SunScreen SKIP User's Guide, Release 1.1

The Namespace Identifiers (NSID)

SunScreen SKIP provides users with the ability to separate the identity of an entity from its physical address. This means that each person (sender or receiver) participating in a transfer of encrypted data over a computer network can be identified by a namespace identifier/key identifier (NSID/key ID) pair.

NSIDs are a part of SKIP; these identifiers are used to identify the keys being used. The NSIDs supported by SunScreen SKIP are

The first two are nearly identical in that they both use signed X.509 keys, with one very important difference. SKIP packets that use NSID 1 include the key ID in the packet. SKIP packets that use NSID 0 do not include it; the key to use is determined from the IP address.

With SunCA keys, for example, it is necessary to put the key identifier into the SKIP header because the IP address may not correspond to the identifier in the certificate. If there is a SunCA key identifier of "0a000101" for a certificate, it becomes "10.0.1.1" in IP address terminology.

Further, if your IP address is "192.12.10.49," then you would have to include your key identifier in the SKIP header because it does not equal your IP address. But with NSID 0, which also uses X.509 certificates, it is guaranteed that the key identifier is the IP address; therefore, the key identifier does not have to be sent.

Using NSID 0 results in a small gain in efficiency by not having to send the key identifier. This is what is meant by "No Key ID present" in the NSID 0 bullet above. This approach reduces the amount of packet expansion caused by SKIP.
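The comparison described in the paragraphs above can be written out as a short Python sketch. This is an added example, not code from SunScreen SKIP; the function names are hypothetical, and it assumes 4-byte key identifiers written as 8 hex digits, as in the "0a000101" example.

```python
import ipaddress


def parse_key_id(key_id_hex):
    """Decode a key identifier given as hex text into raw bytes.

    Assumption: key identifiers are 4 bytes (8 hex digits), matching the
    "0a000101" example in the text.
    """
    raw = bytes.fromhex(key_id_hex)  # raises ValueError on non-hex input
    if len(raw) != 4:
        raise ValueError("expected 4-byte key identifier, got %d bytes" % len(raw))
    return raw


def key_id_to_ipv4(key_id_hex):
    """Show a key identifier in IP address terminology (dotted quad)."""
    return str(ipaddress.IPv4Address(parse_key_id(key_id_hex)))


def key_id_must_be_sent(key_id_hex, ip_address):
    """Return True when the key identifier differs from the host's IP address.

    True  -> the identifier has to travel in the SKIP header (the NSID 1 case).
    False -> the identifier equals the IP address, which is what NSID 0
             guarantees, so it does not have to be sent.
    """
    return parse_key_id(key_id_hex) != ipaddress.IPv4Address(ip_address).packed


if __name__ == "__main__":
    # Constructed sample pairs built from the values used in the text.
    samples = [
        ("0a000101", "192.12.10.49"),  # certificate ID does not match the address
        ("0a000101", "10.0.1.1"),      # certificate ID is the address
    ]
    for key_id, ip in samples:
        verdict = "send key ID" if key_id_must_be_sent(key_id, ip) else "no key ID needed"
        print("%s (%s) on host %s: %s" % (key_id, key_id_to_ipv4(key_id), ip, verdict))
```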