AWS Certified Security - Specialty Exam: SSL Negotiation Configuration for ELBs and Perfect Forward Secrecy (PFS)

SSL Ciphers for Perfect Forward Secrecy in ELB SSL Negotiation Configuration

Question

A company CSO wants to verify that the SSL Negotiation Configuration policy of the ELBs supports perfect forward secrecy (PFS)

What SSL Ciphers should the policy utilize to meet this requirement?

Answers

A. Protocol-TLSv1.2
B. ECDHE-*
C. RC4-MD5
D. Transposition Cipher

Answer: B.

Explanations

Option A is incorrect because Protocol-TLSv1.2 selects the protocol version, not a cipher suite, so it says nothing about PFS.

Option B is correct because Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) cipher suites support PFS.

Option C is incorrect because RC4-MD5 does not support PFS.

Option D is incorrect because a transposition cipher is a classical, very weak cipher; it is not an SSL/TLS cipher suite and does not support PFS.

Reference:

https://docs.aws.amazon.com/aws-backup/latest/devguide/infrastructure-security.html

Perfect Forward Secrecy (PFS) is a property of the SSL/TLS key exchange that ensures the session key used for data encryption is unique to each session and is not derived from any long-term secret key. Even if an attacker later obtains the server's long-term private key, they cannot decrypt previously recorded sessions.
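To make the property above concrete, the following Python is an added illustration (not code from the original page or from AWS). It models a static ECDH exchange, where the server's long-term key is the key-exchange key, next to an ECDHE exchange, where the long-term key only signs a fresh ephemeral share. The curve, generator, scalars and the HMAC standing in for the server's signature are all constructed teaching values; real TLS uses P-256 or X25519 with RSA or ECDSA signatures, but the shape of the exchange is the same.

```python
"""Toy ECDHE next to static ECDH, to show what "forward secrecy" means.

Curve and values are a constructed teaching example: y^2 = x^3 + 2x + 2 over
F_17 with generator G = (5, 1) of prime order 19. Real TLS uses P-256 or
X25519, but the shape of the exchange is identical.
"""
import hashlib
import hmac

P_MOD, A_COEF = 17, 2   # y^2 = x^3 + A_COEF*x + 2 (mod P_MOD)
G = (5, 1)
ORDER = 19              # G generates a group of 19 points (incl. infinity)


def ec_add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    x1, y1 = p
    x2, y2 = q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                      # p == -q
    if p == q:                           # tangent slope for doubling
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:                                # chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ec_mul(k, p):
    """Double-and-add scalar multiplication k*p."""
    result, addend = None, p
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def derive_key(point):
    """Session key = hash of the shared point's x coordinate."""
    return hashlib.sha256(str(point[0]).encode()).hexdigest()


def static_exchange(server_long_term_priv, client_eph_priv):
    """Static ECDH, the same shape as RSA key transport: the server's
    long-term private key is the key-exchange key. Returns (transcript, key)."""
    server_pub = ec_mul(server_long_term_priv, G)   # lives in the certificate
    client_pub = ec_mul(client_eph_priv, G)         # sent on the wire
    shared = ec_mul(client_eph_priv, server_pub)
    return {"client_pub": client_pub}, derive_key(shared)


def ephemeral_exchange(server_long_term_priv, server_eph_priv, client_eph_priv):
    """ECDHE: both sides use fresh scalars for this session only. The long-term
    key merely authenticates the server's ephemeral share (HMAC stands in for
    the RSA/ECDSA signature of a real ECDHE-RSA / ECDHE-ECDSA suite)."""
    server_pub = ec_mul(server_eph_priv, G)
    client_pub = ec_mul(client_eph_priv, G)
    sig = hmac.new(str(server_long_term_priv).encode(),
                   str(server_pub).encode(), "sha256").hexdigest()
    shared = ec_mul(client_eph_priv, server_pub)
    assert shared == ec_mul(server_eph_priv, client_pub)   # both sides agree
    # Both ephemeral scalars are discarded here; only the transcript survives.
    return {"server_pub": server_pub, "client_pub": client_pub, "sig": sig}, derive_key(shared)


def keys_from_leaked_long_term_key(transcript, server_long_term_priv):
    """Everything a passive recorder can derive from a captured transcript once
    the server's long-term key leaks: multiply each public point by it."""
    return {name: derive_key(ec_mul(server_long_term_priv, pt))
            for name, pt in transcript.items() if isinstance(pt, tuple)}


if __name__ == "__main__":
    s, a, b = 7, 3, 5   # constructed scalars; real code draws a and b from a CSPRNG
    t_static, k_static = static_exchange(s, a)
    t_eph, k_eph = ephemeral_exchange(s, b, a)
    leaked_static = keys_from_leaked_long_term_key(t_static, s).values()
    leaked_eph = keys_from_leaked_long_term_key(t_eph, s).values()
    print("static ECDH: session key recovered from leaked key:", k_static in leaked_static)
    print("ECDHE      : session key recovered from leaked key:", k_eph in leaked_eph)
```

With the static exchange, the leaked long-term key reproduces the recorded session key exactly; with ECDHE the same key only lets the attacker forge signatures on future handshakes, which is why the property is called forward secrecy: it protects the past, not sessions after the compromise.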

To support PFS, the SSL Negotiation Configuration policy of the ELBs should enable only SSL ciphers that use the Elliptic Curve Diffie-Hellman Ephemeral (ECDHE) key exchange. With ECDHE, the server and client each generate a fresh ephemeral key pair for the session and derive the session key from those; the server's long-term key only signs its ephemeral share and is never used to derive the session key, which is what provides forward secrecy.
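A practical way to verify the requirement is to read the policy back and check that every enabled cipher is ECDHE. The following Python is an added example (not from the original page or from AWS); it consumes the JSON that `aws elb describe-load-balancer-policies --load-balancer-name <name>` returns for a Classic ELB, and the sample document embedded below is constructed for this example rather than captured from a real account.

```python
"""Audit a Classic ELB SSL negotiation policy for perfect forward secrecy.

Input is the JSON returned by
  aws elb describe-load-balancer-policies --load-balancer-name <name>
The SAMPLE_OUTPUT below is constructed for this example. A policy passes
only if every *enabled* cipher uses an ECDHE key exchange.
"""
import json

# Attributes of an SSLNegotiationPolicyType policy that are not cipher names.
NON_CIPHER_PREFIXES = ("Protocol-", "Server-Defined-Cipher-Order", "Reference-Security-Policy")
# Forward-secret key exchanges. The answer key relies on ECDHE; finite-field
# "DHE-" suites are also forward secret, so add that prefix if a custom policy
# enables them.
PFS_PREFIXES = ("ECDHE-",)

SAMPLE_OUTPUT = """
{
  "PolicyDescriptions": [
    {
      "PolicyName": "ELBSecurityPolicy-custom-example",
      "PolicyTypeName": "SSLNegotiationPolicyType",
      "PolicyAttributeDescriptions": [
        {"AttributeName": "Protocol-TLSv1", "AttributeValue": "false"},
        {"AttributeName": "Protocol-TLSv1.2", "AttributeValue": "true"},
        {"AttributeName": "Server-Defined-Cipher-Order", "AttributeValue": "true"},
        {"AttributeName": "ECDHE-ECDSA-AES128-GCM-SHA256", "AttributeValue": "true"},
        {"AttributeName": "ECDHE-RSA-AES128-GCM-SHA256", "AttributeValue": "true"},
        {"AttributeName": "AES128-SHA", "AttributeValue": "true"},
        {"AttributeName": "RC4-MD5", "AttributeValue": "false"}
      ]
    }
  ]
}
"""


def enabled_ciphers(policy):
    """Return the cipher attribute names whose value is 'true'."""
    return [
        attr["AttributeName"]
        for attr in policy["PolicyAttributeDescriptions"]
        if attr["AttributeValue"] == "true"
        and not attr["AttributeName"].startswith(NON_CIPHER_PREFIXES)
    ]


def audit_policy(policy):
    """Split enabled ciphers into forward-secret and not; pfs_only is the verdict."""
    enabled = enabled_ciphers(policy)
    pfs = [c for c in enabled if c.startswith(PFS_PREFIXES)]
    non_pfs = [c for c in enabled if not c.startswith(PFS_PREFIXES)]
    return {"policy": policy["PolicyName"], "pfs_only": not non_pfs,
            "pfs_enabled": pfs, "non_pfs_enabled": non_pfs}


def audit_describe_output(raw_json):
    """Audit every SSL negotiation policy in describe-load-balancer-policies output."""
    doc = json.loads(raw_json)
    return [audit_policy(p) for p in doc["PolicyDescriptions"]
            if p["PolicyTypeName"] == "SSLNegotiationPolicyType"]


if __name__ == "__main__":
    for result in audit_describe_output(SAMPLE_OUTPUT):
        verdict = "PFS ok" if result["pfs_only"] else "NO PFS"
        print(f'{result["policy"]}: {verdict}; non-PFS ciphers enabled: {result["non_pfs_enabled"]}')
```

In the constructed sample the policy fails because AES128-SHA (static RSA key exchange) is still enabled alongside the ECDHE suites; a disabled RC4-MD5 entry does not count against it, since only enabled ciphers can be negotiated.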

Therefore, option B (ECDHE-*) is the correct answer, as it selects any cipher suite that uses an ECDHE key exchange. Option A (Protocol-TLSv1.2) only specifies the protocol version and does not by itself ensure PFS. Option C (RC4-MD5) is a weak cipher suite that is vulnerable to known attacks and should not be enabled. Option D (Transposition Cipher) is not an SSL/TLS cipher suite and is not relevant to SSL/TLS security.