Data security is an important aspect of most computer systems. In many systems, data security is provided, at least in part, by data encryption. Data encryption schemes have evolved over time to provide increasing amounts of security and performance. In some encryption schemes, an encrypted message is arranged in an envelope structure. For example, in one encryption scheme, an envelope includes a randomly-generated cryptographic key, and a data portion that is encrypted with the cryptographic key. The cryptographic key is encrypted using a shared key encrypting key (“KEK”) known by both the sender and the recipient. When the recipient receives the message, the recipient uses the shared KEK to decrypt the cryptographic key in the envelope, and uses the decrypted cryptographic key to decrypt the data portion of the message. Provided that the KEK is not compromised, the value of the KEK can be rotated by re-encrypting the cryptographic key in each envelope. If the KEK is compromised, an attacker that gains access to an envelope can decode the cryptographic key in the envelope and decrypt the encrypted data.
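The envelope structure described above, as an added illustration that is not part of the original text: a fresh data key encrypts the payload, the data key is wrapped under the shared KEK, and rotating the KEK re-wraps only the data key while the bulk ciphertext is left unchanged. The cipher here is a constructed stand-in (an HMAC-SHA256 keystream with an HMAC tag) so the example runs with the Python standard library alone; a real system would use an AEAD such as AES-GCM in its place.

```python
import hmac
import hashlib
import os

# Constructed toy authenticated cipher: HMAC-SHA256 keystream in counter mode
# plus an HMAC tag. It stands in for a real AEAD (e.g. AES-GCM) so the example
# runs with the standard library only; it is for illustration, not production.
NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key):
    # Separate encryption and authentication keys derived from one secret.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key, nonce, length):
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                               hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt(key, plaintext):
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    # A wrong key (e.g. a retired KEK) or a tampered envelope fails here.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def seal_envelope(kek, plaintext):
    # Randomly generated data key per message; only the data key is wrapped under the KEK.
    dek = os.urandom(32)
    return {"wrapped_dek": encrypt(kek, dek), "ciphertext": encrypt(dek, plaintext)}


def open_envelope(kek, envelope):
    # Recipient unwraps the data key with the shared KEK, then decrypts the data portion.
    dek = decrypt(kek, envelope["wrapped_dek"])
    return decrypt(dek, envelope["ciphertext"])


def rotate_kek(old_kek, new_kek, envelope):
    # KEK rotation re-wraps the data key only; the data portion is not re-encrypted.
    dek = decrypt(old_kek, envelope["wrapped_dek"])
    return {"wrapped_dek": encrypt(new_kek, dek), "ciphertext": envelope["ciphertext"]}


if __name__ == "__main__":
    kek_v1, kek_v2 = os.urandom(32), os.urandom(32)
    env = seal_envelope(kek_v1, b"constructed sample record")
    env = rotate_kek(kek_v1, kek_v2, env)
    print(open_envelope(kek_v2, env))
```

Because rotation touches only the wrapped data key, a large stored object can be moved to a new KEK without re-reading its ciphertext; the converse also holds, as the text notes: whoever holds the KEK can unwrap every data key and read every envelope wrapped under it.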
In a client-server system, data encryption can be performed client-side or server-side. For example, in a data storage service, a storage server provides server-side encryption by encrypting plaintext data received from clients and retaining the data in encrypted form. When a client requests data from the server, the encrypted data is decrypted by the server before the data is returned to the client. When client-side encryption is used, the client encrypts data before sending the data to the storage server. The storage server receives and stores the encrypted data, and when requested, returns the data to the client in encrypted form. In some situations, server-side encryption does not protect the stored data against an unauthorized client using stolen access credentials. However, server-side encryption can sometimes provide higher cryptographic performance (e.g., using custom cryptography chipsets).
Since cryptographic protocols are often updated in response to new security threats and advances in cryptographic technology, it can be difficult to maintain up-to-date cryptographic software on client computers. Some cryptographic network protocols (such as transport layer security (“TLS”)) are designed to allow a variety of different systems running in different environments to securely communicate over untrusted networks. In some implementations, these protocols provide improved flexibility and interoperability by using a handshake process. The handshake process negotiates the configuration of a specific connection between two endpoints (i.e., client and server). In the case of TLS, part of the negotiated configuration is a cipher suite which will be used for key exchange and data record encryption. In some systems, when a client connects to a server, but the server determines that none of the client's cipher suites are supported by the server, the server will reject the connection from the client. Such situations may occur where a client has not received security patches or has been misconfigured.
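The cipher suite negotiation and rejection case described above, as an added example that is not part of the original text: the server walks its own preference list and picks the first suite the client also offered; if there is no overlap, the connection is rejected, and the server records whether the client offered only legacy suites, which is the unpatched or misconfigured client situation the text describes. The server policy, the legacy list, and the sample ClientHello offers are all constructed for this example; the suite names are standard TLS cipher suite names.

```python
# Constructed server policy, ordered by server preference (most preferred first).
SERVER_SUITES = [
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

# Constructed set of suites a patched server no longer enables. A ClientHello
# that offers nothing else suggests a client missing security patches or
# misconfigured to only use old suites.
LEGACY_SUITES = {
    "TLS_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
}


class HandshakeFailure(Exception):
    """Raised when no cipher suite is supported by both endpoints."""


def select_cipher_suite(client_suites, server_suites=SERVER_SUITES):
    """Return the first suite in server preference order that the client offered."""
    offered = set(client_suites)
    for suite in server_suites:
        if suite in offered:
            return suite
    raise HandshakeFailure("no mutually supported cipher suite")


def negotiate(client_suites, server_suites=SERVER_SUITES):
    """Model the server's decision on a ClientHello as a loggable record."""
    try:
        suite = select_cipher_suite(client_suites, server_suites)
        return {"result": "accepted", "suite": suite}
    except HandshakeFailure as exc:
        return {
            "result": "rejected",
            "reason": str(exc),
            # True when every suite the client offered is a known legacy suite.
            "legacy_client_suspected": set(client_suites) <= LEGACY_SUITES,
            "client_offered": list(client_suites),
        }


if __name__ == "__main__":
    # Constructed ClientHello offers: a current client and an unpatched one.
    current_client = ["TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384"]
    stale_client = ["TLS_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]
    for offer in (current_client, stale_client):
        print(negotiate(offer))
```

The `legacy_client_suspected` field is the piece a defender wants from such a rejection: a spike of rejections from clients offering only legacy suites points at an unpatched client population rather than at a server-side fault.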