
Keychain

Updated on Apr 2, 2024

What Is Keychain?

Keychain is a system that manages a series of encryption and authentication rules, rather than individual keys or algorithms. It centrally controls and flexibly manages its keys to provide dynamic security authentication services for applications. This document explains the need for keychain, its components, and common applications.

The Components of a Keychain

A keychain comprises encryption rules, known as keys, each consisting of an algorithm, a key string, and a lifetime. These components are used for encrypting and decrypting packets, with the lifetime specifying the duration for which the algorithm and key string are used for packet encryption and decryption.

  • Supported algorithms: MD5, SHA-1, HMAC-MD5, HMAC-SHA1-12, HMAC-SHA1-20, HMAC-SHA-256, SHA-256, SM3, HMAC-SHA-384, and HMAC-SHA-512.

  • Key string: a character string employed for encryption. Different key strings can be used to encrypt the same cleartext, resulting in different ciphertexts. The same ciphertext can only be obtained by using the same key string for encryption.

  • Lifetime: indicates the duration for which a key remains valid. Once a key's lifetime expires, it is replaced by another active key.

Why Do We Need Keychain?

Prior to establishing a session with a peer end using a routing protocol, an application must create a connection at the transport layer.

To secure the session connections and data exchange, MD5 can authenticate packets; however, it has the following drawbacks:

  • MD5 is relatively basic and may not meet high network security requirements.

  • Keys must be changed frequently to ensure their security. The MD5 authentication algorithm and key are configured on applications, with static one-to-one mappings. This requires manual updating of keys on both ends of the devices.

To address these issues, an application authentication keychain is introduced:

  • Each key in a keychain can use a more secure algorithm than MD5, with the option for even more secure algorithms in the future.

  • Each key in a keychain has an independent algorithm, key string, and lifetime. The applications on the devices at both ends use keychain authentication and can match against several keys rather than a single fixed one, so the authentication algorithms and key strings of multiple applications are updated periodically on both ends according to the key lifetimes.

  • Dynamic updates to keys in a keychain do not require disconnecting and reconnecting transport-layer connections in use, ensuring stability of session connections and service continuity.
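As an added illustration (not code from the original page or from any vendor's implementation), the following Python models the keychain components described above: each key carries an algorithm, a key string and a lifetime, the sender picks the key whose lifetime covers the current time, and the receiver tries every key valid for the packet's key ID, so a rollover does not break the session. The `accept_tolerance` grace period and the sample keys are assumptions made for the example.

```python
import hmac
from dataclasses import dataclass

# Algorithm names from the page mapped to (hash, tag length in bytes);
# HMAC-SHA1-12 and HMAC-SHA1-20 are HMAC-SHA1 truncated to 12 or 20 bytes.
ALGORITHMS = {"HMAC-SHA1-12": ("sha1", 12), "HMAC-SHA1-20": ("sha1", 20),
              "HMAC-SHA-256": ("sha256", 32)}

@dataclass(frozen=True)
class Key:
    key_id: int
    algorithm: str
    key_string: bytes
    start: int  # lifetime start (seconds since epoch)
    end: int    # lifetime end, exclusive

    def tag(self, packet: bytes) -> bytes:
        hash_name, length = ALGORITHMS[self.algorithm]
        return hmac.new(self.key_string, packet, hash_name).digest()[:length]

class Keychain:
    # accept_tolerance is an assumed receive-side grace period (seconds) around each
    # lifetime, so peers with slightly skewed clocks keep the session across a rollover.
    def __init__(self, keys, accept_tolerance=300):
        self.keys = list(keys)
        self.accept_tolerance = accept_tolerance

    def send_key(self, now):
        # The key whose lifetime covers 'now'; the lowest key ID wins if lifetimes overlap.
        active = [k for k in self.keys if k.start <= now < k.end]
        return min(active, key=lambda k: k.key_id) if active else None

    def authenticate(self, packet, now):
        # (key_id, tag) to carry in the outgoing packet, or None if no key is active.
        k = self.send_key(now)
        return (k.key_id, k.tag(packet)) if k else None

    def verify(self, packet, key_id, tag, now):
        # Try every key with this ID that is valid at 'now' (within the tolerance), so a
        # packet authenticated with either side of a rollover is still accepted.
        for k in self.keys:
            lo, hi = k.start - self.accept_tolerance, k.end + self.accept_tolerance
            if k.key_id == key_id and lo <= now < hi and hmac.compare_digest(k.tag(packet), tag):
                return True
        return False

# Constructed sample chain: key 1 hands over to key 2 at t=1000.
SAMPLE_CHAIN = Keychain([Key(1, "HMAC-SHA1-20", b"old-secret", 0, 1000),
                         Key(2, "HMAC-SHA-256", b"new-secret", 1000, 2000)])
```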

Typical Applications of Keychain

To ensure the integrity of network routing protocols such as RIP, IS-IS, OSPF, and BGP, packets must be encrypted. Keychain enhances the security of these protocol packets by dynamically changing the algorithm and key string. The following example illustrates the application of keychain to IS-IS.

IS-IS is a widely used routing protocol that requires a high level of security. One approach to achieving this is by configuring a fixed algorithm and key string for authenticating IS-IS packets. However, fixed authentication algorithms and key strings are vulnerable to cracking. To bolster the security of IS-IS, keychain can be used for packet authentication.
