algorithm

Function

The algorithm command configures the algorithm for a key ID.

The undo algorithm command deletes the algorithm configured for a key ID.

By default, no algorithm is configured for a key ID.

Format

algorithm { hmac-md5 | hmac-sha1-12 | hmac-sha1-20 | md5 | sha-1 | simple | hmac-sha-256 | sha-256 }

undo algorithm

Parameters

Parameter	Description	Value
hmac-md5	Indicates that Keyed-Hashing for Message Authentication (HMAC)-Message Digest 5 (MD5) is used for packet encryption and authentication.	The length of the key is 16 bytes.
hmac-sha1-12	Indicates that HMAC-Secure Hash Algorithm 1-12 (SHA1-12) is used for the packet encryption and authentication.	The length of the key is 12 bytes.
hmac-sha1-20	Indicates that HMAC-SHA1-20 is used for packet encryption and authentication.	The length of the key is 20 bytes.
md5	Indicates that MD5 is used for the packet encryption and authentication. NOTE: To ensure high security, do not use the MD5 algorithm.	The length of the key is 16 bytes.
sha-1	Indicates that SHA-1 is used for packet encryption and authentication.	The length of the key is 20 bytes.
simple	Indicates that the configured key is used for packet authentication.	-
hmac-sha-256	Indicates that HMAC-SHA-256 is used for packet encryption and authentication. NOTE: HAMC-SHA-256 authentication mode is better and more secure than other authentication modes. To ensure high security, HAMC-SHA-256 authentication algorithm is recommended.	The length of the key is 32 bytes.
sha-256	Indicates that SHA-256 is used for packet encryption and authentication.	The length of the key is 32 bytes.

Views

Key-ID view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A keychain ensures a secure protocol packet transmission by changing the authentication algorithm and key dynamically. A keychain consists of multiple key IDs, each of which needs to be configured with an authentication algorithm. Different key IDs are valid within different time periods, ensuring dynamic change of keychain authentication algorithms.

Packets are authenticated and encrypted based on the authentication algorithm associated with a specified key ID, improving the packet transmission security.

The characteristics of each authentication algorithm are as follows:

Message Digest 5 (MD5): The 128-bit MD5 message digest is calculated based on the entered message of any length.
Secure Hash Algorithm 1 (SHA-1): The 160-bit SHA-1 message digest is calculated based on the entered message with the length shorter than the 64th power of 2.
Hash-based Message Authentication Code-MD5 (HMAC-MD5): The 128-bit HMAC-MD5 message digest is calculated based on the 512-bit message that is converted from the entered message of any length.

If the length of an entered message is less than 512 bits, 0s are added to make up a 512-bit message. If the length of an entered message is greater than 512 bits, the message is converted into a 128-bit message based on the MD5 algorithm. After that, 0s are added to make up a 512-bit message.
HMAC-SHA1-12: The 160-bit HMAC-SHA1-12 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. The leftmost 96 bits (12 x 8) are used as the authentication code.
HMAC-SHA1-20: The 160-bit HMAC-SHA1-20 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. All the 160 bits are used as the authentication code.
SHA-256: The 256-bit SHA-2 message digest is calculated based on the entered message with the length shorter than the 64th power of 2.
HMAC-SHA-256: The 256-bit HMAC-SHA-256 message digest is calculated based on the 512-bit message that is converted from the entered message of any length. All the 256 bits are used as the authentication code.

The calculation speed of the MD5 algorithm is faster than that of the SHA algorithm; the SHA algorithm is more secure than the MD5 algorithm. Compared with MD5 and SHA, HMAC is more secure, but slower in calculation speed. To ensure high security, do not use the MD5 algorithm.

Prerequisites

Key IDs have been configured.

Precautions

Key IDs configured for the sender and receiver of packets must correspond to the same authentication and encryption algorithms. Otherwise, packet transmission fails for the authentication failure.

If the algorithm is not configured, key-id will never be active.

Simple authentication is insecure. Therefore, changing it to another algorithm is recommended.

Example

# Configure algorithm sha-1 on key-id 1.

<sysname> system-view

[sysname] keychain a mode absolute

[sysname-keychain-a] key-id 1

[sysname-keychain-a-keyid-1] algorithm sha-1