Data authentication – Allied Telesis AT-S62 User Manual

Chapter 31: Encryption Keys

692

Section VII: Management Security

public and private key pair cannot be randomly assigned, but must be
generated together. In a typical scenario, a decryption station generates a
key pair and then distributes the public key to encrypting stations. This
distribution does not need to be kept secret, but it must be protected
against the substitution of the public key by a malicious third party.
Another use for asymmetrical encryption is as a digital signature. The
signature station publishes its public key, and then signs its messages by
encrypting them with its private key. To verify the source of a message,
the receiver decrypts the messages with the published public key. If the
message that results is valid, then the signing station is authenticated as
the source of the message.

The most common asymmetrical encryption algorithm is RSA. This
algorithm uses mathematical operations which are relatively easy to
calculate in one direction, but which have no known reverse solution. The
security of RSA relies on the difficulty of factoring the modulus of the RSA
key. Because key lengths of 512 bits or greater are used in public key
encryption systems, decrypting RSA encrypted messages is almost
impossible using current technology. The AT-S62 software uses the RSA
algorithm.

Asymmetrical encryption algorithms require enormous computational
resources, making them very slow when compared to symmetrical
algorithms. For this reason they are normally only used on small blocks of
data (for example, exchanging symmetrical algorithm keys), and not for
entire data streams.

Data

Authentication

Data authentication for switches is driven by the need for organizations to
verify that sensitive data has not been altered.

Data authentication operates by calculating a message authentication
code (MAC), commonly referred to as a hash, of the original data and
appending it to the message. The MAC produced is a function of the
algorithm used and the key. Since it is easy to discover what type of
algorithm is being used, the security of an authentication system relies on
the secrecy of its key information. When the message is received by the
remote switch, another MAC is calculated and checked against the MAC
appended to the message. If the two MACs are identical, the message is
authentic.

Typically a MAC is calculated using a keyed one-way hash algorithm. A
keyed one-way hash function operates on an arbitrary-length message
and a key. It returns a fixed length hash. The properties which make the
hash function one-way are:

ˆ

it is easy to calculate the hash from the message and the key

ˆ

it is very hard to compute the message and the key from the hash

ˆ

it is very hard to find another message and key which give the same
hash