Key exchange algorithms – Allied Telesis AT-S63 User Manual

AT-S63 Management Software Menus Interface User’s Guide

Section IV: Security

557

Typically a MAC is calculated using a keyed one-way hash algorithm. A
keyed one-way hash function operates on an arbitrary-length message
and a key. It returns a fixed length hash. The properties which make the
hash function one-way are:

❑ It is easy to calculate the hash from the message and the key

❑ It is very hard to compute the message and the key from the hash

❑ It is very hard to find another message and key which give the

same hash

The two most commonly used one-way hash algorithms are MD5
(Message Digest 5, defined in RFC 1321) and SHA-1 (Secure Hash
Algorithm, defined in FIPS-180-1). MD5 returns a 128-bit hash and SHA-1
returns a 160-bit hash. MD5 is faster in software than SHA-1, but SHA-1 is
generally regarded to be slightly more secure.

HMAC is a mechanism for calculating a keyed Message Authentication
Code which can use any one-way hash function. It allows for keys to be
handled the same way for all hash functions and it allows for different
sized hashes to be returned.

Another method of calculating a MAC is to use a symmetric block cypher
such as DES in CBC mode. This is done by encrypting the message and
using the last encrypted block as the MAC and appending this to the
original message (plain-text). Using CBC mode ensures that the whole
message affects the resulting MAC.

Key Exchange

Algorithms

Key exchange algorithms are used by switches to securely generate and
exchange encryption and authentication keys with other switches.
Without key exchange algorithms, encryption and authentication
session keys must be manually changed by the system administrator.
Often, it is not practical to change the session keys manually. Key
exchange algorithms enable switches to re-generate session keys
automatically and on a frequent basis.

The most important property of any key exchange algorithm is that only
the negotiating parties are able to decode, or generate, the shared
secret. Because of this requirement, public key cryptography plays an
important role in key exchange algorithms. Public key cryptography
provides a method of encrypting a message which can only be
decrypted by one party. A switch can generate a session key, encrypt the
key using public key cryptography, transmit the key over an insecure
channel, and be certain that the key can only be decrypted by the
intended recipient. Symmetrical encryption algorithms can also be used
for key exchange, but commonly require an initial shared secret to be
manually entered into all switches in the secure network.