beautypg.com

Edh parameters, Topic, see the – Zilog EZ80F91AZA User Manual

Page 43

background image

UM020107-1211

SSL Configuration

ZTP Network Security SSL Plug-In

User Manual

37

exchange algorithm (DHE in this example). The second public key algorithm identifies
the algorithm used for authentication (RSA in this example). Because RSA can be used for
both key exchange and authentication, the text RSA only appears once in the cipher suite
mnemonic. This feature represents another advantage of using RSA certificates; i.e., only
one (computationally-intensive) public key operation must be performed to authenticate
the server and arrive at a shared secret, as opposed to cipher suites requiring the use of two
public key algorithms.

As indicated above, SSL primarily uses two public key algorithms to generate and verify
DSA and RSA signatures. Because the use of RSA certificates is more prevalent than DSS
(i.e., DSA) certificates, it is not required that the

dsa_init

function pointer be included

in the

PkiGen

array. However, in cases where a server’s certificate is signed using an

issuer’s DSA private key, it will not be possible to verify the signature unless the

dsa_init

function pointer is included in the

PkiGen

array. Furthermore, if signature ver-

ification is enabled (see the

Signature Verification

section on page 50), it will not be possi-

ble to establish a session.

EDH Parameters

When an Ephemeral Diffie-Hellman cipher suite is used to secure a communication chan-
nel between the SSL client and server, the server must supply DH parameters to the client
in a handshake message. Ephemeral Diffie-Hellman cipher suites contain the text

_DHE_

in the cipher suite mnemonic; e.g.,

TLS_DHE_RSA_WITH_DES_CBC_SHA

. The DH param-

eters contain two values necessary to complete the Diffie-Hellman key agreement algo-
rithm: the prime modulus, p, and the generator, g. The message that is sent also contains
the server’s public value.

In the ZTP Network Security SSL Plug-In implementation, the SSL server selects a new
private key and generates a public value prior to sending the Ephemeral Diffie-Hellman
parameters and the public value to the client. However, the server always uses the same
DH parameters (p and g). A reference to these DH parameters must be supplied to the
server on the

TLS1_ServerInit

or

SSL3_ServerInit

APIs, as shown in the following

TLSv1 initialization call example:

TLS1_ServerInit( &CertChain, &DheParams );

By default, the SSLv3 and TLSv1 servers in the ZTP Network Security SSL Plug-In use
the same set of DH parameters, but this usage is not mandatory. Because SSLv2 cipher
suites do not use Ephemeral Diffie-Hellman cipher suites, the final parameter on the

SSL2_Init

API is always specified as

NULLPTR

.

In the default configuration of the ZTP Network Security SSL Plug-In, the Ephemeral Dif-
fie-Hellman parameters are contained in the

dh_params.c

configuration file, as shown in

the following code fragment:

SSL_BYTE DH_Params_Pem[] = {"\

This manual is related to the following products:
See also other documents in the category Zilog Sensors: