Authentication and Encryption Algorithms in IPsec

IPsec security protocols use two types of algorithms, authentication and encryption. The AH module uses authentication algorithms. The ESP module can use encryption as well as authentication algorithms. You can obtain a list of the algorithms on your system and their properties by using the ipsecalgs command. For more information, see the ipsecalgs(1M) man page. You can also use the functions that are described in the getipsecalgbyname(3NSL) man page to retrieve the properties of algorithms.

IPsec on a Solaris system uses the Solaris cryptographic framework to access the algorithms. The framework provides a central repository for algorithms, in addition to other services. The framework enables IPsec to take advantage of high performance cryptographic hardware accelerators. The framework also provides resource control features. For example, the framework enables you to limit the amount of CPU time spent in cryptographic operations in the kernel.

For more information, see the following:

• Chapter 13, Solaris Cryptographic Framework (Overview), in System Administration Guide: Security Services

• Chapter 8, Introduction to the Oracle Solaris Cryptographic Framework, in Oracle Solaris Security for Developers Guide

Authentication Algorithms in IPsec

Authentication algorithms produce an integrity checksum value or digest that is based on the data and a key. The AH module uses authentication algorithms. The ESP module can use authentication algorithms as well.

Encryption Algorithms in IPsec

Encryption algorithms encrypt data with a key. The ESP module in IPsec uses encryption algorithms. The algorithms operate on data in units of a block size.

Different releases of the Solaris 10 OS provide different default encryption algorithms.

Starting in the Solaris 10 7/07 release, do not add the Solaris Encryption Kit to your system. The kit downgrades the patch level for encryption on your system. The kit is incompatible with the encryption on your system.

• Starting in the Solaris 10 7/07 release, the contents of the Solaris Encryption Kit are installed by the Solaris installation media. This release adds the SHA2 authentication algorithms: sha256, sha384, and sha512. The SHA2 implementations conform to the RFC 4868 specification. This release also adds larger Diffie-Hellman groups: 2048-bit (group 14), 3072-bit (group 15), and 4096-bit (group 16). Note that Sun systems with CoolThreads technology accelerate the 2048-bit groups only.

• Before the Solaris 10 7/07 release, the Solaris installation media provides basic algorithms and you can add stronger algorithms from the Solaris Encryption Kit.

  By default, the DES-CBC, 3DES-CBC, AES-CBC, and Blowfish-CBC algorithms are installed. The key sizes that are supported by the AES-CBC and Blowfish-CBC algorithms are limited to 128 bits.

  AES-CBC and Blowfish-CBC algorithms that support key sizes that are greater than 128 bits are available to IPsec when you install the Solaris Encryption Kit. However, not all encryption algorithms are available outside of the United States. The kit is available on a separate CD that is not part of the Solaris 10 installation box. The Solaris 10 Encryption Kit Installation Guide describes how to install the kit. For more information, see the Sun Downloads web site. To download the kit, click the Downloads A-Z tab, then click the letter S. The Solaris 10 Encryption Kit is among the first 20 entries.