Guidelines on Securing Public Web Servers


9.   The server sends a message to the client informing it that future messages from the 


server will be encrypted with the session key.  It then sends a separate (encrypted) 


message indicating that the server portion of the handshake is finished.  


10.   The SSL/TLS handshake is now complete, and the SSL/TLS session has begun.  The 


client and the server use the session keys to encrypt and decrypt the data they send to 


each other and to validate its integrity.  


7.5.4  SSL/TLS Encryption Schemes 


The SSL/TLS protocols support the use of a variety of different cryptographic algorithms for 


operations such as authenticating the Web server and Web client to each other, transmitting 


certificates, and establishing session keys.  Web clients and Web servers may support different 


cipher suites, or sets of ciphers; depending on factors such as the version of SSL/TLS they 


support, organizational policies regarding acceptable encryption strength; and government 


restrictions on export, import, and use of SSL/TLS enabled software.  Among its other 


functions, the SSL/TLS handshake protocols determine how the Web server and Web client 


negotiate which cipher suites they will use to authenticate each other, to transmit certificates, 


and to establish session keys.  Table 7.1 provides a list of Federal cipher suites, their 


recommended usage, and their relative strength [SSL98 and Cho02].   


Table 7.1: SSL/TLS Encryption Schemes with Diffie Hellman or RSA Key Exchange 


Recommended Use 


Cipher Suites 


Highest Security: 


Encryption: Advanced Encryption Standard (AES) 


256 bit encryption 


Authentication & Digest: Digital Signature Standard 


(DSS) or RSA with 2048 bit keys, and Secure Hash 


Algorithim 1 (SHA 1)


Security and Performance: 


Encryption: AES 128 bit encryption 


Authentication & Digest: DSS or RSA with 1024 bit 


keys, and SHA 1 


Security and Compatibility: 


Encryption: AES 128 bit encryption with fallback to 


Triple Data Encryption Standard (3DES) 168/112 


bit encryption (note: 3DES is considerably slower 


than AES) 


Authentication & Digest: DSS or RSA with 1024 bit 


keys, and SHA 1


Authentication and Tamper Detection 


Authentication & Digest: DSS or RSA with 1024 bit 


keys and SHA 1 


Choosing an appropriate encryption algorithm depends on several factors that will vary with 


organization.  Although at first glance it might appear that the strongest encryption available 


should always be used, that is not always true.  The higher the level of the encryption, the 


greater impact it will have on the Web server's resources and communications speed.


28


  


Furthermore, a number of countries still maintain restrictions on the export, import, and/or use 


                                                   


28


 AES 128 is the exception to this rule, since it provides higher performance and security than Triple DES. 


57






  

    

      

    
    
Home

    
    About
    
    Services
    
    Network
    
    Support
    
    FAQ
    
    Order
    
    Contact
    

    

     
    Web Hosting SSH



    

    

    

      Our partners:Jsp 
      Web Hosting
      Unlimited Web Hosting 
      Cheapest Web Hosting  Java 
      Web Hosting
      Web Templates
      Best Web Templates PHP Mysql Web Hosting
      
      Interland Web Hosting
      Cheap Web Hosting 
      PHP Web Hosting
      Tomcat Web Hosting
      Quality Web Hosting
      Best Web Hosting  Mac 
      Web Hosting  
      

      Lunarwebhost.net  Business web hosting 
      division of Vision Web Hosting Inc. All rights reserved