Avaya Data Encryption User Manual
Configuring Data Encryption Services
BayRS Version 12.10
Site Manager Software Version 6.10
Part No. 117386-B Rev 00
February 1998
4401 Great America Pa rkw ay 8 Federal S treet
Santa Clara, CA 95054 Billerica, MA 01821
Copyright © 1998 Bay Networks, Inc.
All rights reserved. Printed in the USA. February 1998.
The information in this document is subject to change without notice. The statements, configurations, technical data,
and recommendations in this document are believed to be accurate and reliable, but are presented without express or
implied warranty. Users must take full responsibility fo r th eir a pplic a tio ns of any products specified in this document.
The information in this document is proprietary to Bay Networks, Inc.
The software described in this document is furnished under a license agreement and may only be used in accordance
with the terms of that licen se. A summary of the Software License is included in this document.
Trademarks
AN, BN, and Bay Networks are registered trademarks and Advanced Remote Node, ARN, ASN, System 5000, and
the Bay Networks logo are trademarks of Bay Networks, Inc.
All other trademarks and registered trademarks are t he property of their respective owners.
Restricted Rights Legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Sof tware clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer
software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in
the Commercial Computer Software-Restricted Rights cl ause at FAR 52. 227-19.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, Bay Networks, Inc. reserves the
right to make changes to the pr oducts described in this document without notice.
Bay Networks, Inc. does not assume any liability that may occur du e to the use or application of the product(s) or
circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All
rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided th at the
above copyright notice and this paragraph are duplicated in all such forms and that any docu mentation, advertising
materials, and other materials related to such distribution and use acknowledge that su ch portions of the software were
developed by the University of California, Berkeley. The name of the University may not be used to endorse or
promote products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information containe d herein are licensed only pursuant to a license agreement that
contains restricti ons on use and disclosure (that may incorporate by reference certain li mitations and notices imposed
by third parties).
ii
117386-B Rev 00
Bay Networks, Inc. Software License Agreement
NOTICE: Please carefully read this license agre ement before copying or using the accompanying software or
installing the hardware unit with pre-enabled software (each of which is referred to as “Software” in this Agreement).
BY COPYING OR USING THE SOFTWARE, YOU ACCEPT ALL OF THE TERMS AND CONDITIONS OF
THIS LICENSE AGREEMENT. THE TERMS EXPRESSED IN THIS AGREEMENT ARE THE ONLY TERMS
UNDER WHICH BAY NETWORKS WILL PERMIT YOU TO USE THE SOFTWARE. If you do not accept these
terms and conditions, return the product, unused and in the original shipping container, within 30 days of purchase to
obtain a credit for the full purchase price
1. License Grant. Bay Networks, Inc. (“Bay Networks”) grants the end user of the Software (“Licensee”) a personal,
nonexclusive, nontransferable license: a) to use the Software either on a single computer or, if applicable, on a single
authorized device identified by host ID, for which it was originally acquired; b) to copy the Software solely for backup
purposes in support of authorized use of the Software; and c) to use and copy the associated user manual solely in
support of authorized use of the Software by Licensee. This license applies to the Software only and does not extend
to Bay Networks Agent software or other Bay Networks software pro ducts. Bay Networks Agent software or other
Bay Networks software products are licensed for use under the terms of the applicable Bay Networks, Inc. Software
License Agreement that accomp anies such software and upon payment by the end user of the applicable license fees
for such software.
2. Restrictions on use; reservation of rights. The Software and user manuals are protected und er copyright laws.
Bay Networks and/or it s licensors retain all title and ownership in both the Software and user manuals, including any
revisions made by Bay Networks or i ts licensors. The copyright notice must be reproduced and included wi th any
copy of any portion of the Software or user manuals. Licensee may not modify, translate, decompile, disassemble, use
for any competitiv e analysis, re v erse engineer , distrib ute, or create deriv ati ve works from the Softwa re or user manuals
or any copy, in whole or in part. Except as expressly provided in this Agreement, Licensee may not copy or transfer
the Software or user manuals, in whole or in part. The Software and user manuals embody Bay Networks’ and its
licensors’ confidential and proprietary intellectual property. Licensee shall not sublicense, assign, or otherwise
disclose to any third party the Software, or any information about the operation, design, performance, or
implementation of the Software and user manuals that is confidential to Bay Networks and its licensors; however,
Licensee may grant permission to its consultants, subcontractors, a nd agents to use the Softw are at Licensee’s facility ,
provided they have agreed to use the Software only in accordance with the terms of this license.
3. Limited warranty. Bay Networks warrants each item of Software, as delivered by Bay Networks and properly
installed and operated on Bay Networks hardware or other equipment it is originally licensed for, to function
substantially as described in its accompanying user manual during its warranty period, which begins on the date
Software is first shipped to Licensee. If an y item of S oftware f ails to so function d uring its w arranty period, as the sole
remedy Bay Networks will at its discretion provide a suitable fix, patch, or workaround for the problem that may be
included in a future Software release. Bay Network s fur ther w arra nts to Licen see that the medi a on which the
Software is provided will be free from defec ts in materials and wo rkman ship under no rmal use for a peri od of 90 da ys
from the date Software is first shipped to Licensee. Bay Networks will replace defective media at no cha rge if it is
returned to Bay Netw orks during the warran ty perio d alon g with proof of the date of shipment . This war ranty do es not
apply if the media has been dam aged as a resul t of acci dent, misuse , or ab use. The Licen see assumes all re sponsibilit y
for selection of the Software to achieve Licensee’s intended results and for the installation, use, and results obtained
from the Software. Bay Networks does not warrant a) that the functions contained in the software will meet the
Licensee’ s requireme nts, b) that the Software will operate in the hardware or software combinations tha t the L icens ee
may select, c) that the operation of the Softw a re will be uninterru pte d or error free, or d) that all defec ts in the
operation of the Software will be corrected. Bay Networks is not obligated to remedy any Software defect that cannot
be reproduced with the latest Software release. These warranties do not apply to the So ftw are if i t has been (i) altered,
except by Bay Netwo rks or in a ccordance with its instru ction s; (ii) used in con junc tion with another v en dor’s product,
resulting in the defect; or (iii) damaged by improper environment, abuse, misuse, accident, or negligence. THE
FOREGOING WARRANTIES AND LIMITATIONS ARE EXCLUSIVE REMEDIES AND ARE IN LIEU OF ALL
OTHER WARRANTIES EXPRESS OR IMPLIED, INCLUDING W ITHOUT LIMITATION ANY WARRANTY OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Licensee is responsible for the security of
117386-B Rev 00
iii
its own data and information and for maintaining adequate procedures apart from the Software to reconstruct lost or
altered files, data, or programs.
4. Limitation of liability. IN NO EVENT WILL BAY NETWORKS OR ITS LICENSORS BE LIABLE FOR ANY
COST OF SUBSTITUTE PROCUREMENT; SPECIAL, INDIRECT, INCIDENTAL, OR CONSEQUENTIAL
DAMAGES; OR ANY DAMAGES RESULTING FROM INACCURATE OR LOST DATA OR LOSS OF USE OR
PROFITS ARISING OUT OF OR IN CONNECTION WITH THE PERFORMANCE OF THE SOFTWARE, EVEN
IF BAY NETWORKS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT
SHALL THE LIABILITY OF BAY NETWORKS RELATING TO THE SOFTWARE OR THIS AGREEMENT
EXCEED THE PRICE PAID TO BAY NETWORKS FOR THE SOFTWARE LICENSE.
5. Government Licensees. This provision applies to all Software and documentation acquired directly or indirectly
by or on behalf of the United States Government. The Software and documentation are commercial products, licensed
on the open market at market prices, and were developed entirely at private expense and without the use of any U.S.
Government funds. The license to the U.S. Government is granted only with restricted rights, and use, duplication, or
disclosure by the U.S. Government is subject to the restrictions set forth in subparagraph (c)(1) of the Commercial
Computer Software––Restricte d Rig hts cla u se o f FAR 52.227-19 and the limita tio ns set o ut in this license for civilian
agencies, and subparagraph (c)(1)(ii ) of the Rights in Technical Data and Computer Software clause of DFARS
252.227-7013, for agencies of t he Department of Defense or their successors, whichever is applicable.
6. Use of Software in the European Community. This provision applies to all Software acquired for use within the
European Community. If Licensee uses the Software within a country in the European Community, the Software
Directive enacted by the Council of European Commun ities Directive dated 14 May, 1991, will apply to the
examination of th e Software to facilitate interoperability. Licensee agrees to notify Ba y Networks of any such
intended examination of the Software and may procure support and assistance from Bay Networks.
7. Term and termination. This license is effective until terminated; however, all of the restrictions with respect to
Bay Networks’ copyright in the Software and user manuals will cease being effective at the date of expiration of the
Bay Networks copyright; those restrictions relating to use and disclosure of Bay Network s’ confidential informati on
shall continue in effect. Licensee may terminate this license at any time. The license will automatically terminate if
Licensee fails to comply with any of the terms and conditions of the license. Upon termination for any reason,
Licensee will immediately destroy or return to Bay Networks the Software, user manuals, and all copies. Bay
Networks is not liable to Licensee for damages in any form solely by reason of the termination of this license.
8. Export and Re-export. Licensee agrees not to export, directly or indirectly, t he S oftware or related technical data
or information without first obtaining any required export licenses or other governmental approvals. Without limiting
the foregoing, Licensee, on behalf of itself and its subsidiaries and affiliates, agrees that it will not, without first
obtaining all export licenses and approvals required by the U.S. Government: (i) export, re-export, transfer, or divert
any such Software or technical data, or any direct product thereof, to any country to which such exports or re-exports
are restricte d or em b argoed under United States ex po r t con t rol laws and regulations, or to any national or resident of
such restricted or embargoed countries; or (ii) provide the Software or related technical data or information to any
military end user or for any military end use, including the design, development, or production of any chemical,
nuclear, or biological weapons.
9. General. If any provision of this Agreement is held to be invalid or unenforceable by a court of competent
jurisdiction, the remainder of the provisions of this Agreement shall remain in full force and effect. This Agreement
will be governed by the laws of the state of California.
Should you have any questions concerning this Agreement, contact Bay Networks, Inc., 4401 Great America Parkway,
P.O. Box 58185, Santa Clara, California 95054-8185.
LICENSEE ACKNOWLEDGES THAT LICENSEE HAS READ THIS AGREEMENT, UNDERSTANDS IT, AND
AGREES TO BE BOUND BY ITS TERMS AND CONDITIONS. LICENSEE FURTHER AGREES THAT THIS
AGREEMENT IS THE ENTIRE AND EXCLUSIVE AGREEMENT BETWEEN BAY NETWORKS AND
LICENSEE, WHICH SUPERSEDES ALL PRIOR ORAL AND WRITTEN AGREEMENTS AND
COMMUNICATIONS BETWEEN THE PARTIES PERTAINING TO THE SUBJECT MATTER OF THIS
AGREEMENT. NO DIFFERENT OR ADDITIONAL TERMS WILL BE ENFORCEABLE AGAINST B AY
NETWORKS UNLESS BAY NETWORKS GIVES ITS EXPRESS WRITTEN CONSENT, INCLUDING AN
EXPRESS WAIVER OF THE TERMS OF THIS AGREEMENT.
iv
117386-B Rev 00
Contents
About This Guide
Before You Begin .............................................................................................................. xi
Conventions ................................................. ............................................. ........................xii
Acronyms ........................... .......................... .......................... ......................... .................xiii
Bay Networks Technical Publications ..............................................................................xiii
Bay Networks Customer Service .....................................................................................xiv
How to Get Help ..............................................................................................................xiv
Bay Networks Educational Ser v ic es ..... ....................................... ...... ....... ...... ....... .......... xv
Chapter 1
Data Encryption Overview
Data Encryption Architecture ..........................................................................................1-1
Data Encryption Standard (DES) .............................................................................1-2
40-Bit and 56-Bit Encryption Strengths .............................................................1-2
Message Digest 5 (MD5) .........................................................................................1-3
WAN Encryption Protocol (WEP) .............................................................................1-3
Security and Data Encryption .........................................................................................1-3
Site Security .............................................................................................................1-4
Configuration Security ..............................................................................................1-4
Encryption Keys ..............................................................................................................1-4
Random Number Generator (RNG) .........................................................................1-5
Node Protection Key (NPK) ......................................................................................1-6
Generating an NPK ...........................................................................................1-6
Entering the NPK on the Router ........................ ....... ...... ...... .............................1-6
Choosing a Secure Shell Password ...................................................................1-7
Entering the NPK into Site Manager ..................................................................1-7
Long-Term Shared Secret (LTSS) ............................................................................1-7
Master Encryption Key (MEK) ..................................................................................1-8
Traffic Encryption Key (TEK) ....................................................................................1-8
117386-B Rev 00
v
Chapter 2
Considerations Before You Enable Encryption
Requirements for Enabling Encryption ...........................................................................2-1
Selecting Encr yp tio n Strengt h ........................................ ....... ...... ...................................2-1
Synchronizing Router Clocks .........................................................................................2-2
Using Encryption with AN Routers ...........................................................................2-2
Encryption and Performance ..........................................................................................2-2
Maintenance Considerations for the NPK .......................................................................2-3
Using Floppy Disks to Store Key Files ............................................................................2-3
Reading Key Files on PC Floppy Disk from UNIX ....................................................2-3
Configuring Encryption with Dial Backup ........................................................................2-4
Chapter 3
Enabling Encryption
Before You Begin ............................................................................................................3-1
Modifying Encryption Parameters Using Technician Interface ........................................3-1
Starting Encryption .........................................................................................................3-2
Creating Seeds ...............................................................................................................3-2
Creating Seeds on a PC ..........................................................................................3-3
Changing the Path to the Key Files ...................................................................3-3
Changing the Length of the LTSS Key Generator ..............................................3-3
Running the wfkseed Command ......................................................................3-3
Creating Seeds on a UNIX Platform ........................................................................3-5
Each of these steps is detailed in the following sections. ..................................3-5
Setting a Path to the Key Files ...........................................................................3-5
Changing the Length of the LTSS Key Generator ..............................................3-5
Running the WEP wfkseed Command .............................................................3-6
Creating Seeds on the Router ..................................................................................3-7
Creating NPKs and LTSSs .............................................................................................3-7
Creating NPKs .........................................................................................................3-7
Creating LTSSs ........................................................................................................3-8
Entering an NPK on a Router .........................................................................................3-9
Changing NPKs ............................................................................................................3-10
Monitoring NPKs ...........................................................................................................3-10
Changing an NPK on a Router ...............................................................................3-11
Changing an NPK in the MIB .................................................................................3-11
vi
117386-B Rev 00
Changing LTSSs ...........................................................................................................3-11
Creating TEKs ..............................................................................................................3-11
Starting Encryption for PPP ..........................................................................................3-13
Starting Encryption for Frame Relay .............................................................................3-16
Configuring WEP Parameters .......................................................................................3-19
Configuring WEP Line Parameters ........................................................................3-19
Configuring WEP Interface Parameters .................................................................3-21
Disabling Encryptio n ................ .............................................. ...... ...... ...........................3-23
Deleting Encryption from an Interface ..........................................................................3-24
Deleting Encryption from a Router ...............................................................................3-25
Appendix A
Encryption Parameters
PPP and Frame Relay Encryption Parameters .............................................................. A-1
WEP Line Parameters ................................................................................................... A-4
WEP Circuit Interface Parameters ................................................................................. A-5
Appendix B
Definitions of k Commands
Index
117386-B Rev 00
vii
Figures
Figure 1-1. Hierarchy of Encryption Keys ...................................................................1-5
117386-B Rev 00
ix
About This Guide
If you are responsible for configuring and managing Bay Networks® routers, read
this guide to learn how to configure data encryption.
If you want to Go to
Learn about data encryption services Chapter 1
Read implementation notes Chapter 2
Start encryption services Chapter 3
Obtain information about Site Manager parameters (this is the same
information you obtain using Site Manager online Help)
Learn about k commands Appendix B
Appendix A
Before You Begin
Before using this guide, you must complete the following procedures. For a new
router:
• Install the router (refer to the installation guide that came with your router).
• Connect the router to the network and create a pilot configuration file (see
Quick-Starti ng Router s , Conf igur ing BaySt ac k Remote Acc ess , or Connecting
ASN Routers to a Network).
Make sure that you are running the latest version of Bay Networks Site Manager
and router software. For instructions, refer to Upgrading Routers from Version
7–11.xx to Version 12.00.
117386-B Rev 00
xi
Configuring Data Encryption Se rvices
.
.
Conventions
angle brackets (< >) Indicate that you choose the text to enter based on the
description inside the brackets. Do not type the
brackets when entering the command.
ping
Example: if command syntax is
you enter
ping 192.32.10.12
<ip_address>
,
bold text
Indicates text that you need to enter, command names,
and buttons in menu paths.
Example: Enter
Example: Use the
wfsm &
dinfo
command.
Example: ATM DXI > Interf ace s > PVCs identifies the
PVCs button in the window that appears when you
select the Interfaces option from the ATM DXI menu.
brackets ([ ]) Indicate optional elements. You can choose none, one,
or all of the options.
.
ellipsis points Horizontal (. . .) and ve rtic al ellipsis points indicat e
()
omitted info rmation.
italic text Indicates variable values in command syntax
descriptions, new terms, file and directory names, and
book titles.
quotation marks (“ ”) Indicate the title of a chapter or section within a book.
screen text Indicates data that appears on the screen.
Example:
Set Bay Networks Trap Monitor Filters
separator ( > ) Separates menu and option names in instructions and
internal pin-to-pin wire connections.
Example: Protocols > AppleTalk identifies the
AppleTalk option in the Protocols menu.
Example: Pin 7 > 19 > 20
vertical line (
) Indicates that you enter only one of the parts of the
|
command. The vertical line separates choices. Do not
type the vertical line when entering the command.
Example: If the command syntax is
show at routes
show at routes
xii
nets
, you enter either
|
show at nets
or
, but not both.
117386-B Rev 00
Acronyms
About This Guide
ANSI American National Standards Institute
DES Data Encryption Standard
DLCI data link connection identifier
IETF Internet Engineering Task Force
ISDN Integrated Services Digital Network
LTSS long-term shared secret
MD5 Message Digest 5
MEK Master Encryption Key
MIB management information base
NPK Node Protection Key
NTP Network Time Protocol
pcfs personal computer file system
PPP Point-to-Point Protocol
PVC permanent virtual circuit
PRI Primary Rate Interface
RNG random number generator
SEO strong encryption option
TEK Traffic Encryption Key
WAN wide area network
WEP WAN Encryption Protocol
Bay Networks Technical Publications
You can now print technical manuals and release notes free, directly from the
Internet. Go to
products for which you need documentation. The n locate the s pecific c ategory and
model or version for your hardware or software product. Using Adobe Acrobat
Reader, you can open the manuals and release notes, search for the sections you
need, and print them on most s tandard prin ters. You can do wnload Ac robat Reader
free from the Adobe Systems Web site,
Documentation sets and CDs are a vailable through your local Bay Networ ks sales
office or account representative.
117386-B Rev 00
support.baynetworks.com/library/tpubs
www.adobe.com
. Find the Bay Networks
.
xiii
Configuring Data Encryption Se rvices
Bay Networks Customer Service
You can purchase a support contract from your Bay Networks distributor or
authorized reseller, or directly from Bay Ne tworks Services. For information
about, or to purchase a Bay Networks service contract, either call your local Bay
Networks field sales office or one of the following numbers:
Region Telephone number Fax number
United States and
Canada
Europe 33-4-92-96-69-66 33-4-92-96-69-96
Asia/Pacific 61-2-9927-8888 61-2-9927-8899
Latin America 561-988-7661 561-988-7550
Information about customer service is also available on the World Wide Web at
support.baynetworks.com.
How to Get Help
If you purchased a service contract for your Bay Networks product from a
distributor or authorized reseller, contact the technical support staff for that
distributor or reseller for assistance.
If you purchased a Bay Networks service program, call one of the following Bay
Networks Technical Solutions Centers:
800-2LANW AN; th en enter Expr ess Routing
Code (ERC) 290, when prompted, to
purchase or renew a service contract
978-916-8880 (direct)
978-916-3514
xiv
Technical Solutions Center Telephone number Fax number
Billerica, MA 800-2LANWAN 508-916-3514
Santa Clara, CA 800-2LANWAN 408-495-1188
Valbonne, France 33-4-92-96-69-68 33-4-92-96-69-98
Sydney, Australia 61-2-9927-8800 61-2-9927-8811
Tokyo, Japan 81-3-5402-0180 81-3-5402-0173
117386-B Rev 00
Bay Networks Educational Services
Through Bay Networks Educa tional Services , you can attend cl asses and purcha se
CDs, videos, and computer-based training programs about Bay Networks
products. Training programs can take place at your site or at a Bay Networks
location. For more information about training programs, call one of the following
numbers:
Region Telephone number
United States and Canada 800-2LANWAN; then enter Express Routing Code (ERC)
282 when prompted
978-916-3460 (direct)
Europe, Middle East, and
Africa
Asia/Pacific 61-2-9927-8822
Tokyo and Japan 81-3-5402-7041
33-4-92-96-15-83
About This Guide
117386-B Rev 00
xv
Chapter 1
Data Encryption Overview
Bay Networks data encryption services enable you to protect sensitive traffic on
your network. Encryption prevents unauthorized persons from reading, changing,
or replaying data that travels between Bay Networks routers.
Data encryption services include:
®
• Software-based enc ryption for PPP dedicated links for the BN
ASN™, System 5000™ router modules, and all serial interfaces. This includes
encryption on multiline and multilink.
, AN®, ARN
™,
• Software-based encryption for frame relay circuits that have one permanent
virtual circuit (PVC) per service record. This includes encryption on
multiline.
• Encryption configurable on a line or circuit basis.
• Encryption independent or combined with data compression.
You can configure PPP dial backup for a frame relay circuit that uses data
encryption. Be aware, however, that if the primary circuit fails, data that travels
over the backup circuit is unencrypted.
Data Encryption Architecture
Bay Networks uses the following standards and protocols to provide encryption
services:
• Data Encryption Standard (DES)
• Message Digest 5 (MD5)
• WAN Encryption Protocol (WEP), proprietary to Bay Networks
117386-B Rev 00
1-1
Configuring Data Encryption Se rvices
Data Encryption Standard (DES)
Bay Networks bases encryption services on DES, which the United States
government has ado pte d to protect sen si ti v e b ut nonclas sif i ed data. The Ameri can
National Standards Institute (ANSI), the Internet Engineering Task Force (IETF),
and various banking and financial standards groups have also incorporated DES
into security standards.
DES describes the process that transforms 64-bit blocks of data from readable
plaintext to scrambled ciphertext. A 40-bit or 56-bit number that you generate,
known as a key, controls the scrambling and unscrambling. Both ends of a link
must use the same key value for one end to be able to decipher the data that the
other end sends.
DES is designed so that e ven if someone knows some of the plai nte xt da ta and t he
corresponding ciphertext, there is no way to determine the key without trying all
possible keys. The strength of encryption-based security rests on the size of the
key, and on properly protecting the key.
Because DES is a public standard, the encryption is secure only if the
communicating routers and the management station keep the DES key secret and
protected from unauthorized change.
1-2
40-Bit and 56-Bit Encryption Strengths
Bay Networks offers two encryption strengths:
• The standard router software includes encryption that uses 40-bit DES keys.
This version provides reasonably strong security.
• A strong encryption option (SEO) for router software that uses 56-bit DES
keys.
SEO software is generally available only in the United States and Canada. U.S.
law allows export of the SEO only with a U.S. export license. For more
information on the export, import, and use of SEO outside the United States and
Canada, refer to the SEO software license agreement.
117386-B Rev 00
Message Digest 5 (MD5)
MD5 is a secure hash algorithm, and is a componen t in a number of IETF standard
protocols. MD5 opera te s o n data of varying lengths, and produces from it a single
128-bit output called the digest. It is very difficult, given one message and its
digest, to fabricate another message that has the same digest.
This property enables MD5 to function like a checksum to detect errors in the
integrity of a message. When a message that contains a secret key is hashed, the
resulting digest also authenticates the origin of the message: only a source that
possesses the secret key could have calculated the digest. This technique is called
keyed MD5.
Bay Networks encryption uses MD5 to:
• Authenticate the originator of the message, that is, to verify that the source
possesses the secret key.
• Verify the integrity of the DES keying material.
• Create new keys as part of a process that changes key values.
Data Encryption Overview
WAN Encryption Protocol (WEP)
WEP employs the DES algorithm, combined with MD5 and the appropriate key,
to encrypt data and add protocol information the receiver requires to identify the
data as encrypted. This encryption protocol is proprietary to Bay Networks.
WEP begins by establishing the security of the link and verifying that both ends
have the same key. The two sides of the link issue connection request and
acknowledgment messages. They use keyed MD5 to exchange and authenticate
these messages. If the negotiation fails, data communication does not occur on
that circuit.
Security and Data Encrypti on
To use data encryption effectively, you must take precautions to protect the
security of your network equipment and the configuration process.
117386-B Rev 00
1-3
Configuring Data Encryption Se rvices
Site Security
Carefully r estrict unauthorized access to rout ers that encrypt data and the
workstations you use to configure encryption. Because DES is a public standard,
data is secure only if you properly protect the encryption keys. The configuration
files that contain these keys include safeguards to prevent unauthorized access.
However, a good strategy is to physically protect your equipment.
Configuration Security
You store the k e y managemen t f il es th at Bay Ne tw orks encrypt ion se rvice s use o n
removable media, such as floppy disks, and you should store this media in a
secure place. Thi s is the eas iest way t o prevent unauthorized per sons f rom gain ing
access to these files.
You should always configure the node protection keys (NPKs) locally, not over a
network. When you connect a computer to a router’s console port to configure
encryption, use a computer that is not connected to any other equipment.
You can, however, configure long term shared secrets (LTSSs) remotely because
LTSSs are encrypted.
Follow recommendations about network security in this guide.
Encryption Keys
Figure 1-1 illustrates the hierarchy of keys that Bay Networks encryption uses to
protect and transmit data.
1-4
117386-B Rev 00
Data Encryption Overview
LTSS
LTSS
LTSS
NPK
12
23
24
2
Santa Clara
Site Manager
MEK=(LTSS , TIME)
FR or PPP
TEK Data
12
Billerica: NPK
Santa Clara: NPK
Billerica-SC: LTSS
Billerica-NY: LTSS
.....
Billerica
1
2
12
13
NPK
LTSS
LTSS
LTSS
WEP0001A
1
12
13
14
Figure 1-1. Hierarchy of Encryption Keys
The keys are the:
• Node Protection Key (NPK). It encrypts the LTSS.
• Long-Term Shared Secret (LTSS). It is the source for the Master Encryption
Key.
• Master Encryption Key (MEK). It encrypts the Traffic Encryption Key.
• Traffic Encryption Key (TEK). The TEK encrypts the data that travels across
the network.
Random Number Generator (RNG)
The Bay Networks key management software uses an RNG in Site Manager to
generate values for the keys. These values are statistically random. An RNG uses
as its source a seed that you supply. For instructions, see “Creating Seeds” on
page 3-2.
Site Manager also uses its RNG to generate NPKs, and LTSSs.
The router software uses the RNG to generate TEKs.
117386-B Rev 00
1-5
Loading...