1.2.3 Use a Strong Key Exchange
In recent years, the DHE key exchange fell out of fashion, so much so that modern clients no longer support it. As a result, there is only one widely supported secure option for the key exchange, and that's ECDHE. Although DHE suites do have some issues, they are not likely to be a problem in practice if used only as a fallback. You shouldn't use the RSA key exchange (not to be confused with RSA authentication), because in that case you lose forward secrecy: anyone who later obtains the server's private key can decrypt previously captured traffic.
For the key exchange to be secure, ECDHE and DHE have to be used with secure parameters. For ECDHE, the parameters are called named curves, and only two are practical: X25519 and P-256 (also known as secp256r1). For DHE (if you use it), ensure the parameters are 2,048 bits long. Some server applications provide secure DHE parameters out of the box; with others, you'll have to provide your own.
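As an added example (not code from the original guide), the following Go server configuration applies this advice for TLS 1.2: only ECDHE cipher suites, only the two practical named curves, and an in-memory handshake that confirms a client offering nothing but the RSA key exchange is refused. Go's crypto/tls does not implement DHE, so the DHE fallback is not shown; the self-signed certificate and the helper names are constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"strings"
	"time"
)

// selfSignedCert builds a throwaway ECDSA certificate for the in-memory handshake.
func selfSignedCert() tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// ServerConfig applies the section's advice: ECDHE-only TLS 1.2 suites (no RSA key
// exchange, so forward secrecy is kept) and only the two practical named curves.
func ServerConfig() *tls.Config {
	return &tls.Config{
		Certificates:     []tls.Certificate{selfSignedCert()},
		MinVersion:       tls.VersionTLS12,
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
		CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305},
	}
}

// IsForwardSecret reports whether a negotiated TLS 1.2 suite used an ECDHE key
// exchange (every TLS 1.3 suite does, so the check matters only for 1.2).
func IsForwardSecret(suite uint16) bool {
	return strings.HasPrefix(tls.CipherSuiteName(suite), "TLS_ECDHE_")
}

// Handshake runs a TLS 1.2 client offering only clientSuites (nil = Go defaults)
// against server over an in-memory pipe and returns the negotiated suite.
func Handshake(server *tls.Config, clientSuites []uint16) (uint16, error) {
	c, s := net.Pipe()
	go tls.Server(s, server).Handshake() // server side runs concurrently
	cc := tls.Client(c, &tls.Config{InsecureSkipVerify: true, MaxVersion: tls.VersionTLS12, CipherSuites: clientSuites})
	if err := cc.Handshake(); err != nil {
		return 0, err
	}
	return cc.ConnectionState().CipherSuite, nil
}
```

A client that also offers an ECDHE_ECDSA suite completes the handshake with forward secrecy, while a client limited to TLS_RSA_WITH_AES_128_GCM_SHA256 receives a handshake_failure alert.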
The first standardized post-quantum cryptography algorithms became available in August 2024. Among them is ML-KEM, a new key exchange that is thought to be secure against both classical and quantum attacks. Although cryptographically relevant quantum computers could be many years away, capable attackers can capture encrypted network traffic today, only to decrypt it later. For this reason, the time to deploy quantum-safe key exchange is now. In TLS, ML-KEM is not deployed on its own but in combination with ECDHE; this hybrid approach provides additional safety in case ML-KEM, a very young primitive by any standard, is found to be flawed in some way.