HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Aggressive Mode
(AM)
A mode used in IKEv1 Phase 1 negotiations to establish IKE SAs. AM is less secure than Main
Mode because the IKE peers exchange identity information before establishing a secure channel,
but requires the IKE peers to exchange fewer packets (three instead of six). The IKE protocol
specification does not require implementations to support AM.
Main Mode (MM) A mode used in IKEv1 Phase 1 negotiations to establish IKE SAs. MM is more secure than
Aggressive Mode, but requires the IKE peers to exchange more packets (six instead of three).
The IKEv1 protocol specification requires implementations to support MM.
manual keys Manually configured cryptographic keys for IPsec. An alternative to using the Internet Key Exchange
(IKE) protocol to generate cryptographic keys and other information for IPsec Security Associations
(SAs).
MD5 (Message Digest-5). Authentication algorithm developed by RSA. MD5 generates a 128-bit
message digest using a 128-bit key. IPsec truncates the message digest to 96 bits.
MM See Main Mode..
Oakley Oakley is a key exchange protocol which works within the ISAKMP framework to generate
authenticated keying material for use with other security services.
out-of-band key
exchange
A key exchange using a secure communication channel that is outside of normal computer
communication channels, such as a face-to-face meeting or telephone call.
Perfect Forward
Secrecy (PFS)
With Perfect Forward Secrecy the exposure of one key permits access only to data protected by
that key. HP-UX IPSec supports PFS for keys and identities (the IKE daemon can be configured to
create a new IKE SA for each IPsec/QM negotiation). HP-UX IPSec does not support PFS for keys
only (the IKE SA is re-used for multiple IPsec/QM negotiations, with a new Diffie-Hellman key
exchange for each IPsec/QM negotiation).
policy A generic term referring to packet filter information and actions. The packet filter is used to select
a policy for a packet and the actions are applied to the packets using the policy.
preshared key A key agreed upon by two systems for encryption or authentication and distributed using an
out-of-band key exchange. In the context of HP-UX IPSec, the term preshared keys refers to ASCII
strings that are used for IKE (Primary) authentication (authenticating the peer’s identity).
public key
cryptography
A cryptographic method using two mathematically related keys (k1 and k2) such that data
encrypted with k1 can be decrypted only using k2. In addition, most algorithms provide assurance
that only the holder of k1 can correctly encrypt data that can be decrypted by k2.
One key must be private (known only to the owner), but the second key can be widely known
(public), which makes key distribution easy to manage. Public key encryption is computationally
expensive, so it is impractical for bulk data encryption. Instead, public key cryptography is usually
used to authenticate data.
Also referred to as asymmetric key cryptography (the two keys are not the same) or public-private
key cryptography.
QM See Quick Mode.
Quick Mode (QM) The second phase (Phase 2) of IKEv1 negotiations, which establishes IPsec SAs.
RSA (Rivest, Shamir, and Adelman) Public/private key cryptosystem that can be used for privacy
(encryption) and authentication (signatures). For encryption, system A can send data encrypted
with system B's public key. Only system B's private key can decrypt the data. For authentication,
system A sends data with a signature - a digest or hash encrypted with system A's private key.
To verify, system B uses system A's public key to decrypt the signature and compare the decrypted
hash or digest to the digest or hash that it computes for the message.
RSA Signatures A method used in IKE authentication to verify the identity of the peer system using security
certificates and public/private key cryptography.
SA See Security Association..
Security
Association (SA)
A secure communication channel and its parameters, such as encryption and authentication
method, keys and lifetime.
Security Certificate See Certificate..
216 Glossary