HP-UX IPSec Version A.03.00 Administrator's Guide
HP-UX IPSec Transforms
Comparative Key Lengths
Table A-2 lists the key lengths of AH and ESP algorithms. In general, the longer the key length,
the more secure the encryption algorithm will be. AES encryption provides the most secure
encryption, but should be used with some form of authentication, such as the
ESP-AES128-HMAC-SHA1 authenticated ESP transform.
Table A-2 AH and ESP Algorithms and Key Lengths

Algorithm    Key Length (bits)
ESP-3DES     168 (3 x 56)
ESP-AES      128
AH-MD5       128
AH-SHA1      160
3DES (Triple-DES) uses three independent 56-bit keys. The data is encrypted three times, using
the three keys.
AES with HP-UX IPSec supports 128-bit keys. AES encryption is stronger than that of 3DES. In
addition, processing speed is faster with AES.
HMAC-SHA1 generates a 160-bit message digest and uses a 160-bit shared secret key to encrypt
the digest.
HMAC-MD5 generates a 128-bit message digest and uses a 128-bit shared secret key to encrypt
the digest.
Authentication Algorithms
The authentication algorithms described in this section provide authentication values for IPsec
Authentication Header (AH) and for authenticated ESP. The algorithms are based on shared key
hash functions.
AH-MD5
Hashed Message Authentication Code (HMAC) using the RSA Message Digest-5 algorithm. (128-bit
message digest encrypted with a 128-bit key.)
AH-SHA1
HMAC using the Secure Hash Algorithm-1. (160-bit digest encrypted with a 160-bit key.)
Encryption Algorithms
These algorithms are used to encrypt the IP payload for an IPsec Encapsulating Security Payload
(ESP). The ESP encryption algorithms provide confidentiality (encryption) and are used with an
authentication algorithm. ESP uses the authentication algorithm to compute an Integrity Check
Value (ICV) that authenticates the ESP header and IP data. The ICV does not authenticate the
original IP header unless tunnelling is used.
ESP-3DES-HMAC-MD5
ESP using triple DES-CBC encryption (3DES-CBC; three encryption iterations, each with a
different 56-bit key) and HMAC-MD5 to generate an ICV.
ESP-3DES-HMAC-SHA1
ESP using 3DES-CBC encryption and HMAC-SHA1 to generate an ICV.
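The following is an added example, not code from the HP-UX IPSec guide, showing how the HMAC-MD5 and HMAC-SHA1 authentication algorithms described above produce the Integrity Check Value (ICV) for an AH or authenticated-ESP packet, with the key and digest sizes from Table A-2 (128 bits for HMAC-MD5, 160 bits for HMAC-SHA1). It uses only the Python standard library. The ESP header fields (SPI, sequence number) and the "encrypted payload" bytes are constructed sample data, and the optional 96-bit ICV truncation is the behaviour of the standard IPsec transforms in RFC 2403/2404, which this page does not state; it is included as an assumption, not as an HP-UX setting.

```python
import hmac
import hashlib

# Key and digest sizes from Table A-2 (bits).
KEY_BITS = {"HMAC-MD5": 128, "HMAC-SHA1": 160}
DIGEST_BITS = {"HMAC-MD5": 128, "HMAC-SHA1": 160}
HASH_FUNC = {"HMAC-MD5": hashlib.md5, "HMAC-SHA1": hashlib.sha1}

# Constructed shared secret keys of exactly the length the transform expects.
KEY_MD5 = bytes(range(16))    # 128 bits
KEY_SHA1 = bytes(range(20))   # 160 bits

# Constructed ESP packet: SPI (4 bytes) + sequence number (4 bytes) + sample
# "ciphertext". ESP authenticates the ESP header and the encrypted payload;
# the outer IP header is not covered, as the text above notes.
SPI = (0x00001234).to_bytes(4, "big")
SEQ = (1).to_bytes(4, "big")
ENCRYPTED_PAYLOAD = b"constructed-3des-cbc-ciphertext-bytes"
ESP_AUTHENTICATED = SPI + SEQ + ENCRYPTED_PAYLOAD


def compute_icv(algo, key, authenticated_bytes, truncate_bits=None):
    """Return the ICV: HMAC over the authenticated bytes with the given algorithm.

    Rejects keys whose length does not match Table A-2, so a misconfigured
    key is caught at setup rather than silently producing a different MAC.
    truncate_bits, if given, keeps only the leading bits (assumption: the
    RFC 2403/2404 transforms use 96 bits; not stated by the guide).
    """
    if algo not in KEY_BITS:
        raise ValueError("unknown authentication algorithm: %s" % algo)
    if len(key) * 8 != KEY_BITS[algo]:
        raise ValueError("%s expects a %d-bit key, got %d bits"
                         % (algo, KEY_BITS[algo], len(key) * 8))
    mac = hmac.new(key, authenticated_bytes, HASH_FUNC[algo]).digest()
    assert len(mac) * 8 == DIGEST_BITS[algo]
    if truncate_bits is not None:
        mac = mac[: truncate_bits // 8]
    return mac


def verify_icv(algo, key, authenticated_bytes, received_icv, truncate_bits=None):
    """Recompute the ICV and compare in constant time (avoids timing leaks)."""
    expected = compute_icv(algo, key, authenticated_bytes, truncate_bits)
    return hmac.compare_digest(expected, received_icv)


def demo():
    """Show both algorithms on the constructed packet and a tampered copy."""
    results = {}
    for algo, key in (("HMAC-MD5", KEY_MD5), ("HMAC-SHA1", KEY_SHA1)):
        icv = compute_icv(algo, key, ESP_AUTHENTICATED)
        # Flip one bit of the sequence number, as a replayed or altered packet would.
        tampered = SPI + (2).to_bytes(4, "big") + ENCRYPTED_PAYLOAD
        results[algo] = {
            "digest_bits": len(icv) * 8,
            "valid": verify_icv(algo, key, ESP_AUTHENTICATED, icv),
            "tampered_valid": verify_icv(algo, key, tampered, icv),
        }
    return results


if __name__ == "__main__":
    for algo, r in demo().items():
        print(algo, r)
```

The check on key length mirrors Table A-2: a 160-bit key is required for AH-SHA1 / ESP-*-HMAC-SHA1 and a 128-bit key for the MD5 variants. Verification uses `hmac.compare_digest` rather than `==` so that a receiver does not leak, through timing, how many leading ICV bytes an attacker got right.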
HP-UX IPSec Transforms 167