Hello all,
I'm doing a project on Ipsecurity and have come
across a
problem. I'm sure some of you can help me with an
answer
Many Crypto Accelerator Chips expect Ipsec
application to
supply inner and outer digests of HMAC
Authentication only once when Key is formed or a New SA is created, and they
use those digests to Authenticate or to calculate ICV of packet using HMAC.
Again Application need to supply inner and outer digests only if keys is
changed or New SA is formed.
RFC 2104 on HMAC Keyed Hashing tells that
packet processing using authentication mechanism of HMAC
computation using MD5 or SHA can be enhanced by having precomputed inner
and outer digests of
(K XOR ipad and K XOR opad , where K is Authentication Key, ipad 0x36 and opad is 0x5c
as defined in RFC2104)
K_ipad and K_opad zero padded
strings.
So that we need to to precompute these
values only once when keys are created and can be used directly
when there is a packet to process thus avoiding two hashes on Kipad and Kopad
for every packet. however RFC does not tell about exact method of precomputing
inner and outer digests of HMAC computation only once and using them
untill key is changed.
In my case Authentication is failing because I'm
not able to precompute the inner and outer digests correctly :( .
because, I dont
have clear Idea on this aspect.
Can you tell me how it can be done ? I mean what
is the Exact method to do this?
How Precomputed hashes on Kipad and Kopad are
used
for Authenticating packet?
Thank You
Lokesh