Data authentication – Allied Telesis AT-S63 User Manual

Chapter 34: Encryption Keys

400

Section IX: Management Security

secret. Only the decryption, or private key, needs to be kept secret. The
other name for this type of algorithm is public key encryption. The public
and private key pair cannot be randomly assigned, but must be generated
together. In a typical scenario, a decryption station generates a key pair
and then distributes the public key to encrypting stations. This distribution
does not need to be kept secret, but it must be protected against the
substitution of the public key by a malicious third party. Another use for
asymmetrical encryption is as a digital signature. The signature station
publishes its public key, and then signs its messages by encrypting them
with its private key. To verify the source of a message, the receiver
decrypts the messages with the published public key. If the message that
results is valid, then the signing station is authenticated as the source of
the message.

The most common asymmetrical encryption algorithm is RSA. This
algorithm uses mathematical operations which are relatively easy to
calculate in one direction, but which have no known reverse solution. The
security of RSA relies on the difficulty of factoring the modulus of the RSA
key. Because key lengths of 512 bits or greater are used in public key
encryption systems, decrypting RSA encrypted messages is almost
impossible using current technology. The AT-S63 Management Software
uses the RSA algorithm.

Asymmetrical encryption algorithms require enormous computational
resources, making them very slow when compared to symmetrical
algorithms. For this reason they are normally only used on small blocks of
data (for example, exchanging symmetrical algorithm keys), and not for
entire data streams.

Data

Authentication

Data authentication for switches is driven by the need for organizations to
verify that sensitive data has not been altered.

Data authentication operates by calculating a message authentication
code (MAC), commonly referred to as a hash, of the original data and
appending it to the message. The MAC produced is a function of the
algorithm used and the key. Because it is easy to discover what type of
algorithm is being used, the security of an authentication system relies on
the secrecy of its key information. When the message is received by the
remote switch, another MAC is calculated and checked against the MAC
appended to the message. If the two MACs are identical, the message is
authentic.

Typically a MAC is calculated using a keyed one-way hash algorithm. A
keyed one-way hash function operates on an arbitrary-length message
and a key. It returns a fixed length hash. The properties which make the
hash function one-way are:

ˆ

It is easy to calculate the hash from the message and the key

ˆ

It is very hard to compute the message and the key from the hash