tcp-algorithm-id

Function

Using the tcp-algorithm-id command, you can specify a TCP algorithm ID that uniquely represents each authentication algorithm supported by the keychain.

Using the undo tcp-algorithm-id command, you can restore the default values specified by the Internet Assigned Numbers Authority (IANA).

By default, the algorithm IDs specified by IANA are used.

Format

tcp-algorithm-id md5 md5-algorithm-id

tcp-algorithm-id sha-1 sha1-algorithm-id

tcp-algorithm-id hmac-md5 hmac-md5-algorithm-id

tcp-algorithm-id hmac-sha1-12 hmac-sha1-12-algorithm-id

tcp-algorithm-id hmac-sha1-20 hmac-sha1-20-algorithm-id

tcp-algorithm-id hmac-sha-256 hmac-sha-256-algorithm-id

tcp-algorithm-id sha-256 sha-256-algorithm-id

tcp-algorithm-id sm3 sm3-algorithm-id

tcp-algorithm-id aes-128-cmac aes-128-cmac-id

undo tcp-algorithm-id md5

undo tcp-algorithm-id sha-1

undo tcp-algorithm-id hmac-md5

undo tcp-algorithm-id hmac-sha1-12

undo tcp-algorithm-id hmac-sha1-20

undo tcp-algorithm-id hmac-sha-256

undo tcp-algorithm-id sha-256

undo tcp-algorithm-id sm3

undo tcp-algorithm-id aes-128-cmac

Parameters

Parameter | Description | Value

md5

Indicates that MD5 is used for packet encryption and authentication.

To ensure high security, do not use the MD5 algorithm.

The length of the key is 16 bytes.

md5-algorithm-id

Specifies the TCP algorithm ID to represent the MD5 algorithm.

The value is a string of 1 to 63 characters. The default value is 3.

sha-1

Indicates that SHA-1 is used for packet encryption and authentication.

To ensure high security, do not use the SHA-1 algorithm.

The length of the key is 20 bytes.

sha1-algorithm-id

Specifies the TCP algorithm ID to represent the SHA-1 algorithm.

The value is a string of 1 to 63 characters. The default value is 4.

hmac-md5

Indicates that HMAC-MD5 is used for packet encryption and authentication.

The length of the key is 16 bytes.

hmac-md5-algorithm-id

Specifies the TCP algorithm ID to represent the HMAC-MD5 algorithm.

The value is a string of 1 to 63 characters. The default value is 5.

hmac-sha1-12

Indicates that HMAC-SHA1-12 is used for packet encryption and authentication.

The length of the key is 12 bytes.

hmac-sha1-12-algorithm-id

Specifies the TCP algorithm ID to represent the HMAC-SHA1-12 algorithm.

The value is a string of 1 to 63 characters. The default value is 2.

hmac-sha1-20

Indicates that HMAC-SHA1-20 is used for packet encryption and authentication.

The length of the key is 20 bytes.

hmac-sha1-20-algorithm-id

Specifies the TCP algorithm ID to represent the HMAC-SHA1-20 algorithm.

The value is a string of 1 to 63 characters. The default value is 6.

hmac-sha-256

Indicates that HMAC-SHA-256 is used for packet encryption and authentication.

HMAC-SHA-256 authentication is stronger and more secure than the other authentication modes. To ensure high security, the HMAC-SHA-256 authentication algorithm is recommended.

The length of the key is 32 bytes.

hmac-sha-256-algorithm-id

Specifies the TCP algorithm ID to represent the HMAC-SHA-256 algorithm.

The value is a string of 1 to 63 characters. The default value is 7.

sha-256

Indicates that SHA-256 is used for packet encryption and authentication.

The length of the key is 32 bytes.

sha-256-algorithm-id

Specifies the TCP algorithm ID to represent the SHA-256 algorithm.

The value is a string of 1 to 63 characters. The default value is 8.

sm3

Indicates that SM3 is used for packet encryption and authentication.

The length of the key is 32 bytes.

sm3-algorithm-id

Specifies the TCP algorithm ID to represent the SM3 algorithm.

The value is a string of 1 to 63 characters. The default value is 9.

aes-128-cmac

Indicates that AES-128-CMAC is used for packet encryption and authentication.

The length of the key is 16 bytes.

aes-128-cmac-id

Specifies the TCP algorithm ID to represent the AES-128-CMAC algorithm.

The value is a string of 1 to 63 characters. The default value is 10.

Views

Keychain view

Default Level

2: Configuration level

Task Name and Operations

Task name: key-chain
Operations: write

Usage Guidelines

Usage Scenario

A keychain ensures secure protocol packet transmission by changing the authentication algorithm and key dynamically. Packets transmitted over both non-TCP and TCP connections are authenticated using the authentication and encryption algorithms that correspond to a key ID. The difference is that the TCP connection itself must also be authenticated to enhance security.

The TCP connection is authenticated using the authentication algorithm identified by the algorithm ID. The algorithm ID is not defined by IANA, so different vendors use different algorithm IDs to identify the same authentication algorithm. When two devices from different vendors are connected, ensure that the algorithm IDs configured on the two devices are identical.

Prerequisites

The authentication algorithm used to authenticate the TCP connection needs to be specified.

Implementation Procedure

The algorithm IDs configured on the two communicating devices must be identical.

The characteristics of each authentication algorithm are as follows:

  • MD5 (Message Digest 5): The 128-bit MD5 message digest is calculated over an input message of any length.
  • SHA-1 (Secure Hash Algorithm 1): The 160-bit SHA-1 message digest is calculated over an input message shorter than 2^64 bits.
  • HMAC-MD5 (Keyed-Hashing for Message Authentication using MD5): The 128-bit HMAC-MD5 message digest is calculated based on a 512-bit block derived from the input of any length. If the input is shorter than 512 bits, it is padded with 0s to 512 bits. If the input is longer than 512 bits, it is first reduced to 128 bits with the MD5 algorithm and then padded with 0s to 512 bits.
  • HMAC-SHA1-12: The 160-bit HMAC-SHA1 message digest is calculated based on a 512-bit block derived from the input of any length. The leftmost 96 bits (12 x 8) are used as the authentication code.
  • HMAC-SHA1-20: The 160-bit HMAC-SHA1 message digest is calculated based on a 512-bit block derived from the input of any length. All 160 bits are used as the authentication code.
  • SHA-256: The 256-bit SHA-256 message digest is calculated over an input message shorter than 2^64 bits.
  • HMAC-SHA-256: The 256-bit HMAC-SHA-256 message digest is calculated based on a 512-bit block derived from the input of any length. All 256 bits are used as the authentication code.

    The calculation speed of the MD5 algorithm is faster than that of the SHA algorithm; the SHA algorithm is more secure than the MD5 algorithm. Compared with MD5 and SHA, HMAC is more secure, but slower in calculation speed. To ensure high security, do not use the MD5 or SHA-1 algorithm.
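The following added example (not Huawei code, and not part of the original page) models what the algorithm list above and the "algorithm IDs must be identical" requirement in the usage scenario mean in practice. Two peers each carry their own table of algorithm name to TCP algorithm ID; a segment is signed with the sender's ID and authentication code, and the receiver only accepts it if that ID maps to a known algorithm locally and the recomputed code matches. The HMAC modes are the standard-library HMAC with the truncation lengths the page states (12, 20 and 32 bytes); the plain md5, sha-1 and sha-256 modes are an assumption, modelled as digest(segment || key) in the style of the RFC 2385 TCP MD5 option. sm3 and aes-128-cmac are omitted because the Python standard library does not provide them portably. The key, segment bytes and the vendor-B table (which numbers hmac-sha-256 as 1, as in the page's configuration example) are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Callable, Dict, Tuple

MacFn = Callable[[bytes, bytes], bytes]  # (key, segment) -> authentication code


def _hmac_mode(hash_name: str, code_len: int) -> MacFn:
    """HMAC over the segment, keeping only the leftmost code_len bytes."""
    def mac(key: bytes, segment: bytes) -> bytes:
        return hmac.new(key, segment, hash_name).digest()[:code_len]
    return mac


def _keyed_digest_mode(hash_name: str) -> MacFn:
    """Plain-digest modes (md5, sha-1, sha-256). Assumption: modelled as
    digest(segment || key), the construction used by the RFC 2385 TCP MD5 option."""
    def mac(key: bytes, segment: bytes) -> bytes:
        return hashlib.new(hash_name, segment + key).digest()
    return mac


# Algorithm name -> MAC function. sm3 and aes-128-cmac are left out (no
# portable standard-library implementation).
MACS: Dict[str, MacFn] = {
    "md5": _keyed_digest_mode("md5"),
    "sha-1": _keyed_digest_mode("sha1"),
    "hmac-md5": _hmac_mode("md5", 16),
    "hmac-sha1-12": _hmac_mode("sha1", 12),    # leftmost 96 bits of HMAC-SHA1
    "hmac-sha1-20": _hmac_mode("sha1", 20),    # all 160 bits
    "hmac-sha-256": _hmac_mode("sha256", 32),  # all 256 bits
    "sha-256": _keyed_digest_mode("sha256"),
}

# Default TCP algorithm IDs as listed on the page.
DEFAULT_IDS: Dict[str, int] = {
    "md5": 3, "sha-1": 4, "hmac-md5": 5, "hmac-sha1-12": 2,
    "hmac-sha1-20": 6, "hmac-sha-256": 7, "sha-256": 8,
}


class Peer:
    """One end of an authenticated TCP connection with its own ID table."""

    def __init__(self, ids: Dict[str, int]) -> None:
        self.alg_to_id = dict(ids)
        self.id_to_alg = {alg_id: name for name, alg_id in ids.items()}

    def sign(self, alg_name: str, key: bytes, segment: bytes) -> Tuple[int, bytes]:
        """Return (algorithm ID, authentication code) carried with the segment."""
        return self.alg_to_id[alg_name], MACS[alg_name](key, segment)

    def verify(self, key: bytes, segment: bytes, alg_id: int, code: bytes) -> bool:
        """Accept only if the received ID maps to a locally known algorithm and
        the recomputed code matches; compare in constant time."""
        name = self.id_to_alg.get(alg_id)
        if name is None:
            return False  # the peer numbers its algorithms differently
        return hmac.compare_digest(MACS[name](key, segment), code)


# Constructed sample key and TCP segment bytes (not taken from the page).
KEY = b"constructed-shared-secret"
SEGMENT = b"\x00\xb3\x00\xb3" + b"constructed-BGP-OPEN-payload"


def interop_check() -> Dict[str, bool]:
    """Vendor A keeps the defaults (hmac-sha-256 = 7); vendor B numbers
    hmac-sha-256 as 1. Only peers with identical ID tables authenticate."""
    vendor_a = Peer(DEFAULT_IDS)
    vendor_b = Peer({**DEFAULT_IDS, "hmac-sha-256": 1})
    vendor_b_twin = Peer({**DEFAULT_IDS, "hmac-sha-256": 1})
    a_id, a_code = vendor_a.sign("hmac-sha-256", KEY, SEGMENT)
    b_id, b_code = vendor_b.sign("hmac-sha-256", KEY, SEGMENT)
    return {
        "a_to_a": vendor_a.verify(KEY, SEGMENT, a_id, a_code),
        "a_to_b": vendor_b.verify(KEY, SEGMENT, a_id, a_code),  # ID 7 unknown at B
        "b_to_b_twin": vendor_b_twin.verify(KEY, SEGMENT, b_id, b_code),
        "tampered": vendor_a.verify(KEY, SEGMENT + b"x", a_id, a_code),
    }


if __name__ == "__main__":
    for case, ok in interop_check().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

The mismatch case is the one the usage guidelines warn about: vendor A sends ID 7, vendor B has no algorithm registered under 7, so every segment is rejected even though both sides share the key and both intend HMAC-SHA-256. Aligning the tables (the page's `tcp-algorithm-id hmac-sha-256 1` on one side, or the `undo` form on the other) is the fix; the truncation difference between hmac-sha1-12 and hmac-sha1-20 is visible in the code lengths the MAC functions return.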

Precautions

Each algorithm ID uniquely identifies an algorithm.

Example

# Configure the hmac-sha-256 TCP algorithm-id as 1.
<HUAWEI> system-view
[~HUAWEI] keychain huawei mode absolute
[*HUAWEI-keychain-huawei] tcp-algorithm-id hmac-sha-256 1
Copyright © Huawei Technologies Co., Ltd.