HP-UX IPSec version A.02.01 Administrator's Guide

Glossary
MD5
Glossary 363
packet filter is used to select a policy for a packet and the action is applied to the packets using the policy.

IPsec SA
A security association (SA), or security session, for IPsec. An IPsec SA also specifies encryption and authentication methods, encryption keys and lifetimes. Also referred to as IPsec/QM SA, Phase 2 SA, Quick Mode SA, QM SA.

IPsec/QM SA
See IPsec SA.

ISAKMP
HP supports the Internet Security Association and Key Management Protocol (ISAKMP) in conjunction with the Oakley Key Exchange Protocol to establish an authenticated key exchange. ISAKMP defines procedures and packet formats to establish a security association between two negotiating entities.

IKE SA
IKE Security Association. An IKE SA is a bi-directional, secure communication channel that IKE uses to negotiate IPsec SAs. IKE can establish IKE SAs using either Main Mode or Aggressive Mode negotiations. Also referred to as IKE Phase One SA, ISAKMP SA, ISAKMP/MM SA, Aggressive Mode SA, Main Mode SA.

IPsec SA
IPsec Security Association. An IPsec SA is a uni-directional, secure communication channel. The IPsec SA operating parameters include the IPsec protocol used (ESP or AH), the mode (transport or tunnel), the cryptographic algorithms (such as AES and SHA-1), the cryptographic keys, the SA lifetime, and the endpoints (IP addresses, protocol and port numbers). IKE establishes IPsec SAs using Quick Mode negotiations. Also referred to as IKE Phase Two SA, IPsec SA, Quick Mode SA.

ISAKMP SA
See IKE SA.

MAC
A message authentication code (MAC) is an authentication tag, also called a checksum, derived by application of an authentication scheme, together with a secret key, to a message. MACs are computed and verified with the same key, so they can only be verified by the intended receiver, unlike digital signatures.

Hash function-based MACs (HMACs) use a key or keys in conjunction with a hash function to produce a checksum that is appended to the message. An example is the keyed-MD5 method of message authentication.

MACs can also be derived from block ciphers. The DES-CBC MAC is a widely used US and international standard. The basic idea is to encrypt the message blocks using DES CBC and output the final block of the ciphertext as the checksum.

Main Mode (MM)
A mode used in IKE Phase 1 negotiations to establish IKE SAs. MM is more secure than Aggressive Mode, but requires the IKE peers to exchange more packets (six instead of three). The IKE protocol specification requires implementations to support MM.

manual keys
Manually configured cryptographic keys for IPsec. An alternative to using the Internet Key Exchange (IKE) protocol to generate cryptographic keys and other information for IPsec Security Associations (SAs).

MD5
(Message Digest-5). Authentication algorithm developed by RSA. MD5 generates a 128-bit message digest using a 128-bit key. IPsec truncates the message digest to 96 bits.
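
As an added example that is not part of the HP-UX guide, the keyed-MD5 construction the MAC and MD5 entries describe, in Python: an HMAC-MD5 tag truncated to 96 bits as IPsec does, which the receiving peer can verify only because it holds the same key. The key and message are constructed sample values.

```python
import hmac
import hashlib

# IPsec keeps only the first 96 bits (12 bytes) of the 128-bit HMAC-MD5
# digest as the authentication tag carried in the AH/ESP packet.
TRUNC_BYTES = 12


def hmac_md5_96(key: bytes, message: bytes) -> bytes:
    """Return the 96-bit truncated HMAC-MD5 tag for message under key."""
    full_tag = hmac.new(key, message, hashlib.md5).digest()  # 16 bytes
    return full_tag[:TRUNC_BYTES]


def verify_hmac_md5_96(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag with the same shared key and compare in constant time.

    Anyone who can verify a MAC also holds the key needed to produce one,
    so a MAC proves integrity to the peer but gives no third-party proof of
    origin the way a digital signature does.
    """
    if len(tag) != TRUNC_BYTES:
        return False
    return hmac.compare_digest(hmac_md5_96(key, message), tag)


# Constructed sample values (not taken from the guide); they match the
# first HMAC-MD5 test vector published in RFC 2202.
SAMPLE_KEY = bytes.fromhex("0b" * 16)   # 128-bit key
SAMPLE_MSG = b"Hi There"

if __name__ == "__main__":
    tag = hmac_md5_96(SAMPLE_KEY, SAMPLE_MSG)
    print("tag:", tag.hex(), "(", len(tag) * 8, "bits )")
    print("same key, same message:", verify_hmac_md5_96(SAMPLE_KEY, SAMPLE_MSG, tag))
    print("wrong key:             ", verify_hmac_md5_96(b"\x00" * 16, SAMPLE_MSG, tag))
    print("modified message:      ", verify_hmac_md5_96(SAMPLE_KEY, b"Hi there", tag))
```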