Vulnerability in TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

Issue #698 new
Joseph Heenan created an issue

In https://bitbucket.org/openid/fapi/issues/685/use-of-tls-12-ciphers#comment-66826146 Tom Jones mentioned this page:

https://ciphersuite.info/cs/TLS_DHE_RSA_WITH_AES_128_GCM_SHA256/

which suggests that that TLS cipher (which is one of the 4 required in FAPI1/2) has issues.

https://www.rfc-editor.org/rfc/rfc9325.html#appendix-A (the update to the TLS BCP which has been published since FAPI1 went to final) seems to mention “Dropped TLS_DHE_RSA_WITH_AES from the recommended ciphers”.

I’ve not researched this enough to have a recommendation but it seems worth checking before FAPI2 goes final. I’m not sure what we could/would do about FAPI1.

Comments (8)

  1. Tim Würtele

    Maybe useful in this context: The current (albeit several years old) recommendations by NIST seem to allow the use of TLS_DHE_RSA_WITH_AES_128_GCM_SHA256. The German BSI’s (basically the German counterpart to NIST) recommendations, dated Jan. 2024, list the TLS_DHE_*** suites as “only use until 2029”.

  2. Tom Jones

    Based on messages from the NSA I expect TLS_DHE_RSA_*** to be automatically deprecated this year when the PQ modes are officially sanctioned by NIST for US gov’t use.

    Where deprecated means no new applications will be accepted, but existing ones can continue in operation.

    FAPI could deprecate them in the same manner as of the release of this doc.

  3. Ralph Bragg

    Hi,

    BCP195 already says these ciphers are recommended; why don’t we just revert to the BCP recommended ciphers for TLS 1.2?

    RB

    4.2.  Cipher Suites for TLS 1.2
    
       Given the foregoing considerations, implementation and deployment of
       the following cipher suites is RECOMMENDED:
    
       *  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    
       *  TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    
       *  TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    
       *  TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    

  4. Dima Postnikov

    I swear we had this discussion before. Totally agree, we should reference BCP195.

    Although, FAPI might consider overriding “recommended” to something stronger?

  5. Tom Jones

    What I have noticed, and is reported by US Medicare below: the cloud service providers like Akamai and Cloudflare are limiting what is accepted for TLS. Even the BCP may not be able to keep up with the changes that are coming over the next few years. Agility and standards-based crypto suites or attack threat models are incompatible. ..tom

    ==================================================

    Akamai, which the Blue Button 2.0 API utilizes, is making an update to their required Ciphers. This will be occurring on May 27th, 2024 for the Blue Button 2.0 API Production environment.

    Our sandbox environment is currently limited to the Ciphers required in the update. This means that if apps are currently working in sandbox, they will not need to make a change.

    All other developers will want to make sure that their chosen API request library and browser support are adjusted to meet this new requirement. The new requirement is TLS 1.2 at a minimum, with TLS 1.3 recommended. We are also limiting to the following Cipher suites:

    TLS_AES_256_GCM_SHA384

    TLS_CHACHA20_POLY1305_SHA256

    TLS_AES_128_GCM_SHA256

    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256

    TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
