| |
|
RSS Feed - WebSphere MQ Support
|
RSS Feed - Message Broker Support
|
| CipherSpec and CipherSuite Terminology in IBM MQ Manual |
« View previous topic :: View next topic » |
| Author |
Message
|
| tczielke |
 Posted: Fri Mar 01, 2019 1:06 pm Post subject: |
 |
|
Guardian
Joined: 08 Jul 2010
Posts: 941
Location: Illinois, USA
|
Another note.
I have a "SSL and TLS - Designing and Building Secure Systems" book by Eric Rescorla (TLS RFC writer for the IETF) that was written around 2001. I checked and it does confirm that CipherSuite is a replacement for CipherSpec, which happened between SSL v2 and SSL v3.
From the section Cipher Suites in Chapter 4 of this book:
| Quote: |
| SSLv2 CIPHER-SPECSs are analogous to SSLv3 CipherSuites |
It then goes onto to explain some of the details of the transition of SSL v2 CipherSpecs to SSLv3 CipherSuites.
_________________
Working with MQ since 2010. |
|
| Back to top |
|
 |
| tczielke |
| Posted: Fri Mar 01, 2019 5:25 pm Post subject: |
|
|
Guardian
Joined: 08 Jul 2010
Posts: 941
Location: Illinois, USA
|
That SSL book helped me find the SSL v2 specification, and I think I sorted out what happened with CipherSpec. I am going to document it here in case it helps anyone else out, because I find it somewhat confusing.
SSL v2 specification -> https://www.ietf.org/archive/id/draft-hickman-netscape-ssl-00.txt
In the SSL v2 specification there is no reference to CipherSuite. Only CipherSpec is used for the negotiated piece of the ClientHello and ServerHello at the handshake protocol level.
SSL v3 specification -> https://tools.ietf.org/html/rfc6101#page-47
At SSL v3, CipherSpec at the handshake protocol level is replaced with the term CipherSuite. However, the CipherSpec term is still persisted at the record protocol level. Applications initially interface with TLS at the handshake level, so it is proper from this point forward to refer the term as CipherSuite. The SSL v3 and TLS specifications that I have read document it this way, as well.
TLS 1.2 specification -> https://www.ietf.org/rfc/rfc5246.txt
TLS 1.2 still refers to CipherSpec but it is formally defined as "Security Parameters".
TLS 1.3 specification -> https://tools.ietf.org/html/rfc8446
CipherSpec no longer appears in the specification. SecurityParameters is still documented but not to much detail.
So bottom line, we should be using the term CipherSuite from SSL v3 and forward, at least that is how it seems clear to me. 
_________________
Working with MQ since 2010. |
|
| Back to top |
|
|
| rekarm01 |
| Posted: Sun Mar 03, 2019 12:31 pm Post subject: |
|
|
Grand Master
Joined: 25 Jun 2008
Posts: 1415
|
| tczielke wrote: |
| So bottom line, we should be using the term CipherSuite from SSL v3 and forward, at least that is how it seems clear to me. |
Thanks for the additional references. It should be interesting to see what IBM does with this information. |
|
| Back to top |
|
|
| tczielke |
| Posted: Thu Jul 25, 2019 11:03 am Post subject: |
|
|
Guardian
Joined: 08 Jul 2010
Posts: 941
Location: Illinois, USA
|
I thought this was kind of interesting. I was reading through my course notes from a "Designing and Architecting Cluster Solutions" IBM MQ class, and it said the following for SSL Terms:
| Quote: |
Encryption algorithm + Hash function = CipherSpec
CipherSpec + Key exchange and authentication algorithm = CipherSuite
|
So it got the terminology correct there. But then on the very next slide it uses CipherSpec exclusively when it should be using CipherSuite.
| Quote: |
SSL (v3.0) can allow clients to pass CipherSpecs on the SSL handshake . . .
WebSphere MQ imposes the restriction that only one CipherSpec can be supplied on the channel definition . . .
|
Very odd. It must just be a nuance that is easy to miss.
_________________
Working with MQ since 2010. |
|
| Back to top |
|
|
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
|
