HP-UX IPSec version A.02.00 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software

Glossary

Perfect Forward Secrecy (PFS)

Glossary 307

IPSec/Quick Mode Security Association

(IPSec/QM SA) A secure communication

channel for IPSec, including encryption and

authentication methods, encryption keys

and lifetimes.

ISAKMP HP supports the Internet Security

Association and Key Management Protocol

(ISAKMP) in conjunction with the Oakley

Key Exchange Protocol to establish an

authenticated key exchange. ISAKMP

defines procedures and packet formats to

establish a security association between two

negotiating entities.

ISAKMP/Main Mode Security

Association (ISAKMP/MM SA) The

ISAKMP/MM SA is a secure communication

channel that IKE uses to negotiate

IPSec/Quick Mode SAs.

ISAKMP/MM SA See ISAKMP/Main Mode

Security Association.

MAC A message authentication code (MAC)

is an authentication tag, also called a

checksum, derived by application of an

authentication scheme, together with a

secret key, to a message. MACs are

computed and verified with the same key so

they can only be verified by the intended

receiver, unlike digital signatures.

Hash function-based MACs (HMACS) use a

key or keys in conjunction with a hash

function to produce a checksum that is

appended to the message. An example is the

keyed-MD5 method of message

authentication.

MACs can also be derived from block

ciphers. The DES-CBC MAC is a widely used

US and international standard. The basic

idea is to encrypt the message blocks using

DES CBC and output the final black in the

ciphertext as the checksum.

Main Mode (MM) The first phase (Phase

One) of IKE negotiations, which establishes

an ISAKMP/MM Security Association (SA).

IKE authenticates the identity of the peer

system and uses a Diffie-Hellman exchange

to establish dynamic keying material. The

ISAKMP/MM SA is a secure communication

channel that IKE uses to negotiate

IPSec/Quick Mode SAs.

Manual Keys Manually configured

cryptographic keys for IPSec. An alternative

to using the Internet Key Exchange (IKE)

protocol to generate cryptographic keys and

other information for IPSec Security

Associations (SAs).

MD5 (Message Digest-5). Authentication

algorithm developed by RSA. MD5 generates

a 128-bit message digest using a 128-bit key.

IPSec truncates the message digest to 96

bits.

MM See Main Mode.

Oakley Oakley is a key exchange protocol

which works within the ISAKMP framework

to generate authenticated keying material

for use with other security services.

Policy A generic term referring to packet

filter information and actions. The packet

filter is used to select a policy for a packet

and the actions are applied to the packets

using the policy.

Perfect Forward Secrecy (PFS) With

Perfect Forward Secrecy the exposure of one

key permits access only to data protected by

that key. HP-UX IPSec supports PFS for

keys and identities (the IKE daemon can be