> > >> Just a note that TLS 1.2 cannot be implemented over UDP. To meet the TLS 1.2 spec, you must use TCP as it requires a connection-oriented protocol. UDP is connectionless - it provides no guarantee that the packet was received at the other end, and there is no guarantee that the packet received by the server originated with the sender IP address found in the UDP packet.
TCP requires a three-way handshake to ensure the connection is established, that the two parties to the connection are genuine, and to ensure that packets that are sent are received in the correct sequence. Once the connection is established over TCP, the client requests a secure connection with a list of supported ciphers and hashes. The server picks a cipher and hash and returns the choice to the client. Then the server provides a signed certificate to the client (usually signed by a third party certificate authority), which contains the server's public key. The client verifies the certificate and returns its public key to the server in an encrypted connection using the server's public key to encrypt the response (it is a little more complicated than that, but that is the gist of it in a nutshell). Once the key exchange is completed, data can be exchanged. TLS 1.2 is generally used to support encrypted data exchange when you do not have control over both the client and the server (which is typical for HTTPS or SMTPS). When UDP is used, it is more common to use symmetric keys for data exchange, such as AES 256 with a pre-shared key (PSK). This is the way encryption is implemented for UDP in OSSEC. AES 256 meets the requirements for HIPAA, PDI DSS 3.2, and DFARS (NIST 800-171). Of course, you can use symmetric key cryptography with TCP too. When public key cryptography is used for encryption, as provided through TLS 1.2, the specification of TLS 1.2 for HIPAA, PCI DSS, and other regulatory compliance is done to stop people from using earlier (flawed) versions of PKI, such as SSL 2, SSL 3, TLS 1.0, and TLS 1.1. While it is generally recommended not to "roll your own" cryptography, the open source OpenSSL library provides a complete set of wrapper functions through the EVP interface that make it easy to implement encryption for almost any cipher using C/C++ (Google for "openssl evp functions" for more info). Most mainstream programming languages provide libraries to support encryption protocols, including Python, Perl, Go, and many others. Hope this helps. Best, Dave Stoddard Network Alarm Corporation https://networkalarmcorp.com https://redgravity.net dgs at networkalarmcorp dot com -- --- You received this message because you are subscribed to the Google Groups "ossec-list" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. For more options, visit https://groups.google.com/d/optout.
