Selection of the Matching Encryption Algorithm
Each communication partner has a list of preferred ciphers defined in the encryption policy, with the most preferable cipher in first position of the list. The lists of both communication partners are compared and evaluated according to the following rules:
- For each list, the ciphers are taken from the first to the last and the matching cipher is searched in the other list until there is a match or the list ends.
- If there are two matching ciphers, the stronger one is used for the following session.
- If there is one matching cipher, this cipher is used for the following session.
- If no matching cipher was found, communication is not possible.
Example:
The cipher list of partner A contains: Triple-DES, AES-192, AES-128. The cipher list of partner B contains: AES-256, AES-128, Triple-DES, AES-192.
The system performs the following steps to identify matching ciphers:
- Go through the cipher list of partner A: The first entry, Triple-DES, is searched in the list of partner B. A match is found; Triple-DES is the first matching cipher.
- Go through the cipher list of partner B: The first entry, AES-256, is searched in the list of partner A. No match is found. The second entry, AES-128, is searched in the list of partner A. A match is found; AES-128 is the second matching cipher.
- The system considers AES-128 stronger than Triple-DES and uses this algorithm for the subsequent session.
Only the first two matches are considered; no further search and compare action is performed on the two cipher lists.
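The matching rules above as an added Python example (not code from the original documentation); the numeric strength ranking is an assumption, since the text only states that AES-128 is considered stronger than Triple-DES:

```python
from typing import Optional, Sequence

# Assumed relative strength (higher = stronger). The page only states that
# AES-128 ranks above Triple-DES; the rest of this ranking is constructed.
STRENGTH = {"Triple-DES": 1, "AES-128": 2, "AES-192": 3, "AES-256": 4}


def first_match(own: Sequence[str], other: Sequence[str]) -> Optional[str]:
    """Walk 'own' from most to least preferred and return the first cipher
    that also appears in the other partner's list, or None if the list ends."""
    other_set = set(other)
    for cipher in own:
        if cipher in other_set:
            return cipher
    return None


def select_cipher(list_a: Sequence[str], list_b: Sequence[str]) -> Optional[str]:
    """Apply the rules: one first match per direction, the stronger of the two
    is used; None means no common cipher, so communication is not possible."""
    match_a = first_match(list_a, list_b)   # A's list searched in B's
    match_b = first_match(list_b, list_a)   # B's list searched in A's
    candidates = [c for c in (match_a, match_b) if c is not None]
    if not candidates:
        return None
    # Unknown ciphers rank lowest so a misconfigured name never wins.
    return max(candidates, key=lambda c: STRENGTH.get(c, 0))


if __name__ == "__main__":
    # The lists from the example above
    partner_a = ["Triple-DES", "AES-192", "AES-128"]
    partner_b = ["AES-256", "AES-128", "Triple-DES", "AES-192"]
    print(select_cipher(partner_a, partner_b))   # AES-128
```

Because only the two first matches are compared, a stronger cipher common to both lists is ignored when neither partner places it ahead of a weaker common cipher, so the order of the policy lists, not just their contents, decides the session cipher.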