Brocade Web Tools Administrator's Guide v6.2.0 (53-1001194-01, April 2009)
Web Tools Administrator’s Guide 243
53-1001194-01
IPSec Concepts
17
Internet Key Exchange (IKE) Concepts
Key exchange is used to authenticate the end points of an IP connection, and to determine security
policies for IP traffic over the connection. The initiating node proposes a policy based on the
following:
• An encryption algorithm to protect data.
• A hash algorithm to check the integrity of the authentication data.
• A Pseudo-Random Function (PRF) algorithm that can be used with the hash algorithm for
additional cryptographic strength.
• An authentication method requiring a digital signature, and optionally a certificate exchange.
• A Diffie-Hellman exchange that generates prime numbers used in establishing a shared secret
key.
Encryption algorithms
An encryption algorithm is used to encrypt messages used in the IKE negotiation. Table 20 lists the
available encryption algorithms. A brief description is provided. If you need further information,
please refer to the RFC.
Hash algorithms
Hash message authentication codes (HMAC) check data integrity through a mathematical
calculation on a message using a hash algorithm combined with a shared, secret key. The sending
computer uses the hash function and shared key to compute a checksum or code for the message,
and sends it to the receiving computer. The receiving computer must perform the same hash
function on the received message and shared key and compare the result. If the hash values are
different, it indicates that a third party may have tampered with the message in transit, and the
packet is rejected.
TABLE 20 Encryption algorithm options
Encryption Algorithm Description RFC Number
3des_cbc 3DES processes each block three times, using
a unique 56-bit key each time.
RFC 2451
null_enc No encryption is performed.
aes128_cbc Advanced Encryption Standard (AES) 128 bit
block cipher.
RFC 4869
aes256_cbc Advanced Encryption Standard (AES) 256 bit
block cipher.
RFC 4869
TABLE 21 Hash algorithm options
Hash Algorithm Description RFC/Publication Number
aes_xcbc Uses a cypher block and extended cypher block
chaining (CBC).
RFC 3566
hmac_md5 The MD5 computation produces a 128-bit
hash.
RFC 1321
hmac_sha1 The SHA1 computation produces a 160-bit
hash.
FIPS Pub 180-1