HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Glossary
3DES Triple Data Encryption Standard. A symmetric key block encryption algorithm that encrypts data
three times, using a different 56-bit key each time (168 bits are used for keys). 3DES is suitable
for bulk data encryption.
AES Advanced Encryption Standard. A symmetric key block encryption algorithm. HP-UX IPSec supports
AES with a 128-bit key. AES is suitable for encrypting large amounts of data.
AH The AH (Authentication Header) protocol provides data integrity and system-level authentication for
IP packets. It can also provide anti-replay protection. The AH protocol is part of the IPsec protocol
suite.
asymmetric key cryptography See public key cryptography.
authentication The process of verifying a user's identity, the integrity of data, or the identity of the party that sent
the data.
Authentication Header (AH) See AH.
CA Certificate Authority. A trusted third party that authenticates users and issues security certificates.
In addition to establishing trust in the binding between a user’s public key and other security-related
information in a certificate, the CA digitally signs the certificate information using its private key.
certificate A security certificate associates (or binds) a public key with a principal: a particular person,
system, device, or other entity. The security certificate is issued by a trusted entity, called a
Certificate Authority (CA), that guarantees or confirms the identity of the holder (person, device, or
other entity) of the corresponding private key. The CA digitally signs the certificate with the CA's
private key, so the certificate can be verified using the CA's public key. The most commonly used
format for public-key certificates is the International Organization for Standardization (ISO) X.509
standard, Version 3.
Certificate Authority See CA.
Certificate Revocation List See CRL.
CRL Certificate Revocation List. Security certificates are issued with a specific lifetime, defined by a
start date/time and an expiration date/time. However, situations can arise, such as a compromised
key value, that necessitate the revocation of the certificate. In this case, the certificate authority
can revoke the certificate. This is accomplished by including the certificate’s serial number on a
Certificate Revocation List (CRL) updated and published on a regular basis by the CA and made
available to certificate users.
Diffie-Hellman Method to generate a symmetric key where two parties can publicly exchange values and generate
the same shared key. Start with prime p and generator g, which may be publicly known (typically
these numbers are from a well-known "Diffie-Hellman Group"). Each party selects a private value
(a and b) and generates a public value (g**a mod p) and (g**b mod p). They exchange the
public values. Each party then uses its private value and the other party's public value to generate
the same shared key, (g**a)**b mod p and (g**b)**a mod p, which both evaluate to g**(a*b)
mod p, for future communication.
The Diffie-Hellman method must be combined with authentication to prevent man-in-the-middle or
third-party (spoofing) attacks. For example, Diffie-Hellman can be used with certificate or
preshared key authentication.
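A worked version of the exchange just described, added here as an example and not taken from the guide: both parties derive g**(a*b) mod p from the public values, and a keyed hash over those values under a preshared key (a simplified construction assumed for illustration, not the IKE message format) lets each side confirm it is talking to a peer that holds the same preshared key. The small prime and generator are constructed toy values; a real deployment uses a well-known Diffie-Hellman Group.

```python
import hashlib
import hmac
import secrets

# Constructed toy parameters so the arithmetic is easy to follow by hand.
# Real IKE negotiations use a well-known Diffie-Hellman Group (a large prime).
TOY_P = 23
TOY_G = 5


def public_value(g, private, p):
    """g**private mod p: the value each party sends in the clear."""
    return pow(g, private, p)


def shared_key(peer_public, private, p):
    """(peer_public)**private mod p, which both sides evaluate to g**(a*b) mod p."""
    return pow(peer_public, private, p)


def auth_tag(psk, own_public, peer_public):
    """Keyed hash (HMAC-SHA256) over both public values under the preshared key.
    Hypothetical simplified construction: it only shows how authentication
    is bound to the exchanged values, not how IKE formats the payload."""
    msg = f"{own_public}:{peer_public}".encode()
    return hmac.new(psk, msg, hashlib.sha256).hexdigest()


def random_private(p):
    """Pick a private value a (or b) uniformly from [1, p-2]."""
    return secrets.randbelow(p - 2) + 1


def exchange(p, g, a, b, psk_a, psk_b):
    """Run the exchange; returns (key_a, key_b, authenticated).
    authenticated is False when the two parties hold different preshared keys."""
    A = public_value(g, a, p)            # party A publishes g**a mod p
    B = public_value(g, b, p)            # party B publishes g**b mod p
    key_a = shared_key(B, a, p)          # A computes (g**b)**a mod p
    key_b = shared_key(A, b, p)          # B computes (g**a)**b mod p
    tag_from_a = auth_tag(psk_a, A, B)   # A proves knowledge of its PSK
    tag_from_b = auth_tag(psk_b, B, A)   # B proves knowledge of its PSK
    # Each side recomputes the peer's tag with its own PSK; constant-time compare.
    a_accepts = hmac.compare_digest(tag_from_b, auth_tag(psk_a, B, A))
    b_accepts = hmac.compare_digest(tag_from_a, auth_tag(psk_b, A, B))
    return key_a, key_b, a_accepts and b_accepts


if __name__ == "__main__":
    print(exchange(TOY_P, TOY_G, 6, 15, b"psk", b"psk"))  # (2, 2, True)
```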
digital signature Digital signatures are a variation of keyed hash algorithms that use public/private key pairs. The
sender uses its private key and the data as input to create a Digital Signature value.
Encapsulating Security Payload See ESP.
encryption The process of converting data from a readable format to non-readable format for privacy.
Encryption functions usually take data and a cryptographic key (value or bit sequence) as input.