The ever–evolving TLS ciphersuite

Of all the subjects I’ve taken at UTS, Network Security has been one of the most fascinating. My mathematics and networking have never been great, but I’ve been keenly interested in ciphers and encryption for years, and have been tasked with applying them in various contexts.

This semester, we were tasked with developing our own SSL implementation from scratch, and demoing it to the lecturer. This included writing functions for hashing (I chose SHA2), public key crypto (RSA for me), and symmetric key crypto (I wanted to do my beloved Twofish, but settled on AES).

The ever marching march of progress

Well, that subtitle was inspired. During the writing of the CipherSuite data structure for the client and server hello messages, I came up with something interesting. This is section 9 of the TLS 1.0 RFC:

In the absence of an application profile standard specifying otherwise, a TLS compliant application MUST implement the cipher suite TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA.

And the TLS 1.1 RFC:

In the absence of an application profile standard specifying otherwise, a TLS compliant application MUST implement the cipher suite TLS_RSA_WITH_3DES_EDE_CBC_SHA.

And the TLS 1.2 RFC:

In the absence of an application profile standard specifying otherwise, a TLS-compliant application MUST implement the cipher suite TLS_RSA_WITH_AES_128_CBC_SHA.

This means we’ve seen a steady transition from Diffie-Helman to RSA for public key crypto, and from TripleDES to 128bit AES for symmetric crypto.

What this means

The implications are interesting, even if largely symbolic. I’d expect most parties to have a defined set of CipherSuites, meaning they’d never fall to what amounts to a default. Even if they did, precious few browsers mandate TLS 1.2 anyway (or even 1.1).

Still, the switching of TripleDES to AES seems long overdue. There are practical reasons for still needing 3DES in certain circumstances, but for computers equipped with AES hardware acceleration and no backwards comparability requirements, they’re better served using it.

What I’ve been most surprised about is the perpetual foot dragging of system administrators refusing to implement anything beyond SSL 3.0, let alone TLS 1.1 or 1.2. But that’s a topic for another day.

UPDATE: It’s due to shitty, outdated browsers with wide install bases. This is why we can’t have nice things.