Enhanced Security: AES-256 Encryption for SSL and TLS

December 1st, 2020

SSL and TLS play critical roles in securing data transmission over the internet, and AES-256 is integral in their most secure configurations. The original standard was known as Secure Sockets Layer (SSL). Although it was replaced by Transport Layer Security (TLS), many in the industry still refer to TLS by its predecessor’s acronym. While TLS can be relied on for securing information at a high level—such as US Government TOP SECRET data—improper or outdated implementations of the standard may not provide much security at all.

Variations in which cipher is used in TLS impact how secure TLS ultimately is. Some ciphers are fast but insecure, while others are slower, require a greater amount of computational resources, and can provide a higher degree of security. Weaker ciphers—such as the early export-grade ciphers—still exist, but they should no longer be used.

The Advanced Encryption Standard (AES) is an encryption specification that succeeded the Data Encryption Standard (DES). AES was standardized in 2001 after a five-year review, and is currently one of the most popular algorithms used in symmetric-key cryptography. It is often seen as the gold standard symmetric-key encryption technique, with many security-conscious organizations requiring their employees to use AES-256 for all communications. It is also used prominently in TLS.

AES has been available in most cryptographic libraries for a long time. It became available in OpenSSL in 2002 with v0.9.7. OpenSSL is the foundation of most SSL services in UNIX and Linux environments, such as that used by LuxSci. GPG, the open source implementation of PGP, also includes an AES-256 option.

This article discusses AES, its role in TLS, which web browsers and email programs support it, as well as how you can make sure that you only use 256-bit AES encryption for communications that require a high level of security.

How secure are AES-256 and AES-128?

AES is Federal Information Processing Standard (FIPS) certified, and there are currently no known non-brute force attacks that work directly against AES. However, there are some side-channel timing attacks on the processing of AES. These are not feasible over a network environment and aren’t applicable to SSL in general. Because of this, AES is considered robust enough to protect secret government information:

“The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.”

Out of the three different key lengths, AES-256 offers a higher degree of security than the 128-bit and 192-bit versions of the standard.

The Beast Attack and TLS-secured web sites

When TLS is used to protect website traffic (as opposed to IMAP, SMTP, encryption of files, etc.), there is an attack against it known as The Beast. This attack makes it possible for people that have access to a trusted location on your network to break into your TLS session and eavesdrop on your communications.

Thankfully, The Beast attack can easily be protected against. All you have to do is use TLS v1.1+ ciphers. This is why The Beast is no longer considered an important attack vector.

How long will AES-256 remain suitable for security?

The rise of quantum computing has caused quite a stir in the security community, with fears that it will render many of our security algorithms useless. While quantum computing looks like it will change the landscape when it comes to public-key algorithms, it is not believed that it will have significant impacts on algorithms like AES-256 in the near future.

The biggest quantum computing threat against AES is currently considered to be Grover’s algorithm. It is theorized to be able to perform a brute-force key search using quadratically fewer steps than required in classical computing. The implication of this is that an attacker with access to a quantum computer may be able to successfully attack a cipher with a key that is twice the length of what would normally be possible in classical computing.

However, the expense of quantum hardware and real-world complications of using Grover’s algorithm mitigate the threat of these attacks. NIST states that, “… AES 128 will remain secure for decades to come. Furthermore, even if quantum computers turn out to be much less expensive than anticipated, the known difficulty of parallelizing Grover’s algorithm suggests that both AES 192 and AES 256 will still be safe for a very long time.”

Currently, there is no great rush to move away from AES to other symmetric key algorithms.

How is the cipher chosen in an SSL or TLS session?

In general, when an SSL client, such as an email program or web browser, connects to a server and wishes to use SSL or TLS, the client sends the server a list of encryption ciphers that it supports. The server then goes through the list and chooses the first match that it also supports. Usually, the client orders the list with the most secure methods first, so that the most secure method supported by both the client and server is selected. Sometimes, the client orders the list based on other criteria to make a compromise between security and speed. This can result in a sub-optimal cipher being chosen.

Most modern web and email servers that support TLS encryption will have a wide range of different encryption techniques that they support. These can vary from 128-bit RC4, to 256-bit AES, to others. This range of options allows users who have old or broken software to still take advantage of encryption, even if it is weaker than what is considered ideal in many situations.

Additionally, most companies that provide security services do not permit techniques that are deemed weak and can be broken easily. If you are connecting to a reputable service provided over TLS, the type of encryption will almost certainly be determined by your client program (i.e. email program or web browser), based on the options listed by the server.

What encryption techniques are supported by modern web browsers?

The latest versions of most modern browsers should support appropriate encryption algorithms.

You can check out whether your web browser uses up-to-date security practices by visiting:

https://www.howsmyssl.com/

If it says “Probably Okay”, it means that no security problems could be detected. If it says “Improvable” or “Bad”, then your browser may be using an outdated version of TLS or have other security issues. If this is the case, then you need to update to the latest version of your browser, or switch to a browser like Firefox or Chrome that is actively being developed.

What encryption techniques were supported by legacy web browsers?

For older web browsers, before AES support became universal, we analyzed cipher support to see which ones supported AES. For posterity, we include this information here:

| Web Browser | Operating System | Best Cipher | Verdict? |
|---|---|---|---|
| Native Android Browser (LG G3) | Android v4.4.2+ | AES 256-bit | Good! |
| Chrome v39+ | Android v4.4.2+ | AES 256-bit | Good! |
| FireFox Mobile v8+ | Android | AES 256-bit | Good! |
| Safari | iOS v8+ (iPhone/iPad/etc.) | AES 256-bit | Good |
| Safari | iOS v5.0.1 | AES 128-bit | Good |
| Safari | iOS v2.2 | AES 128-bit | Good |
| Silk | Kindle Fire | RC4 128-bit | Terrible |
| FireFox v35+ | Windows XP & Vista, Mac OSX | AES 256-bit | Good! |
| FireFox v8+ | Windows XP & Vista, Mac OSX | AES 256-bit | Good! |
| FireFox v3.0.5 | Windows XP & Vista, Mac OSX | AES 256-bit | Good! |
| Safari v8+ | Windows Vista/7, Mac OSX | AES 256-bit | Good |
| Safari v5.1.2 | Windows Vista/7, Mac OSX | AES 128-bit | Good |
| Safari v3.2.1 | Windows Vista, Mac OSX | AES 128-bit | Good |
| Safari v3.2.1 | Windows XP | RC4 128-bit | Terrible |
| Chrome v40+ | Windows Vista/7, Mac OSX | AES 256-bit | Good! |
| Chrome v15+ | Windows Vista/7, Mac OSX | AES 256-bit | Good! |
| Chrome v1.x | Windows Vista | AES 128-bit | Good |
| Chrome v1.x | Windows XP | RC4 128-bit | Terrible |
| Internet Explorer v11 | Windows 7 | AES 256-bit | Good |
| Internet Explorer v9 | Windows 7 | AES 128-bit | Good |
| Internet Explorer v9 | Windows Vista | RC4 128-bit | Terrible |
| Internet Explorer v7 & v8 | Windows Vista | AES 128-bit | Good |
| Internet Explorer v8 | Windows XP | RC4 128-bit | Terrible |
| Internet Explorer v7 | Windows XP | RC4 128-bit | Terrible |
| Internet Explorer v6 | Windows XP | RC4 128-bit | Terrible |
| Opera v26+ | Mac OSX | AES 256-bit | Good! |
| Opera v11.10+ | Windows Vista | AES 256-bit | Good! |
| Opera v9.62 | Windows XP & Vista | AES 256-bit | Good! |

So, by default, legacy browsers will take advantage of AES encryption when it is available. We also found that any program that uses the old Windows default SSL libraries will use RC4 in Windows XP and 128-bit AES in Windows Vista.

What encryption techniques are supported by modern email programs?

Asking this question about web browsers raises the question of what is supported by the various email programs out there. Clearly, if you are using a WebMail interface to your email, then the answer depends on what web browser you are using. The latest versions of most well-known email programs will use suitable encryption techniques, including AES-256. If you are using outdated/legacy email software, you should update it to the latest version immediately.

What encryption techniques were supported by legacy email programs?

We tested several popular legacy email programs on legacy operating systems to see the best encryption cipher each was capable of using. This was done before AES usage became essentially universal. Here are the results (for posterity):

| Email Program | Operating System | Verdict? | Results |
|---|---|---|---|
| Mozilla Thunderbird v2+ | Windows XP & Vista | Good! | 256-bit AES |
| Thunderbird v2+ | Mac OSX v10.4.11 | Good! | 256-bit AES |
| Outlook 2010 | Windows 7 | Good! | 256-bit AES |
| Outlook 2007 | Windows XP | Terrible | 128-bit RC4 is the best supported |
| Outlook 2007 | Windows Vista | Good | 128-bit AES chosen (though 256-bit is there, it is not listed 1st in the program and thus not used) |
| Outlook 2003 | Windows XP | Terrible | 128-bit RC4 is the best supported |
| Mail.app | Mac OSX v10.10 | Good | 256-bit AES |
| Mail.app | Mac OSX v10.5.5 | Good | 128-bit AES chosen (though 256-bit is there, it is not listed 1st in the program and thus not used) |
| Mail.app | Mac OSX v10.4.11 | Good | 128-bit AES chosen (though 256-bit is there, it is not listed 1st in the program and thus not used) |
| Mail.app | iPhone v2.2 | Good | 128-bit AES chosen (though 256-bit is there, it is not listed 1st in the program and thus not used) |
| Eudora v7 | Windows XP | Good | 256-bit AES |
| Eudora v8 | Mac OSX v10.4 | Good | 256-bit AES |
| Entourage v12 | Mac OSX v10.4 | Terrible | DES |

We see a similar pattern here. In most cases, the cipher used depended on the operating system and not the program. Some programs roll their own SSL (i.e., Thunderbird/Eudora) and some use the OS built-in libraries. So, from this we can infer that any newer version of Outlook on Vista or Windows 7+ will go for at least 128-bit AES, most things on Windows XP would use 128-bit RC4, etc.

How to force use of AES-256 on secure web browser and email programs

Web browsing clients like Mozilla Firefox or Opera, as well as email clients like Thunderbird, use AES-256 by default, as long as it is also supported by the server.

However, it’s also possible to force the use of 256-bit AES encryption. This can be useful if your organization mandates that secure connections use 256-bit AES, or if you do not trust that the servers you wish to connect to will have secure ciphers in place.

You can ensure that AES-256 is always used by following the instructions below. If the server does not support AES-256, the connection will fail.

Mozilla Firefox:

  1. Type “about:config” in the address bar to open up the detailed list of configuration parameters.
  2. Scroll down to “tls.version.min”, and make sure that it is set to “1” as an absolute minimum. This will turn off support for SSLv2 and SSLv3.
  3. Search for “ssl3”.
  4. Look for each of the ciphers that do not include “aes_256” in their names. If any of these say “true”, double click on them to change them to “false”. This will make them no longer available for use.
  5. You will be left with various versions of AES-256 with TLS v1.0+.
  6. You don’t have to restart Firefox for this to take effect.

Mozilla Thunderbird: (see also optimization tips for Thunderbird)

  1. From Thunderbird’s home screen, click on the three horizontal lines in the top right corner.
  2. Click Preferences, then Preferences once more in the menu that comes up.
  3. Click Advanced, then scroll to the bottom right where it says Config Editor. Click on Config Editor.
  4. Be aware that configuration changes can affect the stability of the program, and only proceed if you know what you are doing. Click I Accept the risk.
  5. Scroll down to “tls.version.min”, and make sure that it is set to “1” as an absolute minimum. This will turn off support for SSLv2 and SSLv3.
  6. Search for “ssl3”.
  7. Look for each of the ciphers that do not include “aes_256” in their names. If any of these say “true”, double click on them to change them to “false”. This will make them no longer available for use.
  8. Restart Thunderbird so that any persistent connections are broken and re-opened.
  9. Make sure that your email accounts are all configured to use SSL or TLS (not “if available”, but “always”).
  10. If possible, go to your email provider and disallow insecure connections to your account. This will make the connection fail if the email program is accidentally configured to make an insecure connection. (LuxSci allows this to be set on the user-level or to be enforced by policy account-wide).

Skype:

  • Off topic, but Skype uses 256-bit AES encryption, so if you use it for chat or voice calls, your data is also being encrypted in this fashion.

Locking down your web site (in Apache)

If you are the owner of a website and have TLS security on it, you can lock it down so that the only cipher that your website supports is 256-bit AES. This takes the choice out of the end user’s hands. They can either use AES-256, or they won’t be able to connect. However, this also means that some users may not be able to access your site unless they change to a more secure browser.

To lock your site down so that it only supports 128-bit and 256-bit AES, add the following to your Apache httpd.conf file:

SSLCipherSuite AES256-SHA:AES128-SHA

This can be added globally, in a virtual host, or even in your .htaccess file. It will ensure that any successful connection to your site will use one of these ciphers. Be sure to add it to the secure settings for your site and not just the insecure site area. More information is available at Apache.
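The cipher selection described earlier and the effect of this lockdown can be modelled in a few lines. The following is an added example, not LuxSci's or Apache's code: the client offer lists are constructed to mirror patterns in the legacy tables, the cipher names are OpenSSL-style, and the `honor_server_order` flag goes beyond the article by modelling a server that prefers its own order (in Apache, the SSLHonorCipherOrder directive).

```python
# Added illustration: models TLS cipher selection; all client offers are constructed samples.
STRENGTH_BITS = {"AES256-SHA": 256, "AES128-SHA": 128, "RC4-SHA": 128}

def parse_cipher_suite(directive):
    """Turn a simple colon-separated SSLCipherSuite value into an ordered list.
    Handles plain cipher names only, not OpenSSL keywords such as HIGH or !aNULL."""
    if directive.startswith("SSLCipherSuite"):
        directive = directive.split(None, 1)[1]
    return [name for name in directive.strip().split(":") if name]

def negotiate(client_offer, server_supported, honor_server_order=False):
    """Return the selected cipher, or None when no common cipher exists
    (the handshake fails and the client cannot connect)."""
    if honor_server_order:
        walk, allowed = server_supported, set(client_offer)
    else:
        # Behaviour described in the article: first client entry the server supports.
        walk, allowed = client_offer, set(server_supported)
    for cipher in walk:
        if cipher in allowed:
            return cipher
    return None

# Constructed client profiles modelled on rows of the legacy tables.
CLIENTS = {
    "aes256-first": ["AES256-SHA", "AES128-SHA", "RC4-SHA"],
    "aes128-first": ["AES128-SHA", "AES256-SHA", "RC4-SHA"],  # 256-bit offered, not listed 1st
    "rc4-only": ["RC4-SHA"],                                  # e.g. old Windows XP libraries
}

PERMISSIVE = ["AES256-SHA", "AES128-SHA", "RC4-SHA"]
LOCKED = parse_cipher_suite("SSLCipherSuite AES256-SHA:AES128-SHA")

def audit(server_supported, honor_server_order=False):
    """Map each client profile to (cipher, key bits), or None if it is locked out."""
    result = {}
    for name, offer in CLIENTS.items():
        cipher = negotiate(offer, server_supported, honor_server_order)
        result[name] = (cipher, STRENGTH_BITS[cipher]) if cipher else None
    return result

if __name__ == "__main__":
    for label, server, order in [
        ("permissive server, client order", PERMISSIVE, False),
        ("locked-down server, client order", LOCKED, False),
        ("locked-down server, server order", LOCKED, True),
    ]:
        print(label, audit(server, order))
```

With the locked-down list, the RC4-only client is refused, while a client that lists AES-128 first still gets AES-128 unless the server enforces its own order.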

In general, you will want to only support TLS v1.2+ and NIST-recommended cipher suites. See: what level of TLS is required for HIPAA.

AES encryption is still reliable

AES encryption is still the preferred standard for TLS. On modern machines, it doesn’t affect performance in a noticeable manner, and it provides an adequate level of security.

However, it’s important to note that TLS only protects data sent between you and the server. When you send and receive email, the message data travels in the clear, so TLS does not protect it throughout the entire journey. The Case for Email Security explains this in more detail.

Thankfully, services like LuxSci’s SecureLine provide email encryption, which can safeguard your email the whole way. For more information on how you can protect your organization’s data, contact our team.
