Authentication Header vs. IKE

In this Ask the Expert Q&A, Joel Dubin discusses how and when the Authentication Header encryption protocol is used.

Joel Dubin

Do we still need an Authentication Header if the Internet Key Exchange negotiates IPSec protections and the related secret key, binding participants' addresses to the keys, effectively authenticating these critical IP header fields?

There are two different things going on here. One is a key exchange and the other a data encryption protocol. IPSec consists of both a way to securely exchange cryptographic keys and then to transmit data securely over the Internet. The Internet Key Exchange (IKE) is the protocol for the key exchange and Authentication Header (AH) is one of the two encryption protocols.

IKE is used to set up the IPSec conversation and exchange the keys needed for encrypting the data through its secure tunnel. AH and Encapsulating Security Payload (ESP) are the two ways the data is encrypted after the keys are exchanged. Once IKE exchanges the keys, one of the two encryption protocols -- AH or ESP -- must be used. AH just authenticates the TCP packet without encrypting it, while ESP is stronger in that it both authenticates and encrypts the packet. So, AH may still be needed if it's the encryption protocol of choice over ESP in the IPSec set up. Is it still used? Not as much as ESP. There has been talk from time to time of deprecating AH, but it still hasn't been officially removed from any RFP about IPSec.

Though less secure than ESP, AH requires less processor power and is obviously less of a strain on the network. But, besides being less secure, it also can't be used for connecting outside a network using NAT. Despite these weaknesses, if the security risk is low behind a NATed firewall or router, and efficiency is paramount, AH can still be used in an internal network.

More information

Visit our resource center and learn more about authentication systems and protocols.

Learn how to secure public key transport to transmit data security over the Internet.

This was last published in November 2005

Dig Deeper on Email and Messaging Threats-Information Security Threats

Related Q&A from Joel Dubin

What's the purpose of CAPTCHA technology and how does it work?

Learn about the purpose of CAPTCHA challenges that enable websites to differentiate bots from authentic users to stop spammers from hijacking forums ... Continue Reading

Single sign-on best practices: How can enterprises get SSO right?

Proper planning is at the top of the list for single sign-on best practices, but it's important to get enterprise SSO implementations off to a good ... Continue Reading

Options for a mechanical door security system on a server room door

After a server room door has been compromised, finding a more secure solution is of utmost importance. Learn how to choose a server room door that ... Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

SearchCloudSecurity

Lyft's open source asset tracking tool simplifies security

Security teams need information and context about data in order to keep it safe. Learn how Cartography, Lyft's open source asset ...

Understanding the CSA Cloud Controls Matrix and CSA CAIQ

Uncover how the CSA Cloud Controls Matrix and CSA CAIQ can be used to assess cloud providers' controls and risk models, ensure ...

5 steps to a secure cloud control plane

A locked-down cloud control plane is integral to maintaining cloud security, especially in multi-cloud environments. Here are ...

SearchNetworking

SD-WAN explained: The ultimate guide to SD-WAN architecture

Evaluating SD-WAN architecture can be confusing, especially as the market grows. This guide helps IT pros learn SD-WAN basics, ...

VMware acquisition of Nyansa combines LAN, WAN analytics

The VMware acquisition of Nyansa is expected to provide network traffic analytics that cover the SD-WAN and the wired and ...

The 5 steps to a successful MPLS-to-SD-WAN migration

A solid migration plan is necessary in order to successfully transfer MPLS to SD-WAN and avoid contract mishaps, unexpected costs...

SearchCIO

Preparing for the new forms of cybersecurity threats in 2020

In the first part of a series on the new forms of cyberthreats in 2020, we're diving into the many infiltration points being ...

What is the state of CIO tenure today?

CIO tenure remains significantly lower than other C-suite positions, and according to experts, it's a result of the age of ...

The evolution of RPA, from macros to process transformation

RPA evolved from technology debuted in the 1950s and '60s and was developed to today's standards by the industry's leading ...

SearchEnterpriseDesktop

Managing Windows Defender Device Guard in Windows desktops

IT pros must understand how Windows Defender Device Guard uses a locked-down approach to desktop security and how this method ...

New Ivanti CEO plans to stay close to the customer

New Ivanti CEO Jim Schaper is no stranger to the C-suite of an IT company. And he's got a plan to push the company forward.

With support for Windows 7 ending, a look back at the OS

With support for Windows 7 ending and Microsoft ushering in the end of life for the OS, tech experts and IT pros look back at its...

SearchCloudComputing

Reduce cloud latency for remote employees and offices

Latency remains an issue for cloud users with remote facilities. See how SD-WAN and satellites can improve network performance ...

AWS multi-account management best practices with Control Tower

With the help of AWS Control Tower, organizations who own and operate multiple cloud accounts can manage them all under one roof ...

Beat vendor lock-in with a cloud exit strategy

Without a comprehensive cloud exit strategy, an organization might fall victim to vendor lock-in and find itself dependent on ...

ComputerWeekly.com

CISOs fear becoming the next Travelex

Poll of security professionals by the organisers of the Infosecurity Europe trade fair highlights huge gaps in incident response ...

Gartner: Over two-thirds of management tasks will be automated

Watch out pen-pushers – by 2024, many management tasks will be automated using artificial intelligence

Gender funding gap reveals complacency in the Nordics

Tech investors are biased towards men when it comes to investing, even if they are not aware of it

Authentication Header vs. IKE

In this Ask the Expert Q&A, Joel Dubin discusses how and when the Authentication Header encryption protocol is used.

Dig Deeper on Email and Messaging Threats-Information Security Threats

IPsec (Internet Protocol Security)

How can I ensure the corporate VPN works with our firewall?

How to set up a site-to-site VPN to coexist with a DMZ

VPN types: Protocols and network topologies of IPsec VPNs

Related Q&A from Joel Dubin

What's the purpose of CAPTCHA technology and how does it work?

Single sign-on best practices: How can enterprises get SSO right?

Options for a mechanical door security system on a server room door

Have a question for an expert?

Start the conversation

0 comments

Please create a username to comment.

-ADS BY GOOGLE

SearchCloudSecurity

Lyft's open source asset tracking tool simplifies security

Understanding the CSA Cloud Controls Matrix and CSA CAIQ

5 steps to a secure cloud control plane

SearchNetworking

SD-WAN explained: The ultimate guide to SD-WAN architecture

VMware acquisition of Nyansa combines LAN, WAN analytics

The 5 steps to a successful MPLS-to-SD-WAN migration

SearchCIO

Preparing for the new forms of cybersecurity threats in 2020

What is the state of CIO tenure today?

The evolution of RPA, from macros to process transformation

SearchEnterpriseDesktop

Managing Windows Defender Device Guard in Windows desktops

New Ivanti CEO plans to stay close to the customer

With support for Windows 7 ending, a look back at the OS

SearchCloudComputing

Reduce cloud latency for remote employees and offices

AWS multi-account management best practices with Control Tower

Beat vendor lock-in with a cloud exit strategy

ComputerWeekly.com

CISOs fear becoming the next Travelex

Gartner: Over two-thirds of management tasks will be automated

Gender funding gap reveals complacency in the Nordics

Dig Deeper on Email and Messaging Threats-Information Security Threats

IPsec (Internet Protocol Security)

How can I ensure the corporate VPN works with our firewall?

How to set up a site-to-site VPN to coexist with a DMZ

VPN types: Protocols and network topologies of IPsec VPNs

Related Q&A from Joel Dubin

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.