HP-UX IPSec Version A.03.00 Administrator's Guide
Shared Key Hash Functions
Shared key hash functions (also known as a symmetric key hash functions) are hash functions
that take a large block of variable-length data and a shared key as input and produce a small,
fixed-length hash value, or authentication code. The IPsec protocol suite uses a specific method
for producing the hash value and refers to the authentication value as the Hashed Message
Authentication Code (HMAC ).
Shared keyed hash functions are usually based on one-way hash functions: Starting with a hash
output value, it is difficult to create an input value that would generate the same output value,
even if no key is used. This makes it difficult for a third party to intercept a message and replace
it with a new message that generates the same authentication code. This ensures that only a
holder of the secret key can generate the correct authentication code.
In Figure 1-2, the sender, System A, uses the plaintext (data) and the shared key to calculate an
HMAC for the data and sends the HMAC with the data. The recipient, System B, computes its
own HMAC value using the same shared secret key and data. The recipient then compares the
result with the transmitted HMAC. If the HMAC values match, the recipient is assured that the
sender knows the same secret key, confirming the identity of the sender. The recipient is also
assured that the data was not altered during transit.
Figure 1-2 Shared Key Hash Function
Hash
Algorithm
Hash
Algorithm
Data
System A System B
Authentication
Value (HMAC)
Data
Authentication
Value (HMAC)
Key
HMAC’
Does
derived HMAC’=
received HMAC?
Integrity OK
No
Yes
Integrity
Bad
(Reject)
Key
Data
ESP Processing
On the sender (System A), the ESP module processes the outbound packet as follows:
1. The ESP module encrypts the IP payload using the encryption key (KeyE.
2. The ESP module collates an authentication value (the HMAC), for the encrypted payload
using the authentication key (KeyA) and appends the authentication value to the packet.
On the remote system (System B), the recipient ESP module processes the inbound ESP packet
as follows:
IPsec Protocol Suite 33