While enumerating a client's HTTPS service with Nmap and the --script ssl-enum-ciphers option, you observe that one of the advertised suites is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014). Based on its components, which statement best describes this suite's security properties and the implication for your penetration-test report?
It lacks forward secrecy because the key exchange is based on the server's static RSA key; recommend disabling the suite.
It provides perfect forward secrecy through elliptic-curve ephemeral Diffie-Hellman and is generally considered a strong suite, so no finding is required.
It employs the RC4 stream cipher, which is prohibited by current TLS guidance, so report it as a high-risk issue.
It is weak because it relies on DES for bulk encryption; you should recommend immediate removal.
The prefix ECDHE indicates Elliptic-Curve Diffie-Hellman in ephemeral mode, which provides perfect forward secrecy because a new key pair is generated for every handshake. The RSA portion is only for server authentication, not for key exchange. The symmetric encryption uses 256-bit AES in CBC mode with an HMAC-SHA-1 message-authentication code. None of these elements are regarded as inherently weak or deprecated under current TLS 1.2 guidance; therefore the suite is still considered strong and does not in itself warrant a finding. The other options are incorrect because the suite does not use DES or RC4, and static RSA would be identified by the keyword RSA alone (without ECDHE) and would not provide forward secrecy.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is perfect forward secrecy?
Open an interactive chat with Bash
What does ECDHE stand for in this cipher suite?
Open an interactive chat with Bash
Why is AES-256-CBC considered a strong encryption method?
Open an interactive chat with Bash
ELI5: What is Perfect Forward Secrecy (PFS) in cryptographic suites?
Open an interactive chat with Bash
What does ECDHE in a cipher suite mean?
Open an interactive chat with Bash
How does AES 256 CBC work in TLS encryption?
Open an interactive chat with Bash
Certified Ethical Hacker (CEH)
Cryptography
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .