Tech specification of SSL


#1

May I know the tech specification of SSL?

Public key

  • RSA (Yes)
  • ECDHE
  • ElGamal

Private Key

  • Triple-DES (Data Encryption Standard)
  • Advanced Encryption Standard (AES)

Key Size

  • Public key / symmetric : 256 bits and above
  • Private key / Asymmetric: 1048 and above

Recommended secure Cipher Suite

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
  • TLS_RSA_WITH_AES_256_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA

#2

Do you have more specific context?

CAs in the web PKI are required by industry regulations to issue certificates using certain algorithms and minimum key sizes.

Most of your questions are matters of configuration and software support, and not related to the certificate or CA.


#3

Do you mean with regard to Let’s Encrypt? Or SSL in general?

These are not private key algorithms. Public/private keys are always keypairs and therefore use the same algorithm. The algorithms you’re listing here are symmetric ciphers.

This doesn’t make sense. See above about public/private keypairs.

This isn’t Let’s Encrypt specific, but a webserver configuration. It depends on your choice of backwards compatibility. See: https://wiki.mozilla.org/Security/Server_Side_TLS


#4

Hi @rebecca_88

If you have an RSA public/private key pair, 2048 and 4096 are standard. If you have an EC key, 256 and 384 are the standard.

All TLS_RSA_WITH… are deprecated, because they don’t allow Forward Secrecy.

Using such a key exchange means that the client encrypts the master key with the public key and sends it to the server, and the server decrypts it with the private key.

If the complete (encrypted) traffic is saved and if the private key is compromised, the traffic can be decrypted. This isn’t possible with the TLS_DHE and TLS_ECDHE key exchanges, because no encrypted key is sent over the network.
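
The forward-secrecy distinction from post #4, applied to the suite list from post #1, as an added example that is not part of the original thread. The function names are hypothetical, and the code assumes the TLS 1.2-style naming pattern `TLS_<kx>[_<auth>]_WITH_<cipher>_<hash>`; it inspects names only and does not check whether a name is a registered suite.

```python
# Added example (not from the thread): parse TLS 1.2-style suite names.
# TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) carry no key-exchange field
# and are rejected here.

EPHEMERAL_KX = {"DHE", "ECDHE"}  # ephemeral Diffie-Hellman variants

# Suite names copied as posted in #1.
SUITES_FROM_POST_1 = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_256_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]


def parse_suite(name):
    """Split TLS_<kx>[_<auth>]_WITH_<cipher>_<hash> into its fields."""
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2-style suite name: {name!r}")
    left, right = name[len("TLS_"):].split("_WITH_", 1)
    kx, _, auth = left.partition("_")
    cipher, _, digest = right.rpartition("_")
    return {
        "kx": kx,
        "auth": auth or kx,  # TLS_RSA_WITH_*: RSA is both key transport and auth
        "cipher": cipher,
        "hash": digest,
        "forward_secret": kx in EPHEMERAL_KX,
    }


def without_forward_secrecy(names):
    """Return the suites whose key exchange is not ephemeral."""
    return [n for n in names if not parse_suite(n)["forward_secret"]]


if __name__ == "__main__":
    for suite in SUITES_FROM_POST_1:
        flag = "FS" if parse_suite(suite)["forward_secret"] else "no FS"
        print(f"{flag:6} {suite}")
```

Six of the ten listed suites use RSA key transport and are reported as lacking forward secrecy; the four ECDHE suites are not.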