HP-UX IPSec Version A.03.00 Administrator's Guide

Glossary
3DES Triple Data Encryption Standard. A symmetric key block encryption algorithm that encrypts
each block three times with DES, using a different 56-bit key each time (168 bits of key material
in total; because of the meet-in-the-middle attack, the effective strength is about 112 bits). 3DES
is suitable for bulk data encryption, although it is considerably slower than AES and has since
been deprecated by NIST.
AES Advanced Encryption Standard. A symmetric key block encryption algorithm. HP-UX IPSec
supports AES with a 128-bit key. AES is suitable for encrypting large amounts of data.
AH The AH (Authentication Header) protocol provides data integrity and data-origin (system-level)
authentication for IP packets. It can also provide anti-replay protection. AH does not encrypt the
payload, so it provides no confidentiality. The AH protocol is part of the IPsec protocol suite.
asymmetric key cryptography See public key cryptography.
authentication The process of verifying a user's identity, the integrity of data, or the identity of
the party that sent the data.
Authentication Header (AH) See AH.
CA Certificate Authority. A trusted third party that authenticates users and issues security
certificates. In addition to establishing trust in the binding between a user's public key and
other security-related information in a certificate, the CA digitally signs the certificate
using its private key.
certificate A security certificate associates (or binds) a public key with a principal: a particular
person, system, device, or other entity. The certificate is issued by a trusted entity, called a
Certificate Authority (CA), that guarantees or confirms the identity of the holder (person, device,
or other entity) of the corresponding private key. The CA digitally signs the certificate with the
CA's private key, so the certificate can be verified using the CA's public key. The most commonly
used format for public-key certificates is the X.509 standard, Version 3, published by the ITU-T
and as ISO/IEC 9594-8.
Certificate Authority See CA.
Certificate Revocation List See CRL.
CRL Certificate Revocation List. Security certificates are issued with a specific lifetime, defined by
a start date/time and an expiration date/time. However, situations can arise, such as a
compromised private key, that require a certificate to be withdrawn before it expires. In this
case the certificate authority revokes the certificate by including its serial number on a
Certificate Revocation List (CRL), which the CA updates and publishes on a regular basis and
makes available to certificate users. A verifier that has no current CRL cannot tell whether a
certificate has been revoked, so the validity dates on the certificate alone are not sufficient
evidence that it is still valid.
Diffie-Hellman A method by which two parties derive the same shared secret, from which symmetric
keys are generated, by exchanging values over a public channel. Start with a prime p and a
generator g, which may be publicly known (typically these numbers come from a well-known
"Diffie-Hellman Group"). Each party selects a private value (a and b, respectively) and computes a
public value, g**a mod p and g**b mod p. They exchange the public values. Each party then combines
its own private value with the other party's public value: (g**b)**a mod p and (g**a)**b mod p both
evaluate to g**(a*b) mod p, the shared secret used for subsequent communication. An eavesdropper
who sees only g, p, g**a mod p and g**b mod p cannot feasibly recover a, b or the shared secret.
The Diffie-Hellman exchange by itself does not authenticate the parties, so it must be combined
with authentication to prevent man-in-the-middle (spoofing) attacks, in which a third party
substitutes its own public values and negotiates a separate shared secret with each side. For
example, Diffie-Hellman can be used with certificate or preshared key authentication.
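The exchange described above, the man-in-the-middle substitution it warns about, and a preshared-key check that detects the substitution, as an added Python example. This is not code from the guide or from HP-UX IPSec: the group parameters P and G (a constructed toy group, not one of the standard IKE groups), the party names, the kdf function and the psk_auth_tag construction are all assumptions made here for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group, constructed for this example only. Real IKE peers use
# a well-known MODP group (RFC 2409 / RFC 3526) with a 1024-bit or larger prime;
# this modulus is far too small for real use and the order of G is not vetted.
P = 2**127 - 1          # the Mersenne prime M127, so arithmetic mod P is a field
G = 5
SECRET_BYTES = 16       # enough to hold any value below P


def dh_private() -> int:
    """Pick a random private exponent in the range 2 .. P-2."""
    return secrets.randbelow(P - 3) + 2


def dh_public(private: int) -> int:
    """g**a mod p: the value a party sends over the untrusted network."""
    return pow(G, private, P)


def dh_shared(private: int, peer_public: int) -> int:
    """(peer public)**a mod p. Both honest sides arrive at g**(a*b) mod p.

    The values 0, 1 and p-1 are rejected: a peer (or an attacker) sending one
    of them would force the shared secret into a trivially guessable value.
    """
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value outside the range (1, p-1)")
    return pow(peer_public, private, P)


def kdf(shared: int) -> bytes:
    """Derive a symmetric key from the shared secret (hash of its big-endian bytes)."""
    return hashlib.sha256(shared.to_bytes(SECRET_BYTES, "big")).digest()


def unauthenticated_exchange(mallory: bool = False):
    """Alice and Bob exchange public values in the clear.

    With mallory=True a third party replaces both public values on the wire.
    Returns (alice_key, bob_key, mallory_keys); mallory_keys is None when no
    attacker is present, else the pair of keys Mallory shares with each side.
    """
    a, b = dh_private(), dh_private()
    A, B = dh_public(a), dh_public(b)          # sent over the network
    if not mallory:
        return kdf(dh_shared(a, B)), kdf(dh_shared(b, A)), None
    m = dh_private()
    M = dh_public(m)                           # Mallory's own public value
    alice_key = kdf(dh_shared(a, M))           # Alice believes M came from Bob
    bob_key = kdf(dh_shared(b, M))             # Bob believes M came from Alice
    mallory_keys = (kdf(dh_shared(m, A)), kdf(dh_shared(m, B)))
    return alice_key, bob_key, mallory_keys


def psk_auth_tag(psk: bytes, sender_id: bytes, sent: int, received: int) -> bytes:
    """HMAC under the preshared key over who is speaking and both public values.

    Binding the tag to the values as the sender actually saw them is what lets
    the receiver notice if anything was substituted in transit.
    """
    msg = (sender_id + sent.to_bytes(SECRET_BYTES, "big")
           + received.to_bytes(SECRET_BYTES, "big"))
    return hmac.new(psk, msg, hashlib.sha256).digest()


def authenticated_exchange(psk: bytes, mallory: bool = False) -> bool:
    """Diffie-Hellman plus preshared-key authentication of the exchanged values.

    Returns True when both parties accept the exchange and False when either
    side rejects it (the derived keys must not be used in that case).
    """
    a, b = dh_private(), dh_private()
    A, B = dh_public(a), dh_public(b)
    A_wire, B_wire = A, B                      # what actually arrives at the peer
    if mallory:
        A_wire = B_wire = dh_public(dh_private())
    # Bob proves knowledge of the PSK over what he sent (B) and what he received.
    bob_tag = psk_auth_tag(psk, b"bob", B, A_wire)
    alice_ok = hmac.compare_digest(bob_tag, psk_auth_tag(psk, b"bob", B_wire, A))
    # Alice does the same; Bob checks against the values he saw on his side.
    alice_tag = psk_auth_tag(psk, b"alice", A, B_wire)
    bob_ok = hmac.compare_digest(alice_tag, psk_auth_tag(psk, b"alice", A_wire, B))
    return alice_ok and bob_ok


if __name__ == "__main__":
    ak, bk, _ = unauthenticated_exchange()
    print("no attacker, keys match:", ak == bk)
    ak, bk, mk = unauthenticated_exchange(mallory=True)
    print("attacker in the middle, keys match:", ak == bk,
          "; Mallory holds both keys:", mk == (ak, bk))
    print("PSK-authenticated, honest network accepted:",
          authenticated_exchange(b"hunter2"))
    print("PSK-authenticated, attacker rejected:",
          not authenticated_exchange(b"hunter2", mallory=True))
```

The unauthenticated run shows why the exchange alone is not enough: Alice and Bob each end up sharing a key with Mallory rather than with each other, and nothing in the protocol tells them so. Tying an HMAC under the preshared key to the public values each side actually saw makes any substitution visible, because Mallory cannot produce a valid tag without the key.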
digital signature A digital signature is the public-key analogue of a keyed hash: the sender hashes
the data and transforms the hash with its private key to produce the signature value. Anyone
holding the sender's public key can verify that the signature matches the data, which establishes
both the integrity of the data and the identity of the signer.
Encapsulating Security Payload See ESP.
encryption The process of converting data from a readable format to a non-readable format for
privacy. Encryption functions usually take the data and a cryptographic key (a value or bit
sequence) as input.