Table 21, Hash algorithms, Pseudo-random function algorithm – Dell POWEREDGE M1000E User Manual

Web Tools Administrator’s Guide

233

53-1001772-01

IPsec concepts

17

DRAFT: BROCADE CONFIDENTIAL

Hash algorithms

Hash message authentication codes (HMAC) check data integrity through a mathematical
calculation on a message using a hash algorithm combined with a shared, secret key.

Table 21

lists

the available encryption algorithms. The sending computer uses the hash function and shared key
to compute a checksum or code for the message, and sends it to the receiving computer. The
receiving computer must perform the same hash function on the received message and shared key
and compare the result. If the hash values are different, it indicates that a third party may have
tampered with the message in transit, and the packet is rejected.

Pseudo-Random Function algorithm

The Pseudo-Random Function (PRF) algorithm generates output that appears to be random data,
using the HMAC chosen as the hash algorithm as the seed value. PRF is used to strengthen
security.

Public key certificate-based authentication

Industry standard X.500 database servers are available as certificate authority servers to enable
certificate-based authentication of computers.

SA lifetime

The SA lifetime may be defined as the number of bytes transmitted before the SA is rekeyed, or as
a time value in seconds, or both. When both are used, the SA lifetime is determined by the
threshold that is first reached. Whenever an SA lifetime expires, the security association (SA) is
renegotiated and the key is refreshed or regenerated.

For example, if a 200 MB file is transferred with a 100 MB lifetime, at least two keys are generated.
If a communication takes one hour, and you specify a lifetime of 300 seconds (five minutes), more
than 12 keys may be generated to complete the communication.

The SA lifetime limits the length of time a key is used before it is replaced by a new key, thus
limiting the amount of time a given key is available to a potential attacker. Part of a message may
be protected by an old key, while new keys protect the remainder of the message, so even if an
attacker deciphers one key, only a portion of the message is vulnerable.

Diffie-Hellman groups

Diffie-Hellman (DH) groups are used to determine the length of the base prime numbers for the
Diffie-Hellman exchange. Diffie-Hellman key exchange is a cryptographic protocol that allows two
parties that have no prior knowledge of each other to jointly establish a shared secret key over an
insecure communications channel.

TABLE 21

Hash algorithm options

Hash algorithm

Description

RFC/Publication number

aes_xcbc

Uses a cypher block and extended cypher block
chaining (CBC).

RFC 3566

hmac_md5

The MD5 computation produces a 128-bit
hash.

RFC 1321

hmac_sha1

The SHA1 computation produces a 160-bit
hash.

FIPS Pub 180-1