Manualshelf

HP-UX IPSec Version A.03.00 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software
31323334353637383940
ESP Encryption and Authentication Algorithms
HP-UX IPSec ESP supports the encryption algorithms listed in Table 1-1 (page 36) and the
authentication algorithms listed in Table 1-2 (page 36). For example, HP-UX IPSec can encrypt
an ESP packet using AES and authenticate it using SHA1.
Table 1-1 HP-UX IPSec Encryption Algorithms
DescriptionName
Advanced Encryption Standard (AES) Cipher Block Chaining (CBC)
mode encryption using a 128-bit key.
AES
Triple-DES CBC, three CBC encryption iterations, each with a
different 56-bit key.
3DES
Table 1-2 HP-UX IPSec Authentication Algorithms
DescriptionName
Message Digest-5, 160-bit keyMD5
Secure Hash Algorithm-1, 128-bit keySHA1
TIP: HP recommends that you use AES128 with SHA1. AES is the most secure form of
encryption for HP-UX IPSec, and SHA1 is considered more secure than MD5.
AES encryption throughput rates are comparable to or better than 3DES rates. For more
information about HP-UX IPSec performance, refer to the HP-UX IPSec Sizing and Performance
document available at www.docs.hp.com.
Non-Authenticated ESP
ESP encryption takes the data carried by IP, such as a TCP packet, and encrypts it using a
cryptographic key. The receiving IPsec ESP entity uses the same key to decrypt the cipher text
and extract the original data.
Authentication Header (AH)
The IPsec Authentication Header (AH) provides integrity and authentication but no privacy—the
IP data is not encrypted. The AH contains an authentication value based on a symmetric-key
hash function. Because AH does not encrypt data, it is not commonly used. However, AH provides
one feature that ESP does not: AH authenticates non-mutable fields in the IP header (fields that
do not change in transit, including source and destination addresses). For this reason, AH is
sometimes used with ESP, by nesting an ESP packet within an AH packet.
HP-UX IPSec supports the following authentication algorithms for AH :
HMAC-SHA1
HMAC-MD5
Transport and Tunnel Modes
AH can be used in transport mode or tunnel mode.
Transport Mode
In transport mode, IPsec inserts the AH header with the authentication value after the IP header.
The IP data and header are used to calculate the AH authentication value. Mutable fields in the
IP header (fields might change in transit), such as “hop count,” and “time to live,” are assigned
a zero value before IPsec calculates the authentication value, so the actual values of the mutable
fields are not authenticated. Figure 1-8 shows AH in transport mode.
36 HP-UX IPSec Overview