Zilog EZ80F91AZA User Manual
Page 75
UM020107-1211
ZTP Network Security SSL Plug-In
User Manual
69
Appendix B. Advanced Topic: Creating
Private Cipher Suites
When the SSL specifications were originally drafted, they contained a default set of sup-
ported cipher suites. A cipher suite is a combination of PKI algorithm, symmetric cipher,
and digest algorithm used to secure data exchanged in an SSL session. The specifications
also permitted implementors to define their own cipher suites. This feature is useful only
in environments in which the implementor has control over the code used by both clients
and servers, because third party implementations are unlikely to recognize the implemen-
tor’s cipher suites. In addition, the implementor must ensure that the codes used to define
their cipher suites are unique in their environment. If an implementor defines a new cipher
suite code (for example,
0xFF
,
0x7C
), then this code must be understood by all SSL
devices in the environment (i.e., the same PKI, cipher, and digest algorithms), or else it
will not be possible to establish SSL sessions.
Users of the ZTP Network Security SSL Plug-In international distribution are only permit-
ted to define new cipher suites that are a combination of cryptographic algorithms which
are currently supported. If you are using the U.S. version, modify the source code to the
cryptographic library to add additional algorithms that can be used to define new cipher
suites.
This section provides a simple example to show how to add a new TLSv1 cipher suite.
RFC 3268 defines a number of standard cipher suites that can be added to the TLS proto-
col to support AES. Some of these cipher suites are already supported in this implementa-
tion. All of the cipher suites specified in RFC 3268 use the SHA1 digest algorithm. In this
example, a private AES-based cipher suite is defined for the ZTP Network Security SSL
Plug-In, which uses MD5.
Procedure
1. Examine the cipher suite codes defined in the
CipherSuite.h
header file, as shown
in the following code strings.
#define TLS_RSA_WITH_RC4_128_MD5 0x0400
#define TLS_RSA_WITH_RC4_128_SHA 0x0500
Notice that the last byte of these code strings is
0x00
. Private cipher suites must use a
value of
0xFF
in the cipher suite code. Therefore, the
0x11FF
value is used for the
new cipher suite.
For this cipher suite, it is appropriate to use the RSA, AES and MD5 algorithms;
therefore, a suitable mnemonic for the cipher suite is:
PRIVATE_RSA_WITH_AES_128_CBC_MD5