beautypg.com

Data authentication – Allied Telesis AT-S60 User Manual

Page 346

background image

AT-S60 Management Software User’s Guide

Section III: Security Features

345

Data Authentication

Data authentication for switches is driven by the need for organizations
to verify that sensitive data has not been altered.

Data authentication operates by calculating a Message Authentication
Code (MAC), commonly referred to as a hash, of the original data and
appending it to the message. The MAC produced is a function of the
algorithm used and the key. Since it is easy to discover what type of
algorithm is being used, the security of an authentication system relies
on the secrecy of its key information. When the message is received by
the remote switch, another MAC is calculated and checked against the
MAC appended to the message. If the two MACs are identical, the
message is authentic.

Typically a MAC is calculated using a keyed one-way hash algorithm. A
keyed one-way hash function operates on an arbitrary-length message
and a key. It returns a fixed length hash. The properties which make the
hash function one-way are:

❑ it is easy to calculate the hash from the message and the key

❑ it is very hard to compute the message and the key from the hash

❑ it is very hard to find another message and key which give the

same hash

The two most commonly used one-way hash algorithms are MD5
(Message Digest 5, defined in RFC 1321) and SHA-1 (Secure Hash
Algorithm, defined in FIPS-180-1). MD5 returns a 128-bit hash and SHA-1
returns a 160-bit hash. MD5 is faster in software than SHA-1, but SHA-1 is
generally regarded to be slightly more secure.

HMAC is a mechanism for calculating a keyed Message Authentication
Code which can use any one-way hash function. It allows for keys to be
handled the same way for all hash functions and it allows for different
sized hashes to be returned.

Another method of calculating a MAC is to use a symmetric block cypher
such as DES in CBC mode. This is done by encrypting the message and
using the last encrypted block as the MAC and appending this to the
original message (plain-text). Using CBC mode ensures that the whole
message affects the resulting MAC.

See also other documents in the category Allied Telesis Computer hardware: