The integrity and authentication of VPN traffic is handled by hash algorithms. Hashes provide data integrity and authentication by ensuring that unauthorized persons do not tamper with transmitted messages. A hash, also called a message digest, is a number that is generated from a string of text. The hash is smaller than the text itself. It is generated by using a formula in such a way that it is extremely unlikely that some other text will produce the same hash value.
The original sender generates a hash of the message and sends it with the message itself. The recipient parses the message and the hash, produces another hash from the received message, and compares the two hashes. If they are the same, the recipient can be reasonably sure of the integrity of the original message.
In the figure, Gail sent Alex an EFT of $100. Jeremy has intercepted and altered this EFT to show himself as the recipient and the amount as $1000. In this case, if a data integrity algorithm were used, the hashes would not match, and the transaction would be invalid.
VPN data is transported over the public Internet. As shown, there is potential for this data to be intercepted and modified. To guard against this threat, hosts can add a hash to the message. If the transmitted hash matches the received hash, the integrity of the message has been preserved. However, if there is no match, the message was altered.
VPNs use a message authentication code to verify the integrity and the authenticity of a message, without using any additional mechanisms.
Hash-based Message Authentication Code (HMAC) is a mechanism for message authentication using hash functions. A keyed HMAC is a data integrity algorithm that guarantees the integrity of a message. An HMAC has two parameters, a message input and a secret key that is known only to the message originator and intended receivers. The message sender uses an HMAC function to produce a value (the message authentication code) that is formed by condensing the secret key and the message input. The message authentication code is sent along with the message. The receiver computes the message authentication code on the received message using the same key and HMAC function as the sender used. Then the receiver compares the result that is computed with the received message authentication code. If the two values match, the message has been correctly received and the receiver is assured that the sender is a member of the community of users that share the key. The cryptographic strength of the HMAC depends upon the cryptographic strength of the underlying hash function, on the size and quality of the key, and on the size of the hash output length in bits.
There are two common HMAC algorithms:
- MD5 - Uses a 128-bit shared secret key. The variable-length message and 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and forwarded to the remote end.
- SHA - SHA-1 uses a 160-bit secret key. The variable-length message and the 160-bit shared secret key are combined and run through the HMAC-SHA1 hash algorithm. The output is a 160-bit hash. The hash is appended to the original message and forwarded to the remote end.
Note: Cisco IOS also supports, 256-bit, 384-bit, and 512-bit SHA implementations.