Encryption Algorithms; Ipsec Protocols - Juniper JUNOS OS 10.4 - FOR EX REV 1 Manual
Junos® OS for EX Series Ethernet Switches, Release 10.4
backwards from the resulting message digest. Likewise, a change to a single character in the message will cause it to generate a very different message digest number. To verify that the message has not been tampered with, Junos OS compares the calculated message digest against a message digest that is decrypted with a shared key. Junos OS uses the MD5 hashed message authentication code (HMAC) variant that provides an additional level of hashing. MD5 can be used with an authentication header (AH) and Encapsulating Security Payload (ESP).

Secure Hash Algorithm 1 (SHA-1) uses a stronger algorithm than MD5. SHA-1 takes a message of less than 2^64 bits in length and produces a 160-bit message digest. The large message digest ensures that the data has not been changed and that it originates from the correct source. Junos OS uses the SHA-1 HMAC variant that provides an additional level of hashing. SHA-1 can be used with AH, ESP, and Internet Key Exchange (IKE).
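The receiver-side check described above, as an added Python example that is not part of the manual and not Junos code: the shared key and message are constructed values, the HMAC is computed with the standard library, and the comparison is constant-time. The 96-bit truncation is the one IPsec uses for HMAC-MD5-96 (RFC 2403) and HMAC-SHA-1-96 (RFC 2404); the manual itself does not mention it. `tamper_sensitivity` shows the "single character changes the whole digest" property in practice.

```python
import hashlib
import hmac

# Constructed sample values; not taken from the manual.
SHARED_KEY = b"example-shared-key-not-a-real-secret"
MESSAGE = b"spi=0x00001000 seq=7 payload=hello"

DIGEST_BYTES = {"md5": 16, "sha1": 20}   # MD5 -> 128-bit, SHA-1 -> 160-bit digest


def compute_mac(key: bytes, message: bytes, algorithm: str) -> bytes:
    """HMAC of `message` under the shared `key` using MD5 or SHA-1."""
    if algorithm not in DIGEST_BYTES:
        raise ValueError("only md5 and sha1 are modelled here")
    return hmac.new(key, message, getattr(hashlib, algorithm)).digest()


def truncate_96(mac: bytes) -> bytes:
    """IPsec carries only the leftmost 96 bits of the HMAC
    (HMAC-MD5-96, RFC 2403; HMAC-SHA-1-96, RFC 2404)."""
    return mac[:12]


def verify_mac(key: bytes, message: bytes, received: bytes, algorithm: str) -> bool:
    """Receiver side: recompute the truncated HMAC and compare in constant time."""
    expected = truncate_96(compute_mac(key, message, algorithm))
    return hmac.compare_digest(expected, received)


def differing_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    if len(a) != len(b):
        raise ValueError("digests must be the same length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def tamper_sensitivity(key: bytes, message: bytes, algorithm: str) -> int:
    """Flip one bit of the first message byte and report how many digest bits change."""
    tampered = bytearray(message)
    tampered[0] ^= 0x01
    return differing_bits(compute_mac(key, message, algorithm),
                          compute_mac(key, bytes(tampered), algorithm))


if __name__ == "__main__":
    for alg in DIGEST_BYTES:
        tag = truncate_96(compute_mac(SHARED_KEY, MESSAGE, alg))
        print(alg, tag.hex(), verify_mac(SHARED_KEY, MESSAGE, tag, alg),
              tamper_sensitivity(SHARED_KEY, MESSAGE, alg), "digest bits changed")
```

`hmac.compare_digest` matters on the receiving side: a byte-by-byte `==` on the tag leaks, through timing, how many leading bytes of the forged tag were right.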
Encryption encodes data into a secure format so that it cannot be deciphered by unauthorized users. As with authentication algorithms, a shared key is used with encryption algorithms to verify the authenticity of IPsec devices. Junos OS uses the following encryption algorithms:

Data Encryption Standard cipher-block chaining (DES-CBC) is a symmetric secret-key block algorithm. DES uses a key size of 64 bits, where 8 bits are used for error detection and the remaining 56 bits provide encryption. DES performs a series of simple logical operations on the shared key, including permutations and substitutions. CBC takes the first block of 64 bits of output from DES, combines this ciphertext block with the next plaintext block, feeds the result back into the DES algorithm, and repeats this process for all subsequent blocks.

Triple DES-CBC (3DES-CBC) is an encryption algorithm that is similar to DES-CBC but provides a much stronger encryption result because it uses three keys for 168-bit (3 x 56-bit) encryption. 3DES works by using the first key to encrypt the blocks, the second key to decrypt the blocks, and the third key to reencrypt the blocks.
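The three structural points in the two paragraphs above (the 64-bit DES key with 8 parity bits and 56 effective bits, the CBC chaining of one block into the next, and the encrypt-decrypt-encrypt order of 3DES) as an added Python example; this is not the manual's or Junos's code. The Python standard library has no DES core, so `block_encrypt`/`block_decrypt` are a constructed, deliberately non-cryptographic 64-bit stand-in; only the parity, CBC and EDE logic built on top of them is the point. The sample keys, IV and plaintext are constructed.

```python
BLOCK = 8                 # DES works on 64-bit (8-byte) blocks
MASK64 = (1 << 64) - 1


def has_odd_parity(byte: int) -> bool:
    return bin(byte).count("1") % 2 == 1


def des_key_parity_ok(key: bytes) -> bool:
    """A DES key is 64 bits, but the low bit of each byte is an odd-parity
    check bit: 8 bits for error detection, 56 bits of actual key."""
    return len(key) == BLOCK and all(has_odd_parity(b) for b in key)


def set_des_key_parity(key: bytes) -> bytes:
    """Rewrite the parity bit of each byte so the key passes the parity check."""
    fixed = bytearray()
    for b in key:
        top7 = b & 0xFE
        fixed.append(top7 | (0 if has_odd_parity(top7) else 1))
    return bytes(fixed)


# --- Stand-in 64-bit block cipher (constructed; NOT DES, NOT secure) -------
# Any invertible keyed permutation will do to show the structure around it.
def block_encrypt(key: bytes, block: bytes) -> bytes:
    v = int.from_bytes(block, "big") ^ int.from_bytes(key, "big")
    v = ((v << 9) | (v >> 55)) & MASK64          # rotate left by 9 bits
    return v.to_bytes(BLOCK, "big")


def block_decrypt(key: bytes, block: bytes) -> bytes:
    v = int.from_bytes(block, "big")
    v = ((v >> 9) | (v << 55)) & MASK64          # rotate right by 9 bits
    v ^= int.from_bytes(key, "big")
    return v.to_bytes(BLOCK, "big")


# --- 3DES: encrypt with key 1, decrypt with key 2, re-encrypt with key 3 ---
def ede_encrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    return block_encrypt(k3, block_decrypt(k2, block_encrypt(k1, block)))


def ede_decrypt(k1: bytes, k2: bytes, k3: bytes, block: bytes) -> bytes:
    return block_decrypt(k1, block_encrypt(k2, block_decrypt(k3, block)))


# --- Cipher-block chaining over any single-block function -----------------
def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(enc, iv: bytes, plaintext: bytes) -> bytes:
    """Each plaintext block is XORed with the previous ciphertext block
    (the IV for the first block) before going through the block cipher."""
    if len(plaintext) % BLOCK or len(iv) != BLOCK:
        raise ValueError("plaintext must be a whole number of 8-byte blocks")
    prev, out = iv, bytearray()
    for i in range(0, len(plaintext), BLOCK):
        prev = enc(xor_bytes(prev, plaintext[i:i + BLOCK]))
        out += prev
    return bytes(out)


def cbc_decrypt(dec, iv: bytes, ciphertext: bytes) -> bytes:
    if len(ciphertext) % BLOCK or len(iv) != BLOCK:
        raise ValueError("ciphertext must be a whole number of 8-byte blocks")
    prev, out = iv, bytearray()
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += xor_bytes(prev, dec(cur))
        prev = cur
    return bytes(out)


def des_cbc_encrypt(key, iv, pt):
    return cbc_encrypt(lambda b: block_encrypt(key, b), iv, pt)


def des_cbc_decrypt(key, iv, ct):
    return cbc_decrypt(lambda b: block_decrypt(key, b), iv, ct)


def tdes_cbc_encrypt(k1, k2, k3, iv, pt):
    return cbc_encrypt(lambda b: ede_encrypt(k1, k2, k3, b), iv, pt)


def tdes_cbc_decrypt(k1, k2, k3, iv, ct):
    return cbc_decrypt(lambda b: ede_decrypt(k1, k2, k3, b), iv, ct)


# Constructed sample material (not from the manual).
K1 = set_des_key_parity(bytes(range(0, 8)))
K2 = set_des_key_parity(bytes(range(8, 16)))
K3 = set_des_key_parity(bytes(range(16, 24)))
IV = bytes(range(1, 9))
PT = b"sixteen byte msg"   # two 64-bit blocks
```

Two properties worth checking once this runs: a change to the first plaintext block changes every later ciphertext block (that is the chaining), and `tdes_cbc_encrypt(K1, K1, K1, ...)` equals `des_cbc_encrypt(K1, ...)`, which is exactly why the EDE order was chosen for 3DES (backward compatibility with single DES) and also why using one key three times gives none of the extra strength the manual attributes to 3DES.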
IPsec protocols determine the type of authentication and encryption applied to packets that are secured by the switch. Junos OS supports the following IPsec protocols:

AH—Defined in RFC 2402, AH provides connectionless integrity and data origin authentication for IPv4. It also provides protection against replays. AH authenticates as much of the IP header as possible, as well as the upper-level protocol data. However, some IP header fields might change in transit. Because the value of these fields might not be predictable by the sender, they cannot be protected by AH. In an IP header, AH can be identified with a value of 51 in the Protocol field of an IPv4 packet.

ESP—Defined in RFC 2406, ESP can provide encryption and limited traffic flow confidentiality or connectionless integrity, data origin authentication, and an anti-replay service. In an IP header, ESP can be identified with a value of 50 in the Protocol field of an IPv4 packet.
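How a receiver tells the two protocols apart from the Protocol field (51 for AH, 50 for ESP) and what the anti-replay service both of them offer looks like, as an added Python example that is not the manual's or Junos's code. The packets are constructed with a minimal IPv4 header; the AH and ESP field layouts follow RFC 2402 and RFC 2406, and the sliding-window replay check is the standard bitmap scheme (window size and sequence numbers are constructed).

```python
import struct

IPPROTO_ESP = 50              # Protocol field value identifying ESP (RFC 2406)
IPPROTO_AH = 51               # Protocol field value identifying AH (RFC 2402)
IPV4_FMT = "!BBHHHBBH4s4s"    # 20-byte IPv4 header without options


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Constructed IPv4 header for the sample packets (checksum left as zero)."""
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst)
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    ver_ihl, _tos, total, _id, _ff, _ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total < ihl or len(packet) < total:
        raise ValueError("malformed IPv4 header")
    return {"protocol": proto, "src": src, "dst": dst, "payload": packet[ihl:total]}


def parse_ah(payload: bytes) -> dict:
    """AH (RFC 2402): next header, payload length in 32-bit words minus 2,
    reserved, SPI, sequence number, then the integrity check value."""
    if len(payload) < 12:
        raise ValueError("AH header truncated")
    next_hdr, plen, _res, spi, seq = struct.unpack("!BBHII", payload[:12])
    ah_len = (plen + 2) * 4
    if len(payload) < ah_len:
        raise ValueError("AH ICV truncated")
    return {"next_header": next_hdr, "spi": spi, "seq": seq,
            "icv": payload[12:ah_len], "data": payload[ah_len:]}


def parse_esp(payload: bytes) -> dict:
    """ESP (RFC 2406): SPI and sequence number are in the clear; the rest is encrypted."""
    if len(payload) < 8:
        raise ValueError("ESP header truncated")
    spi, seq = struct.unpack("!II", payload[:8])
    return {"spi": spi, "seq": seq, "encrypted": payload[8:]}


def classify(packet: bytes):
    """Return ('AH' | 'ESP' | 'other', parsed header or None) from the Protocol field."""
    ip = parse_ipv4(packet)
    if ip["protocol"] == IPPROTO_AH:
        return "AH", parse_ah(ip["payload"])
    if ip["protocol"] == IPPROTO_ESP:
        return "ESP", parse_esp(ip["payload"])
    return "other", None


class ReplayWindow:
    """Sliding-window anti-replay check of the kind AH and ESP provide: a bitmap
    over the last `size` sequence numbers, bit 0 being the highest seen so far."""

    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0:
            return False                       # 0 is never valid with anti-replay enabled
        if seq > self.top:                     # newer than anything seen: slide the window
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.bitmap |= 1
            self.top = seq
            return True
        back = self.top - seq
        if back >= self.size:                  # older than the window: drop
            return False
        if self.bitmap & (1 << back):          # already received: replay, drop
            return False
        self.bitmap |= 1 << back               # in window, first time: accept and mark
        return True


def replay_decisions(seqs, size: int = 64) -> list:
    """Accept/drop decision for each sequence number, in arrival order."""
    win = ReplayWindow(size)
    return [win.accept(s) for s in seqs]


# Constructed sample packets (not captured traffic). AH payload length 4 -> 24-byte AH.
AH_PACKET = build_ipv4(IPPROTO_AH, struct.pack("!BBHII", 6, 4, 0, 0x1000, 7) + b"\xaa" * 12 + b"tcp-segment")
ESP_PACKET = build_ipv4(IPPROTO_ESP, struct.pack("!II", 0x2000, 3) + b"\x55" * 24)
TCP_PACKET = build_ipv4(6, b"plain tcp")
```

The replay window is per security association (per SPI and direction), so a real implementation keys a `ReplayWindow` by the SPI it parsed; the ICV check on AH, or the integrity check on ESP, must pass before the window is updated, otherwise a forged packet with a high sequence number could slide the window past legitimate traffic.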
Copyright © 2010, Juniper Networks, Inc.