Hash algorithms, Pseudo-random function algorithm, Public key certificate-based authentication – Brocade Web Tools Administrators Guide (Supporting Fabric OS v7.3.0) User Manual

Hash algorithms

Hash message authentication codes (HMAC) check data integrity through a mathematical calculation
on a message using a hash algorithm combined with a shared, secret key. The following table lists the
available encryption algorithms. The sending computer uses the hash function and shared key to
compute a checksum or code for the message, and sends it to the receiving computer. The receiving
computer must perform the same hash function on the received message and shared key and compare
the result. If the hash values are different, it indicates that a third party may have tampered with the
message in transit, and the packet is rejected.

Hash algorithm options

TABLE 22

Hash algorithm Description

RFC/Publication number

aes_xcbc

Uses a cypher block and extended cypher block chaining (CBC).

RFC 3566

hmac_md5

The MD5 computation produces a 128-bit hash.

RFC 1321

hmac_sha1

The SHA1 computation produces a 160-bit hash.

FIPS Pub 180-1

Pseudo-Random Function algorithm

The Pseudo-Random Function (PRF) algorithm generates output that appears to be random data, using
the HMAC chosen as the hash algorithm as the seed value. PRF is used to strengthen security.

Public key certificate-based authentication

Industry standard X.500 database servers are available as certificate authority servers to enable
certificate-based authentication of computers.

SA lifetime

The SA lifetime may be defined as the number of bytes transmitted before the SA is rekeyed, or as a
time value in seconds, or both. When both are used, the SA lifetime is determined by the threshold that
is first reached. Whenever an SA lifetime expires, the security association (SA) is renegotiated and the
key is refreshed or regenerated.

For example, if a 200 MB file is transferred with a 100 MB lifetime, at least two keys are generated. If a
communication takes one hour, and you specify a lifetime of 300 seconds (five minutes), more than 12
keys may be generated to complete the communication.

The SA lifetime limits the length of time a key is used before it is replaced by a new key, thus limiting
the amount of time a given key is available to a potential attacker. Part of a message may be protected
by an old key, while new keys protect the remainder of the message, so even if an attacker deciphers
one key, only a portion of the message is vulnerable.

Diffie-Hellman groups

Diffie-Hellman (DH) groups are used to determine the length of the base prime numbers for the Diffie-
Hellman exchange. Diffie-Hellman key exchange is a cryptographic protocol that allows two parties that
have no prior knowledge of each other to jointly establish a shared secret key over an insecure
communications channel.

Hash algorithms

Web Tools Administrator's Guide

227

53-1003169-01