algorithm

Function

The algorithm command specifies the authentication algorithm associated with a key ID.

The undo algorithm command deletes the algorithm configured for that key ID.

By default, no algorithm is configured.

Format

algorithm { md5 | sha-1 | hmac-md5 | hmac-sha1-12 | hmac-sha1-20 | hmac-sha-256 | sha-256 | sm3 | aes-128-cmac }

undo algorithm

Parameters

Parameter: md5
Description: Indicates that MD5 is used for packet encryption and authentication. To ensure high security, do not use the MD5 algorithm.
Value: -

Parameter: sha-1
Description: Indicates that SHA-1 is used for packet encryption and authentication. To ensure high security, do not use the SHA-1 algorithm.
Value: -

Parameter: hmac-md5
Description: Indicates that HMAC-MD5 (Keyed-Hashing for Message Authentication with Message Digest 5) is used for packet encryption and authentication.
Value: -

Parameter: hmac-sha1-12
Description: Indicates that HMAC-SHA1-12 (HMAC with Secure Hash Algorithm 1, 12-byte authentication code) is used for packet encryption and authentication.
Value: -

Parameter: hmac-sha1-20
Description: Indicates that HMAC-SHA1-20 is used for packet encryption and authentication.
Value: -

Parameter: hmac-sha-256
Description: Indicates that HMAC-SHA-256 (HMAC with Secure Hash Algorithm 256) is used for packet encryption and authentication. HMAC-SHA-256 authentication mode is better and more secure than the other authentication modes. To ensure high security, the HMAC-SHA-256 authentication algorithm is recommended.
Value: -

Parameter: sha-256
Description: Indicates that SHA-256 is used for packet encryption and authentication.
Value: -

Parameter: sm3
Description: Indicates that SM3 is used for packet encryption and authentication.
Value: -

Parameter: aes-128-cmac
Description: Specifies that the message authentication algorithm used is AES-128-CMAC.
Value: -

Views

weekly Key-ID view, yearly Key-ID view, daily Key-ID view, monthly Key-ID view, absolute Key-ID view

Default Level

2: Configuration level

Task Name and Operations

Task Name: key-chain
Operations: write

Usage Guidelines

Usage Scenario

A keychain secures application protocol packet transmission by dynamically changing the authentication algorithm and key string. A keychain consists of multiple key IDs, each of which must be configured with an authentication algorithm. Different key IDs are valid in different time periods, so the authentication algorithm used by the keychain changes dynamically.

Packets are authenticated and encrypted with the authentication algorithm associated with the specified key ID, which improves packet transmission security.

The characteristics of each authentication algorithm are as follows:

  • Message Digest 5 (MD5): generates a 128-bit message digest from an input message of any length.
  • SHA-1: accepts input messages shorter than 2^64 bits and generates 160-bit message digests.
  • HMAC-MD5 (Keyed-Hashing for Message Authentication with MD5): converts input of any length into a 512-bit block and generates a 128-bit message digest. If the input is shorter than 512 bits, it is padded with 0s to 512 bits. If the input is longer than 512 bits, it is first reduced to 128 bits with MD5 and then padded with 0s to 512 bits.
  • HMAC-SHA1-12: a 160-bit HMAC-SHA1 message digest is generated from the 512-bit block converted from the input message of any length. The most significant 96 bits (12 x 8) are used as the authentication code.
  • HMAC-SHA1-20: a 160-bit HMAC-SHA1 message digest is generated from the 512-bit block converted from the input message of any length. All 160 bits are used as the authentication code.
  • SHA-256: accepts input messages shorter than 2^64 bits and generates 256-bit message digests.
  • HMAC-SHA-256: a 256-bit HMAC-SHA-256 message digest is generated from the 512-bit block converted from the input message of any length. All 256 bits are used as the authentication code.
  • SM3: accepts input messages shorter than 2^64 bits and generates 256-bit message digests.
  • AES-128-CMAC: generates a 128-bit message digest from a 128-bit message input.

MD5 is faster to compute than SHA, and SHA is more secure than MD5. HMAC is more secure than both MD5 and SHA but slower to compute. MD5 and SHA-1 are not recommended because they are less secure.

Prerequisites

Key IDs have been configured.

Precautions

Key IDs configured on the sender and receiver of packets must be associated with the same authentication and encryption algorithm. Otherwise, the packets fail authentication and transmission fails.

If no algorithm is configured, the key ID never becomes active.

The aes-128-cmac algorithm is used only when the key of the keychain is bound to TCP-AO authentication. Keychain authentication itself cannot use the aes-128-cmac algorithm.
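The following is an added example, not part of this Huawei document, that works through the HMAC characteristics listed above (the 512-bit block handling of the key and the 12-byte truncation of hmac-sha1-12) and the precaution that sender and receiver must use the same algorithm. The algorithm names are the command's own parameters; the key string, packet bytes and function names are constructed for the example, and the plain-hash modes and aes-128-cmac are left out.

```python
import hashlib
import hmac

# Keychain algorithm -> (underlying hash, bytes of digest kept as authentication code).
# Per the characteristics above, hmac-sha1-12 keeps only the most significant
# 96 bits (12 bytes) of the 160-bit HMAC-SHA1 digest; the others keep every bit.
ALGORITHMS = {
    "hmac-md5": ("md5", 16),
    "hmac-sha1-12": ("sha1", 12),
    "hmac-sha1-20": ("sha1", 20),
    "hmac-sha-256": ("sha256", 32),
}
BLOCK = 64  # 512-bit block of MD5, SHA-1 and SHA-256


def hmac_rfc2104(key: bytes, message: bytes, hash_name: str) -> bytes:
    """HMAC written out step by step (RFC 2104) to show the 512-bit key handling:
    a key longer than one block is hashed first, then zero-padded to one block."""
    digest = lambda data: hashlib.new(hash_name, data).digest()
    if len(key) > BLOCK:
        key = digest(key)
    key = key.ljust(BLOCK, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    return digest(opad + digest(ipad + message))


def matches_stdlib(key: bytes, message: bytes, hash_name: str) -> bool:
    """Cross-check the hand-written HMAC against Python's hmac module."""
    return hmac_rfc2104(key, message, hash_name) == hmac.new(key, message, hash_name).digest()


def authentication_code(algorithm: str, key_string: bytes, packet: bytes) -> bytes:
    """Authentication code the sender appends for the configured keychain algorithm."""
    hash_name, keep = ALGORITHMS[algorithm]
    return hmac_rfc2104(key_string, packet, hash_name)[:keep]


def receiver_accepts(algorithm: str, key_string: bytes, packet: bytes, code: bytes) -> bool:
    """Receiver side: recompute with its own configured algorithm, compare in constant time."""
    return hmac.compare_digest(authentication_code(algorithm, key_string, packet), code)


if __name__ == "__main__":
    key = b"constructed-key-string"          # constructed sample key string
    packet = b"constructed protocol packet"  # constructed sample packet bytes
    code = authentication_code("hmac-sha-256", key, packet)
    print("same algorithm on both ends:", receiver_accepts("hmac-sha-256", key, packet, code))
    # A receiver configured with a different algorithm rejects the packet (see Precautions).
    print("receiver using hmac-sha1-20:", receiver_accepts("hmac-sha1-20", key, packet, code))
```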

Example

# Configure algorithm HMAC-SHA-256 on key-id 1.
<HUAWEI> system-view
[~HUAWEI] keychain huawei mode absolute
[*HUAWEI-keychain-huawei] key-id 1
[*HUAWEI-keychain-huawei-keyid-1] algorithm hmac-sha-256
Copyright © Huawei Technologies Co., Ltd.