Transport Layer Security (TLS)Data Confidentiality using Standard and High Grade Encryption
TLS is an Internet Standard for providing data confidentiality. Along with the pages on SASL (Simple Authentication and Security Layer) and Strong Authentication, this page describes the infrastructure of the Isode products that use cryptography. TLS also provides strong authentication using X.509, which is described on the Strong Authentication page.
Isode TLS can use the following Cipher Suites:
|Cipher||Key Strength (Standard)||Key Strength (High Grade)|
|Triple DES||not supported||168 (112 effective)|
|AES||not supported||128, 256|
Where X.509 based authentication is used, the supported cryptographic are described in the Strong Authentication page. Diffie Hellman key exchange and SHA (Secure Hash Algorithm) may be used with Isode TLS, either in conjunction with X.509 based authentication or independently. Configuration of Isode TLS will select valid combinations of Cipher Suite and Authentication.
Standard and High Grade Encryption
Isode's products support data encryption at up to 56 bits, as shown in column 2 of the previous table.
High Grade versions of the Isode products are available, supporting the algorithms and key lengths shown in column 3 of the table above. Availability of these products is dependent on the country of end use, and controlled by UK Export regulations. Use in the European Union does not require an export license. Use in US, Canada, Australia, New Zealand, Japan, Switzerland and Norway is permitted under a standard export license. Use in all other countries requires an export license. Isode does not anticipate problems in obtaining an export license for reasonable use of the Isode products.
Isode products conform to the following standards:
- RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3, E. Rescoria, August 2018
- RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2, T. Dierks, E. Rescoria, August 2008
- RFC 3268: Advanced Encryption Standard (AES) Ciphersuites for Transport Layer Security (TLS)
Isode makes use of the OpenSSL package to provide TLS data confidentiality services. OpenSSL has FIPS 140-2 conformance which is a US government security standard for cryptographic modules. FIPS 140-2 is defined here.
This is a high quality package used by many commercial products. Isode would like to acknowledge the contribution from the authors of OpenSSL, and of the organizations that have funded work on these packages.
There is also a strong security benefit in using open source technology, particularly for the cryptographic components. Because the source is widely used and openly available, it has been subject to substantial peer review. This leads to a high confidence in the security of these products.
Isode tracks versions of OpenSSL, and in the event of security fixes to OpenSSL which may Impact Isode products, will release product updates.
Isode's TLS Support
Isode uses TLS in the following protocols and products:
- LDAP (M-Vault, Sodium Sync)
- SMTP, LMTP, SOM Isode protocol (M-Switch products)
- IMAP, POP3 (M-Box)
- XMPP (M-Link, Swiften XMPP Client Library)