Key exchange algorithms – Allied Telesis AT-S63 User Manual
Page 461

AT-S63 Management Software Features Guide
Section IX: Management Security
461
It is very hard to find another message and key which give the same 
hash
The two most commonly used one-way hash algorithms are MD5 
(Message Digest 5, defined in RFC 1321) and SHA-1 (Secure Hash 
Algorithm, defined in FIPS-180-1). MD5 returns a 128-bit hash and SHA-1 
returns a 160-bit hash. MD5 is faster in software than SHA-1, but SHA-1 is 
generally regarded to be slightly more secure.
HMAC is a mechanism for calculating a keyed Message Authentication 
Code which can use any one-way hash function. It allows for keys to be 
handled the same way for all hash functions and it allows for different 
sized hashes to be returned.
Another method of calculating a MAC is to use a symmetric block cipher 
such as DES in CBC mode. This is done by encrypting the message and 
using the last encrypted block as the MAC and appending this to the 
original message (plain-text). Using CBC mode ensures that the whole 
message affects the resulting MAC.
Key Exchange
Algorithms
Key exchange algorithms are used by switches to securely generate and 
exchange encryption and authentication keys with other switches. Without 
key exchange algorithms, encryption and authentication session keys 
must be manually changed by the system administrator. Often, it is not 
practical to change the session keys manually. Key exchange algorithms 
enable switches to re-generate session keys automatically and on a 
frequent basis.
The most important property of any key exchange algorithm is that only 
the negotiating parties are able to decode, or generate, the shared secret. 
Because of this requirement, public key cryptography plays an important 
role in key exchange algorithms. Public key cryptography provides a 
method of encrypting a message which can only be decrypted by one 
party. A switch can generate a session key, encrypt the key using public 
key cryptography, transmit the key over an insecure channel, and be 
certain that the key can only be decrypted by the intended recipient. 
Symmetrical encryption algorithms can also be used for key exchange, but 
commonly require an initial shared secret to be manually entered into all 
switches in the secure network.
The Diffie-Hellman algorithm, which is used by the AT-S63 Management 
Software, is one of the more commonly used key exchange algorithms. It 
is not an encryption algorithm because messages cannot be encrypted 
using Diffie-Hellman. Instead, it provides a method for two parties to 
generate the same shared secret with the knowledge that no other party 
can generate that same value. It uses public key cryptography and is 
commonly known as the first public key algorithm. Its security is based on 
the difficulty of solving the discrete logarithm problem, which can be 
compared to the difficulty of factoring very large integers.
