SSL Cipher Suites

SSL cipher suites can be used with SOAP and SEAL communicator modules. OneSpan Authentication Server supports SSL cipher suites defined under the security level labels Custom, Very High, High, Medium, and Low.

The security levels are applied to the following communication protocols:

• SOAP
• SEAL
• RADIUS (RADIUS/EAP-TTLS and RADIUS/PEAP only)

Default security levels for SSL cipher suites

For each communication interface of OneSpan Authentication Server, the SSL cipher suite security level is set by default (see Table: Default SSL cipher suite security levels for communication interfaces).

You can configure a communicator module that is enabled with SSL/TLS to use an SSL cipher security level other than the default level and select either Very High, High, Medium, or Low, via the Configuration Utility. To do so, launch the Configuration Utility and navigate to Communicators. There, each communicator module (SOAP, RADIUS, SEAL) has its own tab where you can select an option from the SSL Cipher Suite Security Level drop-down list. Alternatively, you can set this same setting via the Administration Web Interface.

To configure SSL cipher suite security level via the Administration Web Interface

1. Navigate to SYSTEM > Server Configuration.
2. Select the Communicators tab.
3. Click EDIT.
4. Expand the communicator module you wish to configure, then select an option from its SSL Cipher Suite Security Level drop-down list.
5. Click SAVE.

You can also set the SSL cipher suite security level for the Message Delivery Component (MDC).

Custom SSL cipher suites

A custom list of cipher suites can be defined specifically for OneSpan Authentication Server. The format of the list is defined by OpenSSL.

Each lower security level contains the cipher suites of every higher level, too. In the following table, only the cipher suites specific to each level are listed.

The cipher suite security levels define rules which protocols, protocol versions, and algorithms are allowed for a specific level, the resulting cipher lists depend on the OpenSSL library. This means that even if a higher cipher suite level defines stricter rules than a lower one, the applicable ciphers may be the same.

For instance, Very High is stricter than High, but effectively both levels allow the same ciphers. In that case, it does not make a difference, which cipher suite security level you select. The same is true for Medium and Low.

You can configure SSL to use one or multiple cipher suites from this list. Custom cipher suites are configured via the identikeyconfig.xml file, located at:

/etc/vasco/ias (Linux)

%PROGRAMFILES%\VASCO\IDENTIKEY Authentication Server\bin (Windows)

To configure SSL to use a custom cipher suite (via identikeyconfig.xml)

1. Open the OneSpan Authentication Server configuration file, i.e. identikeyconfig.xml.
2. Locate the settings group for the communicator module for which you want to specify a custom SSL cipher suite.
3. Within that settings group, locate the <SSL> settings group. Custom cipher suite settings (along with all other SSL settings) are defined here.
4. For Message Delivery Component, SEAL, RADIUS, or SOAP connections, specify the SSL cipher suite in the data attribute of the Supported-Cipher-Suite setting. For Live Audit Connections, specify the custom SSL cipher suite in the data attribute of the SecurityLevelsetting instead.

   For all types of connections, you can specify multiple cipher suites by listing them and separating them via colons.

The following example shows SEAL communicator module SSL details for a Windows system. The only difference with the configuration for a Linux system would be the directory paths:

 

<SealCommunicator>
<Enabled type="bool" data="true" />
<Display-Name type="string" data="" />
<Library-Path type="string" data="%PROGRAMFILES%\VASCO\IDENTIKEY
Authentication Server\bin\ikcommseal.dll" />
<DPX-Upload-Location type="string" data="%PROGRAMFILES%\VASCO\IDENTIKEY
Authentication Server\dpx\" />
<IP-Address type="string" data="10.2.12.9" />
<IP-Port type="unsigned" data="20004" /> 
<SSL>
<Enabled type="bool" data="true" />
<Server-Certificate type="string" data="%PROGRAMFILES%\VASCO\IDENTIKEY
Authentication Server\bin\ikey_seal_cert.pem" />
<Private-Key-Password type="string" data="ld90DH_oRgPsA6QGlaeVXx8=" />
<CA-Certificate-Store type="string" data="" />
<Client-Authentication-Method type="string" data="none" />
<Reverify-Client-On-Reconnect type="bool" data="false" />
<Supported-Cipher-Suite type="string" data="HIGH" />
<Learn-Certificates type="bool" data="true" />
<ServerCertificate />
<ClientCertVerification />
</SSL>
<Require-Client-Component type="bool" data="false" />
<DNS-Target type="bool" data="true" />
</SealCommunicator>

The tags and structure of the SSL settings here are similar to those used by RADIUS, SOAP, and MDC. The following example shows a sample SSL configuration for Live Audit Connection:

 

<Profile04>
<Enabled type="bool" data="true" />
<Type type="string" data="live" />
<Display-Name type="string" data="Live Audit Viewer" />
<Fail-On-Error type="bool" data="false" />
<Unhandled-Only type="bool" data="false" />
<Error type="bool" data="true" />
<Warning type="bool" data="true" />
<Info type="bool" data="true" />
<SecurityLevel type="string" data="HIGH" />
<Success type="bool" data="true" />
<Failure type="bool" data="true" />
<Plugincfg>
<IP-Address type="string" data="10.2.12.9" />
<Server-Port type="unsigned" data="20006" />
<Auth-Timeout type="unsigned" data="60" />
<Max-Connections type="unsigned" data="3" />
<SSL>
<Enabled type="bool" data="true" />
<ServerCertificate>
<CertFile type="string" data="%PROGRAMFILES%\VASCO\IDENTIKEY
Authentication Server\bin\ikey_audit_cert.pem" />
<Password type="string" data="ld90DH_oRgPsA6QGlaeVXx8=" />
</ServerCertificate>
<ClientCertVerification>
<CACertFile type="string" data="" />
<RequireCert type="string" data="none" />
<LearnCertificates type="bool" data="false" />
<ReverifyOnReconnect type="bool" data="false" />
</ClientCertVerification>
</SSL>
</Plugincfg>
</Profile04>

In the SEAL communicator module example, you can configure the SSL to use custom cipher suites by replacing the word HIGH in the following line:

<Supported-Cipher-Suite type="string" data="HIGH" />

Replace it with a single cipher, or a list of ciphers separated by a colon. For example:

<Supported-Cipher-Suite type="string" data="AES256-SHA:AES128-SHA" />

With the live audit connection example, replace the word HIGH with the custom ciphers in the following line instead:

<SecurityLevel type="string" data="HIGH"/>

Blocked cipher suites

The OneSpan Authentication Server communication interfaces, when configured to use SSL/TLS, will actively block certain cipher suites. All OneSpan Authentication Server components actively block the suites to which the criteria listed below apply. This also includes custom cipher suites, i.e. if the criteria also apply to custom-defined cipher suites, the OneSpan Authentication Server components will also actively block these suites.

Criteria for cipher suites to be blocked:

• All cipher suites which do not offer encryption
• All cipher suites which do not offer authentication
• All export encryption algorithms
• Cipher suites defined by OpenSSL as low encryption
• All cipher suites which use MD5 as hashing algorithm
• All cipher suites that use pre-shared keys

Cipher suites in OneSpan Authentication Server Administration Web Interface

The following cipher suites are accepted by the Administration Web Interface(if deployed on an Apache Tomcat server (i.e. the default deployment)):

* Encryption of symmetric keys that are 128 bit or greater require Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.