beautypg.com

Zilog EZ80F91AZA User Manual

Page 75

background image

UM020107-1211

ZTP Network Security SSL Plug-In

User Manual

69

Appendix B. Advanced Topic: Creating
Private Cipher Suites

When the SSL specifications were originally drafted, they contained a default set of sup-
ported cipher suites. A cipher suite is a combination of PKI algorithm, symmetric cipher,
and digest algorithm used to secure data exchanged in an SSL session. The specifications
also permitted implementors to define their own cipher suites. This feature is useful only
in environments in which the implementor has control over the code used by both clients
and servers, because third party implementations are unlikely to recognize the implemen-
tor’s cipher suites. In addition, the implementor must ensure that the codes used to define
their cipher suites are unique in their environment. If an implementor defines a new cipher
suite code (for example,

0xFF

,

0x7C

), then this code must be understood by all SSL

devices in the environment (i.e., the same PKI, cipher, and digest algorithms), or else it
will not be possible to establish SSL sessions.

Users of the ZTP Network Security SSL Plug-In international distribution are only permit-
ted to define new cipher suites that are a combination of cryptographic algorithms which
are currently supported. If you are using the U.S. version, modify the source code to the
cryptographic library to add additional algorithms that can be used to define new cipher
suites.

This section provides a simple example to show how to add a new TLSv1 cipher suite.

RFC 3268 defines a number of standard cipher suites that can be added to the TLS proto-
col to support AES. Some of these cipher suites are already supported in this implementa-
tion. All of the cipher suites specified in RFC 3268 use the SHA1 digest algorithm. In this
example, a private AES-based cipher suite is defined for the ZTP Network Security SSL
Plug-In, which uses MD5.

Procedure

1. Examine the cipher suite codes defined in the

CipherSuite.h

header file, as shown

in the following code strings.

#define TLS_RSA_WITH_RC4_128_MD5 0x0400

#define TLS_RSA_WITH_RC4_128_SHA 0x0500

Notice that the last byte of these code strings is

0x00

. Private cipher suites must use a

value of

0xFF

in the cipher suite code. Therefore, the

0x11FF

value is used for the

new cipher suite.

For this cipher suite, it is appropriate to use the RSA, AES and MD5 algorithms;
therefore, a suitable mnemonic for the cipher suite is:

PRIVATE_RSA_WITH_AES_128_CBC_MD5

This manual is related to the following products:
See also other documents in the category Zilog Sensors: