Supported Security Protocols & Encryption Methods

The Trust Center exchanges information with several services as part of its secure operations. This topic describes the communication types, followed by the set of supported TLS cipher suites, Elliptic Curve Cryptography (ECC) curves, or encryption methods available to each type. The cipher suite and ECC curve order of preference for TLS client-based connections is determined by the TLS server the client connects to.

Encrypting Management API Connections

The Trust Center exposes Management APIs that are accessed over HTTPS. These connections use TLS to ensure secure communication between clients and the Trust Center.

The cipher suite and ECC order of preference is listed in descending order where the first entry is the most preferred. Both TLS 1.3 and TLS 1.2 are supported.

Supported Cipher Suites:

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Encrypting Endpoint Registration and Connector APIs

When an endpoint initially registers or later connects to the Trust Center, it establishes a secure communication channel using HTTPS (TLS 1.3 or TLS 1.2). These communications are secured using one of the supported cipher suites.

Supported Cipher Suites:

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
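The same suite list governs both the Management API connections and the endpoint registration and connector connections above. As an added example (not HP's or the Trust Center's code), the following Python shows how a client can pin itself to exactly these suites and confirm what a connection actually negotiated; the OpenSSL-style names are what Python's ssl module reports, and the only assumption is an OpenSSL-backed Python build.

```python
import ssl
from typing import Optional

# The page's allowed suites, in its order of preference, as IANA name -> the
# OpenSSL name that ssl.SSLSocket.cipher() reports for a live connection.
# TLS 1.3 suites carry the same name in both schemes.
ALLOWED_SUITES = {
    "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384": "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256": "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": "ECDHE-ECDSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-ECDSA-CHACHA20-POLY1305",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256": "ECDHE-RSA-CHACHA20-POLY1305",
}
ALLOWED_VERSIONS = ("TLSv1.2", "TLSv1.3")

# OpenSSL cipher string for the TLS 1.2 suites only: TLS 1.3 suites are not
# selected through set_ciphers(), and OpenSSL's TLS 1.3 defaults are exactly
# the three TLS_* entries above.
TLS12_CIPHER_STRING = ":".join(
    name for iana, name in ALLOWED_SUITES.items() if "_WITH_" in iana)


def make_client_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and any TLS 1.2
    suite outside the page's list; certificate verification stays enabled."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(TLS12_CIPHER_STRING)
    return ctx


def suite_allowed(version: str, openssl_name: str) -> bool:
    """True when the negotiated (version, suite) pair is on the page's list."""
    return version in ALLOWED_VERSIONS and openssl_name in ALLOWED_SUITES.values()


def iana_name(openssl_name: str) -> Optional[str]:
    """Map a reported OpenSSL suite name back to the IANA name the page uses."""
    for iana, name in ALLOWED_SUITES.items():
        if name == openssl_name:
            return iana
    return None


def check_connection(sock: ssl.SSLSocket) -> bool:
    """Post-handshake check on a socket wrapped by make_client_context()."""
    name, _protocol, _bits = sock.cipher()
    return suite_allowed(sock.version(), name)
```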

Trust Center Registration Certificate

The Trust Center Registration Certificate is issued by HP. This certificate is used for mutual TLS during endpoint registration. The Trust Center presents this certificate to prove it is a valid Trust Center. Endpoints are provisioned with the root CA of the registration certificate and will not register if they do not receive a valid Trust Center registration certificate.

Certificate Specifications:

  • RSA 4096-bit private key
  • SHA384 hash with an RSA signature algorithm

This certificate is valid for one year after issuance. Renewal requires sending a new certificate signing request to the HP PKI infrastructure. On each renewal a new private key is generated.

TZC Endpoint Birth Certificate

An Endpoint Birth Certificate is issued to Trusted Zero Clients during factory provisioning by the HP PKI infrastructure.

Certificate Specifications:

  • RSA 2048-bit TPM-wrapped private key
  • SHA256 hash with an RSA signature algorithm

This certificate is valid for 20 years after issuance. There is no renewal procedure for this certificate as it exists for the lifetime of the Trusted Zero Client.

The private key is encrypted using a TPM on the Trusted Zero Client.

Software Endpoint Birth Certificate

For software endpoints (endpoints other than Trusted Zero Client), the endpoint birth certificate is issued by the Trust Center.

Certificate Specifications:

  • RSA 2048-bit private key
  • SHA256 hash using RSA

The certificate is valid for one year. The certificate is renewed once the endpoint obtains a new onboarding token and requests a new software endpoint birth certificate from the Trust Center.

Trust Center Operational Certificate

The Trust Center Operational Certificate is used for mutual TLS when an endpoint establishes a connection to the Trust Center. This certificate is issued by the Trust Center and acts as the server certificate for endpoint connections after registration. Endpoints are provisioned with the issuing CA for this certificate during registration.

Certificate Specifications:

  • RSA 2048-bit private key
  • SHA256 hash using RSA

The Trust Center operational certificate is valid for 1 year. The PKI provider is internal to Trust Center and automatically rotates the certificate.

Endpoint Operational Certificate

The Endpoint Operational Certificate is used for mutual TLS when an endpoint establishes a connection to the Trust Center. This certificate is issued by the Trust Center and acts as the client certificate for endpoint connections after registration. The Trust Center manages the CA for these certificates.

Certificate Specifications:

  • RSA 2048-bit private key
  • SHA256 hash using RSA

The endpoint operational certificate has an administrator-defined validity period, defaulting to 3 days.

The endpoint will automatically renew this certificate before expiry based on an administrator-defined validity check, e.g. 1 day prior to expiry. If the endpoint operational certificate has already expired (for example, because the endpoint was offline for longer than the validity period), the endpoint may still obtain a new certificate by automatically re-registering with its endpoint birth certificate.
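The 3-day default validity, the renewal check 1 day before expiry, and the fall-back to re-registration with the birth certificate form one decision the endpoint makes on every check. The following Python is an added illustration, not Trust Agent code; the function names and the sanity check that the renewal window must be shorter than the validity period are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone
from enum import Enum

DEFAULT_VALIDITY = timedelta(days=3)      # administrator-defined; the page's default
DEFAULT_RENEW_BEFORE = timedelta(days=1)  # administrator-defined; the page's example


class Action(Enum):
    KEEP = "keep the current operational certificate"
    RENEW = "request a new operational certificate over mutual TLS"
    REREGISTER = "re-register using the endpoint birth certificate"


def plan_renewal(not_after: datetime, now: datetime,
                 renew_before: timedelta = DEFAULT_RENEW_BEFORE,
                 validity: timedelta = DEFAULT_VALIDITY) -> Action:
    """Decide the endpoint's action at `now` for a certificate expiring at `not_after`."""
    # Sanity check (this example's assumption, not a documented Trust Center rule):
    # a renewal window at least as long as the validity would renew on every check.
    if renew_before >= validity:
        raise ValueError("renew_before must be shorter than the validity period")
    if now >= not_after:
        # Already expired, e.g. offline longer than the validity period: the
        # operational certificate can no longer authenticate a renewal request,
        # so fall back to the birth certificate and re-register.
        return Action.REREGISTER
    if not_after - now <= renew_before:
        return Action.RENEW
    return Action.KEEP


def simulate_offline(issued_at_iso: str, offline_hours: float,
                     renew_before_hours: float = 24, validity_hours: float = 72) -> Action:
    """Outcome for an endpoint whose certificate was issued at `issued_at_iso`
    (UTC, ISO 8601) when it next checks after `offline_hours` without contact."""
    issued_at = datetime.fromisoformat(issued_at_iso).replace(tzinfo=timezone.utc)
    validity = timedelta(hours=validity_hours)
    not_after = issued_at + validity
    return plan_renewal(not_after, issued_at + timedelta(hours=offline_hours),
                        timedelta(hours=renew_before_hours), validity)
```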

Token Signing

The Trust Center uses JSON Web Tokens (JWTs) and a JSON Web Key Set (JWKS) for both Management API authorization and Trust Tokens.

Token signing is performed using:

  • ECDSA with curve P-384
  • Security strength: 192 bits (equivalent in strength to an RSA 7680 bit key)

Management API JWTs are valid for 1 hour. Trust Token JWTs have a configurable validity but are expected to be short-lived, down to seconds or minutes in most use cases.
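The page pins token signing to ECDSA with curve P-384 (JOSE algorithm name ES384) and Management API JWTs to a 1-hour validity. As an added example that is not Trust Center code, the following Python shows the header and claim checks a verifier applies with such a key set before handing the signature to a JOSE library: alg pinned to ES384, kid resolved to an EC P-384 key in the JWKS, and lifetime bounded. The JWKS, key IDs and claim values are constructed placeholders; signature verification itself is left to a JOSE library and not performed here.

```python
import base64
import json
import time
from typing import Optional, Tuple

MAX_MGMT_LIFETIME_SECONDS = 3600  # Management API JWTs are valid for 1 hour
EXPECTED_ALG = "ES384"            # ECDSA with curve P-384, as the page specifies

# Constructed JWKS in the shape of a Trust Center key set; x/y are placeholders, not real keys.
SAMPLE_JWKS = {"keys": [{"kty": "EC", "crv": "P-384", "kid": "tc-signing-1",
                         "use": "sig", "x": "PLACEHOLDER_X", "y": "PLACEHOLDER_Y"}]}

def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def select_jwk(jwks: dict, kid: Optional[str]) -> Optional[dict]:
    """Return the JWKS entry for `kid` only if it is an EC key on curve P-384."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("kty") == "EC" and key.get("crv") == "P-384":
            return key
    return None

def precheck_token(token: str, jwks: dict, now: Optional[float] = None) -> Tuple[bool, str]:
    """Header/claim policy applied before a JOSE library verifies the ES384
    signature with the selected key. Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        h, p, _sig = token.split(".")
        header, claims = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p))
    except ValueError:  # wrong segment count, bad base64url or bad JSON
        return False, "malformed token"
    if header.get("alg") != EXPECTED_ALG:  # pin the algorithm; never let the token choose
        return False, "unexpected alg"
    if select_jwk(jwks, header.get("kid")) is None:
        return False, "no matching P-384 key in JWKS"
    exp, iat = claims.get("exp"), claims.get("iat")
    if not (isinstance(exp, (int, float)) and isinstance(iat, (int, float))):
        return False, "missing exp or iat"
    if exp <= now:
        return False, "expired"
    if exp - iat > MAX_MGMT_LIFETIME_SECONDS:
        return False, "lifetime exceeds 1 hour"
    return True, "ok"

def build_unsigned_token(header: dict, claims: dict) -> str:
    # Placeholder signature: only for exercising precheck_token, never for real use.
    parts = [json.dumps(header).encode(), json.dumps(claims).encode(), b"placeholder-signature"]
    return ".".join(_b64url_encode(p) for p in parts)
```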

Trust Agent Communications

The Trust Agent is a client component running on an endpoint that manages secure communications between endpoints and the Trust Center. It leverages WolfSSL for secure communications.

WolfSSL provides:

  • TLS 1.2 and TLS 1.3 support
  • Hardware-accelerated cryptography when available
  • Support for secure key storage

The Trust Agent ensures that all communications between the endpoint and Trust Center are encrypted and authenticated using mutual TLS.

For Trusted Zero Clients, the Trust Agent integrates with a Trusted Platform Module (TPM) for secure key storage and operations. The supported TPM key type is:

  • RSA 2048-bit keys

Trust Agent Secret Storage

The Trust Agent stores certain secrets, such as token signing private keys and stored credentials, encrypted at rest so that only a running Trust Agent can see the values of these properties. All secrets are encrypted with AES-256-GCM using WolfCrypt, with a 32-byte (256-bit) key, a 12-byte IV and a 16-byte authentication tag for data integrity.

On Trusted Zero Clients, this property encryption key is itself encrypted at rest using the Endpoint Birth Certificate private key. This private key is TPM-wrapped so it cannot be used outside of the TPM on the device it was created on, ensuring the property encryption key can only be used by the Trust Agent itself running on the expected system.

On software-based endpoints this property encryption key is not encrypted, because these platforms do not yet have TPM support. On these platforms, the encrypted storage of these properties prevents them from being accessed outside the Trust Agent, but does not offer guarantees against filesystem reads by privileged local users.