HMAC to authenticate the source IKE-2
- Jean-luc KRIKER
https://www.juniper.net/documentation/en_US/junos/topics/concept/ipsec-authentication-solutions.html
HMAC:  Hash-based Message Authentication Code or Hash-based MAC Â
MAC # signature or cryptographic checksum
>>> the message has not been changed
Stream cypher ( Block ) are very quick, good for streaming traffic, mobile traffic.
| MACÂ | https://www.youtube.com/watch?v=DiLPn_ldAAQ&ab_channel=IntroductiontoCryptographybyChristofPaar |
|---|---|
| symmetrical key ( how to exchange/distribute/change keys ) | |
| 1 | Arbitrary Input length |
| 2 | Fix output length |
| 3 | message authentication: because of the secure channel use - build with private/public Key |
| 4 | Integrity ( change inline ) |
| 5 | None-repudiation is not given ( the Rx can create from the message the signature with the symmetrical key) |
| HMAC (Â Â Nested MAC(MAC(message) ) | Integrity and Authentication |
|---|---|
| 2 stage Hashing ( XOR ) with 2 different key ( ipad and opad ) | https://www.youtube.com/watch?v=wlSG3pEiQdc&ab_channel=Computerphile inner key / outer key Keys are 510bits ( fixed value, in the standard ) ipad: opad: HMAX(message) = h [ (K"+opad) || ( h(K"+ipad)||x)  ] |
Sender ( Data + pre-shared Key ) > hash>> HASH1Â send: Data + Hash1 | Â Receiver: ( Data + preshared key) Data > hash> Hash2Â Compare Hash2 wit rx Hash1 |
| Usage of HMAC | |
| IKE Phase 2 (in IPSEC VPN) | |
TLS (old name SSL)Â for website using HTTPS TLS replace the good old SSL / Secure Socket Layer control protocol TCP/443 |
