Zilog EZ80F91AZA User Manual

Page 42

UM020107-1211

SSL Configuration

ZTP Network Security SSL Plug-In User Manual, page 36

CipherGen table. For additional information about configuring the HashGen array, see Table 5 on page 25.

Configuring the PkiGen array is difficult. Use the values listed in Table 6 to determine the minimum set of PKI algorithms required based on the KeyAlg field in all cipher suite entries.

Table 6. PKI Algorithm Requirements by Cipher Suite

KeyAlg Value From Cipher Suite    Required PKIGen Entry    Required pDheInit Setting
SSL_PKI_RSA                       rsa_init                 NULLPTR
SSL_PKI_DH                        dh_init                  NULLPTR
SSL_PKI_DHE_RSA                   rsa_init                 dhe_init
SSL_PKI_DHE_DSS                   dsa_init                 dhe_init

Notes:

1. When RSA export cipher suites are used, the ZTP Network Security SSL Plug-In will abort the establishment of a session if the RSA modulus exceeds the export limit regarding public key size.

2. Any cipher suite containing the text DHE uses Ephemeral Diffie-Hellman (EDH) parameters to arrive at a shared secret between the client and the server. Therefore, the pDheInit function pointer must reference the dhe_init routine, or else Ephemeral Diffie-Hellman cipher suites cannot be supported. The difference between a Diffie-Hellman (DH) certificate and DHE parameters is that the private and public Diffie-Hellman values never change when a DH certificate is used. In contrast, when DHE parameters are used, the private and public values are changed each time a new session is established.

3. When DSS certificates (using the DSA signature algorithm) are employed, EDH key exchange is always performed. This situation exists because the DSA algorithm cannot be used to establish a shared secret; it can only be used to digitally sign some other datum. Therefore, DHE_DSS cipher suites use Ephemeral Diffie-Hellman parameters to arrive at a shared secret, and these parameters are signed using the public key contained in the DSS certificate.

RSA certificates are used for encryption and signatures. Cipher suites using RSA for key exchange through RSA encryption contain text such as _RSA_WITH_ or _RSA_EXPORT_WITH_. Cipher suites using Ephemeral Diffie-Hellman parameters signed with RSA use text such as _DHE_RSA_.

In general, when a cipher suite contains two public key algorithms (for example, TLS_DHE_RSA_WITH_DES_CBC_SHA), the first public key algorithm identifies the key
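Table 6 and the cipher suite naming rules above can be applied mechanically: classify each enabled suite by its name, map the resulting KeyAlg value to its Table 6 row, and take the union over the whole list to get the minimum PkiGen contents and the required pDheInit setting. The C program below is an added example, not code from the ZTP Network Security SSL Plug-In. It assumes numeric values for the SSL_PKI_* KeyAlg constants (the real ones come from the plug-in's headers), introduces its own NEED_* flags and the helper names key_alg_from_suite_name, pki_requirements and config_satisfies, and adds the TLS 1.0 static-DH name spellings _DH_RSA_ and _DH_DSS_ (not listed on this page) so that the SSL_PKI_DH row is also covered. The suite list is constructed from TLS 1.0 cipher suite names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the plug-in's KeyAlg values. The real SSL_PKI_*
 * constants live in the ZTP SSL headers; the numeric values are assumed. */
typedef enum {
    SSL_PKI_UNKNOWN = 0,
    SSL_PKI_RSA,
    SSL_PKI_DH,
    SSL_PKI_DHE_RSA,
    SSL_PKI_DHE_DSS
} SslPkiAlg;

/* Bit flags naming the PkiGen entries (and the pDheInit setting) that a
 * configuration must provide. The flag names are this example's own. */
#define NEED_RSA_INIT 0x01u /* PkiGen must contain rsa_init */
#define NEED_DH_INIT  0x02u /* PkiGen must contain dh_init  */
#define NEED_DSA_INIT 0x04u /* PkiGen must contain dsa_init */
#define NEED_DHE_INIT 0x08u /* pDheInit must reference dhe_init, not NULLPTR */

/* Derive the KeyAlg value from a cipher suite name using the substrings the
 * text describes (_RSA_WITH_, _RSA_EXPORT_WITH_, _DHE_RSA_, DHE_DSS). The
 * static-DH spellings _DH_RSA_ / _DH_DSS_ are the TLS 1.0 names and are an
 * addition of this example. Order matters: "_DHE_RSA_WITH_" also contains
 * "_RSA_WITH_", so the first (key exchange) algorithm is tested first. */
SslPkiAlg key_alg_from_suite_name(const char *name)
{
    if (strstr(name, "_DHE_RSA_") != NULL) return SSL_PKI_DHE_RSA;
    if (strstr(name, "_DHE_DSS_") != NULL) return SSL_PKI_DHE_DSS;
    if (strstr(name, "_DH_RSA_") != NULL || strstr(name, "_DH_DSS_") != NULL)
        return SSL_PKI_DH;
    if (strstr(name, "_RSA_WITH_") != NULL ||
        strstr(name, "_RSA_EXPORT_WITH_") != NULL)
        return SSL_PKI_RSA;
    return SSL_PKI_UNKNOWN;
}

/* Table 6, one row per KeyAlg value. */
unsigned pki_requirements_for(SslPkiAlg alg)
{
    switch (alg) {
    case SSL_PKI_RSA:     return NEED_RSA_INIT;
    case SSL_PKI_DH:      return NEED_DH_INIT;
    case SSL_PKI_DHE_RSA: return NEED_RSA_INIT | NEED_DHE_INIT;
    case SSL_PKI_DHE_DSS: return NEED_DSA_INIT | NEED_DHE_INIT;
    default:              return 0;
    }
}

/* Union of the requirements over every cipher suite name in the list: the
 * minimum PkiGen set and pDheInit setting for the configuration as a whole. */
unsigned pki_requirements(const char *const *suites, size_t count)
{
    unsigned need = 0;
    for (size_t i = 0; i < count; i++)
        need |= pki_requirements_for(key_alg_from_suite_name(suites[i]));
    return need;
}

/* Returns 1 when a proposed configuration ('have', same NEED_* flags)
 * supplies every required entry and the required pDheInit setting. */
int config_satisfies(unsigned need, unsigned have)
{
    return (need & ~have) == 0;
}

/* Constructed suite list: the suite named on this page plus three other
 * TLS 1.0 suite names (one RSA export suite, one DHE_DSS suite). */
static const char *const kSuites[] = {
    "TLS_RSA_WITH_DES_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    "TLS_DHE_RSA_WITH_DES_CBC_SHA",
    "TLS_DHE_DSS_WITH_DES_CBC_SHA",
};
#define NUM_SUITES (sizeof kSuites / sizeof kSuites[0])

int main(void)
{
    unsigned need = pki_requirements(kSuites, NUM_SUITES);
    printf("PkiGen needs:%s%s%s; pDheInit = %s\n",
           (need & NEED_RSA_INIT) ? " rsa_init" : "",
           (need & NEED_DH_INIT)  ? " dh_init"  : "",
           (need & NEED_DSA_INIT) ? " dsa_init" : "",
           (need & NEED_DHE_INIT) ? "dhe_init" : "NULLPTR");
    /* A configuration providing rsa_init only, with pDheInit = NULLPTR, is
     * rejected: the DHE suites in the list cannot be supported without dhe_init. */
    printf("rsa_init only: %s\n",
           config_satisfies(need, NEED_RSA_INIT) ? "ok" : "incomplete");
    return 0;
}
```

For the constructed list the program reports that PkiGen needs rsa_init and dsa_init and that pDheInit must be dhe_init; dropping either DHE suite from the list lets pDheInit revert to NULLPTR, which is exactly the trade-off Note 2 describes.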
