beautypg.com

Key exchange algorithms – Allied Telesis AT-S62 User Manual

Page 693

background image

AT-S62 Management Software Menus Interface User’s Guide

Section VII: Management Security

693

The two most commonly used one-way hash algorithms are MD5
(Message Digest 5, defined in RFC 1321) and SHA-1 (Secure Hash
Algorithm, defined in FIPS-180-1). MD5 returns a 128-bit hash and SHA-1
returns a 160-bit hash. MD5 is faster in software than SHA-1, but SHA-1 is
generally regarded to be slightly more secure.

HMAC is a mechanism for calculating a keyed Message Authentication
Code which can use any one-way hash function. It allows for keys to be
handled the same way for all hash functions and it allows for different
sized hashes to be returned.

Another method of calculating a MAC is to use a symmetric block cypher
such as DES in CBC mode. This is done by encrypting the message and
using the last encrypted block as the MAC and appending this to the
original message (plain-text). Using CBC mode ensures that the whole
message affects the resulting MAC.

Key Exchange

Algorithms

Key exchange algorithms are used by switches to securely generate and
exchange encryption and authentication keys with other switches. Without
key exchange algorithms, encryption and authentication session keys
must be manually changed by the system administrator. Often, it is not
practical to change the session keys manually. Key exchange algorithms
enable switches to re-generate session keys automatically and on a
frequent basis.

The most important property of any key exchange algorithm is that only
the negotiating parties are able to decode, or generate, the shared secret.
Because of this requirement, public key cryptography plays an important
role in key exchange algorithms. Public key cryptography provides a
method of encrypting a message which can only be decrypted by one
party. A switch can generate a session key, encrypt the key using public
key cryptography, transmit the key over an insecure channel, and be
certain that the key can only be decrypted by the intended recipient.
Symmetrical encryption algorithms can also be used for key exchange, but
commonly require an initial shared secret to be manually entered into all
switches in the secure network.

The Diffie-Hellman algorithm, which is used by the AT-S62 management
software, is one of the more commonly used key exchange algorithms. It is
not an encryption algorithm because messages cannot be encrypted using
Diffie-Hellman. Instead, it provides a method for two parties to generate
the same shared secret with the knowledge that no other party can
generate that same value. It uses public key cryptography and is
commonly known as the first public key algorithm. Its security is based on
the difficulty of solving the discrete logarithm problem, which can be
compared to the difficulty of factoring very large integers.

A Diffie-Hellman algorithm requires more processing overhead than RSA-
based key exchange schemes, but it does not need the initial exchange of
public keys. Instead, it uses published and well tested public key values.