Components of a keychain

The keychain module is standalone infrastructure that any application which authenticates with keys can use to establish secure communication with its peers.

A keychain is composed of the following components:
  • Keychain profile: Each keychain is identified by a profile name. Up to 64 keychains can be configured.
  • Key (key identifier): Keys are added to a keychain profile by key ID. Up to 1024 keys can be configured across all keychains. Each key ID within a keychain has its own properties: a password, an authentication algorithm, a send lifetime, and an accept lifetime. A key is valid only if its lifetime has not expired and both its password and its authentication algorithm are configured. The usable range of key IDs depends on the protocol; for each protocol the key ID must fall within that protocol's valid range (for OSPFv2, 1 through 255). An application that uses the keychain module may reject key IDs outside its permitted range, but the keychain module itself places no restriction on which key IDs a user configures, so an out-of-range key ID is accepted at configuration time and rejected only by the protocol that tries to use it.
  • Authentication algorithm: Every key must specify an authentication algorithm. The application or protocol selects the cryptographic algorithm that meets its requirements. MD5 and SHA-1 remain available for interoperability with peers that offer nothing stronger; where the protocol and the peer support it, prefer HMAC-SHA-256. The supported authentication algorithms are:
    • HMAC-SHA-1
    • HMAC-SHA-256
    • MD5
    • SHA-1
    • SHA-256
  • Password: Each key must have a password, the shared secret that the cryptographic algorithm is keyed with. It is stored in encrypted form in the configuration.
  • Lifetime of key: Each key has two lifetimes, one for sending and one for accepting. A key is active only within its configured time range, extended by the tolerance value if one is configured.
    • Accept lifetime: The period during which the key is active for receiving, that is, messages authenticated with it are accepted as valid.
    • Send lifetime: The period during which the key is active for sending, that is, it may be used to authenticate outgoing messages.
  • Tolerance: The tolerance value extends a key's lifetime on both sides of the configured window, before the start time and after the end time. When a tolerance is configured, the key becomes active earlier (start time minus tolerance) and expires later (end time plus tolerance), except that an infinite end time is not extended. A key within the tolerance period is considered valid. Tolerance is what lets two peers whose clocks are not perfectly aligned roll over to a new key without dropping authenticated traffic.
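The following is an added example, not code from the original page or from the keychain module itself. It models the rules described above: accept and send lifetimes, the tolerance extension (and its exception for an infinite end time), the requirement that a key have a password and algorithm, and the per-protocol key ID range check that the application, not the keychain, enforces. The keychain contents, timestamps, passwords, the `ospf-keys` name and the rule that the lowest send-valid key ID is used for transmission are all constructed assumptions for illustration; the real selection order is platform-specific.

```python
# Added example, not the keychain module's own code. Sample keys, times,
# passwords and the "lowest valid key ID sends" rule are constructed here.
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

INFINITE = None  # an 'infinite' end time is never extended by tolerance

ALGORITHMS = {  # keyed-hash primitives for two of the page's algorithms
    "hmac-sha-1": hashlib.sha1,
    "hmac-sha-256": hashlib.sha256,
}


@dataclass
class Key:
    key_id: int
    password: bytes            # shared secret (stored encrypted on a device)
    algorithm: str
    accept_start: datetime
    accept_end: Optional[datetime]
    send_start: datetime
    send_end: Optional[datetime]

    @staticmethod
    def _within(start, end, now, tolerance):
        # Tolerance advances the start and, unless the end is infinite,
        # pushes the end out; a key in the tolerance period is still valid.
        eff_start = start - tolerance
        eff_end = INFINITE if end is INFINITE else end + tolerance
        return eff_start <= now and (eff_end is INFINITE or now <= eff_end)

    def configured(self):
        # A key with no password or no algorithm is never valid.
        return bool(self.password) and self.algorithm in ALGORITHMS

    def accept_valid(self, now, tol):
        return self.configured() and self._within(self.accept_start, self.accept_end, now, tol)

    def send_valid(self, now, tol):
        return self.configured() and self._within(self.send_start, self.send_end, now, tol)


@dataclass
class Keychain:
    name: str
    tolerance: timedelta = timedelta(0)
    keys: List[Key] = field(default_factory=list)

    def send_key(self, now):
        # Assumption: the lowest send-valid key ID is used for transmission.
        valid = sorted((k for k in self.keys if k.send_valid(now, self.tolerance)),
                       key=lambda k: k.key_id)
        return valid[0] if valid else None

    def accept_key(self, key_id, now):
        for k in self.keys:
            if k.key_id == key_id and k.accept_valid(now, self.tolerance):
                return k
        return None


OSPFV2_KEY_IDS = range(1, 256)  # OSPFv2 valid key ID range from the page


def sign(chain, now, data):
    """Tag outgoing data with the chain's current send key; None if no key is valid."""
    key = chain.send_key(now)
    if key is None:
        return None
    return key.key_id, hmac.new(key.password, data, ALGORITHMS[key.algorithm]).digest()


def verify(chain, now, key_id, data, tag, id_range=OSPFV2_KEY_IDS):
    """Protocol-side check: reject IDs outside the protocol's range (the
    keychain does not), then require an accept-valid key and a matching tag."""
    if key_id not in id_range:
        return False
    key = chain.accept_key(key_id, now)
    if key is None:
        return False
    expected = hmac.new(key.password, data, ALGORITHMS[key.algorithm]).digest()
    return hmac.compare_digest(expected, tag)


# Constructed sample: key 1 is rotated out and key 2 rotated in, with
# overlapping accept windows so peers still on either key interoperate.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
CHAIN = Keychain("ospf-keys", tolerance=timedelta(minutes=5), keys=[
    Key(1, b"old-secret", "hmac-sha-256",
        accept_start=T0, accept_end=T0 + timedelta(hours=2),
        send_start=T0, send_end=T0 + timedelta(hours=1)),
    Key(2, b"new-secret", "hmac-sha-256",
        accept_start=T0 + timedelta(hours=1), accept_end=INFINITE,
        send_start=T0 + timedelta(hours=1), send_end=INFINITE),
    Key(300, b"out-of-range", "hmac-sha-256",  # configurable, but OSPFv2 rejects it
        accept_start=T0, accept_end=INFINITE, send_start=T0, send_end=INFINITE),
])


def send_key_id_at(minutes_after_t0):
    """Which key ID the chain would sign with at T0 + minutes (None if none)."""
    result = sign(CHAIN, T0 + timedelta(minutes=minutes_after_t0), b"hello")
    return None if result is None else result[0]


def accepts_at(key_id, minutes_after_t0, id_range=OSPFV2_KEY_IDS):
    """Whether a message a peer tagged with key_id verifies at T0 + minutes."""
    now = T0 + timedelta(minutes=minutes_after_t0)
    key = next(k for k in CHAIN.keys if k.key_id == key_id)
    tag = hmac.new(key.password, b"hello", ALGORITHMS[key.algorithm]).digest()
    return verify(CHAIN, now, key_id, b"hello", tag, id_range)
```

Walking the sample through time shows the tolerance at work: key 1 can already sign three minutes before its send lifetime starts, keeps signing up to five minutes after it ends, and is still accepted five minutes past its accept lifetime, while key 2's infinite end is never extended. Key 300 passes keychain validation at every instant but is rejected by the OSPFv2 range check unless the caller supplies a wider range.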