client rekey encryption
Use client rekey encryption to specify KEK encryption algorithms supported by a GM.
Use undo client rekey encryption to restore the default.
Syntax
In non-FIPS mode:
client rekey encryption { 3des-cbc | aes-cbc-128 | aes-cbc-192 | aes-cbc-256 | des-cbc } *
undo client rekey encryption
In FIPS mode:
client rekey encryption { aes-cbc-128 | aes-cbc-192 | aes-cbc-256 } *
undo client rekey encryption
Default
In non-FIPS mode, a GM supports DES-CBC, 3DES-CBC, AES-CBC-128, AES-CBC-192, and AES-CBC-256.
In FIPS mode, a GM supports AES-CBC-128, AES-CBC-192, and AES-CBC-256.
Views
GDOI GM group view
Predefined user roles
network-admin
Parameters
des-cbc: Specifies the DES algorithm in CBC mode, which uses a 64-bit key.
3des-cbc: Specifies the 3DES algorithm in CBC mode, which uses a 168-bit key.
aes-cbc-128: Specifies the AES algorithm in CBC mode that uses a 128-bit key.
aes-cbc-192: Specifies the AES algorithm in CBC mode that uses a 192-bit key.
aes-cbc-256: Specifies the AES algorithm in CBC mode that uses a 256-bit key.
Usage guidelines
This command specifies the KEK encryption algorithms supported in registration and rekey processes.
• During GM registration, a GM terminates the negotiation with the KS if the KEK encryption algorithm sent by the KS is not supported, and the registration fails.
• During rekey, the GM discards rekey messages received from the KS if the KEK encryption algorithm sent by the KS is not supported.
Examples
# Specify the supported KEK encryption algorithm as AES-CBC-128 for the GDOI GM group abc.
<Sysname> system-view
[Sysname] gdoi gm group abc
[Sysname-gdoi-gm-group-abc] client rekey encryption aes-cbc-128
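An added example, not part of the original command reference or vendor code: a Python audit that reads a saved configuration and reports, per GDOI GM group, which KEK algorithms outside the FIPS-mode set the GM would still accept, treating a group with no client rekey encryption line as using the non-FIPS default. The configuration layout (view command unindented, sub-commands indented by one space), the function name audit_gm_groups, and the sample text are assumptions.

```python
import re

# Algorithm sets taken from the Default section of this command reference.
NON_FIPS_DEFAULT = {"des-cbc", "3des-cbc", "aes-cbc-128", "aes-cbc-192", "aes-cbc-256"}
FIPS_SET = {"aes-cbc-128", "aes-cbc-192", "aes-cbc-256"}

GROUP_RE = re.compile(r"^gdoi gm group (\S+)\s*$")
REKEY_RE = re.compile(r"^\s+client rekey encryption\s+(.+?)\s*$")


def audit_gm_groups(config_text, fips_mode=False):
    """Return {group: sorted KEK algorithms accepted that are not in FIPS_SET}."""
    # Assumption: view commands start in column 0, their sub-commands are indented.
    default = FIPS_SET if fips_mode else NON_FIPS_DEFAULT
    effective = {}
    current = None
    for line in config_text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current = m.group(1)
            effective[current] = set(default)  # no explicit command: default applies
            continue
        if not line.startswith(" "):
            current = None  # left the group view ("#" separator or another view)
            continue
        m = REKEY_RE.match(line)
        if current and m:
            # The syntax allows several algorithms on one command line.
            effective[current] = set(m.group(1).split())
    return {g: sorted(algs - FIPS_SET) for g, algs in effective.items()}


# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
#
gdoi gm group abc
 client rekey encryption aes-cbc-128
#
gdoi gm group branch
 client rekey encryption 3des-cbc aes-cbc-256
#
gdoi gm group legacy
#
"""

if __name__ == "__main__":
    for group, weak in audit_gm_groups(SAMPLE_CONFIG).items():
        print(f"{group}: {'OK' if not weak else 'accepts ' + ', '.join(weak)}")
```

Groups reported with a non-empty list can be restricted with client rekey encryption and the AES options, provided the KS sends one of the remaining algorithms; otherwise registration fails as described in the usage guidelines.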
Related commands
gdoi gm group