Resetting SSL secret keys

 

During an SSL handshake, a secret key is generated to encrypt data between the SSL client and SSL server. The secret key is used in a mathematical formula that is applied to the data to transform plaintext into unreadable ciphertext, and ciphertext into plaintext.

The secret key is generated from the random text sent as part of the handshake and is used to encrypt plaintext into ciphertext. The secret key is also used in the MAC (Message Authentication Code) algorithm, which is used to determine whether a message has been altered. See Message digests for more information.

If the secret key is discovered, the plaintext of a message could be deciphered from the ciphertext, or the message digest could be calculated, allowing messages to be altered without detection. Even for a complex algorithm, the plaintext can eventually be discovered by applying every possible mathematical transformation to the ciphertext. To minimize the amount of data that can be deciphered or altered if the secret key is broken, the secret key can be renegotiated periodically.

Once the secret key has been renegotiated, the previous secret key can no longer be used to decrypt data encrypted with the new secret key. The commands ALTER QMGR SSLRKEYC and DISPLAY QMGR SSLRKEYC are used to set the values used during key renegotiation. On iSeries™ and Java™, we can use the CHGMQM SSLRSTCNT and DSPMQM commands. For more information on these commands, see the WebSphere MQ Script (MQSC) Command Reference.
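The following audit check is an added example, not part of the original documentation or of IBM's code. It reads the output of DISPLAY QMGR SSLRKEYC for several queue managers and flags any where renegotiation is off or too infrequent. It relies on SSLRKEYC being a byte count where 0 means the secret key is never renegotiated. The sample output is constructed, and the MAX_RESET_BYTES ceiling is an assumed local policy value.

```python
import re

# Assumption for this example: a local policy ceiling, not an IBM-recommended value.
MAX_RESET_BYTES = 100 * 1024 * 1024

# Constructed sample in the style of runmqsc output; not captured from a real system.
SAMPLE_OUTPUT = """\
AMQ8408: Display Queue Manager details.
   QMNAME(QM.PAYMENTS)                     SSLRKEYC(0)
AMQ8408: Display Queue Manager details.
   QMNAME(QM.ORDERS)                       SSLRKEYC(1048576)
AMQ8408: Display Queue Manager details.
   QMNAME(QM.ARCHIVE)                      SSLRKEYC(999999999)
AMQ8408: Display Queue Manager details.
   QMNAME(QM.LEGACY)
"""

ATTRIBUTE = re.compile(r"(\w+)\(([^)]*)\)")  # MQSC prints attributes as NAME(value)


def parse_qmgrs(text):
    """Group NAME(value) pairs into one dict per queue manager, keyed on QMNAME."""
    records = []
    for name, value in ATTRIBUTE.findall(text):
        if name == "QMNAME":
            records.append({"QMNAME": value})
        elif records:
            records[-1][name] = value
    return records


def audit(records, max_bytes=MAX_RESET_BYTES):
    """Return (queue manager, status, detail) for each record."""
    fix = f"ALTER QMGR SSLRKEYC({max_bytes})"
    findings = []
    for rec in records:
        raw = rec.get("SSLRKEYC", "")
        if not raw.isdigit():
            result = ("UNKNOWN", "SSLRKEYC not reported; rerun DISPLAY QMGR SSLRKEYC")
        elif int(raw) == 0:
            result = ("FAIL", f"secret key is never renegotiated; consider {fix}")
        elif int(raw) > max_bytes:
            result = ("WARN", f"{raw} bytes per key exceeds ceiling; consider {fix}")
        else:
            result = ("OK", f"key renegotiated every {raw} bytes")
        findings.append((rec["QMNAME"], *result))
    return findings


if __name__ == "__main__":
    for qm, status, detail in audit(parse_qmgrs(SAMPLE_OUTPUT)):
        print(f"{status:7} {qm:12} {detail}")
```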

 
