HP-UX IPSec version A.02.01 Administrator's Guide

HP-UX IPSec Overview
IPsec Protocol Suite
The IKE Phase 2 negotiation is also referred to as a Quick Mode (QM) negotiation.
Figure 1-12 SA Establishment
Generating Shared Keys: Diffie-Hellman
IKE and IPsec SAs use shared keys to encrypt and authenticate communication. To be effective, a shared key must be kept private, so that other parties cannot decrypt the data or generate a valid authentication code for modified data. This creates a challenge: How do the two parties agree on the same shared key? How can you distribute the same key to both parties without exposing it to other parties listening on the network?

One method for distributing shared keys is to use the Diffie-Hellman algorithm to dynamically generate shared keys. The Diffie-Hellman algorithm enables two parties to establish a shared, secret value while exchanging information over a nonsecure channel.

The Diffie-Hellman algorithm is based on the principle that (x^a)^b and (x^b)^a are both equivalent to x^(a*b). With Diffie-Hellman key generation, each party generates two numbers: one public and one private. These values are based on a selected, well-known numeric base, or Diffie-Hellman group. The two parties first select the same Diffie-Hellman group (Step 1 in Figure 1-13). The two parties each select a public value and generate a mathematically related private value (Step 2 in Figure 1-13). The two parties exchange public values (Step 3 in Figure 1-13). This exchange may occur via a nonsecure channel. Each party then uses its private value and the other party's public value to generate a new value (Step 4 in Figure 1-13). Because of the
[Figure 1-12 SA Establishment: IKE Phase 1 establishes the IKE SA between Node A and Node B; IKE Phase 2 then establishes the inbound and outbound IPsec SAs (ESP or AH) on each node.]
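The four steps described above, as an added example that is not code from the HP-UX IPSec guide: a pure-Python Diffie-Hellman exchange between Node A and Node B. The group is a constructed 64-bit toy safe prime found at run time rather than one of the fixed IKE MODP groups, so the resulting secret has no real-world strength; the function names and the public-value range check are assumptions of this example.

```python
import secrets

def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test for odd n > 3; here only to build the toy group offline."""
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def select_group(bits: int = 64) -> tuple[int, int]:
    """Step 1: both nodes agree on one group. IKE uses fixed MODP groups;
    this demo constructs a toy safe prime p = 2q + 1 with generator 2."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if is_probable_prime(q) and is_probable_prime(p):
            return p, 2

def generate_key_pair(p: int, g: int) -> tuple[int, int]:
    """Step 2: random private value, public value g^private mod p."""
    private = secrets.randbelow(p - 3) + 2      # 2 <= private <= p - 2
    return private, pow(g, private, p)

def shared_secret(p: int, private: int, peer_public: int) -> int:
    """Step 4: own private value and the peer's public value give the secret.
    Degenerate peer values (0, 1, p-1) force a trivial secret, so reject them."""
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid Diffie-Hellman public value")
    return pow(peer_public, private, p)

def run_exchange(bits: int = 64) -> tuple[int, int, bool]:
    """Node A and Node B walk through Steps 1-4 of Figure 1-13."""
    p, g = select_group(bits)                    # Step 1
    a_priv, a_pub = generate_key_pair(p, g)      # Step 2, Node A
    b_priv, b_pub = generate_key_pair(p, g)      # Step 2, Node B
    # Step 3: only a_pub and b_pub cross the nonsecure channel.
    k_a = shared_secret(p, a_priv, b_pub)        # Step 4, Node A
    k_b = shared_secret(p, b_priv, a_pub)        # Step 4, Node B
    # (x^a)^b == (x^b)^a == x^(a*b) mod p, the identity the guide cites.
    return k_a, k_b, k_a == pow(g, a_priv * b_priv, p)
```

An eavesdropper who captures p, g, a_pub and b_pub still lacks either private exponent, which is why the exchange may run over a nonsecure channel.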