ServerIron ADX Global Server Load Balancing Guide 53-1002437-01
Secure GSLB
• Peer authentication — Each network device must be authenticated before it can connect to the GSLB network. This check ensures that any peer a GSLB device communicates with is the legitimate peer. Peer authentication is provided by using the Rivest-Shamir-Adleman (RSA) public key technology. The key length is 1024 bits.
• Data encryption — Converts plaintext into ciphertext (encrypted data). Only the designated receiver can decrypt and retrieve the information. Encryption of the GSLB protocol message data denies unauthorized access to the GSLB protocol data. All GSLB protocol messages between the controller and site ServerIron ADX are encrypted using the Blowfish Cipher Block Chaining (CBC) algorithm. The key length is 256 bits (standard 16 rounds).
• Data integrity — Assures the recipient that the message has not been altered after it was generated and transmitted by a legitimate source. Data integrity is ensured by using Hashed Message Authentication Codes (HMAC) with SHA-1. The key length is 20 bytes. The digest length is 20 bytes.
A MAC is included with each GSLB protocol packet. The MAC is computed using the authentication key, the packet sequence number, and the contents of the packet:
mac = MAC(key, sequence-number unencrypted-packet)
The unencrypted packet refers to the entire packet without a MAC. The sequence number is a 32-bit implicit packet sequence number. This number is initialized to zero for the first packet, and it is incremented for every GSLB protocol packet sent thereafter.
The message authentication key is negotiated during the authentication phase as described in the section “Initial session key generation” on page 57.
• Data authentication — Guarantees that the sender of the data is the legitimate peer. An authentication session key is used to compute a hash between peers that have already been authenticated. Only the two peers can generate the hash based on the key.
Each MAC hash is generated using the negotiated authentication key. This key is shared between the two peers. Therefore, a message received with the correct MAC hash authenticates the peer, because only the sender and the receiver have knowledge of the authentication key.
• Protection — Against replay and "man-in-the-middle" attacks.
• Dynamic session key generation — Makes it difficult for an intruder to decipher session keys, by regenerating keys periodically or randomly.
Initial session key generation
Once the initial authentication is completed, the GSLB controller generates two session keys:
• Encryption key
• Authentication key
These keys are randomly generated. The secure random generator from the RSA toolkit is used for random number generation.
When the GSLB controller sends the session keys to the site, the keys are first encrypted with the local private key, followed by the public key of the peer. A SHA-1 digest of the keys is also attached to the message. In effect, both authentication and integrity are provided.
On receiving these encrypted passwords from the GSLB controller, the site ServerIron ADX decrypts the encryption key and the authentication key using its private key and the peer public key, and verifies that the SHA-1 hash is the same as the one received. RSA decryption technology is used for this purpose.
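The following is an added example, not code from the guide or from the ServerIron ADX firmware. It models two pieces of the scheme described above: the controller generating the two random session keys (20-byte HMAC-SHA1 authentication key, 256-bit Blowfish encryption key), and the per-packet MAC computed over the 32-bit implicit sequence number and the unencrypted packet, with a receiver that tracks its own expected sequence number so that a replayed or altered packet fails verification. Blowfish-CBC encryption of the packet is not shown (it is not in the Python standard library); the frame layout (MAC appended after the packet), big-endian sequence encoding, and the use of `secrets` as the CSPRNG are assumptions of this example, not statements from the guide.

```python
import hashlib
import hmac
import secrets
import struct

# Key and digest sizes as stated in the guide.
ENC_KEY_LEN = 32    # 256-bit Blowfish key
AUTH_KEY_LEN = 20   # HMAC-SHA1 key
DIGEST_LEN = 20     # HMAC-SHA1 digest
SEQ_MASK = 0xFFFFFFFF


def generate_session_keys():
    """Controller side: two independently generated random session keys.

    The guide uses the RSA toolkit's secure random generator; this example
    assumes the OS CSPRNG via the secrets module instead.
    """
    return secrets.token_bytes(ENC_KEY_LEN), secrets.token_bytes(AUTH_KEY_LEN)


def compute_mac(auth_key, sequence_number, unencrypted_packet):
    """mac = HMAC-SHA1(key, sequence-number || unencrypted-packet).

    The sequence number is implicit (never sent on the wire) and is
    encoded here as a 32-bit big-endian integer (encoding assumed).
    """
    msg = struct.pack(">I", sequence_number & SEQ_MASK) + unencrypted_packet
    return hmac.new(auth_key, msg, hashlib.sha1).digest()


class Sender:
    """Builds frames as packet || MAC, starting at sequence number 0."""

    def __init__(self, auth_key):
        self.auth_key = auth_key
        self.seq = 0

    def build(self, unencrypted_packet):
        mac = compute_mac(self.auth_key, self.seq, unencrypted_packet)
        self.seq = (self.seq + 1) & SEQ_MASK
        return unencrypted_packet + mac


class Receiver:
    """Verifies frames against its own expected sequence number.

    Because the sequence number is part of the MAC input but not of the
    frame, a captured frame presented a second time (replay) no longer
    matches the receiver's counter and is rejected, as is any altered packet.
    """

    def __init__(self, auth_key):
        self.auth_key = auth_key
        self.expected_seq = 0

    def accept(self, frame):
        if len(frame) < DIGEST_LEN:
            return False, "frame shorter than MAC"
        packet, received_mac = frame[:-DIGEST_LEN], frame[-DIGEST_LEN:]
        expected_mac = compute_mac(self.auth_key, self.expected_seq, packet)
        # Constant-time comparison avoids leaking MAC bytes via timing.
        if not hmac.compare_digest(received_mac, expected_mac):
            return False, "MAC mismatch (altered, replayed or out-of-sequence)"
        self.expected_seq = (self.expected_seq + 1) & SEQ_MASK
        return True, packet


def demo():
    """Run a constructed exchange; returns the verification outcomes."""
    _enc_key, auth_key = generate_session_keys()
    sender, receiver = Sender(auth_key), Receiver(auth_key)

    frame_a = sender.build(b"GSLB-HEALTH site=1 vip=10.0.0.1 status=up")  # constructed
    frame_b = sender.build(b"GSLB-HEALTH site=1 vip=10.0.0.2 status=down")  # constructed

    first = receiver.accept(frame_a)[0]          # genuine, in order
    replay = receiver.accept(frame_a)[0]         # same bytes again
    second = receiver.accept(frame_b)[0]         # next genuine packet
    tampered = bytearray(sender.build(b"GSLB-HEALTH site=2 status=up"))
    tampered[0] ^= 0x01                          # flip one bit in the packet
    altered = receiver.accept(bytes(tampered))[0]
    return {"first": first, "replay": replay, "second": second, "altered": altered}


if __name__ == "__main__":
    print(demo())
```

Note that an implicit counter on both sides only works if every packet arrives exactly once and in order; a lost or reordered packet desynchronises the receiver's counter and every later frame is rejected until the session is re-established, so a transport with those guarantees is assumed.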