TLS-KRB5-EXPORT-WITH-DES-CBC-40-SHA Cipher Suite

Key Exchange Mechanism

Kerberos 5 - KRB5

Grade - C

Low usage

Cipher

Data Encryption Standard - DES

Grade - D

DES should not be used in cipher suites due to its weak 56-bit key size, making it highly vulnerable to brute-force attacks. Modern standards require stronger encryption, and DES’s vulnerabilities compromise security, making it unsuitable for protecting sensitive data in contemporary applications.

Hash

Secure Hash Algorithm - SHA

Grade - D

Chosen prefix attacks for SHA1 are feasible at an accessible cost to a well-funded adversary. This level of expense, while significant, does not pose a substantial barrier to attackers with sufficient resources, making such attacks a credible threat.

Key Size

40 Bit - 40

Grade - F

A 40-bit cipher length is too short because it can be easily broken through brute-force attacks due to the limited number of possible keys (2^40). Modern computational power allows attackers to quickly try all potential keys, making 40-bit encryption insufficient for protecting sensitive data.

Cipher Mode

Cipher Block Chaining - CBC

Grade - D

Cipher Block Chaining (CBC) mode is vulnerable to the Lucky13 and POODLE (in TLS v1.2 and below) attacks. The Lucky13 attack exploits timing discrepancies in padding validation, allowing attackers to gradually reveal plaintext. The POODLE attack leverages padding errors to decrypt ciphertext by repeatedly modifying and sending it to the server, observing the error responses. These vulnerabilities arise from CBC’s handling of padding and error messages, making it less secure than modern encryption modes like Galois Counter Mode (GCM), which offer stronger integrity and confidentiality guarantees.