author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-12-07 17:25:22 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2001-12-07 17:25:22 +0000 |
commit | 97440a90dce74c5e8b7a9cc181fe48caa9c94160 (patch) | |
tree | 5a27f3f5ff91014f2d0a6c6627e16d3cb4060acf | |
parent | aee1b46bd5b195396458f66584d49e8344c2f5eb (diff) | |
download | gnutls-97440a90dce74c5e8b7a9cc181fe48caa9c94160.tar.gz |
added missing files
-rw-r--r-- | doc/tex/auth.tex | 83 |
-rw-r--r-- | doc/tex/ciphers.tex | 59 |
2 files changed, 142 insertions, 0 deletions
diff --git a/doc/tex/auth.tex b/doc/tex/auth.tex new file mode 100644 index 0000000000..16dcb02da6 --- /dev/null +++ b/doc/tex/auth.tex 
@@ -0,0 +1,83 @@ +\section{Authentication methods} +\par +The following authentication schemas are supported in \gnutls: +\begin{enumerate} + \item X509 Public Key Infrastructure + \item Anonymous authentication + \item SRP authentication +\end{enumerate} + +\subsection{Authentication using X.509 certificates} +If using this kind of authentication then the key exchange methods +shown in \hyperref{figure}{figure }{}{fig:x509} are +available to use. Authentication in this method is performed using signed +certificates by a trusted Certificate Authority (CA). Note that \gnutls is +not a generic purpose X.509 toolkit\footnote{Aegypten is such a toolkit.}. +It does only include the required, +in order to use the TLS ciphersuites which require X.509 certificates. + +\begin{figure}[hbtp] +\begin{tabular}{|l|p{9cm}|} +\hline +RSA & The RSA algorithm is used to encrypt a key and send it to the peer. +The certificate must allow the key to be used for encryption. +\\ +\hline +DHE\_RSA & The RSA algorithm is used to sign Ephemeral Diffie Hellman +parameters which are send to the peer. The key in the certificate must allow +the key to be used for signing +\\ +\hline +DHE\_DSS & The DSS\footnote{DSS stands for Digital Signature Standard} algorithm is used to sign Ephemeral Diffie Hellman +parameters which are send to the peer. Currently \gnutls does not support this ciphersuite. +\\ +\hline +\end{tabular} + +\caption{Supported X.509 key exchange algorithms} +\label{fig:x509} + +\end{figure} + +\subsection{Anonymous authentication} +The anonymous key exchanges perform encryption but there is no indication of the +identity of the peer. This kind of authentication is vulnerable to man in the middle attack, +but this protocol can be used even if there is no prior communication or common trusted +parties with the peer. Unless really required, do not use anonymous authentication. +Available key exchange methods are shown in \hyperref{figure}{figure }{}{fig:anon}. 
+ +\begin{figure}[hbtp] +\begin{tabular}{|l|p{9cm}|} + +\hline +ANON\_DH & This algorithm exchanges Diffie Hellman parameters. +\\ +\hline +\end{tabular} + +\caption{Supported anonymous key exchange algorithms} +\label{fig:anon} + +\end{figure} + +\subsection{Authentication using SRP} +Authentication using the SRP\footnote{SRP stands for Secure Password Protocol and +is described in RFC2945. The SRP key exchange is not a part of the TLS 1.0 protocol} +is actually password authentication, since the two peers are identified by the knowledge +of a password. This protocol also offers protection against off-line attacks (password file stealing +etc.). Use SRP authentication if password based authentication is required. +Available key exchange methods are shown in \hyperref{figure}{figure }{}{fig:srp}. + +\begin{figure}[hbtp] +\begin{tabular}{|l|p{9cm}|} + +\hline +SRP & Authentication using the SRP protocol. +\\ +\hline +\end{tabular} + +\caption{Supported SRP key exchange algorithms} +\label{fig:srp} + +\end{figure} diff --git a/doc/tex/ciphers.tex b/doc/tex/ciphers.tex new file mode 100644 index 0000000000..a7a2945555 --- /dev/null +++ b/doc/tex/ciphers.tex 
@@ -0,0 +1,59 @@ +\section{Symmetric encryption algorithms} +\par +Confidentiality is provided by using block encryption algorithms like {\bf 3DES}, +{\bf AES\footnote{AES or Advanced Encryption Standard is actually the RIJNDAEL algorithm. This is the +algorithm that will replace DES.}}, or +stream algorithms like {\bf ARCFOUR\footnote{ARCFOUR is a compatible +algorithm with RSA's RC4 algorithm.}} See \hyperref{fig:ciphers}{figure }{}{fig:ciphers} for a complete list. +Ciphers are encryption algorithms that use a single (secret) key +to encrypt and decrypt data. Block algorithms in TLS also provide protection +against statistical analysis of the data. \gnutls makes use of this property +thus, if you're operating in TLS 1.0 mode, a random number of blocks will be +appended to the data. This will prevent eavesdroppers from guessing the +actual data size. + +\begin{figure}[hbtp] +\begin{tabular}{|l|p{9cm}|} + +\hline +3DES\_CBC & 3DES\_CBC is the DES block cipher algorithm used with multiple (triple) +encryption (EDE). Has 64 bits block size and is used in CBC mode. +\\ +\hline +ARCFOUR & ARCFOUR\footnote{A compatible cipher with RC4 of RSADSI} is a +fast stream cipher. +\\ +\hline +AES\_CBC & AES or RIJNDAEL is the block cipher algorithm that replaces the old +(and insecure\footnote{due to small key length}) DES algorithm. Has +128 bits block size and is used in CBC mode. +\\ +\hline +TWOFISH\_CBC & TWOFISH is a block cipher algorithm by Counterpane. Has +128 bits block size and is used in CBC mode. +\\ +\hline +\end{tabular} +\caption{Supported cipher algorithms} +\label{fig:ciphers} +\end{figure} + + + +\addvspace{1.5cm} + +\begin{figure}[hbtp] +\begin{tabular}{|l|p{9cm}|} + +\hline +MAC\_MD5 & MD5 is a hash algorithm by Ron Rivest. Outputs 128 bits of data. +\\ +\hline +MAC\_SHA & SHA is a hash algorithm by NSA. Outputs 160 bits of data. +\\ +\hline +\end{tabular} +\caption{Supported MAC algorithms} +\label{fig:mac} +\end{figure} + |
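Review bot: In doc/tex/auth.tex, the SRP footnote expands the acronym as "Secure Password Protocol", but the RFC2945 it cites defines SRP as Secure Remote Password, so the footnote should read "SRP stands for Secure Remote Password". In the same file, the DHE\_DSS row sits in a figure captioned "Supported X.509 key exchange algorithms" while its own text says "Currently \gnutls does not support this ciphersuite"; either drop the row until the ciphersuite lands or change the caption so readers do not take it as available. Smaller wording points: "authentication schemas" should be "authentication schemes", "parameters which are send to the peer" should be "sent" in both the DHE\_RSA and DHE\_DSS rows, the DHE\_RSA row is missing its final period, and "It does only include the required" does not say what is included (presumably the X.509 functionality needed by the TLS ciphersuites). The figure references here use \hyperref{figure}{figure }{}{fig:x509} while ciphers.tex uses \hyperref{fig:ciphers}{figure }{}{fig:ciphers}; pick one form of the first argument for both files.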
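Review bot: In doc/tex/ciphers.tex, the opening paragraph overstates what padding gives the user: "This will prevent eavesdroppers from guessing the actual data size" reads as a guarantee, but TLS 1.0 padding is bounded (at most 255 bytes per record), so it only blurs the length of each record and does nothing for stream ciphers such as ARCFOUR. Suggest wording along the lines of "This makes it harder for eavesdroppers to guess the actual data size" and stating that it applies to the CBC block ciphers only. The preceding sentence, "Block algorithms in TLS also provide protection against statistical analysis of the data", should say that this protection comes from the padding, since that is the property the next sentence relies on. The fig:mac table is added with a label but no prose introduces or references it, and the section title covers only symmetric encryption; add a sentence that introduces the MAC algorithms and says that MD5 and SHA are used here as message authentication codes, not as bare hashes. There is also a missing period between the ARCFOUR footnote and "See" in the first paragraph.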