HP-UX IPSec Version A.03.00 Administrator's Guide
• Security Association (SA)
An SA is a secure communications channel and its operating parameters. An IPsec SA must exist to use ESP or AH, and an IKE SA must exist to establish IPsec SAs. Because an IKE SA is required to create an IPsec SA, the IKEv2 protocol also refers to IPsec SAs as “child SAs.”
• Key Types
HP-UX uses four types of cryptography keys:
— Preshared keys. IKE uses the preshared key to authenticate the identity of the remote system. HP-UX supports ASCII keys for preshared keys. The system administrators must distribute the keys using a secure, out-of-band communications channel, such as a face-to-face meeting, phone call, or secure mail.
— Public/private keys. As an alternative to IKE preshared key authentication, IKE can use RSA signatures from a public/private key pair to authenticate the identity of the remote system. The public keys are distributed using certificates.
— Dynamic keys. IKE generates dynamic keys for the AES, 3DES, MD5 and SHA1 algorithms used by the ESP and AH protocols. IKE also generates dynamic keys to authenticate and encrypt IKE packets. See Table 4-2 (page 77) for algorithm key lengths.
— Manual keys. As an alternative to IKE, you can manually configure the AES, 3DES, MD5 and SHA1 keys used for ESP and AH. The system administrators must distribute the keys using a secure, out-of-band communications channel.
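The two key types above that administrators enter by hand (ASCII preshared keys and manual ESP/AH keys) are the ones most likely to be too short or too predictable. The following validator is an added example, not code from this guide or from the HP-UX product; the key sizes it enforces are the standard ones for the named algorithms (an assumption here, Table 4-2 is authoritative), and the 20-character preshared-key minimum is an assumed local policy.

```python
import re

# Key lengths (bits) for the algorithms the guide names. These are the
# standard sizes and an assumption here; Table 4-2 in the guide is authoritative.
KEY_BITS = {"AES": (128, 192, 256), "3DES": (192,), "MD5": (128,), "SHA1": (160,)}

def check_manual_key(algorithm, key_hex):
    """Return the problems found with a manually configured ESP/AH key (empty list = ok)."""
    algo = algorithm.upper()
    if algo not in KEY_BITS:
        return [f"unknown algorithm {algorithm!r}"]
    key_hex = key_hex.strip().lower()
    if key_hex.startswith("0x"):
        key_hex = key_hex[2:]
    if not re.fullmatch(r"[0-9a-f]+", key_hex) or len(key_hex) % 2:
        return ["key is not an even-length hexadecimal string"]
    key = bytes.fromhex(key_hex)
    bits = len(key) * 8
    problems = []
    if bits not in KEY_BITS[algo]:
        problems.append(f"{algo} key is {bits} bits; expected one of {KEY_BITS[algo]}")
    # Catch material that is easy to type but trivial to guess: one repeated
    # byte (e.g. all zeros) or a key built from very few distinct byte values.
    distinct = len(set(key))
    if distinct == 1:
        problems.append("key is a single repeated byte")
    elif distinct < max(4, len(key) // 4):
        problems.append("key has very low byte diversity")
    # With 3DES, equal subkeys collapse the three passes into single DES.
    if algo == "3DES" and len(key) == 24:
        k1, k2, k3 = key[:8], key[8:16], key[16:24]
        if k1 == k2 or k2 == k3:
            problems.append("3DES key has identical subkeys; effective strength is single DES")
    return problems

def check_preshared_key(psk, min_chars=20):
    """Return problems with an ASCII IKE preshared key (min_chars is an assumed policy)."""
    problems = []
    if not psk.isascii() or not psk.isprintable():
        problems.append("preshared key must be printable ASCII")
    if len(psk) < min_chars:
        problems.append(f"preshared key is {len(psk)} characters; policy requires {min_chars}")
    if len(set(psk)) <= 2:
        problems.append("preshared key uses only one or two distinct characters")
    return problems
```

Run the checks on key material before it is distributed out of band, so that a rejected key never needs a second secure exchange to replace it.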
42 HP-UX IPSec Overview