HP-UX IPSec version A.02.01 Administrator's Guide
Glossary
MM
Glossary364
MM See Main Mode.
Oakley Oakley is a key exchange protocol
which works within the ISAKMP framework
to generate authenticated keying material
for use with other security services.
out-of-band key exchange A key
exchange using a secure communication
channel that is outside of normal computer
communication channels, such as a
face-to-face meeting or telephone call.
policy A generic term referring to packet
filter information and actions. The packet
filter is used to select a policy for a packet
and the actions are applied to the packets
using the policy.
Perfect Forward Secrecy (PFS) With
Perfect Forward Secrecy the exposure of one
key permits access only to data protected by
that key. HP-UX IPSec supports PFS for
keys and identities (the IKE daemon can be
configured to create a new IKE SA for each
IPsec/QM negotiation). HP-UX IPSec does
not support PFS for keys only (the IKE SA is
re-used for multiple IPsec/QM negotiations,
with a new Diffie-Hellman key exchange for
each IPsec/QM negotiation).
preshared key A key agreed upon by two
systems for encryption or authentication and
distributed using an out-of-band key
exchange. In the context of HP-UX IPSec,
the term preshared keys refers to ASCII
strings that are used for IKE (Primary)
authentication (authenticating the peer’s
identity).
public key cryptography A cryptographic
method using two mathematically related
keys (k1 and k2) such that data encrypted
with k1 can be decrypted only using k2. In
addition, most algorithms provide assurance
that only the holder of k1 can correctly
encrypt data that can be decrypted by k2.
One key must be private (known only to the
owner), but the second key can be widely
known (public), which makes key
distribution easy to manage. Public key
encryption is computationally expensive, so
it is impractical for bulk data encryption.
Instead, public key cryptography is usually
used to authenticate data.
Also referred to as asymmetric key
cryptography (the two keys are not the
same) or public-private key cryptography.
QM See Quick Mode.
Quick Mode (QM) The second phase
(Phase 2) of IKE negotiations, which
establishes IPsec SAs.
RSA (Rivest, Shamir, and Adelman)
Public/private key cryptosystem that can be
used for privacy (encryption) and
authentication (signatures). For encryption,
system A can send data encrypted with
system B's public key. Only system B's
private key can decrypt the data. For
authentication, system A sends data with a
signature - a digest or hash encrypted with
system A's private key. To verify, system B
uses system A's public key to decrypt the
signature and compare the decrypted hash
or digest to the digest or hash that it
computes for the message.
RSA Signatures A method used in IKE
authentication to verify the identity of the
peer system using security certificates and
public/private key cryptography.