Network Working Group C. Bartle Internet-Draft Apple, Inc. Intended status: Standards Track N. Aviram Expires: 14 June 2023 11 December 2022 Deprecating Obsolete Key Exchange Methods in TLS draft-ietf-tls-deprecate-obsolete-kex-01 Abstract This document makes several prescriptions regarding the following key exchange methods in TLS, most of which have been superseded by better options: 1. This document deprecates the use of RSA key exchange in TLS. 2. It limits the use of Diffie Hellman key exchange over a finite field to avoid, to the extent possible, known vulnerabilities and improper security properties. 3. It discourages the use of static elliptic curve Diffie Hellman cipher suites. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on 14 June 2023. Copyright Notice Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved. Bartle & Aviram Expires 14 June 2023 [Page 1] Internet-Draft Deprecating RSA and FFDH(E) December 2022 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/ license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements . . . . . . . . . . . . . . . . . . . . . . 4 2. Non-Ephemeral Diffie Hellman . . . . . . . . . . . . . . . . 4 3. Ephemeral Finite Field Diffie Hellman . . . . . . . . . . . . 4 4. RSA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 6. Security Considerations . . . . . . . . . . . . . . . . . . . 5 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 6 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 8.2. Informative References . . . . . . . . . . . . . . . . . 8 Appendix A. DH Cipher Suites Deprecated by This Document . . . . 10 Appendix B. ECDH Cipher Suites Whose Use Is Discouraged by This Document . . . . . . . . . . . . . . . . . . . . . . . . 13 Appendix C. DHE Cipher Suites Refered to by This Document . . . 15 Appendix D. RSA Cipher Suites Deprecated by This Document . . . 18 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 20 1. Introduction TLS supports a variety of key exchange algorithms, including RSA, Diffie Hellman over a finite field, and elliptic curve Diffie Hellman (ECDH). Diffie Hellman key exchange, over any group, comes in ephemeral and non-ephemeral varieties. Non-ephemeral DH algorithms use static DH public keys included in the authenticating peer's certificate; see [RFC4492] for discussion. In contrast, ephemeral DH algorithms use ephemeral DH public keys sent in the handshake and authenticated by the peer's certificate. Ephemeral and non-ephemeral finite field DH algorithms are called DHE and DH (or FFDHE and FFDH), respectively, and ephemeral and non-ephemeral elliptic curve DH algorithms are called ECDHE and ECDH, respectively [RFC4492]. In general, non-ephemeral cipher suites are not recommended due to their lack of forward secrecy. However, as demonstrated by the [Raccoon] attack on finite-field DH, public key reuse, either via Bartle & Aviram Expires 14 June 2023 [Page 2] Internet-Draft Deprecating RSA and FFDH(E) December 2022 non-ephemeral cipher suites or reused keys with ephemeral cipher suites, can lead to timing side channels that may leak connection secrets. For elliptic curve DH, invalid curve attacks similarly exploit secret reuse in order to break security [ICA], further demonstrating the risk of reusing public keys. While both side channels can be avoided in implementations, experience shows that in practice, implementations may fail to thwart such attacks due to the complexity and number of the required mitigations. Additionally, RSA key exchange suffers from security problems that are independent of implementation choices as well as problems that stem purely from the difficulty of implementing security countermeasures correctly. At a rough glance, the problems affecting FFDHE are as follows: 1. FFDHE suffers from interoperability problems because there is no mechanism for negotiating the group size, and some implementations only support small group sizes (see [RFC7919], Section 1). 2. In practice, some operators use 1024-bit FFDHE groups since this is the maximum size that ensures wide support (see [RFC7919], Section 1). This size leaves only a small security margin vs. the current discrete log record, which stands at 795 bits [DLOG795]. 3. Expanding on the previous point, just a handful of very large computations allow an attacker to cheaply decrypt a relatively large fraction of FFDHE traffic (namely, traffic encrypted using particular standardized groups) [weak-dh]. 4. When secrets are not fully ephemeral, FFDHE suffers from the [Raccoon] side channel attack. (Note that FFDH is inherently vulnerable to the Raccoon attack unless constant-time mitigations are employed.) 5. FFDHE groups may have small subgroups, which enables several attacks [subgroups]. The problems affecting RSA key exchange are as follows: 1. RSA key exchange offers no forward secrecy, by construction. 2. RSA key exchange may be vulnerable to Bleichenbacher's attack [BLEI]. Experience shows that variants of this attack arise every few years because implementing the relevant countermeasure correctly is difficult (see [ROBOT], [NEW-BLEI], [DROWN]). Bartle & Aviram Expires 14 June 2023 [Page 3] Internet-Draft Deprecating RSA and FFDH(E) December 2022 3. In addition to the above point, there is no convenient mechanism in TLS for the domain separation of keys. Therefore, a single endpoint that is vulnerable to Bleichenbacher's attack would affect all endpoints sharing the same RSA key (see [XPROT], [DROWN]). Given these problems, this document updates [RFC4346], [RFC5246], [RFC4162], [RFC6347], [RFC5932], [RFC5288], [RFC6209], [RFC6367], [RFC8422], [RFC5289], and [RFC5469] to remediate the above problems. 1.1. Requirements The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2. Non-Ephemeral Diffie Hellman Clients MUST NOT offer non-ephemeral FFDH cipher suites in TLS 1.2 connections. (Note that TLS 1.0 and 1.1 are deprecated by [RFC8996] and TLS 1.3 does not support FFDH [RFC8446].) This includes all cipher suites listed in the table in Appendix A. Clients SHOULD NOT offer non-ephemeral ECDH cipher suites in TLS 1.2 connections. (Note that TLS 1.0 and 1.1 are deprecated by [RFC8996] and TLS 1.3 does not support ECDH [RFC8446].) This includes all cipher suites listed in the table in Appendix B. 3. Ephemeral Finite Field Diffie Hellman Clients and servers MAY offer fully ephemeral FFDHE cipher suites in TLS 1.2 connections under the following conditions: 1. Clients and servers MUST NOT reuse ephemeral DHE public keys across TLS connections for all existing (and future) TLS versions. Doing so invalidates forward secrecy properties of these connections. For DHE, such reuse may also lead to vulnerabilities such as those used in the [Raccoon] attack. See Section 6 for related discussion. 2. The group size is at least 2048 bits. (Note that TLS 1.0 and 1.1 are deprecated by [RFC8996]. TLS 1.3 satisfies the second point above [RFC8446] and is not vulnerable to the [Raccoon] Attack.) Bartle & Aviram Expires 14 June 2023 [Page 4] Internet-Draft Deprecating RSA and FFDH(E) December 2022 We note that, previously, supporting the broadest range of clients would have required supporting either RSA key exchange or 1024-bit FFDHE. This is no longer the case, and it is possible to support most clients released since circa 2015 using 2048-bit FFDHE or more modern key exchange methods, and without RSA key exchange [server_side_tls]. All the cipher suites that do not meet the above requirements are listed in the table in Appendix C. 4. RSA Clients and servers MUST NOT offer RSA cipher suites in TLS 1.2 connections. (Note that TLS 1.0 and 1.1 are deprecated by [RFC8996], and TLS 1.3 does not support static RSA [RFC8446].) This includes all cipher suites listed in the table in Appendix D. Note that these cipher suites are already marked as not recommended in the "TLS Cipher Suites" registry. 5. IANA Considerations This document makes no requests to IANA. Note that all cipher suites listed in Section 4 and in Section 2 are already marked as not recommended in the "TLS Cipher Suites" registry. 6. Security Considerations Non-ephemeral finite field DH cipher suites (TLS_DH_*), as well as ephemeral key reuse for finite field DH cipher suites, are prohibited due to the [Raccoon] attack. Both are already considered bad practice since they do not provide forward secrecy. However, Raccoon revealed that timing side channels in processing TLS premaster secrets may be exploited to reveal the encrypted premaster secret. As for non-ephemeral elliptic curve DH cipher suites, forgoing forward secrecy not only allows retroactive decryption in the event of key compromise but may also enable a broad category of attacks where the attacker exploits key reuse to repeatedly query a cryptographic secret. This category includes, but is not necessarily limited to, the following examples: 1. Invalid curve attacks, where the attacker exploits key reuse to repeatedly query and eventually learn the key itself. These attacks have been shown to be practical against real-world TLS implementations [ICA]. Bartle & Aviram Expires 14 June 2023 [Page 5] Internet-Draft Deprecating RSA and FFDH(E) December 2022 2. Side channel attacks, where the attacker exploits key reuse and an additional side channel to learn a cryptographic secret. As one example of such attacks, refer to [MAY4]. 3. Fault attacks, where the attacker exploits key reuse and incorrect calculations to learn a cryptographic secret. As one example of such attacks, see [PARIS256]. Such attacks are often implementation-dependent, including the above examples. However, these examples demonstrate that building a system that reuses keys and avoids this category of attacks is difficult in practice. In contrast, avoiding key reuse not only prevents decryption in the event of key compromise, but also precludes this category of attacks altogether. Therefore, this document discourages the reuse of elliptic curve DH public keys. 7. Acknowledgments This document was inspired by discussions on the TLS WG mailing list and a suggestion by Filippo Valsorda following the release of the [Raccoon] attack. Thanks to Christopher A. Wood for writing up the initial draft of this document. 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC4162] Lee, H.J., Yoon, J.H., and J.I. Lee, "Addition of SEED Cipher Suites to Transport Layer Security (TLS)", RFC 4162, DOI 10.17487/RFC4162, August 2005, . [RFC4279] Eronen, P., Ed. and H. Tschofenig, Ed., "Pre-Shared Key Ciphersuites for Transport Layer Security (TLS)", RFC 4279, DOI 10.17487/RFC4279, December 2005, . [RFC4346] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.1", RFC 4346, DOI 10.17487/RFC4346, April 2006, . Bartle & Aviram Expires 14 June 2023 [Page 6] Internet-Draft Deprecating RSA and FFDH(E) December 2022 [RFC4785] Blumenthal, U. and P. Goel, "Pre-Shared Key (PSK) Ciphersuites with NULL Encryption for Transport Layer Security (TLS)", RFC 4785, DOI 10.17487/RFC4785, January 2007, . [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security (TLS) Protocol Version 1.2", RFC 5246, DOI 10.17487/RFC5246, August 2008, . [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, DOI 10.17487/RFC5288, August 2008, . [RFC5289] Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA- 256/384 and AES Galois Counter Mode (GCM)", RFC 5289, DOI 10.17487/RFC5289, August 2008, . [RFC5469] Eronen, P., Ed., "DES and IDEA Cipher Suites for Transport Layer Security (TLS)", RFC 5469, DOI 10.17487/RFC5469, February 2009, . [RFC5487] Badra, M., "Pre-Shared Key Cipher Suites for TLS with SHA- 256/384 and AES Galois Counter Mode", RFC 5487, DOI 10.17487/RFC5487, March 2009, . [RFC5932] Kato, A., Kanda, M., and S. Kanno, "Camellia Cipher Suites for TLS", RFC 5932, DOI 10.17487/RFC5932, June 2010, . [RFC6209] Kim, W., Lee, J., Park, J., and D. Kwon, "Addition of the ARIA Cipher Suites to Transport Layer Security (TLS)", RFC 6209, DOI 10.17487/RFC6209, April 2011, . [RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347, January 2012, . [RFC6367] Kanno, S. and M. Kanda, "Addition of the Camellia Cipher Suites to Transport Layer Security (TLS)", RFC 6367, DOI 10.17487/RFC6367, September 2011, . Bartle & Aviram Expires 14 June 2023 [Page 7] Internet-Draft Deprecating RSA and FFDH(E) December 2022 [RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for Transport Layer Security (TLS)", RFC 6655, DOI 10.17487/RFC6655, July 2012, . [RFC7905] Langley, A., Chang, W., Mavrogiannopoulos, N., Strombergson, J., and S. Josefsson, "ChaCha20-Poly1305 Cipher Suites for Transport Layer Security (TLS)", RFC 7905, DOI 10.17487/RFC7905, June 2016, . [RFC7919] Gillmor, D., "Negotiated Finite Field Diffie-Hellman Ephemeral Parameters for Transport Layer Security (TLS)", RFC 7919, DOI 10.17487/RFC7919, August 2016, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8422] Nir, Y., Josefsson, S., and M. Pegourie-Gonnard, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS) Versions 1.2 and Earlier", RFC 8422, DOI 10.17487/RFC8422, August 2018, . [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . [RFC8996] Moriarty, K. and S. Farrell, "Deprecating TLS 1.0 and TLS 1.1", BCP 195, RFC 8996, DOI 10.17487/RFC8996, March 2021, . 8.2. Informative References [BLEI] Bleichenbacher, D., "Chosen Ciphertext Attacks against Protocols Based on RSA Encryption Standard PKCS #1", Advances in Cryptology -- CRYPTO'98, LNCS vol. 1462, pages: 1-12 , 1998. [DLOG795] Boudot, F., Gaudry, P., Guillevic, A., Heninger, N., Thomé, E., and P. Zimmermann, "Comparing the difficulty of factorization and discrete logarithm: a 240-digit experiment", 17 August 2020, . Bartle & Aviram Expires 14 June 2023 [Page 8] Internet-Draft Deprecating RSA and FFDH(E) December 2022 [DROWN] Aviram, N., Schinzel, S., Somorovsky, J., Heninger, N., Dankel, M., Steube, J., Valenta, L., Adrian, D., Halderman, J. A., Dukhovni, V., Käsper, E., Cohney, S., Engels, S., Paar, C., and Y. Shavitt, "DROWN: Breaking TLS using SSLv2", August 2016, . [ICA] Jager, T., Schwenk, J., and J. Somorovsky, "Practical invalid curve attacks on TLS-ECDH", 21 September 2015, . [MAY4] Genkin, D., Valenta, L., and Y. Yarom, "May the fourth be with you: A microarchitectural side channel attack on several real-world applications of curve25519", n.d., . [NEW-BLEI] Meyer, C., Somorovsky, J., Weiss, E., Schwenk, J., Schinzel, S., and E. Tews, "Revisiting SSL/TLS Implementations: New Bleichenbacher Side Channels and Attacks", August 2014, . [PARIS256] Devlin, S. and F. Valsorda, "The PARIS256 Attack", n.d., . [Raccoon] Merget, R., Brinkmann, M., Aviram, N., Somorovsky, J., Mittmann, J., and J. Schwenk, "Raccoon Attack: Finding and Exploiting Most-Significant-Bit-Oracles in TLS-DH(E)", 9 September 2020, . [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer Security (TLS)", RFC 4492, DOI 10.17487/RFC4492, May 2006, . [ROBOT] Boeck, H., Somorovsky, J., and C. Young, "Return Of Bleichenbacher's Oracle Threat (ROBOT)", 27th USENIX Security Symposium , 2018. [SC-tls-des-idea-ciphers-to-historic] "Moving single-DES and IDEA TLS ciphersuites to Historic", 25 January 2021, . Bartle & Aviram Expires 14 June 2023 [Page 9] Internet-Draft Deprecating RSA and FFDH(E) December 2022 [server_side_tls] King, A., "Server Side TLS", July 2020, . [subgroups] Valenta, L., Adrian, D., Sanso, A., Cohney, S., Fried, J., Hastings, M., Halderman, J. A., and N. Heninger, "Measuring small subgroup attacks against Diffie-Hellman", 15 October 2016, . [weak-dh] Adrian, D., Bhargavan, K., Durumeric, Z., Gaudry, P., Green, M., Halderman, J. A., Heninger, N., Springall, D., Thomé, E., Valenta, L., VanderSloot, B., Wustrow, E., Zanella-Béguelin, S., and P. Zimmermann, "Weak Diffie- Hellman and the Logjam Attack", October 2015, . [XPROT] Jager, T., Schwenk, J., and J. Somorovsky, "On the Security of TLS 1.3 and QUIC Against Weaknesses in PKCS#1 v1.5 Encryption", Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security , 2015. Appendix A. DH Cipher Suites Deprecated by This Document +==========================================+====================+ | Ciphersuite | Reference | +==========================================+====================+ | TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA | [RFC4346] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_DES_CBC_SHA | [RFC5469] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA | [RFC5246] | +------------------------------------------+--------------------+ | TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA | [RFC4346] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_DES_CBC_SHA | [RFC5469] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA | [RFC5246] | +------------------------------------------+--------------------+ | TLS_DH_anon_EXPORT_WITH_RC4_40_MD5 | [RFC4346][RFC6347] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_RC4_128_MD5 | [RFC5246][RFC6347] | +------------------------------------------+--------------------+ | TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA | [RFC4346] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_DES_CBC_SHA | [RFC5469] | +------------------------------------------+--------------------+ Bartle & Aviram Expires 14 June 2023 [Page 10] Internet-Draft Deprecating RSA and FFDH(E) December 2022 | TLS_DH_anon_WITH_3DES_EDE_CBC_SHA | [RFC5246] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_AES_128_CBC_SHA | [RFC5246] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_AES_128_CBC_SHA | [RFC5246] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_AES_128_CBC_SHA | [RFC5246] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_AES_256_CBC_SHA | [RFC5246] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_AES_256_CBC_SHA | [RFC5246] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_AES_256_CBC_SHA | [RFC5246] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_AES_128_CBC_SHA256 | [RFC5246] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_AES_128_CBC_SHA256 | [RFC5246] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA | [RFC5932] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA | [RFC5932] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA | [RFC5932] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_AES_256_CBC_SHA256 | [RFC5246] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_AES_256_CBC_SHA256 | [RFC5246] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_AES_128_CBC_SHA256 | [RFC5246] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_AES_256_CBC_SHA256 | [RFC5246] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA | [RFC5932] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA | [RFC5932] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA | [RFC5932] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_SEED_CBC_SHA | [RFC4162] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_SEED_CBC_SHA | [RFC4162] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_SEED_CBC_SHA | [RFC4162] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_AES_128_GCM_SHA256 | [RFC5288] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_AES_256_GCM_SHA384 | [RFC5288] | +------------------------------------------+--------------------+ Bartle & Aviram Expires 14 June 2023 [Page 11] Internet-Draft Deprecating RSA and FFDH(E) December 2022 | TLS_DH_DSS_WITH_AES_128_GCM_SHA256 | [RFC5288] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_AES_256_GCM_SHA384 | [RFC5288] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_AES_128_GCM_SHA256 | [RFC5288] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_AES_256_GCM_SHA384 | [RFC5288] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_CAMELLIA_128_CBC_SHA256 | [RFC5932] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA256 | [RFC5932] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_CAMELLIA_128_CBC_SHA256 | [RFC5932] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_CAMELLIA_256_CBC_SHA256 | [RFC5932] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA256 | [RFC5932] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_CAMELLIA_256_CBC_SHA256 | [RFC5932] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_ARIA_128_CBC_SHA256 | [RFC6209] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_ARIA_256_CBC_SHA384 | [RFC6209] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_ARIA_128_CBC_SHA256 | [RFC6209] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_ARIA_256_CBC_SHA384 | [RFC6209] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_ARIA_128_CBC_SHA256 | [RFC6209] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_ARIA_256_CBC_SHA384 | [RFC6209] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_ARIA_128_GCM_SHA256 | [RFC6209] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_ARIA_256_GCM_SHA384 | [RFC6209] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_ARIA_128_GCM_SHA256 | [RFC6209] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_ARIA_256_GCM_SHA384 | [RFC6209] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_ARIA_128_GCM_SHA256 | [RFC6209] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_ARIA_256_GCM_SHA384 | [RFC6209] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] | +------------------------------------------+--------------------+ | TLS_DH_RSA_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] | +------------------------------------------+--------------------+ Bartle & Aviram Expires 14 June 2023 [Page 12] Internet-Draft Deprecating RSA and FFDH(E) December 2022 | TLS_DH_DSS_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] | +------------------------------------------+--------------------+ | TLS_DH_DSS_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] | +------------------------------------------+--------------------+ | TLS_DH_anon_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] | +------------------------------------------+--------------------+ Table 1 Appendix B. ECDH Cipher Suites Whose Use Is Discouraged by This Document +=============================================+====================+ | Ciphersuite | Reference | +=============================================+====================+ | TLS_ECDH_ECDSA_WITH_NULL_SHA | [RFC8422] | +---------------------------------------------+--------------------+ | TLS_ECDH_ECDSA_WITH_RC4_128_SHA | [RFC8422][RFC6347] | +---------------------------------------------+--------------------+ | TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA | [RFC8422] | +---------------------------------------------+--------------------+ | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA | [RFC8422] | +---------------------------------------------+--------------------+ | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA | [RFC8422] | +---------------------------------------------+--------------------+ | TLS_ECDH_RSA_WITH_NULL_SHA | [RFC8422] | +---------------------------------------------+--------------------+ | TLS_ECDH_RSA_WITH_RC4_128_SHA | [RFC8422][RFC6347] | +---------------------------------------------+--------------------+ | TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA | [RFC8422] | +---------------------------------------------+--------------------+ | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA | [RFC8422] | +---------------------------------------------+--------------------+ | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA | [RFC8422] | +---------------------------------------------+--------------------+ | TLS_ECDH_anon_WITH_NULL_SHA | [RFC8422] | +---------------------------------------------+--------------------+ | TLS_ECDH_anon_WITH_RC4_128_SHA | [RFC8422][RFC6347] | +---------------------------------------------+--------------------+ | TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA | [RFC8422] | +---------------------------------------------+--------------------+ | TLS_ECDH_anon_WITH_AES_128_CBC_SHA | [RFC8422] | +---------------------------------------------+--------------------+ | TLS_ECDH_anon_WITH_AES_256_CBC_SHA | [RFC8422] | +---------------------------------------------+--------------------+ | TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 | [RFC5289] | Bartle & Aviram Expires 14 June 2023 [Page 13] Internet-Draft Deprecating RSA and FFDH(E) December 2022 +---------------------------------------------+--------------------+ | TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 | [RFC5289] | +---------------------------------------------+--------------------+ | TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 | [RFC5289] | +---------------------------------------------+--------------------+ | TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 | [RFC5289] | +---------------------------------------------+--------------------+ | TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 | [RFC5289] | +---------------------------------------------+--------------------+ | TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 | [RFC5289] | +---------------------------------------------+--------------------+ | TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 | [RFC5289] | +---------------------------------------------+--------------------+ | TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 | [RFC5289] | +---------------------------------------------+--------------------+ | TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 | [RFC6209] | +---------------------------------------------+--------------------+ | TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 | [RFC6209] | +---------------------------------------------+--------------------+ | TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 | [RFC6209] | +---------------------------------------------+--------------------+ | TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 | [RFC6209] | +---------------------------------------------+--------------------+ | TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 | [RFC6209] | +---------------------------------------------+--------------------+ | TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 | [RFC6209] | +---------------------------------------------+--------------------+ | TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 | [RFC6209] | +---------------------------------------------+--------------------+ | TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 | [RFC6209] | +---------------------------------------------+--------------------+ | TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 | [RFC6367] | +---------------------------------------------+--------------------+ | TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 | [RFC6367] | +---------------------------------------------+--------------------+ | TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 | [RFC6367] | +---------------------------------------------+--------------------+ | TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 | [RFC6367] | +---------------------------------------------+--------------------+ | TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] | +---------------------------------------------+--------------------+ | TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] | +---------------------------------------------+--------------------+ | TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 | [RFC6367] | +---------------------------------------------+--------------------+ | TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 | [RFC6367] | +---------------------------------------------+--------------------+ Bartle & Aviram Expires 14 June 2023 [Page 14] Internet-Draft Deprecating RSA and FFDH(E) December 2022 Table 2 Appendix C. DHE Cipher Suites Refered to by This Document +=========================================+==============================================+ |Ciphersuite |Reference | +=========================================+==============================================+ |TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA |[RFC4346] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_DES_CBC_SHA |[RFC5469][SC-tls-des-idea-ciphers-to-historic]| +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA |[RFC4346] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_DES_CBC_SHA |[RFC5469][SC-tls-des-idea-ciphers-to-historic]| +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_NULL_SHA |[RFC4785] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_AES_128_CBC_SHA |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_AES_128_CBC_SHA |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_AES_256_CBC_SHA |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_AES_256_CBC_SHA |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA |[RFC5932] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA |[RFC5932] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA |[RFC5932] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA |[RFC5932] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_RC4_128_SHA |[RFC4279][RFC6347] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_3DES_EDE_CBC_SHA |[RFC4279] | Bartle & Aviram Expires 14 June 2023 [Page 15] Internet-Draft Deprecating RSA and FFDH(E) December 2022 +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_AES_128_CBC_SHA |[RFC4279] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_AES_256_CBC_SHA |[RFC4279] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_SEED_CBC_SHA |[RFC4162] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_SEED_CBC_SHA |[RFC4162] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 |[RFC5288] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 |[RFC5288] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_AES_128_GCM_SHA256 |[RFC5288] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_AES_256_GCM_SHA384 |[RFC5288] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_AES_128_GCM_SHA256 |[RFC5487] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_AES_256_GCM_SHA384 |[RFC5487] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_AES_128_CBC_SHA256 |[RFC5487] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_AES_256_CBC_SHA384 |[RFC5487] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_NULL_SHA256 |[RFC5487] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_NULL_SHA384 |[RFC5487] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA256 |[RFC5932] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 |[RFC5932] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA256 |[RFC5932] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA256 |[RFC5932] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_ARIA_128_CBC_SHA256 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_ARIA_256_CBC_SHA384 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_ARIA_128_CBC_SHA256 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_ARIA_256_CBC_SHA384 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_ARIA_128_GCM_SHA256 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_ARIA_256_GCM_SHA384 |[RFC6209] | Bartle & Aviram Expires 14 June 2023 [Page 16] Internet-Draft Deprecating RSA and FFDH(E) December 2022 +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_ARIA_128_GCM_SHA256 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_ARIA_256_GCM_SHA384 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_ARIA_128_CBC_SHA256 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_ARIA_256_CBC_SHA384 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_ARIA_128_GCM_SHA256 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_ARIA_256_GCM_SHA384 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 |[RFC6367] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 |[RFC6367] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_CAMELLIA_128_GCM_SHA256 |[RFC6367] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_DSS_WITH_CAMELLIA_256_GCM_SHA384 |[RFC6367] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_CAMELLIA_128_GCM_SHA256 |[RFC6367] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_CAMELLIA_256_GCM_SHA384 |[RFC6367] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_CAMELLIA_128_CBC_SHA256 |[RFC6367] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_CAMELLIA_256_CBC_SHA384 |[RFC6367] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_AES_128_CCM |[RFC6655] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_AES_256_CCM |[RFC6655] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_AES_128_CCM_8 |[RFC6655] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_AES_256_CCM_8 |[RFC6655] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_AES_128_CCM |[RFC6655] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_AES_256_CCM |[RFC6655] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256|[RFC7905] | +-----------------------------------------+----------------------------------------------+ |TLS_DHE_PSK_WITH_CHACHA20_POLY1305_SHA256|[RFC7905] | +-----------------------------------------+----------------------------------------------+ Table 3 Bartle & Aviram Expires 14 June 2023 [Page 17] Internet-Draft Deprecating RSA and FFDH(E) December 2022 Appendix D. RSA Cipher Suites Deprecated by This Document +=========================================+==============================================+ |Ciphersuite |Reference | +=========================================+==============================================+ |TLS_RSA_WITH_NULL_MD5 |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_NULL_SHA |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_EXPORT_WITH_RC4_40_MD5 |[RFC4346][RFC6347] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_RC4_128_MD5 |[RFC5246][RFC6347] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_RC4_128_SHA |[RFC5246][RFC6347] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5 |[RFC4346] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_IDEA_CBC_SHA |[RFC5469][SC-tls-des-idea-ciphers-to-historic]| +-----------------------------------------+----------------------------------------------+ |TLS_RSA_EXPORT_WITH_DES40_CBC_SHA |[RFC4346] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_DES_CBC_SHA |[RFC5469][SC-tls-des-idea-ciphers-to-historic]| +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_3DES_EDE_CBC_SHA |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_NULL_SHA |[RFC4785] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_AES_128_CBC_SHA |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_AES_256_CBC_SHA |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_NULL_SHA256 |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_AES_128_CBC_SHA256 |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_AES_256_CBC_SHA256 |[RFC5246] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_CAMELLIA_128_CBC_SHA |[RFC5932] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_CAMELLIA_256_CBC_SHA |[RFC5932] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_RC4_128_SHA |[RFC4279][RFC6347] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_3DES_EDE_CBC_SHA |[RFC4279] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_AES_128_CBC_SHA |[RFC4279] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_AES_256_CBC_SHA |[RFC4279] | Bartle & Aviram Expires 14 June 2023 [Page 18] Internet-Draft Deprecating RSA and FFDH(E) December 2022 +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_SEED_CBC_SHA |[RFC4162] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_AES_128_GCM_SHA256 |[RFC5288] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_AES_256_GCM_SHA384 |[RFC5288] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_AES_128_GCM_SHA256 |[RFC5487] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_AES_256_GCM_SHA384 |[RFC5487] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_AES_128_CBC_SHA256 |[RFC5487] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_AES_256_CBC_SHA384 |[RFC5487] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_NULL_SHA256 |[RFC5487] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_NULL_SHA384 |[RFC5487] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_CAMELLIA_128_CBC_SHA256 |[RFC5932] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_CAMELLIA_256_CBC_SHA256 |[RFC5932] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_ARIA_128_CBC_SHA256 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_ARIA_256_CBC_SHA384 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_ARIA_128_GCM_SHA256 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_ARIA_256_GCM_SHA384 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_ARIA_128_CBC_SHA256 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_ARIA_256_CBC_SHA384 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_ARIA_128_GCM_SHA256 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_ARIA_256_GCM_SHA384 |[RFC6209] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_CAMELLIA_128_GCM_SHA256 |[RFC6367] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_CAMELLIA_256_GCM_SHA384 |[RFC6367] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_CAMELLIA_128_GCM_SHA256 |[RFC6367] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_CAMELLIA_256_GCM_SHA384 |[RFC6367] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_CAMELLIA_128_CBC_SHA256 |[RFC6367] | Bartle & Aviram Expires 14 June 2023 [Page 19] Internet-Draft Deprecating RSA and FFDH(E) December 2022 +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_CAMELLIA_256_CBC_SHA384 |[RFC6367] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_AES_128_CCM |[RFC6655] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_AES_256_CCM |[RFC6655] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_AES_128_CCM_8 |[RFC6655] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_WITH_AES_256_CCM_8 |[RFC6655] | +-----------------------------------------+----------------------------------------------+ |TLS_RSA_PSK_WITH_CHACHA20_POLY1305_SHA256|[RFC7905] | +-----------------------------------------+----------------------------------------------+ Table 4 Authors' Addresses Carrick Bartle Apple, Inc. Email: cbartle@apple.com Nimrod Aviram Email: nimrod.aviram@gmail.com Bartle & Aviram Expires 14 June 2023 [Page 20]