Security Guidelines

Overview

Thales strongly recommends that IdCloud communication run over an encrypted transport channel (TLS). Follow these recommendations to ensure the highest security standard.

Recommendations

  • Do not use SSL (v1, v2 or v3), TLS v1.0 or TLS v1.1
  • TLS v1.2 must be enforced
  • The following cipher suites must not be used on the client side. Make sure that they are disabled using the Java system property jdk.tls.disabledAlgorithms.
    • Null encryption: eNULL, NULL
    • Null authentication: aNULL (aNULL includes the anonymous cipher suites ADH (Anonymous Diffie-Hellman) and AECDH (Anonymous Elliptic Curve Diffie-Hellman))
    • Export-level ciphers: EXP
    • Symmetric keys smaller than 128 bits
    • MD5 as hashing algorithm
    • IDEA cipher suites
    • RC4
    • Non-ephemeral (EC)DH cipher suites
    • DHE cipher suites with DHE key length less than 1024 bits (see note in the implementation)
    • For signature, do not use DSA/DSS because the signature operation can be weak if a bad entropy source is used.
  • Make sure the cipher suite order is defined by the server
  • Prefer Authenticated Encryption (AE) or Authenticated Encryption with Associated Data (AEAD) cipher suites. The most commonly used are the AES-GCM suites.
  • Use cipher suites with strong key exchange
    • The recommended key length for DHE cipher suites with RSA is 2048 bits.
    • The recommended key length for ECDHE is 224 bits
  • Use Perfect Forward Secrecy
    • Use cipher suites with DHE or ECDHE key exchange. These key exchanges use ephemeral keys and have the forward secrecy property.
  • It is recommended to set the flag for sensitive result removal, so that no trace of sensitive data remains for anyone to steal and use.
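
The following is an added example, not Thales or IdCloud code: one way to apply the cipher-suite restrictions above on a Java client and then confirm which protocols and suites remain enabled. The class name, the token list and the name fragments checked are constructed for illustration; `jdk.tls.disabledAlgorithms` is read by the JDK as a security property, set here with `Security.setProperty` (it can also be set in the `java.security` file).

```java
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class TlsClientCheck {
    // Constructed list mirroring the recommendations; appended to the JDK defaults.
    static final String EXTRA = String.join(", ",
        "SSLv3", "TLSv1", "TLSv1.1",                 // legacy protocol versions
        "NULL", "anon",                              // eNULL and aNULL (ADH, AECDH)
        "RC4", "DES", "DES40_CBC", "MD5", "MD5withRSA", "DSA",
        "ECDH",                                      // static (non-ephemeral) ECDH
        "DH keySize < 1024", "EC keySize < 224");    // checked during the handshake

    // Name fragments that must not appear in any enabled cipher suite.
    static final String[] FORBIDDEN = { "_NULL_", "_anon_", "_EXPORT_", "_RC4_",
        "_DES_", "_DES40_", "_IDEA_", "_MD5", "_DSS_", "TLS_ECDH_", "TLS_DH_" };

    static List<String> weakSuites(String[] suites) {
        List<String> hits = new ArrayList<>();
        for (String s : suites)
            for (String f : FORBIDDEN)
                if (s.contains(f)) { hits.add(s); break; }
        return hits;
    }

    public static void main(String[] args) throws Exception {
        // Must run before the first JSSE class is initialized, or it has no effect.
        String cur = Security.getProperty("jdk.tls.disabledAlgorithms");
        Security.setProperty("jdk.tls.disabledAlgorithms",
            (cur == null || cur.isEmpty()) ? EXTRA : cur + ", " + EXTRA);
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(null, null, null);                  // default key and trust managers
        SSLEngine engine = ctx.createSSLEngine();
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(new String[] { "TLSv1.2" });   // enforce TLS v1.2 only
        engine.setSSLParameters(params);

        System.out.println("Protocols: " + String.join(",", engine.getEnabledProtocols()));
        List<String> weak = weakSuites(engine.getEnabledCipherSuites());
        for (String s : engine.getEnabledCipherSuites())
            System.out.println((weak.contains(s) ? "WEAK " : "ok   ") + s);
        if (!weak.isEmpty())
            throw new IllegalStateException("Weak suites still enabled: " + weak);
    }
}
```

The key-size entries (`DH keySize < 1024`, `EC keySize < 224`) do not change the enabled-suite listing; the JDK applies them to the keys offered during the handshake.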