HP-UX IPSec version A.02.01 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software

Glossary

Diffie-Hellman

Glossary362

DES has been cracked (data encoded using

DES has been decoded by a third party).

Diffie-Hellman Method to generate a

symmetric key where two parties can

publicly exchange values and generate the

same shared key. Start with prime p and

generator g, which may be publicly known

(typically these numbers are from a

well-known “Diffie-Hellman Group”). Each

party selects a private value (a and b) and

generates a public value (g**a mod p) and

(g**b mod p). They exchange the public

values. Each party then uses its private

value and the other party's public value to

generate the same shared key, (g**a)**b

mod p and (g**b)**a mod p, which both

evaluate to g**(a*b) mod p for future

communication.

The Diffie-Hellman method must be

combined with authentication to prevent

man-in-the-middle or third party attacks

(spoofing) attacks. For example,

Diffie-Hellman can be used with certificate

or preshared key authentication.

digital signature Digital signatures are a

variation of keyed hash algorithms that use

public/private key pairs. The sender uses its

private key and the data as input to create a

Digital Signature value.

Encapsulating Security Payload

See ESP.

encryption The process of converting data

from a readable format to non-readable

format for privacy. Encryption functions

usually take data and a cryptographic key

(value or bit sequence) as input.

ESP The ESP (Encapsulating Security

Payload) protocol provides confidentiality

(encryption), data authentication, and an

anti-replay service for IP packets. When

used in tunnel mode, ESP also provides

limited traffic flow confidentiality.

filter The parameters in an IPsec policy

that HP-UX IPSec uses to select the policy

applied to an IP packet. The parameters are

the source and destination IP addresses,

protocol, and source and destination port

numbers.

HMAC Hashed Message Authentication

Code. See also MAC.

IKE The Internet Key Exchange (IKE)

protocol is used before the ESP or AH

protocol exchanges to determine which

encryption and/or authentication services

will be used. IKE also manages the

distribution and update of the symmetric

(shared) encryption keys used by ESP and

AH.

The IKE protocol is a hybrid of three other

protocols: ISAKMP (Internet Security

Association and Key Management Protocol),

Oakley and SKEME. ISAKMP provides a

framework for authentication and key

exchange, but does not define the actual key

exchange. (ISAKMP) defines most of the

message format, with non-specific

key-exchange information fields). The

Oakley Key Determination protocol and

SKEME protocol define key exchange

techniques.

IPsec policy IPsec policies specify the rules

according to which data is transferred

securely. IPsec policies generally contain

packet filter information and an action. The