HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
accomplished by including the certificate’s serial number on a Certificate Revocation List (CRL)
updated and published on a regular basis by the CA and made available to certificate users.
Digital Signatures
With digital signatures, the sender uses its private key to create a digital signature value, and
sends the digital signature with the data. The recipient uses the sender’s public key and the data
to verify the digital signature.
There are different methods to generate and verify the digital signature. In one method, the sender
generates a one-way hash value and encrypts it with its private key to form the digital signature.
The recipient uses the sender’s public key to decrypt the digital signature and extract the hash
value; it then generates its own hash value and compares the hash values. In another method, the
sender uses its private key and the data as input to a keyed secure hash algorithm that outputs the
digital signature. The receiver uses the data, the sender's public key and the digital signature as
input to a verification algorithm that verifies the digital signature.
One difference between a digital signature and a symmetric-key hash value is that only the holder
of the private key can generate the digital signature, while either holder of a symmetric key can
generate a symmetric-key hash value. Since only the private key holder can generate the digital
signature, a digital signature also provides non-repudiation which makes it difficult for the sender
to deny sending the message.
IKE Authentication with RSA Signatures
HP-UX IPSec supports IKE authentication with RSA signatures in IKE SA negotiations where the IKE
entities exchange certificates.
The initiator sends an authentication “challenge” to the responder: the initiator sends data, including
a random number (nonce), encrypted using the responder’s public key. To authenticate itself to the
sender, the responder decrypts the data using its private key, then sends a hash of the data back,
encrypted using the symmetric key negotiated for the IKE SA. The reciprocal process is used by
the responder to authenticate the identity of the initiator.
PKI Requirements
To use security certificates with HP-UX IPSec, your topology must meet the following requirements:
• All security certificates must be administered using a PKI product from the same vendor. When
you configure HP-UX IPSec, you must configure only one PKI vendor for all security certificate
operations.
• The PKI must support the following certificate file formats and access methods:
Certificate Signing Requests: If you use the ipsec_config utility to create a key pair
and Certificate Signing Request (CSR) that you will submit to the CA, the CA must support
◦
CSRs in Public Key Cryptography Standards #10 format (PKCS#10), and encoded using
Privacy-Enhanced Mail (PEM) base64 encoding. This CSR format is typically used for
“copy and paste” certificate requests.
If you are using a CA or PKI utility to create the key pair and CSR, the CA must provide
the certificate for the local system and the private key in a PKCS#12 encoded file.
◦ Certificates: The CA must provide X.509 Version 3 certificates encoded using one of the
following formats:
– Privacy-Enhanced Mail base64 (PEM)
– Distinguished Encoding Rules (DER)
– PKCS#12 (valid only for the local system certificate; not valid for CA certificates)
PKI Requirements 101