Key exchange algorithms – Allied Telesis AT-S63 User Manual
Page 557

AT-S63 Management Software Menus Interface User’s Guide
Section IV: Security
557
Typically a MAC is calculated using a keyed one-way hash algorithm. A 
keyed one-way hash function operates on an arbitrary-length message 
and a key. It returns a fixed length hash. The properties which make the 
hash function one-way are:
❑ It is easy to calculate the hash from the message and the key
❑ It is very hard to compute the message and the key from the hash
❑ It is very hard to find another message and key which give the
same hash
The two most commonly used one-way hash algorithms are MD5 
(Message Digest 5, defined in RFC 1321) and SHA-1 (Secure Hash 
Algorithm, defined in FIPS-180-1). MD5 returns a 128-bit hash and SHA-1 
returns a 160-bit hash. MD5 is faster in software than SHA-1, but SHA-1 is 
generally regarded to be slightly more secure.
HMAC is a mechanism for calculating a keyed Message Authentication 
Code which can use any one-way hash function. It allows for keys to be 
handled the same way for all hash functions and it allows for different 
sized hashes to be returned.
Another method of calculating a MAC is to use a symmetric block cypher 
such as DES in CBC mode. This is done by encrypting the message and 
using the last encrypted block as the MAC and appending this to the 
original message (plain-text). Using CBC mode ensures that the whole 
message affects the resulting MAC.
Key Exchange
Algorithms
Key exchange algorithms are used by switches to securely generate and 
exchange encryption and authentication keys with other switches. 
Without key exchange algorithms, encryption and authentication 
session keys must be manually changed by the system administrator. 
Often, it is not practical to change the session keys manually. Key 
exchange algorithms enable switches to re-generate session keys 
automatically and on a frequent basis.
The most important property of any key exchange algorithm is that only 
the negotiating parties are able to decode, or generate, the shared 
secret. Because of this requirement, public key cryptography plays an 
important role in key exchange algorithms. Public key cryptography 
provides a method of encrypting a message which can only be 
decrypted by one party. A switch can generate a session key, encrypt the 
key using public key cryptography, transmit the key over an insecure 
channel, and be certain that the key can only be decrypted by the 
intended recipient. Symmetrical encryption algorithms can also be used 
for key exchange, but commonly require an initial shared secret to be 
manually entered into all switches in the secure network.
