Secure Sockets Layer (SSL) uses symmetric cryptography, also called private key or secret key cryptography, to support message confidentiality or privacy. After an initial handshake (a negotiation process by message exchange), the client and server decide on a secret key and a cipher suite. Each message that passes between the communicating parties is then encrypted and decrypted with the secret key, according to the cipher suite.
Private key cryptography requires the two communicating parties to use the same key for encryption and decryption. Both parties must have the key and keep the key private. Well-known secret key cryptographic algorithms include the Data Encryption Standard (DES), triple-strength DES (3DES), and Rivest Cipher 4 (RC4), which are all supported in WebSphere Application Server. These algorithms provide excellent security and quick encryption.
A cryptographic algorithm is a cipher, while a set of ciphers is a cipher suite. A cipher suite is a combination of cryptographic parameters that define the security algorithms and the key sizes that are used for authentication, key agreement, encryption strength, and integrity protection.
Important: Although anonymous cipher suites are enabled, the IBM version of the Java Secure Socket Extension (JSSE) client trust manager does not support anonymous cipher suites. The default implementation can be overridden by providing your own trust manager that does support anonymous cipher suites.
All of the previously mentioned cipher suites provide data integrity protection by using hash algorithms like MD5 and SHA-1. Cipher suite names that end with _SHA indicate that the SHA-1 algorithm is used. SHA-1 is considered a stronger hash, while MD5 provides better performance.
The SSL_DH_anon_xxx cipher suites (those cipher suites that begin with SSL_DH_anon_, where anon is anonymous) are not enabled on the product client side. Because the Java Secure Socket Extension (JSSE) client trust manager does not support anonymous connections, the JSSE client must always establish trust in the server. However, the SSL_DH_anon_xxx cipher suites are enabled on the server side to support another type of client connection. That client might not require trust in the server. These cipher suites are vulnerable to man-in-the-middle attacks and are strongly discouraged. In a man-in-the-middle attack, an attacker can intercept and potentially modify communications between two parties without either party being aware of the attack.
The elements of a cipher suite name are defined as follows:
Name | Description |
---|---|
SSL | Secure Sockets Layer |
RSA | |
DH | |
DHE | |
DSS | Digital Signature Standard, using the digital signature algorithm for digital signatures |
DES | |
3DES | |
RC4 | |
EDE | Encrypt-decrypt-encrypt for the triple DES algorithm |
CBC | |
128 | 128-bit key size |
40 | 40-bit key size |
EXPORT | Exportable |
MD5 | |
SHA | |
anon | For anonymous connections |
NULL | No encryption |
WITH | The cryptographic algorithm is defined after this key word |
Refer to the Transport Layer Security (TLS) specification at http://www.ietf.org/rfc/rfc2246.txt for further information.
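The naming table above can be applied mechanically when reviewing which cipher suites a server has enabled. The following is an added example, not code from the product or its documentation: it splits an SSL_*_WITH_* name into its fields and flags the anon, NULL, EXPORT and 40 tokens. The function names and the sample list are assumptions made for illustration.

```python
# Added example: decode SSL_* cipher suite names with the naming table above.
# Tokens the table describes as anonymous, unencrypted, exportable or 40-bit.
FLAGGED = {
    "anon": "anonymous key exchange, server is not authenticated",
    "NULL": "no encryption",
    "EXPORT": "exportable suite",
    "40": "40-bit key size",
}

# Constructed sample list of JSSE-style names, not taken from a real server.
SAMPLE_SUITES = [
    "SSL_RSA_WITH_RC4_128_MD5",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_DH_anon_WITH_RC4_128_MD5",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
    "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_RSA_WITH_NULL_SHA",
]

def parse_suite(name):
    """Split SSL_<key exchange>_WITH_<cipher>_<hash> into its fields."""
    left, sep, right = name.partition("_WITH_")
    head, tail = left.split("_"), right.split("_")
    if not sep or head[0] != "SSL" or len(head) < 2 or len(tail) < 2:
        raise ValueError(f"unrecognized cipher suite name: {name!r}")
    return {"protocol": head[0], "key_exchange": head[1:],
            "cipher": tail[:-1], "hash": tail[-1]}

def findings(name):
    """Return the reasons a suite is flagged, in the order its tokens appear."""
    fields = parse_suite(name)
    reasons = []
    for token in fields["key_exchange"] + fields["cipher"]:
        key = "40" if token.endswith("40") else token  # DES40 carries the 40-bit size
        if key in FLAGGED:
            reasons.append(FLAGGED[key])
    return reasons

def audit(names):
    """Map each name to its findings; unparseable names are reported, not skipped."""
    report = {}
    for name in names:
        try:
            report[name] = findings(name)
        except ValueError as exc:
            report[name] = [str(exc)]
    return report

if __name__ == "__main__":
    for suite, reasons in audit(SAMPLE_SUITES).items():
        print(f"{suite}: {'; '.join(reasons) or 'no flagged tokens'}")
```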