HP-UX IPSec version A.02.01 Administrator's Guide

Glossary 361
Glossary
3DES
Triple Data Encryption Standard. A symmetric key block encryption algorithm that encrypts data three times, using a different 56-bit key each time (168 bits are used for keys). 3DES is suitable for bulk data encryption.

AES
Advanced Encryption Standard. A symmetric key block encryption algorithm. HP-UX IPSec supports AES with a 128-bit key. AES is suitable for encrypting large amounts of data.

AH
The AH (Authentication Header) protocol provides data integrity and system-level authentication for IP packets. It can also provide anti-replay protection. The AH protocol is part of the IPsec protocol suite.

Aggressive Mode (AM)
A mode used in IKE Phase 1 negotiations to establish IKE SAs. AM is less secure than Main Mode because the IKE peers exchange identity information before establishing a secure channel, but it requires the IKE peers to exchange fewer packets (three instead of six). The IKE protocol specification does not require implementations to support AM.

asymmetric key cryptography
See public key cryptography.

authentication
The process of verifying a user's identity, the integrity of data, or the identity of the party that sent data.

Authentication Header (AH)
See AH.

CA
Certificate Authority. A trusted third party that authenticates users and issues security certificates. In addition to establishing trust in the binding between a user's public key and other security-related information in a certificate, the CA digitally signs the certificate information using its private key.

certificate
A security certificate associates (or binds) a public key with a principal: a particular person, system, device, or other entity. The security certificate is issued by an entity in whom users have put their trust, called a Certificate Authority (CA), which guarantees or confirms the identity of the holder (person, device, or other entity) of the corresponding private key. The CA digitally signs the certificate with the CA's private key, so the certificate can be verified using the CA's public key.
The most commonly used format for public-key certificates is the International Organization for Standardization (ISO) X.509 standard, Version 3.

Certificate Authority
See CA.

Certificate Revocation List
See CRL.

CRL
Certificate Revocation List. Security certificates are issued with a specific lifetime, defined by a start date/time and an expiration date/time. However, situations can arise, such as a compromised key value, that necessitate the revocation of the certificate. In this case, the certificate authority can revoke the certificate. This is accomplished by including the certificate's serial number on a Certificate Revocation List (CRL), which is updated and published on a regular basis by the CA and made available to certificate users.

DES
Data Encryption Standard. Uses a 56-bit key for symmetric key block encryption. It is suitable for encrypting large amounts of data.