Confidentiality
SSL uses private or secret key cryptography or symmetric cryptography to support message confidentiality or privacy. After an initial handshake (a negotiation process by message exchange), the client and server decide on a secret key and a cipher suite. Between the communicating parties, each message encryption and decryption using the secret key occurs based on the cipher suite.
Private key cryptography requires the two communicating parties to use the same key for encryption and decryption. Both parties must have the key and keep the key private. Well known secret key cryptographic algorithms include the Data Encryption Standard (DES), triple-strength DES (3DES), and Rivest Cipher 4 (RC4), which are all supported in WebSphere Application Server. These algorithms provide excellent security and quick encryption.
A cryptographic algorithm is a cipher, while a set of ciphers is a cipher suite. A cipher suite is a combination of cryptographic parameters that define the security algorithms and the key sizes used for authentication, key agreement, encryption strength and integrity protection.
The following cipher suites are supported in WebSphere Application Server:
- SSL_RSA_WITH_RC4_128_SHA
- SSL_RSA_WITH_RC4_128_MD5
- SSL_RSA_WITH_DES_CBC_SHA
- SSL_RSA_WITH_3DES_EDE_CBC_SHA
- SSL_DHE_DSS_WITH_DES_CBC_SHA
- SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA
- SSL_RSA_EXPORT_WITH_RC4_40_MD5
- SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
- SSL_RSA_WITH_NULL_MD5
- SSL_RSA_WITH_NULL_SHA
- SSL_DH_anon_WITH_RC4_128_MD5
- SSL_DH_anon_WITH_DES_CBC_SHA
- SSL_DH_anon_WITH_3DES_EDE_CBC_SHA
- SSL_DH_anon_EXPORT_WITH_RC4_40_MD5
- SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA
All of the previously mentioned cipher suites provide data integrity protection by using hash algorithms like MD5 and SHA-1 . The cipher suite names ending with _SHA indicate that the SHA-1 algorithm is used. SHA-1 is considered a stronger hash, while MD5 provides better performance.
The SSL_DH_anon_xxx cipher suites (for example, those that begin with SSL_DH_anon_ , where, anon is anonymous) are not enabled on the product client side. Since the Java Secure Socket Extension (JSSE) client trust manager does not allow anonymous connections, the JSSE client must always establish trust in the server. However, the SSL_DH_anon_xxx cipher suites are enabled on the server side to support another type of client connection. That client might not require trust in the server. These cipher suites are vulnerable to man-in-the-middle attacks and are strongly discouraged.
Where:
Name Description SSL SSL RSA Public key algorithm developed by Rivest, Shamir and Adleman. Requires RSA or DSS key exchange DH Diffie-Hellman public key algorithm. Server certificate contains the Diffie-Hellman parameters signed by the certificate authority (CA) DHE Ephemeral Diffie-Hellman public key algorithm. Diffie-Hellman parameters are signed by a DSS or RSA certificate, which is signed by the certificate authority (CA) DSS Digital Signature Standard, using the Digital Signature Algorithm for digital signatures DES Data Encryption Standard, an symmetric encryption algorithm. Block cipher. Performance cost is high when using software without the support of a hardware cryptographic device 3DES Triple DES, increasing the security of DES by encrypting three times with different keys Strongest of the ciphers. Performance cost is very high when using software without the support of a hardware cryptographic device support RC4 A stream cipher designed for RSA. Variable key-size stream cipher with key length from 40 bits to 128 bits EDE Encrypt-decrypt-encrypt for the triple DES algorithm CBC Cipher block chaining. A mode in which every plain text block encrypted with the block cipher is first exclusive-ORed with the previous ciphertext block 128 128-bit key size 40 40-bit key size EXPORT Exportable MD5 Secure hashing function that converts an arbitrarily long data stream into a digest of fixed size. Produces 128-bit hash SHA Secure Hash Algorithm, same as SHA-1. Produces 160-bit hash anon For anonymous connections NULL No encryption WITH The cryptographic algorithm is defined after this key word
Refer to the Transport Layer Security (TLS) specification.
WebSphere is a trademark of the IBM Corporation in the United States, other countries, or both.
IBM is a trademark of the IBM Corporation in the United States, other countries, or both.