Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
7484
Views
20
Helpful
4
Replies

Difference b/w hash MD5 encryption and 3DES encryption in IPSEC

Go to solution
Suresh Babu
Level 1
Level 1

‎01-28-2013 05:18 AM - edited ‎03-04-2019 06:51 PM

HI All,

Can you clarify the difference b/w hash MD5 encryption and 3DES encryption, As both seems the functionality is to encrypt the packet.

What makes the difference here and based on what all conditions .

Please clarify.

Regards

Suresh

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎01-28-2013 06:33 AM

Hi Suresh,

You are talking about two very different and incomparable classes of algorithms. The MD5 and SHA are both what we call hash functions. Their purpose is to compute a fixed-size checksum, or a fingerprint of the input message. Cryptographic hashes must meet a number of requirements:

  • Must be reasonably fast
  • Must not allow to easily construct two different messages with the same hash value
  • Must not allow to easily modify an original message in a way that the hash value stays the same
  • Must not allow to deduce on the contents of the original message by looking at the hash value

However, note that the hash function always computes only a checksum but is not involved in encrypting the message itself. It is not possible to derive back the original message from the hash value - recall that MD5 produces a 128-bit result, regardless of how large the input is. There is no reverse process to transform the hash value back to the original message (nor should there be - see the requirements above).

So why do we use the hash functions in cryptography? The reason is that they allow us to verify very quickly and with high probability whether the message has been changed. If we compute a hash value and send it along with the message, the recipient can compute his own hash value and compare it to the received hash. If they don't match, the message must have been tampered with - in any case, it is not the original message anymore.

The 3DES and AES algorithms are ciphers, meaning that they transform the input plaintext into an encrypted data, or the ciphertext, using a parameter called the encryption key. Using the same key, these algorithms also allow you to derive the original plaintext back. So these are what we really call ciphers, and because they use the same key for both encryption and decryption, they are also called symmetric ciphers (the asymmetric cipher is, for example, RSA).

Please feel free to welcome further.

Best regards,

Peter

View solution in original post

Go to solution
Karsten Iwen
VIP
VIP

‎01-28-2013 07:05 AM

Just to add to Peters great explaination:

A cryptographic hash-function alone is not enough because the attacker could alter the data and compute a matching hash based on the altered data. So we use in IPSec a hash-based message authentication code (HMAC) where a secret key is used together with the data to calculate the hash. You find explainations here:

http://en.wikipedia.org/wiki/Cryptographic_hash_function

http://en.wikipedia.org/wiki/Hash-based_message_authentication_code

And if you recall the security-services that IPSec provide (confidentiality, integrity, origin-authentication and replay detection), the origin-authentication is done together with the integrity-protection with the help of the HMAC.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

4 Replies 4

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎01-28-2013 06:33 AM

Hi Suresh,

You are talking about two very different and incomparable classes of algorithms. The MD5 and SHA are both what we call hash functions. Their purpose is to compute a fixed-size checksum, or a fingerprint of the input message. Cryptographic hashes must meet a number of requirements:

  • Must be reasonably fast
  • Must not allow to easily construct two different messages with the same hash value
  • Must not allow to easily modify an original message in a way that the hash value stays the same
  • Must not allow to deduce on the contents of the original message by looking at the hash value

However, note that the hash function always computes only a checksum but is not involved in encrypting the message itself. It is not possible to derive back the original message from the hash value - recall that MD5 produces a 128-bit result, regardless of how large the input is. There is no reverse process to transform the hash value back to the original message (nor should there be - see the requirements above).

So why do we use the hash functions in cryptography? The reason is that they allow us to verify very quickly and with high probability whether the message has been changed. If we compute a hash value and send it along with the message, the recipient can compute his own hash value and compare it to the received hash. If they don't match, the message must have been tampered with - in any case, it is not the original message anymore.

The 3DES and AES algorithms are ciphers, meaning that they transform the input plaintext into an encrypted data, or the ciphertext, using a parameter called the encryption key. Using the same key, these algorithms also allow you to derive the original plaintext back. So these are what we really call ciphers, and because they use the same key for both encryption and decryption, they are also called symmetric ciphers (the asymmetric cipher is, for example, RSA).

Please feel free to welcome further.

Best regards,

Peter

Go to solution
Karsten Iwen
VIP
VIP

‎01-28-2013 07:05 AM

Just to add to Peters great explaination:

A cryptographic hash-function alone is not enough because the attacker could alter the data and compute a matching hash based on the altered data. So we use in IPSec a hash-based message authentication code (HMAC) where a secret key is used together with the data to calculate the hash. You find explainations here:

http://en.wikipedia.org/wiki/Cryptographic_hash_function

http://en.wikipedia.org/wiki/Hash-based_message_authentication_code

And if you recall the security-services that IPSec provide (confidentiality, integrity, origin-authentication and replay detection), the origin-authentication is done together with the integrity-protection with the help of the HMAC.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to Karsten Iwen

‎01-28-2013 09:52 AM

Hello Karsten,

Thank you for joining and completing my answer! Yes, you are completely right. In fact, I was waiting to see if anyone fills in this missing piece True. The hash is not computed just over the message because it would allow us to replace both easily. During the computation of the hash, we either encrypt the resulting hash value using a private key of the sender (the idea of digital signatures), or use a unique shared secret that is an input to the hash function along with the data block being hashed, making it very hard for a 3rd party to inject spoofed messages that would still pass the verification check after computing a hash value yourself.

Best regards,

Peter

0 Helpful

Go to solution
Suresh Babu
Level 1
Level 1
In response to Peter Paluch

‎01-29-2013 04:30 AM

HI,

Very useful inputs, Thanks

Regards

Suresh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card