ibm-information-center/dist/eclipse/plugins/i5OS.ic.rzaja_5.4.0.1/rzajasecassociations.htm

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="security" content="public" />
<meta name="Robots" content="index,follow" />
<meta http-equiv="PICS-Label" content='(PICS-1.1 "http://www.icra.org/ratingsv02.html" l gen true r (cz 1 lz 1 nz 1 oz 1 vz 1) "http://www.rsac.org/ratingsv01.html" l gen true r (n 0 s 0 v 0 l 0) "http://www.classify.org/safesurf/" l gen true r (SS~~000 1))' />
<meta name="DC.Type" content="concept" />
<meta name="DC.Title" content="Key management" />
<meta name="abstract" content="A dynamic VPN provides additional security for your communications by using the Internet Key Exchange (IKE) protocol for key management. IKE allows the VPN servers on each end of the connection to negotiate new keys at specified intervals." />
<meta name="description" content="A dynamic VPN provides additional security for your communications by using the Internet Key Exchange (IKE) protocol for key management. IKE allows the VPN servers on each end of the connection to negotiate new keys at specified intervals." />
<meta name="DC.Relation" scheme="URI" content="rzajavpnprotocols.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaupdscenario.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaipsec.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaprotectyourkeys.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaprotectyourdata.htm" />
<meta name="DC.Relation" scheme="URI" content="http://www.rfc-editor.org" />
<meta name="DC.Relation" scheme="URI" content="rzajaprotectyourkeys.htm" />
<meta name="DC.Relation" scheme="URI" content="rzajaprotectyourdata.htm" />
<meta name="copyright" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Rights.Owner" content="(C) Copyright IBM Corporation 2000, 2006" />
<meta name="DC.Format" content="XHTML" />
<meta name="DC.Identifier" content="rzajasecassociations" />
<meta name="DC.Language" content="en-us" />
<!-- All rights reserved. Licensed Materials Property of IBM -->
<!-- US Government Users Restricted Rights -->
<!-- Use, duplication or disclosure restricted by -->
<!-- GSA ADP Schedule Contract with IBM Corp. -->
<link rel="stylesheet" type="text/css" href="./ibmdita.css" />
<link rel="stylesheet" type="text/css" href="./ic.css" />
<title>Key management</title>
</head>
<body id="rzajasecassociations"><a name="rzajasecassociations"><!-- --></a>
<h1 class="topictitle1">Key management</h1>
<div><p>A dynamic VPN provides additional security for your communications
by using the Internet Key Exchange (IKE) protocol for key management. IKE
allows the VPN servers on each end of the connection to negotiate new keys
at specified intervals.</p>
<p>With each successful negotiation, the VPN servers regenerate the keys that
protect a connection, thus making it more difficult for an attacker to capture
information from the connection. Additionally, if you use perfect forward
secrecy, attackers cannot derive future keys based on past keying information.</p>
<p>The VPN key manager is IBM's implementation of the Internet Key Exchange
(IKE) protocol. The key manager supports the automatic negotiation of security
associations (SAs), as well as the automatic generation and refresh of cryptographic
keys.</p>
<p>A <span class="uicontrol">security association (SA)</span> contains information
that is necessary to use the IPSec protocols. For example, an SA identifies
algorithm types, key lengths and lifetimes, participating parties, and encapsulation
modes.</p>
<p>Cryptographic keys, as the name implies, lock, or protect, your information
until it safely reaches its final destination.</p>
<div class="note"><span class="notetitle">Note:</span> Securely generating your keys is the most important factor in establishing
a secure and private connection. If your keys are compromised, then your authentication
and encryption efforts, no matter how strong, become worthless.</div>
<dl><dt class="dlterm">Phases of key management</dt>
<dd>The VPN key manager uses two distinct phases in its implementation.</dd>
<dd class="ddexpand"><dl><dt class="dlterm">Phase 1</dt>
<dd>Phase 1 establishes a master secret from which subsequent cryptographic
keys are derived in order to protect user data traffic. This is true even
if no security protection yet exists between the two endpoints. VPN uses either
RSA signature mode or preshared keys to authenticate phase 1 negotiations,
as well as to establish the keys that protect the IKE messages that flow during
the subsequent phase 2 negotiations. <p>A <em>preshared key</em> is a nontrivial
string up to 128 characters long. Both ends of a connection must agree on
the preshared key. The advantage of using preshared keys is their simplicity;
the disadvantage is that the shared secret must be distributed out-of-band,
for example over the telephone or through registered mail, before IKE negotiations
begin. Treat your preshared key like a password.</p>
<p><em>RSA Signature</em> authentication
provides more security than preshared keys because this mode uses digital
certificates to provide authentication. You must configure your digital certificates
by using Digital Certificate Manager (5722-SS1 Option 34). In addition, some
VPN solutions require RSA Signature for interoperability. For example, <span class="keyword">Windows<sup>®</sup> 2000</span> VPN uses RSA Signature as its
default authentication method. Finally, RSA Signature provides more scalability
than preshared keys. The certificates that you use must come from certificate
authorities that both key servers trust.</p>
</dd>
<dt class="dlterm">Phase 2</dt>
<dd>Phase 2 negotiates the security associations and keys that protect
the actual application data exchanges. Remember that up to this point no application
data has actually been sent. Phase 1 protects the phase 2 IKE messages. <p>Once
phase 2 negotiations are complete, your VPN establishes a secure, dynamic
connection over the network and between the endpoints that you defined for
your connection. All data that flows across the VPN is delivered with the
degree of security and efficiency that was agreed on by the key servers during
the phase 1 and phase 2 negotiation processes.</p>
<p>In general, phase 1 negotiations
occur once a day, while phase 2 negotiations are refreshed every
60 minutes or as often as every five minutes. Higher refresh rates increase
your data security but decrease system performance. Use short key lifetimes
to protect your most sensitive data.</p>
</dd>
</dl>
</dd>
</dl>
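<p>The following script is an added illustration, not IBM's VPN key manager code. It works through the RFC 2409 key hierarchy that the two phases above describe: phase 1 in preshared-key mode derives SKEYID and the SKEYID_d master secret, and quick mode derives per-SA KEYMAT from it, with or without the perfect forward secrecy mentioned earlier. The prf is HMAC-SHA1 and the Diffie-Hellman group is a constructed toy group so the example runs offline; the preshared key, nonces, cookies and SPI are all constructed values.</p>

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed for illustration; a real IKE policy
# negotiates one of the RFC 2409 MODP groups instead).
P, G = 0xFFFFFFFFFFFFFFC5, 5


def prf(key: bytes, data: bytes) -> bytes:
    """RFC 2409 prf: HMAC of the negotiated hash algorithm (SHA-1 here)."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_shared_secret() -> bytes:
    """Run an ephemeral DH exchange for both peers and return g^xy as bytes."""
    x, y = secrets.randbelow(P - 2) + 1, secrets.randbelow(P - 2) + 1
    gx, gy = pow(G, x, P), pow(G, y, P)
    assert pow(gy, x, P) == pow(gx, y, P)  # both peers reach the same secret
    return pow(gy, x, P).to_bytes(8, "big")


def phase1_skeyid_d(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
                    cky_i: bytes, cky_r: bytes) -> bytes:
    """Phase 1, preshared-key mode: SKEYID, then the SKEYID_d master secret."""
    skeyid = prf(psk, ni + nr)                         # prf(pre-shared-key, Ni_b | Nr_b)
    return prf(skeyid, gxy + cky_i + cky_r + b"\x00")  # prf(SKEYID, g^xy | CKY-I | CKY-R | 0)


def phase2_keymat(skeyid_d: bytes, protocol: bytes, spi: bytes,
                  ni: bytes, nr: bytes, gqm_xy: bytes = b"") -> bytes:
    """Quick mode KEYMAT; a non-empty gqm_xy is the fresh PFS DH secret."""
    return prf(skeyid_d, gqm_xy + protocol + spi + ni + nr)


def phase1_secret_reveals_phase2_keys(pfs: bool) -> bool:
    """Model: an attacker later obtains SKEYID_d plus every value sent in
    the clear (nonces, cookies, SPI). Return True if that suffices to
    recompute the phase 2 KEYMAT, i.e. forward secrecy is absent."""
    psk = b"constructed-preshared-key"
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)
    skeyid_d = phase1_skeyid_d(psk, ni, nr, dh_shared_secret(), cky_i, cky_r)
    qni, qnr = secrets.token_bytes(16), secrets.token_bytes(16)
    proto, spi = b"\x03", secrets.token_bytes(4)       # 3 = ESP; SPI constructed
    keymat = phase2_keymat(skeyid_d, proto, spi, qni, qnr,
                           dh_shared_secret() if pfs else b"")
    # The attacker never sees the quick-mode DH private exponents, so the
    # best available reconstruction omits g(qm)^xy.
    return phase2_keymat(skeyid_d, proto, spi, qni, qnr) == keymat
```

<p>A real implementation expands KEYMAT by iterating the prf when the SA needs more key bits than one prf output provides; the single-block form here is enough to show why a compromised phase 1 secret yields the phase 2 keys only when PFS is off.</p>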
<p>When you create a dynamic VPN by using <span class="keyword">iSeries™ Navigator</span>,
you must define an IKE policy to enable phase 1 negotiations and a data policy
to govern phase 2 negotiations. Optionally, you can use the New Connection
wizard. The wizard automatically creates each of the configuration objects
VPN requires to work properly, including an IKE policy and a data policy.</p>
<div class="section"><h4 class="sectiontitle">Suggested reading</h4><p>If you want to read more about
the Internet Key Exchange (IKE) protocol and key management, review these
Internet Engineering Task Force (IETF) Requests for Comments (RFCs):</p>
<ul><li>RFC 2407, <cite>The Internet IP Security Domain of Interpretation for
ISAKMP</cite></li>
<li>RFC 2408, <cite>Internet Security Association and Key Management Protocol
(ISAKMP)</cite></li>
<li>RFC 2409, <cite>The Internet Key Exchange (IKE)</cite></li>
</ul>
<p>You can view these RFCs on the Internet at the following Web site:
http://www.rfc-editor.org.</p>
</div>
</div>
<div>
<div class="familylinks">
<div class="parentlink"><strong>Parent topic:</strong> <a href="rzajavpnprotocols.htm" title="It is important that you have at least a basic knowledge of standard VPN technologies. This topic provides you with conceptual information about the protocols VPN uses in its implementation.">VPN concepts</a></div>
</div>
<div class="relconcepts"><strong>Related concepts</strong><br />
<div><a href="rzajaupdscenario.htm" title="In this scenario, a large insurance company wants to establish a VPN between a gateway in Chicago and a host in Minneapolis when both networks are behind a firewall.">Scenario: Firewall Friendly VPN</a></div>
<div><a href="rzajaipsec.htm" title="IPSec provides a stable, long lasting base for providing network layer security.">IP Security (IPSec) protocols</a></div>
</div>
<div class="reltasks"><strong>Related tasks</strong><br />
<div><a href="rzajaprotectyourkeys.htm" title="The IKE policy defines what level of authentication and encryption protection IKE uses during phase 1 negotiations.">Configure an Internet Key Exchange (IKE) policy</a></div>
<div><a href="rzajaprotectyourdata.htm" title="A data policy defines what level of authentication or encryption protects data as it flows through the VPN.">Configure a data policy</a></div>
</div>
<div class="relinfo"><strong>Related information</strong><br />
<div><a href="http://www.rfc-editor.org" target="_blank">http://www.rfc-editor.org</a></div>
</div>
</div>
</body>
</html>