
Zilog EZ80F91AZA User Manual


ZTP Network Security SSL Plug-In User Manual (UM020107-1211), page 47

SSL Configuration

        /* ... tail of the CertChain initializer built in Step 4 ... */
        {NULLPTR, 0},
        {NULLPTR, 0} }
};

5. Lastly, to initialize the SSL server, use the certificate chain created in Step 4. For example, to use this certificate chain with the TLSv1 handshake protocol, make the following function call:

    TLS1_ServerInit( &CertChain, &DheParams );

Certificate Creation Issues

Consider the following points when creating your own certificates and private keys for use with the SSL layer:

The SSLv2 protocol always uses the RSA algorithm to exchange the Master Key during the establishment of a session. Therefore, X.509 certificates created for use with the SSLv2 protocol must contain an RSA public key, and the corresponding private key must be an RSA private key. Similarly, the constructed SSLv2 certificate chain must contain only one X.509 certificate. Note that SSLv2 itself has known protocol weaknesses and its use has been prohibited by RFC 6176; enable it only where a legacy peer leaves no alternative.

It is important to choose a key length that is appropriate for the sensitivity of the data being exchanged. The sample certificates in the Certificate directory of the SSLDemo folder use a 512-bit public key. The longer the key, the less likely an attacker is to recover it; however, as the key size increases, the SSL layer takes more time to complete the key exchange during the establishment of a session. Treat the 512-bit sample key as a demonstration only: a 512-bit RSA modulus can be factored with modest computing resources, so generate your own key of at least 2048 bits for anything beyond testing.

The SSL layer in ZTP requires the private key to be in clear text format. Be sure that the utility used to generate the private key does not encrypt the output. To prevent encryption of the private key, the -nodes option is used in the OpenSSL example discussed earlier in this chapter. If the private key is encrypted, the SSL layer will be unable to complete the key exchange and will not establish an SSL session.

The X.509 certificate and private key must be encoded in the same manner. The SSL layer in ZTP cannot process these parameters if one is DER_ENCODED_DATA and the other is BASE64_DER_ENCODED_DATA.

If the SSL server's private key and X.509 certificate are in the PEM format (BASE64_DER_ENCODED_DATA), they must be stored in RAM, because the algorithm which converts PEM-formatted data into DER-formatted data (DER_ENCODED_DATA) performs the conversion in place (i.e., Base64 decoding overwrites the encoded data), so the buffer holding them must be writable and cannot be left in flash.
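The following C program is an added example, not code from the ZTP SSL plug-in or from this manual. It shows the three checks the preceding points call for: rejecting an encrypted PEM private key (the -nodes point), confirming that certificate and key use the same encoding (DER versus Base64 PEM), and decoding PEM to DER in the same buffer the way the text describes, which is what forces PEM input into RAM. The enumerators reuse the manual's DER_ENCODED_DATA and BASE64_DER_ENCODED_DATA names, but the enum itself, every function name and the sample PEM text are constructed for this example and are not the plug-in's API.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical encoding tags; the two named values echo the manual's identifiers. */
typedef enum { ENC_UNKNOWN = 0, DER_ENCODED_DATA, BASE64_DER_ENCODED_DATA } enc_t;

/* DER objects the SSL layer consumes (certificates, RSA keys) are ASN.1
 * SEQUENCEs, so the first byte is the SEQUENCE tag 0x30; PEM text starts
 * with a "-----BEGIN" armour line. */
enc_t classify(const unsigned char *buf, size_t len)
{
    if (len >= 10 && memcmp(buf, "-----BEGIN", 10) == 0)
        return BASE64_DER_ENCODED_DATA;
    if (len >= 1 && buf[0] == 0x30)
        return DER_ENCODED_DATA;
    return ENC_UNKNOWN;
}

/* The certificate and the private key must share one known encoding. */
int encodings_match(const unsigned char *cert, size_t clen,
                    const unsigned char *key, size_t klen)
{
    enc_t c = classify(cert, clen), k = classify(key, klen);
    return c != ENC_UNKNOWN && c == k;
}

static int contains(const unsigned char *buf, size_t len, const char *s)
{
    size_t n = strlen(s);
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(buf + i, s, n) == 0) return 1;
    return 0;
}

/* A key OpenSSL writes without -nodes is either a PKCS#8
 * "-----BEGIN ENCRYPTED PRIVATE KEY-----" object or the traditional format
 * carrying a "Proc-Type: 4,ENCRYPTED" header line; both must be rejected. */
int pem_is_encrypted(const unsigned char *buf, size_t len)
{
    return contains(buf, len, "-----BEGIN ENCRYPTED PRIVATE KEY-----") ||
           contains(buf, len, "Proc-Type: 4,ENCRYPTED");
}

static int b64val(int c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode PEM to DER inside the same buffer. Each Base64 character read
 * advances the read index by one and yields at most one output byte, so the
 * write index never overtakes the read index and no second buffer is needed.
 * The price is that the buffer is overwritten, which is why PEM input has
 * to live in RAM rather than flash. Returns the DER length, or -1 if the
 * input is not an unencrypted PEM object. */
long pem_to_der_inplace(unsigned char *buf, size_t len)
{
    size_t r = 0, w = 0;
    unsigned int acc = 0;
    int nbits = 0;

    if (classify(buf, len) != BASE64_DER_ENCODED_DATA || pem_is_encrypted(buf, len))
        return -1;
    while (r < len && buf[r] != '\n') r++;          /* skip the BEGIN line */
    for (; r < len && buf[r] != '-'; r++) {          /* '-' opens the END line */
        int c = buf[r], v;
        if (c == '\r' || c == '\n' || c == '=') continue;
        if ((v = b64val(c)) < 0) return -1;
        acc = (acc << 6) | (unsigned int)v;
        nbits += 6;
        if (nbits >= 8) {
            nbits -= 8;
            buf[w++] = (unsigned char)((acc >> nbits) & 0xFF);
        }
    }
    if (len - r < 8 || memcmp(buf + r, "-----END", 8) != 0)
        return -1;
    return (long)w;
}

int main(void)
{
    /* Constructed sample: PEM armour around the 5-byte DER object
     * SEQUENCE { INTEGER 5 } (30 03 02 01 05), standing in for a certificate. */
    unsigned char pem[] =
        "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n";
    long n = pem_to_der_inplace(pem, sizeof(pem) - 1);
    printf("DER length %ld, first byte 0x%02x\n", n, pem[0]);
    return n == 5 ? 0 : 1;
}
```

Run the encoding and encryption checks on both parameters before the in-place decode; once the decode has run, the PEM text is gone and only the DER bytes remain in the buffer.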

Because private keys are stored in memory and must be transferred to the CPU over
the system data bus, some form of physical security is required to prevent an attacker
from analyzing the system memory or snooping the data bus and obtaining the private
key.
