Configuring Microsoft Windows IP Security to Operate with HP-UX IPSec
glossary
3DES Triple Data Encryption Standard. A symmetric key block encryption algorithm that encrypts
data three times, using a different 56-bit key each time (168 bits are used for keys). 3DES is
suitable for bulk data encryption.
AES Advanced Encryption Standard. Uses a symmetric key block encryption. HP-UX IPSec supports
AES with a 128-bit key. AES is suitable for encrypting large amounts of data.
AH The AH (Authentication Header) protocol provides data integrity, system-level authentication
for IP packets. It can also provide anti-replay protection. The AH protocol is part of the IPsec
protocol suite.
authentication The process of verifying a user's identity or integrity of data, or the identity of the party that
sent data.
DES Data Encryption Standard. Uses a 56-bit key for symmetric key block encryption. It is suitable
for encrypting large amounts of data.
DES has been cracked (data encoded using DES has been decoded by a third party).
Diffie-Hellman Method to generate a symmetric key where two parties can publicly exchange values and
generate the same shared key. Start with prime p and generator g, which may be publicly
known (typically these numbers are from a well-known Diffie-Hellman Group). Each party
selects a private value (a and b) and generates a public value (g**a mod p) and (g**b mod p).
They exchange the public values. Each party then uses its private value and the other party's
public value to generate the same shared key, (g**a)**b mod p and (g**b)**a mod p, which both
evaluate to g**(a*b) mod p for future communication.
The Diffie-Hellman method must be combined with authentication to prevent man-in-the-middle
or third party attacks (spoofing) attacks. For example, Diffie-Hellman can be used with certificate
or preshared key authentication.
ESP The ESP (Encapsulating Security Payload) protocol provides confidentiality (encryption), data
authentication, and an anti-replay service for IP packets. When used in tunnel mode, ESP also
provides limited traffic flow confidentiality. The ESP protocol is part of the IPsec protocol suite.
IKE The Internet Key Exchange (IKE) protocol is used before the ESP or AH protocol exchanges to
determine which encryption and/or authentication services will be used. IKE also manages the
distribution and update of the symmetric (shared) encryption keys used by ESP and AH.
IKE
authentication
The method used by IKE peers to authenticate each party's identity. HP-UX IPSec supports two
IKE authentication methods: preshared keys and RSA signatures using certificates.
IKE SA IKE Security Association. An IKE SA is a bi-directional, secure communication channel that
IKE uses to negotiate IPsec SAs. IKE can establish IKE SAs using either Main Mode or Aggressive
Mode negotiations. Also referred to as IKE Phase One SA, ISAKMP SA, ISAKMP/MM SA,
Aggressive Mode SA, Main Mode SA.
IPsec SA IPsec Security Association. An IPsec SA is a uni-directional, secure communication channel.
The IPsec SA operating parameters include the IPsec protocol used (ESP or AH), the mode
(transport or tunnel), the cryptographic algorithms (such as AES and SHA-1), the cryptographic
keys, the SA lifetime, and the endpoints (IP addresses, protocol and port numbers). IKE
establishes IPsec SAs using Quick Mode negotiations. Also referred to as IKE Phase Two SA,
IPsec SA, Quick Mode SA.
Perfect Forward
Secrecy (PFS)
With Perfect Forward Secrecy the exposure of one key permits access only to data protected
by that key. HP-UX IPSec supports PFS for keys and all identities (the IKE daemon can be
configured to create a new IKE SA for each IPsec negotiation). HP-UX IPSec does not support
PFS for keys only (the IKE SA is re-used for multiple IPsec negotiations, with a new
Diffie-Hellman key exchange for each IPsec negotiation).
SA See Security Association. A secure communication channel and its parameters, such as encryption
and authentication method, keys and lifetime..
SHA1 (Secure Hash Algorithm-1). Authentication algorithm that generates a 160-bit message digest
using a 160-bit key.
47