Introduction; Authentication; Encryption - Patton electronics SmartWare R.3.20 Software Configuration Manual

SmartWare Software Configuration Guide

Introduction

This chapter describes how to configure the VPN connections between two SmartNodes or between a
SmartNode and a third-party device.
A virtual private network (VPN) is a private data network that uses the public telecommunications infrastruc-
ture, maintaining privacy through the use of a tunneling protocol and security procedures.
There are different technologies to implement a VPN. SmartWare applies the internet protocol security (IPsec)
Architecture (see RFC 2401). The following sections describe the main building blocks of the IPsec architec-
ture as implemented in SmartWare.

Authentication

Authentication verifies the integrity of data stream and ensures that it is not tampered with while in transit. It
also provides confirmation about data stream origin.
Two authentication protocols are available:
• Authentication header (AH): protects the IP payload, the IP header, and the authentication header itself
• Encapsulating security payload (ESP): protects the IP payload and the ESP header and trailer, but not the
IP header
Two algorithms perform the authentication:
• HMAC-MD5-96: is a combination of the keyed-hashing for message authentication (HMAC) and the mes-
sage digest version 5 (MD5) hash algorithm. It requires an authenticator of 128-bit length and calculates a
hash of 96 bits over the packet to be protected (see RFC 2403).
• HMAC-SHA1-96: is a combination of the (HMAC) and the secure hash algorithm version 1 (SHA1). It
requires an authenticator of 160 bit length and calculates a hash of 96 bits over the packet to be protected
(see RFC 2404).

Encryption

Encryption protects the data in transit from unauthorized access. Encapsulating security payload (ESP) is the
protocol to transport encrypted IP packets over IP (see RFC 2406).
The following encryption algorithms are available:
DES-CBC (Data Encryption Standard - Cipher Block Chaining)
3DES-CBC (Triple Data Encryption Standard - Cipher Block Chaining)
AES-CBC (Advanced Encryption Standard - Cipher Block Chaining)
a. The 3DES algorithm uses only 112 out of the 128 Bit or 168 out of the 192 Bit as key information. Cisco only supports 192 Bit keys with 3DES.
The single DES algorithm no longer offers adequate security because of its short key length (a minimum key
length 100 bits is recommended). The AES algorithm is very efficient and allows the fastest encryption. AES
with a key length of 128 bits is therefore the recommended algorithm.

Introduction

25 • VPN configuration
Key Length [Bit]
56
a
128 or 192
128, 192, or 256
RFC
2405
1851
3268
282