HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)
Table 2 HP-UX IPSec encryption algorithms
Name    Description
AES     Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode, with a 128-bit, 192-bit, or 256-bit key.
3DES    Triple-DES in CBC mode: three DES encryption iterations per block, each with a different 56-bit key.
Table 3 HP-UX IPSec authentication algorithms
Name    Description
SHA2    Keyed hash (HMAC) using Secure Hash Algorithm-2, with a 256-bit, 384-bit, or 512-bit key (SHA-256, SHA-384, or SHA-512).
SHA1    Keyed hash (HMAC) using Secure Hash Algorithm-1, 160-bit key.
MD5     Keyed hash (HMAC) using Message Digest-5, 128-bit key.
TIP: HP recommends that you use AES256 with SHA2. AES is the strongest encryption available in
HP-UX IPSec, and SHA2 is considered more secure than SHA1 or MD5.
AES encryption throughput is comparable to or better than 3DES throughput. For more information
about HP-UX IPSec performance, see the HP-UX IPSec Sizing and Performance document on the HP-UX
IPSec Software page.
Non-authenticated ESP
ESP encryption takes the data carried by IP, such as a TCP segment, and encrypts it using a
cryptographic key. The receiving IPsec ESP entity uses the same key to decrypt the ciphertext and
extract the original data. Because the receiver performs no integrity check, ciphertext modified in
transit is decrypted and delivered as if it were genuine; RFC 4303 discourages encryption-only ESP,
and in practice ESP encryption should be combined with one of the authentication algorithms in
Table 3.
Authentication Header (AH)
The IPsec Authentication Header (AH) provides integrity and authentication but no privacy; the IP
data is not encrypted. The AH contains an Integrity Check Value computed with a symmetric-key hash
function (HMAC). Because AH does not encrypt data, it is not commonly used. However, AH provides one
feature that ESP does not: AH authenticates the non-mutable fields of the IP header (fields that do
not change in transit, including the source and destination addresses), while fields that routers
legitimately rewrite, such as TTL and the header checksum, are excluded from the hash. For this
reason, AH is sometimes used with ESP, by nesting an ESP packet within an AH packet. Because the
addresses are authenticated, AH does not work across network address translation (NAT), which
rewrites them.
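The following is an added illustration of the AH integrity check described above; it is not HP-UX IPSec code and performs no real AH encapsulation. It computes an Integrity Check Value over an IPv4 header plus payload using HMAC-SHA1 truncated to 96 bits (the "SHA1" algorithm of Table 3, keyed with a 160-bit key, as RFC 2404 specifies), after zeroing the mutable header fields (DSCP/ECN, Flags, Fragment Offset, TTL, Header Checksum) the way RFC 4302 prescribes. The shared key, addresses and payload are constructed for the example, the AH header itself and IP options are omitted for brevity, and the two `set_*` helpers stand in for changes made in transit.

```python
"""AH-style ICV over an IPv4 header (constructed example, not HP-UX IPSec code).

Mirrors the AH rule that mutable IP header fields are zeroed before the keyed
hash is computed, so a TTL decrement by a router still verifies while a
changed source address (or payload) does not.  Simplification: the real AH
ICV also covers the AH header (SPI, sequence number, ...) with the ICV field
zeroed; that part is left out here.
"""
import hashlib
import hmac
import socket
import struct

# Assumed 160-bit (20-byte) HMAC-SHA1 key shared by both endpoints.
SHARED_KEY = bytes(range(20))
ICV_LEN = 12  # HMAC-SHA1-96: the 160-bit MAC is truncated to 96 bits

# 20-byte IPv4 header without options:
# ver/ihl, tos, total_len, ident, flags/frag, ttl, proto, csum, src, dst
IPV4_HEADER = struct.Struct("!BBHHHBBH4s4s")


def build_ipv4_header(src: str, dst: str, payload_len: int, ttl: int = 64,
                      proto: int = 51, ident: int = 0x1234) -> bytes:
    """Minimal IPv4 header; protocol 51 = AH. Checksum left at zero."""
    ver_ihl = (4 << 4) | 5
    total_len = IPV4_HEADER.size + payload_len
    flags_frag = 0x4000  # DF set, no fragmentation
    return IPV4_HEADER.pack(ver_ihl, 0, total_len, ident, flags_frag, ttl,
                            proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def zero_mutable_fields(header: bytes) -> bytes:
    """Copy of the header with the RFC 4302 mutable fields set to zero."""
    (ver_ihl, _tos, total_len, ident, _flags_frag, _ttl, proto, _csum,
     src, dst) = IPV4_HEADER.unpack(header[:IPV4_HEADER.size])
    return IPV4_HEADER.pack(ver_ihl, 0, total_len, ident, 0, 0, proto, 0, src, dst)


def ah_icv(key: bytes, header: bytes, payload: bytes) -> bytes:
    """ICV = leading 96 bits of HMAC-SHA1(key, immutable header || payload)."""
    mac = hmac.new(key, zero_mutable_fields(header) + payload, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def verify(key: bytes, header: bytes, payload: bytes, icv: bytes) -> bool:
    """Receiver-side check; constant-time compare avoids a timing side channel."""
    return hmac.compare_digest(ah_icv(key, header, payload), icv)


def set_ttl(header: bytes, ttl: int) -> bytes:
    """What a forwarding router does: rewrite the TTL byte (offset 8)."""
    return header[:8] + bytes([ttl]) + header[9:]


def set_src(header: bytes, src: str) -> bytes:
    """What a spoofing attacker does: rewrite the source address (offset 12)."""
    return header[:12] + socket.inet_aton(src) + header[16:]


def demo() -> tuple:
    payload = b"constructed TCP segment"  # constructed sample data
    hdr = build_ipv4_header("10.0.0.1", "10.0.0.2", len(payload))
    icv = ah_icv(SHARED_KEY, hdr, payload)
    in_transit = set_ttl(hdr, 63)                 # one router hop
    ok_after_hop = verify(SHARED_KEY, in_transit, payload, icv)
    spoofed = set_src(in_transit, "10.0.0.9")     # source address changed
    ok_after_spoof = verify(SHARED_KEY, spoofed, payload, icv)
    ok_after_tamper = verify(SHARED_KEY, in_transit, payload + b"!", icv)
    return ok_after_hop, ok_after_spoof, ok_after_tamper


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The same zeroing rule is what lets AH survive ordinary routing yet catch address spoofing, and it is also why AH fails behind NAT: a translated source address changes bytes the ICV covers.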
Internet Key Exchange (IKE)
Before IPsec sends authenticated or encrypted IP data, both the sender and receiver must agree
on the protocols, encryption algorithms and keys to use. HP-UX IPSec uses the Internet Key Exchange
(IKE) protocol to negotiate the encryption and authentication methods, generate shared encryption
keys, and establish secure communication channels, or Security Associations (SAs).
The IKE protocol also provides primary authentication, which verifies the identity of the remote
system before negotiating the encryption algorithm and keys.
There are two versions of the IKE protocol:
• IKE version 1 (IKEv1), defined in RFCs 2407, 2408, and 2409
• IKE version 2 (IKEv2), defined in RFC 4306 (since superseded by RFC 5996 and then RFC 7296)
In this document, the term IKE refers to both IKEv1 and IKEv2; the term IKEv1 refers to information
that applies exclusively to IKE version 1, and the term IKEv2 refers to information that applies
exclusively to IKE version 2.
IPsec protocol suite 37