Validated Cryptography e., the server ephemeral key-pair and the client ephemeral key-pair shall have at least
19 confidentiality of the session. While support of these cipher suites is not required by these
guidelines, it is strongly recommended. There is no mechanism to specify the minimum key size for the server or client certificate
or for the CAs that are in the certification path. 3.3.1.1
Implementation Considerations System administrators need to fully understand the ramifications of selecting cipher
suites and configuring applications to support only those cipher suites. The security guarantees of the cryptography are limited to the weakest cipher suite supported by the
configuration. When configuring an implementation, there are several factors that affect supported cipher suite selection.
[ RFC4346
] describes timing attacks on CBC cipher suites, as well mitigation techniques.
TLS implementations shall use the bad_record_mac error to indicate a padding error. Implementations shall compute the MAC regardless of whether padding errors exist.
In addition to the CBC attacks addressed in [ RFC4346
], the Lucky 13 attack [ Lucky13
] demonstrates that a constant-time decryption routine is also needed to prevent timing
attacks. TLS implementations should support constant-time decryption, or near constant-
time decryption. Note that CBC-based attacks can be prevented by using AEAD cipher suites e.g., GCM,
CCM, supported in TLS 1.2. 3.3.1.1.1
Algorithm Support Many TLS servers and clients support RC4 [
Schneier96 ] cipher suites. RC4 is not an
Approved algorithm. If the server were configured to support RC4 cipher suites, they may be chosen over the recommended cipher suites composed of Approved algorithms.
Therefore it is important that the server is configured only to use recommended cipher suites.
Server implementations may not allow the server administrator to specify preference order. In such servers, the only way to ensure that a server uses Approved algorithms for
encryption is to disable cipher suites that use other encryption algorithms such as RC4 and Camellia [
RFC3713 ].
3.3.1.1.2 Cipher Suite Scope
The selection of a cryptographic algorithm may be system-wide and not application specific for some implementations. For example, disabling an algorithm for one
application on a system might disable that algorithm for all applications on that system.