Skip to main content

NULL Encryption and Key Exchange Without Forward Secrecy are Discouraged

Document Type Expired Internet-Draft (individual)
Expired & archived
Author John Preuß Mattsson
Last updated 2023-07-25 (Latest revision 2023-01-19)
RFC stream (None)
Intended RFC status (None)
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state Expired
Telechat date (None)
Responsible AD (None)
Send notices to (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:


Massive pervasive monitoring attacks using key exfiltration and made possible by key exchange without forward secrecy have been reported. If key exchange without Diffie-Hellman is used, static exfiltration of the long-term authentication keys enables passive attackers to compromise all past and future connections. Malicious actors can get access to long-term keys in different ways: physical attacks, hacking, social engineering attacks, espionage, or by simply demanding access to keying material with or without a court order. Exfiltration attacks are a major cybersecurity threat. If NULL encryption is used an on-path attacker can read all application data. The use of psk_ke and NULL encryption are not following zero trust principles of minimizing the impact of breach and governments have already made deadlines for their deprecation. This document evaluates TLS pre-shared key exchange modes, (EC)DHE groups, signature algorithms, and cipher suites and downgrades many entries to "N" and "D" where "D" indicates that the entries are "Discouraged".


John Preuß Mattsson

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)