Re: ipsec AH

From: Chris McCoy (mccoy-cm@pacbell.net)
Date: Tue Sep 09 2003 - 17:45:12 GMT-3


Navaid,

  MD5 is a hashing standard designed by RSA Data
Security. It takes a variable length message and
outputs a 128 bit "hash" or fingerprint of the
message. SHA-1 is designed by the U.S. National
Security Agency (NSA) and outputs a 160 bit hash.
There have been attacks against a weakened variant of
MD5, which have led people to believe it isn't as
secure. Both SHA and MD5 have their outputs truncated
to 96 bits with ESP or AH before sending across the
wire, so the lengths don't really matter. I would use
SHA.

Chris M.

--- navaid@rogers.com wrote:
> Two options for authentication header are sha and
> md5. Which one is more secure? And why?
>
> R9(config)#crypto ipsec transform-set test ?
> ah-md5-hmac AH-HMAC-MD5 transform
> ah-sha-hmac AH-HMAC-SHA transform
>
> Navaid
>
>
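
Added example, not part of the original thread: the 96-bit truncation mentioned in the reply, computed in Python for both transforms. The key and message are the "Test With Truncation" inputs from RFC 2202 test case 5; the function names are illustrative, and `data` stands in for the bytes that AH or ESP would authenticate.

```python
import hashlib
import hmac

ICV_LEN = 12  # 96 bits: the length both HMAC outputs are cut to on the wire


def full_mac(algorithm: str, key: bytes, data: bytes) -> bytes:
    """Untruncated HMAC: 16 bytes for "md5", 20 bytes for "sha1"."""
    return hmac.new(key, data, algorithm).digest()


def icv(algorithm: str, key: bytes, data: bytes) -> bytes:
    """Integrity check value: the leftmost 96 bits of the HMAC."""
    return full_mac(algorithm, key, data)[:ICV_LEN]


def verify(algorithm: str, key: bytes, data: bytes, received: bytes) -> bool:
    """Receiver side: recompute the ICV and compare in constant time."""
    if len(received) != ICV_LEN:
        return False
    return hmac.compare_digest(icv(algorithm, key, data), received)


def lengths(algorithm: str, key: bytes, data: bytes) -> tuple:
    """(full HMAC length, on-the-wire ICV length) in bytes."""
    return len(full_mac(algorithm, key, data)), len(icv(algorithm, key, data))


if __name__ == "__main__":
    data = b"Test With Truncation"  # RFC 2202 test case 5 message
    # RFC 2202 uses a 16-byte key for MD5 and a 20-byte key for SHA-1.
    for algorithm, key in (("md5", b"\x0c" * 16), ("sha1", b"\x0c" * 20)):
        tag = icv(algorithm, key, data)
        print(algorithm, lengths(algorithm, key, data), tag.hex())
        print("  intact  :", verify(algorithm, key, data, tag))
        print("  tampered:", verify(algorithm, key, data + b"!", tag))
```
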


