blob: a5e63c23d7ee7e8f4c76b3995cb5b1045d1d3e85 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
|
\section{Authentication methods}
\par
The following authentication schemas are supported in \gnutls:
\begin{enumerate}
\item X509 Public Key Infrastructure
\item Anonymous authentication
\item SRP authentication
\end{enumerate}
\subsection{Authentication using X.509 certificates}
If using this kind of authentication then the key exchange methods
shown in \hyperref{figure}{figure }{}{fig:x509} are
available to use. Authentication in this method is performed using signed
certificates by a trusted Certificate Authority (CA). Note that \gnutls is
not a generic purpose X.509 toolkit\footnote{Aegypten is such a toolkit. See http://www.gnupg.org/aegypten/}.
It does only include the required,
in order to use the TLS ciphersuites which require X.509 certificates.
\begin{figure}[hbtp]
\begin{tabular}{|l|p{9cm}|}
\hline
X509PKI\_RSA & The RSA algorithm is used to encrypt a key and send it to the peer.
The certificate must allow the key to be used for encryption.
\\
\hline
X509PKI\_DHE\_RSA & The RSA algorithm is used to sign Ephemeral Diffie Hellman
parameters which are send to the peer. The key in the certificate must allow
the key to be used for signing
\\
\hline
X509PKI\_DHE\_DSS & The DSS\footnote{DSS stands for Digital Signature Standard} algorithm is used to sign Ephemeral Diffie Hellman
parameters which are send to the peer. Currently \gnutls does not support this ciphersuite.
\\
\hline
\end{tabular}
\caption{Supported X.509 key exchange algorithms}
\label{fig:x509}
\end{figure}
\subsection{Anonymous authentication}
The anonymous key exchanges perform encryption but there is no indication of the
identity of the peer. This kind of authentication is vulnerable to man in the middle attack,
but this protocol can be used even if there is no prior communication or common trusted
parties with the peer. Unless really required, do not use anonymous authentication.
Available key exchange methods are shown in \hyperref{figure}{figure }{}{fig:anon}.
\begin{figure}[hbtp]
\begin{tabular}{|l|p{9cm}|}
\hline
ANON\_DH & This algorithm exchanges Diffie Hellman parameters.
\\
\hline
\end{tabular}
\caption{Supported anonymous key exchange algorithms}
\label{fig:anon}
\end{figure}
\subsection{Authentication using SRP}
Authentication using the SRP\footnote{SRP stands for Secure Password Protocol and
is described in RFC2945. The SRP key exchange is not a part of the \tlsI protocol}
can be described as password authentication, since the two peers are identified by the knowledge
of a password. This protocol also offers protection against off-line attacks (password file stealing
etc.).
Available key exchange methods are shown in \hyperref{figure}{figure }{}{fig:srp}.
\begin{figure}[hbtp]
\begin{tabular}{|l|p{9cm}|}
\hline
SRP & Authentication using the SRP protocol.
\\
\hline
\end{tabular}
\caption{Supported SRP key exchange algorithms}
\label{fig:srp}
\end{figure}
|
