HP-UX IPSec version A.02.00 Administrator's Guide

Product Specifications
HP-UX IPSec Transforms
Appendix A
Comparative Key Lengths
Table A-2 shows the key lengths of the AH and ESP algorithms. In general, the
longer the key, the more secure the encryption algorithm. AES provides the
most secure encryption, but should be used with some form of
authentication, such as the ESP-AES128-HMAC-SHA1 transform.
NOTE: DES has been cracked (data encoded using DES has been decoded by a third party).
3DES (Triple-DES) uses three independent 56-bit keys. The data is encrypted in three
stages: it is encrypted using key1, decrypted using key2, and encrypted again using key3.
HP-UX IPSec supports AES with 128-bit keys. AES encryption is stronger than that of
3DES. In addition, processing speed is faster with AES, comparable to or better than
that of DES encryption.
HMAC-SHA1 generates a 160-bit message digest and uses a 160-bit shared secret key to
encrypt the digest.
HMAC-MD5 generates a 128-bit message digest and uses a 128-bit shared secret key to
encrypt the digest.
Authentication Algorithms
These algorithms are used to provide the authentication value used in an IPSec
Authentication Header (AH).
AH-MD5
Hashed Message Authentication Code (HMAC) using RSA's Message Digest-5. (128-bit
message digest encrypted with a 128-bit key.)
AH-SHA1
HMAC using the Secure Hash Algorithm-1. (160-bit digest encrypted with a 160-bit key.)
Table A-2 AH and ESP Algorithms and Key Lengths
Algorithm    Key Length (bits)
ESP-DES      56
ESP-3DES     168 (3 x 56)
ESP-AES      128
AH-MD5       128
AH-SHA1      160
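
The AH-MD5 and AH-SHA1 authentication values described above, as an added example that is not part of the HP guide: a Python sketch that builds HMAC from its RFC 2104 definition with the key lengths from Table A-2, checks it against the standard library, and shows that a modified payload or a wrong key fails verification. The function names, payload and keys are constructed for illustration, and the code authenticates a plain byte string, not a full AH packet.

```python
import hashlib
import hmac

# Key lengths in bytes, from Table A-2 (AH-MD5: 128 bits, AH-SHA1: 160 bits).
AH_TRANSFORMS = {
    "AH-MD5": (hashlib.md5, 16),
    "AH-SHA1": (hashlib.sha1, 20),
}
BLOCK_SIZE = 64  # input block size of both MD5 and SHA-1, in bytes


def hmac_rfc2104(transform: str, key: bytes, message: bytes) -> bytes:
    """HMAC built from its definition: H((K ^ opad) || H((K ^ ipad) || m))."""
    hash_fn, key_len = AH_TRANSFORMS[transform]
    if len(key) != key_len:
        raise ValueError(f"{transform} expects a {key_len * 8}-bit key")
    padded = key.ljust(BLOCK_SIZE, b"\x00")  # key is shorter than one block
    inner_key = bytes(b ^ 0x36 for b in padded)
    outer_key = bytes(b ^ 0x5C for b in padded)
    inner = hash_fn(inner_key + message).digest()
    return hash_fn(outer_key + inner).digest()


def verify(transform: str, key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute the value and compare in constant time."""
    return hmac.compare_digest(hmac_rfc2104(transform, key, message), tag)


def demo() -> dict:
    payload = b"constructed sample payload"  # constructed, not a real packet
    results = {}
    for name, (hash_fn, key_len) in AH_TRANSFORMS.items():
        key = bytes(range(key_len))  # constructed demo key, not a secret
        tag = hmac_rfc2104(name, key, payload)
        results[name] = {
            "digest_bits": len(tag) * 8,
            "matches_stdlib": tag == hmac.new(key, payload, hash_fn).digest(),
            "accepts_original": verify(name, key, payload, tag),
            "accepts_tampered": verify(name, key, payload + b"!", tag),
            "accepts_wrong_key": verify(name, bytes(key_len), payload, tag),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```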