Administrator's Guide

Diameter Base A protocol that provides authentication, authorization, and accounting (AAA) services based on
the RADIUS protocol. The Diameter protocol provides the same functionality as RADIUS, with
improved reliability, security and infrastructure. See also RADIUS.
Diffie-Hellman A public-key method to generate a symmetric key where two parties can publicly exchange values
and generate the same symmetric key. Start with prime p and generator g, which may be publicly
known (typically these numbers are from a well-known Diffie-Hellman Group). Each party selects a
private value (a and b) and generates a public value (g**a mod p) and (g**b mod p). They
exchange the public values. Each party then uses its private value and the other party's public value
to generate the same symmetric key, (g**a)**b mod p and (g**b)**a mod p, which both
evaluate to g**(a*b) mod p for future communication.
The Diffie-Hellman method must be combined with authentication to prevent man-in-the-middle or
third-party (spoofing) attacks. For example, Diffie-Hellman may be used with certificate or
preshared key authentication.
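As an added illustration (not from this guide), the exchange above in Python, with the public values authenticated by a preshared key so that a substituted value is detected. The prime and generator are constructed toy parameters for the demo, not a well-known Diffie-Hellman group, and the function names are this example's own.

```python
import hashlib
import hmac
import secrets

# Toy parameters, constructed for this example: p = 2**64 - 59 is prime and g = 2.
# A real deployment uses a well-known Diffie-Hellman group with a much larger p.
P = 2**64 - 59
G = 2


def dh_keypair(p=P, g=G):
    """Choose a private value a and return (a, g**a mod p), retrying on degenerate values."""
    while True:
        a = secrets.randbelow(p - 3) + 2          # 2 <= a <= p-2
        pub = pow(g, a, p)
        if 1 < pub < p - 1:
            return a, pub


def dh_shared_key(priv, peer_pub, p=P):
    """peer_pub**priv mod p; both parties obtain g**(a*b) mod p."""
    if not 1 < peer_pub < p - 1:              # reject 0, 1 and p-1 (degenerate values)
        raise ValueError("degenerate peer public value")
    return pow(peer_pub, priv, p)


def psk_auth_tag(psk, sender_pub, receiver_pub):
    """Preshared-key authentication: HMAC-SHA256 over the public values as the sender saw them.
    Without the PSK, a third party cannot produce a valid tag for substituted values."""
    msg = sender_pub.to_bytes(8, "big") + receiver_pub.to_bytes(8, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()


def run_exchange(psk, substituted_pub=None):
    """Run one exchange. If substituted_pub is given, the second party receives it instead
    of the first party's real public value (the exchange was tampered with in transit).
    Returns (tag_verified, keys_match)."""
    a, pub_a = dh_keypair()
    b, pub_b = dh_keypair()
    pub_a_received = pub_a if substituted_pub is None else substituted_pub

    # First party authenticates the values it believes were exchanged.
    tag_a = psk_auth_tag(psk, pub_a, pub_b)
    # Second party recomputes the tag over the values it actually received.
    tag_verified = hmac.compare_digest(tag_a, psk_auth_tag(psk, pub_a_received, pub_b))

    key_a = dh_shared_key(a, pub_b)
    key_b = dh_shared_key(b, pub_a_received)
    return tag_verified, key_a == key_b
```

An untampered run returns (True, True); a substituted public value fails the tag check and the two sides no longer hold the same key.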
Digital Signature Digital signatures are a variation of keyed hash algorithms that use public/private key pairs. The
sender uses its private key and the data as input to create a Digital Signature value.
EAP Extensible Authentication Protocol. A protocol that provides a framework for using multiple
authentication methods and protocols, including passwords, Kerberos, and challenge-response
protocols.
Encapsulating Security Payload See ESP.
encryption The process of converting data from a readable format to nonreadable format for privacy. Encryption
functions usually take data and a cryptographic key (value or bit sequence) as input.
ESP Encapsulating Security Payload. This is part of the IPsec protocol suite. The ESP provides
confidentiality (encryption) and an antireplay service. It should be used with authentication, either
with the optional ESP authentication field (authenticated ESP) or nested in an authentication header
message. Authenticated ESP also provides data origin authentication and connectionless integrity.
When used in tunnel mode, ESP also provides limited traffic flow confidentiality.
event An action, such as creating a file, opening a file, or logging in to the system.
Extensible Authentication Protocol
See EAP.
filter A mechanism for screening unwanted objects, or the parameters that specify the objects allowed
or denied access. Typically, a filter is used to screen unwanted network packets (a packet filter).
fine-grained privilege A permission to perform a specific, low-level operation (for example, permission to execute a specific
system call).
firewall One or more devices or computer systems used as a barrier to protect a network against unwanted
users or harmful, intrusive applications. See also bastion host and hardened system.
hardened system A computer system with minimal operating system features, users, and applications that is used as
a barrier to protect a network against unwanted users or harmful, intrusive applications. Also
referred to as a bastion host.
HMAC Hashed Message Authentication Code. See also MAC.
IKE The Internet Key Exchange (IKE) protocol is part of the IPsec protocol suite. IKE is used before the
IPsec ESP or AH protocol exchanges to determine which encryption and/or authentication services