Cryptography can be used to neutralize some of these attacks and to ensure confidentiality and integrity of
network traffic. Cryptography can also be used to implement authentication schemes using digital signatures.
The TOE supports OpenSSL, a toolkit built on cryptography.
OpenSSL is a cryptography toolkit implementing the Secure Sockets Layer (SSL) versions 2 and 3, and
Transport Layer Security (TLS) version 1 network protocols and related cryptography standards required by
them.
SSL, which is encryption-based, is a technology that provides message encryption, server authentication,
message integrity, and optional client authentication. This section briefly describes the SSL protocol and how
it is used to provide secure communication to and from an SLES system. For more detailed information
about SSL, refer to the following:
OpenSSL Web site at http://www.openssl.org/docs.
IBM Redbook TCP/IP Tutorial and Technical Overview, by Adolfo Rodriguez, et al. at
http://www.redbooks.ibm.com/redbooks/pdfs/gg243376.pdf.
“The TLS Protocol version 1.1” by Tim Dierks and Eric Rescorla at
http://www.ietf.org/rfc/rfc2246.txt?number=2246.
Internet Security Protocols: SSLeay & TLS, by Eric Young.
Cryptography and Network Security Principles and Practice, 2nd Edition, by William Stallings.
SSL was originally designed by Netscape. SSL version 3 was designed with public input. As SSL gained in
popularity, a Transport Layer Security (TLS) working group was formed to submit the protocol for Internet
standardization. OpenSSL implements Secure Socket Layer (SSL versions 2 and 3) and Transport Layer
Security (TLS version 1) protocols, as well as a full-strength general purpose cryptography library. Because
TLS is based on SSL, the rest of this section uses the term SSL to describe both the SSL and TLS protocols.
Where the protocols differ, TLS protocols are identified appropriately.
SSL is a socket-layer security protocol that is implemented at the transport layer. SSL is a reliable,
connection-based protocol and therefore runs on top of TCP but not UDP.
Figure 5-84: SSL location in the network stack
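The four services the section attributes to SSL (encryption, server authentication, integrity, optional client authentication) are only delivered when the endpoints are configured to enforce them. The following Python example, added here and not taken from the evaluated TOE, uses the standard ssl module (a thin wrapper over OpenSSL) to build a client context that authenticates the server and pins the minimum protocol to TLS so the legacy SSL 2 and SSL 3 versions cannot be negotiated, a deliberately weak client context for comparison, and a server context that requests optional client authentication. All file paths are placeholders.

```python
import ssl

# Added example: OpenSSL-backed TLS contexts via Python's ssl module.
# Certificate and CA file paths are assumed placeholders, not real files.


def client_context(ca_file=None):
    """Client side: authenticate the server and allow only TLS 1.2 or later,
    so SSL 2 / SSL 3 can never be negotiated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED   # server cert must chain to a trusted CA
    ctx.check_hostname = True             # and must match the host we asked for
    if ca_file is not None:
        ctx.load_verify_locations(cafile=ca_file)  # placeholder path
    return ctx


def unauthenticated_client_context():
    """Weak variant: traffic is still encrypted and integrity-protected, but
    without certificate verification the client cannot tell who it talks to."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = False            # must be cleared before CERT_NONE is allowed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def server_context(cert_file=None, key_file=None, client_ca_file=None):
    """Server side: present the server certificate and *optionally* request a
    client certificate, i.e. SSL's optional client authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cert_file is not None:
        ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)  # placeholders
    ctx.verify_mode = ssl.CERT_OPTIONAL   # ask for a client cert; verify it if sent
    if client_ca_file is not None:
        ctx.load_verify_locations(cafile=client_ca_file)
    return ctx


_PEER_CERT = {ssl.CERT_NONE: "not requested",
              ssl.CERT_OPTIONAL: "optional",
              ssl.CERT_REQUIRED: "required"}


def security_properties(ctx):
    """Summarise what a context actually enforces about the peer and protocol."""
    return {
        "min_version": ctx.minimum_version.name,
        "peer_cert": _PEER_CERT[ctx.verify_mode],
        "hostname_checked": ctx.check_hostname,
    }
```

Only the first client context authenticates the server; the second still encrypts but leaves the connection open to an impersonating peer, which is exactly the difference between "encryption" and "server authentication" in the list above.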