- 29 Nov 2024
SSL Cipher Suites
- Updated on 29 Nov 2024
SSL cipher suites can be used with SOAP and SEAL communicator modules. OneSpan Authentication Server supports SSL cipher suites defined under the security level labels Custom, Very High, High, Medium, and Low.
The security levels are applied to the following communication protocols:
- SOAP
- SEAL
- RADIUS (RADIUS/EAP-TTLS and RADIUS/PEAP only)
Default security levels for SSL cipher suites
For each communication interface of OneSpan Authentication Server, the SSL cipher suite security level is set by default (see Table: Default SSL cipher suite security levels for communication interfaces).
You can configure a communicator module that is enabled with SSL/TLS to use an SSL cipher security level other than the default by selecting Very High, High, Medium, or Low in the Configuration Utility. To do so, launch the Configuration Utility and navigate to Communicators. There, each communicator module (SOAP, RADIUS, SEAL) has its own tab where you can select an option from the SSL Cipher Suite Security Level drop-down list. Alternatively, you can configure the same setting via the Administration Web Interface.
Custom SSL cipher suites
A custom list of cipher suites can be defined specifically for OneSpan Authentication Server. The format of the list is defined by OpenSSL.
Each lower security level contains the cipher suites of every higher level, too. In the following table, only the cipher suites specific to each level are listed.
The cipher suite security levels define rules for which protocols, protocol versions, and algorithms are allowed at a specific level; the resulting cipher lists depend on the OpenSSL library. This means that even if a higher cipher suite level defines stricter rules than a lower one, the applicable ciphers may be the same.
For instance, Very High is stricter than High, but effectively both levels allow the same ciphers. In that case, it does not make a difference which cipher suite security level you select. The same is true for Medium and Low.
Blocked cipher suites
The OneSpan Authentication Server communication interfaces, when configured to use SSL/TLS, actively block certain cipher suites. All OneSpan Authentication Server components block any suite that meets the criteria listed below. This includes custom cipher suites: if a custom-defined cipher suite meets one of the criteria, the OneSpan Authentication Server components block it as well.
Criteria for cipher suites to be blocked:
- All cipher suites which do not offer encryption
- All cipher suites which do not offer authentication
- All export encryption algorithms
- Cipher suites defined by OpenSSL as low encryption
- All cipher suites which use MD5 as hashing algorithm
- All cipher suites that use pre-shared keys
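The following added example (not OneSpan code, and not the product's own blocking logic) shows one way to audit a custom cipher list against the criteria above before deploying it. It parses output in the column layout of `openssl ciphers -v` and reports which criteria each suite meets. The mapping of criteria to output fields is an assumption, the 64-bit threshold for "low encryption" follows the description of LOW in OpenSSL's ciphers documentation, and the sample lines are constructed.

```python
import re

# Constructed sample in the column layout printed by `openssl ciphers -v`.
SAMPLE = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(128)    Mac=SHA1
NULL-SHA                    SSLv3   Kx=RSA      Au=RSA  Enc=None        Mac=SHA1
ADH-AES128-SHA              SSLv3   Kx=DH       Au=None Enc=AES(128)    Mac=SHA1
RC4-MD5                     SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=MD5
PSK-AES128-CBC-SHA          SSLv3   Kx=PSK      Au=PSK  Enc=AES(128)    Mac=SHA1
DES-CBC-SHA                 SSLv3   Kx=RSA      Au=RSA  Enc=DES(56)     Mac=SHA1
EXP-RC4-MD5                 SSLv3   Kx=RSA(512) Au=RSA  Enc=RC4(40)     Mac=MD5 export
"""

FIELD = re.compile(r"(Kx|Au|Enc|Mac)=(\S+)")

def parse_line(line):
    """Split one `openssl ciphers -v` line into the fields the criteria need."""
    parts = line.split()
    fields = dict(FIELD.findall(line))
    bits = re.search(r"\((\d+)\)", fields.get("Enc", ""))
    return {"name": parts[0], "kx": fields.get("Kx", ""), "au": fields.get("Au", ""),
            "enc": fields.get("Enc", ""), "mac": fields.get("Mac", ""),
            "bits": int(bits.group(1)) if bits else 0,
            "export": "export" in parts[2:]}

def blocked_reasons(s):
    """Return the blocking criteria a parsed suite meets (assumed field mapping)."""
    reasons = []
    if s["enc"] == "None":
        reasons.append("no encryption")
    if s["au"] == "None":
        reasons.append("no authentication")
    if s["export"]:
        reasons.append("export")
    elif s["enc"] != "None" and s["bits"] <= 64:  # OpenSSL LOW excludes export suites
        reasons.append("low encryption")
    if s["mac"] == "MD5":
        reasons.append("MD5")
    if "PSK" in s["kx"] or s["au"] == "PSK":
        reasons.append("pre-shared key")
    return reasons

def audit(text):
    """Map each suite name to its list of criteria; an empty list means none matched."""
    return {s["name"]: blocked_reasons(s)
            for s in map(parse_line, filter(str.strip, text.splitlines()))}

if __name__ == "__main__":
    for name, reasons in audit(SAMPLE).items():
        print(f"{name:30} {', '.join(reasons) or 'ok'}")
```

To check a real list, run `openssl ciphers -v '<your list>'` on the host that runs the server and pass its output to `audit()`, since the expansion depends on the installed OpenSSL library.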
Cipher suites in OneSpan Authentication Server Administration Web Interface
The following cipher suites are accepted by the Administration Web Interface (if deployed on an Apache Tomcat server, i.e. the default deployment):
* Encryption of symmetric keys that are 128 bit or greater requires Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.