Pki algorithm selection – Zilog EZ80F91AZA User Manual
Page 34
UM020107-1211
SSL Configuration
ZTP Network Security SSL Plug-In
User Manual
28
NullCipher_New
};
It is important to keep the
CipherGen
array synchronized with the table of cipher suites
referenced by the
pSSL2_CipherSuites
,
pSSL3_CipherSuites
, and
pTLS1_CipherSuites
pointers. For example, if the
DES3_New
function pointer is
replaced with
NullCipher_New
, then the 3DES cipher algorithm will not be included in
the application. Therefore, if any of the cipher suite tables contains an entry which uses
3DES – such as
TLS_RSA_WITH_3DES_EDE_CBC_SHA
– these cipher suites must be dis-
abled because they will not function properly without the 3DES algorithm. For more
information about this topic, see the
The AES cipher was standardized after the SSL specifications were created. Therefore,
there are no defined cipher suites in the SSLv2, SSLv3 or TLSv1 specifications that use
AES. However, changes to the TLSv1 specification have included cipher suites that use
either the 128-bit or 256-bit AES algorithm. The ZTP Network Security SSL Plug-In
defines several cipher suites for TLSv1 and SSLv3 using AES, but does not include any
definitions for SSLv2 cipher suites using AES. Because AES is relatively new to SSL, it
may be difficult to find third party applications supporting AES-based cipher suites. At the
date of publication of this document, for example, Microsoft Internet Explorer v6.0 did not
include AES support.
PKI Algorithm Selection
A public key infrastructure (PKI) allows an insecure network to exchange data securely
via authentication and privately via encryption. PKI systems employ public key cryptogra-
phy in which a public and private key pair is used to perform cryptographic operations.
In public key cryptography, one entity holds the private key in secrecy; while the public
key is freely distributed. Public key algorithms allow entities to securely arrive at a com-
mon shared secret without having any prior knowledge of each other.
In contrast, private key systems require all parties to be in possession of a common shared
secret before secure communication begins. As the number of participants in private key
systems increases, it becomes harder to keep the shared secret private. Once a secret is
compromised, secure communication is no longer assured. In public key systems, only
one device must keep the private key a secret regardless of the number of participants. The
downside of public key cryptography is that its asymmetric algorithms tend to be more
computationally intensive than private key symmetric algorithms.
SSL servers are required to be in possession of a public and private key pair. The server’s
public key is placed into a certificate that is signed and validated by a trusted third party.
During the establishment of an SSL session, the client receives a copy of the server’s cer-
Note: