Oracle Security Developer Tools provide the cryptographic building blocks necessary for developing robust security applications, ranging from basic tasks such as digital signatures and secure messaging to more complex projects such as securely implementing a service-oriented architecture. The tools are built upon the core foundations of cryptography, public key infrastructure, web services security, and federated identity management.
Security tools are a critical component for application development projects. Commercial requirements and government regulations dictate that sensitive data be kept confidential and protected from tampering or alteration. A wide range of Oracle products utilize the Oracle Security Developer Tools, including:
This chapter takes a closer look at the underlying security technologies and introduces the components of the Oracle Security Developer Tools. It covers these topics:
1.1 About Cryptography
Cryptography protects the transmitted messages in communication channels from being intercepted (a passive attack) or modified (an active attack) by an intruder. To protect the message, an originator uses a cryptographic tool to convert plain, readable messages or plaintext into encrypted ciphertext. The message recipient likewise uses a cryptographic tool to decrypt the ciphertext into its original readable format. Cryptography secures communications over a network such as the internet by providing:
For additional cryptography resources, refer to References.

1.1.1 Types of Cryptographic Algorithms
Cryptographic algorithms or ciphers use keys to convert plaintext to ciphertext and vice versa. Essentially, there are three types of cryptographic algorithms categorized by the number of keys used for encryption and decryption, and by their application and usage. These are Symmetric Cryptographic Algorithms, Asymmetric Cryptographic Algorithms, and Hash Functions. Each type is optimized for certain applications. Hash functions are suited for ensuring data integrity. Symmetric cryptography is ideally suited for encrypting messages. Asymmetric cryptography is used for the secure exchange of keys, authentication, and non-repudiation. Asymmetric cryptography could also be used to encrypt messages, although this is rarely done. Symmetric cryptography operates about 1000 times faster, and is better suited for encryption than asymmetric cryptography. The cryptographic algorithm types are:
1.1.1.1 About Symmetric Cryptographic Algorithms
A symmetric cryptography algorithm (also known as secret key cryptography) uses a single key for both encryption and decryption. The sender uses the key to encrypt the plaintext and sends the ciphertext to the receiver. The receiver applies the same key to decrypt the message and recover the plaintext. The key must be known to both the sender and receiver. The biggest problem with symmetric cryptography is the secure distribution of the key.
Symmetric cryptography schemes are generally categorized as being either a block cipher or stream cipher. A block cipher encrypts one fixed-size block of data (usually 64 bits) at a time using the same key on each block. Some common block ciphers used today include Blowfish, AES, DES, and 3DES. Stream ciphers operate on a single bit at a time and implement some form of feedback mechanism so that the key is constantly changing. RC4 is an example of a stream cipher that is used for secure communications using the SSL protocol.

1.1.1.2 About Asymmetric Cryptographic Algorithms
An asymmetric cryptography algorithm (also known as public key cryptography) uses one key to encrypt the plaintext and another key to decrypt the ciphertext. It does not matter which key is applied first, but both keys are required for the process to work. In asymmetric cryptography, one of the keys is designated the public key and is made widely available. The other key is designated the private key and is never revealed to another party.
To send messages under this scheme, the sender encrypts some information using the receiver's public key. The receiver then decrypts the ciphertext using her private key. This method can also be used to prove who sent a message (non-repudiation). The sender can encrypt some plaintext with her private key, and when the receiver decrypts the message with the sender's public key, the receiver knows that the message indeed came from that sender.
Some of the common asymmetric algorithms in use today are RSA, DSA, and Diffie-Hellman.

1.1.1.3 Understanding Hash Functions
A hash function (also known as a message digest) is a one-way encryption algorithm that essentially uses no key. Instead, a fixed-length hash value is computed based upon the plaintext that makes it impossible for either the contents or length of the plaintext to be recovered. Hash algorithms are typically used to provide a digital fingerprint of a file's contents, often used to ensure that the file has not been altered by an intruder or virus. Hash functions are also commonly employed by many operating systems to encrypt passwords. Hash functions help preserve the integrity of a file. Some common hash functions include MD2, MD4, MD5 and SHA.

1.2 About Public Key Infrastructure (PKI)
A public key infrastructure (PKI) is designed to enable secure communications over public and private networks. Besides secure transmission and storage of data, PKI also enables secure e-mail, digital signatures, and data integrity. PKI uses public key cryptography, a mathematical technique that uses a pair of related cryptographic keys to verify the identity of the sender (digital signature), and to ensure the privacy of a message (encryption). PKI facilitates secure information exchange over the Internet. Critical elements for achieving the goals of PKI include:
Relying third parties use the certificates issued by the CA and the public keys contained in them to verify digital certificates and encrypt data.

1.2.1 Understanding Key Pairs
Encryption techniques often use a key, known only to the sender and the recipient. Public key cryptography uses a key pair of mathematically related cryptographic keys—the public key and the private key. When both use the same key, the encryption scheme is called symmetric. Difficulties with relying on a symmetric system include getting that key to both parties without allowing an eavesdropper to get it, too; and the fact that a separate key is needed for every two people, so that each individual must maintain many keys, one for each recipient.
For an explanation of the use of key pairs, see "About Asymmetric Cryptographic Algorithms". Table 1-1 summarizes who uses public and private keys and when:

Table 1-1 Summary of Public and Private Key Usage
1.2.2 About the Certificate Authority
A Certificate Authority (CA) is a trusted third party that vouches for the public key owner's identity. Examples of certificate authorities include Verisign and Thawte.

1.2.3 What are Digital Certificates?
The certification authority validates the public key's link to a particular entity by creating a digital certificate. This digital certificate contains the public key and information about the key holder and the signing certification authority. Using a PKI certificate to authenticate one's identity is analogous to identifying oneself with a driver's license or passport.

1.2.4 Related PKI Standards
A number of standards and protocols support PKI certificate implementation. These are Cryptographic Message Syntax (CMS), Secure/Multipurpose Internet Mail Extension (S/MIME), Lightweight Directory Access Protocol (LDAP), Time Stamp Protocol (TSP), Online Certificate Status Protocol (OCSP), and Certificate Management Protocol (CMP).

Cryptographic Message Syntax
Cryptographic Message Syntax (CMS) is a general syntax for data protection developed by the Internet Engineering Task Force (IETF). It supports a wide variety of content types including signed data, enveloped data, digests, and encrypted data, among others. CMS allows multiple encapsulation so that, for example, previously signed data can be enveloped by a second party. Values produced by CMS are encoded using X.509 Basic Encoding Rules (BER), meaning that the values are represented as octet strings.

Secure/Multipurpose Internet Mail Extension
Secure/Multipurpose Internet Mail Extension (S/MIME) is an Internet Engineering Task Force (IETF) standard for securing MIME data through the use of digital signatures and encryption. S/MIME provides the following cryptographic security services for electronic messaging applications:
Lightweight Directory Access Protocol
Lightweight Directory Access Protocol (LDAP) is the open standard for obtaining and posting information to commonly used directory servers. In a public key infrastructure (PKI) system, a user's digital certificate is often stored in an LDAP directory and accessed as needed by requesting applications and services.

Time Stamp Protocol
In a Time Stamp Protocol (TSP) system, a trusted third-party Time Stamp Authority (TSA) issues time stamps for digital messages. Time stamping proves that a message was sent by a particular entity at a particular time, providing non-repudiation for online transactions. The Time Stamp Protocol, as specified in RFC 3161, defines the participating entities, the message formats, and the transport protocol involved in time stamping a digital message.
To see how a time-stamping system can work, suppose Sally signs a document and wants it time stamped. She computes a message digest of the document using a secure hash function and then sends the message digest (but not the document itself) to the TSA, which sends her in return a digital time stamp consisting of the message digest, the date and time it was received at the TSA server, and the signature of the TSA. Since the message digest does not reveal any information about the content of the document, the TSA cannot eavesdrop on the documents it time stamps. Later, Sally can present the document and time stamp together to prove when the document was written. A verifier computes the message digest of the document, makes sure it matches the digest in the time stamp, and then verifies the signature of the TSA on the time stamp.

Online Certificate Status Protocol
Online Certificate Status Protocol (OCSP) is one of two common schemes for checking the validity of digital certificates. The other, older method, which OCSP has superseded in some scenarios, is known as the certificate revocation list (CRL).
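The time-stamping exchange described under Time Stamp Protocol above, modeled in plain JDK classes as an added example (Java 17; it is not Oracle PKI TSP SDK code and does not produce RFC 3161 message encodings). The `Token` record, the `digest || time` signing layout and the RSA key generated in `main` are assumptions made for the illustration; it shows that changing either the document or the recorded time invalidates the token.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.time.Instant;
import java.util.Arrays;

public class TimestampDemo {
    // Simplified token (assumed layout): digest, TSA receipt time, TSA signature over both.
    record Token(byte[] digest, Instant receivedAt, byte[] signature) {}

    static byte[] sha256(byte[] data) throws GeneralSecurityException {
        return MessageDigest.getInstance("SHA-256").digest(data);
    }

    // Bytes the TSA signs: digest || ISO-8601 time. The digest is always 32 bytes,
    // so the concatenation cannot be split in more than one way.
    static byte[] signedContent(byte[] digest, Instant t) {
        byte[] time = t.toString().getBytes(StandardCharsets.UTF_8);
        byte[] out = Arrays.copyOf(digest, digest.length + time.length);
        System.arraycopy(time, 0, out, digest.length, time.length);
        return out;
    }

    // TSA side: it receives only the digest, never the document itself.
    static Token issue(byte[] digest, Instant now, PrivateKey tsaKey)
            throws GeneralSecurityException {
        if (digest.length != 32) throw new IllegalArgumentException("expected a SHA-256 digest");
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(tsaKey);
        s.update(signedContent(digest, now));
        return new Token(digest.clone(), now, s.sign());
    }

    // Verifier side: recompute the digest, compare it with the token, then check
    // the TSA signature over the digest and the recorded time.
    static boolean verify(byte[] document, Token tok, PublicKey tsaPub)
            throws GeneralSecurityException {
        if (!MessageDigest.isEqual(sha256(document), tok.digest())) return false;
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(tsaPub);
        s.update(signedContent(tok.digest(), tok.receivedAt()));
        return s.verify(tok.signature());
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair tsa = kpg.generateKeyPair();   // stands in for the TSA's certified key pair

        // Constructed sample inputs.
        byte[] doc = "Constructed sample document signed by Sally"
                .getBytes(StandardCharsets.UTF_8);
        byte[] altered = "Constructed sample document signed by Sally!"
                .getBytes(StandardCharsets.UTF_8);

        Token tok = issue(sha256(doc), Instant.parse("2005-12-14T10:00:23Z"), tsa.getPrivate());
        // Same digest and signature, but a different claimed time.
        Token backdated = new Token(tok.digest(), Instant.parse("2004-01-01T00:00:00Z"),
                tok.signature());

        System.out.println("original document: " + verify(doc, tok, tsa.getPublic()));
        System.out.println("altered document:  " + verify(altered, tok, tsa.getPublic()));
        System.out.println("back-dated token:  " + verify(doc, backdated, tsa.getPublic()));
    }
}
```

A real verifier would also validate the TSA's certificate chain and revocation status before trusting its public key.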
OCSP overcomes the chief limitation of CRL: the fact that updates must be frequently downloaded to keep the list current at the client end. When a user attempts to access a server, OCSP sends a request for certificate status information. The server sends back a response of good, revoked, or unknown. The protocol specifies the syntax for communication between the server (which contains the certificate status) and the client application (which is informed of that status).

Certificate Management Protocol
The certificate management protocol (CMP) handles all relevant aspects of certificate creation and management. CMP supports interactions between public key infrastructure (PKI) components, such as Certificate Authorities (CAs), Registration Authorities (RAs), and end entities that are issued certificates.

1.2.5 Benefits of PKI
PKI provides secure and reliable authentication. It provides data integrity, non-repudiation, and prevents unauthorized access to transmitted or stored information. PKI provides users with the following benefits:
1.3 About Web Services Security
Web services provide a standard way for organizations to integrate Web-based applications using open standard technologies such as XML, SOAP, and WSDL. While the core SOAP specification solves many problems related to XML and Web Services, it does not provide a means to address message security requirements such as confidentiality, integrity, message authentication, and non-repudiation.
SOAP is a lightweight protocol for exchange of information in a service oriented environment. In such an environment, applications can expose selected functionality (business logic, for example) for use by other applications. SOAP provides the means by which applications supply and consume these services; it is an XML-based protocol for message transport in a distributed, decentralized Web Services application environment.
The need for securing SOAP prompted OASIS to put forward the Web Services Security standard, which:
1.4 About SAML
Security Assertions Markup Language (SAML) is an XML-based framework for exchanging security information over the Internet. SAML enables the exchange of authentication and authorization information between various security services systems that otherwise would not be able to interoperate.
The SAML 1.0, 1.1, and 2.0 specifications were adopted by the Organization for the Advancement of Structured Information Standards (OASIS) in 2002, 2003, and 2005 respectively. OASIS is a worldwide not-for-profit consortium that drives the development, convergence, and adoption of e-business standards. SAML 2.0 marks the convergence of the Liberty ID-FF, Shibboleth, and SAML 1.0/1.1 federation protocols.

1.4.1 Understanding SAML Assertions
SAML associates an identity, such as an e-mail address or a directory listing, with a subject, such as a user or system, and defines the access rights within a specific domain. The basic SAML document is the SAML provides three kinds of declarations, or
Assertions are XML documents generated about events that have already occurred. While SAML makes assertions about credentials, it does not actually authenticate or authorize users. Example 1-1 shows a typical SAML authentication assertion wrapped in a SAMLP response message:

Example 1-1 Sample SAMLP Response Containing a SAML 1.0 Authentication Assertion

<samlp:Response
    MajorVersion="1" MinorVersion="0"
    ResponseID="128.14.234.20.90123456"
    InResponseTo="123.45.678.90.12345678"
    IssueInstant="2005-12-14T10:00:23Z"
    xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
  <samlp:Status>
    <samlp:StatusCode Value="samlp:Success" />
  </samlp:Status>
  <saml:Assertion
      MajorVersion="1" MinorVersion="0"
      AssertionID="123.45.678.90.12345678"
      Issuer="IssuingAuthority.com"
      IssueInstant="2005-12-14T10:00:23Z">
    <saml:Conditions
        NotBefore="2005-12-14T10:00:30Z"
        NotOnOrAfter="2005-12-14T10:15:00Z" />
    <saml:AuthenticationStatement
        AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
        AuthenticationInstant="2005-12-14T10:00:20Z">
      <saml:Subject>
        <saml:NameIdentifier NameQualifier="RelyingParty.com">john.smith</saml:NameIdentifier>
        <saml:SubjectConfirmation>
          <saml:ConfirmationMethod>urn:oasis:names:tc:SAML:1.0:cm:artifact-01</saml:ConfirmationMethod>
        </saml:SubjectConfirmation>
      </saml:Subject>
    </saml:AuthenticationStatement>
  </saml:Assertion>
</samlp:Response>
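As an added example (Java 17, JDK classes only; not Oracle SAML API code), the checks a relying party would apply to a response like Example 1-1 before using it: request correlation, status, issuer, and the Conditions validity window with a clock-skew allowance. The class and method names, the 60-second skew, and the trimmed sample built from the values in Example 1-1 are assumptions, and the SAML 1.x attribute names `NotBefore` and `NotOnOrAfter` are used for the window.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.time.format.DateTimeParseException;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class AssertionWindowCheck {
    static final String SAML = "urn:oasis:names:tc:SAML:1.0:assertion";
    static final String SAMLP = "urn:oasis:names:tc:SAML:1.0:protocol";

    // Constructed sample: Example 1-1 trimmed to the elements this check reads.
    static final String SAMPLE = """
        <samlp:Response MajorVersion="1" MinorVersion="0"
            ResponseID="128.14.234.20.90123456" InResponseTo="123.45.678.90.12345678"
            IssueInstant="2005-12-14T10:00:23Z"
            xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
            xmlns:samlp="urn:oasis:names:tc:SAML:1.0:protocol">
          <samlp:Status><samlp:StatusCode Value="samlp:Success"/></samlp:Status>
          <saml:Assertion MajorVersion="1" MinorVersion="0"
              AssertionID="123.45.678.90.12345678" Issuer="IssuingAuthority.com"
              IssueInstant="2005-12-14T10:00:23Z">
            <saml:Conditions NotBefore="2005-12-14T10:00:30Z"
                NotOnOrAfter="2005-12-14T10:15:00Z"/>
          </saml:Assertion>
        </samlp:Response>
        """;

    // Namespace-aware parser that refuses DOCTYPE declarations, so the untrusted
    // message cannot pull in external entities.
    static Document parse(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    }

    // Require exactly one matching element, so a second injected copy is an error.
    static Element only(Document d, String ns, String local) {
        NodeList n = d.getElementsByTagNameNS(ns, local);
        if (n.getLength() != 1)
            throw new IllegalArgumentException("expected one " + local + ", found " + n.getLength());
        return (Element) n.item(0);
    }

    static String check(String xml, String requestId, String trustedIssuer,
                        Instant now, Duration skew) throws Exception {
        try {
            Document doc = parse(xml);
            Element resp = doc.getDocumentElement();
            if (!SAMLP.equals(resp.getNamespaceURI()) || !"Response".equals(resp.getLocalName()))
                return "REJECT: root element is not samlp:Response";
            if (!requestId.equals(resp.getAttribute("InResponseTo")))
                return "REJECT: InResponseTo does not match the request that was sent";
            // StatusCode/@Value is a QName: resolve its prefix rather than comparing raw text.
            Element code = only(doc, SAMLP, "StatusCode");
            String[] q = code.getAttribute("Value").split(":", 2);
            if (q.length != 2 || !SAMLP.equals(code.lookupNamespaceURI(q[0]))
                    || !"Success".equals(q[1]))
                return "REJECT: status is not samlp:Success";
            Element assertion = only(doc, SAML, "Assertion");
            if (!trustedIssuer.equals(assertion.getAttribute("Issuer")))
                return "REJECT: untrusted issuer " + assertion.getAttribute("Issuer");
            Element cond = only(doc, SAML, "Conditions");
            String nb = cond.getAttribute("NotBefore");
            String noa = cond.getAttribute("NotOnOrAfter");
            if (nb.isEmpty() || noa.isEmpty())   // policy assumption: unbounded assertions are refused
                return "REJECT: assertion carries no bounded validity window";
            if (now.plus(skew).isBefore(Instant.parse(nb)))
                return "REJECT: assertion not yet valid";
            if (!now.minus(skew).isBefore(Instant.parse(noa)))
                return "REJECT: assertion expired";
            return "ACCEPT";
        } catch (IllegalArgumentException | DateTimeParseException e) {
            return "REJECT: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        String req = "123.45.678.90.12345678", idp = "IssuingAuthority.com";
        Duration skew = Duration.ofSeconds(60);
        Instant inWindow = Instant.parse("2005-12-14T10:05:00Z");
        System.out.println(check(SAMPLE, req, idp, inWindow, skew));
        System.out.println(check(SAMPLE, req, idp, Instant.parse("2005-12-14T10:20:00Z"), skew));
        System.out.println(check(SAMPLE, req, "Other.example", inWindow, skew));
        System.out.println(check(SAMPLE, "unsolicited", idp, inWindow, skew));
    }
}
```

These checks cover only the unsigned fields; a relying party must also verify the XML Signature on the message before trusting any of them.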
1.4.2 Understanding SAML Requests and Responses
When a user signs into a SAML-compliant service, the service sends a "request for authentication assertion" to the issuing authority (identity provider). The issuing authority returns an "authentication assertion" reference stating that the user was authenticated by a particular method at a specific time.
The authority that issues assertions is known as the issuing authority or identity provider. An issuing authority can be a third-party service provider or an individual business that is serving as an issuing authority within a private federation of businesses. SAML-compliant applications and services, which trust the issuing authority or identity provider and make use of its services, are called relying parties or service providers.

1.4.2.1 About the SAML Request and Response Cycle
In a typical SAML cycle, the relying party (or service provider), which needs to authenticate a specific client request, sends a SAML request to its issuing authority or identity provider. The identity provider responds with a SAML assertion, which supplies the relying party or service provider with the requested security information.
For example, when a user signs into a SAML-compliant service of a relying party or identity provider, the service sends a "request for authentication assertion" to the issuing authority (identity provider). The issuing authority returns an "authentication assertion" reference stating that the user was authenticated by a particular method at a specific time. The service can then pass this assertion reference to other relying party/identity provider sites to validate the user's credentials. When the user accesses another SAML-compliant site that requires authentication, that site uses the reference to request the "authentication assertion" from the issuing authority or identity provider, which states that the user has already been authenticated.
At the issuing authority, an assertion layer handles request and response messages using the SAML protocol, which can bind to various communication and transport protocols (HTTP, SOAP, and so on). Note that while the client always consumes assertions, the issuing authority or identity provider can act as producer and consumer since it can both create and validate assertions. This cycle is illustrated in Figure 1-1.

Figure 1-1 SAML Request-Response Cycle
This figure shows a SAML request and response cycle, and shows a user, boxes for relying parties, and a box for the issuing authority. The user or client request first goes to the relying party, which sends a SAML request to its issuing authority. The issuing authority responds with a SAML assertion, which supplies the relying party with the requested security information. Two-way arrows denote the client communication with the relying party (there can be more than one relying party), and also denote the request-response communication between the relying party and issuing authority. Finally, the box for the issuing authority separates out the assertion layer (SAML) from the transport layer (HTTP, SOAP, and so on) to show that the communication between these layers enables the issuing authority to create and validate assertions.

1.4.2.2 About SAML Protocol Bindings and Profiles
SAML defines a protocol, SAMLP, for requesting and obtaining assertions. Bindings define the standard way that SAML request and response messages are transported between the issuing authorities (identity providers) and relying parties (service providers) by providing mappings between SAML messages and standard communication protocols. For example, the defined transport mechanism for SAML requests and responses is Simple Object Access Protocol (SOAP) over HTTP. This enables the exchange of SAML information across several Web services in a standard manner.
A profile describes how SAML assertion and protocol messages are combined with particular transport bindings to achieve a specific practical use case. Among the most widely implemented SAML profiles, for example, are Web browser profiles for single sign-on and SOAP profiles for securing SOAP payloads.

1.4.2.3 How SAML Integrates with XML Security
In addition, SAML was designed to integrate with XML Signature and XML Encryption, standards from the World Wide Web Consortium for embedding encrypted data or digital signatures within an XML document. This support for XML signatures allows SAML to handle not only authentication, but also message integrity and non-repudiation of the sender. See Oracle XML Security for more information about Oracle XML Security.

1.5 About Identity Federation
As global businesses strive for ever-closer relationships with suppliers and customers, they face challenges in creating more intimate, yet highly secure business transactions. Parties conducting a business transaction must be certain of the identity of the person or agent with whom they are dealing; they must also be assured that the other has the authority to act on behalf of the business with whom the transaction is being conducted. Federated Identity Management enables parties to establish trust relationships that allow one party to recognize and rely upon security tokens issued by another party. Identity Federation addresses challenges such as complexity, cost control, enabling secure access to resources for employees and customers, and regulatory compliance.
Historically, in the course of doing business with partners, companies have resorted to acquiring names, responsibilities, and other pertinent information about all entities who might act on behalf of the partner company. With changing roles and responsibilities, and particularly in large enterprises, this can create significant logistical problems as the data quickly becomes very costly to maintain and manage.
Key federation concepts include:
Note: For additional information about the standards mentioned here, see References.

1.6 About Oracle Security Developer Tools

1.6.1 Understanding Toolkit Architecture
The Oracle Security Developer Tools consist of tools for XML, SAML, and Web Services Security Applications, tools for Public Key Cryptography (PKI) Applications, tools for E-mail Security Applications, tools for Low-level Cryptographic Applications, and tools for Web Tokens arranged across different layers of the setup. It is useful to consider the tools in the toolkit as a whole, and then to look at functional subsets of tools for different applications.

Figure 1-2 The Oracle Security Developer Tools
Figure 1-2 shows the components of the Oracle Security Developer Tools. Typically, a tool will utilize functions provided by the tool immediately below it in the stack. For example, the Oracle SAML tool leverages functions provided by the Oracle XML Security tool. Note that:
Oracle Crypto and Oracle Security Engine are the basic cryptographic tools of the set. The next layer consists of Oracle CMS for message syntax, Oracle XML Security for signature encryption, and Oracle PKI SDK, which is a suite of PKI tools consisting of Oracle PKI LDAP SDK, Oracle PKI TSP SDK, Oracle PKI OCSP SDK, and Oracle PKI CMP SDK. Oracle S/MIME exploits Oracle CMS to provide a toolset for secure e-mail. The next layer contains Oracle SAML and Oracle Liberty SDK, which provide structured assertion markup and federated identity management capabilities. Finally, Oracle Web Services Security facilitates secure interactions with web services.

1.6.2 Tools for XML, SAML, and Web Services Security Applications
The Oracle XML Security package provides security for XML documents. It provides the foundation for Oracle Web Services Security, Oracle SAML, and Oracle Liberty SDK. The Oracle XML Security package provides the foundation for the following components of the toolkit:
Figure 1-3 Tools for XML, SAML, and WS Security
This graphic shows that Oracle SAML, Oracle Web Services Security, and Oracle Liberty tools are built on Oracle XML Security.

Note: A diagram like this is necessarily simplified; in practice the jar relationships between the Oracle Security Developer Tools are complex and depend upon implementation details. For example, to use the SAML libraries, you actually need several components:
See Figure 1-2 for a more complete picture of dependencies. See the subsequent tool chapters in this guide for instructions on setting up the classpath for each tool, so that you have the correct environment for each type of application.

1.6.2.1 About Oracle XML Security
XML Security refers to the common data security requirements of XML documents, such as confidentiality, integrity, message authentication, and non-repudiation. Oracle XML Security fulfills these needs by providing the following features:

1.6.2.2 About Oracle SAML
The Oracle SAML API provides tools and documentation to assist developers of SAML-compliant Java security services. You can integrate Oracle SAML into existing Java solutions including applets, applications, EJBs, servlets, and JSPs. Oracle SAML provides the following features:

1.6.2.3 About Oracle Web Services Security
Oracle Web Services Security provides an authentication and authorization framework based on Organization for the Advancement of Structured Information Standards (OASIS) specifications. Oracle Web Services Security provides the following features:

1.6.2.4 About Oracle Liberty SDK
Oracle Liberty SDK allows Java developers to design and develop single sign-on (SSO) and federated identity solutions based on the Liberty Alliance specifications. Oracle Liberty SDK, available in versions 1.1 and 1.2, aims to unify, simplify, and extend all aspects of development and integration of systems conforming to the Liberty Alliance 1.1 and 1.2 specifications. Oracle Liberty SDK provides the following features:
Note: For additional information about the standards and specifications mentioned in this chapter, see References.

1.6.3 Tools for Public Key Cryptography (PKI) Applications
The Oracle PKI package consists of tools for working with digital certificates within an LDAP repository, for developing timestamp services conforming to RFC 3161, for OCSP messaging compliant with RFC 2560, and for the certificate management protocol (CMP) specification. The Oracle PKI package also provides the foundation for Oracle XKMS, which enables you to develop XML transactions for digital signature processing.

Figure 1-4 PKI Tools
This graphic shows that Oracle's XKMS tool is built on Oracle PKI tools, which consist of Oracle LDAP, Oracle TSP, Oracle OCSP, and Oracle CMP.

1.6.3.1 About Oracle PKI LDAP SDK
Oracle PKI LDAP SDK provides facilities for accessing a digital certificate within an LDAP directory. Some of the tasks you can perform using the Oracle PKI LDAP SDK are:

1.6.3.2 About Oracle PKI TSP SDK
The Oracle PKI TSP SDK provides the following features and functionality:

1.6.3.3 About Oracle PKI OCSP SDK
The Oracle PKI OCSP SDK provides the following features and functionality:

1.6.3.4 About Oracle PKI CMP SDK
Certificate management protocol (CMP) messages support the following set of functions:
The Oracle PKI CMP SDK conforms to RFC 2510 and is compatible with other products that conform to this certificate management protocol specification. In addition, it conforms to RFC 2511 and is compatible with other products that conform to this certificate request message format (CRMF) specification.

1.6.3.5 About Oracle XKMS
Oracle XKMS (XML Key Management Specification) provides a convenient way to handle public key infrastructures by allowing developers to write XML transactions for digital signature processing. Oracle XKMS implements the W3C XKMS standard and avoids some of the cost and complexity involved with public key infrastructures.

1.6.4 Tools for E-mail Security Applications
Oracle CMS provides tools for reading and writing CMS objects, as well as the foundation for the Oracle S/MIME tools for e-mail security, including certificate parsing and verification, X.509 certificates, private key encryption, and related features.

Figure 1-5 CMS and S/MIME Tools
This graphic shows that Oracle's S/MIME tool is built on Oracle CMS.

1.6.4.1 About Oracle CMS
Oracle CMS provides an extensive set of tools for reading and writing CMS objects, and supporting tools for developing secure message envelopes. Oracle CMS implements the IETF Cryptographic Message Syntax specified in RFC-2630. Oracle CMS implements all the RFC-2630 content types.

1.6.4.2 About Oracle S/MIME
Oracle S/MIME provides the following Secure/Multipurpose Internet Mail Extension (S/MIME) features:

1.6.5 Tools for Low-level Cryptographic Applications
Oracle Crypto provides a broad range of cryptographic algorithms, message digests, and MAC algorithms, as well as the basis for the Oracle Security Engine for X.509 certificates and CRL extensions.

Figure 1-6 Cryptographic Tools
This graphic shows that Oracle Security Engine is built upon the Oracle Crypto tool.

1.6.5.1 About Oracle Crypto
The Oracle Crypto toolkit provides the following features:

1.6.5.2 About Oracle Security Engine
The Oracle Security Engine toolkit provides the following features:

1.6.6 Tools for Web Tokens
Oracle JWT enables you to create a JSON object that is digitally signed using a JSON Web Signature (JWS) and optionally encrypted using JSON Web Encryption (JWE).

1.6.6.1 About Oracle JWT
Oracle JWT (JSON Web Token) provides support for the JSON Web Token standard. Using Oracle JWT, you can construct and maintain JSON objects to represent claims being transferred between parties using a compact token format.

1.7 About Supported Standards
Oracle Security Developer Tools support multiple standards for SAML, XML Security Transforms, and WS-Security. The supported standards and protocols are shown in the following table:

Table 1-2 Supported Standards
Note: By way of clarification, note that SAML token profile 1.1 applies to SAML 2.0, while SAML token profile 1.0 applies to SAML 1.0 and SAML 1.1.

1.8 Setting the CLASSPATH Environment Variable
Each tool in the OSDT toolkit has specific To determine which jars you need for a specific OSDT tool, refer to the Setting Up Your Environment section of the chapter that describes the tool.

1.8.1 Setting the CLASSPATH on Windows
On Windows, set your To set the
1.8.2 Setting the CLASSPATH on UNIX
On UNIX, set your For example:

setenv CLASSPATH ${CLASSPATH}:${ORACLE_HOME}/modules/oracle.osdt_11.1.1/osdt_core.jar:${ORACLE_HOME}/modules/oracle.osdt_11.1.1/osdt_cert.jar:${ORACLE_HOME}/modules/oracle.osdt_11.1.1/osdt_xmlsec.jar:${ORACLE_HOME}/modules/oracle.osdt_11.1.1/osdt_saml.jar:${ORACLE_HOME}/modules/oracle.osdt_11.1.1/osdt_saml2.jar:${ORACLE_HOME}/modules/org.jaxen_1.1.1.jar

Which of the following allows a certificate authority (CA) to revoke a compromised digital certificate in real time?
Explanation: OCSP provides certificate authorities with the means necessary to revoke digital certificates in real time.

Which of the following best explains how a certificate authority is used in protecting data?
A certificate authority verifies the authenticity of encryption keys used in secured communications.

What standard is not secure and should never be used on modern wireless networks?
WEP was the first encryption protocol used to secure wireless networks and is now easily compromised and should never be used. TKIP shares many similarities with WEP encryption and is no longer considered secure. So it too should no longer be seriously considered when securing your network.

Which algorithm can they use to exchange a secret key?
The Diffie-Hellman algorithm will be used to establish a secure communication channel. This channel is used by the systems to exchange a private key. This private key is then used to do symmetric encryption between the two systems.