2013.10.24

[uclinux-h8/uClinux-dist.git] / freeswan / doc / glossary.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">
<HTML>
<HEAD>
<TITLE> Introduction to FreeS/WAN</TITLE>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
</HEAD>
<BODY>
<A HREF="toc.html">Contents</a>
<A HREF="web.html">Previous</a>
<A HREF="biblio.html">Next</a>
<HR>
<H1><A name="ourgloss">Glossary for the Linux FreeS/WAN project</A></H1>
<P> Entries are in alphabetical order. Some entries are only one line 
or one paragraph long. Others run to several paragraphs. I have tried 
to put the essential information in the first paragraph so you can skip 
the other paragraphs if that seems appropriate.</P>
<HR>
<H2><A name="jump">Jump to a letter in the glossary</A></H2>
<CENTER><BIG><B><A href="#0"> numeric</A><A href="#A"> A</A><A href="#B">
 B</A><A href="#C"> C</A><A href="#D"> D</A><A href="#E"> E</A><A href="#F">
 F</A><A href="#G"> G</A><A href="#H"> H</A><A href="#I"> I</A><A href="#J">
 J</A><A href="#K"> K</A><A href="#L"> L</A><A href="#M"> M</A><A href="#N">
 N</A><A href="#O"> O</A><A href="#P"> P</A><A href="#Q"> Q</A><A href="#R">
 R</A><A href="#S"> S</A><A href="#T"> T</A><A href="#U"> U</A><A href="#V">
 V</A><A href="#W"> W</A><A href="#X"> X</A><A href="#Y"> Y</A><A href="#Z">
 Z</A></B></BIG></CENTER>
<HR>
<H2><A name="gloss">Other glossaries</A></H2>
<P>Other glossaries which overlap this one include:</P>
<UL>
<LI>The VPN Consortium's glossary of <A href="http://www.vpnc.org/terms.html">
VPN terms</A>.</LI>
<LI>glossary portion of the <A href="http://www.rsa.com/rsalabs/faq/html/glossary.html">
Cryptography  FAQ</A></LI>
<LI>an extensive crytographic glossary on <A href="http://www.io.com/~ritter/GLOSSARY.HTM">
Terry Ritter's</A> page.</LI>
<LI>The <A href="#NSA">NSA</A>'s <A href="http://www.sans.org/newlook/resources/glossary.htm">
glossary of  computer security</A> on the <A href="http://www.sans.org">
SANS  Institute</A> site.</LI>
<LI>an <A href="http://www.ietf.org/internet-drafts/draft-shirey-security-glossary-01.txt">
Internet  Draft</A> Crypto Glossary</LI>
<LI>a small glossary for Internet Security at <A href="http://www5.zdnet.com/pcmag/pctech/content/special/glossaries/internetsecurity.html">
 PC magazine</A></LI>
<LI>The <A href="http://www.visi.com/crypto/inet-crypto/glossary.html">
glossary</A> from Richard Smith's book <A href="biblio.html#Smith">
Internet  Cryptography</A></LI>
</UL>
<P>Three Internet glossaries are available as RFCs:</P>
<UL>
<LI><A href="http://www.rfc-editor.org/rfc/rfc1208.txt">Glossary of 
 Networking Terms</A></LI>
<LI><A href="http://www.rfc-editor.org/rfc/rfc1983.txt">Internet User's 
 Glossary</A></LI>
<LI><A href="http://www.rfc-editor.org/rfc/rfc2828.txt">Internet 
Security  Glossary</A></LI>
</UL>
<P>More general glossary or dictionary information:</P>
<UL>
<LI>Free Online Dictionary of Computing (FOLDOC) 
<UL>
<LI><A href="http://www.nightflight.com/foldoc">North America</A></LI>
<LI><A href="http://wombat.doc.ic.ac.uk/foldoc/index.html">Europe</A></LI>
<LI><A href="http://www.nue.org/foldoc/index.html">Japan</A></LI>
</UL>
</LI>
<P>There are many more mirrors of this dictionary.</P>
<LI><A href="http://hissa.ncsl.nist.gov/~black/CRCDict/">CRC dictionary 
of  Computer Science</A></LI>
<LI>The Jargon File, the definitive resource for hacker slang and 
folklore 
<UL>
<LI><A href="http://www.netmeg.net/jargon">North America</A></LI>
<LI><A href="http://info.wins.uva.nl/~mes/jargon/">Holland</A></LI>
<LI><A href="http://www.tuxedo.org/~esr/jargon">home page</A></LI>
</UL>
</LI>
<P>There are also many mirrors of this. See the home page for a list.</P>
<LI>A general <A href="http://www.trinity.edu/~rjensen/245glosf.htm#Navigate">
 technology  glossary</A></LI>
<LI>An <A href="http://www.yourdictionary.com/">online  dictionary 
resource page</A> with pointers to many dictionaries for many  languages</LI>
<LI>A <A href="http://www.onelook.com/">search engine</A> that accesses 
 several hundred online dictionaries</LI>
<LI>O'Reilly <A href="http://www.ora.com/reference/dictionary/">
Dictionary  of PC Hardware and Data Communications Terms</A></LI>
</UL>
<P>Internet encyclopedias include:</P>
<UL>
<LI><A href="http://www.FreeSoft.org/CIE/index.htm">Connected</A></LI>
<LI><A href="http://www.whatis.com/">whatis.com</A></LI>
</UL>
<HR>
<H2><A name="definitions">Definitions</A></H2>
<DL>
<DT><A name="3DES"><A name="0">3DES (Triple DES)</A></A></DT>
<DD>Using three <A href="#DES">DES</A> encryptions on a single data 
 block, with at least two different keys, to get higher security than 
 is available from a single DES pass. The three-key version of 3DES is 
 the default encryption algorithm for <A href="web.html#FreeSWAN">Linux 
 FreeS/WAN</A>. </DD>
<P><A href="#IPSEC">IPSEC</A> always does 3DES with three different 
 keys, as required by RFC 2451. For an explanation of the two-key 
 variant, see <A href="#2key">two key triple DES</A>. Both use an <A href="#EDE">
EDE</A> encrypt-decrypt-encrpyt sequence of  operations.</P>
<P>Single <A href="#DES">DES</A> is <A href="politics.html#desnotsecure">
insecure</A>.</P>
<P>Double DES is ineffective. Using two 56-bit keys, one might expect 
 an attacker to have to do 2<SUP>112</SUP> work to break it. In fact, 
 only 2<SUP>57</SUP> work is required with a <A href="#meet">
meet-in-the-middle attack</A>, though a large amount of  memory is also 
required. Triple DES is vulnerable to a similar attack,  but that just 
reduces the work factor from the 2<SUP>168</SUP> one  might expect to 2<SUP>
112</SUP>. That provides adequate protection  against <A href="#brute">
brute force</A> attacks, and no better attack  is known.</P>
<P>3DES can be somewhat slow compared to other ciphers. It requires 
 three DES encryptions per block. DES was designed for hardware 
 implementation and includes some operations which are difficult in 
 software. However, the speed we get is quite acceptable for many uses. 
 See <A href="#benchmarks">benchmarks</A> below for details.</P>
<DT><A name="A">A</A></DT>
<DT><A name="active"><A name="A">Active attack</A></A></DT>
<DD>An attack in which the attacker does not merely eavesdrop (see <A href="#passive">
passive attack</A>) but takes action to change,  delete, reroute, add, 
forge or divert data. Perhaps the best-known  active attack is <A href="#middle">
man-in-the-middle</A>. In general, <A href="#authentication">
 authentication</A> is a useful defense  against active attacks.</DD>
<DT><A name="AES">AES</A></DT>
<DD>The <B>A</B>dvanced <B>E</B>ncryption <B>S</B>tandard, a new <A href="#block">
block cipher</A> standard to replace <A href="politics.html#desnotsecure">
DES</A> being developed by <A href="#NIST">NIST</A>, the US National 
Institute of Standards and  Technology. DES used 64-bit blocks and a 
56-bit key. AES ciphers use a  128-bit block and are required to 
support 128, 192 and 256-bit keys.  Some of them support other sizes as 
well. The larger block size helps  resist <A href="#birthday">birthday 
attacks</A> while the large key  size prevents <A href="#brute">brute 
force attacks</A>. </DD>
<P>Fifteen proposals meeting NIST's basic criteria were submitted in 
 1998 and subjected to intense discussion and analysis, &quot;round one&quot; 
 evaluation. In August 1999, NIST narrowed the field to five &quot;round 
 two&quot; candidates:</P>
<UL>
<LI><A href="http://www.research.ibm.com/security/mars.html">Mars</A>
 from IBM</LI>
<LI><A href="http://www.rsa.com/rsalabs/aes/">RC6</A> from RSA</LI>
<LI><A href="http://www.esat.kuleuven.ac.be/~rijmen/rijndael/">Rijndael</A>
 from two Belgian researchers</LI>
<LI><A href="http://www.cl.cam.ac.uk/~rja14/serpent.html">Serpent</A>, 
a  British-Norwegian-Israeli research collaboration</LI>
<LI><A href="http://www.counterpane.com/twofish.html">Twofish</A> from 
the consulting firm Counterpane</LI>
</UL>
<P> In October 2000, NIST announced the winner -- Rijndael.</P>
<P>Adding one or more AES ciphers to <A href="web.html#FreeSWAN">Linux 
 FreeS/WAN</A> would be useful undertaking, and considerable freely 
 available code exists to start from. One complication is that our code 
 is built for a 64-bit block cipher and AES uses a 128-bit block. 
 Volunteers via the <A href="#list">mailing lists</A> would be  welcome.</P>
<P>For more information, see the <A href="http://csrc.nist.gov/encryption/aes/aes_home.htm">
 NIST AES home  page</A> or the <A href="http://www.ii.uib.no/~larsr/aes.html">
 Block  Cipher Lounge AES page</A>. For code and benchmarks see <A href="http://www.btinternet.com/~brian.gladman/">
 Brian Gladman's page </A> .</P>
<DT><A name="AH">AH</A></DT>
<DD>The <A href="#IPSEC">IPSEC</A><B> A</B>uthentication <B>H</B>eader, 
 added after the IP header. For details, see our <A href="web.html#overview">
IPSEC Overview</A> document and/or RFC 2402.</DD>
<DT><A name="alicebob">Alice and Bob</A></DT>
<DD>A and B, the standard example users in writing on cryptography and 
 coding theory. Carol and Dave join them for protocols which require 
 more players. </DD>
<P><A href="biblio.html#schneier">Bruce Schneier</A> extends these with 
many  others such as Eve the Eavesdropper and Victor the Verifier. His 
 extensions seem to be in the process of becoming standard as well. See 
 page 23 of <A href="biblio.html#schneier"> Applied Cryptography</A></P>
<P>Alice and Bob have an amusing <A href="http://www.conceptlabs.co.uk/alicebob.html">
 biography</A> on  the web.</P>
<DT>ARPA</DT>
<DD>see <A href="#DARPA">DARPA</A></DD>
<DT><A name="ASIO">ASIO</A></DT>
<DD>Australian Security Intelligence Organisation.</DD>
<DT>Asymmetric cryptography</DT>
<DD>See <A href="#public">public key cryptography</A>.</DD>
<DT><A name="authentication">Authentication</A></DT>
<DD>Ensuring that a message originated from the expected sender and has 
 not been altered on route. <A href="#IPSEC">IPSEC</A> uses 
 authentication in two places: </DD>
<P>
<UL>
<LI>peer authentication, authenticating the players in <A href="#IKE">
IKE</A>'s <A href="#DH">Diffie-Hellman</A> key  exchanges to prevent <A href="#middle">
man-in-the-middle  attacks</A>. This can be done in a number of ways. 
The methods  supported by FreeS/WAN are discussed in our <A href="config.html#choose">
configuration</A> document.</LI>
<LI>packet authentication, authenticating packets on an established <A href="#SA">
 SA</A>, either with a separate <A href="#AH">authentication header</A>
 or with the optional  authentication in the <A href="#ESP">ESP</A>
 protocol. In either  case, packet authentication uses a <A href="#HMAC">
hashed message  athentication code</A> technique.</LI>
</UL>
<P>Outside IPSEC, passwords are perhaps the most common authentication 
 mechanism. Their function is essentially to authenticate the person's 
 identity to the system. Passwords are generally only as secure as the 
 network they travel over. If you send a cleartext password over a 
 tapped phone line or over a network with a packet sniffer on it, the 
 security provided by that password becomes zero. Sending an encrypted 
 password is no better; the attacker merely records it and reuses it at 
 his convenience. This is called a <A href="#replay">replay</A> attack.</P>
<P>A common solution to this problem is a <A href="#challenge">
challenge-response</A> system. This defeats simple  eavesdropping and 
replay attacks. Of course an attacker might still  try to break the 
cryptographic algorithm used, or the <A href="#random"> random number</A>
 generator.</P>
<DT><A name="auto">Automatic keying</A></DT>
<DD>A mode in which keys are automatically generated at connection 
 establisment and new keys automaically created periodically 
 thereafter. Contrast with <A href="ipsec.html#manual">manual keying</A>
 in which  a single stored key is used. </DD>
<P>IPSEC uses the <A href="#DH">Diffie-Hellman key exchange  protocol</A>
 to create keys. An <A href="authentication">authentication</A>
 mechansim is required for  this. The methods supported by FreeS/WAN 
are discussed in our <A href="config.html#choose">configuration</A>
 document.</P>
<P>Having an attacker break the authentication is emphatically not a 
 good idea. An attacker that breaks authentication, and manages to 
 subvert some other network entities (DNS, routers or gateways), can 
 use a <A href="#middle">man-in-the middle attack</A> to break the 
 security of your IPSEC connections.</P>
<P>However, having an attacker break the authentication in automatic 
 keying is not quite as bad as losing the key in manual keying.</P>
<UL>
<LI>An attacker who reads /etc/ipsec.conf and gets the keys for a 
 manually keyed connection can, without further effort, read all 
 messages encrypted with those keys, including any old messages he  may 
have archived.</LI>
<LI>Automatic keying has a property called <A href="#PFS">perfect 
 forward secrecy</A>. An attacker who breaks the authentication  gets 
none of the automatically generated keys and cannot  immediately read 
any messages. He has to mount a successful <A href="#middle">
man-in-the-middle attack</A> in real time before he  can read anything. 
He cannot read old archived messages at all and  will not be able to 
read any future messages not caught by  man-in-the-middle tricks.</LI>
</UL>
<P>That said, the secrets used for authentication, stored in <A href="manpage.d/ipsec.secrets.5.html">
ipsec.secrets(5)</A>, should  still be protected as tightly as 
cryptographic keys.</P>
<DT><A name="B">B</A></DT>
<DT><A href="http://www.nortelnetworks.com">Bay  Networks</A></DT>
<DD>A vendor of routers, hubs and related products, now a subsidiary of 
 Nortel. Interoperation between their IPSEC products and Linux 
 FreeS/WAN was problematic at last report; see our <A href="interop.html#bay">
interoperation</A> section.</DD>
<DT><A name="benchmarks">benchmarks</A></DT>
<DD>Our default block cipher, <A href="#3DES">triple DES</A>, is slower 
 than many alternate ciphers that might be used. Speeds achieved, 
 however, seem adequate for many purposes. For example, the assembler 
 code from the <A href="#LIBDES">LIBDES</A> library we use encrypts 1.6 
 megabytes per second on a Pentium 200, according to the test program 
 supplied with the library. </DD>
<P> For more detail, see our document on <A href="performance.html">
FreeS/WAN performance</A>. </P>
<DT><A name="BIND">BIND</A></DT>
<DD><B>B</B>erkeley <B>I</B>nternet <B>N</B>ame <B>D</B>aemon, a widely 
 used implementation of <A href="#DNS">DNS</A> (Domain Name Service). 
 See our bibliography for a <A href="#DNS">useful reference</A>. See 
 the <A href="http://www.isc.org/bind.html">BIND home page</A> for more 
 information and the latest version.</DD>
<DT><A name="birthday">Birthday attack</A></DT>
<DD>A cryptographic attack based on the mathematics exemplified by the <A
href="#paradox"> birthday paradox</A>. This math turns up whenever  the 
question of two cryptographic operations producing the same result 
 becomes an issue: 
<UL>
<LI><A href="#collision">collisions</A> in <A href="#digest">message 
 digest</A> functions.</LI>
<LI>identical output blocks from a <A href="#block">block  cipher</A></LI>
<LI>repetition of a challenge in a <A href="#challenge">
challenge-response</A> system</LI>
</UL>
</DD>
<P>Resisting such attacks is part of the motivation for:</P>
<UL>
<LI>hash algorithms such as <A href="#SHA">SHA</A> and <A href="#RIPEMD">
RIPEMD-160</A> giving a 160-bit result rather than  the 128 bits of <A href="#MD4">
MD4</A>, <A href="#MD5">MD5</A> and <A href="#RIPEMD"> RIPEMD-128</A>.</LI>
<LI><A href="#AES">AES</A> block ciphers using a 128-bit block  instead 
of the 64-bit block of most current ciphers</LI>
<LI><A href="#IPSEC">IPSEC</A> using a 32-bit counter for packets  sent 
on an <A href="ipsec.html#auto">automatically keyed</A><A href="#SA"> SA</A>
 and requiring that the connection always be  rekeyed before the 
counter overflows.</LI>
</UL>
<DT><A name="paradox">Birthday paradox</A></DT>
<DD>Not really a paradox, just a rather counter-intuitive mathematical 
 fact. In a group of 23 people, the chance of a least one pair having 
 the same birthday is over 50%. </DD>
<P>The second person has 1 chance in 365 (ignoring leap years) of 
 matching the first. If they don't match, the third person's chances of 
 matching one of them are 2/365. The 4th, 3/365, and so on. The total 
 of these chances grows more quickly than one might guess.</P>
<DT><A name="block">Block cipher</A></DT>
<DD>A <A href="#symmetric">symmetric cipher</A> which operates on 
 fixed-size blocks of plaintext, giving a block of ciphertext for each. 
 Contrast with <A href="#stream"> stream cipher</A>. Block ciphers can 
 be used in various <A href="#mode">modes</A> when multiple block are 
 to be encrypted. </DD>
<P><A href="#DES">DES</A> is among the the best known and widely used 
 block ciphers, but is now obsolete. Its 56-bit key size makes it <A href="politics.html#desnotsecure">
highly insecure</A> today. <A href="#3DES">Triple  DES</A> is the 
default transform for <A href="web.html#FreeSWAN">Linux  FreeS/WAN</A>
 because it is the only cipher which is both required in  the <A href="rfc.html#RFC">
RFCs</A> and apparently secure.</P>
<P>The current generation of block ciphers -- such as <A href="#Blowfish">
Blowfish</A>, <A href="#CAST128">CAST-128</A> and <A href="#IDEA">IDEA</A>
 -- all use 64-bit blocks and 128-bit keys. The  next generation, <A href="#AES">
AES</A>, uses 128-bit blocks and  supports key sizes up to 256 bits.</P>
<P>The <A href="http://www.ii.uib.no/~larsr/bc.html"> Block Cipher 
 Lounge</A> web site has more information.</P>
<DT><A name="Blowfish">Blowfish</A></DT>
<DD>A <A href="#block">block cipher</A> using 64-bit blocks and keys of 
 up to 448 bits, designed by <A href="biblio.html#schneier">Bruce 
Schneier</A> and  used in several products. </DD>
<P>This is not required by the <A href="#IPSEC">IPSEC</A> RFCs and not 
 currently used in <A href="web.html#FreeSWAN">Linux FreeS/WAN</A>.</P>
<DT><A name="brute">Brute force attack (exhaustive search)</A></DT>
<DD>Breaking a cipher by trying all possible keys. This is always 
 possible in theory (except against a <A href="#OTP">one-time pad</A>), 
 but it becomes practical only if the key size is inadequate. For an 
 important example, see our document on the <A href="politics.html#desnotsecure">
insecurity of DES</A> with its 56-bit key. For an  analysis of key 
sizes required to resist plausible brute force  attacks, see <A href="http://www.counterpane.com/keylength.html">
this  paper</A>. </DD>
<P>Longer keys protect against brute force attacks. Each extra bit in 
 the key doubles the number of possible keys and therefore doubles the 
 work a brute force attack must do. A large enough key defeats <STRONG>
 any</STRONG> brute force attack.</P>
<P>For example, the EFF's <A href="#EFF">DES Cracker</A> searches a 
 56-bit key space in an average of a few days. Let us assume an 
 attacker that can find a 64-bit key (256 times harder) by brute force 
 search in a second (a few hundred thousand times faster). For a 96-bit 
 key, that attacker needs 2<SUP>32</SUP> seconds, just over a century. 
 Against a 128-bit key, he needs 2<SUP>32</SUP> centuries or about 
 400,000,000,000 years. Your data is then obviously secure against 
 brute force attacks. Even if our estimate of the attacker's speed is 
 off by a factor of a million, it still takes him 400,000 years to 
 crack a message.</P>
<P>This is why</P>
<UL>
<LI>single <A href="#DES">DES</A> is now considered <A href="politics.html#desnotsecure">
dangerously insecure</A></LI>
<LI>all of the current generation of <A href="#block">block  ciphers</A>
 use a 128-bit or longer key</LI>
<LI><A href="#AES">AES</A> ciphers support keysizes 128, 192 and 256 
 bits</LI>
<LI>any cipher we add to Linux FreeS/WAN will have <EM>at least</EM> a 
128-bit key</LI>
</UL>
<P><STRONG>Cautions:</STRONG>
<BR><EM> Inadequate keylength always indicates a weak cipher</EM> but 
it is  important to note that <EM>adequate keylength does not 
necessarily  indicate a strong cipher</EM>. There are many attacks 
other than brute  force, and adequate keylength <EM>only</EM>
 guarantees resistance to  brute force. Any cipher, whatever its key 
size, will be weak if design  or implementation flaws allow other 
attacks.</P>
<P>Also, <EM>once you have adequate keylength</EM> (somewhere around 
 90 or 100 bits), <EM>adding more key bits make no practical  difference</EM>
, even against brute force. Consider our 128-bit  example above that 
takes 400 billion years to break by brute force. Do  we care if an 
extra 16 bits of key put that into the quadrillions? No.  What about 16 
fewer bits reducing it to the 112-bit security level of <A href="#3DES">
 Triple DES</A>, which our example attacker could break  in just over a 
billion years? No again, unless we're being really  paranoid about 
safety margins.</P>
<P>There may be reasons of convenience in the design of the cipher to 
 support larger keys. For example <A href="#Blowfish">Blowfish</A>
 allows up to 448 bits and <A href="#RC4">RC4</A> up to 2048, but 
 beyond 100-odd bits it makes no difference to practical security.</P>
<DT>Bureau of Export Administration</DT>
<DD>see <A href="#BXA">BXA</A></DD>
<DT><A name="BXA">BXA</A></DT>
<DD>The US Commerce Department's <B>B</B>ureau of E<B>x</B>port <B> A</B>
dministration which administers the <A href="#EAR">EAR</A> Export 
Administration Regulations controling the export of, among  other 
things, cryptography.</DD>
<DT><A name="C">C</A></DT>
<DT><A name="CA"><A name="C">CA</A></A></DT>
<DD><B>C</B>ertification <B>A</B>uthority, an entity in a <A href="ipsec.html#PKI">
public key infrastructure</A> that can certify keys by  signing them. 
Usually CAs form a hierarchy. The top of this hierarchy  is called the <A
href="#rootCA">root CA</A>. </DD>
<P>See <A href="#web">Web of Trust</A> for an alternate model.</P>
<DT><A name="CAST128">CAST-128</A></DT>
<DD>A <A href="#block">block cipher</A> using 64-bit blocks and 128-bit 
 keys, described in RFC 2144 and used in products such as <A href="#Entrust">
Entrust</A> and recent versions of <A href="#PGP">PGP</A>. </DD>
<P>This is not required by the <A href="#IPSEC">IPSEC</A> RFCs and not 
 currently used in <A href="web.html#FreeSWAN">Linux FreeS/WAN</A>.</P>
<DT>CAST-256</DT>
<DD><A href="#Entrust">Entrust</A>'s candidate cipher for the <A href="#AES">
AES standard</A>, largely based on the <A href="#CAST128">CAST-128</A>
 design.</DD>
<DT><A name="CBC">CBC mode</A></DT>
<DD><B>C</B>ipher <B>B</B>lock <B>C</B>haining <A href="#mode">mode</A>
,  a method of using a <A href="#block">block cipher</A> in which for 
 each block except the first, the result of the previous encryption is 
 XORed into the new block before it is encrypted. CBC is the mode used 
 in <A href="#IPSEC">IPSEC</A>. </DD>
<P>An <A href="#IV">initialisation vector</A> (IV) must be provided. 
 It is XORed into the first block before encryption. The IV need not be 
 secret but should be different for each message and unpredictable.</P>
<DT>Certification Authority</DT>
<DD>see <A href="#CA">CA</A></DD>
<DT><A name="mode">Cipher Modes</A></DT>
<DD>Different ways of using a block cipher when encrypting multiple 
 blocks. </DD>
<P>Four standard modes were defined for <A href="#DES">DES</A> in <A href="#FIPS">
FIPS</A> 81. They can actually be applied with any block  cipher.</P>
<TABLE><TBODY>
<TR><TD><TD><A href="#ECB">ECB</A></TD><TD>Electronic CodeBook</TD><TD>
encrypt each block independently</TD></TR>
<TR><TD><TD><A href="#CBC">CBC</A></TD><TD>Cipher Block Chaining
<BR></TD><TD>XOR previous block ciphertext into new block plaintext 
 before encrypting new block</TD></TR>
<TR><TD><TD>CFB</TD><TD>Cipher FeedBack</TD><TD></TR>
<TR><TD><TD>OFB</TD><TD>Output FeedBack</TD><TD></TR>
</TABLE>
<P><A href="#IPSEC">IPSEC</A> uses <A href="#CBC">CBC</A> mode since 
 this is only marginally slower than <A href="#ECB">ECB</A> and is more 
 secure. In ECB mode the same plaintext always encrypts to the same 
 ciphertext, unless the key is changed. In CBC mode, this does not 
 occur.</P>
<P>Various other modes are also possible, but none of them are used in 
 IPSEC.</P>
<DT><A name="challenge">Challenge-response authentication</A></DT>
<DD>An <A href="#authentication">authentication</A> system in which one 
 player generates a <A href="#random">random number</A>, encrypts it 
 and sends the result as a challenge. The other player decrypts and 
 sends back the result. If the result is correct, that proves to the 
 first player that the second player knew the appropriate secret, 
 required for the decryption. Variations on this technique exist using <A
href="#public"> public key</A> or <A href="#symmetric">symmetric</A>
 cryptography. Some provide two-way authentication, assuring each 
 player of the other's identity. </DD>
<P>This is more secure than passwords against two simple attacks:</P>
<UL>
<LI>If cleartext passwords are sent across the wire (e.g. for  telnet), 
an eavesdropper can grab them. The attacker may even be  able to break 
into other systems if the user has chosen the same  password for them.</LI>
<LI>If an encrypted password is sent, an attacker can record the 
 encrypted form and use it later. This is called a replay  attack.</LI>
</UL>
<P>A challenge-response system never sends a password, either 
 cleartext or encrypted.  An attacker cannot record the response to one 
 challenge and use it as a response to a later challenge. The random 
 number is different each time.</P>
<P>Of course an attacker might still try to break the cryptographic 
 algorithm used, or the <A href="#random">random number</A> generator.</P>
<DT><A name="ciphertext">Ciphertext</A></DT>
<DD>The encrypted output of a cipher, as opposed to the unencrypted <A href="#plaintext">
plaintext</A> input.</DD>
<DT><A href="http://www.cisco.com">Cisco</A></DT>
<DD>A vendor of routers, hubs and related products. Their IPSEC 
products  interoperate with Linux FreeS/WAN; see our <A href="interop.html#Cisco">
interop</A> section.</DD>
<DT><A name="client">Client</A></DT>
<DD>This term has at least two distinct uses in discussing IPSEC: 
<UL>
<LI>The <STRONG>clients of an IPSEC gateway</STRONG> are the  machines 
it protects, typically on one or more subnets behind the  gateway. In 
this usage, all the machines on an office network are  clients of that 
office's IPSEC gateway. Laptop or home machines  connecting to the 
office, however, are <EM>not</EM> clients of  that gateway. They are 
remote gateways, running the other end of  an IPSEC connection. Each of 
them is also its own client.</LI>
<LI><STRONG>IPSEC client software</STRONG> is used to describe 
 software which runs on various standalone machines to let them 
 connect to IPSEC networks. In this usage, a laptop or home machine 
 connecting to the office <EM>is</EM> a client machine.</LI>
</UL>
</DD>
<P>We generally use the term in the first sense. Vendors of Windows 
 IPSEC solutions often use it in the second.</P>
<DT>Conventional cryptography</DT>
<DD>See <A href="#symmetric">symmetric cryptography</A></DD>
<DT><A name="collision">Collision resistance</A></DT>
<DD>The property of a <A href="#digest">message digest</A> algorithm 
 which makes it hard for an attacker to find or construct two inputs 
 which hash to the same output.</DD>
<DT>Copyleft</DT>
<DD>see GNU <A href="#GPL">General Public License</A></DD>
<DT><A name="CSE">CSE</A></DT>
<DD><A href="http://www.cse-cst.gc.ca/cse/english/home_1.html">
Communications  Security Establishment</A>, the Canadian organisation 
for <A href="#SIGINT">signals intelligence</A>.</DD>
<DT><A name="D">D</A></DT>
<DT><A name="DARPA"><A name="D">DARPA (sometimes just ARPA)</A></A></DT>
<DD>The US government's <B>D</B>efense <B>A</B>dvanced <B>R</B>esearch <B>
 P</B>rojects <B>A</B>gency. Projects they have funded over the  years 
have included the Arpanet which evolved into the Internet, the  TCP/IP 
protocol suite (as a replacement for the original Arpanet  suite), the 
Berkeley 4.x BSD Unix projects, and <A href="#SDNS">Secure  DNS</A>. </DD>
<P>For current information, see their <A href="http://www.darpa.mil/ito">
web site</A>.</P>
<DT><A name="DOS">Denial of service (DoS) attack</A></DT>
<DD>An attack that aims at denying some service to legitimate users of 
a  system, rather than providing a service to the attacker. 
<UL>
<LI>One variant is a flooding attack, overwhelming the system with  too 
many packets, to much email, or whatever.</LI>
<LI>A closely related variant is a resource exhaustion attack. For 
 example, consider a &quot;TCP SYN flood&quot; attack. Setting up a TCP 
 connection involves a three-packet exchange: 
<UL>
<LI>Initiator: Connection please (SYN)</LI>
<LI>Responder: OK (ACK)</LI>
<LI>Initiator: OK here too</LI>
</UL>
</LI>
<P>If the attacker puts bogus source information in the first  packet, 
such that the second is never delivered, the responder may  wait a long 
time for the third to come back. If responder has  already allocated 
memory for the connection data structures, and  if many of these bogus 
packets arrive, the responder may run out  of memory.</P>
<LI>Another variant is to feed the system undigestible data, hoping  to 
make it sick. For example, IP packets are limited in size to  64K bytes 
and a fragment carries information on where it starts  within that 64K 
and how long it is. The &quot;ping of death&quot; delivers  fragments that say, 
for example, that they start at 60K and are  20K long. Attempting to 
re-assemble these without checking for  overflow can be fatal.</LI>
</UL>
</DD>
<P>The two example attacks discussed were both quite effective when 
 first discovered, capable of crashing or disabling many operating 
 systems. They were also well-publicised, and today far fewer systems 
 are vulnerable to them.</P>
<DT><A name="DES">DES</A></DT>
<DD>The <B>D</B>ata <B>E</B>ncryption <B>S</B>tandard, a <A href="#block">
block cipher</A> with 64-bit blocks and a 56-bit key.  Probably the 
most widely used <A href="#symmetric">symmetric  cipher</A> ever 
devised. DES has been a US government standard for  their own use (only 
for unclassified data), and for some regulated  industries such as 
banking, since the late 70's. </DD>
<P><A href="politics.html#desnotsecure">DES is seriously insecure 
against current  attacks.</A></P>
<P><A href="web.html#FreeSWAN">Linux FreeS/WAN</A> does not include 
DES, even  though the RFCs specify it. <B>We strongly recommend that 
single DES  not be used.</B></P>
<P>See also <A href="#3DES">3DES</A> and <A href="#DESX">DESX</A>, 
 stronger ciphers based on DES.</P>
<DT><A name="DESX">DESX</A></DT>
<DD>An improved <A href="#DES">DES</A> suggested by Ron Rivest of RSA 
 Data Security. It XORs extra key material into the text before and 
 after applying the DES cipher. </DD>
<P>This is not required by the <A href="#IPSEC">IPSEC</A> RFCs and not 
 currently used in <A href="web.html#FreeSWAN">Linux FreeS/WAN</A>. 
DESX would  be the easiest additional transform to add; there would be 
very little  code to write. It would be much faster than 3DES and 
almost certainly  more secure than DES. However, since it is not in the 
RFCs other IPSEC  implementations cannot be expected to have it.</P>
<DT>DH</DT>
<DD>see <A href="#DH">Diffie-Hellman</A></DD>
<DT><A name="DH">Diffie-Hellman (DH) key exchange protocol</A></DT>
<DD>A protocol that allows two parties without any initial shared 
secret  to create one in a manner immune to eavesdropping. Once they 
have done  this, they can communicate privately by using that shared 
secret as a  key for a block cipher or as the basis for key exchange. </DD>
<P>The protocol is secure against all <A href="#passive">passive 
 attacks</A>, but it is not at all resistant to active <A href="#middle">
man-in-the-middle attacks</A>. If a third party can  impersonate Bob to 
Alice and vice versa, then no useful secret can be  created. 
Authentication of the participants is a prerequisite for safe 
 Diffie-Hellman key exchange. IPSEC can use any of several <A href="#authentication">
authentication</A> mechanisims. Those supported  by FreeS/WAN are 
discussed in our <A href="config.html#choose">configuration</A> section.</P>
<P>The Diffie-Hellman key exchange is based on the <A href="#dlog">
discrete logarithm</A> problem and is secure unless  someone finds an 
efficient solution to that problem.</P>
<P>Given a prime <VAR>p</VAR> and generator <VAR>g</VAR> (explained 
 under <A href="#dlog">discrete log</A> below), Alice:</P>
<UL>
<LI>generates a random number <VAR>a</VAR></LI>
<LI>calculates <VAR>A = g^a modulo p</VAR></LI>
<LI>sends <VAR>A</VAR> to Bob</LI>
</UL>
<P>Meanwhile Bob:</P>
<UL>
<LI>generates a random number <VAR>b</VAR></LI>
<LI>calculates <VAR>B = g^b modulo p</VAR></LI>
<LI>sends <VAR>B</VAR> to Alice</LI>
</UL>
<P>Now Alice and Bob can both calculate the shared secret <VAR>s = 
 g^(ab)</VAR>. Alice knows <VAR>a</VAR> and <VAR>B</VAR>, so she 
 calculates <VAR>s = B^a</VAR>. Bob knows <VAR>A</VAR> and <VAR>b</VAR>
 so he calculates <VAR>s = A^b</VAR>.</P>
<P>An eavesdropper will know <VAR>p</VAR> and <VAR>g</VAR> since these 
 are made public, and can intercept <VAR>A</VAR> and <VAR>B</VAR> but, 
 short of solving the <A href="#dlog">discrete log</A> problem, these 
 do not let him or her discover the secret <VAR>s</VAR>.</P>
<DT><A name="signature">Digital signature</A></DT>
<DD>Sender: 
<UL>
<LI>calculates a <A href="#digest">message digest</A> of a  document</LI>
<LI>encrypts the digest with his or her private key, using some <A href="#public">
public key cryptosystem</A>.</LI>
<LI>attaches the encrypted digest to the document as a  signature</LI>
</UL>
</DD>
<P>Receiver:</P>
<UL>
<LI>calculates a digest of the document (not including the  signature)</LI>
<LI>decrypts the signature with the signer's public key</LI>
<LI>verifies that the two results are identical</LI>
</UL>
<P>If the public-key system is secure and the verification succeeds, 
 then the receiver knows</P>
<UL>
<LI>that the document was not altered between signing and  verification</LI>
<LI>that the signer had access to the private key</LI>
</UL>
<P>Such an encrypted message digest can be treated as a signature 
 since it cannot be created without <EM>both</EM> the document <EM> and</EM>
 the private key which only the sender should possess. The <A href="web.html#legal">
 legal issues</A> are complex, but several countries  are moving in the 
direction of legal recognition for digital  signatures.</P>
<DT><A name="dlog">discrete logarithm problem</A></DT>
<DD>The problem of finding logarithms in a finite field. Given a field 
 defintion (such definitions always include some operation analogous to 
 multiplication) and two numbers, a base and a target, find the power 
 which the base must be raised to in order to yield the target. </DD>
<P>The discrete log problem is the basis of several cryptographic 
 systems, including the <A href="#DH">Diffie-Hellman</A> key exchange 
 used in the <A href="#IKE">IKE</A> protocol. The useful property is 
 that exponentiation is relatively easy but the inverse operation, 
 finding the logarithm, is hard. The cryptosystems are designed so that 
 the user does only easy operations (exponentiation in the field) but 
 an attacker must solve the hard problem (discrete log) to crack the 
 system.</P>
<P>There are several variants of the problem for different types of 
 field. The IKE/Oakley key determination protocol uses two variants, 
 either over a field modulo a prime or over a field defined by an 
 elliptic curve. We give an example modulo a prime below. For the 
 elliptic curve version, consult an advanced text such as <A href="biblio.html#handbook">
Handbook of Applied Cryptography</A>.</P>
<P>Given a prime <VAR>p</VAR>, a generator <VAR>g</VAR> for the field 
 modulo that prime, and a number <VAR>x</VAR> in the field, the problem 
 is to find <VAR>y</VAR> such that <VAR>g^y = x</VAR>.</P>
<P>For example, let p = 13. The field is then the integers from 0 to 
 12. Any integer equals one of these modulo 13. That is, the remainder 
 when any integer is divided by 13 must be one of these.</P>
<P>2 is a generator for this field.  That is, the powers of two modulo 
 13 run through all the non-zero numbers in the field. Modulo 13 we 
 have:</P>
<PRE>          y      x
        2^0  ==  1
        2^1  ==  2
        2^2  ==  4
        2^3  ==  8
        2^4  ==  3 that is, the remainder from 16/13 is 3
        2^5  ==  6          the remainder from 32/13 is 6
        2^6  == 12 and so on
        2^7  == 11
        2^8  ==  9
        2^9  ==  5
        2^10 == 10
        2^11 ==  7
        2^12 ==  1</PRE>
<P> Exponentiation in such a field is not difficult. Given, say, <NOBR><VAR>
y = 11</VAR>,</NOBR> calculating <NOBR><VAR>x = 7</VAR></NOBR> is 
straightforward. One method is just to calculate <NOBR><VAR>2^11 = 2048</VAR>
,</NOBR> then <NOBR><VAR>2048 mod 13 == 7</VAR>.</NOBR> When the field 
is modulo a large prime (say a few 100 digits) you need a silghtly 
cleverer method and even that is moderately expensive in computer time, 
but the calculation is still not  problematic in any basic way.</P>
<P> The discrete log problem is the reverse. In our example, given <NOBR>
<VAR>x = 7</VAR>,</NOBR> find the logarithm <NOBR><VAR>y = 11</VAR>.</NOBR>
 When the  field is modulo a large prime (or is based on a suitable 
elliptic  curve), this is indeed problematic. No solution method that 
is not  catastrophically expensive is known. Quite a few mathematicians 
have  tackled this problem. No efficient method has been found and 
mathematicians  do not expect that one will be. It seems likely no 
efficient solution  to either of the main variants the discrete log 
problem exists.</P>
<P>Note, however, that no-one has proven such methods do not exist. If 
 a solution to either variant were found, the security of any crypto 
 system using that variant would be destroyed.  This is one reason <A href="#IKE">
 IKE</A> supports two variants. If one is broken, we can  switch to the 
other.</P>
<DT><A name="DNS">DNS</A></DT>
<DD><B>D</B>omain <B>N</B>ame <B>S</B>ervice, a distributed database 
 through which names are associated with numeric addresses and other 
 information in the Internet Protocol Suite. See also <A href="#BIND">
BIND</A>, the Berkeley Internet Name Daemon which  implements DNS 
services and <A href="#SDNS">Secure DNS</A>. See our  bibliography for 
a <A href="biblio.html#DNS.book">useful reference</A> on  both.</DD>
<DT>DOS attack</DT>
<DD>see <A href="ipsec.html#DOS">Denial Of Service</A> attack</DD>
<DT><A name="E">E</A></DT>
<DT><A name="EAR"><A name="E2"></A><A name="E">EAR</A></DT>
<DD>The US government's <B>E</B>xport <B>A</B>dministration <B> R</B>
egulations, administered by the <A href="#BXA">Bureau of  Export 
Administration</A>. These have replaced the earlier <A href="#ITAR">ITAR</A>
 regulations as the controls on export of  cryptography.</DD>
<DT><A name="ECB">ECB mode</A></DT>
<DD><B>E</B>lectronic <B>C</B>ode<B>B</B>ook mode, the simplest way to 
 use a block cipher. See <A href="#mode">Cipher Modes</A>.</DD>
<DT><A name="EDE">EDE</A></DT>
<DD>The sequence of operations normally used in either the three-key 
 variant of <A href="#3DES">triple DES</A> used in <A href="#IPSEC">
IPSEC</A> or the <A href="#2key">two-key</A> variant  used in some 
other systems. </DD>
<P>The sequence is:</P>
<UL>
<LI><B>E</B>ncrypt with key1</LI>
<LI><B>D</B>ecrypt with key2</LI>
<LI><B>E</B>ncrypt with key3</LI>
</UL>
<P>For the two-key version, key1=key3.</P>
<P>The &quot;advantage&quot; of this EDE order of operations is that it makes it 
 simple to interoperate with older devices offering only single DES. 
 Set key1=key2=key3 and you have the worst of both worlds, the overhead 
 of triple DES with the security of single DES. Since <A href="politics.html#desnotsecure">
single DES is insecure</A>, this is an extremely  dubious &quot;advantage&quot;.</P>
<P>The EDE two-key variant can also interoperate with the EDE 
 three-key variant used in <A href="#IPSEC">IPSEC</A>; just set  k1=k3.</P>
<DT><A name="Entrust"><A href="http://www.entrust.com">Entrust</A></A></DT>
<DD>A Canadian company offerring enterprise <A href="ipsec.html#PKI">PKI</A>
 products using <A href="#CAST128">CAST-128</A> symmetric crypto, <A href="#RSA">
RSA</A> public key and <A href="#X509">X.509</A> directories.</DD>
<DT><A name="EFF">EFF</A></DT>
<DD><A href="http://www.eff.org">Electronic Frontier Foundation</A>, an 
 advocacy group for civil rights in cyberspace.</DD>
<DT><A name="encryption">Encryption</A></DT>
<DD>Techniques for converting a readable message (<A href="#plaintext">
plaintext</A>) into apparently random material (<A href="#ciphertext">
ciphertext</A>) which cannot be read if  intercepted. A key is required 
to read the message. </DD>
<P>Major variants include <A href="#symmetric">symmetric</A> encryption 
in which sender and receiver use the same secret key and <A href="#public">
public key</A> methods in which the sender uses one of  a matched pair 
of keys and the receiver uses the other. Many current  systems, 
including <A href="#IPSEC">IPSEC</A>, are <A href="#hybrid">hybrids</A>
 combining the two techniques.</P>
<DT><A name="ESP">ESP</A></DT>
<DD><B>E</B>ncapsulated <B>S</B>ecurity <B>P</B>ayload, the <A href="#IPSEC">
IPSEC</A> protocol which provides <A href="#encryption">encryption</A>. 
It can also provide <A href="#authentication">authentication</A>
 service and may be used with  null encryption (which we do not 
recommend). For details see our <A href="#ESP">IPSEC Overview</A>
 document and/or RFC 2406.</DD>
<DT><A name="extruded">Extruded subnet</A></DT>
<DD>A situation in which something IP sees as one network is actually 
in  two or more places. </DD>
<P>For example, the Internet may route all traffic for a particular 
 company to that firm's corporate gateway. It then becomes the 
 company's problem to get packets to various machines on their <A href="#subnet">
subnets</A> in various departments. They may decide to  treat a branch 
office like a subnet, giving it IP addresses &quot;on&quot; their  corporate net. 
This becomes an extruded subnet.</P>
<P>Packets bound for it are delivered to the corporate gateway, since 
 as far as the outside world is concerned, that subnet is part of the 
 corporate network. However, instead of going onto the corporate LAN 
 (as they would for, say, the accounting department) they are then 
 encapsulated and sent back onto the Internet for delivery to the 
 branch office.</P>
<P>For information on doing this with Linux FreeS/WAN, look in our <A href="#extruded">
Configuration</A> file.</P>
<DT>Exhaustive search</DT>
<DD>See <A href="#brute">brute force attack</A>.</DD>
<DT><A name="F">F</A></DT>
<DT><A name="FIPS"><A name="F">FIPS</A></A></DT>
<DD><B>F</B>ederal <B>I</B>nformation <B>P</B>rocessing <B>S</B>
tandard,  the US government's standards for products it buys. These are 
issued  by <A href="#NIST">NIST</A>. Among other things, <A href="#DES">
DES</A> and <A href="#SHA">SHA</A> are defined in FIPS  documents. NIST 
have a <A href="http://www.itl.nist.gov/div897/pubs">FIPS home page</A>.</DD>
<DT><A name="FSF">Free Software Foundation (FSF)</A></DT>
<DD>An organisation to promote free software, free in the sense of 
these  quotes from their web pages</DD>
<DD><BLOCKQUOTE> &quot;Free software&quot; is a matter of liberty, not price. To 
understand the  concept, you should think of &quot;free speech&quot;, not &quot;free 
beer.&quot; 
<P>&quot;Free software&quot; refers to the users' freedom to run, copy, 
 distribute, study, change and improve the software.</P>
</BLOCKQUOTE></DD>
<P>See also <A href="#GNU">GNU</A>, <A href="#GPL">GNU General Public 
 License</A>, and <A href="http://www.fsf.org">the FSF site</A>.</P>
<DT>FreeSWAN</DT>
<DD>see <A href="web.html#FreeSWAN">Linux FreeS/WAN</A></DD>
<DT>FSF</DT>
<DD>see <A href="#FSF">Free software Foundation</A></DD>
<DT><A name="G">G</A></DT>
<DT><A name="GCHQ"><A name="G">GCHQ</A></A></DT>
<DD><A href="http://www.gchq.gov.uk">Government Communications 
 Headquarters</A>, the British organisation for <A href="#SIGINT">
signals intelligence</A>.</DD>
<DT>generator of a prime field</DT>
<DD>see <A href="#dlog">discrete logarithm problem</A></DD>
<DT><A name="GILC">GILC</A></DT>
<DD><A href="http://www.gilc.org">Global Internet Liberty Campaign</A>, 
 an international organisation advocating, among other things, free 
 availability of cryptography. They have a <A href="http://www.gilc.org/crypto/wassenaar">
campaign</A> to remove  cryptographic software from the <A href="politics.html#Wassenaar">
Wassenaar  Arrangement</A>.</DD>
<DT>Global Internet Liberty Campaign</DT>
<DD>see <A href="#GILC">GILC</A>.</DD>
<DT><A name="GTR"><A href="http://www.cl.cam.ac.uk/Research/Security/Trust-Register">
Global  Trust Register</A></A></DT>
<DD>An attempt to create something like a <A href="#rootCA">root CA</A>
 for <A href="#PGP">PGP</A> by publishing both <A href="#GTR">as a  book</A>
 and <A href="http://www.cl.cam.ac.uk/Research/Security/Trust-Register">
 on  the web</A> the fingerprints of a set of verified keys for 
well-known  users and organisations.</DD>
<DT>GMP</DT>
<DD>The <B>G</B>NU <B>M</B>ulti-<B>P</B>recision library code, used in <A
href="web.html#FreeSWAN"> Linux FreeS/WAN</A> by <A href="#Pluto">Pluto</A>
 for <A href="#public">public key</A> calculations.</DD>
<DT><A name="GNU">GNU</A></DT>
<DD><B>G</B>NU's <B>N</B>ot <B>U</B>nix, the <A href="#FSF">Free 
 Software Foundation's</A> project aimed at creating a free system with 
 at least the capabilities of Unix. <A href="#Linux">Linux</A> uses GNU 
 utilities extensively.</DD>
<DT>GPG</DT>
<DD>see <A href="#GPG">GNU Privacy Guard</A></DD>
<DT><A name="GPL">GNU <A href="http://www.fsf.org/copyleft/gpl.html">
 General  Public License</A>(GPL, copyleft)</A></DT>
<DD>The license developed by the <A href="#FSF">Free Software 
 Foundation</A> under which <A href="#Linux">Linux</A>, <A href="web.html#FreeSWAN">
Linux FreeS/WAN</A> and many other pieces of software  are distributed. 
The license allows anyone to redistribute and modify  the code, but 
forbids anyone from distributing executables without  providing access 
to source code. For more details see the file <A href="../COPYING">
COPYING</A> included with GPLed source  distributions, including ours, 
or <A href="http://www.fsf.org/copyleft/gpl.html"> the GNU site's GPL 
 page</A>.</DD>
<DT><A name="GPG"><A href="http://www.gnupg.org">GNU Privacy Guard</A></A>
</DT>
<DD>An open source implementation of Open <A href="#PGP">PGP</A> as 
 defined in RFC 2440.</DD>
<DT>GPL</DT>
<DD>see <A href="#GPL">GNU General Public License</A>.</DD>
<DT><A name="H">H</A></DT>
<DT><A name="hash">Hash</A></DT>
<DD>see <A href="#digest">message digest</A></DD>
<DT><A name="HMAC">Hashed Message Authentication Code (HMAC)</A></DT>
<DD>using keyed <A href="#digest">message digest</A> functions to 
 authenticate a message. This differs from other uses of these 
 functions: 
<UL>
<LI>In normal usage, the hash function's internal variable are 
 initialised in some standard way. Anyone can reproduce the hash to 
 check that the message has not been altered.</LI>
<LI>For HMAC usage, you initialise the internal variables from the 
 key. Only someone with the key can reproduce the hash. A  successful 
check of the hash indicates not only that the message  is unchanged but 
also that the creator knew the key.</LI>
</UL>
</DD>
<P>The exact techniques used in <A href="#IPSEC">IPSEC</A> are defined 
 in RFC 2104. They are referred to as HMAC-MD5-96 and HMAC-SHA-96 
 because they output only 96 bits of the hash. This makes some attacks 
 on the hash functions harder.</P>
<DT>HMAC</DT>
<DD>see <A href="#HMAC">Hashed Message Authentication Code</A></DD>
<DT>HMAC-MD5-96</DT>
<DD>see <A href="#HMAC">Hashed Message Authentication Code</A></DD>
<DT>HMAC-SHA-96</DT>
<DD>see <A href="#HMAC">Hashed Message Authentication Code</A></DD>
<DT><A name="hybrid">Hybrid cryptosystem</A></DT>
<DD>A system using both <A href="#public">public key</A> and <A href="#symmetric">
symmetric cipher</A> techniques. This works well.  Public key methods 
provide key management and <A href="#signature">digital signature</A>
 facilities which are not  readily available using symmetric ciphers. 
The symmetric cipher,  however, can do the bulk of the encryption work 
much more efficiently  than public key methods.</DD>
<DT><A name="I">I</A></DT>
<DT><A name="IAB">IAB</A></DT>
<DD><A href="http://www.iab.org/iab">Internet Architecture  Board</A>.</DD>
<DT><A name="icmp">ICMP</A></DT>
<DD><STRONG>I</STRONG>nternet <STRONG>C</STRONG>ontrol <STRONG> M</STRONG>
essage <STRONG>P</STRONG>rotocol. This is used for  various 
IP-connected devices to manage the network.</DD>
<DT><A name="IDEA">IDEA</A></DT>
<DD><B>I</B>nternational <B>D</B>ata <B>E</B>ncrypion <B>A</B>lgorithm, 
 developed in Europe as an alternative to exportable American ciphers 
 such as <A href="#DES">DES</A> which were <A href="politics.html#desnotsecure">
too  weak for serious use</A>. IDEA is a <A href="#block">block cipher</A>
 using 64-bit blocks and 128-bit keys, and is used in products such as <A
href="#PGP"> PGP</A>. </DD>
<P>IDEA is not required by the <A href="#IPSEC">IPSEC</A> RFCs and not 
 currently used in <A href="web.html#FreeSWAN">Linux FreeS/WAN</A>.</P>
<P>IDEA is patented and, with strictly limited exceptions for personal 
 use, using it requires a license from <A href="http://www.ascom.com">
Ascom</A>.</P>
<DT><A name="IESG">IESG</A></DT>
<DD><A href="http://www.ietf.org">Internet Engineering Steering  Group</A>
.</DD>
<DT><A name="IETF">IETF</A></DT>
<DD><A href="http://www.ietf.org">Internet Engineering Task Force</A>, 
 the umbrella organisation whose various working groups make most of 
 the technical decisions for the Internet. The IETF <A href="http://www.ietf.org/html.charters/ipsec-charter.html">
 IPSEC  working group</A> wrote the <A href="rfc.html#RFC">RFCs</A> we 
are  implementing.</DD>
<DT><A name="IKE">IKE</A></DT>
<DD><B>I</B>nternet <B>K</B>ey <B>E</B>xchange, based on the <A href="#DH">
Diffie-Hellman</A> key exchange protocol. IKE is  implemented in <A href="web.html#FreeSWAN">
Linux FreeS/WAN</A> by the <A href="#Pluto">Pluto daemon</A>.</DD>
<DT><A name="IV">Initialisation Vector (IV)</A></DT>
<DD>Some cipher <A href="#mode">modes</A>, including the <A href="#CBC">
CBC</A> mode which IPSEC uses, require some extra data at  the 
beginning. This data is called the initialisation vector. It need  not 
be secret, but should be different for each message. Its function  is 
to prevent messages which begin with the same text from encrypting  to 
the same ciphertext. That might give an analyst an opening, so it  is 
best prevented.</DD>
<DT><A name="IP">IP</A></DT>
<DD><B>I</B>nternet <B>P</B>rotocol.</DD>
<DT><A name="masq">IP masquerade</A></DT>
<DD>A method of allowing multiple machines to communicate over the 
 Internet when only one IP address is available for their use. See the 
 Linux masquerade <A href="http://www.tor.shaw.wave.ca/~ambrose">
resource page</A> for  details. </DD>
<P>The client machines are set up with reserved <A href="non-routable">
non-routable</A> IP addresses defined in RFC 1918.  The masquerading 
gateway, the machine with the actual link to the  Internet, rewrites 
packet headers so that all packets going onto the  Internet appear to 
come from one IP address, that of its Internet  interface. It then gets 
all the replies, does some table lookups and  more header rewriting, 
and delivers the replies to the appropriate  client machines.</P>
<P> For information on using masquerade with Linux FreeS/WAN, see our <A href="firewall.html#NAT">
 firewall document</A> and the <A href="faq.html#masq.faq">FAQ</A> and.</P>
<DT><A name="IPng">IPng</A></DT>
<DD>&quot;IP the Next Generation&quot;, see <A href="#ipv6.gloss">IPv6</A>.</DD>
<DT><A name="IPv4">IPv4</A></DT>
<DD>The current version of the <A href="#IP">Internet protocol  suite</A>
.</DD>
<DT><A name="ipv6.gloss">IPv6 (IPng)</A></DT>
<DD>Version six of the <A href="#IP">Internet protocol suite</A>, 
 currently being developed. It will replace the current <A href="#IPv4">
version four</A>. IPv6 has <A href="#IPSEC">IPSEC</A> as  a mandatory 
component. </DD>
<P>See this <A href="http://playground.sun.com/pub/ipng/html/ipng-main.html">
web  site</A> for more details, and our <A href="compat.html#ipv6">
compatibility</A> document for information on FreeS/WAN and the Linux 
implementation of  IPv6.</P>
<DT><A name="IPSEC">IPSEC</A></DT>
<DD><B>I</B>nternet <B>P</B>rotocol <B>SEC</B>urity, security functions 
 (<A href="#authentication">authentication</A> and <A href="#encryption">
encryption</A>) implemented at the IP level of the  protocol stack. It 
is optional for <A href="#IPv4">IPv4</A> and  mandatory for <A href="#ipv6.gloss">
IPv6</A>. </DD>
<P>This is the standard <A href="web.html#FreeSWAN">Linux FreeS/WAN</A>
 is  implementing. For more details, see our <A href="web.html#overview">
IPSEC  Overview</A>. For the standards, see RFCs listed in our <A href="rfc.html#RFC">
RFCs document</A>.</P>
<DT><A name="ISAKMP">ISAKMP</A></DT>
<DD><B>I</B>nternet <B>S</B>ecurity <B>A</B>ssociation and <B>K</B>ey <B>
 M</B>anagement <B>P</B>rotocol, defined in RFC 2408.</DD>
<DT><A name="ITAR">ITAR</A></DT>
<DD><B>I</B>nternational <B>T</B>raffic in <B>A</B>rms <B> R</B>
egulations, US regulations administered by the State  Department which 
until recently limited export of, among other things,  cryptographic 
technology and software. ITAR still exists, but the  limits on 
cryptography have now been transferred to the <A href="#EAR">Export 
Administration Regulations</A> under the Commerce  Department's <A href="#BXA">
Bureau of Export Administration</A>.</DD>
<DT>IV</DT>
<DD>see <A href="#IV">Initialisation vector</A></DD>
<DT><A name="J">J</A></DT>
<DT><A name="K">K</A></DT>
<DT><A name="kernel">Kernel</A></DT>
<DD>The basic part of an operating system (e.g. Linux) which controls 
 the hardware and provides services to all other programs. </DD>
<P>In the Linux release numbering system, an even second digit as in  2.<STRONG>
2</STRONG>.x indicates a stable or production kernel while  an odd 
number as in 2.<STRONG>3</STRONG>.x indicates an experimental  or 
development kernel. Most users should run a recent kernel version  from 
the production series. The development kernels are primarily for 
 people doing kernel development. Others should consider using 
 development kernels only if they have an urgent need for some feature 
 not yet available in production kernels.</P>
<DT>Keyed message digest</DT>
<DD>See <A href="#HMAC">HMAC</A>.</DD>
<DT>Key length</DT>
<DD>see <A href="#brute">brute force attack</A></DD>
<DT><A name="KLIPS">KLIPS</A></DT>
<DD><B>K</B>erne<B>l</B><B> IP</B><B> S</B>ecurity, the <A href="web.html#FreeSWAN">
Linux FreeS/WAN</A> project's changes to the <A href="#Linux">Linux</A>
 kernel to support the <A href="#IPSEC">IPSEC</A> protocols.</DD>
<DT><A name="L">L</A></DT>
<DT><A name="LDAP">LDAP</A></DT>
<DD><B>L</B>ightweight <B>D</B>irectory <B>A</B>ccess <B>P</B>rotocol, 
 defined in RFCs 1777 and 1778,  a method of accessing information 
 stored in directories. LDAP is used by several <A href="ipsec.html#PKI">
PKI</A> implementations, often with X.501 directories and <A href="#X509">
X.509</A> certificates. It may also be used by <A href="#IPSEC">IPSEC</A>
 to obtain key certifications from those PKIs.  This is not yet 
implemented in <A href="web.html#FreeSWAN">Linux  FreeS/WAN</A>.</DD>
<DT><A name="LIBDES">LIBDES</A></DT>
<DD>A publicly available library of <A href="#DES">DES</A> code, 
written  by Eric Young, which <A href="web.html#FreeSWAN">Linux 
FreeS/WAN</A> uses in  both <A href="#KLIPS">KLIPS</A> and <A href="#Pluto">
Pluto</A>.</DD>
<DT><A name="Linux">Linux</A></DT>
<DD>A freely available Unix-like operating system based on a kernel 
 originally written for the Intel 386 architecture by (then) student 
 Linus Torvalds. Once his 32-bit kernel was available, the <A href="#GNU">
GNU</A> utilities made it a usable system and  contributions from many 
others led to explosive growth. </DD>
<P>Today Linux is a complete Unix replacement available for several 
 CPU architectures -- Intel, DEC/Compaq Alpha, Power PC, both 32-bit 
 SPARC and the 64-bit UltraSPARC, SrongARM, . . . -- with support for 
 multiple CPUs on some architectures.</P>
<P><A href="web.html#FreeSWAN">Linux FreeS/WAN</A> is intended to run 
on all  CPUs supported by Linux and is known to work on several. See 
our <A href="compat.html#CPUs"> compatibility</A> section for a list.</P>
<DT><A name="FreeSWAN">Linux FreeS/WAN</A></DT>
<DD>Our implementation of the <A href="#IPSEC">IPSEC</A> protocols, 
 intended to be freely redistributable source code with <A href="#GPL">
a GNU GPL license</A> and no constraints under US or other <A href="politics.html#exlaw">
 export laws</A>. Linux FreeS/WAN is intended to  interoperate with 
other <A href="#IPSEC">IPSEC</A> implementations.  The name is partly 
taken, with permission, from the <A href="#SWAN">S/WAN</A> multi-vendor 
IPSEC compatability effort. Linux  FreeS/WAN has two major components, <A
href="#KLIPS">KLIPS</A> (KerneL  IPSEC Support) and the <A href="#Pluto">
Pluto</A> daemon which manages  the whole thing. </DD>
<P>See our <A href="web.html#overview">IPSEC Overview</A> for more 
detail. For  the code see our <A href="http://freeswan.org"> primary 
distribution  site</A> or one of the mirror sites on <A href="intro.html#mirrors">
 this  list</A>.</P>
<DT><A name="M">M</A></DT>
<DT><A name="list">Mailing list</A></DT>
<DD>The <A href="web.html#FreeSWAN">Linux FreeS/WAN</A> project has 
several  public email lists for bug reports and software development 
 discussions. See our document on <A href="mail.html">mailing lists</A>.</DD>
<DT><A name="middle">Man-in-the-middle attack</A></DT>
<DD>An <A href="#active">active attack</A> in which the attacker 
 impersonates each of the legitimate players in a protocol to the 
 other. </DD>
<P>For example, if <A href="#alicebob">Alice and Bob</A> are 
 negotiating a key via the <A href="#DH">Diffie-Hellman</A> key 
 agreement, and are not using <A href="#authentication">authentication</A>
 to be certain they are  talking to each other, then an attacker able 
to insert himself in the  communication path can deceive both players.</P>
<P>Call the attacker Mallory. For Bob, he pretends to be Alice. For 
 Alice, he pretends to be Bob. Two keys are then negotiated, 
 Alice-to-Mallory and Bob-to-Mallory. Alice and Bob each think the key 
 they have is Alice-to-Bob.</P>
<P>A message from Alice to Bob then goes to Mallory who decrypts it, 
 reads it and/or saves a copy, re-encrypts using the Bob-to-Mallory key 
 and sends it along to Bob. Bob decrypts successfully and sends a reply 
 which Mallory decrypts, reads, re-encrypts and forwards to Alice.</P>
<P>To make this attack effective, Mallory must</P>
<UL>
<LI>subvert some part of the network in some way that lets him carry 
 out the deception
<BR> possible targets: DNS, router, Alice or Bob's machine, mail 
 server, ...</LI>
<LI>beat any authentication mechanism Alice and Bob use
<BR> strong authentication defeats the attack entirely; this is why <A href="#IKE">
IKE</A> requires authentication</LI>
<LI>work in real time, delivering messages without introducing  a delay 
large enough to alert the victims
<BR> not hard if Alice and Bob are using email; quite difficult in some 
 situations.</LI>
</UL>
<P>If he manages it, however, it is devastating. He not only gets to 
 read all the messages; he can alter messages, inject his own, forge 
 anything he likes, . . . In fact, he controls the communication 
 completely.</P>
<DT><A name="manual">Manual keying</A></DT>
<DD>An IPSEC mode in which the keys are provided by the administrator. 
 In FreeS/WAN, they are stored in /etc/ipsec.conf. The alternative, <A href="ipsec.html#auto">
automatic keying</A>, is preferred in most cases.</DD>
<DT><A name="MD4">MD4</A></DT>
<DD><A href="#digest">Message Digest Algorithm</A> Four from Ron Rivest 
 of <A href="#RSAco">RSA</A>. MD4 was widely used a few years ago, but 
 is now considered obsolete. It has been replaced by its descendants <A href="#MD5">
MD5</A> and <A href="#SHA">SHA</A>.</DD>
<DT><A name="MD5">MD5</A></DT>
<DD><A href="#digest">Message Digest Algorithm</A> Five from Ron Rivest 
 of <A href="#RSAco">RSA</A>, an improved variant of his <A href="#MD4">
MD4</A>. Like MD4, it produces a 128-bit hash. For details  see RFC 
1321. </DD>
<P>MD5 is one of two message digest algorithms available in IPSEC. The 
 other is <A href="#SHA">SHA</A>. SHA produces a longer hash and is 
 therefore more resistant to <A href="#birthday">birthday attacks</A>, 
 but this is not a concern for IPSEC. The <A href="#HMAC">HMAC</A>
 method used in IPSEC is secure even if the underlying hash is not 
 particularly strong against this attack.</P>
<DT><A name="meet">Meet-in-the-middle attack</A></DT>
<DD>A divide-and-conquer attack which breaks a cipher into two parts, 
 works against each separately, and compares results. Probably the best 
 known example is an attack on double DES. This applies in principle to 
 any pair of block ciphers, e.g. to an encryption system using, say, 
 CAST-128 and Blowfish, but we will describe it for double DES. </DD>
<P>Double DES encryption and decryption can be written:</P>
<PRE>        C = E(k2,E(k1,P))
        P = D(k1,D(k2,C))</PRE>
<P>Where C is ciphertext, P is plaintext, E is encryption, D is 
 decryption, k1 is one key, and k2 is the other key. If we know a P, C 
 pair, we can try and find the keys with a brute force attack, trying 
 all possible k1, k2 pairs. Since each key is 56 bits, there are  2<SUP>
112</SUP> such pairs and this attack is painfully  inefficient.</P>
<P>The meet-in-the middle attack re-writes the equations to calculate 
 a middle value M:</P>
<PRE>        M = E(k1,P)
        M = D(k2,C)</PRE>
<P>Now we can try some large number of D(k2,C) decryptions with 
 various values of k2 and store the results in a table. Then start 
 doing E(k1,P) encryptions, checking each result to see if it is in the 
 table.</P>
<P>With enough table space, this breaks double DES with 2<SUP>57</SUP>
 work. The memory requirements of such attacks can be prohibitive, but 
 there is a whole body of research literature on methods of reducing 
 them.</P>
<DT><A name="digest">Message Digest Algorithm</A></DT>
<DD>An algorithm which takes a message as input and produces a hash or 
 digest of it, a fixed-length set of bits which depend on the message 
 contents in some highly complex manner. Design criteria include making 
 it extremely difficult for anyone to counterfeit a digest or to change 
 a message without altering its digest. One essential property is <A href="#collision">
collision resistance</A>. The main applications are  in message <A href="#authentication">
authentication</A> and <A href="#signature">digital signature</A>
 schemes. Widely used  algorithms include <A href="#MD5">MD5</A> and <A href="#SHA">
SHA</A>.  In IPSEC, message digests are used for <A href="#HMAC">HMAC</A>
 authentication of packets.</DD>
<DT><A name="MTU">MTU</A></DT>
<DD><STRONG>M</STRONG>aximum <STRONG>T</STRONG>ransmission <STRONG> U</STRONG>
nit, the largest size of packet that can be sent  over a link. This is 
determined by the underlying network, but must be  taken account of at 
the IP level. </DD>
<P>IP packets, which can be up to 64K bytes each, must be packaged 
 into lower-level packets of the appropriate size for the underlying 
 network(s) and re-assembled on the other end. When a packet must pass 
 over multiple networks, each with its own MTU, and many of the MTUs 
 are unknown to the sender, this becomes a fairly complex problem. See <A
href="#pathMTU"> path MTU discovery</A> for details.</P>
<P>Often the MTU is a few hundred bytes on serial links and 1500  on 
Ethernet. There are, however, serial link protocols which use a  larger 
MTU to avoid fragmentation at the ethernet/serial  boundary, and newer 
(especially gigabit) Ethernet networks sometimes  support much larger 
packets because these are more efficient in some  applications.</P>
<DT><A name="N">N</A></DT>
<DT><A name="NAI">NAI</A></DT>
<DD><A href="http://www.nai.com">Network Associates</A>, a conglomerate 
 formed from <A href="#PGPI">PGP Inc.</A>, <A href="firewall.html#">TIS</A>
,  Macaffee Anti-virus products and several others. Among other things, 
 they offer an IPSEC-based <A href="http://www.nai.com/products/security/prodserv/gauntlet/vpn/index.asp">
VPN</A>.</DD>
<DT><A name="NAT.gloss">NAT</A></DT>
<DD><B>N</B>etwork <B>A</B>ddress <B>T</B>ranslation.</DD>
<DT><A name="NIST">NIST</A></DT>
<DD>The US <A href="http://www.nist.gov"> National Institute of 
 Standards and Technology</A>, responsible for <A href="#FIPS">FIPS 
 standards</A> including <A href="#DES">DES</A> and its replacement, <A href="#AES">
AES</A>.</DD>
<DT><A name="nonce">Nonce</A></DT>
<DD>A <A href="#random">random</A> value used in an <A href="#authentication">
authentication</A> protocol.</DD>
<DT>
<DT><A name="non-routable">Non-routable IP address</A></DT>
<DD>An IP address not normally allowed in the &quot;to&quot; or &quot;from&quot; IP address 
 field header of IP packets. </DD>
<P>Almost invariably, the phrase &quot;non-routable address&quot; means one of 
 the addresses reserved by RFC 1918 for private networks:</P>
<UL>
<LI>10.anything</LI>
<LI>172.x.anything with 16 &lt;= x &lt;= 31</LI>
<LI>192.168.anything</LI>
</UL>
<P>These addresses are commonly used on private networks, e.g. behind 
 a Linux machines doing <A href="#masq">IP masquerade</A>. Machines 
 within the private network can address each other with these 
 addresses. All packets going outside that network, however, have these 
 addresses replaced before they reach the Internet.</P>
<P>If any packets using these addresses do leak out, they do not go 
 far. Most routers automatically discard all such packets.</P>
<P>Various other addresses -- the 127.0.0.0/8 block reserved for local 
 use, 0.0.0.0, various broadcast and network addresses -- cannot be 
 routed over the Internet, but are not normally included in the meaning 
 when the phrase &quot;non-routable address&quot; is used.</P>
<DT><A name="NSA">NSA</A></DT>
<DD>The US <A href="http://www.nsa.gov"> National Security Agency</A>, 
 the American organisation for <A href="#SIGINT">signals  intelligence</A>
, the protection of US government messages and the  interception and 
analysis of other messages. For details, see  Bamford's <A href="biblio.html#puzzle">
&quot;The Puzzle Palace&quot;</A>. </DD>
<P>Some <A href="http://www.gwu.edu/~nsarchiv/NSAEBB/NSAEBB23/index.html">
history  of NSA</A> documents were declassified in response to a FOIA 
(Freedom  of Information Act) request.</P>
<DT><A name="O">O</A></DT>
<DT><A name="oakley">Oakley</A></DT>
<DD>A key determination protocol, defined in RFC 2412.</DD>
<DT>Oakley groups</DT>
<DD>The groups used as the basis of <A href="#DH">Diffie-Hellman</A>
 key  exchange in the Oakley protocol, and in <A href="#IKE">IKE</A>. 
Four  were defined in the original RFC, and a fifth has been <A href="http://www.lounge.org/ike_doi_errata.html">
added since</A>. </DD>
<P>Linux FreeS/WAN currently supports the three groups based on finite 
 fields modulo a prime (Groups 1, 2 and 5) and does not support the 
 elliptic curve groups (3 and 4). For a description of the difference 
 of the types, see <A href="#dlog">discrete logarithms</A>.</P>
<DT><A name="OTP">One time pad</A></DT>
<DD>A cipher in which the key is: 
<UL>
<LI>as long as the total set of messages to be enciphered</LI>
<LI>absolutely <A href="#random">random</A></LI>
<LI>never re-used</LI>
</UL>
</DD>
<P>Given those three conditions, it can easily be proved that the 
 cipher is perfectly secure, in the sense that an attacker with 
 intercepted message in hand has no better chance of guessing the 
 message than an attacker who has nt interecepted the message and only 
 knows the message length. No such proof exists for any other  cipher.</P>
<P>There are, however, several problems with this &quot;perfect&quot;  cipher.</P>
<UL>
<LI>It is wildly impractical for many applications. Key management  is 
difficult or impossible.</LI>
<LI>It is <EM>extremely</EM> fragile. Small changes which violate  the 
conditions listed above do not just weaken the cipher a bit;  quite 
often they destroy its security completely. 
<UL>
<LI>Re-using the pad weakens it to the point where it can be  broken 
with pencil and paper. With a computer, the attack is  trivially easy.</LI>
<LI>Using computer-generated pseudo-random numbers instead of a  really <A
href="#random">random</A> pad completely invalidates  the security 
proof. Depending on random number generator used,  this may also give 
an extremely weak cipher.</LI>
</UL>
</LI>
<LI>If an attacker knows the plaintext and has an intercepted  message, 
he can discover the pad. This does not matter if the  attacker is just 
a <A href="#passive">passive</A> eavesdropper. It  gives him no 
plaintext he didn't already know and we don't care  that he learns a 
pad which we'll never re-use. However, knowing  the pad lets an <A href="#active">
active</A> attacker perform a <A href="#middle">man-in-the-middle</A>
 attack, replacing your  message with whatever he chooses.</LI>
</UL>
<P>Marketing claims about the &quot;unbreakable&quot; security of various 
 products which somewhat resemble one-time pads are common. Such claims 
 are one of the surest signs of cryptographic <A href="#snake">snake 
 oil</A>. Systems marketed with such claims are usually completely 
 worthless.</P>
<P>See also the <A href="http://www.clark.net/pub/mjr/pubs/otpfaq/">one 
time pad  FAQ</A>.</P>
<DT><A name="carpediem">Opportunistic encryption</A></DT>
<DD>A situation in which any two IPSEC-aware machines can secure their 
 communications, without a pre-shared secret and without a common <A href="ipsec.html#PKI">
PKI</A> or previous exchange of public keys. This is one  of the goals 
of the Linux FreeS/WAN project, discussed in our <A href="intro.html#goals">
introduction</A> section. </DD>
<P> Setting up for opportunistic encryption is described in our <A href="config.html#oppex">
 configuration</A> document.</P>
<DT><A name="P">P</A></DT>
<DT><A name="P1363"><A href="http://grouper.ieee.org/groups/1363">P1363 
 standard</A></A></DT>
<DD>An <A href="#IEEE">IEEE</A> standard for public key  cryptography.</DD>
<DT><A name="passive">Passive attack</A></DT>
<DD>An attack in which the attacker only eavesdrops and attempts to 
 analyse intercepted messages, as opposed to an <A href="#active">
active attack</A> in which he diverts messages or  generates his own.</DD>
<DT><A name="pathMTU">Path <A href="#MTU">MTU</A></A> discovery</DT>
<DD>The process of discovering the largest packet size which all links 
 on a path can handle without fragmentation -- that is, without any 
 router having to break the packet up into smaller pieces to match the <A
href="#MTU"> MTU</A> of its outgoing link. </DD>
<P>This is done as follows:</P>
<UL>
<LI>originator sends the largest packets allowed by <A href="#MTU">MTU</A>
 of the first link, setting the DF  (<STRONG>d</STRONG>on't <STRONG>f</STRONG>
ragment) bit in the  packet header</LI>
<LI>any router which cannot send the packet on (outgoing MTU is too 
 small for it, and DF prevents fragmenting it to match) sends back  an <A
href="#ICMP">ICMP</A> packet reporting the problem</LI>
<LI>originator looks at ICMP message and tries a smaller size</LI>
<LI>eventually, you settle on a size that can pass all routers</LI>
<LI>thereafter, originator just sends that size and no-one has to 
 fragment</LI>
</UL>
<P>Since this requires co-operation of many systems, and since the 
 next packet may travel a different path, this is one of the trickier 
 areas of IP programming. Bugs that have shown up over the years have 
 included:</P>
<UL>
<LI>malformed ICMP messages</LI>
<LI>hosts that ignore or mishandle these ICMP messages</LI>
<LI>firewalls blocking the ICMP messages so host does not see  them</LI>
</UL>
<P>Since IPSEC adds a header, it increases packet size and may require 
 fragmentation even where incoming and outgoing MTU are equal.</P>
<DT><A name="PFS">Perfect forward secrecy (PFS)</A></DT>
<DD>A property of systems such as <A href="#DH">Diffie-Hellman</A> key 
 exchange which use a long-term key (such as the shared secret in IKE) 
 and generate short-term keys as required. If an attacker who acquires 
 the long-term key <EM>provably</EM> can 
<UL>
<LI><EM>neither</EM> read previous messages which he may have  archived</LI>
<LI><EM>nor</EM> read future messages without performing additional 
 successful attacks</LI>
</UL>
</DD>
<P>then the system has PFS. The attacker needs the short-term keys in 
 order to read the trafiic and merely having the long-term key does not 
 allow him to infer those. Of course, it may allow him to conduct 
 another attack (such as <A href="#middle">man-in-the-middle</A>) which 
 gives him some short-term keys, but he does not automatically get them 
 just by acquiring the long-term key.</P>
<DT>PFS</DT>
<DD>see Perfect Forward Secrecy</DD>
<DT><A name="PGP">PGP</A></DT>
<DD><B>P</B>retty <B>G</B>ood <B>P</B>rivacy, a personal encryption 
 system for email based on public key technology, written by Phil 
 Zimmerman. </DD>
<P>The 2.xx versions of PGP used the <A href="#RSA">RSA</A> public key 
 algorithm and used <A href="#IDEA">IDEA</A> as the symmetric cipher. 
 These versions are described in RFC 1991 and in <A href="#PGP">
Garfinkel's book</A>. Since version 5, the products from <A href="#pgpi">
 PGP Inc</A>. have used <A href="#DH">Diffie-Hellman</A> public key 
methods and <A href="#CAST128">CAST-128</A> symmetric encryption. These 
can verify  signatures from the 2.xx versions, but cannot exchange 
encryted  messages with them.</P>
<P>An <A href="#IETF">IETF</A> working group has issued RFC 2440 for 
 an &quot;Open PGP&quot; standard, similar to the 5.x versions. PGP Inc. staff 
 were among the authors. A free <A href="#GPG">Gnu Privacy Guard</A>
 based on that standard is now available.</P>
<P>For more information on PGP, including how to obtain it, see our 
 cryptography <A href="web.html#tools">links</A>.</P>
<DT><A name="PGPI">PGP Inc.</A></DT>
<DD>A company founded by Zimmerman, the author of <A href="#PGP">PGP</A>
, now a division of <A href="#NAI">NAI</A>. See the <A href="http://www.pgp.com">
 corporate website</A>. </DD>
<P>Their PGP 6.5 product includes PGPnet, an IPSEC client for 
 Macintosh or for Windows 95/98/NT.</P>
<DT><A name="photuris">Photuris</A></DT>
<DD>Another key negotiation protocol, an alternative to <A href="#IKE">
IKE</A>, described in RFCs 2522 and 2523.</DD>
<DT><A name="PPTP">PPTP</A></DT>
<DD><B>P</B>oint-to-<B>P</B>oint <B>T</B>unneling <B>P</B>rotocol. 
 Papers discussing weaknesses in it are on <A href="http://www.counterpane.com/publish.html">
counterpane.com</A>.</DD>
<DT><A name="PKI">PKI</A></DT>
<DD><B>P</B>ublic <B>K</B>ey <B>I</B>nfrastructure, the things an 
 organisation or community needs to set up in order to make <A href="#public">
public key</A> cryptographic technology a standard part  of their 
operating procedures. </DD>
<P>There are several PKI products on the market. Typically they use a 
 hierarchy of <A href="#CA">Certification Authorities (CAs)</A>. Often 
 they use <A href="#LDAP">LDAP</A> access to <A href="#X509">X.509</A>
 directories to implement this.</P>
<P>See <A href="#web">Web of Trust</A> for a different sort of 
 infrastructure.</P>
<DT><A name="PKIX">PKIX</A></DT>
<DD><B>PKI</B> e<B>X</B>change, an <A href="#IETF">IETF</A> standard 
 that allows <A href="ipsec.html#PKI">PKI</A>s to talk to each other. </DD>
<P>This is required, for example, when users of a corporate PKI need 
 to communicate with people at client, supplier or government 
 organisations, any of which may have a different PKI in place. I 
 should be able to talk to you securely whenever:</P>
<UL>
<LI>your organisation and mine each have a PKI in place</LI>
<LI>you and I are each set up to use those PKIs</LI>
<LI>the two PKIs speak PKIX</LI>
<LI>the configuration allows the conversation</LI>
</UL>
<P>At time of writing (March 1999), this is not yet widely implemented 
 but is under quite active development by several groups.</P>
<DT><A name="plaintext">Plaintext</A></DT>
<DD>The unencrypted input to a cipher, as opposed to the encrypted <A href="#ciphertext">
ciphertext</A> output.</DD>
<DT><A name="Pluto">Pluto</A></DT>
<DD>The <A href="web.html#FreeSWAN">Linux FreeS/WAN</A> daemon which 
handles key  exchange via the <A href="#IKE">IKE</A> protocol, 
connection  negotiation, and other higher-level tasks. Pluto calls the <A
href="#KLIPS">KLIPS</A> kernel code as required. For details, see the 
 manual page ipsec_pluto(8).</DD>
<DT><A name="public">Public Key Cryptography</A></DT>
<DD>In public key cryptography, keys are created in matched pairs. 
 Encrypt with one half of a pair and only the matching other half can 
 decrypt it. This contrasts with <A href="#symmetric">symmetric or 
 secret key cryptography</A> in which a single key known to both 
 parties is used for both encryption and decryption. </DD>
<P>One half of each pair, called the public key, is made public. The 
 other half, called the private key, is kept secret. Messages can then 
 be sent by anyone who knows the public key to the holder of the 
 private key. Encrypt with the public key and you know only someone 
 with the matching private key can decrypt.</P>
<P>Public key techniques can be used to create <A href="#signature">
digital signatures</A> and to deal with key  management issues, perhaps 
the hardest part of effective deployment of <A href="#symmetric">
 symmetric ciphers</A>. The resulting <A href="#hybrid">hybrid 
cryptosystems</A> use public key methods to  manage keys for symmetric 
ciphers.</P>
<P>Many organisations are currently creating <A href="ipsec.html#PKI">
PKIs,  public key infrastructures</A> to make these benefits widely 
 available.</P>
<DT>Public Key Infrastructure</DT>
<DD>see <A href="ipsec.html#PKI">PKI</A></DD>
<DT><A name="Q">Q</A></DT>
<DT><A name="R">R</A></DT>
<DT><A name="random">Random</A></DT>
<DD>A remarkably tricky term, far too much so for me to attempt a 
 definition here. Quite a few cryptosystems have been broken via 
 attacks on weak random number generators, even when the rest of the 
 system was sound. </DD>
<P>See RFC 1750 for the theory. It will be available <A href="../Internet-docs/rfc1750.txt">
locally</A> if you have downloaded  our RFC bundle (which is <A href="rfc.html#RFC">
described here</A>). Or read  it <A href="http://nis.nsf.net/internet/documents/rfc/rfc1750.txt">
on  the net</A>.</P>
<P>See the manual pages for ipsec_ranbits(8) and random(4) for details 
 of what we use.</P>
<P>There has recently been discussion on several mailing lists of the 
 limitations of Linux /dev/random and of whether we are using it 
 correctly. Those discussions are archived on the <A href="http://www.openpgp.net/random/index.html">
/dev/random support  page</A>.</P>
<DT><A href="http://www.raptor.com">Raptor</A></DT>
<DD>A firewall product for Windows NT offerring IPSEC-based VPN 
 services. Linux FreeS/WAN interoperates with Raptor; see our <A href="interop.html#Raptor">
Compatibility</A> document for details. Raptor have  recently merged 
with Axent.</DD>
<DT><A name="RC4">RC4</A></DT>
<DD><B>R</B>ivest <B>C</B>ipher four, designed by Ron Rivest of <A href="#RSAco">
RSA</A> and widely used. Believed highly secure with  adequate key 
length, but often implemented with inadequate key length  to comply 
with export restrictions.</DD>
<DT><A name="RC6">RC6</A></DT>
<DD><B>R</B>ivest <B>C</B>ipher six, <A href="#RSAco">RSA</A>'s <A href="#AES">
AES</A> candidate cipher.</DD>
<DT><A name="replay">Replay attack</A></DT>
<DD>An attack in which the attacker records data and later replays it 
in  an attempt to deceive the recipient.</DD>
<DT>RFC</DT>
<DD><B>R</B>equest <B>F</B>or <B>C</B>omments, an Internet document. 
 Some RFCs are just informative. Others are standards. </DD>
<P>Our list of <A href="#IPSEC">IPSEC</A> and other security-related 
 RFCs is <A href="rfc.html#RFC">here</A>, along with information on 
methods of  obtaining them.</P>
<DT><A name="RIPEMD">RIPEMD</A></DT>
<DD>A <A href="#digest">message digest</A> algorithm. The current 
 version is RIPEMD-160 which gives a 160-bit hash.</DD>
<DT><A name="rootCA">Root CA</A></DT>
<DD>The top level <A href="#CA">Certification Authority</A> in a 
 hierachy of such authorities.</DD>
<DT><A name="routable">Routable IP address</A></DT>
<DD>Most IP addresses can be used as &quot;to&quot; and &quot;from&quot; addresses in 
packet  headers. These are the routable addresses; we expect routing to 
be  possible for them. If we send a packet to one of them, we expect 
(in  most cases; there are various complications) that it will be 
delivered  if the address is in use and will cause an <A href="#icmp">
ICMP</A> error packet to come back to us if not. </DD>
<P>There are also several classes of <A href="#non-routable">
non-routable</A> IP addresses.</P>
<DT><A name="RSA">RSA algorithm</A></DT>
<DD><B>R</B>ivest <B>S</B>hamir <B>A</B>dleman public key encryption 
 method, named for its three inventors. The algorithm is widely used 
 and likely to become moreso since it became free of patent 
 encumbrances in September 2000. </DD>
<P> For a full explanation of the algorithm, consult one of the 
standard references such as <A href="biblio.html#schneier">Applied 
Cryptography</A>. A simple explanation is: </P>
<P> The great 17th century French mathematician <A href="http://www-groups.dcs.st-andrews.ac.uk/~history/Mathematicians/Fermat.html">
Fermat</A> proved that, for any prime p and number x, 0 
<!--= x < p:
<pre-->
 x^p == x 
 modulo p  x^(p-1) == 1  modulo p, non-zero x  From this it follows 
that if we have a pair of primes p, q and two numbers e, d such that: </P>
<PRE>
        ed == 1                 modulo lcm( p-1, q-1)
</PRE>
 where lcm() is least common multiple, then for all x, 0 
<!--= x < pq:
<pre-->
 x^(ed-1) == 1 
 modulo pq, non-zero x  x^ed == x  modulo pq  So we construct such as 
set of numbers p, q, e, d and publish the product N=pq and e as the 
public key. Encryption is then: 
<PRE>
        c = x^e                 modulo N
</PRE>
 An attacker cannot deduce x from the cyphertext c, short of either 
factoring N or solving the <A href="#dlog">discrete logarithm</A>
 problem for this field. If p, q are large primes (hundreds or 
thousands of bits) no efficient solution to either problem is known. 
<P> The receiver, knowing the private key (N and d), can readily find x 
sixce: </P>
<PRE>
        c^d == (x^e)^d          modulo N
            == x^ed             modulo N
            == x                modulo N
</PRE>
 This gives an effective public key technique, with only a couple of 
problems. It uses a good deal of computer time, since calculations with 
large integers are not cheap, and there is no proof it is necessarily 
secure since no-one has proven either factoring or discrete log cannot 
be done efficiently. 
<DT><A name="RSAco">RSA Data Security</A></DT>
<DD>A company founded by the inventors of the <A href="#RSA">RSA</A>
 public key algorithm.</DD>
<DT><A name="S">S</A></DT>
<DT><A name="SA">SA</A></DT>
<DD><B>S</B>ecurity <B>A</B>ssociation, the channel negotiated by the 
 higher levels of an <A href="#IPSEC">IPSEC</A> implementation and used 
 by the lower. SAs are unidirectional; you need a pair of them for 
 two-way communication. </DD>
<P>An SA is defined by three things -- the destination, the protocol  (<A
href="#AH">AH</A> or<A href="#ESP">ESP</A>) and the <A href="SPI">SPI</A>
, security parameters index. It is used to index  other things such as 
session keys and intialisation vectors.</P>
<P>For more detail, see our section on <A href="ipsec.html">IPSEC</A>
 and/or RFC 2401.</P>
<DT><A name="SDNS"><A href="http://www.toad.com/~dnssec">Secure DNS</A></A>
</DT>
<DD>A version of the <A href="#DNS">DNS or Domain Name Service</A>
 enhanced with authentication services. This is being designed by the <A href="#IETF">
 IETF</A> DNS security <A href="http://www.ietf.org/ids.by.wg/dnssec.html">
 working group</A>.  Check the <A href="http://www.isc.org/bind.html">
 Internet Software Consortium</A> for information on implementation 
progress and for  the latest version of <A href="#BIND">BIND</A>. 
Another site has <A href="http://www.toad.com/~dnssec">more information</A>
. </DD>
<P><A href="#IPSEC">IPSEC</A> can use this plus <A href="#DH">
Diffie-Hellman key exchange</A> to bootstrap itself. This  would allow <A
href="#carpediem">opportunistic encryption</A>. Any  pair of machines 
which could authenticate each other via DNS could  communicate 
securely, without either a pre-existing shared secret or a  shared <A href="ipsec.html#PKI">
PKI</A>.</P>
<P><A href="web.html#FreeSWAN">Linux FreeS/WAN</A> will support this in 
a  future release.</P>
<DT>Secret key cryptography</DT>
<DD>See <A href="#symmetric">symmetric cryptography</A></DD>
<DT>Security Association</DT>
<DD>see <A href="#SA">SA</A></DD>
<DT><A name="sequence">Sequence number</A></DT>
<DD>A number added to a packet or message which indicates its position 
 in a sequence of packets or messages. This provides some security 
 against <A href="#replay">replay attacks</A>. </DD>
<P>For <A href="ipsec.html#auto">automatic keying</A> mode, the <A href="#IPSEC">
IPSEC</A> RFCs require that the sender generate sequence  numbers for 
each packet, but leave it optional whether the receiver  does anything 
with them.</P>
<DT><A name="SHA">SHA</A></DT>
<DD><B>S</B>ecure <B>H</B>ash <B>A</B>lgorithm, a <A href="#digest">
message digest algorithm</A> developed by the <A href="#NSA">NSA</A>
 for use in the Digital Signature standard, <A href="#FIPS">FIPS</A>
 number 186 from <A href="#NIST">NIST</A>. SHA is  an improved variant 
of <A href="#MD4">MD4</A> producing a 160-bit  hash. </DD>
<P>SHA is one of two message digest algorithms available in IPSEC. The 
 other is <A href="#MD5">MD5</A>. Some people do not trust SHA because 
 it was developed by the <A href="#NSA">NSA</A>. There is, as far as we 
 know, no cryptographic evidence that SHA is untrustworthy, but this 
 does not prevent that view from being strongly held.</P>
<DT><A name="SIGINT">Signals intelligence (SIGINT)</A></DT>
<DD>Activities of government agencies from various nations aimed at 
 protecting their own communications and reading those of others. 
 Cryptography, cryptanalysis, wiretapping, interception and monitoring 
 of various sorts of signals. The players include the American <A href="#NSA">
NSA</A>, British <A href="#GCHQ">GCHQ</A> and Canadian <A href="#CSE">
CSE</A>.</DD>
<DT><A name="SKIP">SKIP</A></DT>
<DD><B>S</B>imple <B>K</B>ey management for <B>I</B>nternet <B> P</B>
rotocols, an alternative to <A href="#IKE">IKE</A> developed  by Sun 
and being marketed by their <A href="http://skip.incog.com">Internet 
Commerce Group</A>.</DD>
<DT><A name="snake">Snake oil</A></DT>
<DD>Bogus cryptography. See the <A href="http://www.interhack.net/people/cmcurtin/snake-oil-faq.html">
 Snake Oil FAQ</A> or <A href="http://www.counterpane.com/crypto-gram-9902.html#snakeoil">
this  paper</A> by Schneier.</DD>
<DT><A name="SPI">SPI</A></DT>
<DD><B>S</B>ecurity <B>P</B>arameter <B>I</B>ndex, an index used within <A
href="#IPSEC"> IPSEC</A> to keep connections distinct. A <A href="#SA">
Security Association (SA)</A> is defined by destination,  protocol and 
SPI. Without the SPI, two connections to the same gateway  using the 
same protocol could not be distinguished. </DD>
<P>For more detail, see our <A href="#SPI">IPSEC Overview</A> and/or 
 RFC 2401.</P>
<DT><A name="SSH">SSH</A></DT>
<DD><B>S</B>ecure <B>SH</B>ell, an encrypting replacement for the 
 insecure Berkeley commands whose names begin with &quot;r&quot; for &quot;remote&quot;: 
 rsh, rlogin, etc. </DD>
<P>For more information on SSH, including how to obtain it, see our 
 cryptography <A href="web.html#tools">links</A>.</P>
<DT><A name="SSHco">SSH Communications Security</A></DT>
<DD>A company founded by the authors of <A href="#SSH">SSH</A>. Offices 
 are in <A href="http://www.ssh.fi">Finland</A> and <A href="http://www.ipsec.com">
California</A>. They have a toolkit for  developers of IPSEC 
applications.</DD>
<DT><A name="SSL">SSL</A></DT>
<DD><A href="http://home.netscape.com/eng/ssl3">Secure Sockets  Layer</A>
, a set of encryption and authentication services for web  browsers, 
developed by Netscape. Widely used in Internet commerce.  Also known as <A
href="#TLS">TLS</A>.</DD>
<DT>SSLeay</DT>
<DD>A free implementation of <A href="#SSL">SSL</A> by Eric Young (eay) 
 and others. Developed in Australia; not subject to US export  controls.</DD>
<DT><A name="stream">Stream cipher</A></DT>
<DD>A <A href="#symmetric">symmetric cipher</A> which produces a stream 
 of output which can be combined (often using XOR or bytewise addition) 
 with the plaintext to produce ciphertext. Contrasts with <A href="#block">
block cipher</A>. </DD>
<P><A href="#IPSEC">IPSEC</A> does not use stream ciphers. Their main 
 application is link-level encryption, for example of voice, video or 
 data streams on a wire or a radio signal.</P>
<DT><A name="subnet">subnet</A></DT>
<DD>A group of IP addresses which are logically one network, typically 
 (but not always) assigned to a group of physically connected machines. 
 The range of addresses in a subnet is described using a subnet mask. 
 See next entry.</DD>
<DT>subnet mask</DT>
<DD>A method of indicating the addresses included in a subnet. Here are 
 two equivalent examples:
<UL>
<LI>101.101.101.0/24</LI>
<LI>101.101.101.0 with mask 255.255.255.0</LI>
</UL>
</DD>
<P>The '24' is shorthand for a mask with the top 24 bits one and the 
 rest zero. This is exactly the same as 255.255.255.0 which has three 
 all-ones bytes and one all-zeros byte.</P>
<P>These indicate that, for this range of addresses, the top 24 bits 
 are to be treated as naming a network (often referred to as &quot;the 
 101.101.101.0/24 subnet&quot;) while most combinations of the low 8 bits 
 can be used to designate machines on that network. Two addresses are 
 reserved; 101.101.101.0 refers to the subnet rather than a specific 
 machine while 101.101.101.255 is a broadcast address. 1 to 254 are 
 available for machines.</P>
<P>It is common to find subnets arranged in a hierarchy. For example, 
 a large company might have a /16 subnet and allocate /24 subnets 
 within that to departments. An ISP might have a large subnet and 
 allocate /26 subnets (64 addresses, 62 usable) to business customers 
 and /29 subnets (8 addresses, 6 usable) to residential clients.</P>
<DT><A name="SWAN">S/WAN</A></DT>
<DD>Secure Wide Area Network, a project involving <A href="#RSAco">RSA 
 Data Security</A> and a number of other companies. The goal was to 
 ensure that all their <A href="#IPSEC">IPSEC</A> implementations would 
 interoperate so that their customers can communicate with each other 
 securely.</DD>
<DT><A name="symmetric">Symmetric cryptography</A></DT>
<DD>Symmetric cryptography, also referred to as conventional or secret 
 key cryptography, relies on a <EM>shared secret key</EM>, identical 
 for sender and receiver. Sender encrypts with that key, receiver 
 decrypts with it. The idea is that an eavesdropper without the key be 
 unable to read the messages. There are two main types of symmetric 
 cipher, <A href="#block">block ciphers</A> and <A href="#stream">
stream ciphers</A>. </DD>
<P>Symmetric cryptography contrasts with <A href="#public">public  key</A>
 or asymmetric systems where the two players use different  keys.</P>
<P>The great difficulty in symmetric cryptography is, of course, key 
 management. Sender and receiver <EM>must</EM> have identical keys and 
 those keys <EM>must</EM> be kept secret from everyone else. Not too 
 much of a problem if only two people are involved and they can 
 conveniently meet privately or employ a trusted courier. Quite a 
 problem, though, in other circumstances.</P>
<P>It gets much worse if there are many people. An application might 
 be written to use only one key for communication among 100 people, for 
 example, but there would be serious problems. Do you actually trust 
 all of them that much? Do they trust each other that much? Should 
 they? What is at risk if that key is compromised? How are you  going 
 to distribute that key to everyone without risking its secrecy? What 
 do you do when one of them leaves the company? Will you even know?</P>
<P>On the other hand, if you need unique keys for every possible 
 connection between a group of 100, then each user must have 99 keys. 
 You need either 99*100/2 = 4950 <EM>secure</EM> key exchanges between 
 users or a central authority that <EM>securely</EM> distributes 100 
 key packets, each with a different set of 99 keys.</P>
<P>Either of these is possible, though tricky, for 100 users. Either 
 becomes an administrative nightmare for larger numbers. Moreover, keys <EM>
 must</EM> be changed regularly, so the problem of key distribution 
 comes up again and again. If you use the same key for many messages 
 then an attacker has more text to work with in an attempt to crack 
 that key. Moreover, one successful crack will give him or her the text 
 of all those messages.</P>
<P>In short, the <EM>hardest part of conventional cryptography is key 
 management</EM>. Today the standard solution is to build a <A href="#hybrid">
hybrid system</A> using <A href="#public">public  key</A> techniques to 
manage keys.</P>
<DT><A name="T">T</A></DT>
<DT><A name="TIS">TIS</A></DT>
<DD><A href="http://www.tislabs.com">Trusted Information Systems</A>, a 
 firewall vendor now part of <A href="#NAI">NAI</A>. Their Gauntlet 
 product offers IPSEC VPN services. TIS implemented the first version 
 of <A href="#SNDS">Secure DNS</A> on a <A href="#DARPA">DARPA</A>
 contract.</DD>
<DT><A name="TLS">TLS</A></DT>
<DD><B>T</B>ransport <B>L</B>ayer <B>S</B>ecurity, a newer name for <A href="#SSL">
SSL</A>.</DD>
<DT><A name="traffic">Traffic analysis</A></DT>
<DD>Deducing useful intelligence from patterns of message traffic, 
 without breaking codes or reading the messages. In one case during 
 World War II, the British knew an attack was coming because all German 
 radio traffic stopped. The &quot;radio silence&quot; order, intended to preserve 
 security, actually gave the game away. </DD>
<P>In an industrial espionage situation, one might deduce something 
 interesting just by knowing that company A and company B were talking, 
 especially if one were able to tell which departments were involved, 
 or if one already knew that A was looking for acquisitions and B was 
 seeking funds for expansion.</P>
<P><A href="#IPSEC">IPSEC</A> itself does not defend against this, but 
 carefully thought out systems using IPSEC can provide at least partial 
 protection. In particular, one might want to encrypt more traffic than 
 was strictly necessary, route things in odd ways, or even encrypt 
 dummy packets, to confuse the analyst.</P>
<DT><A name="transport">Transport mode</A></DT>
<DD>An IPSEC application in which the IPSEC gateway is the destination 
 of the protected packets, a machine acts as its own gateway. Contrast 
 with <A href="#tunnel">tunnel mode</A>.</DD>
<DT>Triple DES</DT>
<DD>see <A href="#3DES">3DES</A></DD>
<DT><A name="tunnel">Tunnel mode</A></DT>
<DD>An IPSEC application in which an IPSEC gateway provides protection 
 for packets to and from other systems. Contrast with <A href="#transport">
transport mode</A>.</DD>
<DT><A name="2key">Two-key Triple DES</A></DT>
<DD>A variant of <A href="#3DES">triple DES or 3DES</A> in which only 
 two keys are used. As in the three-key version, the order of 
 operations is <A href="#EDE">EDE</A> or encrypt-decrypt-encrypt, but 
 in the two-key variant the first and third keys are the same. </DD>
<P>3DES with three keys has 3*56 = 168 bits of key but has only 
 112-bit strength against a <A href="#meet">meet-in-the-middle</A>
 attack, so it is possible that the two key version is just as strong. 
 Last I looked, this was an open question in the research  literature.</P>
<P>RFC 2451 defines triple DES for <A href="#IPSEC">IPSEC</A> as the 
 three-key variant. The two-key variant should not be used and is not 
 implemented directly in <A href="web.html#FreeSWAN">Linux FreeS/WAN</A>
. It  cannot be used in automatically keyed mode without major fiddles 
in  the source code. For manually keyed connections, you could make 
Linux  FreeS/WAN talk to a two-key implementation by setting two keys 
the  same in /etc/ipsec.conf.</P>
<DT><A name="U">U</A></DT>
<DT><A name="V">V</A></DT>
<DT><A name="virtual">Virtual Interface</A></DT>
<DD>A <A href="#Linux">Linux</A> feature which allows one physical 
 network interface to have two or more IP addresses. See the <CITE>
 Linux Network Administrator's Guide</CITE> in <A href="biblio.html#kirch">
book form</A> or <A href="http://metalab.unc.edu/LDP/LDP/nag/node1.html">
on the web</A> for details.</DD>
<DT>Virtual Private Network</DT>
<DD>see <A href="web.html#VPN">VPN</A></DD>
<DT><A name="VPN">VPN</A></DT>
<DD><B>V</B>irtual <B>P</B>rivate <B>N</B>etwork, a network which can 
 safely be used as if it were private, even though some of its 
 communication uses insecure connections. All traffic on those 
 connections is encrypted. </DD>
<P><A href="#IPSEC">IPSEC</A> is not the only technique available for 
 building VPNs, but it is the only method defined by <A href="rfc.html#RFC">
RFCs</A> and supported by many vendors. VPNs are by no  means the only 
thing you can do with IPSEC, but they may be the most  important 
application for many users.</P>
<DT><A name="VPNC">VPNC</A></DT>
<DD><A href="http://www.vpnc.org">Virtual Private Network  Consortium</A>
, an association of vendors of VPN products.</DD>
<DT><A name="W">W</A></DT>
<DT>Wassenaar Arrangement</DT>
<DD>An international agreement restricting export of munitions and 
other  tools of war. Unfortunately, cryptographic software is also 
restricted  under the current version of the agreement. <A href="politics.html#Wassenaar">
 Discussion</A>.</DD>
<DT><A name="web">Web of Trust</A></DT>
<DD><A href="#PGP">PGP</A>'s method of certifying keys. Any user can 
 sign a key; you decide which signatures or combinations of signatures 
 to accept as certification. This contrasts with the hierarchy of <A href="#CA">
CAs (Certification Authorities)</A> used in many <A href="ipsec.html#PKI">
PKIs (Public Key Infrastructures)</A>. </DD>
<P>See <A href="#GTR">Global Trust Register</A> for an interesting 
 addition to the web of trust.</P>
<DT><A name="X">X</A></DT>
<DT><A name="X509">X.509</A></DT>
<DD>A standard from the <A href="http://www.itu.int">ITU (International 
 Telecommunication Union)</A>, for hierarchical directories with 
 authentication services, used in many <A href="ipsec.html#PKI">PKI</A>
 implementations. </DD>
<P>Use of X.509 services, via the <A href="#LDAP">LDAP protocol</A>, 
 for certification of keys is allowed but not required by the <A href="#IPSEC">
IPSEC</A> RFCs. It is not yet implemented in <A href="web.html#FreeSWAN">
Linux FreeS/WAN</A>.</P>
<DT><A href="http://www.xedia.com">Xedia</A></DT>
<DD>A vendor of router and Internet access products. Their QVPN 
products  interoperate with Linux FreeS/WAN; see our <A href="interop.html#Xedia">
compatibility document</A>.</DD>
<DT><A name="Y">Y</A></DT>
<DT><A name="Z">Z</A></DT>
</DL>
<HR>
<A HREF="toc.html">Contents</a>
<A HREF="web.html">Previous</a>
<A HREF="biblio.html">Next</a>
</BODY>
</HTML>