Security Cipher Suites and Encryption Methods

Overview

The Remote Workstation Card exchanges information with several services while connecting to endpoint managers and PCoIP clients. Each communication type is described below, followed by the set of supported TLS cipher suites, Elliptic Curve Cryptography (ECC) curves, or encryption methods available to it.

Tip regarding elliptic curve encryption

Security strength in bits of elliptic curve encryption is ½ of the key size.

Examples:

  • If elliptic curve encryption uses the P-384 curve (which needs a 384-bit key), then the security strength is 384/2 = 192 bits.

  • If elliptic curve encryption uses the P-224 curve (which needs a 224-bit key), then the security strength is 224/2 = 112 bits.

For TLS client based connections, the cipher suite and ECC curve order of preference is determined by the TLS server the card connects to, such as the Management Console or an 802.1X RADIUS server. For TLS server based connections, the Remote Workstation Card is itself the TLS server, and its own preferred order of cipher suites and ECC curves applies. The three TLS server based communication types described below are Encrypting Browser Connections, Encrypting Endpoint Discovery, and Encrypting PCoIP Session Negotiation with PCoIP Clients.

TLS server based connections:

  • Encrypting Browser Connections

  • Encrypting Endpoint Discovery

  • Encrypting PCoIP Session Negotiation with PCoIP Clients

TLS client based connections:

  • Encrypting Endpoint Manager Administration

  • Encrypting RADIUS Server using EAP-TLS during 802.1X Authentication

Non-TLS based connections:

  • In-Session Encryption

  • Encryption in SCEP Requests

Encrypting Browser Connections

PCoIP Remote Workstation Cards allow a browser to connect to the Administrative Web Interface (AWI) over a secure connection. This is a TLS server controlled connection, so the cipher suites and curves below are listed in the card's order of preference. In this scenario, the Remote Workstation Card acts as the TLS server.

Session resumption using TLS session tickets

Session resumption using TLS session tickets, defined in RFC 5077, is supported and always enabled. The session ticket data is secured using AES-128-CBC for encryption and HMAC-SHA256 for integrity protection.

The cipher suite and ECC order of preference is listed in descending order where the first entry is the most preferred.

Supported cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curves:

  • NIST P-256

  • NIST P-384

  • NIST P-521

  • NIST P-224

Recommended Web Browsers

Recommended web browsers are Firefox, Chrome, and Edge.

Encrypting Endpoint Discovery

PCoIP Remote Workstation Cards that are not managed by an endpoint manager, such as the PCoIP Management Console, listen for incoming discovery requests only when the Management Security Level is set to Low. When an endpoint discovery request from an endpoint manager is received by the PCoIP Remote Workstation Card, communications between the endpoint manager and the PCoIP Remote Workstation Card are established securely using one of the supported cipher suites and ECC curves. In this scenario, the Remote Workstation Card acts as the TLS server.

The cipher suite and ECC order of preference is listed in descending order where the first entry is the most preferred.

Supported cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curves:

  • NIST P-256

  • NIST P-384

  • NIST P-521

  • NIST P-224

Encrypting PCoIP Session Negotiation with PCoIP Clients

PCoIP sessions are negotiated between the PCoIP Remote Workstation Card and the PCoIP client. A client can be a PCoIP Zero Client or a compatible PCoIP Software Client and communications are secured using either Maximum Compatibility or Suite B cipher suites. In this scenario, the Remote Workstation Card acts as the TLS server.

The cipher suite and ECC order of preference is listed in descending order where the first entry is the most preferred.

  • Maximum Compatibility: Connections to Zero Clients are limited to two of the common cipher suites and any compatible ECC curve.

    Supported cipher suites:

    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    Supported Elliptic Curves:

    • NIST P-256

    • NIST P-384

    • NIST P-521

    • NIST P-224

  • Suite B: Suite B can only be used for connections from PCoIP Zero Clients.

    Supported cipher suite:

    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

    Supported elliptic curve:

    • NIST P-384
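The following is an added worked example, not code from the Teradici documentation, of the server-preference negotiation the sections above describe: the card's cipher suite and curve lists from this page are used as the server side, two client offers are constructed for illustration (the X25519 curve and the SHA-1 CBC suites in them are assumptions about what a client might send, not values from this page), and the script reports which suite and curve the server selects together with the properties a defender checks for (forward secrecy, AEAD versus CBC, and the curve strength rule from the tip at the top of the page). The `negotiate()` function is the actual selection logic; the rest parses IANA suite names and classifies the outcome.

```python
"""
Added example (not Teradici's code): server-preference negotiation of TLS
cipher suites and ECC curves, using the preference lists this page gives for
the Remote Workstation Card as TLS server. Client offers are constructed.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Card-as-TLS-server preference lists from the page (most preferred first).
AWI_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
]
AWI_CURVES = ["P-256", "P-384", "P-521", "P-224"]
SUITE_B_SUITES = ["TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"]
SUITE_B_CURVES = ["P-384"]

# IANA-style suite names: TLS_<kx>[_<auth>]_WITH_<cipher>_<mode>_<hash>
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>ECDHE|DHE|RSA)_(?:(?P<auth>RSA|ECDSA)_)?WITH_"
    r"(?P<cipher>AES_128|AES_256)_(?P<mode>GCM|CBC)_(?P<hash>SHA256|SHA384|SHA)$"
)


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str        # key exchange; ECDHE gives forward secrecy
    auth: str      # certificate signature algorithm (RSA or ECDSA)
    cipher: str    # AES_128 or AES_256
    mode: str      # GCM (AEAD) or CBC (MAC-then-encrypt, legacy)
    prf_hash: str  # PRF / HMAC hash

    @property
    def aead(self) -> bool:
        return self.mode == "GCM"

    @property
    def forward_secrecy(self) -> bool:
        return self.kx == "ECDHE"


def parse_suite(name: str) -> Suite:
    """Split an IANA cipher suite name into its components."""
    m = SUITE_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised cipher suite name: {name}")
    # TLS_RSA_WITH_... uses the RSA key for both exchange and authentication.
    return Suite(name, m["kx"], m["auth"] or m["kx"],
                 m["cipher"], m["mode"], m["hash"])


def negotiate(server_pref: list, client_offer: list) -> Optional[str]:
    """Server-preference selection: walk the *server's* list and take the
    first entry the client also offered; the client's own order is ignored."""
    offered = set(client_offer)
    for item in server_pref:
        if item in offered:
            return item
    return None


def ecc_strength_bits(curve: str) -> int:
    """Security strength of a NIST P-curve per the page's rule of thumb:
    half the curve size (P-384 -> 192 bits, P-224 -> 112 bits)."""
    return int(curve.split("-")[1]) // 2


def assess(server_suites, server_curves, client_suites, client_curves) -> dict:
    """Run both negotiations and summarise the security properties of the
    result, or report why the handshake would fail instead of downgrading."""
    suite_name = negotiate(server_suites, client_suites)
    curve = negotiate(server_curves, client_curves)
    if suite_name is None or curve is None:
        return {"ok": False,
                "reason": "no cipher suite in common" if suite_name is None
                else "no ECC curve in common"}
    s = parse_suite(suite_name)
    return {"ok": True, "suite": suite_name, "curve": curve,
            "forward_secrecy": s.forward_secrecy, "aead": s.aead,
            "ecdh_strength_bits": ecc_strength_bits(curve)}


# Constructed client hellos (illustrative, not captured from real clients).
MODERN_BROWSER = (
    ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",   # client would prefer AES-256,
     "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],  # but the card's order wins
    ["X25519", "P-256", "P-384"],
)
LEGACY_CLIENT = (
    ["TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",      # only SHA-1 CBC suites offered
     "TLS_RSA_WITH_AES_128_CBC_SHA"],
    ["P-256"],
)

if __name__ == "__main__":
    print("AWI, modern browser :", assess(AWI_SUITES, AWI_CURVES, *MODERN_BROWSER))
    print("AWI, legacy client  :", assess(AWI_SUITES, AWI_CURVES, *LEGACY_CLIENT))
    print("Suite B zero client :", assess(SUITE_B_SUITES, SUITE_B_CURVES,
                                          SUITE_B_SUITES, ["P-384"]))
```

Running it shows the point of server preference: the browser lists AES-256-GCM first, but the card selects TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 over P-256 because that is the first entry in its own list. The legacy client shares no suite with the AWI list and the handshake fails outright; the same client would succeed against the EAP-TLS list further down, which still includes the SHA-1 CBC suites, and `assess()` would then report `aead: False` so that the weaker outcome is visible.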

Encrypting Endpoint Manager Administration

Once an endpoint manager discovers a PCoIP Remote Workstation Card, it uses the PCoIP Management Protocol to administer the endpoint. Communications between endpoint managers and PCoIP Remote Workstation Cards are secured using one of the supported cipher suites. This is a TLS client based connection.

Supported cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curves:

  • NIST P-256

  • NIST P-384

  • NIST P-521

  • NIST P-224

Encrypting RADIUS Server using EAP-TLS during 802.1X Authentication

In environments that have implemented an 802.1X RADIUS server, the endpoint authenticates to the RADIUS server over EAP-TLS using the cipher suites and curves below. This is a TLS client based connection: the RADIUS server is the TLS server and determines the order of preference.

Supported cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

Supported Elliptic Curves:

  • NIST P-256

  • NIST P-384

  • NIST P-521

  • NIST P-224

In-Session Encryption

Once a PCoIP session has been negotiated and the connection established, PCoIP Remote Workstation Cards encrypt the session data using the AES-256-GCM encryption algorithm. This algorithm secures all PCoIP communications during an active PCoIP session.

Supported Session Algorithm:

  • AES-256-GCM

Encryption in SCEP Requests

Endpoint SCEP requests do not use a TLS connection. The Tera2 endpoint generates its own 3072-bit SCEP RSA private key when certificates other than Peer-to-peer Suite B certificates are requested. For Peer-to-peer Suite B certificates, the endpoint generates its own ECC P-384 SCEP private key.

The private key is used to construct parts of the PKCS#10-formatted certificate request, which is then delivered to the SCEP server. The public key from the SCEP server's Registration Authority (RA) RSA certificate is used to encrypt the certificate request itself, so the SCEP challenge password is protected because it is carried inside the encrypted request.

The following cryptographic algorithms are used to generate a SCEP request:

  • Content Key Encryption Algorithm: RSAES-OAEP

  • Hash Algorithm: SHA384

  • Content Encryption Algorithm: AES-256-CBC