
Cipher algorithm selection – Zilog EZ80F91AZA User Manual


UM020107-1211

SSL Configuration

ZTP Network Security SSL Plug-In

User Manual

26

    NullHash_New,
    SHA1_New,
    NullHash_New
};

Care must be taken while removing the SHA1 digest algorithm. Sometimes this algorithm is used in the process of signing digital certificates. Therefore, if the SHA1 digest algorithm is not configured into the system and the SSL protocol must either generate or verify a signature using the SHA1 algorithm, it will not be possible to complete the operation. As a result, an SSL session will be prevented from becoming established.

It is important to keep the HashGen array synchronized with the table of cipher suites referenced by the pSSL2_CipherSuites, pSSL3_CipherSuites and pTLS1_CipherSuites pointers. For example, if the SHA1_New function pointer is replaced with NullHash_New, then the SHA1 digest algorithm will not be included in the application. Therefore, if any of the cipher suite tables contains an entry which uses SHA1, such as TLS_RSA_WITH_3DES_EDE_CBC_SHA, these cipher suites must be disabled as they will not function properly without the SHA1 algorithm. For more information about this topic, see the Cipher Suite Configuration section on page 31.
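As an added example (not code from the Zilog manual or the ZTP plug-in), the consistency rule above can be enforced with a small check that walks a cipher suite table and flags every suite whose digest constructor in HashGen has been replaced by NullHash_New. The HashNewFn type, the HashGen index layout, the CipherSuite struct and the sample table are assumptions made for the example.

```c
#include <stdio.h>

/* Hypothetical stand-ins for the plug-in's digest constructors; the real
 * ZTP functions are only referenced by name in the manual. */
typedef void *(*HashNewFn)(void);
void *NullHash_New(void) { return NULL; }
void *MD5_New(void)      { static int ctx; return &ctx; }
void *SHA1_New(void)     { static int ctx; return &ctx; }

/* Assumed position of each digest in the HashGen array. */
enum { HASH_NULL = 0, HASH_MD5 = 1, HASH_SHA1 = 2, HASH_COUNT };

/* Mirrors a HashGen table in which SHA1_New has been swapped for
 * NullHash_New, i.e. SHA1 is configured out of the build. */
HashNewFn HashGen[HASH_COUNT] = { NullHash_New, MD5_New, NullHash_New };

/* One cipher suite entry: its name and the digest it requires (assumed). */
typedef struct { const char *name; int hash; } CipherSuite;

/* Constructed sample table standing in for the table pTLS1_CipherSuites
 * points at; the first suite is the one the manual names. */
const CipherSuite pTLS1_CipherSuites[] = {
    { "TLS_RSA_WITH_3DES_EDE_CBC_SHA", HASH_SHA1 },
    { "TLS_RSA_WITH_RC4_128_MD5",      HASH_MD5  },
    { NULL, 0 }  /* terminator */
};

/* Returns the number of enabled suites whose digest is missing from
 * hashgen (entry is NullHash_New or index out of range). Each such suite
 * must be disabled, otherwise the handshake fails at runtime. */
int check_suite_table(const CipherSuite *table, HashNewFn *hashgen)
{
    int bad = 0;
    for (; table->name != NULL; table++) {
        int idx = table->hash;
        if (idx < 0 || idx >= HASH_COUNT || hashgen[idx] == NullHash_New) {
            printf("disable %s: required digest not built in\n", table->name);
            bad++;
        }
    }
    return bad;
}

int main(void)
{
    int n = check_suite_table(pTLS1_CipherSuites, HashGen);
    printf("%d suite(s) inconsistent with HashGen\n", n);
    return n != 0;
}
```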

Cipher Algorithm Selection

The SSL handshake protocols use symmetric cipher algorithms to encrypt and decrypt application level data transferred through SSL. With symmetric ciphers, both the client and server use the same set of keys to encrypt and decrypt data. These symmetric keys are changed each time the client and server establish a new session. These keys are derived from information exchanged during the execution of the (asymmetric) PKI algorithm during the establishment of a session.

The ZTP Network Security SSL Plug-In recognizes the following four cipher algorithms:

RC4 (128-bit key)

DES (56-bit key)

3DES (168-bit key)

AES (128-bit key or 256-bit key)

Each of these four cipher algorithms has an entry that follows the NullCipher_New function pointer.

An SSL session is established using any one of these cipher algorithms. However, not all
SSL clients and servers implement the same set of ciphers. By supporting multiple cipher
