HP-UX IPSec version A.02.00 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software

Glossary

Diffie-Hellman

Glossary306

DES has been cracked (data encoded using

DES has been decoded by a third party).

Diffie-Hellman Method to generate a

symmetric key where two parties can

publicly exchange values and generate the

same symmetric key. Start with prime p and

generator g, which may be publicly known

(typically these numbers are from a

well-known “Diffie-Hellman Group”). Each

party selects a private value (a and b) and

generates a public value (g**a mod p) and

(g**b mod p). They exchange the public

values. Each party then uses its private

value and the other party's public value to

generate the same symmetric key, (g**a)**b

mod p and (g**b)**a mod p, which both

evaluate to g**(a*b) mod p for future

communication.

The Diffie-Hellman method must be

combined with authentication to prevent

man-in-the-middle or third party attacks

(spoofing) attacks. Typically, it is combined

with public/private key certificates (when

sending the public value, each party signs

the public value with its private key and

includes a certificate).

Encryption The process of converting data

from one format to another.

Encapsulating Security Payload (ESP)

The ESP provides confidentiality

(encryption) and an anti-replay service. It

should be used with authentication, either

with the optional ESP authentication field

(authenticated ESP) or nested in an

Authentication Header message.

Authenticated ESP also provides data origin

authentication and connectionless integrity.

When used in tunnel mode, ESP also

provides limited traffic flow confidentiality.

ESP See Encapsulating Security Payload.

Filter A term used to refer to preferences in

encryption, authentication, compression and

protocol etc. for a particular end-user

system.

HMAC Hashed Message Authentication

Code. See also MAC.

IKE The Internet Key Exchange (IKE)

protocol is used before the ESP or AH

protocol exchanges to determine which

encryption and/or authentication services

will be used. IKE also manages the

distribution and update of the symmetric

(shared) encryption keys used by ESP and

AH.

The IKE protocol is a hybrid of three other

protocols: ISAKMP (Internet Security

Association and Key Management Protocol),

Oakley and SKEME. ISAKMP provides a

framework for authentication and key

exchange, but does not define the actual key

exchange. (ISAKMP) defines most of the

message format, with non-specific

key-exchange information fields). The

Oakley Key Determination protocol and

SKEME protocol define key exchange

techniques.

IPSec Policy IPSec Policies specify the

rules according to which data is transferred

securely. IPSec policies generally contain

packet filter information and an action. The

packet filter is used to select a policy for a

packet and the action is applied to the

packets using the policy

IPSec/QM SA See IPSec/Quick Mode

Security Association.