HP-UX IPSec version A.02.00 Administrator's Guide
Using Certificates with HP-UX IPSec
Overview
Chapter 4116
Certificates are issued with a specific lifetime, defined by a start
date/time and an expiration date/time. However, situations can arise,
such as a compromised key value, that necessitate the revocation of the
certificate. In this case, the certificate authority can revoke the
certificate. This is accomplished by including the certificate’s serial
number on a Certificate Revocation List (CRL) updated and
published on a regular basis by the CA and made available to certificate
users.
Digital Signatures
With digital signatures, the sender uses its private key to create a digital
signature value, and sends the digital signature with the data. The
recipient uses the sender’s public key and the data to verify the digital
signature.
There are different methods to generate and verify the digital signature.
In one method, the sender generates a one-way hash value and encrypts
it with its private key to form the digital signature. The recipient uses
the sender’s public key to decrypt the digital signature and extract the
hash value; it then generates its own hash value and compares the hash
values. In another method, the sender uses its private key and the data
as input to a keyed secure hash algorithm that outputs the digital
signature. The receiver uses the data, the sender's public key and the
digital signature as input to a verification algorithm that verifies the
digital signature.
One difference between a digital signature and a symmetric-key hash
value is that only the holder of the private key can generate the digital
signature, while either holder of a symmetric key can generate a
symmetric-key hash value. Since only the private key holder can
generate the digital signature, a digital signature also provides
non-repudiation which makes it difficult for the sender to deny sending
the message.
IKE Public Key Distribution
IKE primary authentication with digital signatures requires that the
IKE initiator and responder obtain the other entity’s public key, using
security certificates. This may be done as part of the IKE negotiation -
the two entities may exchange certificates at the beginning of the IKE
negotiation. Alternatively, this may be done independent of the IKE