VMware Cloud Community
abaum
Hot Shot

How do I disable low strength ciphers?

All,

I had my hosts (ESX3) scanned for PCI vulnerabilities. The results came back that the web interface allows the use of low strength ciphers. Where do I go to disable this? I couldn't find an httpd.conf or ssl.conf file anywhere.

adam

6 Replies
RParker
Immortal

Ciphers are a direct result of passwords. If you make sure your passwords are not easily guessed, you should be fine.

Apparently the program you used scanned the web interface and determined it could easily break in using known passwords, a la low-strength ciphers.

abaum
Hot Shot

I can't speak to ciphers in VMware, but in the world of Windows your answer would be incorrect. Given a 12-character password, I can use 56-bit, 128-bit, AES/DES, etc. Depending on which cipher I used, I would get different results in the encryption. Password length/complexity does not determine which cipher is used.

adam

RParker
Immortal

In that case, download the ESX VI Server Config Guide, and refer to page 251. It will tell you ALL you need to know.

___________________

*Cipher Strength*

Transmitting data over insecure connections presents a security risk because malicious users might be able to scan data as it travels through the network. As a safeguard, network components commonly encrypt the data so that it can't be easily read. To encrypt data, the sending component, such as a gateway or redirector, applies algorithms, or ciphers, to alter the data before transmitting it. The receiving component uses a key to decrypt the data, returning it to its original form.

Several different ciphers are currently in use, and the level of security provided by each is different. One measure of a cipher's ability to protect data is its cipher strength: the number of bits in the encryption key. The larger the number, the more secure the cipher.

To ensure the protection of the data transmitted to and from external network connections, ESX Server uses one of the strongest block ciphers available: 256-bit AES block encryption. ESX Server also uses 1024-bit RSA for key exchange.

_____________

Also this little note is rather interesting:

Because VI Web Access cipher usage is determined by the Web browser you are using, this management tool might use other ciphers

___________________

So maybe the passwords used are not that important for cipher, but the Web Browser you are using IS.

abaum
Hot Shot

Thanks for finding the info in the guide. There are so many PDF files that I occasionally miss two or three when searching for info. I understand your last sentence regarding the browser. It's really a cop-out on VM's part. I can disable all sorts of ciphers in Windows. In fact, PCI requires that you do so. The fact that VM allows lower-cipher browsers to connect is actually a problem. Might not pass PCI standards. In a normal Apache install, I can disable the low-end ciphers.

I can't say for sure exactly what the PCI scan consists of, but our security team hasn't been wrong yet (in terms of PCI results). ESX may use high-strength ciphers, but it also supports lower ones, as indicated by the footnote.

adam

RParker
Immortal

After doing some reading, and looking up info on Cipher, I believe you are correct. I have a security team, and I will get them to look at our servers, maybe between the two of us, we can figure this out.

I will ask about how to increase the cipher strength, or at least figure out how to disable it. This should be a good learning experience.

lhedrick
Enthusiast

There is a Foundstone free tool that can be used to test the cipher strength and show you which ones it sees you using. It is called SSLDigger. I have used it to check if I need to disable any cipher suites for an audit. You should install it and point it at the web site (such as ) and let it run its tests... Basically you need to modify the web server somehow to eliminate all 40-bit cipher suites, really all of them that support anything less than 128-bit encryption.

This link might help as well...

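A check of the kind lhedrick describes, written as an added example that is not part of this thread, of SSLDigger, or of any VMware tool: it applies the "anything under 128 bits is weak" rule to a cipher list and, optionally, probes a host one suite at a time the way an SSLDigger-style scanner does. The cipher list is constructed in the format printed by `openssl ciphers -v`; it is not output from any real ESX host. The function names and the `probe_host` approach are this example's own assumptions. Note that the bit-count rule the thread uses is the PCI criterion of the time; RC4-MD5 passes it at 128 bits but is broken by current standards, so a present-day policy would reject it as well.

```python
import re
import socket
import ssl

# Constructed sample in the layout printed by `openssl ciphers -v`. It is NOT
# captured from an ESX host; it just covers the cases an auditor cares about:
# export (40-bit) suites, single DES (56-bit), 128/256-bit suites, and NULL.
SAMPLE_CIPHER_LIST = """\
EXP-RC4-MD5             SSLv3 Kx=RSA(512) Au=RSA  Enc=RC4(40)   Mac=MD5  export
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
NULL-SHA                SSLv3 Kx=RSA      Au=RSA  Enc=None      Mac=SHA1
"""

# "Enc=AES(256)" -> alg AES, 256 bits; "Enc=None" has no parenthesised size.
_ENC_RE = re.compile(r"Enc=(?P<alg>[A-Za-z0-9-]+)(?:\((?P<bits>\d+)\))?")


def parse_cipher_line(line):
    """Return (name, enc_alg, bits, is_export) for one `openssl ciphers -v` line."""
    fields = line.split()
    name = fields[0]
    m = _ENC_RE.search(line)
    alg = m.group("alg")
    bits = int(m.group("bits")) if m.group("bits") else 0  # Enc=None counts as 0 bits
    return name, alg, bits, "export" in fields


def weak_suites(cipher_list_text, min_bits=128):
    """Names of suites the '< 128-bit is weak' audit rule rejects, in list order.

    Export-grade suites and NULL encryption are rejected regardless of min_bits.
    """
    weak = []
    for line in cipher_list_text.splitlines():
        if not line.strip():
            continue
        name, alg, bits, export = parse_cipher_line(line)
        if bits < min_bits or export or alg == "None":
            weak.append(name)
    return weak


def probe_host(host, port, suite_names, timeout=5.0):
    """Offer each suite on its own and record whether the server accepts it.

    Returns {suite: 'accepted' | 'rejected' | 'unsupported locally'}.
    Caveat: export suites are compiled out of modern OpenSSL and an ESX 3 host
    only speaks SSLv3/TLS 1.0, so many suites will come back 'unsupported
    locally' rather than 'rejected'. A complete answer against such a host
    needs a scanner built on an OpenSSL of that era, as SSLDigger was.
    """
    results = {}
    for name in suite_names:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # probing ciphers, not validating identity
        try:
            ctx.minimum_version = ssl.TLSVersion.TLSv1
            # @SECLEVEL=0 lets OpenSSL >= 1.1.0 offer legacy suites it otherwise hides.
            ctx.set_ciphers(name + ":@SECLEVEL=0")
        except (ssl.SSLError, ValueError):
            results[name] = "unsupported locally"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    negotiated = tls.cipher()[0]
                    results[name] = "accepted" if negotiated == name else "rejected"
        except (ssl.SSLError, OSError):
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    # Offline run over the constructed list; pass a real host to probe_host to scan.
    for suite in weak_suites(SAMPLE_CIPHER_LIST):
        print("weak:", suite)
```

To use it against a live server, feed `probe_host("host", 443, [...])` the names from your own `openssl ciphers -v` output and then remove every suite that came back `accepted` from the web server's allowed list; `weak_suites` gives you the names that must not appear in that list.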