Manualshelf

HP-UX IPSec Version A.03.02.02 Administrator's Guide HP-UX 11i version 2 and HP-UX 11i version 3 (762800-001, April 2014)

ManualsBrandsHP ManualsSoftwareHP-UX IPSec Software
31323334353637383940
IKE primary authentication
Diffie-Hellman is vulnerable to third-party attacks, in which a third party intercepts messages between
two attacked parties, A and B. A and B assume they are exchanging messages with each other,
but are exchanging messages with the third party. The attacker assumes the identity of A to exchange
messages with B, and assumes the identity of B to exchange messages with A.
Because of this vulnerability, IKE must authenticate the identities of the parties using the Diffie-Hellman
algorithm. This process is known as IKE authentication or IKE primary authentication.
HP-UX IPSec supports two IKE primary authentication methods:
Preshared keys
Digital Signatures
IKE preshared key authentication
With preshared key authentication, you must manually configure the same, shared on both
systems—a preshared key.
The two parties establish a shared key (the preshared key) prior to the Diffie-Hellman exchange
using an out-of-band key exchange, or a key exchange that does not use normal computer
communication channels, such as a face-to-face meeting or telephone call where the two parties
agree on a key. The preshared key is used only for the primary authentication. The two negotiating
entities then generate dynamic shared keys for the IKE SAs and IPsec SAs.
Preshared keys do not require a Certificate Authority or Public Key Infrastructure.
IKE digital signature authentication
Digital signatures are based on security certificates , and are managed using a Public Key
Infrastructure (PKI). To use certificates with HP-UX IPSec the PKI must meet the requirements listed
in “PKI Requirements” (page 101).
For more information on using certificate-based authentication for IKE, see Chapter 5: “Using
Certificates with HP-UX IPSec ” (page 100).
Perfect Forward Secrecy
For efficiency, IKEv2 and IKEv1 can reuse an IKE SA to negotiate multiple IPsec SA pairs.
For additional security, you can enable the Perfect Forward Secrecy (PFS) feature. With PFS, the
compromise (exposure) of one key exposes only the data protected by that key. When PFS is
enabled, the IKE peers perform a Diffie-Hellman exchange and generate new keying material for
each IPsec SA pair.
IPsec re-keying
The IPsec protocol suite also enables IKE to dynamically negotiate new IPsec keys rather than
exposing the same key for long periods. You can configure key lifetimes based on time or number
of bytes sent.
Manual keys
Manual keys are an alternative to IKE. Instead of using IKE to dynamically generate and distribute
cryptography keys for ESP and AH, the cryptography keys are static and manually distributed
using an out-of-band key exchange. Because manual keys are static, using them is less secure than
using IKE. Manual keys are typically used only when the remote system does not support IKE.
40 HP-UX IPSec overview