HP 635n Practical IPsec Deployment for Printing and Imaging Devices - Page 33

Lifetime in bytes: null Transform 7 Confidentiality Algorithm: AES256 Authentication/Integrity Algorithm: SHA-1 Authentication Type: Pre-share Key DH-Group #: 2 Lifetime in sections: 3600 Lifetime in bytes: null Transform 8 Confidentiality Algorithm: AES256 Authentication/Integrity Algorithm: AES-XCBC Authentication Type: Pre-share Key DH-Group #: 2 Lifetime in sections: 3600 Lifetime in bytes: null If the responder doesn't like any of the proposals and their various transforms, it will respond back with an error NO PROPOSAL CHOSEN. Because IKE cannot establish an SA, no IPsec communication will take place in this scenario (like the builders/suppliers unable to establish a contract in our analogy). If the responder does like a proposal, then its response may look something like this: SA Payload Proposal 1 Transform 8 Confidentiality Algorithm: AES256 Authentication/Integrity Algorithm: AES-XCBC Authentication Type: Pre-share Key DH-Group #: 2 Lifetime in sections: 3600 Lifetime in bytes: null IKE can now begin the establishment of the shared secret. This shared secret is done via a DiffieHellman exchange, an exchange named after its inventors. The main question is "How does one publicly exchange information and still be able to have a shared secret known only to the Initiator and Responder?" Well, Diffie-Hellman figured it out. Rather than going into the mathematics behind it, we look at another quick analogy in graphical form. Refer to Figure 26 - Publicly Exchanging a Secret. 33