Security Cipher Suites

The PCoIP Zero Client exchanges information with several services while connecting to endpoint managers, connection managers, and PCoIP hosts. The various communication phases are described followed by the set of supported cipher algorithms available to each phase.

The minimum TLS Security Mode for Maximum Compatibility and Suite B across all Zero Client session types has been updated to:

  • Maximum Compatibility: TLS 1.2 or higher with 112-bit or higher elliptic curve encryption.

  • Suite B: TLS 1.2 or higher with Suite B-compliant 192-bit elliptic curve encryption.

Tip regarding elliptic curve encryption

Security strength in bits of elliptic curve encryption is ½ of the key size.

Examples:

  • If elliptic curve encryption uses the P-384 curve (which needs a 384-bit key), then the security strength is 384/2 = 192 bits.

  • If elliptic curve encryption uses the P-224 curve (which needs a 224-bit key), then the security strength is 224/2 = 112 bits.

TLS connections have a preferred order of cipher suites and Elliptic Curve Cryptography (ECC) curves that is determined by the TLS server when the connection is TLS server based. Client based connections have no order of preference. The two TLS server based communication phases described below are Encrypting Browser Connections and Encrypting Endpoint Discovery.

The following sections describe the communication phases used when establishing a PCoIP session, and list the cipher suites and ECC curves each phase supports.
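
To make the two mode definitions and the strength rule of thumb above concrete, the following Python is an added example for this page; it is not Teradici/HP code and not part of the Zero Client firmware. The TLS 1.2 floor, the 112-bit and 192-bit strength minimums, the four common cipher suites and the Suite B suite and curve are taken from this page; the function names, the version-label parser and the constructed sample handshakes are the example's own assumptions.

```python
"""Check a negotiated handshake against the two Zero Client security modes.

Added example for this page, not Teradici/HP code. The TLS floor, the curve
strength rule and the Suite B suite/curve are taken from the page; the
function names and the sample handshakes at the bottom are the example's own.
"""

# NIST prime curves listed on the page, with their key sizes in bits.
CURVE_KEY_BITS = {"P-224": 224, "P-256": 256, "P-384": 384, "P-521": 521}

# Both modes require TLS 1.2 or higher.
MIN_TLS = (1, 2)

# Minimum ECC security strength in bits per mode, as stated on the page.
MIN_STRENGTH = {"Maximum Compatibility": 112, "Suite B": 192}

# Maximum Compatibility negotiates with any of the four common suites.
COMMON_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
}

# Suite B on this page is one cipher suite on one curve.
SUITE_B_CIPHER = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
SUITE_B_CURVE = "P-384"


def ecc_security_bits(curve: str) -> int:
    """Security strength by the page's rule of thumb: half the key size.

    Integer division gives 260 for P-521; NIST SP 800-57 rates that curve at
    256 bits, so the rule is an approximation at the top end of the list.
    """
    return CURVE_KEY_BITS[curve] // 2


def parse_tls_version(label: str) -> tuple:
    """Turn 'TLSv1.2', 'TLS 1.1' or 'TLSv1' into a comparable (major, minor)."""
    digits = label.upper().replace("TLSV", "").replace("TLS", "").strip()
    major, _, minor = digits.partition(".")
    return int(major), int(minor or 0)


def check_mode(mode: str, tls_version: str, cipher: str, curve: str) -> list:
    """Return the reasons a handshake fails `mode`; an empty list means compliant."""
    if mode not in MIN_STRENGTH:
        raise ValueError(f"unknown mode {mode!r}")
    problems = []
    if parse_tls_version(tls_version) < MIN_TLS:
        problems.append(f"{tls_version} is below the TLS 1.2 minimum")
    if curve not in CURVE_KEY_BITS:
        problems.append(f"{curve} is not a supported NIST curve")
    else:
        strength = ecc_security_bits(curve)
        if strength < MIN_STRENGTH[mode]:
            problems.append(
                f"{curve} gives {strength}-bit strength, below the "
                f"{MIN_STRENGTH[mode]}-bit floor"
            )
    if mode == "Suite B":
        if cipher != SUITE_B_CIPHER:
            problems.append(f"{cipher} is not the Suite B cipher suite")
        if curve != SUITE_B_CURVE:
            problems.append(f"Suite B requires {SUITE_B_CURVE}, got {curve}")
    elif cipher not in COMMON_SUITES:
        problems.append(f"{cipher} is not one of the common cipher suites")
    return problems


if __name__ == "__main__":
    # Constructed handshakes, not captured from a device.
    samples = [
        ("Maximum Compatibility", "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "P-224"),
        ("Suite B", "TLSv1.2", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "P-224"),
        ("Suite B", "TLSv1.2", SUITE_B_CIPHER, SUITE_B_CURVE),
        ("Maximum Compatibility", "TLSv1.1", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "P-256"),
    ]
    for sample in samples:
        print(sample, "->", check_mode(*sample) or "compliant")
```

Note that P-224 passes Maximum Compatibility only because the page's floor is exactly 112 bits; the same handshake fails Suite B on strength, cipher suite and curve at once, which is why the function returns every reason rather than the first one.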

Encrypting Browser Connections

PCoIP Zero Clients allow a browser to connect to the Administrative Web Interface (AWI) over a secure connection. This connection is a TLS server controlled connection and thus the order of the listed ECC Curves is important.

Secure Cipher Suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curves in order of preference:

  • NIST P-256 (most preferred)

  • NIST P-384

  • NIST P-521

  • NIST P-224

Minimum TLS version

This TLS server based connection requires TLS 1.2 or higher with 112-bit or higher elliptic curve encryption. The Elliptic Curve Cryptography (ECC) cipher suite curve preference is determined by the TLS server.

Recommended web browsers

Recommended web browsers are Firefox, Chrome, and Edge.

Minimum SSL Version

These secure connections require Transport Layer Security (TLS) 1.2 compliant browsers.
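
A practitioner will usually want to confirm what the AWI actually negotiates rather than rely on the list alone. The following Python is an added example for this page, not code from the page or from Teradici/HP: it parses the summary that `openssl s_client -connect <zero-client-address>:443 -tls1_2` prints (the `Protocol`, `Cipher` and `Server Temp Key` lines), maps OpenSSL's cipher names back to the IANA names used in this section, and compares the result with the suite and curve lists above. It also illustrates the server-preference rule from the introduction by predicting which curve a TLS server based phase picks from a client's offer. The transcripts embedded in the block are constructed, not captured from a device, and the function names are the example's own.

```python
"""Audit what a TLS-server-based Zero Client phase actually negotiated.

Added example for this page, not Teradici/HP code. It reads the summary that
`openssl s_client -connect <zero-client-address>:443 -tls1_2` prints (the
`Protocol`, `Cipher` and `Server Temp Key` lines), maps OpenSSL's cipher names
to the IANA names used on this page, and compares the result with the Browser
Connections lists. The transcripts below are constructed, not captured.
"""
import re

# IANA cipher suite names the page lists for this phase.
SUPPORTED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
}

# The AWI's curve preference from the page, most preferred first.
SERVER_CURVE_PREFERENCE = ["P-256", "P-384", "P-521", "P-224"]

# OpenSSL's own names for suites that can appear on a Cipher line.
OPENSSL_TO_IANA = {
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-RSA-AES256-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-RSA-AES128-SHA": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "ECDHE-RSA-AES256-SHA": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}

# Different OpenSSL versions print either the NIST or the SECG curve name.
CURVE_ALIASES = {
    "secp224r1": "P-224", "prime256v1": "P-256", "secp256r1": "P-256",
    "secp384r1": "P-384", "secp521r1": "P-521",
}


def parse_s_client(output: str) -> dict:
    """Extract protocol, IANA cipher name and NIST curve from s_client output."""
    proto = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    cipher = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    key = re.search(r"^Server Temp Key:\s*(\w+),\s*([\w-]+),\s*(\d+) bits", output, re.M)
    openssl_name = cipher.group(1) if cipher else None
    seen = {
        "protocol": proto.group(1) if proto else None,
        "cipher": OPENSSL_TO_IANA.get(openssl_name, openssl_name),
        "curve": None,
    }
    # Only an ECDH temp key carries a curve; DH or X25519 lines do not match.
    if key and key.group(1) == "ECDH":
        seen["curve"] = CURVE_ALIASES.get(key.group(2), key.group(2))
    return seen


def audit(output: str) -> list:
    """Findings where the negotiated parameters fall outside the page's lists."""
    seen = parse_s_client(output)
    findings = []
    if seen["protocol"] not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"protocol {seen['protocol']} is below the TLS 1.2 minimum")
    if seen["cipher"] not in SUPPORTED_SUITES:
        findings.append(f"cipher {seen['cipher']} is not in the supported list")
    if seen["curve"] not in SERVER_CURVE_PREFERENCE:
        findings.append(f"curve {seen['curve']} is not a supported NIST curve")
    return findings


def expected_curve(client_offer):
    """Curve a TLS-server-based phase picks: the server's first preference the
    client also offers. Client-based phases have no such order."""
    for curve in SERVER_CURVE_PREFERENCE:
        if curve in client_offer:
            return curve
    return None


# Constructed s_client transcript of a compliant handshake (abridged).
COMPLIANT_OUTPUT = """\
CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Server Temp Key: ECDH, P-256, 256 bits
---
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""

# Constructed transcript of a handshake outside the page's lists.
WEAK_OUTPUT = """\
New, TLSv1.1, Cipher is ECDHE-RSA-AES128-SHA
Server Temp Key: ECDH, prime256v1, 256 bits
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES128-SHA
"""

if __name__ == "__main__":
    print(audit(COMPLIANT_OUTPUT) or "compliant")
    print(audit(WEAK_OUTPUT))
    print(expected_curve(["P-521", "P-384", "P-256"]))
```

Running `openssl s_client` with `-cipher` or `-curves` restricted to one value at a time is a simple way to enumerate everything the AWI accepts, and feeding each transcript through `audit` flags any suite or curve that is not on this page's list. The `expected_curve` result shows the consequence of the server deciding the order: a browser that offers P-521 first still ends up on P-256 because the AWI prefers it.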

Encrypting Endpoint Discovery

PCoIP Zero Clients that are not managed by an endpoint manager, such as the PCoIP Management Console, listen for incoming discovery requests.

When an endpoint discovery request from an endpoint manager is received by the PCoIP Zero Client, communications between the endpoint manager and the PCoIP Zero Client are established securely using one of the supported cipher suites and ECC curves.

This connection is a TLS server controlled connection and thus the order of the listed ECC Curves is important.

Secure Cipher Suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curves in order of preference:

  • NIST P-256 (most preferred)

  • NIST P-384

  • NIST P-521

  • NIST P-224

Minimum TLS version

This TLS server based connection requires TLS 1.2 or higher with 112-bit or higher elliptic curve encryption. The Elliptic Curve Cryptography (ECC) cipher suite curve preference is determined by the TLS server.

Encrypting Pre-Session Amazon WorkSpaces Regional Code Lookup

Direct connections from a Zero Client to an Amazon WorkSpace require a secure regional code lookup. The common cipher suites are used to perform the regional code lookup before the connection to Amazon WorkSpaces is established.

Secure Cipher Suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curve:

  • NIST P-256

  • NIST P-384

  • NIST P-521

  • NIST P-224

Encrypting Connections to Environments Using Smart Cards with OneSign Server

Environments that have implemented OneSign servers to use smart card security solutions require a secure connection to the smart card server.

Secure Cipher Suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curve:

  • NIST P-256

  • NIST P-384

  • NIST P-521

  • NIST P-224

Encrypting Pre-Session Communications with PCoIP Connection Managers or Brokering Agents

Before a PCoIP session is negotiated with a PCoIP host using a PCoIP Connection Manager or brokering agent, each user is authenticated and then selects a desktop from a list of authorized resources. To complete this authentication process, the PCoIP Zero Client uses a cipher suite to securely communicate with a PCoIP Connection Manager, Remote Workstation Card Broker Agent or Cloud Access Manager broker agent over port 443.

Secure Cipher Suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curve:

  • NIST P-256

  • NIST P-384

  • NIST P-521

  • NIST P-224

Connections to Remote Workstation Card

Connections to Remote Workstation Card use a subset of the common cipher suites.

Encrypting PCoIP Session Negotiation with PCoIP Hosts

After user authentication and resource selection, PCoIP sessions are negotiated between the PCoIP Zero Client and the PCoIP host. A host can be a PCoIP Remote Workstation Card, Cloud Access Software Agent, or Amazon WorkSpace instance. Secure negotiations take place before the PCoIP session is established, and are secured using either Maximum Compatibility or Suite B (Remote Workstation Card only) cipher suites.

Secure Cipher Suites:

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curve:

  • NIST P-256

  • NIST P-384

  • NIST P-521

  • NIST P-224

Connections to Remote Workstation Card

Connections to Remote Workstation Card use a subset of the common cipher suites.

  • Maximum Compatibility: Maximum Compatibility cipher suites allow secure negotiation using any of the common cipher suites to offer flexibility for your network security requirements.

    Connections to Remote Workstation Cards are limited to two of the common cipher suites and any compatible ECC.

    Supported cipher suites:

    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

    • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

    Supported Elliptic Curves (no order of preference):

    • NIST P-256

    • NIST P-384

    • NIST P-521

    • NIST P-224

  • Suite B: Suite B applies only to Remote Workstation Card connections. It offers the greatest security for negotiating session connections with a PCoIP client and uses one of the common cipher suites.

    Supported cipher suite:

    • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

    Supported elliptic curve:

    • NIST P-384

Minimum SSL Version

There is a minimum requirement of TLS 1.2.

Encrypting Endpoint Manager Administration

Once an endpoint manager discovers a PCoIP Zero Client, it uses the PCoIP Management Protocol to administer the endpoint. Communications between endpoint managers and PCoIP Zero Clients are secured using one of the supported cipher suites.

Supported cipher suites:

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curve:

  • NIST P-256

  • NIST P-384

  • NIST P-521

  • NIST P-224

Minimum SSL Version

There is a minimum requirement of TLS 1.1.

Encrypting RADIUS Server Connections Using EAP-TLS During 802.1X Authentication

In environments that have implemented an 802.1X RADIUS server, the RADIUS server authenticates the endpoint over EAP-TLS using one of the following cipher suites and curves.

Supported cipher suites:

  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curve:

  • NIST P-256

  • NIST P-384

  • NIST P-521

  • NIST P-224

Encrypting Pre-Session Communications with VMware Horizon Environments

Before a PCoIP session is negotiated with a PCoIP host in a VMware Horizon environment, each user is authenticated and then selects a desktop from a list of authorized resources. To complete this authentication process, the PCoIP Zero Client communicates with a Horizon Connection Server over port 443 using one of the supported cipher suites.

Supported cipher suites:

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Supported Elliptic Curve:

  • NIST P-256

  • NIST P-384

  • NIST P-521

  • NIST P-224

System Configuration Requirements

These cipher suites can only be configured at the host, and have a minimum requirement of TLS 1.1.

In-Session Encryption

Once a PCoIP session has been negotiated and the connection established, PCoIP Zero Clients encrypt the session data using the AES-256-GCM encryption algorithm. This algorithm secures all PCoIP communications during an active PCoIP session.

Supported Session Algorithm:

  • AES-256-GCM