Zilog EZ80F91AZA User Manual

UM020107-1211

SSL Configuration

ZTP Network Security SSL Plug-In

User Manual


prime:
    00:84:5f:92:80:12:59:11:5a:5d:22:84:e9:8d:6e:
    fc:1b:6b:e4:7d:bb:76:97:57:07:c1:9a:4d:1f:ea:
    88:ae:d5:13:08:5a:00:9a:78:a2:28:47:aa:f6:90:
    ce:5d:cd:75:01:cc:9c:89:7a:79:4d:af:37:c1:ad:
    ba:74:3d:12:3b
generator: 2 (0x2)
-----BEGIN DH PARAMETERS-----
MEYCQQCEX5KAElkRWl0ihOmNbvwba+R9u3aXVwfBmk0f6oiu1RMIWgCaeKIoR6r2
kM5dzXUBzJyJenlNrzfBrbp0PRI7AgEC
-----END DH PARAMETERS-----

To use this output with the ZTP Network Security SSL Plug-In, cut and paste the two lines of text between the BEGIN DH PARAMETERS and END DH PARAMETERS delimiters shown above, and place them into an array that is referenced by the pData member of the ASN1_ENC_DATA structure. The following code fragment shows how to instantiate a variable of type ASN1_ENC_DATA that uses these DH parameters.

/* Base64 body of the DH parameters, copied from between the BEGIN and END
   DH PARAMETERS delimiters; the backslash-newline continuations keep the
   two PEM lines as a single string literal. */
SSL_BYTE DH_Params_Pem[] = {"\
MEYCQQCEX5KAElkRWl0ihOmNbvwba+R9u3aXVwfBmk0f6oiu1RMIWgCaeKIoR6r2\
kM5dzXUBzJyJenlNrzfBrbp0PRI7AgEC"};

/* PEM_ENCODED_DATA marks the buffer as base64 text rather than raw DER;
   sizeof()-1 excludes the terminating NUL from the length. */
ASN1_ENC_DATA DheParams =
{
    PEM_ENCODED_DATA,
    sizeof(DH_Params_Pem)-1,
    DH_Params_Pem
};

By default, the OpenSSL dhparam command will generate DH parameters with a generator of two or five. If larger generators are required, use the -dsaparam option, as shown in the following code fragment:

OpenSSL> dhparam -text -dsaparam -out dh_param.txt 512
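The following Python script is an added example, not code from the Zilog manual or the plug-in: it decodes the same base64 text that is pasted into DH_Params_Pem, parses the PKCS#3 DHParameter structure (SEQUENCE of two INTEGERs), and reports the modulus bit length and generator, so the value placed in the ASN1_ENC_DATA structure can be checked against the -text output and against the modulus limits discussed under Modulus Length.

```python
import base64
import re

# Base64 body of the DH parameters from the manual's dhparam output
# (the two lines between the BEGIN/END DH PARAMETERS delimiters).
DH_PARAMS_PEM = (
    "MEYCQQCEX5KAElkRWl0ihOmNbvwba+R9u3aXVwfBmk0f6oiu1RMIWgCaeKIoR6r2"
    "kM5dzXUBzJyJenlNrzfBrbp0PRI7AgEC"
)


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos).
    Handles short-form and long-form lengths (larger moduli use long form)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(pem_body):
    """Decode DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER }.
    Returns (p, g) as Python ints; raises ValueError on malformed input."""
    der = base64.b64decode(re.sub(r"\s+", "", pem_body))
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, pos = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02 or pos != len(seq):
        raise ValueError("expected exactly two INTEGERs")
    # DER INTEGERs are two's complement; the leading 0x00 keeps p positive.
    return (int.from_bytes(p_bytes, "big", signed=True),
            int.from_bytes(g_bytes, "big", signed=True))


def check_modulus(p, g, min_bits, max_bits):
    """Return (modulus_bits, ok): ok when the modulus size is within the
    range the configured cipher suites allow, p is odd and g >= 2.
    This is a structural sanity check, not a primality test."""
    bits = p.bit_length()
    return bits, (min_bits <= bits <= max_bits and p % 2 == 1 and g >= 2)


if __name__ == "__main__":
    p, g = parse_dh_params(DH_PARAMS_PEM)
    bits, ok = check_modulus(p, g, 512, 512)
    print(f"modulus {bits} bits, generator {g}, within limit: {ok}")
```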

Modulus Length

As the number of bits in the DH modulus is increased, it becomes more difficult for
attackers to guess the DH shared secret generated by the algorithm. However, this increase
also increases the amount of time it takes for the ZTP Network Security SSL Plug-In to
compute results using the DH key exchange algorithm.

Additionally, if export cipher suites are enabled, it is important to ensure that the modulus does not exceed export requirements. The original SSLv3 and TLSv1 cipher suites required the DH modulus of export cipher suites to be less than or equal to 512 bits to conform with United States export regulations at that time. Since then, export regulations have been relaxed to allow the export of 1024-bit public keys (and 56-bit symmetric keys);
