Selecting Ciphers

SSL and TLS can use a variety of encryption/decryption algorithms (called ciphers). In a single secure connection, as many as four different ciphers may be used for various purposes; this set of ciphers is called a cipher suite. Each party in a secure connection must designate which cipher suites it is going to support. When a new secure connection is made, the parties involved try to agree on which cipher suite to use. There must be at least one cipher suite that is available on both sides of the connection for this to be possible.

Different cipher suites have different levels of security and performance. The lower the level of security, the easier the cipher is to break. Unfortunately, stronger ciphers usually offer slower performance. Hence, there is a certain level of trade-off between the two. For this reason, the decision on which cipher suites to support is left to the developers and/or users of SSL and TLS applications.

Every cipher suite has a standard name (e.g. TLS_RSA_WITH_RC4_128_SHA). This name reveals which ciphers are used in the suite.

Some guidelines which may be useful when selecting cipher suites are:

• Triple DES offers high security but relatively poor performance (look for names with the characters, 3DES).
• DES (not 3DES) can be cracked relatively easily
• 128-bit RC4 offers high performance and reasonable security (look for names with the characters RC4_128).
• SHA is preferable to MD5 (choose algorithms whose names ending with SHA ahead of those ending with MD5).
• Export version of algorithms are deliberately weakened; avoid them if possible (i.e. avoid 40-bit suites).

Next: SOCKS Proxies