Aes extensions – Zilog EZ80F91AZA User Manual

UM020107-1211

ZTP Network Security SSL Plug-In

User Manual

67

When SSLv3 was drafted, the U.S. export laws restricted the length of the encryption keys
to 40 bits, and public keys to 512 bits. Therefore, when cipher algorithms are used that
require longer key lengths, only 40 bits of the key are protected by the key exchange algo-
rithm. Similarly, the public key size used in export cipher suites must be restricted to 512
bits or less. The public keys used for signature verification are not restricted in export
cipher suites, but the key size of the (Ephemeral) Diffie-Hellman parameters must be 512
bits or less.

AES Extensions

The advanced encryption standard (AES) is being adopted because the U.S. government
prefers symmetric ciphers; it is intended to replace the older data encryption standard
(DES). Because the SSL specifications were drafted prior to the standardization of AES,
they do not define any AES-based cipher suites. RFC 3268 defines a set of cipher suites
compatible with the TLSv1 specification.

Table 11 shows the AES-based cipher suites defined in RFC 3268, and indicates which are
supported by the ZTP Network Security SSL Plug-In.

Table 11. SSLv2 Cipher Suites

Cipher Suite Mnemonic

Supported?

TLS_RSA_WITH_AES_128_CBC_SHA

Yes

TLS_DH_DSS_WITH_AES_128_CBC_SHA

Yes

TLS_DH_RSA_WITH_AES_128_CBC_SHA

Yes

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

Yes

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

Yes

TLS_DH_anon_WITH_AES_128_CBC_SHA

No

TLS_RSA_WITH_AES_256_CBC_SHA

Yes

TLS_DH_DSS_WITH_AES_256_CBC_SHA

Yes

TLS_DH_RSA_WITH_AES_256_CBC_SHA

Yes

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

Yes

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Yes

TLS_DH_anon_WITH_AES_256_CBC_SHA

No

Note: