06-17-2010 02:35 AM
Hi All;
Can I understand that HMAC is one of the methods to implement the Authentication Header (AH) and Encapsulating Security Payload (ESP)?
When to use Authentication Header (AH) and when to use Encapsulating Security Payload (ESP)?
Can we use 3DES or AES with Authentication Header?
Any help?
Regards
Bilal
06-17-2010 03:57 AM
HMAC is a mechanism for message authentication using cryptographic hash functions.
http://www.faqs.org/rfcs/rfc2104.html
AH—Authentication Header. A security protocol which provides data authentication and optional anti-replay services. AH is embedded in the data to be protected (a full IP datagram).
http://www.faqs.org/rfcs/rfc2402.html
ESP—Encapsulating Security Payload. A security protocol which provides data privacy services and optional data authentication and anti-replay services. ESP encapsulates the data to be protected.
http://www.faqs.org/rfcs/rfc2406.html
If you will be using an ASA, you cannot use AH anyway, as it is not supported:
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/c5.html#wp2172593
If using router code 12.4, you cannot use AH with AES.
Most implementations now use ESP.
I hope this helps you.
Regards,
06-17-2010 04:53 AM
So HMAC is one of the mechanisms that is used with the Authentication Header, correct?
06-18-2010 06:51 PM
AH and ESP are both protocols; you can use them for IPsec VPN.
HMAC can be included with either ESP or AH.
Check the sample transform sets in the documents I provided to you previously.
Regards,
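The two answers above say that HMAC (RFC 2104) is the keyed hash that supplies the integrity check value for both AH and ESP, and that AH additionally authenticates the IP header. The following Python example, added here and not part of the thread or of any Cisco code, builds HMAC by hand exactly as RFC 2104 specifies, truncates it to 96 bits as HMAC-SHA-1-96 (RFC 2404) does for AH and ESP, and then shows what each protocol's ICV covers: a simplified AH binds the ICV to the IP header (with the mutable fields of RFC 2402 zeroed) plus payload, while a simplified ESP covers only the ESP header and payload. The key, IPv4 header, SPI and payload are constructed sample values; the AH and ESP models omit the AH header fields and ESP trailer for brevity.

```python
import hashlib
import hmac

# All sample values below are constructed for this example, not taken from the thread.
KEY = bytes.fromhex("0b" * 20)             # 160-bit HMAC-SHA-1 key (same key as RFC 2202 test case 1)
IPV4_HEADER = bytes.fromhex(
    "4500 0034 abcd 4000 4006 0000 c0a8 0001 c0a8 00c7".replace(" ", "")
)                                           # 20-byte IPv4 header, checksum left zero
PAYLOAD = b"constructed transport payload"
ESP_HEADER = bytes.fromhex("00001000" "00000001")  # SPI = 0x1000, sequence number 1


def hmac_rfc2104(key: bytes, text: bytes, hashmod=hashlib.sha1) -> bytes:
    """HMAC exactly as RFC 2104 defines it:
    H((K XOR opad) || H((K XOR ipad) || text))."""
    block = hashmod().block_size
    if len(key) > block:                    # keys longer than a block are hashed first
        key = hashmod(key).digest()
    key = key.ljust(block, b"\x00")         # shorter keys are zero-padded to the block size
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashmod(ipad + text).digest()
    return hashmod(opad + inner).digest()


def matches_stdlib(key: bytes, text: bytes) -> bool:
    """Cross-check the hand-built HMAC against Python's hmac module."""
    return hmac_rfc2104(key, text) == hmac.new(key, text, hashlib.sha1).digest()


def icv_hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """Integrity Check Value as carried by AH and ESP with HMAC-SHA-1-96
    (RFC 2404): the full 160-bit HMAC truncated to its first 96 bits."""
    return hmac_rfc2104(key, data, hashlib.sha1)[:12]


def zero_mutable_ipv4_fields(header: bytes) -> bytes:
    """AH covers the IP header, but fields legitimately changed in transit
    (TOS, flags/fragment offset, TTL, header checksum) are zeroed before
    the ICV is computed (RFC 2402, section 3.3.3.1)."""
    h = bytearray(header)
    h[1] = 0                # TOS
    h[6:8] = b"\x00\x00"    # flags + fragment offset
    h[8] = 0                # TTL
    h[10:12] = b"\x00\x00"  # header checksum
    return bytes(h)


def ah_icv(key: bytes, ip_header: bytes, payload: bytes) -> bytes:
    """Simplified AH: the ICV is bound to the immutable parts of the IP header
    plus everything after it (the AH header fields are omitted in this model)."""
    return icv_hmac_sha1_96(key, zero_mutable_ipv4_fields(ip_header) + payload)


def esp_icv(key: bytes, esp_header: bytes, payload: bytes) -> bytes:
    """Simplified ESP with authentication: the ICV covers the ESP header and the
    (normally encrypted) payload, never the outer IP header."""
    return icv_hmac_sha1_96(key, esp_header + payload)


def verify_icv(computed: bytes, received: bytes) -> bool:
    """Constant-time comparison so the tag check does not leak timing."""
    return hmac.compare_digest(computed, received)


def ah_survives(header_on_arrival: bytes) -> bool:
    """Does an AH packet built on IPV4_HEADER still verify when the receiver
    sees header_on_arrival instead?"""
    sent = ah_icv(KEY, IPV4_HEADER, PAYLOAD)
    return verify_icv(ah_icv(KEY, header_on_arrival, PAYLOAD), sent)


def esp_survives(header_on_arrival: bytes) -> bool:
    """Same question for ESP: the outer IP header is not covered by the ICV,
    so the argument does not enter the computation at all."""
    sent = esp_icv(KEY, ESP_HEADER, PAYLOAD)
    return verify_icv(esp_icv(KEY, ESP_HEADER, PAYLOAD), sent)


def ttl_decremented() -> bytes:
    """Header as rewritten by an ordinary router hop (TTL 0x40 -> 0x3f)."""
    return IPV4_HEADER[:8] + bytes([0x3F]) + IPV4_HEADER[9:]


def source_rewritten_by_nat() -> bytes:
    """Header as rewritten by a NAT device (source 192.168.0.1 -> 10.0.0.1)."""
    return IPV4_HEADER[:12] + bytes.fromhex("0a000001") + IPV4_HEADER[16:]


if __name__ == "__main__":
    print("AH  after router TTL decrement :", ah_survives(ttl_decremented()))
    print("AH  after NAT rewrote source   :", ah_survives(source_rewritten_by_nat()))
    print("ESP after NAT rewrote source   :", esp_survives(source_rewritten_by_nat()))
```

Running the script shows the practical difference behind the advice to prefer ESP: an AH-protected packet survives a TTL decrement (a mutable field, excluded from the ICV) but fails verification once a NAT rewrites the source address (an immutable field that AH deliberately covers), whereas the ESP ICV is unaffected because it never covered the outer IP header. The same HMAC construction is used in both cases; the protocols differ only in what bytes they feed to it.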