Menu
SslStream is supposed to negotiate the cipher type, key length, hash algorithm, etc. with its peer SSL stack. When using it in my code, I find that the negotiation always defaults to RC4 & MD5. I would like to use 3DES or AES for some added security.
Looking around the web I find only a few references to this problem and no solutions; one poster is claiming this actually makes sense, since the lowest common denominator between the two stacks is secure while has the added benefit of being faster/using less CPU resources. While this may be technically correct, my particular trade-off between complexity and cost lies elsewhere (I prefer to use AES with a long key).
If anyone can help I'd appreciate it.
423
SSLStream uses Schannel that is supplied with the operating system. The suites are listed in the default order in which they are chosen by the Microsoft Schannel Provider for :
Windows Vista:
RSA WITH AES_128 CBC SHA
RSA WITH AES_256 CBC SHA
RSA WITH RC4_128 SHA...
Windows XP:
RSA WITH RC4 128 MD5
RSA WITH RC4 128 SHARSA WITH 3DES CBC SHA
....
You can also modify the list of cipher suites by configuring the SSL Cipher Suite Order group policy settings using the Group Policy Object snap-in in Microsoft Management Console (Windows Vista)
But the issue is that Windows XP doesn't include AES in the list of ciphers available for SSLStream. However, it's possible to change Registry settings in Windows XP: HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy 1 for getting 3DES cipher.
109
You can select which protocols are available for selection by making some simple registry changes. We remove the ability to select RC4, for example. You only need to make the change at one end of the connection (eg server) because the client and server negotiate to find commonly supported algorithm
http://msdn.microsoft.com/en-us/library/ms925716.aspx
Best wishes James
35
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
