SSH Tectia  

Encryption

Use the Encryption page of the SSH Tectia Server Configuration tool to specify which encryption algorithms (ciphers) and message authentication codes (MACs) the server offers, and how often key exchange is repeated. The file used to seed the random number generator can also be specified here.

Figure: Defining the encryption settings

Ciphers

Select the ciphers to use for encrypting the session, either by selecting one from the drop-down menu, or by typing a list of supported ciphers, separated by commas.

Possible cipher values are the following:

  • AnyCipher: Any available cipher except none can be used.
  • AnyStdCipher: Allows only standard ciphers, i.e. those mentioned in the IETF SecSh draft (excluding none). This is the default value.
  • aes128: Use 128-bit Advanced Encryption Standard encryption.
  • aes192: Use 192-bit Advanced Encryption Standard encryption.
  • aes256: Use 256-bit Advanced Encryption Standard encryption.
  • 3des: Use 3DES encryption.
  • blowfish: Use Blowfish encryption.
  • twofish: Use Twofish encryption.
  • arcfour: Use Arcfour (RC4) encryption. Arcfour is a stream cipher with known weaknesses; prefer AES where clients support it.
  • cast: Use CAST-128 encryption.
  • seed: Use SEED encryption.
  • des: Use single DES encryption. DES is generally considered a very weak cipher, and its use is not recommended. It is offered as a fallback option only.
  • none: Do not use encryption. All session data, including passwords and tunneled traffic, is then sent in cleartext. Use this option for testing purposes only!

In the FIPS mode, the following ciphers are supported:

  • aes128
  • aes192
  • aes256
  • 3des
  • des

MACs

Select the desired message authentication code (MAC) algorithm to use for data integrity verification. Select a single value from the drop-down menu, or type in a list of supported MACs, separated by commas.

Possible MAC values are the following:

  • AnyMac: Any available MAC except none can be used.
  • AnyStdMac: Allows only standard MACs, i.e. those mentioned in the IETF SecSh draft (excluding none). This is the default value.
  • hmac-sha1: Use the hmac-sha1 MAC.
  • hmac-md5: Use the hmac-md5 MAC.
  • none: Do not use a MAC. The session then has no integrity protection, so use this option for testing purposes only.

In the FIPS mode, only hmac-sha1 is supported.
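The two lists above give the names the Configuration Tool uses, but the only way to confirm what a running server actually offers is to look at the SSH_MSG_KEXINIT it sends before any authentication takes place. The following is an added example, not SSH Tectia code and not part of the original page: it parses a server's KEXINIT (RFC 4253, section 7.1) and flags weak offerings, either against a list of known-weak names or against an explicit allow-list. The wire names it treats as weak (des-cbc, arcfour, hmac-md5, none) are assumed to correspond to the GUI names des, arcfour, hmac-md5 and none, and the sample packet it checks is constructed inline.

```python
import socket
import struct

# SSH_MSG_KEXINIT message number (RFC 4253, section 7.1).
SSH_MSG_KEXINIT = 20

# Wire names of the algorithms the page marks as weak or test-only.  The mapping
# from the GUI names (des, arcfour, hmac-md5, none) to these wire names is an
# assumption of this example, not something the page states.
WEAK_CIPHERS = {"none", "des-cbc", "arcfour", "arcfour128", "arcfour256"}
WEAK_MACS = {"none", "hmac-md5", "hmac-md5-96"}

KEXINIT_FIELDS = ["kex", "host_key", "cipher_c2s", "cipher_s2c", "mac_c2s",
                  "mac_s2c", "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def _read_namelist(buf, off):
    """Decode one RFC 4251 name-list: uint32 length + comma-separated ASCII names."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n]
    if len(raw) != n:
        raise ValueError("truncated name-list")
    return (raw.decode("ascii").split(",") if n else []), off + n

def parse_kexinit(payload):
    """Split a KEXINIT payload into its ten name-lists, keyed by KEXINIT_FIELDS."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16                      # message number + 16-byte random cookie
    out = {}
    for field in KEXINIT_FIELDS:
        out[field], off = _read_namelist(payload, off)
    # Trailing boolean first_kex_packet_follows and uint32 reserved are not needed here.
    return out

def unwrap_packet(data):
    """Remove RFC 4253 binary packet framing from the (still unencrypted) first packet."""
    (packet_len,) = struct.unpack_from(">I", data, 0)
    padding_len = data[4]
    payload_len = packet_len - padding_len - 1
    if payload_len <= 0 or len(data) < 4 + packet_len:
        raise ValueError("short or malformed packet")
    return data[5:5 + payload_len]

def audit(kex, allowed_ciphers=None, allowed_macs=None):
    """Flag offered ciphers/MACs (both directions): known-weak names, or anything outside the allow-lists."""
    ciphers = set(kex["cipher_c2s"]) | set(kex["cipher_s2c"])
    macs = set(kex["mac_c2s"]) | set(kex["mac_s2c"])
    bad_ciphers = ciphers - allowed_ciphers if allowed_ciphers is not None else ciphers & WEAK_CIPHERS
    bad_macs = macs - allowed_macs if allowed_macs is not None else macs & WEAK_MACS
    return {"ciphers": sorted(bad_ciphers), "macs": sorted(bad_macs)}

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed during key exchange")
        buf += chunk
    return buf

def fetch_server_kexinit(host, port=22, timeout=5.0):
    """Connect to a live server, exchange identification strings, return its parsed KEXINIT."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        line = b""
        while not line.startswith(b"SSH-"):        # servers may send banner lines first
            line = b""
            while not line.endswith(b"\n"):
                line += _recv_exact(sock, 1)
        sock.sendall(b"SSH-2.0-kexaudit\r\n")
        header = _recv_exact(sock, 4)
        (packet_len,) = struct.unpack(">I", header)
        return parse_kexinit(unwrap_packet(header + _recv_exact(sock, packet_len)))

def build_kexinit_packet(lists, cookie=b"\x00" * 16):
    """Encode name-lists as a framed KEXINIT; used only to construct the sample below."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for names in lists:
        raw = ",".join(names).encode("ascii")
        payload += struct.pack(">I", len(raw)) + raw
    payload += b"\x00" + struct.pack(">I", 0)       # first_kex_packet_follows, reserved
    pad = 8 - ((5 + len(payload)) % 8)              # total length must be a multiple of 8
    if pad < 4:                                     # and padding must be at least 4 bytes
        pad += 8
    return struct.pack(">I", 1 + len(payload) + pad) + bytes([pad]) + payload + b"\x00" * pad

# Constructed sample: a server offer that still includes arcfour, des-cbc and hmac-md5.
SAMPLE_OFFER = [
    ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],   # kex
    ["ssh-rsa", "ssh-dss"],                                          # host key
    ["aes128-cbc", "3des-cbc", "arcfour", "des-cbc"],                # ciphers c2s
    ["aes128-cbc", "3des-cbc", "arcfour", "des-cbc"],                # ciphers s2c
    ["hmac-sha1", "hmac-md5"], ["hmac-sha1", "hmac-md5"],            # MACs c2s, s2c
    ["none"], ["none"], [], [],                                      # compression, languages
]
SAMPLE_PACKET = build_kexinit_packet(SAMPLE_OFFER)
```

After changing the Ciphers or MACs setting and restarting the server, `audit(fetch_server_kexinit("host"))` should return empty lists; passing `allowed_ciphers` and `allowed_macs` turns that into the stricter check that nothing outside the intended set is offered. The check observes only the server's offer, not which algorithm a particular client ends up negotiating.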

Rekey interval (seconds)

Specify the number of seconds after which key exchange is performed again. A value of 0 (zero) turns rekey requests off. (However, this does not prevent the client from requesting rekeys.)

The default value is 0 seconds (meaning that the server does not request rekeys). Note that not all clients support this function.

Random seed file

Click the button on the right-hand side of the text field to change the file to be used as random seed. The Select File dialog appears, allowing you to specify the desired file. You can also type the path and filename directly in the text field.

The default random seed file is server_random_seed, located in the installation directory.

FIPS Mode

SSH Tectia Server can be operated in FIPS mode, using a version of the cryptographic library that has been validated according to the Federal Information Processing Standard (FIPS) 140-2. In this mode the cryptographic operations are performed according to the rules of the FIPS 140-2 standard.

The software uses the standard libraries by default; the FIPS 140-2 validated libraries are available separately. If the FIPS-certified cryptographic library has been installed, SSH Tectia Server detects and uses it automatically.

For a list of platforms on which the FIPS library has been validated or tested, see SSH Tectia Client/Server Product Description.

Select the Enable FIPS Mode check box to use the FIPS-certified version of the SSH cryptographic library.

Note: Selecting the check box does not verify that the FIPS-certified version of the library is actually installed.




Copyright © 2010 SSH Communications Security Corp.
This software is protected by international copyright laws. All rights reserved.