From: Nikos Mavrogiannopoulos Date: Sat, 14 Jan 2012 12:51:16 +0000 (+0100) Subject: properly spread authentication and credentials doc. X-Git-Tag: gnutls-3_0_12~29 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0ed881bd33f70f0bc211128a2ef1090952fa4337;p=thirdparty%2Fgnutls.git properly spread authentication and credentials doc. --- diff --git a/doc/cha-cert-auth.texi b/doc/cha-cert-auth.texi index 8dcb6e94db..5253f5b368 100644 --- a/doc/cha-cert-auth.texi +++ b/doc/cha-cert-auth.texi @@ -8,6 +8,55 @@ using a browser today. @acronym{GnuTLS} supports both @acronym{X.509} certificates @xcite{PKIX} and @acronym{OpenPGP} certificates using a common API. +The key exchange algorithms supported by certificate authentication are +shown in @ref{tab:key-exchange}. + +@float Table,tab:key-exchange +@multitable @columnfractions .2 .7 + +@headitem Key exchange @tab Description + +@item RSA @tab +The RSA algorithm is used to encrypt a key and send it to the peer. +The certificate must allow the key to be used for encryption. + +@item RSA_EXPORT @tab +The RSA algorithm is used to encrypt a key and send it to the peer. +In the EXPORT algorithm, the server signs temporary RSA parameters of +512 bits --- which are considered weak --- and sends them to the +client. + +@item DHE_RSA @tab +The RSA algorithm is used to sign ephemeral Diffie-Hellman parameters +which are sent to the peer. The key in the certificate must allow the +key to be used for signing. Note that key exchange algorithms which +use ephemeral Diffie-Hellman parameters, offer perfect forward +secrecy. That means that even if the private key used for signing is +compromised, it cannot be used to reveal past session data. + +@item ECDHE_RSA @tab +The RSA algorithm is used to sign ephemeral elliptic curve Diffie-Hellman +parameters which are sent to the peer. The key in the certificate must allow +the key to be used for signing. It also offers perfect forward +secrecy. That means that even if the private key used for signing is +compromised, it cannot be used to reveal past session data. + +@item DHE_DSS @tab +The DSA algorithm is used to sign ephemeral Diffie-Hellman parameters +which are sent to the peer. The certificate must contain DSA +parameters to use this key exchange algorithm. DSA is the algorithm +of the Digital Signature Standard (DSS). + +@item ECDHE_ECDSA @tab +The Elliptic curve DSA algorithm is used to sign ephemeral elliptic +curve Diffie-Hellman parameters which are sent to the peer. The +certificate must contain ECDSA parameters to use this key exchange +algorithm. + +@end multitable +@caption{Supported key exchange algorithms.} +@end float + @menu * X.509 certificates:: * OpenPGP certificates:: diff --git a/doc/cha-gtls-app.texi b/doc/cha-gtls-app.texi index 0541fd693b..1a9f08a324 100644 --- a/doc/cha-gtls-app.texi +++ b/doc/cha-gtls-app.texi @@ -310,6 +310,53 @@ current session using @funcref{gnutls_credentials_set}. * Anonymous credentials:: @end menu +Each authentication method is associated with a key exchange method, and a credentials type. +The contents of the credentials is method-dependent, e.g. certificates +for certificate authentication and should be initialized and associated +with a session (see @funcref{gnutls_credentials_set}). A mapping of the key exchange methods +with the credential types is shown in @ref{tab:key-exchange-cred}. + +@float Table,tab:key-exchange-cred +@multitable @columnfractions .25 .25 .2 .2 + +@headitem Authentication method @tab Key exchange @tab Client credentials @tab Server credentials + +@item Certificate +@tab @code{KX_RSA}, +@code{KX_DHE_RSA}, +@code{KX_DHE_DSS}, +@code{KX_ECDHE_RSA}, +@code{KX_ECDHE_ECDSA}, +@code{KX_RSA_EXPORT} +@tab @code{CRD_CERTIFICATE} +@tab @code{CRD_CERTIFICATE} + +@item Password and certificate +@tab @code{KX_SRP_RSA}, @code{KX_SRP_DSS} +@tab @code{CRD_SRP} +@tab @code{CRD_CERTIFICATE}, @code{CRD_SRP} + +@item Password +@tab @code{KX_SRP} +@tab @code{CRD_SRP} +@tab @code{CRD_SRP} + +@item Anonymous +@tab @code{KX_ANON_DH}, +@code{KX_ANON_ECDH} +@tab @code{CRD_ANON} +@tab @code{CRD_ANON} + +@item Pre-shared key +@tab @code{KX_PSK}, +@code{KX_DHE_PSK}, @code{KX_ECDHE_PSK} +@tab @code{CRD_PSK} +@tab @code{CRD_PSK} + +@end multitable +@caption{Key exchange algorithms and the corresponding credential types.} +@end float + @node Certificate credentials @subsection Certificates @subsubheading Server certificate authentication diff --git a/doc/cha-intro-tls.texi b/doc/cha-intro-tls.texi index 588b5cc7fc..f0063bf91b 100644 --- a/doc/cha-intro-tls.texi +++ b/doc/cha-intro-tls.texi @@ -343,101 +343,6 @@ The available authentication methods in @acronym{GnuTLS} follow. @end itemize -@float Table,tab:key-exchange -@multitable @columnfractions .2 .7 - -@headitem Key exchange @tab Description - -@item RSA @tab -The RSA algorithm is used to encrypt a key and send it to the peer. -The certificate must allow the key to be used for encryption. - -@item RSA_EXPORT @tab -The RSA algorithm is used to encrypt a key and send it to the peer. -In the EXPORT algorithm, the server signs temporary RSA parameters of -512 bits --- which are considered weak --- and sends them to the -client. - -@item DHE_RSA @tab -The RSA algorithm is used to sign ephemeral Diffie-Hellman parameters -which are sent to the peer. The key in the certificate must allow the -key to be used for signing. Note that key exchange algorithms which -use ephemeral Diffie-Hellman parameters, offer perfect forward -secrecy. That means that even if the private key used for signing is -compromised, it cannot be used to reveal past session data. - -@item ECDHE_RSA @tab -The RSA algorithm is used to sign ephemeral elliptic curve Diffie-Hellman -parameters which are sent to the peer. The key in the certificate must allow -the key to be used for signing. It also offers perfect forward -secrecy. That means that even if the private key used for signing is -compromised, it cannot be used to reveal past session data. - -@item DHE_DSS @tab -The DSA algorithm is used to sign ephemeral Diffie-Hellman parameters -which are sent to the peer. The certificate must contain DSA -parameters to use this key exchange algorithm. DSA is the algorithm -of the Digital Signature Standard (DSS). - -@item ECDHE_ECDSA @tab -The Elliptic curve DSA algorithm is used to sign ephemeral elliptic -curve Diffie-Hellman parameters which are sent to the peer. The -certificate must contain ECDSA parameters to use this key exchange -algorithm. - -@end multitable -@caption{Supported key exchange algorithms.} -@end float - -Each authentication method is associated with a key exchange method, shown -in @ref{tab:key-exchange}, and a credentials type. -The contents of the credentials is method-dependent, e.g. certificates -for certificate authentication and should be initialized and associated -with a session (see @funcref{gnutls_credentials_set}). A mapping of the key exchange methods -with the credential types is shown in @ref{tab:key-exchange-cred}. - -@float Table,tab:key-exchange-cred -@multitable @columnfractions .25 .25 .2 .2 - -@headitem Authentication method @tab Key exchange @tab Client credentials @tab Server credentials - -@item Certificate -@tab @code{KX_RSA}, -@code{KX_DHE_RSA}, -@code{KX_DHE_DSS}, -@code{KX_ECDHE_RSA}, -@code{KX_ECDHE_ECDSA}, -@code{KX_RSA_EXPORT} -@tab @code{CRD_CERTIFICATE} -@tab @code{CRD_CERTIFICATE} - -@item Password and certificate -@tab @code{KX_SRP_RSA}, @code{KX_SRP_DSS} -@tab @code{CRD_SRP} -@tab @code{CRD_CERTIFICATE}, @code{CRD_SRP} - -@item Password -@tab @code{KX_SRP} -@tab @code{CRD_SRP} -@tab @code{CRD_SRP} - -@item Anonymous -@tab @code{KX_ANON_DH}, -@code{KX_ANON_ECDH} -@tab @code{CRD_ANON} -@tab @code{CRD_ANON} - -@item Pre-shared key -@tab @code{KX_PSK}, -@code{KX_DHE_PSK}, @code{KX_ECDHE_PSK} -@tab @code{CRD_PSK} -@tab @code{CRD_PSK} - -@end multitable -@caption{Key exchange algorithms and the corresponding credential types.} -@end float - - @node Client Authentication @subsection Client authentication @cindex client certificate authentication