Security Cipher Suites and Encryption Methods¶
Overview¶
The PCoIP Zero Client exchanges information with several services while connecting to endpoint managers and PCoIP hosts. The various communication types are described below, each followed by the set of TLS cipher suites, Elliptic Curve Cryptography (ECC) curves, or encryption methods available to it.
Tip regarding elliptic curve encryption
The security strength in bits of an elliptic curve algorithm is roughly half of the curve (key) size, because the best known attacks on the elliptic curve discrete logarithm problem take about the square root of the group order. P-224 therefore gives the lowest strength (112 bits) of the curves listed on this page and appears last in every preference list; prefer P-256 or larger where the peer supports it.
Examples:
- If elliptic curve encryption uses the P-384 curve (which needs a 384-bit key), then the security strength is 384/2 = 192 bits.
- If elliptic curve encryption uses the P-224 curve (which needs a 224-bit key), then the security strength is 224/2 = 112 bits.
For TLS client based connections, the PCoIP Zero Client advertises its cipher suites and ECC curves in the order listed, but the final choice is made by the TLS server it connects to, such as the PCoIP Management Console or an 802.1X RADIUS server; if you need a particular suite negotiated, configure that server's preference. For TLS server based connections the PCoIP Zero Client itself is the TLS server and selects according to the preference order listed. The two TLS server based communication types are Encrypting Browser Connections and Encrypting Endpoint Discovery.
TLS server based connections:
- Encrypting Browser Connections
- Encrypting Endpoint Discovery
TLS client based connections:
- Encrypting PCoIP Session Negotiation with PCoIP Hosts
- Encrypting Endpoint Manager Administration
- Encrypting RADIUS Server Using EAP-TLS During 802.1X Authentication
- Encrypting Pre-Session Communications with VMware Horizon Environments
- Encrypting Pre-Session Amazon WorkSpaces Regional Code Lookup
- Encrypting Connections to Environments Using Smart Cards with OneSign Server
- Encrypting Pre-Session Communications with PCoIP Connection Managers or Brokering Agents
Non-TLS based connections:
- In-Session Encryption
- Encryption in SCEP Requests
Encrypting Browser Connections¶
PCoIP Zero Clients allow a browser to connect to the Administrative Web Interface (AWI) over a secure connection. In this scenario the PCoIP Zero Client acts as the TLS server, so it selects the cipher suite and curve, and the lists below are its order of preference.
Session resumption using TLS session tickets
Session resumption using TLS session tickets, defined in RFC 5077, is supported and always enabled; it cannot be turned off from the AWI. The session ticket data is secured using AES-128-CBC for encryption and HMAC-SHA256 for integrity protection. A ticket carries the session state encrypted under a long-lived server-side ticket key, so the confidentiality of every session resumed from a ticket depends on that key staying secret for as long as the tickets it issued remain valid.
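The ticket construction that RFC 5077 recommends, built with the algorithms named above (AES-128-CBC over the session state, HMAC-SHA256 over key name, IV and ciphertext, checked before anything is decrypted), as an added Go example. It is not the PCoIP Zero Client's code: the key layout, the constructed session-state bytes and the function names are assumptions made for the illustration, and a real server would also enforce a ticket lifetime.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TicketKeys is the server-side secret behind every ticket. Whoever holds it
// can decrypt the saved state of every session resumed under it, so it is the
// thing to rotate and protect, independent of any per-session key.
type TicketKeys struct {
	Name   [16]byte // RFC 5077 key_name: tells the server which key set to use
	AESKey [16]byte // AES-128-CBC
	MACKey [32]byte // HMAC-SHA256
}

func NewTicketKeys() (*TicketKeys, error) {
	k := &TicketKeys{}
	for _, b := range [][]byte{k.Name[:], k.AESKey[:], k.MACKey[:]} {
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
	}
	return k, nil
}

const (
	nameLen = 16
	tagLen  = sha256.Size
	minLen  = nameLen + aes.BlockSize + aes.BlockSize + tagLen
)

// Seal builds key_name || IV || AES-128-CBC(PKCS#7(state)) || HMAC-SHA256(all of the preceding).
func Seal(k *TicketKeys, state []byte) ([]byte, error) {
	block, err := aes.NewCipher(k.AESKey[:])
	if err != nil {
		return nil, err
	}
	ticket := make([]byte, nameLen+aes.BlockSize, minLen+len(state))
	copy(ticket, k.Name[:])
	iv := ticket[nameLen:]
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(state)%aes.BlockSize // PKCS#7: whole blocks for CBC
	padded := append(append([]byte{}, state...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	ticket = append(ticket, ct...)
	mac := hmac.New(sha256.New, k.MACKey[:])
	mac.Write(ticket)
	return mac.Sum(ticket), nil
}

// Open is the receiving side: verify the MAC in constant time before the
// ciphertext is touched (encrypt-then-MAC), so a tampered ticket is rejected
// without exposing a padding oracle. Every error means "do a full handshake".
func Open(k *TicketKeys, ticket []byte) ([]byte, error) {
	if len(ticket) < minLen || (len(ticket)-tagLen-nameLen)%aes.BlockSize != 0 {
		return nil, errors.New("ticket has invalid length")
	}
	body, tag := ticket[:len(ticket)-tagLen], ticket[len(ticket)-tagLen:]
	if !bytes.Equal(body[:nameLen], k.Name[:]) {
		return nil, errors.New("ticket issued under an unknown key name")
	}
	mac := hmac.New(sha256.New, k.MACKey[:])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("ticket MAC mismatch")
	}
	block, err := aes.NewCipher(k.AESKey[:])
	if err != nil {
		return nil, err
	}
	iv, ct := body[nameLen:nameLen+aes.BlockSize], body[nameLen+aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(pt) {
		return nil, errors.New("bad padding") // cannot happen once the MAC has passed
	}
	return pt[:len(pt)-pad], nil
}

func main() {
	k, err := NewTicketKeys()
	if err != nil {
		panic(err)
	}
	// Constructed stand-in for the real session state (master secret, suite, ...).
	ticket, err := Seal(k, []byte("constructed-session-state"))
	if err != nil {
		panic(err)
	}
	state, err := Open(k, ticket)
	fmt.Printf("resumed state %q, err=%v\n", state, err)
	ticket[nameLen+aes.BlockSize] ^= 0x01 // flip one ciphertext bit
	_, err = Open(k, ticket)
	fmt.Println("tampered ticket:", err)
}
```

The order inside Open is the point: the MAC covers the key name and IV as well as the ciphertext, and it is checked before decryption, so neither a bit-flip in the state nor a padding error is ever observable to the peer; a server that decrypted first would hand an attacker the padding oracle that CBC without a MAC is known for.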
The cipher suite and ECC order of preference is listed in descending order where the first entry is the most preferred.
Supported Cipher Suites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Supported Elliptic Curves:
- NIST P-256
- NIST P-384
- NIST P-521
- NIST P-224
Recommended web browsers
Recommended web browsers are Firefox, Chrome, and Edge.
Encrypting Endpoint Discovery¶
PCoIP Zero Clients that are not managed by an endpoint manager, such as the PCoIP Management Console, listen for incoming discovery requests only when the Management Security Level is set to Low. When an endpoint discovery request from an endpoint manager is received by the PCoIP Zero Client, communications between the endpoint manager and the PCoIP Zero Client are established securely using one of the supported cipher suites and ECC curves. In this scenario, the PCoIP Zero Client acts as the TLS server.
The cipher suite and ECC order of preference is listed in descending order where the first entry is the most preferred.
Supported Cipher Suites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Supported Elliptic Curves:
- NIST P-256
- NIST P-384
- NIST P-521
- NIST P-224
Encrypting PCoIP Session Negotiation with PCoIP Hosts¶
After user authentication and resource selection, PCoIP sessions are negotiated between the PCoIP Zero Client and the PCoIP host. A host can be a PCoIP Remote Workstation Card or PCoIP Software host such as HP Anyware Agent, VMware Horizon Agent, or Amazon WorkSpace. Communications between the PCoIP Zero Client and the host are secured using either Maximum Compatibility or Suite B (Remote Workstation Card only) cipher suites. In this scenario, the PCoIP Zero Client acts as the TLS client.
The cipher suite and ECC order of preference is listed in descending order where the first entry is the most preferred.
Connections to Remote Workstation Cards
Connections to Remote Workstation Cards are limited to a subset of cipher suites and any compatible ECC curve when in Maximum Compatibility mode. See Remote Workstation Card Administrators Guide Security Cipher Suites topic for further information.
Maximum Compatibility: PCoIP Zero Clients advertise the full set of their common cipher suites and curves in Maximum Compatibility mode.
Supported Cipher Suites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Supported Elliptic Curves:
- NIST P-256
- NIST P-384
- NIST P-521
- NIST P-224
Suite B: Suite B can only be used for connections to PCoIP Remote Workstation Cards.
Supported Cipher Suite:
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Supported Elliptic Curve:
- NIST P-384
Encrypting Endpoint Manager Administration¶
Once an endpoint manager discovers a PCoIP Zero Client, it uses the PCoIP Management Protocol to administer the endpoint. Communications between endpoint managers and PCoIP Zero Clients are secured using one of the supported cipher suites and ECC curves. This is a TLS client based connection.
Supported Cipher Suites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Supported Elliptic Curves:
- NIST P-256
- NIST P-384
- NIST P-521
- NIST P-224
Encrypting RADIUS Server Using EAP-TLS During 802.1X Authentication¶
In environments that have implemented an 802.1X RADIUS server, communications between the RADIUS server and PCoIP Zero Clients are secured using one of the supported cipher suites and ECC curves. This is a TLS client based connection, so the RADIUS server decides which suite is used. Two of the suites offered here, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA and TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, use HMAC-SHA-1 for record integrity and exist for compatibility with older RADIUS servers; where the server supports the GCM suites, configure it to prefer them.
Supported Cipher Suites:
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Supported Elliptic Curves:
- NIST P-256
- NIST P-384
- NIST P-521
- NIST P-224
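An added Go example, not part of this page or of the PCoIP firmware, that parses IANA cipher suite names into their parts and audits a preference list for the three things worth checking on this page: forward secrecy, HMAC-SHA-1 integrity (the two `_CBC_SHA` suites above) and AEAD suites ranked below CBC ones. The two embedded lists are copied from this page; the RADIUS list is audited in the order printed only to show what such a check reports, since the real order is whatever the RADIUS server is configured to prefer. All type and function names are the example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Suite is an IANA TLS 1.2 cipher suite name broken into the parts that
// matter for a security review.
type Suite struct {
	Name    string
	KeyEx   string // ECDHE, DHE or RSA (static key transport)
	Auth    string // RSA or ECDSA
	Cipher  string // e.g. AES_128_GCM, AES_256_CBC
	MAC     string // CBC suites: HMAC hash ("SHA" is HMAC-SHA-1); AEAD suites: PRF hash
	AEAD    bool   // GCM, CCM and CHACHA20 modes carry their own integrity
	Forward bool   // ephemeral (EC)DHE key exchange gives forward secrecy
}

// ParseSuite splits TLS_<kex>_<auth>_WITH_<cipher>_<mac>.
func ParseSuite(name string) (Suite, error) {
	halves := strings.SplitN(strings.TrimPrefix(name, "TLS_"), "_WITH_", 2)
	if len(halves) != 2 || halves[1] == "" {
		return Suite{}, fmt.Errorf("not a TLS_..._WITH_... name: %q", name)
	}
	s := Suite{Name: name}
	kx := strings.SplitN(halves[0], "_", 2)
	s.KeyEx = kx[0]
	s.Auth = kx[len(kx)-1] // TLS_RSA_WITH_...: one RSA key does both jobs
	s.Forward = s.KeyEx == "ECDHE" || s.KeyEx == "DHE"
	i := strings.LastIndex(halves[1], "_")
	if i <= 0 {
		return Suite{}, fmt.Errorf("no MAC/PRF field in %q", name)
	}
	s.Cipher, s.MAC = halves[1][:i], halves[1][i+1:]
	for _, mode := range []string{"GCM", "CCM", "CHACHA20"} {
		if strings.Contains(s.Cipher, mode) {
			s.AEAD = true
		}
	}
	return s, nil
}

// AuditOrder takes a preference list (most preferred first) and reports
// suites without forward secrecy, CBC suites with HMAC-SHA-1, and each AEAD
// suite that sits below an earlier non-AEAD one (once per run of CBC suites).
func AuditOrder(names []string) ([]string, error) {
	var findings []string
	firstCBC := ""
	for _, n := range names {
		s, err := ParseSuite(n)
		if err != nil {
			return nil, err
		}
		if !s.Forward {
			findings = append(findings, "no forward secrecy: "+n)
		}
		if !s.AEAD && s.MAC == "SHA" {
			findings = append(findings, "HMAC-SHA-1 integrity: "+n)
		}
		switch {
		case !s.AEAD && firstCBC == "":
			firstCBC = n
		case s.AEAD && firstCBC != "":
			findings = append(findings, "non-AEAD "+firstCBC+" ranked above AEAD "+n)
			firstCBC = ""
		}
	}
	return findings, nil
}

// Lists copied from this page. The RADIUS list is in the printed order; the
// AWI list is the Zero Client's own order, where it is the TLS server.
var (
	RadiusSuitesAsListed = []string{
		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
	}
	AWISuites = []string{
		"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
		"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
		"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
	}
)

func main() {
	for _, list := range [][]string{RadiusSuitesAsListed, AWISuites} {
		findings, err := AuditOrder(list)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%d finding(s)\n", len(findings))
		for _, f := range findings {
			fmt.Println("  ", f)
		}
	}
}
```

Run against the printed RADIUS order the audit reports three findings (two HMAC-SHA-1 suites and a CBC suite ranked above the first GCM suite); against the AWI order it reports none, which is the shape you want a server-side preference list to have. The same function can be pointed at the order a real RADIUS or Horizon server is configured with.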
Encrypting Pre-Session Communications with VMware Horizon Environments¶
Before a PCoIP session is negotiated with a PCoIP host in a VMware Horizon environment, each user is authenticated and then selects a desktop from a list of authorized resources. To complete this authentication process, the PCoIP Zero Client communicates with a Horizon Connection Server over port 443 using one of the supported cipher suites and ECC curves. This is a TLS client based connection.
Supported Cipher Suites:
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Supported Elliptic Curves:
- NIST P-256
- NIST P-384
- NIST P-521
- NIST P-224
System Configuration
The cipher suite used for this connection is chosen and configured on the Horizon (View) Connection Server, not on the PCoIP Zero Client; the Zero Client only offers the list above.
Encrypting Pre-Session Amazon WorkSpaces Regional Code Lookup¶
Direct connections from a PCoIP Zero Client to an Amazon WorkSpace require a secure regional code lookup using Amazon Simple Storage Service (Amazon S3). Secure communications between Amazon S3 and PCoIP Zero Clients are established using one of the supported cipher suites and ECC curves. This is a TLS client based connection.
Supported Cipher Suites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Supported Elliptic Curves:
- NIST P-256
- NIST P-384
- NIST P-521
- NIST P-224
Encrypting Connections to Environments Using Smart Cards with OneSign Server¶
Environments that use OneSign servers for smart card authentication require a secure connection between the PCoIP Zero Client and the OneSign server. Secure communications between OneSign servers and PCoIP Zero Clients are established using one of the supported cipher suites and ECC curves. This is a TLS client based connection.
Supported Cipher Suites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Supported Elliptic Curves:
- NIST P-256
- NIST P-384
- NIST P-521
- NIST P-224
Encrypting Pre-Session Communications with PCoIP Connection Managers or Brokering Agents¶
Before a PCoIP session is negotiated with a PCoIP host using a PCoIP Connection Manager or brokering agent, each user is authenticated and then selects a desktop from a list of authorized resources. To complete this authentication process, the PCoIP Zero Client uses a cipher suite and ECC curve to securely communicate with a PCoIP Connection Manager, Remote Workstation Card Agent or HP Anyware Manager broker agent over port 443. This is a TLS client based connection.
Supported Cipher Suites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Supported Elliptic Curves:
- NIST P-256
- NIST P-384
- NIST P-521
- NIST P-224
In-Session Encryption¶
Once a PCoIP session has been negotiated and the connection established, PCoIP Zero Clients encrypt the session data using the AES-256-GCM encryption algorithm. This algorithm secures all PCoIP communications during an active PCoIP session.
Supported Session Algorithm:
- AES-256-GCM
Encryption in SCEP Requests¶
Endpoint SCEP requests do not use a TLS connection. The Tera2 endpoint generates its own 3072-bit SCEP RSA private key when certificates other than Peer-to-peer Suite B certificates are requested. For Peer-to-peer Suite B certificates, the endpoint generates its own ECC P-384 SCEP private key.
The private key signs the PKCS#10-formatted certificate request (whose public key field holds the matching public key), which is then delivered to the SCEP server. The request itself is encrypted with a one-time AES-256-CBC content key, and that content key is encrypted with the public key of the SCEP server's Registration Authority (RA) RSA certificate, so only the RA can read the request. The SCEP challenge password is protected because it is contained within the encrypted certificate request.
The following cryptography algorithms are used to generate a SCEP request:
- Content Key Encryption Algorithm: RSAES-OAEP
- Hash Algorithm: SHA384
- Content Encryption Algorithm: AES-256-CBC
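The enveloping described above, carried through both sides, as an added Go example that is not the Tera2 firmware's code: a requester key of the page's type, a PKCS#10 request signed with it, a fresh AES-256-CBC content key that encrypts the request, and that key wrapped for the RA with RSAES-OAEP using SHA-384. The RA key, the subject name and the `Envelope` struct are assumptions for the illustration; a real SCEP message carries these fields inside ASN.1 PKCS#7 EnvelopedData, itself wrapped in a SignedData signed by the requester.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
)

// NewRequesterKey follows the page's key choice: RSA-3072 for ordinary
// certificates, ECC P-384 for peer-to-peer Suite B certificates.
func NewRequesterKey(suiteB bool) (crypto.Signer, error) {
	if suiteB {
		return ecdsa.GenerateKey(elliptic.P384(), rand.Reader)
	}
	return rsa.GenerateKey(rand.Reader, 3072)
}

// NewRAKey stands in for the RA's RSA key pair (hypothetical; 2048 bits here
// only to keep the example quick).
func NewRAKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// BuildCSR makes the PKCS#10 request (DER) signed by the requester's key. A
// SCEP client also puts the challenge password in the request attributes,
// which is why the whole request is enveloped rather than sent in clear.
func BuildCSR(key crypto.Signer, cn string) ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// Envelope holds the three fields of PKCS#7 EnvelopedData that the page's
// algorithm list maps onto; a struct instead of ASN.1 keeps the crypto visible.
type Envelope struct {
	WrappedCEK []byte // content-encryption key under RSAES-OAEP/SHA-384 to the RA
	IV         []byte
	Content    []byte // AES-256-CBC(PKCS#7-padded CSR)
}

// EnvelopeForRA is the requester side.
func EnvelopeForRA(raPub *rsa.PublicKey, csrDER []byte) (*Envelope, error) {
	cek := make([]byte, 32)
	iv := make([]byte, aes.BlockSize)
	for _, b := range [][]byte{cek, iv} {
		if _, err := rand.Read(b); err != nil {
			return nil, err
		}
	}
	wrapped, err := rsa.EncryptOAEP(sha512.New384(), rand.Reader, raPub, cek, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(csrDER)%aes.BlockSize
	padded := append(append([]byte{}, csrDER...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	content := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(content, padded)
	return &Envelope{WrappedCEK: wrapped, IV: iv, Content: content}, nil
}

// OpenAtRA is the RA side: unwrap the content key, decrypt, parse the CSR and
// check its self-signature (proof that the requester holds the private key).
func OpenAtRA(raPriv *rsa.PrivateKey, e *Envelope) (*x509.CertificateRequest, error) {
	if len(e.Content) == 0 || len(e.Content)%aes.BlockSize != 0 || len(e.IV) != aes.BlockSize {
		return nil, errors.New("malformed envelope")
	}
	cek, err := rsa.DecryptOAEP(sha512.New384(), rand.Reader, raPriv, e.WrappedCEK, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(cek)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(e.Content))
	cipher.NewCBCDecrypter(block, e.IV).CryptBlocks(pt, e.Content)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || pad > len(pt) {
		return nil, errors.New("bad padding")
	}
	csr, err := x509.ParseCertificateRequest(pt[:len(pt)-pad])
	if err != nil {
		return nil, err
	}
	return csr, csr.CheckSignature()
}

func main() {
	ra, err := NewRAKey()
	if err != nil {
		panic(err)
	}
	key, _ := NewRequesterKey(true) // Suite B path; pass false for RSA-3072
	csr, _ := BuildCSR(key, "zero-client-01")
	env, _ := EnvelopeForRA(&ra.PublicKey, csr)
	got, err := OpenAtRA(ra, env)
	if err != nil {
		panic(err)
	}
	fmt.Println("RA received request for", got.Subject.CommonName)
}
```

Only the RA's private key can unwrap the content key, so the subject, the public key and the challenge password inside the request are hidden from anyone on the path even though no TLS is in use; an envelope presented to a different RA key fails at the OAEP step. Note that EnvelopedData carries no integrity tag of its own, which is why SCEP wraps it in a SignedData layer.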