Network Systems DesignLine | IPsec, a Tutorial--Part II

Get the latest news, products and how-to information on network systems. Sign up for the Network Systems DesignLine newsletter, a weekly e-mail guide dedicated to the needs of engineers developing networking equipment and components. Here is our RSS feed.








 Network Systems DesignLine » How-To » IP Networking

 
 HOW-TO : IP Networking

IPsec, a Tutorial--Part II

Here is Part II of a Network Systems DesignLine multi-series excerpt from Chapter 2: IPsec Fundamentals from the book IPsec Virtual Private Network Fundamentals. In this section we will describe the mechanics of cryptographic operations, including message hashing, message digests, and Digital Signatures.
By James Henry Carmouche Print This Story Send As Email Discuss This Story Reprints

Page 1 of 2

Network Systems Designline
(12/11/2006 3:19 AM EST)

Rate this article
WORSE | BETTER
1 2 3 4 5
Here's Part I.

Message Authentication, Message Integrity, and Sender Nonrepudiation Mechanisms
IPsec incorporates several cryptographic operations to ensure message authenticity, data integrity, and sender nonrepudiation. In this section we will describe the mechanics of these cryptographic operations, including message hashing, message digests, and Digital Signatures.

Hashing and Message Digests
Data integrity ensures that transmitted data has not been tampered with en route to its destination. Hashes can be deployed to ensure data integrity. A hash takes an input message of variable length and outputs fixed-length code. The fixed length code is then appended to the original message before transmission. A basic hashing function consists of an algorithm and a key that is known to both sender and receiver, as described in the scenario between James and Charlie illustrated in Figure 7.

Before sending his message to Charlie in Step 1 of Figure 7, James performs a mathematical operation, or hashing function, on the original message. The output of that mathematical operation is called a hash value, or message digest, which is then appended to the original message and sent to Charlie.

In Step 2 of Figure 7, Charlie then removes the hash value from the original message and runs the same hash operation on the original message received. Charlie then compares his has value with the one that James has sent appended to the original message. If the two hash values match, then Charlie can be assured that the message's integrity has not been compromised. That is to say that James' message to Charlie has not been modified and has not been spoofed by a source other than James himself.

Although message digests provide data integrity, they do not provide message authenticity unless the original message is hashed with a secret key shared between the two endpoints. This operation is commonly used in routing protocol authentication and also in the creation of hashed message authentication codes (HMACs) used for bulk data encryption by a symmetric key transform defined an IPsec SA.

In order for a hash to effectively provide data integrity, the hash operation must have the following characteristics:

  • Identical input messages must consistently yield the same output.
  • The input messages length can vary, but the length of the output of the hash operation must be of fixed length.
  • The output must be random, or give the appearance of randomness.
  • It must be irreversible, or one way--one should never be able to determine the original message by reversing the hash operation.
  • Each unique input message should yield a unique output value


Figure 7. Creating and Verifying a Message Digest

The most widely used hash algorithms are the Secure Hash Algorithm (SHA) and the Message Digest 5 algorithm (MD5). Both MD5 and SHA process input in 512-bit blocks, but the length of their output varies--MD5 outputs a 128-bit message digest, while the message digest output of SHA is 160 bits. As such, SHA is considered a stronger hash, but requires more processing power than the MD5 hash algorithm.

Note:
Although SHA-1 and MD5 are 160- and 128-bit computations, respectively, the length of the resulting hash is sometimes truncated to 96 bits in length in transmission.

Secure Cisco networks use hashing operations for a variety of things, including routing protocol authentication and in various applications of IPsec and IKE. Within the IPsec framework, hashing algorithms are used when appending message digests to the messages exchanged to generate shared secret keys during IKE, when collaborating with a certificate authority, when building Digital Signatures, and when computing a keyed messages authentication check for shared secret-key encryption.

Digital Signatures
Data authentication refers to information originating from the original valid source. Authentication in simple hashes can be compromised by data replay attacks and man-in-the-middle attacks. Digital Signatures use a combination of hashes and symmetric encryption in order to secure the integrity of the hash exchanged between two peers. Preserving data integrity ensures that a message has not been altered or compromised en route to its destination. A Digital Signature is an encrypted form of a hashed message. As such, a Digital Signature can be verified only by those parties containing the necessary public key that corresponds to the private key used to encrypt the hash. Therefore, if the Digital Signature is verified, its source is deemed to be authentic, as the public key would not decrypt a message digest value encrypted by a different private key. Consider again the exchange of a message between two routers, James and Charlie. A Digital Signature can be used to provide an additional level of authenticity over a standard hash. The first step that James takes to create the Digital Signature of his original message is derivation of a public and private key pair associated with the original message. Figure 8 illustrates the process of creating and validating a Digital Signature.



Page 2: next page Print This Story Send As Email Discuss This Story Reprints

Page 1 | 2


 
eSearch  

 Top 5 Most Read
 How-To Stories
1. 2. 3. 4. 5.

 Top 5 Most Read
 News Stories
1. 2. 3. 4. 5.

  • Introduction to Optical Transmission Systems

    		•
  • Optimizing Embedded Systems for Broadband 10 Gigabit Ethernet Connectivity

    		•
  • Interfacing a DS3231 with an 8051-Type Microcontroller

    		•
    The entire library >>  

    		 
     Top 5 Most Read
     Product Stories
    1. 2. 3. 4. 5.

     Sponsor

    EE Times TechCareers
    Search Jobs

    Enter Keyword(s):


    Function:


    State:
      

    Post Your Resume
    -----------------
    Employers Area
    Most Recent Posts More career-related news, resources and job postings for technology professionals

     Tech Library
    ¤ Looking for the appropriate Industry Association? This comprehensive, up-to-date list will take you to the right Web site for the help you need.

    ¤ Got a question about a standard? Here are direct links to resources detailing the industry's most important communications standards.

    ¤ Freshen up on technology, new and old, with these links to interesting and informative tutorials.

    More from TechLibrary
    Welcome to our DesignLine network of web communities. On these sites, we provide practical how-to technical information for engineers and engineering managers involved in Automotive,audio, DSP, DTV, EDA, Industrial Control, Mobile Handset, Power Management, Programmable Logic,RF,Video, and Wireless networking design. Check out the sites and let us know your thoughts.
    		 



    HOME  |  ABOUT  |  FEEDBACK  |  CONTACT
    Career Center | CommsDesign.com | Embedded.com | EE Times | TechOnline
    Planet Analog | DeepChip | eeProductCenter | Electronic Supply & Manufacturing | Webinars


    All material on this site Copyright © 2006 CMP Media LLC. All rights reserved
    Privacy Statement | Your California Privacy Rights | Terms of Service