Data authentication – Allied Telesis AT-S62 User Manual

AT-S62 User’s Guide

Section VII: Management Security

497

Asymmetrical (Public Key) Encryption

Asymmetrical encryption algorithms use two keys—one for encryption
and one for decryption. The encryption key is called the public key
because it cannot be used to decrypt a message and therefore does not
have to be kept secret. Only the decryption, or private key, needs to be
kept secret. The other name for this type of algorithm is public key
encryption. The public and private key pair cannot be randomly
assigned, but must be generated together. In a typical scenario, a
decryption station generates a key pair and then distributes the public
key to encrypting stations. This distribution does not need to be kept
secret, but it must be protected against the substitution of the public
key by a malicious third party. Another use for asymmetrical encryption
is as a digital signature. The signature station publishes its public key,
and then signs its messages by encrypting them with its private key. To
verify the source of a message, the receiver decrypts the messages with
the published public key. If the message that results is valid, then the
signing station is authenticated as the source of the message.

The most common asymmetrical encryption algorithm is RSA. This
algorithm uses mathematical operations which are relatively easy to
calculate in one direction, but which have no known reverse solution.
The security of RSA relies on the difficulty of factoring the modulus of
the RSA key. Because key lengths of 512 bits or greater are used in public
key encryption systems, decrypting RSA encrypted messages is almost
impossible using current technology. The AT-S62 software uses the RSA
algorithm.

Asymmetrical encryption algorithms require enormous computational
resources, making them very slow when compared to symmetrical
algorithms. For this reason they are normally only used on small blocks
of data (for example, exchanging symmetrical algorithm keys), and not
for entire data streams.

Data

Authentication

Data authentication for switches is driven by the need for organizations
to verify that sensitive data has not been altered.

Data authentication operates by calculating a message authentication
code (MAC), commonly referred to as a hash, of the original data and
appending it to the message. The MAC produced is a function of the
algorithm used and the key. Since it is easy to discover what type of
algorithm is being used, the security of an authentication system relies
on the secrecy of its key information. When the message is received by
the remote switch, another MAC is calculated and checked against the
MAC appended to the message. If the two MACs are identical, the
message is authentic.