Security Cipher Suites

The Remote Workstation Card exchanges information with several services while connecting to endpoint managers, connection managers, and PCoIP clients. Each communication phase is described below, followed by the set of cipher algorithms supported in that phase.

The minimum TLS Security Mode for Maximum Compatibility and Suite B across all endpoint session types has been updated to:

  • Maximum Compatibility: TLS 1.2 or higher with 112-bit or higher elliptic curve encryption.

  • Suite B: TLS 1.2 or higher with Suite B-compliant 192-bit elliptic curve encryption.

Tip regarding elliptic curve encryption

Security strength in bits of elliptic curve encryption is ½ of the key size.

Examples:

  • If elliptic curve encryption uses the P-384 curve (which needs a 384-bit key), then the security strength is 384/2 = 192 bits.

  • If elliptic curve encryption uses the P-224 curve (which needs a 224-bit key), then the security strength is 224/2 = 112 bits.

TLS connections have a preferred order of cipher suites and Elliptic Curve Cryptography (ECC) curves that is determined by the TLS server when the connection is TLS server based. TLS client based connections have no order of preference. The two TLS server based communication phases described below are Encrypting Browser Connections and Encrypting Endpoint Discovery.
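As an added illustration (not part of the Teradici documentation), the following Python models the tip above and the server-preferred negotiation just described: it derives EC security strength from the listed NIST curves, reports which TLS Security Mode a negotiated version/suite/curve combination satisfies, and picks the suite a TLS server based phase would select from its preference list. The AWI preference order is assumed to be the order in which the page lists the suites; MODE_POLICY and the function names are this example's own.

```python
import re
from typing import List, Optional

# Curves and modes as named on the page; thresholds are the page's minimums.
NIST_CURVE_BITS = {"P-224": 224, "P-256": 256, "P-384": 384, "P-521": 521}
MODE_POLICY = {  # minimum TLS version and EC security strength per mode
    "Maximum Compatibility": {"min_tls": (1, 2), "min_strength": 112},
    "Suite B": {"min_tls": (1, 2), "min_strength": 192},
}
SUITE_B_SUITE = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"  # Zero Client Suite B
# AWI suites in the order the page lists them, assumed here to be server preference.
AWI_SERVER_PREFERENCE = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
]

def ec_security_strength(curve: str) -> int:
    """Security strength in bits of a NIST curve: half of its key size."""
    name = curve.replace("NIST ", "").strip()
    if name not in NIST_CURVE_BITS:
        raise ValueError(f"unknown curve: {curve}")
    return NIST_CURVE_BITS[name] // 2

def parse_tls_version(text: str) -> tuple:
    """'TLSv1.2' or 'TLS 1.2' -> (1, 2); tuples compare like versions."""
    match = re.search(r"(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"bad TLS version: {text}")
    return (int(match.group(1)), int(match.group(2)))

def satisfied_modes(tls_version: str, cipher_suite: str, curve: str) -> List[str]:
    """TLS Security Modes met by a negotiated (version, suite, curve) triple."""
    version, strength = parse_tls_version(tls_version), ec_security_strength(curve)
    modes = []
    for mode, policy in MODE_POLICY.items():
        if version < policy["min_tls"] or strength < policy["min_strength"]:
            continue  # below the mode's TLS version or EC strength floor
        if mode == "Suite B" and not (cipher_suite == SUITE_B_SUITE
                                      and curve.endswith("P-384")):
            continue  # Suite B is tied to the one suite/curve pair listed
        modes.append(mode)
    return modes

def select_suite(server_preference: List[str], client_offer: List[str]) -> Optional[str]:
    """TLS server based phase: the server's order decides, not the client's."""
    offered = set(client_offer)
    return next((s for s in server_preference if s in offered), None)
```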

The following sections describe the communication phases used when establishing a PCoIP session, and list each phase's supported cipher suites and supported ECC curves.

Encrypting Browser Connections

PCoIP Remote Workstation Cards allow a browser to connect to the Administrative Web Interface (AWI) over a secure connection. This connection is a TLS server controlled connection and thus the order of the listed ECC Curves is important.

Secure Cipher Suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curve:

  • NIST P-256

  • NIST P-384

  • NIST P-521

  • NIST P-224

Recommended Web Browsers

Recommended web browsers are Firefox, Chrome, Internet Explorer 11, and Edge.

Minimum SSL Version

These secure connections require Transport Layer Security (TLS) 1.2 compliant browsers.

Encrypting Endpoint Discovery

PCoIP Remote Workstation Cards that are not managed by an endpoint manager, such as the PCoIP Management Console, listen for incoming discovery requests.

When an endpoint discovery request from an endpoint manager is received by the PCoIP Remote Workstation Card, communications between the endpoint manager and the PCoIP Remote Workstation Card are established securely using one of the supported cipher suites and ECC curves.

This connection is a TLS server controlled connection and thus the order of the listed ECC Curves is important.

Secure Cipher Suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curve:

  • NIST P-256

  • NIST P-384

  • NIST P-521

  • NIST P-224

Minimum SSL Version

There is a minimum requirement of TLS 1.2.

Encrypting Pre-Session Communications with PCoIP Connection Managers or Brokering Agents

Before a PCoIP session is negotiated with a PCoIP host using a PCoIP Connection Manager or brokering agent, each user is authenticated and then selects a desktop from a list of authorized resources. To complete this authentication process, the PCoIP Remote Workstation Card uses a cipher suite to securely communicate with a PCoIP Connection Manager, Remote Workstation Card Broker Agent or Cloud Access Manager broker agent over port 443.

Secure Cipher Suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curve:

  • NIST P-256

  • NIST P-384

  • NIST P-521

  • NIST P-224

System Configuration Requirements

These cipher suites can only be configured at the host, and have a minimum requirement of TLS 1.1.

Encrypting PCoIP Session Negotiation with PCoIP Clients

After user authentication and resource selection, PCoIP sessions are negotiated between the PCoIP Remote Workstation Card and the PCoIP client. A client can be a PCoIP Zero Client or a Teradici Software Client for Windows or Linux. Secure negotiations take place before the PCoIP session is established, and are secured using either Maximum Compatibility or Suite B (Zero Client only) cipher suites.

Secure Cipher Suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curve:

  • NIST P-256

  • NIST P-384

  • NIST P-521

  • NIST P-224

Connections to PCoIP Zero Client

Connections to PCoIP Zero Clients use a subset of the common cipher suites.

  • Maximum Compatibility: Maximum Compatibility cipher suites allow secure negotiation using any of the common cipher suites to offer flexibility for your network security requirements.

    Connections to Zero Clients are limited to two of the common cipher suites and any compatible ECC.

    Supported cipher suites:

    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    Supported Elliptic Curves (no order of preference):

    • NIST P-256

    • NIST P-384

    • NIST P-521

    • NIST P-224

  • Suite B: Suite B applies only to PCoIP Zero Client connections. It offers the greatest security for negotiating session connections with a PCoIP client and uses one of the common cipher security suites.

    Supported cipher suite:

    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

    Supported elliptic curve:

    • NIST P-384

Minimum SSL Version

There is a minimum requirement of TLS 1.2.

Encrypting Endpoint Manager Administration

Once an endpoint manager discovers a PCoIP Remote Workstation Card, it uses the PCoIP Management Protocol to administer the endpoint. Communications between endpoint managers and PCoIP Remote Workstation Cards are secured using one of the supported cipher suites.

Supported cipher suites:

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curve:

  • NIST P-256

  • NIST P-384

  • NIST P-521

  • NIST P-224

Minimum SSL Version

There is a minimum requirement of TLS 1.1.

Encrypting RADIUS Server using EAP-TLS during 802.1x Authentication

In environments that have implemented an 802.1x RADIUS server, the RADIUS server uses the following secure communications to authenticate the endpoint.

Supported cipher suites:

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curve:

  • NIST P-256

  • NIST P-384

  • NIST P-521

  • NIST P-224

Encrypting Pre-Session Communications with VMware Horizon Environments

Before a PCoIP session is negotiated with a PCoIP host in a VMware Horizon environment, each user is authenticated and then selects a desktop from a list of authorized resources. To complete this authentication process, the PCoIP Zero Client communicates with a Horizon Connection Server over port 443 using one of the supported cipher suites.

Supported cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA


System Configuration Requirements

These cipher suites can only be configured at the host, and have a minimum requirement of TLS 1.1.

Supported Elliptic Curve:

  • NIST P-384

Minimum TLS version

Suite B: TLS 1.2 or higher with Suite B-compliant 192-bit elliptic curve encryption.

In-Session Encryption

Once a PCoIP session has been negotiated and the connection established, PCoIP Remote Workstation Cards encrypt the session data using the AES-256-GCM encryption algorithm. This algorithm secures all PCoIP communications during an active PCoIP session.

Supported Session Algorithm:

  • AES-256-GCM