Initial session key generation, Rsa challenge dialogue – Brocade Virtual ADX Global Server Load Balancing Guide (Supporting ADX v03.1.00) User Manual
53-1003245-01
Secure GSLB
The unencrypted packet refers to the entire packet without a MAC. The sequence number is a
32-bit implicit packet sequence number. This number is initialized to zero for the first packet,
and it is incremented for every GSLB protocol packet sent thereafter.
The message authentication key is negotiated during the authentication phase, as described in the section “Initial session key generation”.
• Data authentication: Guarantees that the sender of the data is the legitimate peer. An authentication-session key is used to perform a hash between the peers that have already been authenticated. Only the two peers can generate the hash based on the key. Each MAC hash is generated using the negotiated authentication key. This key is shared between the two peers. Therefore, a message received with the correct MAC hash authenticates the peer because only the sender and the receiver have knowledge of the authentication key.
• Protection: Against replay and "man-in-the-middle" attacks.
• Dynamic session key generation: Makes it difficult for an intruder to decipher session keys by regenerating keys periodically or randomly.
Initial session key generation
Once the initial authentication is completed, the GSLB controller generates two session keys:
• Encryption key
• Authentication key
These keys are randomly generated. The secure random generator from the RSA toolkit is used for
random number generation.
When the GSLB controller sends the session keys to the site, the keys are first encrypted with the local private key and then with the public key of the peer. A SHA-1 digest of the keys is also attached to the message. In effect, both authentication and integrity are provided.
On receiving these encrypted keys from the GSLB controller, the site ADX device decrypts the encryption key and authentication key using its private key and the peer public key, and verifies that the SHA-1 hash it computes is the same as the one received. RSA decryption is used for this purpose.
RSA challenge dialogue
Once the initial peer authentication is complete, there is a challenge response dialogue between
the two ADX devices as follows.
From GSLB Controller to Site ADX device:
• The GSLB controller uses the site ADX device public key to encrypt a random sequence of bytes.
• The GSLB controller sends these encrypted bytes to the site ADX device.
• The site ADX device uses its private key to decrypt the bytes.
• The site ADX device sends the decrypted bytes back to the GSLB controller.
• The GSLB controller compares the decrypted bytes to the original bytes it sent to the site ADX device.
If the two sets of bytes match, it means the site ADX device's private key corresponds to an
authorized public key, and the site ADX device is authenticated.
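The dialogue above, worked through in Go as an added example with both roles modelled (this is not Brocade's code): the 2048-bit key size, OAEP/SHA-256 padding and the 32-byte challenge length are assumptions the manual does not state.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Site models the site ADX device: it holds the RSA private key whose public
// half the controller has been configured to trust.
type Site struct{ Key *rsa.PrivateKey }

// NewSite generates the site key pair (2048-bit RSA is an assumption; the
// manual does not state a key size).
func NewSite() (*Site, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Site{Key: k}, nil
}

// Respond: the site decrypts the challenge with its private key and returns
// the recovered bytes to the controller.
func (s *Site) Respond(challenge []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), nil, s.Key, challenge, nil)
}

// Controller models the GSLB controller with one authorized site public key.
type Controller struct{ authorizedSite *rsa.PublicKey }

// Authenticate runs the dialogue: encrypt random bytes with the authorized public
// key, send them to the peer, and compare what comes back with the original.
func (c *Controller) Authenticate(peer *Site) (bool, error) {
	original := make([]byte, 32) // 32 random bytes is an assumed challenge length
	if _, err := rand.Read(original); err != nil {
		return false, err
	}
	encrypted, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, c.authorizedSite, original, nil)
	if err != nil {
		return false, err
	}
	response, err := peer.Respond(encrypted)
	if err != nil {
		// A peer with a different private key cannot recover the bytes; with OAEP this is a decryption error.
		return false, nil
	}
	return bytes.Equal(original, response), nil
}
```

Only a peer holding the private key matching the configured public key returns the original bytes; any other key fails the comparison and is not authenticated.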