
Perfect Forward Secrecy and how to choose PFS based Cipher suites

What are cipher suites?

A cipher suite is a set of cryptographic algorithms that together:

a) protect the information needed to establish shared keys (key exchange);

b) encrypt the messages exchanged between clients and servers (bulk encryption);

c) authenticate records so that tampering in transit is detected (message authentication, using the suite's hash in an HMAC, or the authentication tag of an AEAD mode such as GCM).

Perfect Forward Secrecy for TLS

Perfect Forward Secrecy (PFS) is a property of the key exchange in Transport Layer Security (TLS): even if attackers later obtain the private key belonging to the server certificate, they cannot decrypt communication recorded in the past (nor future communication, unless they mount an active man-in-the-middle attack). Put differently: an attacker can usually record the encrypted traffic between users and a website protected by TLS. Suppose that after some months of recording, the adversary also manages to steal the private key from the server. Without PFS, the client encrypts the premaster secret directly with the RSA key of the certificate, so every recorded TLS session can now be decrypted, and so can all future sessions, until the certificate and its private key are replaced. With PFS, the session keys come from an ephemeral key agreement whose private values are discarded after the handshake; the certificate key only authenticates that exchange and never protects the session keys themselves.
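The contrast described above, as an added example (not code from the article or from Common CryptoLib): a signed ephemeral ECDH exchange of the kind an ECDHE_RSA suite performs, next to the RSA key transport used by the older TLS_RSA_* suites, with the "key stolen months later" scenario played out against both recordings. Two simplifications are the example's own assumptions: the key derivation is a single SHA-256 instead of the TLS PRF, and the "transcript" is reduced to what a passive recorder would capture (public points and signature, or the RSA ciphertext).

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// serverIdentity models the long-term key behind the server certificate (RSA, as in
// both TLS_ECDHE_RSA_* and TLS_RSA_* suites). This is the key that may be stolen later.
func serverIdentity() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// sessionKey stands in for the TLS PRF / key schedule (assumption: one SHA-256).
func sessionKey(secret []byte) []byte {
	k := sha256.Sum256(secret)
	return k[:]
}

// ecdheSession performs one ECDHE_RSA key agreement: fresh P-256 keys on both sides, the
// server's point signed by the certificate key, the client verifying that signature before
// using the point. transcript is what a passive recorder captures. The ephemeral private
// keys die with this function, so nothing stored anywhere can recreate the secret.
func ecdheSession(identity *rsa.PrivateKey) (key, transcript []byte, err error) {
	curve := ecdh.P256()
	srvEph, err1 := curve.GenerateKey(rand.Reader)
	cliEph, err2 := curve.GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		return nil, nil, fmt.Errorf("ephemeral keygen: %v %v", err1, err2)
	}
	srvPub := srvEph.PublicKey().Bytes()
	digest := sha256.Sum256(srvPub)
	sig, err := rsa.SignPKCS1v15(rand.Reader, identity, crypto.SHA256, digest[:])
	if err != nil {
		return nil, nil, err
	}
	if err := rsa.VerifyPKCS1v15(&identity.PublicKey, crypto.SHA256, digest[:], sig); err != nil {
		return nil, nil, fmt.Errorf("server point not authenticated: %w", err)
	}
	srvSecret, err1 := srvEph.ECDH(cliEph.PublicKey())
	cliSecret, err2 := cliEph.ECDH(srvEph.PublicKey())
	if err1 != nil || err2 != nil || !bytes.Equal(srvSecret, cliSecret) {
		return nil, nil, fmt.Errorf("ECDH disagreement")
	}
	transcript = append(append(append([]byte{}, srvPub...), cliEph.PublicKey().Bytes()...), sig...)
	return sessionKey(srvSecret), transcript, nil
}

// rsaTransportSession models a TLS_RSA_* suite (no PFS): the client chooses the premaster
// secret and RSA-encrypts it to the certificate key; the recording is that ciphertext.
func rsaTransportSession(identity *rsa.PrivateKey) (key, transcript []byte, err error) {
	premaster := make([]byte, 48)
	if _, err = rand.Read(premaster); err != nil {
		return nil, nil, err
	}
	ct, err := rsa.EncryptPKCS1v15(rand.Reader, &identity.PublicKey, premaster)
	return sessionKey(premaster), ct, err
}

// recoverFromRSATransport is the attack from the text: the private key leaks months
// later and the recorded ciphertext gives up the old session key.
func recoverFromRSATransport(stolen *rsa.PrivateKey, recorded []byte) ([]byte, error) {
	pm, err := rsa.DecryptPKCS1v15(rand.Reader, stolen, recorded)
	if err != nil {
		return nil, err
	}
	return sessionKey(pm), nil
}

// impersonateWithStolenKey shows what the stolen key still buys against ECDHE: not old
// sessions, but future active man-in-the-middle, because the attacker can now sign its
// own ephemeral point and clients will accept it as the server's.
func impersonateWithStolenKey(stolen *rsa.PrivateKey) bool {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return false
	}
	d := sha256.Sum256(eph.PublicKey().Bytes())
	sig, err := rsa.SignPKCS1v15(rand.Reader, stolen, crypto.SHA256, d[:])
	return err == nil && rsa.VerifyPKCS1v15(&stolen.PublicKey, crypto.SHA256, d[:], sig) == nil
}

func main() {
	id := serverIdentity()
	rsaKey, rsaRec, _ := rsaTransportSession(id)
	got, _ := recoverFromRSATransport(id, rsaRec)
	fmt.Println("TLS_RSA:   old session key recovered with stolen key:", bytes.Equal(got, rsaKey))
	_, ecRec, _ := ecdheSession(id)
	fmt.Println("ECDHE_RSA: recording holds only public points and a signature, bytes:", len(ecRec))
	fmt.Println("ECDHE_RSA: future impersonation with stolen key:", impersonateWithStolenKey(id))
}
```

With the stolen key, the RSA-transport session key falls out of the recording directly, while the ECDHE recording contains nothing the key can decrypt; the only thing the key still buys there is signing a fresh point, i.e. active impersonation of future sessions, which is exactly the caveat in the paragraph above.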

Common CryptoLib 8.4.38 and higher supports Perfect Forward Secrecy cipher suites, using ephemeral key agreement with elliptic-curve Diffie-Hellman (ECDHE). The following new cipher suites are available:

Cipher suite                             Minimum TLS version
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256    TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384    TLS 1.2
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA       TLS 1.0
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384    TLS 1.2
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA       TLS 1.0
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA      TLS 1.0

For example, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 stands for:

  • Protocol: TLS
  • Key exchange: ECDHE, ephemeral elliptic-curve Diffie-Hellman, which is what provides perfect forward secrecy
  • Authentication: RSA. The server signs its ephemeral key with the RSA key of its certificate, so an ordinary RSA certificate, as issued by most internal certificate authorities, is all that is needed; the RSA key never encrypts session key material
  • Bulk encryption: AES_256_GCM, a strong AEAD cipher that also authenticates every record
  • Hash: SHA384, used for the TLS 1.2 PRF and for the handshake integrity check (the Finished messages)
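The breakdown above, as an added example (not code from the article or from Common CryptoLib): a parser that splits a cipher suite name into the parts listed in the first section (key exchange, authentication, bulk cipher, hash), flags ECDHE and DHE suites as forward secret, and derives the minimum TLS version shown in the table (AEAD modes and SHA-2 based suites exist only from TLS 1.2). It goes beyond the table in also accepting TLS 1.3 names, which drop the key exchange part because TLS 1.3 only ever uses ephemeral (EC)DHE. The ModernPFS rule (forward secrecy plus an AEAD cipher) is the example's own recommendation, not a statement from the article.

```go
package main

import (
	"fmt"
	"strings"
)

// Suite is a cipher suite name broken into the parts the article lists.
type Suite struct {
	KeyExchange string // "ECDHE", "DHE", "RSA" (key transport) or "(EC)DHE" for TLS 1.3
	Auth        string // certificate key algorithm, e.g. "RSA" or "ECDSA"
	Cipher      string // bulk encryption, e.g. "AES_256_GCM"
	Hash        string // PRF / HMAC hash: "SHA", "SHA256", "SHA384"
	PFS         bool   // ephemeral key agreement: the certificate key only signs
	AEAD        bool   // GCM, CCM or ChaCha20-Poly1305: the cipher mode authenticates records
	MinVersion  string // lowest protocol version that can negotiate the suite
}

// ParseSuite decodes TLS_<kx>_<auth>_WITH_<cipher>_<hash> (TLS 1.2 and earlier) and
// TLS_<cipher>_<hash> (TLS 1.3, whose key exchange is always ephemeral (EC)DHE).
func ParseSuite(name string) (Suite, error) {
	var s Suite
	if !strings.HasPrefix(name, "TLS_") {
		return s, fmt.Errorf("%q is not a TLS cipher suite name", name)
	}
	body := strings.TrimPrefix(name, "TLS_")
	parts := strings.SplitN(body, "_WITH_", 2)
	isTLS13 := len(parts) == 1
	cipherPart := parts[len(parts)-1]
	i := strings.LastIndex(cipherPart, "_")
	if i <= 0 || i == len(cipherPart)-1 {
		return s, fmt.Errorf("%q has no cipher/hash part", name)
	}
	s.Cipher, s.Hash = cipherPart[:i], cipherPart[i+1:]
	s.AEAD = strings.HasSuffix(s.Cipher, "_GCM") || strings.HasSuffix(s.Cipher, "_CCM") ||
		strings.Contains(s.Cipher, "POLY1305")
	if isTLS13 {
		s.KeyExchange, s.Auth, s.PFS, s.MinVersion = "(EC)DHE", "certificate signature", true, "TLS 1.3"
		return s, nil
	}
	kx := strings.SplitN(parts[0], "_", 2)
	s.KeyExchange = kx[0]
	s.Auth = kx[len(kx)-1] // "RSA" alone: the certificate key also transports the premaster secret
	s.PFS = s.KeyExchange == "ECDHE" || s.KeyExchange == "DHE"
	// AEAD modes and SHA-2 PRFs arrived with TLS 1.2; the older ..._CBC_SHA names date
	// from TLS 1.0, which is why the article's table splits the suites that way.
	if s.AEAD || s.Hash == "SHA256" || s.Hash == "SHA384" {
		s.MinVersion = "TLS 1.2"
	} else {
		s.MinVersion = "TLS 1.0"
	}
	return s, nil
}

// ModernPFS is this example's own selection rule: forward secrecy plus an AEAD
// cipher, which drops 3DES and the CBC/SHA-1 suites from the article's table.
func ModernPFS(s Suite) bool {
	return s.PFS && s.AEAD
}

func main() {
	for _, n := range []string{
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
		"TLS_RSA_WITH_AES_128_CBC_SHA",
		"TLS_AES_128_GCM_SHA256",
	} {
		s, err := ParseSuite(n)
		fmt.Printf("%-38s kx=%-7s auth=%-21s cipher=%-13s hash=%-6s pfs=%-5v min=%s modern=%v err=%v\n",
			n, s.KeyExchange, s.Auth, s.Cipher, s.Hash, s.PFS, s.MinVersion, ModernPFS(s), err)
	}
}
```

Run against the table above it reproduces the minimum-version column; against TLS_RSA_WITH_AES_128_CBC_SHA it shows the non-PFS case, where the key exchange and authentication fields collapse onto the same RSA certificate key.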

The PFS cipher suites are not enabled by default, and existing cipher suite configuration strings do not gain them automatically: a profile value written before this release keeps selecting exactly the suites it selected before.

See SAP Note 510007 for the TLS configuration, and use the new sapgenpse tlsinfo command to test a TLS configuration string before putting it into a profile:

sapgenpse tlsinfo <options> <cipher suites>

To enable PFS, add the new cipher suite keyword PFS to the configuration string, as in this example:

ssl/ciphersuites = PFS:HIGH:MEDIUM

This yields the PFS cipher suites first, followed by the high and then the medium security cipher suites. Keyword order is preference order, so PFS belongs at the front if ECDHE suites are to be preferred.

A default, ordered list of preferred elliptic curves is used when PFS is turned on; the examples below override it explicitly with the curve list that follows the double colon (EC_P256:EC_HIGH).

Profile parameter values that provide TLSv1.2 but still allow TLSv1.0 as a last-resort fallback, to avoid interoperability problems with the large installed base that is limited to TLSv1.0:

ssl/ciphersuites = 135:PFS:HIGH::EC_P256:EC_HIGH

ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH

 

Profile parameter values that restrict the protocol versions strictly to TLSv1.1 and TLSv1.2; expect interoperability problems with the part of the installed base that cannot speak them:

ssl/ciphersuites = 801:PFS:HIGH::EC_P256:EC_HIGH

ssl/client_ciphersuites = 816:PFS:HIGH::EC_P256:EC_HIGH

 

The numeric prefix is the sum of the option bits:

TLSv1.2 + TLSv1.1 + STRICT_PROTOCOL_VERSIONS + BC                 = 512 + 256 + 32 + 1  = 801
TLSv1.2 + TLSv1.1 + STRICT_PROTOCOL_VERSIONS + BLIND_CLIENT_CERTS = 512 + 256 + 32 + 16 = 816

Compare this with the previous example: 135 and 150 contain neither the TLSv1.2 bit (512) nor the TLSv1.1 bit (256), yet TLSv1.2 is still negotiated. Without STRICT_PROTOCOL_VERSIONS (32) the version bits only fix the lowest version that may be used, and newer versions up to TLSv1.2 remain available and preferred; adding 32 limits negotiation to exactly the versions listed, which is what makes 801 and 816 strict.

Once you have decided which cipher suites to enable or disable for your requirements, set the final values of ssl/ciphersuites and ssl/client_ciphersuites in the default profile of the SAP system and restart the system.
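The configuration strings above, as an added example (not code from the article, from SAP or from Common CryptoLib): a decoder for the <options>:<keywords>::<curves> form that splits the option number back into the bits the article names (512, 256, 32, 16, 1), reports any other set bit as undocumented rather than guessing its meaning, checks that PFS is present and first, and reproduces the 801 / 816 arithmetic. The meaning of the double colon as the curve separator and the rule that keyword order is preference order are taken from the examples on this page; everything else is the example's own assumption.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Option bits of the numeric prefix, as the article names them; any other set bit is
// reported as undocumented rather than guessed.
var optionNames = map[uint]string{
	512: "TLSv1.2",
	256: "TLSv1.1",
	32:  "STRICT_PROTOCOL_VERSIONS",
	16:  "BLIND_CLIENT_CERTS",
	1:   "BC",
}

// CipherConfig is a decoded ssl/ciphersuites or ssl/client_ciphersuites value.
type CipherConfig struct {
	Options  uint     // numeric prefix, 0 when absent
	Named    []string // documented option bits set in Options, highest first
	Unknown  []uint   // set bits the article does not explain, highest first
	Keywords []string // cipher suite keywords in preference order, e.g. PFS, HIGH
	Curves   []string // elliptic curves listed after the "::" separator
}

// ParseCipherConfig decodes "<options>:<keywords>::<curves>". Taken from the article's
// examples: "::" introduces the curve list and the numeric prefix is optional.
func ParseCipherConfig(value string) (CipherConfig, error) {
	var c CipherConfig
	isColon := func(r rune) bool { return r == ':' }
	left := strings.TrimSpace(value)
	if i := strings.Index(left, "::"); i >= 0 {
		c.Curves, left = strings.FieldsFunc(left[i+2:], isColon), left[:i]
	}
	tokens := strings.FieldsFunc(left, isColon)
	if len(tokens) > 0 {
		if n, err := strconv.ParseUint(tokens[0], 10, 32); err == nil {
			c.Options, tokens = uint(n), tokens[1:]
		}
	}
	if len(tokens) == 0 {
		return c, fmt.Errorf("no cipher suite keywords in %q", value)
	}
	c.Keywords = tokens
	for b := uint(1) << 31; b > 0; b >>= 1 {
		name, ok := optionNames[b]
		switch {
		case c.Options&b == 0:
		case ok:
			c.Named = append(c.Named, name)
		default:
			c.Unknown = append(c.Unknown, b)
		}
	}
	return c, nil
}

// Warnings lists what to fix before the value goes into the default profile.
func (c CipherConfig) Warnings() []string {
	var w []string
	pfs := -1
	for i, k := range c.Keywords {
		if k == "PFS" {
			pfs = i
		}
	}
	switch {
	case pfs < 0:
		w = append(w, "no PFS keyword: only non-forward-secret suites are offered")
	case pfs > 0:
		w = append(w, "PFS is not the first keyword: non-PFS suites are preferred over ECDHE")
	}
	if len(c.Unknown) > 0 {
		w = append(w, fmt.Sprintf("option bits not explained in the article: %v", c.Unknown))
	}
	return w
}

// ComposeOptions adds named option bits, reproducing the article's 801 / 816 arithmetic.
func ComposeOptions(names ...string) (uint, error) {
	var total uint
	for _, n := range names {
		found := false
		for b, name := range optionNames {
			if name == n {
				total, found = total|b, true
			}
		}
		if !found {
			return 0, fmt.Errorf("option %q is not documented in the article", n)
		}
	}
	return total, nil
}

func main() {
	c, err := ParseCipherConfig("135:PFS:HIGH::EC_P256:EC_HIGH")
	fmt.Printf("%+v\nwarnings=%v err=%v\n", c, c.Warnings(), err)
}
```

Decoding 135 is the interesting case: only the BC bit (1) is among the documented ones, and the remaining 128, 4 and 2 are surfaced as undocumented instead of being mapped to a guessed protocol version, which is the honest answer to the question the commenter asks below.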

Considerations

Selecting a cipher suite configuration can be a challenge, and several factors play a role in making the right choice: the capabilities of the server, of the clients and of the certificate authority, and the compatibility required between them. The configuration must stay flexible enough for the other servers and clients the system communicates with, otherwise compatibility problems follow. Configuring PFS cipher suites on the TLS client side in particular can cause interoperability issues with older third-party servers that do not support ECDHE. A misconfigured cipher suite string shows up as SSL handshake failures.

2 Comments
  • Hello Client_Cipher_Suites Experts,

    I do not understand how a value smaller than 512 can work with TLS 1.2, if 512 is the value for TLS 1.2:

    Profile parameter values which provides TLSv1.2 and allows TLSv1.0 as last-resort fallback to prevent interoperability problems with a huge amount of installed base that is limited to TLSv1.0:

    ssl/client_ciphersuites = 150:PFS:HIGH::EC_P256:EC_HIGH

    Example for adding Options:

    (TLSv1.2+TLSv1.1+STRICT_PROTOCOL_VERSIONS+BC) = (512 + 256 + 32 + 1 ) = 801 (TLSv1.2+TLSv1.1+STRICT_PROTOCOL_VERSIONS+BLIND_CLIENT_CERTS) = (512 + 256 + 32 + 16) = 816

    Please help me understand. Is there a ‘Ciphersuites for Dummies’?

    Kind Regards,

    Franz