
Data Encryption and Integrity

Encryption protects the confidentiality of data in transit. The sender encrypts each packet with the negotiated cipher and a secret session key established during key exchange, and the receiver decrypts it with the same key and cipher. The cipher used for a given session is the cipher highest in the client's order of preference that is also supported by the server; the server's own ordering does not influence the choice.

Data integrity checking ensures that any alteration of data in transit is detected, so that a modified packet is rejected rather than acted on.

Data encryption

Reflection for Secure IT Server for Windows supports the following data encryption standards:

  • TripleDES (168-bit) CBC mode
  • Cast (128-bit) CBC mode
  • Blowfish (128-bit) CBC mode
  • AES (also known as Rijndael) (128-, 192-, or 256-bit) in GCM, CBC, and CTR mode

TripleDES, CAST and Blowfish all use a 64-bit block, so a CBC session on one key becomes exposed to birthday-bound plaintext recovery (the Sweet32 attack, CVE-2016-2183) after roughly 2^32 blocks, about 32 GB, of traffic unless the session is rekeyed well before that point; and TripleDES's 168-bit key gives only about 112 bits of effective strength. Put AES, preferably in GCM or CTR mode, first in the client's preference list and leave the 64-bit block ciphers out of it unless a specific peer still requires them.

Data integrity

Secure Shell connections use MACs (message authentication codes) to ensure data integrity. For each packet, the sender computes a keyed hash over the packet's sequence number and its unencrypted contents using a secret integrity key negotiated during key exchange, and appends the result to the packet; the receiver recomputes the same keyed hash over what it received and compares the two values. If the packet has been changed, replayed, or reordered in transit, the values differ and the packet is rejected. The MAC used for a given session is the MAC highest in the client's order of preference that is also supported by the server.
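The per-packet check described above, written out as an added example (this is illustrative code, not Reflection's implementation). It follows the SSH transport construction mac = MAC(key, sequence_number || unencrypted_packet) from RFC 4253 and uses the MAC names from the list below; the mapping of hmac-sha256/hmac-sha512 to the same HMAC constructions as hmac-sha2-256/hmac-sha2-512, the sample key and the sample packet are assumptions of the example.

```python
import hmac
import hashlib
import struct

# MAC algorithms from the list on this page, mapped to (hash function, tag length in bytes).
# The "-96" names truncate the HMAC output to 96 bits (12 bytes), as RFC 4253 specifies.
# hmac-sha256/hmac-sha512 are modelled here as the same constructions as the RFC 6668
# names hmac-sha2-256/hmac-sha2-512; that mapping is an assumption of this example.
# hmac-ripemd160 is left out only because hashlib's RIPEMD-160 support varies by OpenSSL build.
MAC_ALGORITHMS = {
    "hmac-sha1":     (hashlib.sha1,   20),
    "hmac-sha1-96":  (hashlib.sha1,   12),
    "hmac-sha2-256": (hashlib.sha256, 32),
    "hmac-sha256":   (hashlib.sha256, 32),
    "hmac-sha2-512": (hashlib.sha512, 64),
    "hmac-sha512":   (hashlib.sha512, 64),
    "hmac-md5":      (hashlib.md5,    16),
    "hmac-md5-96":   (hashlib.md5,    12),
}


def compute_mac(algorithm: str, key: bytes, sequence_number: int, packet: bytes) -> bytes:
    """SSH transport MAC (RFC 4253 section 6.4):
        mac = MAC(key, sequence_number || unencrypted_packet)
    The sequence number is an implicit uint32 that each side counts per direction and
    never transmits, so it binds every tag to one position in the packet stream."""
    digestmod, length = MAC_ALGORITHMS[algorithm]
    data = struct.pack(">I", sequence_number & 0xFFFFFFFF) + packet
    return hmac.new(key, data, digestmod).digest()[:length]


def verify_mac(algorithm: str, key: bytes, sequence_number: int,
               packet: bytes, received_mac: bytes) -> bool:
    """Receiver side: recompute over the packet as received, compare in constant time."""
    expected = compute_mac(algorithm, key, sequence_number, packet)
    return hmac.compare_digest(expected, received_mac)


def demo(algorithm: str = "hmac-sha2-256") -> dict:
    """Three receive scenarios for one constructed packet; returns accept/reject per case."""
    key = b"\x42" * 32   # constructed integrity key (a real one comes from SSH key exchange)
    # constructed plaintext packet: uint32 packet_length, padding_length, payload
    packet = b"\x00\x00\x00\x1c\x05SSH_MSG constructed payload"
    seq = 7              # sender's current outbound sequence number

    tag = compute_mac(algorithm, key, seq, packet)

    # 1. Unmodified packet, receiver's counter in step with the sender's: accepted.
    intact = verify_mac(algorithm, key, seq, packet, tag)

    # 2. One byte flipped in transit: the recomputed tag no longer matches.
    tampered_packet = bytearray(packet)
    tampered_packet[10] ^= 0x01
    tampered = verify_mac(algorithm, key, seq, bytes(tampered_packet), tag)

    # 3. Packet and tag replayed verbatim after the receiver has advanced to seq 8:
    #    the sequence number is part of the MAC input, so the replay is rejected too.
    replayed = verify_mac(algorithm, key, seq + 1, packet, tag)

    return {"intact": intact, "tampered": tampered, "replayed": replayed}


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing: the comparison uses hmac.compare_digest so that a forger cannot time byte-by-byte rejections, and the replay case fails even though neither the packet nor the tag was altered, because the untransmitted sequence number is mixed into every tag.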

Reflection for Secure IT Server for Windows supports the following MAC algorithms:

  • hmac-sha1
  • hmac-sha256
  • hmac-sha2-256
  • hmac-sha512
  • hmac-sha2-512
  • hmac-md5
  • hmac-sha1-96
  • hmac-md5-96
  • hmac-ripemd160

hmac-sha2-256 and hmac-sha2-512 are the names standardized in RFC 6668; hmac-sha256 and hmac-sha512 are earlier, non-standard names for the same HMAC constructions. The -96 variants truncate the tag to 96 bits. hmac-md5, hmac-md5-96 and hmac-sha1-96 are best treated as compatibility options only; put hmac-sha2-256 or hmac-sha2-512 first in the client's preference list.

When data encryption in GCM mode is negotiated, the negotiated MAC algorithm is ignored: GCM is an authenticated encryption (AEAD) mode, and its authentication tag provides the integrity and authenticity check that a separate MAC would otherwise supply.
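The selection rules stated on this page (client preference order decides, the server's ordering does not, and a GCM cipher makes the MAC choice moot), as an added example rather than Reflection's own code. The cipher and MAC wire names used for the AES-GCM suites (RFC 5647's AEAD_AES_*_GCM and the OpenSSH @openssh.com variants) and the sample preference lists are assumptions of the example; which identifiers Reflection advertises is not stated on this page.

```python
from typing import List, Optional, Tuple

# Wire names for the AES-GCM suites. RFC 5647 defines AEAD_AES_128_GCM and
# AEAD_AES_256_GCM; the @openssh.com names are OpenSSH's variants. Which of these
# identifiers Reflection advertises is an assumption of this example.
AEAD_CIPHERS = {
    "AEAD_AES_128_GCM", "AEAD_AES_256_GCM",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
}


def choose(client_prefs: List[str], server_supported: List[str]) -> Optional[str]:
    """RFC 4253 section 7.1: the chosen algorithm is the first name in the client's
    list that also appears in the server's list. The server's ordering is irrelevant."""
    offered = set(server_supported)
    for name in client_prefs:
        if name in offered:
            return name
    return None


def negotiate(client_ciphers: List[str], server_ciphers: List[str],
              client_macs: List[str], server_macs: List[str]) -> Tuple[str, Optional[str]]:
    """Pick the cipher and MAC for one direction of a session.
    Returns (cipher, mac); mac is None when an AEAD cipher makes the MAC list moot."""
    cipher = choose(client_ciphers, server_ciphers)
    if cipher is None:
        raise ValueError("no common cipher; the connection must be dropped")
    if cipher in AEAD_CIPHERS:
        # GCM's authentication tag covers the packet; the negotiated MAC is ignored.
        return cipher, None
    mac = choose(client_macs, server_macs)
    if mac is None:
        raise ValueError("no common MAC; the connection must be dropped")
    return cipher, mac


# Constructed client preference lists, strongest first. Listing 3des-cbc at all
# is what makes the downgrade scenario below possible.
CLIENT_CIPHERS = ["aes256-gcm@openssh.com", "aes256-ctr", "aes128-ctr", "aes256-cbc", "3des-cbc"]
HARDENED_CLIENT_CIPHERS = ["aes256-gcm@openssh.com", "aes256-ctr", "aes128-ctr"]
CLIENT_MACS = ["hmac-sha2-512", "hmac-sha2-256", "hmac-sha1"]


def scenarios() -> dict:
    """Four constructed server configurations against the client lists above."""
    # Server lists its ciphers weakest first: the client's order still decides.
    legacy_order = negotiate(CLIENT_CIPHERS, ["3des-cbc", "aes256-cbc", "aes256-ctr"],
                             CLIENT_MACS, ["hmac-sha1", "hmac-sha2-256"])
    # Server supports GCM: it is the client's first choice, and no MAC is selected.
    gcm = negotiate(CLIENT_CIPHERS, ["aes256-gcm@openssh.com", "aes256-ctr"],
                    CLIENT_MACS, ["hmac-sha1"])
    # Server offers only 3DES: because the client still lists it, the session drops to it.
    downgrade = negotiate(CLIENT_CIPHERS, ["3des-cbc"], CLIENT_MACS, ["hmac-sha1"])
    # Same server against a client that no longer offers 3DES: negotiation fails instead.
    try:
        hardened = negotiate(HARDENED_CLIENT_CIPHERS, ["3des-cbc"], CLIENT_MACS, ["hmac-sha1"])
    except ValueError:
        hardened = None
    return {"legacy_order": legacy_order, "gcm": gcm,
            "downgrade": downgrade, "hardened": hardened}


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The downgrade and hardened cases are the practical lesson: a weak algorithm anywhere in the client's list can be selected by any server that offers nothing else, so removing it from the list is the only way to guarantee it is never used.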

More information