

Agent to Manager Communication Security

Distributed Intelligence Architecture (DIA) allows for high-speed, secure communications to transport data while providing remote node management and inherent failover capabilities. All outbound communications from all DIA components use secure sockets. The SSL protocol provides connection security that has three basic properties:

The cipher suite, which declares the algorithms used for each of these areas, is fully configurable to use any of the combinations available through OpenSSL. In general, we use the strongest ciphers that also provide acceptable performance. The default cipher suites, as delivered, are as follows:

Protocol: SSLv3 or TLSv1

Key exchange: RSA

Authorization: RSA using a 1024-bit key

Encryption: AES with a 256-bit key

MAC algorithm: SHA1

If configured to run anonymously (peers are not authenticated), the defaults are as follows:

Protocol: SSLv3 or TLSv1

Key exchange: ADH

Authorization: NONE

Encryption: AES with a 256-bit key

MAC algorithm: SHA1
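
The following is an added example, not code from the product or its documentation: a small audit that parses cipher descriptions in the format printed by `openssl ciphers -v` and reports what each of the two default sets above implies for peer authentication, key size and protocol. The suite names AES256-SHA and ADH-AES256-SHA are an assumed mapping of the page's defaults to OpenSSL names, and the sample lines are constructed.

```python
import re

# Constructed sample in the format printed by `openssl ciphers -v`.
# Mapping the page's two default sets to these suite names is an assumption.
SAMPLE = """\
AES256-SHA      SSLv3 Kx=RSA  Au=RSA  Enc=AES(256)  Mac=SHA1
ADH-AES256-SHA  SSLv3 Kx=DH   Au=None Enc=AES(256)  Mac=SHA1
"""

LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<since>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)"
    r"\s+Enc=(?P<enc>[^\s(]+)(?:\((?P<bits>\d+)\))?\s+Mac=(?P<mac>\S+)"
)

def parse_suites(text):
    """Return one dict per cipher line; reject lines that do not parse."""
    suites = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE.match(line.strip())
        if m is None:
            raise ValueError(f"unrecognised cipher line: {line!r}")
        s = m.groupdict()
        s["bits"] = int(s["bits"]) if s["bits"] else 0  # Enc=None has no size
        suites.append(s)
    return suites

def audit(suite, protocols, rsa_key_bits):
    """List findings for one suite given the enabled protocols and RSA key size."""
    findings = []
    if suite["au"].lower() == "none":
        findings.append("no peer authentication (anonymous key exchange)")
    elif suite["au"] == "RSA" and rsa_key_bits < 2048:
        findings.append(f"RSA authentication key is {rsa_key_bits} bits (< 2048)")
    if suite["enc"].lower() == "none" or suite["bits"] < 128:
        findings.append("no or weak bulk encryption")
    if "SSLv3" in protocols:
        findings.append("SSLv3 permitted (deprecated by RFC 7568)")
    return findings

def report(text, protocols=("SSLv3", "TLSv1"), rsa_key_bits=1024):
    """Audit every suite in text; defaults mirror the values listed on this page."""
    return {s["name"]: audit(s, protocols, rsa_key_bits) for s in parse_suites(text)}

if __name__ == "__main__":
    for name, findings in report(SAMPLE).items():
        print(name, findings)
```

Feed it the output of `openssl ciphers -v` for the cipher string actually configured, together with the enabled protocols and the real certificate key size, to review a deployment rather than the constructed sample.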