· 2 min read
TLS-ECDH-ECDSA-WITH-3DES-EDE-CBC-SHA Cipher Suite
A breakdown of the Cipher Suite TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, its strengths, and its weaknesses.
Key Exchange Mechanism
Elliptic Curve Diffie Hellman - ECDH
Grade - B
Static Elliptic Curve Diffie Hellman (ECDH) does not use ephemeral (temporary) keys, meaning it violates perfect forward secrecy. ECDHE should be used in preference.
Authentication
Elliptic Curve Digital Signature Algorithm - ECDSA
Grade - A
ECDSA (Elliptic Curve Digital Signature Algorithm) is used in cipher suites for authentication and integrity verification. Its efficiency in generating and verifying digital signatures makes it suitable for secure communication protocols like TLS, ensuring data confidentiality and integrity during exchanges over networks.
Hash
Secure Hash Algorithm - SHA
Grade - D
Chosen prefix attacks for SHA1 are feasible at an accessible cost to a well-funded adversary. This level of expense, while significant, does not pose a substantial barrier to attackers with sufficient resources, making such attacks a credible threat.
Cipher Mode
Cipher Block Chaining - CBC
Grade - D
Cipher Block Chaining (CBC) mode is vulnerable to the Lucky13 and POODLE (in TLS v1.2 and below) attacks. The Lucky13 attack exploits timing discrepancies in padding validation, allowing attackers to gradually reveal plaintext. The POODLE attack leverages padding errors to decrypt ciphertext by repeatedly modifying and sending it to the server, observing the error responses. These vulnerabilities arise from CBC’s handling of padding and error messages, making it less secure than modern encryption modes like Galois Counter Mode (GCM), which offer stronger integrity and confidentiality guarantees.