HP-UX IPSec Version A.03.00 Administrator's Guide

IPsec Protocol Suite
The major components of the IPsec protocol suite can be divided into the following categories:

- Encapsulating Security Payload (ESP) header for data confidentiality, data integrity, and data authentication. The ESP header also includes a sequence number that provides a form of replay protection.
- Authentication Header (AH) for data integrity and authentication. The AH header also includes a sequence number for a form of replay protection.
- Internet Key Exchange (IKE) protocol, for generating and distributing cryptographic keys for ESP and AH. IKE also authenticates the identity of the remote system, so AH and authenticated ESP used with IKE-negotiated keys provide data origin authentication.
- Manual Keys, an alternative to IKE. Instead of dynamically generating and distributing cryptographic keys for ESP and AH, the cryptographic keys are static and manually distributed. Manual keys are typically used only when the remote system does not support IKE. Because a manual key never changes unless an administrator changes it, it does not benefit from IKE's periodic rekeying and must be protected accordingly.
Encapsulating Security Payload (ESP)
The IPsec Encapsulating Security Payload (ESP) uses shared key encryption to provide data
privacy and keyed hash functions (HMACs computed with a shared authentication key) to provide data authentication and data integrity.
Shared Key Encryption
In shared key encryption, two parties know the same cryptographic key. The sender (System A
in Figure 1-1) encrypts the data with the key to create encrypted data. The recipient (System B
in Figure 1-1) decrypts the encrypted data with the same key. Since only a holder of the
cryptographic key can decrypt the data, the encrypted data can be transmitted across the network
without being understood by other parties.
Figure 1-1 Shared Key Encryption: System A passes Data and the Key through the Encryption Algorithm to produce Encrypted Data; System B passes the Encrypted Data and the same Key through the Decryption Algorithm to recover the original Data.
Shared key cryptography alone does not provide protection against tampering. An intruder who
cannot read the encrypted data can still intercept it, alter bits in it, and forward it to the correct destination; with many ciphers a change to the ciphertext maps to a predictable change in the decrypted data, and the recipient has no way to notice. For this
reason, ESP also authenticates the encrypted data, so that an altered packet is detected and discarded before its contents are used.
Shared key cryptography is also referred to as symmetric key cryptography (because the keys
used by both parties must be the same) and secret key or private key cryptography (because the two parties
must keep the key to themselves). Note that in public key cryptography the term "private key" instead means the non-shared half of a key pair, so "secret key" is the less ambiguous name for a shared key.
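The following is an added example, not code from the HP-UX IPSec product or this guide. It builds a toy ESP-style packet from Python's standard library to show the three properties discussed above: a shared encryption key gives privacy, the same encrypted data can be altered undetectably when it is only encrypted, and an ESP-style integrity check value (ICV) over the sequence number and ciphertext, plus a receiver-side replay window, catches both the tampered packet and a replayed one. The stream cipher (an HMAC-SHA256 keystream in counter mode), the 96-bit truncated HMAC ICV, the packet layout and the window logic are simplifications assumed for illustration, not HP-UX's actual ESP transforms; the keys and payload are constructed.

```python
"""Toy ESP-style packet protection with shared keys (added example, not HP-UX code)."""
import hmac
import hashlib
import struct

ICV_LEN = 12  # 96-bit truncated HMAC, the length used by ESP's HMAC-*-96 transforms
WINDOW = 64   # receiver anti-replay window (assumed size; RFC 4303 recommends >= 32)


def keystream(enc_key: bytes, seq: int, length: int) -> bytes:
    """Toy stream cipher: HMAC(key, seq || counter) blocks concatenated.
    Reusing (key, seq) would reuse keystream, which is why ESP rekeys before
    the sequence number wraps under a single key."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, struct.pack(">IQ", seq, counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def esp_encrypt(enc_key: bytes, auth_key: bytes, seq: int, payload: bytes) -> bytes:
    """Encrypt-then-MAC as ESP does: the ICV covers the header (seq) and ciphertext."""
    ct = xor(payload, keystream(enc_key, seq, len(payload)))
    header = struct.pack(">I", seq)
    icv = hmac.new(auth_key, header + ct, hashlib.sha256).digest()[:ICV_LEN]
    return header + ct + icv


class EspReceiver:
    def __init__(self, enc_key: bytes, auth_key: bytes):
        self.enc_key = enc_key
        self.auth_key = auth_key
        self.highest = 0
        self.seen = set()  # sequence numbers already accepted inside the window

    def receive(self, pkt: bytes):
        """Return (status, payload); status is 'ok', 'bad_icv' or 'replay'."""
        header, ct, icv = pkt[:4], pkt[4:-ICV_LEN], pkt[-ICV_LEN:]
        seq = struct.unpack(">I", header)[0]
        expected = hmac.new(self.auth_key, header + ct, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, expected):
            return "bad_icv", None          # tampered or forged: drop before anything else
        # Replay check runs only after the ICV verifies, so a forged packet
        # cannot move the window (RFC 4303 section 3.4.3 ordering).
        if seq in self.seen or seq + WINDOW <= self.highest:
            return "replay", None
        self.seen.add(seq)
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s + WINDOW > self.highest}
        return "ok", xor(ct, keystream(self.enc_key, seq, len(ct)))


def flip_byte(pkt: bytes, offset: int, mask: int) -> bytes:
    b = bytearray(pkt)
    b[offset] ^= mask
    return bytes(b)


def demo() -> dict:
    enc_key, auth_key = b"K" * 32, b"A" * 32   # constructed keys for the example only
    rx = EspReceiver(enc_key, auth_key)
    pkt = esp_encrypt(enc_key, auth_key, 1, b"TRANSFER $100 TO ACCT 1")
    results = {"clean": rx.receive(pkt)}
    # Encryption alone: flipping one ciphertext bit flips the same plaintext bit,
    # turning "$100" into "$900" without the decryptor noticing anything.
    unauth = flip_byte(pkt[:-ICV_LEN], 4 + 10, 0x08)
    results["no_auth_decrypt"] = xor(unauth[4:], keystream(enc_key, 1, len(unauth) - 4))
    # With the ICV, the same modification fails verification.
    results["tampered"] = rx.receive(flip_byte(pkt, 4 + 10, 0x08))
    # Resending the original packet trips the anti-replay window.
    results["replay"] = rx.receive(pkt)
    # A fresh sequence number is still accepted.
    results["next"] = rx.receive(esp_encrypt(enc_key, auth_key, 2, b"OK"))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Run it and compare the `no_auth_decrypt` line (the altered amount decrypts cleanly) with the `tampered` line (rejected with `bad_icv`): that difference is exactly why ESP pairs encryption with authentication rather than relying on the cipher alone.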