PrepAway - Latest Free Exam Questions & Answers

Which of the following should be disabled to mitigate this risk?

During a routine audit a web server is flagged for allowing the use of weak ciphers. Which of the following
should be disabled to mitigate this risk? (Select TWO).


A.
SSL 1.0

B.
RC4

C.
SSL 3.0

D.
AES

E.
DES

F.
TLS 1.0

Explanation:
TLS 1.0 and SSL 1.0 both have known vulnerabilities and have been replaced by later versions. Any
systems running these ciphers should have them disabled.
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic
protocols designed to provide communications security over a computer network. They use X.509
certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are
communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing
between the parties. This provides data/message confidentiality, while message authentication codes provide
message integrity and, as a by-product, message authentication.
Netscape developed the original SSL protocol. Version 1.0 was never publicly released because of serious
security flaws in the protocol; version 2.0, released in February 1995, “contained a number of security
flaws which ultimately led to the design of SSL version 3.0”.
TLS 1.0 was first defined in RFC 2246 in January 1999 as an upgrade of SSL Version 3.0. As stated in the
RFC, “the differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough
to preclude interoperability between TLS 1.0 and SSL 3.0”. TLS 1.0 does include a means by which a TLS
implementation can downgrade the connection to SSL 3.0, thus weakening security.
TLS 1.1 and then TLS 1.2 were created to replace TLS 1.0.
Incorrect Answers:
B: In cryptography, RC4 is the most widely used software stream cipher and is used in popular Internet
protocols such as Transport Layer Security (TLS). Whilst some argue that RC4 does have a weakness, it is
still commonly used today. SSL 1.0 and TLS 1.0 are considered to be weaker ciphers.
C: Although TLS 1.2 has been created to replace SSL 3.0, SSL 3.0 is still commonly used today. SSL 1.0 and
TLS 1.0 are considered to be weaker ciphers.
D: AES (Advanced Encryption Standard) has been adopted by the U.S. government and is now used
worldwide. It supersedes the Data Encryption Standard (DES) which was published in 1977. The algorithm
described by AES is a symmetric-key algorithm, meaning the same key is used for both encrypting and
decrypting the data. AES is not considered to be a weak cipher.
E: In cryptography, Triple DES (3DES) is the common name for the Triple Data Encryption Algorithm
symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three
times to each data block. Although DES has been superseded by 3DES and AES, DES is still used today. SSL
1.0 and TLS 1.0 are considered to be weaker ciphers.

http://en.wikipedia.org/wiki/Transport_Layer_Security
http://en.wikipedia.org/wiki/Triple_DES
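As an added example (not part of the PrepAway explanation), the following Python script shows how the audit finding can be reproduced from a scanner's protocol and cipher-suite list, and how a server-side ssl.SSLContext is hardened so that TLS 1.0 (together with SSL 3.0 and TLS 1.1) and the RC4/DES/3DES families can no longer be negotiated. The scan data is a constructed sample; the function names are this example's own.

```python
import ssl

# Protocol versions and cipher-name markers treated as weak. Checked case-insensitively;
# "DES" also matches 3DES suites on purpose, since both families are retired.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")

# Constructed sample of what a scanner might report for the flagged web server.
SAMPLE_PROTOCOLS = ["SSLv3", "TLSv1", "TLSv1.2"]
SAMPLE_CIPHERS = [
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]


def audit_scan(protocols, cipher_suites):
    """Return (weak_protocols, weak_ciphers) found in a scan report, each sorted."""
    weak_protos = sorted(p for p in protocols if p in WEAK_PROTOCOLS)
    weak_ciphers = sorted(
        c for c in cipher_suites
        if any(m in c.upper() for m in WEAK_CIPHER_MARKERS)
    )
    return weak_protos, weak_ciphers


def hardened_server_context():
    """Server context that refuses SSL 3.0 / TLS 1.0 / TLS 1.1 and legacy cipher suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # older versions cannot be negotiated
    # Forward-secret AEAD suites only; the legacy families are excluded explicitly.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!RC4:!DES:!3DES:!MD5")
    return ctx


def remaining_weak_ciphers(ctx):
    """Names of cipher suites still enabled on ctx that carry a weak marker."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"].upper() for m in WEAK_CIPHER_MARKERS)]


if __name__ == "__main__":
    protos, ciphers = audit_scan(SAMPLE_PROTOCOLS, SAMPLE_CIPHERS)
    print("weak protocols offered:", protos)
    print("weak cipher suites offered:", ciphers)
    ctx = hardened_server_context()
    print("hardened minimum version:", ctx.minimum_version.name)
    print("weak suites still enabled:", remaining_weak_ciphers(ctx))
```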

One Comment on “Which of the following should be disabled to mitigate this risk?”

  1. meac says:

    Right... the explanation is correct and it clearly states as follows: “TLS 1.0 and SSL 1.0 both have known vulnerabilities and have been replaced by later versions. Any systems running these ciphers should have them disabled.” So the correct answers are:
    A. SSL 1.0 and F. TLS 1.0
