System Administration Guide: IP Services

Authentication and Encryption Algorithms

IPsec uses two types of algorithms: authentication and encryption. The authentication algorithms and the DES encryption algorithms are part of the core Solaris installation. If you plan to use other algorithms that are supported for IPsec, you must install the Solaris Encryption Kit, which is provided on a separate CD.

Authentication Algorithms

Authentication algorithms produce an integrity checksum value or digest that is based on the data and a key. The authentication algorithm man pages describe the size of both the digest and key. The following table lists the authentication algorithms that are supported in the Solaris operating environment. The table also lists the format of the algorithms when they are used as security options to the IPsec utilities and their man page names.

Table 19–1 Supported Authentication Algorithms

Algorithm Name    Security Option Format            Man Page
--------------    ------------------------------    ------------
HMAC-MD5          md5, hmac-md5                     authmd5h(7M)
HMAC-SHA-1        sha, sha1, hmac-sha, hmac-sha1    authsha1(7M)

Encryption Algorithms

Encryption algorithms encrypt data with a key. The algorithms operate on data in units of a block size. The encryption algorithm man pages describe both the block size and the key size. By default, the DES-CBC and 3DES-CBC algorithms are installed. You must install the Solaris Encryption Kit to make the AES and Blowfish algorithms available to IPsec. The kit is available on a separate CD that is not part of the Solaris 9 installation box. The Encryption Kit Installation Guide describes how to install the Solaris Encryption Kit.

The following table lists the encryption algorithms that are supported in the Solaris operating environment. The table also lists the format of the algorithms when they are used as security options to the IPsec utilities, their man page names, and the package that contains them.

Table 19–2 Supported Encryption Algorithms

Algorithm Name            Security Option Format    Man Page        Package
----------------------    ----------------------    ------------    -------------------
DES-CBC                   des, des-cbc              encrdes(7M)     SUNWcsr, SUNWcarx.u
3DES-CBC or Triple-DES    3des, 3des-cbc            encr3des(7M)    SUNWcsr, SUNWcarx.u
Blowfish                  blowfish, blowfish-cbc    encrbfsh(7M)    SUNWcryr, SUNWcryrx
AES-CBC                   aes, aes-cbc              encraes(7M)     SUNWcryr, SUNWcryrx