KB28070 - Is PCS capable of using Forward Secrecy for SSL/TLS connections?

Information

 
Last Modified Date: 8/18/2016 11:10 PM
Synopsis
This article describes how to enable forward secrecy cipher suites on the Pulse Connect Secure (PCS) device.
Problem or Goal
In a classic SSL/TLS handshake, a pre-master secret is transmitted and used to generate the session key, which in turn encrypts the session data. If the server's private key is available, the handshake can be decrypted and the session key derived from the pre-master secret, allowing the session data to be decrypted.

Forward secrecy uses ephemeral Diffie-Hellman for key generation, which does not transmit a pre-master secret in the handshake, so decrypting the stream is extremely difficult even if the server's private key is compromised.

Cause
Solution

For devices running 8.2 and later

PCS 8.2 introduced the granular cipher suites feature, which allows the administrator to select specific cipher suites and adjust the cipher suite order. As part of this feature, the Perfect Forward Secrecy option was added to provide a simple configuration that supports only PFS cipher suites.

 

For devices running 7.4 through 8.1


ECDHE ciphers are available in the supported cipher list. The client presents a list of supported ciphers in the SSL/TLS handshake, and PCS picks the cipher from the client's list that is highest in the PCS ordered list.
 

ECDHE Ciphers supported by PCS are:

With Elliptic-Curve Cryptography (ECC) certificates:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_RC4_128_SHA


With RSA Certificates:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

See Chapter 45, FIPS Level 1 Support (Software FIPS), in the PCS 7.4 or later Admin Guide for more information on the ciphers and their ordering on the SA.

Note: ECC certificates are currently supported only on MAG and Virtual Appliance platforms; they are not usable on SAx500 devices. See Chapter 32, Elliptic Curve Cryptography, in the 7.4 or later Admin Guide for more details on these certificates and setting custom cipher options.
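
The selection rule described for releases 7.4 to 8.1, as an added example that is not part of the original article or any Pulse Secure code: the server walks its own ordered list and takes the first suite the client also offered, so a client that offers no ECDHE suite gets a session without forward secrecy. The preference order (the RSA list as printed here), the single static-RSA suite standing in for the non-PFS ciphers, and the client offers are all assumptions.

```python
# ECDHE suites the article lists for RSA certificates, in the order printed.
PCS_ECDHE_RSA = [
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]
# Assumption: one static-RSA suite stands in for the non-PFS part of the list.
PCS_ORDER = PCS_ECDHE_RSA + ["TLS_RSA_WITH_AES_128_CBC_SHA"]


def key_exchange(suite):
    """Return the key-exchange token of an IANA suite name (text before _WITH_)."""
    prefix, sep, _ = suite.partition("_WITH_")
    if not sep or not prefix.startswith("TLS_"):
        raise ValueError(f"not a TLS_<kx>_WITH_<cipher> suite name: {suite}")
    return prefix[len("TLS_"):].split("_")[0]


def has_forward_secrecy(suite):
    """Only ephemeral key exchange (ECDHE/DHE) gives forward secrecy."""
    return key_exchange(suite) in ("ECDHE", "DHE")


def negotiate(server_order, client_offer):
    """Pick the client-offered suite that is highest in the server's order."""
    offered = set(client_offer)
    for suite in server_order:
        if suite in offered:
            return suite
    return None  # no shared suite: the handshake fails


def audit(server_order, client_offer):
    """Return (negotiated suite, forward secrecy?) for one client offer."""
    suite = negotiate(server_order, client_offer)
    return suite, (suite is not None and has_forward_secrecy(suite))


if __name__ == "__main__":
    static = "TLS_RSA_WITH_AES_128_CBC_SHA"           # constructed client offers
    gcm = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    print(audit(PCS_ORDER, [static]))        # client without ECDHE
    print(audit(PCS_ORDER, [static, gcm]))   # client offering ECDHE
    print(audit(PCS_ECDHE_RSA, [static]))    # PFS-only list: no shared suite
```

With a PFS-only server list, which is how the 8.2 option is modeled here, the client without ECDHE fails to negotiate instead of falling back to a static-RSA session.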


 
Created By: Data Deployment