Chapter 1
Overview of CSS SSL
SSL Cryptography Overview
An important property of the message digest is that it is extremely difficult to
reverse. Simply appending a digest of the message to itself before sending it is not
enough to guarantee integrity. An attacker can change the message and then
change the digest accordingly. Encoding the message digest with the sender's
private key creates a Message Authentication Code (MAC), the message integrity
algorithm, which the recipient can then decode using the sender's public key. SSL
supports two different algorithms for a MAC: Message Digest 5 (MD5) and
Secure Hash Algorithm (SHA).
This integrity scheme, however, does not work if the sender's private key is
compromised. The attacker can now forge the sender's MACs. Message integrity
also depends heavily on the protection of private keys. This process is known as
digital signing.
RSA key pairs are effective for signing the MAC. However, it may be
advantageous to separate the functions of key exchange and signing. The Digital
Signature Algorithm (DSA) is an SSL algorithm that is used strictly for digital
signatures but not for key exchange.
DSA was standardized as FIPS-186, which is the Digital Signature Standard
(DSS). DSA and DSS can be used interchangeably. DSS uses the same
crypto-math as Diffie-Hellman and requires parameters similar to Diffie-Hellman
to generate keys. Additionally, DSS is restricted for use only with the Secure
Hash Algorithm 1 (SHA-1) message digest.
Cisco Content Services Switch SSL Configuration Guide
1-5
OL-5655-01