HP-UX IPSec Version A.03.00 Administrator's Guide
Figure 1-12 Diffie-Hellman Key Generation
[Figure: exchange between System A and System B]
Step 1: A and B agree on Diffie-Hellman group.
Step 2: A and B each generate public/private values.
Step 3: A and B exchange public values with each other.
Step 4: A combines its private value with B’s public value. B combines its private value with A’s public value. A and B now have the same shared secret value.
IKE Primary Authentication
Diffie-Hellman is vulnerable to third-party attacks, in which a third party intercepts messages
between two attacked parties, A and B. A and B assume they are exchanging messages with each
other, but are exchanging messages with the third party. The attacker assumes the identity of A
to exchange messages with B, and assumes the identity of B to exchange messages with A.
Because of this vulnerability, IKE must authenticate the identities of the parties using the
Diffie-Hellman algorithm. This process is known as IKE authentication or IKE primary
authentication.
HP-UX IPSec supports two IKE primary authentication methods:
• Preshared keys
• Digital Signatures
IKE Preshared Key Authentication
With preshared key authentication, you must manually configure the same shared key (a
preshared key) on both systems.
The two parties establish a shared key (the preshared key) prior to the Diffie-Hellman exchange
using an out-of-band key exchange, or a key exchange that does not use normal computer
communication channels, such as a face-to-face meeting or telephone call where the two parties
agree on a key. The preshared key is used only for the primary authentication. The two negotiating
entities then generate dynamic shared keys for the IKE SAs and IPsec SAs.
Preshared keys do not require a Certificate Authority or Public Key Infrastructure.
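The following added example (not part of the HP-UX IPSec documentation or product code) walks through the four Diffie-Hellman steps and shows why the exchange needs primary authentication: a tag keyed with the preshared key fails to verify when the public values are substituted in transit or when the two systems hold different keys. The group parameters, key strings and function names are assumptions chosen for illustration, and the tag is a simplified stand-in for the authentication hash IKE actually computes.

```python
import hashlib
import hmac
import secrets

# Toy parameters (assumption, illustration only): IKE negotiates standardized
# Diffie-Hellman groups with far larger primes than this one.
P = 2**127 - 1  # a Mersenne prime
G = 3

def keypair():
    """Step 2: generate a private value and the matching public value."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def shared_secret(my_priv, peer_pub):
    """Step 4: combine own private value with the peer's public value."""
    return pow(peer_pub, my_priv, P)

def auth_tag(psk, initiator_pub, responder_pub):
    """HMAC keyed with the preshared key over both public values.
    Simplified stand-in for IKE's authentication hash, not the real one."""
    msg = b"%d|%d" % (initiator_pub, responder_pub)
    return hmac.new(psk, msg, hashlib.sha256).digest()

def run_exchange(psk_a, psk_b, substitute=False):
    """Return (secrets_match, b_accepts_a) for one constructed exchange."""
    a_priv, a_pub = keypair()
    b_priv, b_pub = keypair()
    a_sees, b_sees = b_pub, a_pub          # Step 3: public values in transit
    if substitute:                         # a third party swaps in its own value
        _, t_pub = keypair()
        a_sees = b_sees = t_pub
    match = shared_secret(a_priv, a_sees) == shared_secret(b_priv, b_sees)
    # A tags the values it used; B recomputes the tag from the values it saw.
    tag_from_a = auth_tag(psk_a, a_pub, a_sees)
    expected_by_b = auth_tag(psk_b, b_sees, b_pub)
    return match, hmac.compare_digest(tag_from_a, expected_by_b)

if __name__ == "__main__":
    print("same key, untouched: ", run_exchange(b"example-psk", b"example-psk"))
    print("substituted values:  ", run_exchange(b"example-psk", b"example-psk", True))
    print("mismatched keys:     ", run_exchange(b"example-psk", b"other-psk"))
```

In the mismatched-key case the Diffie-Hellman secrets still agree but authentication fails, which is the symptom to expect when the preshared key was mistyped on one system.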
IKE Digital Signature Authentication
Digital signatures are based on security certificates, and are managed using a Public Key
Infrastructure (PKI). To use certificates with HP-UX IPSec the PKI must meet the requirements
listed in “PKI Requirements” (page 115).
For more information on using certificate-based authentication for IKE, see Chapter 5: “Using
Certificates with HP-UX IPSec” (page 113).
40 HP-UX IPSec Overview