During a web application assessment you capture a TLS handshake where the server's strongest negotiated option is TLS_RSA_WITH_AES_256_CBC_SHA and no cipher suites using DHE or ECDHE are offered. You explain that captured traffic could be decrypted later if the private key is compromised. Which server-side change most directly mitigates this risk?
Configure the server to prefer cipher suites that use ECDHE key exchange so every session establishes an ephemeral key
Disable TLS compression on the server to remove CRIME-style vulnerabilities
Renew the RSA certificate with a 4096-bit key signed using SHA-256 instead of SHA-1
Replace AES-CBC with AES-GCM to achieve authenticated encryption of the data channel
TLS_RSA cipher suites perform key exchange using the server's long-term RSA key, so anyone who later obtains that private key can decrypt an archived session. Enabling suites that use ephemeral Diffie-Hellman, such as ECDHE, generates a one-time session key that is discarded after use; even if the certificate key leaks, past traffic remains secure, which provides perfect forward secrecy. Changing CBC to GCM, disabling compression, or using a longer RSA key improves other security properties but does not prevent retrospective decryption once the private key is exposed.
Certified Ethical Hacker (CEH)
Cryptography