HP-UX IPSec version A.02.00 Administrator's Guide
HP-UX IPSec Overview
Internet Key Exchange (IKE)
Chapter 1, page 40
public value to generate a new value. Because of the mathematical
properties of the group, both parties compute the same value,
which can then be used as a symmetric key.
Figure 1-10 Diffie-Hellman Key Generation
Diffie-Hellman by itself is vulnerable to a man-in-the-middle attack: a
third party that intercepts the messages between the sender and receiver
can substitute its own public values, assume the identity of each party
toward the other, and end up sharing a value with each of them while the
two legitimate parties believe they share a value with each other. Because
of this, Diffie-Hellman is used with some form of authentication to ensure
that symmetric keys are established between the correct parties.
In summary, if two entities use the same, well-known Diffie-Hellman
group, they can exchange values in the clear and each compute the same
shared value, which they can use directly as a symmetric key or as the
base from which a symmetric key is derived. Diffie-Hellman should always
be used with some form of authentication.
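The three steps of Figure 1-10 and the interception attack described above, as an added Python example that is not part of the HP-UX guide. The group is a constructed toy one (p = 1019 is a safe prime and g = 2 generates the whole group), not one of the IKE MODP groups, and the preshared-key authenticator at the end is a simplified construction of my own (an HMAC over the identity and both public values), not IKE's actual HASH_I/HASH_R computation; it is there only to show why the exchange has to be authenticated.

```python
import hashlib
import hmac
import secrets

# Constructed toy group for illustration only (NOT a real IKE group).
# 1019 is a safe prime ((1019 - 1) / 2 = 509 is prime) and 2 generates the
# whole multiplicative group, so the algebra matches the IKE MODP groups,
# just with a modulus small enough to read. Never use a group this size.
P = 1019
G = 2


def dh_public(private, p=P, g=G):
    """Public Value = g^private mod p (Step 2 of Figure 1-10)."""
    return pow(g, private, p)


def dh_shared(private, peer_public, p=P):
    """Shared Secret Value = peer_public^private mod p: our Private Value
    combined with the peer's Public Value (Step 3 of Figure 1-10)."""
    return pow(peer_public, private, p)


def honest_exchange(a_priv, b_priv):
    """Steps 2 and 3 with no attacker. Returns (A's value, B's value); equal."""
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    return dh_shared(a_priv, b_pub), dh_shared(b_priv, a_pub)


def mitm_exchange(a_priv, b_priv, m_priv):
    """Same exchange, but M intercepts both Public Values and substitutes its own.
    Returns (A's value, B's value, M's value with A, M's value with B):
    A and B disagree, while M shares a key with each of them."""
    a_pub, b_pub, m_pub = dh_public(a_priv), dh_public(b_priv), dh_public(m_priv)
    k_a = dh_shared(a_priv, m_pub)        # A believes m_pub came from B
    k_b = dh_shared(b_priv, m_pub)        # B believes m_pub came from A
    return k_a, k_b, dh_shared(m_priv, a_pub), dh_shared(m_priv, b_pub)


def auth_tag(psk, identity, sent_pub, received_pub):
    """Hypothetical preshared-key authenticator (simplified, not IKE's HASH_I/HASH_R):
    HMAC-SHA256 over the identity, the Public Value we sent and the one we received."""
    msg = f"{identity}|{sent_pub}|{received_pub}".encode()
    return hmac.new(psk, msg, hashlib.sha256).digest()


def verify_tag(psk, tag, identity, peer_sent_pub, own_sent_pub):
    """Recompute the peer's tag from what *we* actually sent and received."""
    expected = auth_tag(psk, identity, peer_sent_pub, own_sent_pub)
    return hmac.compare_digest(tag, expected)


def authenticated_exchange(psk, a_priv, b_priv, m_priv=None):
    """Returns (B accepts A, A accepts B). With m_priv set, M relays the
    messages exactly as in mitm_exchange but, lacking psk, can only forward
    the tags unchanged, and they no longer match what each side saw."""
    a_pub, b_pub = dh_public(a_priv), dh_public(b_priv)
    if m_priv is None:
        a_sees, b_sees = b_pub, a_pub           # values arrive unmodified
    else:
        a_sees = b_sees = dh_public(m_priv)     # M substitutes its own value
    tag_a = auth_tag(psk, "A", a_pub, a_sees)   # A: "I sent a_pub, got a_sees"
    tag_b = auth_tag(psk, "B", b_pub, b_sees)
    b_accepts = verify_tag(psk, tag_a, "A", b_sees, b_pub)
    a_accepts = verify_tag(psk, tag_b, "B", a_sees, a_pub)
    return b_accepts, a_accepts


if __name__ == "__main__":
    # Fresh random Private Values in [1, P-2] for a stand-alone run.
    a, b, m = (1 + secrets.randbelow(P - 2) for _ in range(3))
    print("honest:", honest_exchange(a, b))
    print("mitm  :", mitm_exchange(a, b, m))
    psk = b"constructed-demo-preshared-key"
    print("auth, honest:", authenticated_exchange(psk, a, b))
    print("auth, mitm  :", authenticated_exchange(psk, a, b, m))
```

The unauthenticated run shows the property the text relies on (both sides compute the same value) and the weakness it warns about (with M in the path, each side shares a value with M instead). The authenticated run shows why the preshared key or equivalent credential matters: the tag binds the exchange to the values each side actually sent and received, so a relayed tag fails verification as soon as M has substituted a Public Value.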
IKE Primary Authentication
IKE must authenticate the identities of the systems that perform the
Diffie-Hellman exchange, since Diffie-Hellman alone cannot. This process
is known as primary authentication. HP-UX IPSec IKE can use two primary
authentication methods:
•Preshared keys
[Figure 1-10, Diffie-Hellman Key Generation (text recovered from the diagram): Step 1, Node A and Node B select a Diffie-Hellman group. Step 2, each node generates a Private Value and the corresponding Public Value, and the Public Values are exchanged. Step 3, Private Value A combined with Public Value B = Private Value B combined with Public Value A, giving both nodes the same Shared Secret Value.]