Connect:Direct for z/OS added support for TLSv1.3 introduced in IBM z/OS 2.4.
Secure data transfer support using Transport Layer Security version 1.3 (TLSv1.3)Security in IBM z/OS version 2.4 has been enhanced by using the latest industry standard of Transport Layer Security version 1.3 (TLSv1.3) protocol. The TLS Version 1.3 protocol is a major revision to the TLS protocol that is intended to provide better security and improve handshake performance.
TLSv1.3 with Connect:Direct for z/OS provides certain added points in overall security of our product, below are some highlights:
- Speed Benefits:
TLSv1.3 is much faster than its predecessor because the time taken for a handshake is reduced. In TLSv1.3, it takes one round-trip from both sides to complete a handshake. TLSv1.3 reduced the number of round trips compared to TLSv1.2 and thereby reduced the number of negotiations from 4 to 2.
The shorter TLS handshake has made the connection between different Connect:Direct nodes much faster, with less latency, which improves the enterprise network performance.
‘Zero Round Trip Time Resumption’ (0-RTT) will make TLSv1.3 faster as it allows for near-instantaneous session resumption (restart) to Connect:Direct nodes. TLSv1.3, uses a pre-shared key to resume a connection, hence making checkpointing and restart connection between two Connect:Direct nodes nearly instantaneous.
- Cipher specifications simplified:
As already stated above, half of the negotiation time has been eliminated for much faster handshake, which has resulted in a decrease in the size of the cipher too.
TLS 1.2 and its predecessors use Cipher Suites that include 4 ciphers. Here’s an example (ECDHE, ECDSA, AES_128_GCM & SHA256):
In TLS 1.3, cipher suites no longer include the key exchange and signature algorithms. Now it’s just the bulk cipher and the hashing algorithm (AES_256_GCM & SHA384).
The biggest drawback in TLSv1.2 is multiple cipher combinations make it difficult for the parties negotiating during the handshake, as TLSv1.2 provides little guidance in choosing a cipher suite for the best security.
The cipher suites that are valid for TLSv1.2 and earlier protocols are not supported for TLSv1.3.
Connect:Direct for z/OS supports the following TLSv1.3 cipher suites:
- Security Improvement:
TLSv1.3 obsoletes all the prior TLS features which were vulnerable to attacks, such as SHA-1, RC4, DES, 3DES, AES-CBC, MD5. Security administrators and developers may find TLSv1.3 is the preferred protocol.
Stroll through the following links for more details on TLSv1.3 introduced in z/OS 2.4, and how Altran is benefiting from it in Connect:Direct for z/OS.
Have a nice TLS connection today!!!