Cipher suites

Cipher suites are combinations of cryptographic parameters that define the security algorithms and key sizes.

Guardium® uses operating system level ciphers for many different purposes, such as:
  • GIM agent
  • SSH
  • S-TAP® agents (both Windows and Linux®)
  • Guardium inspection core (that is, the Guardium sniffer)

Use the show ssl_ciphers CLI command to view the ciphers configured for the sniffer. For example:

my.example.com> show ssl_ciphers

Sample output:

The inspection core is using the DEFAULT ciphers: AES256-SHA,AES128-SHA
ok

To change the SSL ciphers, use the store ssl_ciphers CLI command.

For more information, see the store ssl_ciphers command in Configuration and control CLI commands.

Note: If you run Linux or UNIX, use the nmap -sV --script ssl-enum-ciphers -p <port_number> <appliance> command to list all of the ciphers available on the Guardium appliance.

For a list of the ports that Guardium uses, see Guardium port requirements.

Hashing user passwords

Guardium uses the following algorithm to hash user passwords:

  • PBKDF2-SHA512

GUI encryption ciphers

To view and manage the ciphers that are used between clients and servers in the Guardium GUI, use the show ssl_gui_ciphers CLI command. For example,

my.example.com> show ssl_gui_ciphers
1. SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
2. SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA256
3. SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA384
4. SSL_ECDHE_RSA_WITH_AES_128_GCM_SHA256
5. SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
6. SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
7. SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA384
8. SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
9. SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
10. SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
11. SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
12. SSL_ECDH_ECDSA_WITH_AES_256_CBC_SHA
13. SSL_ECDH_RSA_WITH_AES_256_CBC_SHA
14. SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
15. SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA256
16. SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
17. SSL_ECDH_RSA_WITH_AES_128_CBC_SHA256
18. SSL_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
19. SSL_ECDHE_RSA_WITH_AES_128_CBC_SHA
20. SSL_ECDH_ECDSA_WITH_AES_128_CBC_SHA
21. SSL_ECDH_RSA_WITH_AES_128_CBC_SHA
ok

For more information about the ssl_gui_ciphers commands, see delete ssl_gui_ciphers and restore ssl_gui_ciphers in Configuration and control CLI commands.
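
A saved copy of the show ssl_gui_ciphers listing can be reviewed offline before deciding which entries to delete. The following Python script is an added example, not IBM or Guardium code: it parses the numbered listing and annotates each suite. The review criteria (forward secrecy, CBC mode, SHA-1 HMAC) and the shortened sample capture are assumptions of this example.

```python
import re

# Constructed sample: a shortened capture of `show ssl_gui_ciphers` output
SAMPLE = """\
my.example.com> show ssl_gui_ciphers
1. SSL_ECDHE_RSA_WITH_AES_256_GCM_SHA384
5. SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
6. SSL_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
9. SSL_ECDH_RSA_WITH_AES_256_CBC_SHA384
11. SSL_ECDHE_RSA_WITH_AES_256_CBC_SHA
21. SSL_ECDH_RSA_WITH_AES_128_CBC_SHA
ok
"""

LINE = re.compile(r"^\s*(\d+)\.\s+((?:SSL|TLS)_(\w+?)_WITH_(\w+))\s*$")

def parse(text):
    """Return [(index, suite_name, key_exchange, cipher_and_mac)] from CLI output."""
    return [(int(m[1]), m[2], m[3], m[4])
            for m in map(LINE.match, text.splitlines()) if m]

def findings(kx, cipher_mac):
    """Reviewer's criteria (an assumption of this example, not IBM guidance)."""
    notes = []
    if not kx.startswith(("ECDHE_", "DHE_")):
        notes.append("no forward secrecy (static key exchange)")
    if "_CBC_" in cipher_mac:
        notes.append("CBC mode (not AEAD)")
    if cipher_mac.endswith("_SHA"):
        notes.append("SHA-1 HMAC")
    return notes

def audit(text):
    """Map each listed index to its suite name and findings; flag repeated names."""
    seen, report = {}, {}
    for idx, name, kx, cm in parse(text):
        notes = findings(kx, cm)
        if name in seen:
            notes.append(f"duplicate of entry {seen[name]}")
        seen.setdefault(name, idx)
        report[idx] = (name, notes)
    return report

if __name__ == "__main__":
    for idx, (name, notes) in audit(SAMPLE).items():
        print(f"{idx:>2}. {name}: {'; '.join(notes) or 'ok'}")
```

The index numbers in the report are the ones shown in the listing, so they can be matched against the entries when using the ssl_gui_ciphers commands.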

File backup cipher

Guardium uses the following cipher to encrypt and decrypt files and backups:

  • aes256

MySQL encryption ciphers

MySQL encrypts data at rest by using AES_ENCRYPT() and AES_DECRYPT(), which are considered to be the most cryptographically secure encryption functions that are currently available in MySQL. SHA-2, DES, and AES functions require MySQL to be configured with SSL support.