Monday, March 1, 2010

TLS cipher suites

The TLS/SSL3.0 protocol uses cryptographic mechanisms to implement a secure connection. These cryptographic mechanisms are actually cipher suites that define each mechanism used.

The four main mechanisms are
- Key Establishment, the rules and protocols that generate, establish and handle keys.
- Confidentiality, the symmetric encryption used to provide confidentiality.
- Signature, digital signature algorithm used.
- Hash, hash algorithm used.

When doing assessment, people might ask whether the cipher suite is FIPS (Federal Information Processing Standards) compliant. Some web server comes with FIPS compliant cipher suites setting. But FIPS did not explicitly provide a list of approved cipher suites. It only define the approved encryption, digital signature and hashing algorithm.

NIST (National Institute of Standards and Technology) based on the FIPS approved algorithm, provides a guideline (under NIST Special Publication 800-52) that gave a list of recommended cipher suites for TLS implementation.

-TLS_DHE_DSS_WITH_AES_256_CBC_SHA
-TLS_DHE_RSA_WITH_AES_256_CBC_SHA
-TLS_RSA_WITH_AES_256_CBC_SHA
-TLS_DH_DSS_WITH_AES_256_CBC_SHA
-TLS_DH_RSA_WITH_AES_265_CBC_SHA
-TLS_DHE_DSS_WITH_AES_128_CBC_SHA
-TLS_DHE_RSA_WITH_AES_128_CBC_SHA
-TLS_RSA_WITH_AES_128_CBC_SHA
-TLS_DH_DSS_WITH_AES_128_CBC_SHA
-TLS_DH_RSA_WITH_AES_128_CBC_SHA
-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
-TLS_RSA_WITH_3DES_EDE_CBC_SHA
-TLS_DH_DSS_WITH_3DES_EDE_CBC_SHA
-TLS_DH_RSA_WITH_3DES_EDE_CBC_SHA


No comments: