Why is Cipher Strength so important?

The SSLLabs.com test rates the cipher strength category as noted below. Cipher strength here means the symmetric key length of the cipher suites the server enables (AES-128, AES-256, 3DES and so on), not the size of the certificate key. I will provide a cipher suite list that supports Perfect Forward Secrecy (FS) for both Elliptic Curve (ECDSA) and RSA certificates, in the best possible order. It currently still includes legacy suites that are considered safe, for your consideration based on your need and environment.

  Symmetric cipher strength          Score
  0 bits (no encryption)               0%
  < 128 bits (e.g., 40, 56)           20%
  < 256 bits (e.g., 128, 168)         80%   <--- we will score 90%. SSL Labs averages the strongest and the weakest
                                            cipher the server enables, so 256-bit plus 128-bit suites = (100 + 80) / 2.
                                            Removing the 128-bit ciphers would cut off clients that only offer them!
  >= 256 bits (e.g., 256)            100%
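As an added example (my own code, not the page's cipher list), the scoring rule above in Python: it reproduces the SSL Labs cipher-strength buckets, applies the strongest/weakest average, and expands an OpenSSL cipher string with the standard `ssl` module to see what a server built on that string would score. The cipher strings in the block are constructed for illustration, and the function names are mine.

```python
import ssl


# SSL Labs cipher-strength buckets from the table above (Server Rating Guide):
# 0 bits -> 0 %, < 128 -> 20 %, < 256 -> 80 %, >= 256 -> 100 %.
def strength_bucket(bits: int) -> int:
    """Score for one cipher suite from its symmetric key length."""
    if bits <= 0:
        return 0
    if bits < 128:
        return 20
    if bits < 256:
        return 80
    return 100


def cipher_strength_score(bit_lengths) -> int:
    """SSL Labs scores the category as the average of the strongest and the
    weakest cipher the server enables, so one weak suite drags the grade down."""
    lengths = list(bit_lengths)
    if not lengths:
        return 0
    return (strength_bucket(max(lengths)) + strength_bucket(min(lengths))) // 2


def symmetric_bits(cipher_spec: str):
    """Expand an OpenSSL cipher string with the local ssl module and return the
    symmetric strength of every suite it enables, TLS 1.3 suites included
    (a scanner sees those too, and set_ciphers() cannot remove them)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_spec)  # raises ssl.SSLError if nothing matches
    return [c["strength_bits"] for c in ctx.get_ciphers()]


def score_cipher_string(cipher_spec: str) -> int:
    """Cipher-strength score a server using this cipher string would get."""
    return cipher_strength_score(symmetric_bits(cipher_spec))


if __name__ == "__main__":
    # Constructed cipher strings (my own, not the page's list): FS-only AEAD
    # suites, with and without the 128-bit ones the page keeps, plus 3DES.
    candidates = {
        "256-bit only": "ECDHE+AES256:ECDHE+CHACHA20:DHE+AES256",
        "256-bit + 128-bit (the page's choice)": "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM",
        "legacy 3DES added": "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DES-CBC3-SHA",
    }
    for label, spec in candidates.items():
        bits = symmetric_bits(spec)
        print(f"{label:40} min={min(bits):3} max={max(bits):3} -> {cipher_strength_score(bits)}%")
```

Note the TLS 1.3 caveat the block exposes: with OpenSSL 1.1.1 or later, TLS_AES_128_GCM_SHA256 is enabled by default and is not touched by the TLS 1.2 cipher string, so even the "256-bit only" string still scores 90 unless the TLS 1.3 suites are restricted separately (nginx `ssl_conf_command Ciphersuites ...`, Apache `SSLCipherSuite TLSv1.3 ...`).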

  • Anything under 128-bit is not recommended
  • Most Certificate Authorities (CAs) will issue certificates for ECDSA P-256 (256-bit) keys; fewer will issue for P-384 (384-bit) keys to end clients, if required
  • If being created for a US Top Secret environment (these are the NSA Commercial National Security Algorithm (CNSA) Suite requirements):
    • Use 256-bit symmetric keys (AES-256)
    • Only use the TLS 1.2 and TLS 1.3 protocols
    • Elliptic Curve Digital Signature Algorithm (ECDSA) & Elliptic Curve Diffie-Hellman (ECDH) key exchange use curve P-384
    • Secure Hash Algorithm (SHA) 384
    • Minimum 3072-bit modulus for RSA and for finite-field Diffie-Hellman

What does all of this mean in the end, and what are we going to end up with?

Using an ephemeral Diffie-Hellman key exchange (ECDHE or DHE) with either an RSA or an ECC certificate makes a HUGE difference in our security, at very little cost! The certificate only authenticates the server; the ephemeral exchange is what gives every session its own key and therefore Forward Secrecy.

ECC can use smaller key sizes while offering comparable cryptographic strength.

  Symmetric key    RSA key         ECC key         Ratio          RSA certificate   ECC certificate   Ratio
  length (bits)    length (bits)   length (bits)   ECC/RSA key    size              size              ECC/RSA certificate
  80               1024            160             5x smaller     2048              192               10x smaller
  112              2048            224             9x smaller     4096              224               18x smaller
  128              3072            256             12x smaller    7680              256               23x smaller
  192              7680            384             20x smaller    15360             384               39x smaller
  256              15360           521             29x smaller    30720             512               57x smaller

The first three columns are the comparable-strength table from NIST SP 800-57 Part 1 (the 521 is the P-521 curve).

What SSL Labs reports for the key exchange depends on the ephemeral key exchange the server negotiates, not on the certificate alone. The Diffie-Hellman parameters you generate (openssl dhparam) are only used by the finite-field DHE suites; the ECDHE suites are governed by the curve the server selects, and that curve is where the "eq. N bits RSA" figure comes from.

Elliptic Curve certificate, ECDHE on the default P-256 curve (prime256v1 / secp256r1), no Diffie-Hellman parameters generated: a 3072-bit RSA equivalent key exchange
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384   ECDH 256 bits (eq. 3072 bits RSA)   FS

[Screenshot: ECC curves without DH parameters]

RSA certificate, ECDHE on P-256, no Diffie-Hellman parameters generated: also a 3072-bit RSA equivalent key exchange, because the same curve governs the ECDHE suites whatever the certificate type

[Screenshot: RSA without Diffie-Hellman parameters]

RSA certificate with Diffie-Hellman parameters generated and the server's EC curve set to secp384r1 (P-384): a 7680-bit RSA equivalent!

[Screenshot: RSA with DH parameters and secp384r1]
[Screenshot: browser compatibility]

RSA certificate with Diffie-Hellman parameters generated and the server's EC curve set to secp521r1 (P-521): a 15360-bit RSA equivalent!
No problems with browsers using RSA with Diffie-Hellman and the EC curve secp521r1, as long as the server still offers P-256 as a fallback: not every browser enables P-521 (Chrome does not), so a server that offers only secp521r1 would fail the handshake for those clients.

[Screenshot: RSA with DH parameters and secp521r1]
[Screenshot: browser compatibility]