman with Ephemeral) over TLS_ECDH_ (Elliptic Curve Diffie-Hellman; Ephemeral is better)

    This means use cipher suites


    Symmetric encryption algorithms

    This is the information after the WITH_.

    AES is better than DES or 3DES.

    Use cipher suite

    1. TLS_…_…_WITH_AES_256_…_…
    2. TLS_…_…_WITH_AES_128_…_…

    Block data encryption

    GCM is better than CCM, which is better than CBC. (For example, GCM calculations can exploit multiple processor pipelines, whereas CBC does not exploit multiple CPUs.)

    AEAD ciphers include GCM and ChaCha20-Poly1305 (available in TLS 1.3).

    SHA384 is stronger than SHA256 which is stronger than SHA. I saw some comments that SHA384 is better than SHA512 because of problems if a bad guy changes the size of the file when SHA512 is used.

    1. TLS_…_…_WITH_AES_256_GCM_SHA384
    2. TLS_…_…_WITH_AES_128_GCM_SHA256

    Colin Paice
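A check that can be run over a configured cipher-suite list, added here as an example and not part of the post or of IBM MQ/GSKit: it parses IANA-style suite names (TLS 1.2 and TLS 1.3 forms) and applies the post's own preference rules (ECDHE over ECDH over RSA, AES over DES/3DES, GCM over CBC, SHA384 over SHA256 over SHA-1). The numeric weights and the regular expression are my assumptions; the suite names in the test are constructed inputs.

```python
import re

# Constructed example: preference orders as stated in the post (higher is
# better). This mirrors the post's guidance only, not a full standards review.
KX_SCORE = {"ECDHE": 3, "DHE": 2, "ECDH": 1, "DH": 1, "RSA": 0}
CIPHER_SCORE = {"AES_256": 3, "CHACHA20": 3, "AES_128": 2, "3DES_EDE": 0, "DES": 0}
MODE_SCORE = {"GCM": 3, "POLY1305": 3, "CCM": 2, "CBC": 1}
HASH_SCORE = {"SHA384": 3, "SHA256": 2, "SHA": 1}

# IANA-style names: TLS_<kx>[_<auth>]_WITH_<cipher>_<mode>_<hash> for TLS 1.2
# (TLS_RSA_WITH_... uses RSA for both), or TLS_<cipher>_<mode>_<hash> for
# TLS 1.3, where the key exchange is always ephemeral (EC)DHE.
SUITE_RE = re.compile(
    r"^TLS_(?:(?P<kx>ECDHE|ECDH|DHE|DH|RSA)(?:_(?P<auth>ECDSA|RSA|DSS))?_WITH_)?"
    r"(?P<cipher>AES_256|AES_128|CHACHA20|3DES_EDE|DES)_"
    r"(?P<mode>GCM|CCM|CBC|POLY1305)_(?P<hash>SHA384|SHA256|SHA)$"
)


def assess(name):
    """Parse one suite name; return its parts, a score and the post's objections."""
    m = SUITE_RE.match(name)
    if not m:
        return {"name": name, "valid": False, "issues": ["unrecognised suite name"]}
    p = m.groupdict()
    tls13 = p["kx"] is None           # no KX_WITH_ prefix: TLS 1.3 form
    kx = "ECDHE" if tls13 else p["kx"]
    auth = p["auth"] or (None if tls13 else kx)  # TLS 1.3: set by the certificate
    issues = []
    if kx == "RSA":
        issues.append("RSA key exchange: no forward secrecy; post prefers Diffie-Hellman")
    elif kx in ("ECDH", "DH"):
        issues.append("static Diffie-Hellman: post prefers the ephemeral ECDHE/DHE form")
    if p["cipher"] in ("DES", "3DES_EDE"):
        issues.append("DES/3DES: post prefers AES")
    if p["mode"] == "CBC":
        issues.append("CBC: post prefers an AEAD mode such as GCM")
    if p["hash"] == "SHA":
        issues.append("SHA-1: post prefers SHA256 or SHA384")
    score = (KX_SCORE[kx] + CIPHER_SCORE[p["cipher"]]
             + MODE_SCORE[p["mode"]] + HASH_SCORE[p["hash"]])
    return {"name": name, "valid": True, "tls13": tls13, "kx": kx, "auth": auth,
            "cipher": p["cipher"], "mode": p["mode"], "hash": p["hash"],
            "score": score, "issues": issues}


def rank(names):
    """Order suite names best first by the post's rules; unparsed names go last."""
    return sorted(names, key=lambda n: -assess(n).get("score", -1))
```

Suites with an empty `issues` list are the ones the post would allow; `rank` then orders them by its stated preferences (AES_256 and SHA384 ahead of AES_128 and SHA256).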