Allowed TLS Ciphers for B2B Transactions

[lukepopp]

Under FAPI-RW, the following Ciphers are permitted:

LS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

Issues:

• DHE is recommended to be used with key sizes of >=2048

• older clients (for example Java 7 or unpatched Window Servers) may only support 1024 bit keys

Does the FAPI list require restricting?

[NationalAustraliaBank]

NAB is aligned with FAPI and we are supportive of the BCP195 standards (https://tools.ietf.org/html/bcp195). However, we support the adoption of the recommended mitigating control for Diffie-Hellman ciphers by increasing the default key length in use (i.e. >2048 bits). This recommendation should be made mandatory to mitigate the perceived weakness of the cipher.
The use of PFS should also be considered.

[jogu]

FAPI part 1 ID 2 states:

The recommendations for Secure Use of Transport Layer Security in [BCP195] shall be followed

This upgrades any recommendations in BCP195 to mandatory.

https://tools.ietf.org/html/bcp195#section-4.3 states:

With a key exchange based on modular exponential (MODP) Diffie-
Hellman groups ("DHE" cipher suites), DH key lengths of at least 2048
bits are RECOMMENDED.

So I believe >= 2048 bits DHE keys are already required by the existing specifications and no changes are needed.

@NationalAustraliaBank can you clarify why you believe PFS is currently not required? I cannot currently see a way that a compliant implementation would not have forward secrecy.

[JamesMBligh]

Has this question be sufficiently addressed? If it has I will close. If there are specific issues to be addressed in the standard then please indicate a suggested change and I will leave the thread open.

-JB-